The short version: Rounds is built for de-identified clinical use. We do not require patient names or medical record numbers to function. We do not sell your data. We do not use clinical information you enter to train AI models. Individual nurses use Rounds free, and their data is theirs.
Overview
Sirius AI ("Sirius," "we," "us," or "our") operates Rounds, a clinical documentation assistance platform. This Privacy Policy explains how we collect, use, store, and protect information when you use Rounds at rounds.sirius-ai.co or through any associated services.
Rounds is designed from the ground up to protect patient privacy. The free individual tier operates on de-identified clinical data — room numbers, clinical notes, and diagnoses — without requiring any patient-identifiable information. Hospitals and health systems that wish to use Rounds with full Protected Health Information (PHI) must execute a Business Associate Agreement (BAA) with Sirius AI.
Information we collect
Account information. When you create a Rounds account, we collect your name, email address, password, professional role, credentials, hospital, and unit. If you sign in with Google, we receive your name and email from Google's authentication service.
Professional verification information. If you complete credential verification, we collect your NPI number or nursing license number. We use this to query publicly available government registries (the CMS NPI Registry and the Nursys database). We do not store any information beyond what you provide and what the registry returns.
Clinical documentation you create. When you use Rounds during a shift, you enter de-identified patient information — room numbers, clinical notes, diagnoses, vitals, and shift observations. On the free individual tier, this information must not include patient names, dates of birth, or medical record numbers. This information is stored under your account and used to generate AI-assisted documentation.
AI-generated content. Morning briefs, shift handoffs, SBAR scripts, clinical suggestions, and translations generated by Rounds are stored and associated with your account so you can reference them during and after your shift.
Usage data. We collect information about how you use Rounds — features used, pages visited, actions taken, and session duration. This helps us improve the product.
Communications. If you contact us by email or through the platform, we retain that correspondence.
Payment information. If you subscribe to a paid plan, payments are processed by Stripe. We do not store your credit card number. Stripe's privacy policy governs the handling of payment data.
Technical data. We collect your IP address, browser type, device type, and operating system when you access Rounds.
How we use your information
We use the information we collect to:
- Create and manage your account and professional profile
- Generate AI-assisted documentation, suggestions, translations, and SBAR scripts
- Verify your professional credentials through publicly available registries
- Display you in the staff directory to verified colleagues at your hospital
- Facilitate patient transfers, care team communications, and direct messages between staff
- Enforce free tier usage limits and rate limits
- Send transactional emails — account confirmation, password resets, billing receipts
- Improve the platform based on usage patterns
- Detect and prevent fraud, abuse, or violations of our Terms of Service
- Comply with legal obligations
We do not use clinical information you enter into Rounds to train AI models. The clinical notes, patient data, shift observations, and other documentation you create are processed to generate outputs for your use. They are not retained by our AI providers for model training beyond what their published policies specify.
Patient data — de-identification by design
Rounds is designed so that individual nurses can use it effectively without entering any Protected Health Information (PHI). The free individual tier requires only de-identified clinical data:
- Room number (not a HIPAA identifier on its own)
- Age in years (not date of birth)
- Sex
- Diagnosis or procedure
- Clinical observations, vitals, and notes
None of the above, in the combinations required to use Rounds, constitutes PHI under HIPAA when patient names, MRNs, and other direct identifiers are excluded.
Do not enter patient names, dates of birth, medical record numbers, Social Security numbers, or any other direct patient identifiers into Rounds on the free individual tier. Doing so without a signed BAA is a violation of HIPAA and these Terms.
Hospitals and health systems that enroll in a Team or Enterprise plan and execute a BAA with Sirius AI may use Rounds with full PHI. In those cases, Sirius AI acts as a Business Associate under HIPAA and handles PHI in accordance with applicable law and the signed BAA.
AI processing
Rounds uses AI systems to generate documentation assistance, clinical suggestions, translations, and SBAR scripts. When you submit information to generate AI content, that information is transmitted to our AI service provider for processing.
