Privacy Policy

Last updated: October 9, 2025

1. Introduction and Scope

This Privacy Policy describes how **Spyglass Systems LLC**, operating as **Around Notes AI** ("we", "our", or "us"), collects, uses, and safeguards personal data and **Protected Health Information (PHI)** when you access spyglasssystems.com / aroundnotes.ai or use our AI-powered clinical documentation tools, including Around Notes™ (ARNOS).

We comply with the **General Data Protection Regulation (GDPR)**, **UK GDPR**, **California Consumer Privacy Act (CCPA/CPRA)**, the **Health Insurance Portability and Accountability Act (HIPAA)**, and other applicable laws. By using our services, you agree to this Privacy Policy.

2. Information We Collect

2.1 Personal and Account Information

We collect personal information you provide directly, including:

  • **Identifiers:** Name, email address, and professional contact details
  • **Professional Data:** Employer or institution affiliation, job title or specialty
  • **Authentication:** Account credentials, password hashes, and login metadata
  • **Billing/Payment:** Payment details handled through compliant third-party processors

2.2 Protected Health Information (PHI)

If you are a healthcare provider or Covered Entity, we may process **PHI** under a signed **Business Associate Agreement (BAA)** in compliance with HIPAA. PHI may include:

  • Patient demographic and clinical data
  • Dictated or transcribed clinical notes
  • Diagnostic impressions or treatment plans
  • AI-generated summaries or encounter documentation

2.3 Technical and Usage Data

We automatically collect limited technical information for security, diagnostics, and performance optimization:

  • IP address, device identifiers, and browser type
  • Operating system, app version, and access timestamps
  • Feature usage metrics, error logs, and audit trails
  • Cookies and tracking technologies (see Cookie Policy)

3. How We Use Information and Legal Basis

We process data for the purposes described below, under the corresponding lawful bases (GDPR Art. 6):

4. HIPAA and Business Associate Compliance

Around Notes AI functions as a **Business Associate** under HIPAA, bound by signed **Business Associate Agreements (BAAs)** with Covered Entities. We apply administrative, physical, and technical safeguards as required by 45 CFR §§164.308–164.312.

  • **Administrative:** Workforce training, incident response, and risk analysis programs
  • **Physical:** Secure data centers, controlled access, and device protection
  • **Technical:** AES-256 encryption, TLS 1.3, MFA, and audit logging
  • **Minimum Necessary Rule:** We limit PHI processing to what is strictly necessary for service delivery

5. Data Sharing and Disclosure

5.1 No Sale or Rent of Personal Data

**We do not sell, rent, or trade personal data or PHI.** Under CPRA, this includes any 'sharing' for cross-context behavioral advertising.

5.2 Limited and Controlled Sharing

We share data only with trusted entities under strict legal agreements:

  • **Subprocessors:** AWS (hosting), Microsoft Clarity (analytics), Stripe or similar (billing), all bound by DPAs and/or BAAs.
  • **AI/LLM Providers:** When external models are used, PHI is de-identified and processed only under secured, compliant terms.
  • **Legal or Regulatory Requests:** When required by applicable law, subpoena, or court order.
  • **Corporate Events:** If involved in a merger or acquisition, under confidentiality safeguards.

6. Data Security

We use layered security controls to ensure confidentiality, integrity, and availability of information:

  • **Encryption:** AES-256 for data at rest; TLS 1.3 for all data in transit
  • **Access Controls:** Role-based permissions, MFA, and least-privilege principles
  • **Infrastructure:** Hosted in AWS environments covered by SOC 2 Type II reporting and HIPAA-eligible services
  • **Monitoring:** 24/7 system monitoring and automated anomaly detection
  • **Incident Response:** Breach notifications within 72 hours of a confirmed security incident
  • **Audits:** Annual third-party penetration testing and compliance review

7. Your Privacy Rights

Depending on your location and applicable law, you may exercise the following rights:

7.1 GDPR / UK GDPR

  • Access, rectify, or erase your data
  • Restrict or object to processing
  • Receive data in a portable format (Art. 20)
  • Lodge a complaint with your Data Protection Authority

7.2 CPRA (California)

  • Right to know categories and purposes of data collected
  • Right to delete personal data (with exceptions)
  • Right to opt-out of 'sharing' for advertising
  • Right to limit use of Sensitive Personal Information (SPI)

7.3 HIPAA (Covered Entity Users)

  • Access and obtain copies of PHI
  • Request corrections or restrictions
  • Receive an accounting of disclosures

8. International Data Transfers

Spyglass Systems LLC is based in the United States. Data may be processed in AWS regions located in the U.S. and the EU. Transfers from the EEA/UK/Switzerland follow:

  • **Standard Contractual Clauses (SCCs):** Implemented for EU transfers to third countries.
  • **EU–U.S. Data Privacy Framework (DPF):** Adhered to by Spyglass and core subprocessors.
  • **Supplementary Measures:** Encryption, access limitation, and jurisdictional safeguards.

9. Data Retention and Deletion

Data is retained only as long as necessary for lawful and operational purposes:

  • **Account Data:** Active + up to 7 years post-closure (for legal/tax compliance)
  • **PHI:** Retained or deleted per BAA and applicable health regulations
  • **Analytics Data:** Aggregated or anonymized data retained up to 26 months
  • **Backups:** Encrypted backups purged automatically within 90 days

10. Cookies and Tracking

We use cookies to operate and secure our website, and optional cookies for analytics or marketing. Manage your consent anytime in our Cookie Policy.

11. Children’s Privacy

Our services are intended for users aged **18 and older**. We do not knowingly collect data from individuals under 18, and we comply with **COPPA** regarding users under 13.

12. Policy Updates

We may modify this Privacy Policy to reflect legal or operational changes. Material updates will be announced via email, in-app message, or website notice.

The 'Last Updated' and 'Version' fields indicate the current version.

13. Contact and Data Protection Officer

For privacy inquiries or to exercise your rights, contact:

Data Protection Officer
Spyglass Systems LLC
PO Box 4033, Davis, CA 95617, USA
Email: legal@aroundnotes.ai

Response Time: We will respond to privacy requests within 30 days (or 45 days for CPRA requests).

This Privacy Policy is effective as of October 9, 2025
Version 2.2