Ibis LearningIbis Learning
Ibis Learning

Active learning through conversation

Working draft — pending qualified healthcare IP counsel review. This document describes Ibis Learning's current posture in plain English. It is not legal advice and has not yet been reviewed by an attorney licensed to practice in the United States. It will be replaced with a counsel-reviewed version before we accept paying customers. If you are evaluating whether to trust your data to Ibis Learning, please contact us directly with questions.

Ibis Learning

Privacy Policy

Effective: 2026-04-19 · Draft v1

Ibis Learning is a continuing education platform for licensed healthcare professionals, built and operated by Ibis Core Systems (a Tennessee-based company). This policy explains what information we collect when you use the service, why we collect it, how long we keep it, and the choices you have.

1. Information we collect

Account information

When you create an account we collect your name, email address, a password (stored only as a one-way cryptographic hash — we never see your plaintext password), your profession, and optionally your license state. If you subscribe we collect billing information through our payment processor, Stripe; we do not store your card details on our servers.

Session content

When you use Ibis Learning's core voice or text features, we record the text of your side of the conversation, the text of the assistant's response, timestamps, and derived engagement information (how long you spent, which topics you engaged with, whether checkpoints were completed). For voice sessions, audio is streamed live to and from our model provider but we do not persist raw audio on our servers — only the transcribed text and the metadata about the session.

Operational data

We log technical information needed to operate the service: browser type, approximate request timing, error events, and anonymized performance metrics. When something goes wrong we send scrubbed error details to our error-monitoring provider (Sentry) with personally identifiable fields removed.

2. What we do NOT want you to give us

Ibis Learning is an educational platform, not a clinical documentation tool. Do not enter Protected Health Information (PHI) about patients into sessions. Our Terms of Service prohibit it, and our content pipeline includes a scrubbing layer that detects and redacts common PHI patterns before your utterance reaches our model provider. If PHI-like content is detected, it is masked in the record we retain and never transmitted to third-party vendors.

Even so: please do not type or speak identifiable patient information into sessions. Frame clinical questions as general cases, not as specific ones.

3. How we use the information

We use the data described above to:

  • Deliver the service. Generate the AI responses you interact with, compute your engagement time, award credit, issue certificates.
  • Maintain compliance records. For any session that produces a certificate, we retain the full session record as an auditable trail so that licensing boards, accreditors, and you can verify the certificate's authenticity years later.
  • Improve the product. Aggregate engagement patterns tell us which topics are under-served, which responses are under-confident, and where our corpus needs improvement. This work is always on aggregated, not individual-identifiable, data.
  • Communicate with you. Send transactional email (account confirmation, password reset, certificate notifications). We do not send marketing email without your explicit opt-in.

4. How we retain your data

We run a two-tier retention model, chosen deliberately so you know what's kept and why:

Compliance-evidence tier

Session transcripts, certificates, and the event chain that links a learner's engagement to an issued credit are retained for at least 7 years — the standard retention window for nursing continuing professional development activity files under ANCC accreditation requirements. These records are append-only: they are never edited or deleted after the fact. Access is limited to you (for your own records), our internal Nurse Planner (for quality sampling), and regulatory auditors under a documented protocol.

Product-insight tier

Aggregate engagement statistics — what topics are popular, where learners spend time, how often the assistant flags low-confidence responses — are retained for product improvement. This tier does not include your individual session content. For enterprise customers (hospitals, health systems), the aggregate statistics for their own workforce may be visible to their authorized reporting users; individual session transcripts are never shared with an employer. This is the bright line in our architecture and it is not configurable.

5. Vendors we share information with

We use the following third-party processors to operate the service. Each is bound by a contract to use your data only as we direct:

  • OpenAI — our model provider. Processes utterances and produces responses. We use the standard API tier today, which means OpenAI may retain traffic for up to 30 days for abuse monitoring. This will change to zero-data- retention (ZDR) with a signed Business Associate Agreement before we serve enterprise customers.
  • Neon / PostgreSQL — our database host.
  • Vercel — our application hosting.
  • Stripe — payment processing. They see your billing information; we only see a non-sensitive reference.
  • Resend — transactional email delivery.
  • Sentry — error monitoring. We strip PHI-pattern and credential-like content before sending.

We do not sell your data. We do not share your data with advertisers. We do not use your data to train third-party AI models beyond what is needed to generate your own responses.

6. Your rights

You have the right to access, correct, export, or delete your personal information. To exercise any of these rights, email privacy@ibislearn.com from the email address on your account. We will respond within 30 days.

Note on deletion: we can delete your account and personal information, but we are required to retain the compliance-evidence tier of any certificates that have already been issued to you. You will always have access to those certificates.

7. Security

Passwords are hashed with bcrypt. Transport is encrypted with TLS. Our ledger tables (certificates, session events) are engineered to be append-only at the database level so they cannot be tampered with. Application errors are monitored and alerted. We are not yet SOC 2 certified; certification is a post-launch priority.

8. Children

Ibis Learning is intended for licensed healthcare professionals and is not directed at children. We do not knowingly collect information from anyone under 18.

9. Changes to this policy

When we materially change this policy we will notify active account holders by email at least 14 days before the changes take effect. We keep a changelog of all past versions on request.

10. Contact

Questions or concerns? Email privacy@ibislearn.com or reach us through the footer of any authenticated page.