We have selected AI providers that offer Business Associate Agreements and data processing terms appropriate for healthcare contexts. Clinical information you submit is processed in real time to generate your requested output. It is not used to train AI models by us or our providers beyond what is described in their published data use policies.
AI-generated content may contain errors, omissions, or inaccuracies. All AI-generated content must be reviewed and verified by a licensed healthcare professional before use. See our Terms of Service for the full clinical disclaimer.
How we share your information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
We share information only in the following circumstances:
- Staff directory. Your name, role, unit, credentials, and verification status are visible to other verified Rounds users at your hospital when you opt into the directory. You can turn this off in account settings.
- Care team features. When you send a message, leave a care team thread note, or initiate a patient transfer within Rounds, the content of that communication is visible to the intended recipient(s).
- Service providers. We work with Supabase (database and authentication), Stripe (payments), Vercel (hosting), and AI processing providers. These vendors have access to your information only to provide services on our behalf and are bound by data processing agreements.
- AI processing. Clinical information you submit for AI-generated outputs is transmitted to our AI service providers for real-time processing. We have BAAs with these providers where applicable.
- Legal requirements. We may disclose information if required by law, regulation, or valid legal process.
- Business transfers. If Sirius AI is acquired by or merged with another company, your information may be transferred as part of that transaction. We will notify you before this occurs.
Audit logs and access records
Rounds maintains an audit log of every patient record lookup performed by staff members. This log records who accessed which patient record, when, and for what stated reason. This is a HIPAA compliance feature that protects patients and supports your institution's data access policies.
Audit log data is retained for a minimum of six years in accordance with HIPAA record retention requirements for covered entities and business associates.
Data retention
We retain your account and profile information for as long as your account is active. If you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal or compliance reasons.
Patient records and shift documentation are retained for as long as your account is active. Discharged patient records are archived and retained indefinitely to support continuity of care and audit requirements. Audit log data is retained for a minimum of six years.
You may request deletion of your personal data at any time by contacting us. Note that some data — particularly audit logs — may be subject to legal retention requirements that prevent immediate deletion.
Security
We implement industry-standard security measures appropriate for healthcare-adjacent data:
- All data transmitted between your browser and our servers is encrypted via HTTPS/TLS
- All data stored in our database is encrypted at rest
- Row-level security policies ensure each user can only access their own data and data they are authorized to see
- Access controls limit which Sirius AI team members can access platform data
- Audit logs track all access to patient records within the platform
No system is 100% secure. If you discover a security vulnerability, please report it to us at samleebu12@gmail.com before disclosing it publicly.
In the event of a data breach that affects PHI, we will notify affected users and, where applicable, the U.S. Department of Health and Human Services in accordance with HIPAA breach notification requirements.
Your rights
You have the following rights regarding your personal information:
- Access. You can request a copy of the personal information we hold about you.
- Correction. You can update your account information at any time from account settings.
- Deletion. You can request deletion of your account and associated data by emailing us.
- Directory opt-out. You can opt out of the staff directory at any time from account settings.
- Data portability. You can request an export of your personal data in a machine-readable format.
To exercise any of these rights, contact us at samleebu12@gmail.com. We will respond within 30 days.
If you are located in the European Economic Area, United Kingdom, or California, you may have additional rights under GDPR or CCPA. Contact us to exercise those rights.
HIPAA and Business Associate Agreements
Rounds is designed for individual use with de-identified data and does not require a BAA for the free individual tier when used as designed.
For hospitals, health systems, and any use case involving PHI, Sirius AI is willing to execute a Business Associate Agreement. To request a BAA, contact us at samleebu12@gmail.com. BAA execution is required before PHI may be entered into the platform.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice within the platform before the changes take effect. Your continued use of Rounds constitutes acceptance of the updated policy.
Contact us
Questions about this Privacy Policy, your data, or our HIPAA compliance:
- Email: samleebu12@gmail.com
- Website: rounds.sirius-ai.co