Privacy Policy — Foresight

Effective date: July 6, 2026

This Privacy Policy explains how Ibis SaaS Holdings LLC ("Ibis SaaS Holdings," "we," "us," or "our") collects, uses, discloses, and protects information in connection with Foresight, our web platform for EMS education available at foresight911.com ("Foresight" or the "Service"). Foresight lets instructors and educational programs author NREMT-format assessment items, deliver exams to their own students, and view cohort analytics. It is an authoring, delivery, and analytics tool.

Foresight is an early-stage product. We describe our practices honestly and will update this Policy as the Service matures. If a specific written agreement between us and your institution (for example, a Data Processing Agreement) conflicts with this Policy, that agreement controls for the data it covers.

For questions about this Policy, contact us at info@foresight911.com.

Scope and Who This Policy Covers

This Policy applies to the Foresight web platform and the foresight911.com marketing website. It covers three groups of people:

  • Instructors and program administrators who create accounts, author assessment items, deliver exams, and view analytics.
  • Students who are enrolled by an instructor or program and who take exams that instructors deliver through Foresight.
  • Visitors to our marketing website who have not signed in to the application.

When an educational institution or program uses Foresight for its students, the institution generally acts as the party that decides what data is collected and why (often called the data controller), and Foresight acts as a service provider processing that data on the institution's behalf and under its instructions. The institution's own privacy notices may also apply to students, and this Policy should be read alongside them.

This Policy does not cover third-party websites, products, or services that we do not operate, even if they link to or from Foresight.

Information We Collect

We collect only the information needed to operate the Service. We do not collect Protected Health Information (PHI), and Foresight is not designed to receive it. Assessment content on the platform uses fictional patient vignettes only; it is not real patient data.

Account information. When an instructor, administrator, or student account is created, we collect information such as name, email address, and institution or program affiliation and role. Account credentials are handled through our authentication provider.

Assessment content and responses. We store the assessment items that instructors and programs author, and we store the responses students submit when they take exams.

Timing and usage data. To operate exams and the application, we collect timing and usage information such as when an exam is started and submitted, per-question or per-session timing, log-in activity, and standard technical data (for example, IP address, browser type, and device information) generated when the Service is used.

Performance metrics. We derive and store performance and analytics information, such as scores and cohort-level outcome measures, so that instructors and programs can review results.

Payment information. We do not collect or store payment-card numbers. Any payments or subscription billing are handled by Stripe, a third-party payment processor, and card data is provided directly to Stripe rather than to us.

We do not collect PHI, and we ask that users not enter real patient identifiers or clinical records into the Service.

How We Use Information

We use the information described above to:

  • Provide, operate, and maintain the Service, including authenticating users, delivering exams, grading responses, and generating analytics.
  • Enable instructors and programs to author assessment items and review student and cohort performance.
  • Maintain the security and integrity of the Service, including enforcing single-attempt limits, detecting misuse, and keeping database-level activity records.
  • Communicate with account holders about their accounts, service-related notices, and support requests.
  • Support billing and administration of institutional or individual subscriptions through our payment processor.
  • Comply with legal obligations and enforce our agreements.

We do not sell personal information, and we do not sell student data. We do not use student assessment responses for advertising or to build advertising or behavioral profiles.

AI Features and Subprocessors

Foresight offers an optional AI feature that helps instructors generate and refine draft assessment items. This feature runs only when an instructor chooses to use it (for example, by clicking "Generate"). When it runs, only the instructor's topic or prompt input and related item-authoring content are sent to our AI providers. We use the OpenAI and Anthropic APIs for AI item generation and refinement.

Student assessment responses are not sent to AI providers and are not used to train AI models. AI is invoked only for instructor-initiated item authoring, not for grading or processing student answers.

We rely on the following subprocessors to provide the Service. We treat all of them as operating with United States data residency:

  • Supabase — database, authentication, and file storage.
  • Vercel — application hosting and content delivery.
  • Stripe — subscription billing and payment processing.
  • Resend — transactional email (for example, account and service notifications).
  • OpenAI and Anthropic — AI item generation and refinement, as described above.

We will maintain a current list of subprocessors and provide updates to institutions as set out in any applicable Data Processing Agreement. Each subprocessor is engaged to process data only as needed to provide its part of the Service.

Student Data and FERPA

For institutional use, Foresight is designed to operate under the "school official" exception of the Family Educational Rights and Privacy Act (FERPA), 34 CFR § 99.31(a)(1)(i)(B). Under this model, once an institution designates Foresight as a school official with a legitimate educational interest — typically through a signed Data Processing Agreement — Foresight processes student education records only to provide the Service, under the institution's direction and control, and does not disclose those records except as permitted by that agreement and applicable law.

We state this prospectively. Foresight does not claim to currently operate as a school official for any institution that has not designated it in a signed agreement. Where no such agreement is in place, the institution remains responsible for its own FERPA obligations, and Foresight processes data as described elsewhere in this Policy.

When an institution uses Foresight, the institution is the controller of its students' education records. Foresight acts as a processor and service provider on the institution's behalf. We do not sell student data, we do not use student data for advertising, and we do not use student assessment responses to train AI models. Upon request and consistent with any applicable agreement, we support institutions in exercising their rights over their students' data, including export and deletion.

Cookies and Analytics

We use a limited set of cookies and similar technologies that are necessary to operate the Service, such as maintaining a signed-in session.

On our marketing website only, we use two privacy-conscious analytics tools to understand aggregate traffic, such as page views and traffic sources: Google Analytics 4, configured with IP anonymization and with advertising and ad-personalization signals disabled; and Metricool, a cookieless analytics tool that estimates page views and visitor country from IP address without setting cookies.

Neither tool loads on the instructor or student application pages. We do not run marketing analytics on the pages where instructors author items or where students take exams.

Data Security

We take reasonable, industry-standard measures to protect the information in our care. These include:

  • Encryption in transit using TLS 1.2 or higher on connections to the Service.
  • Encryption at rest using AES-256 for stored data, with keys managed by our infrastructure provider.
  • Row-level security in our database, so that tenant and record boundaries are enforced at the data layer rather than only in the application.
  • Database-level activity logs retained through our infrastructure provider; structured, tamper-evident audit logging of significant events (such as publish, enrollment, and role changes) is on our near-term roadmap.
  • United States data residency for the systems that store Service data.

Assessment integrity controls include storing answer keys separately from question content so they are not readable by a student session, writing scores only through the server-side grader, and enforcing single-attempt limits at the database layer.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. As an early-stage company, we continue to expand and mature our security program over time.

Data Retention

We retain account information, assessment content, responses, timing and usage data, and performance metrics for as long as an account or institutional relationship remains active and as needed to provide the Service.

For institutional use, retention, export, and deletion of student data are governed by the institution's instructions and any applicable Data Processing Agreement. When an institution or account holder requests deletion, or when a relationship ends, we will delete or return the associated data as provided in that agreement or, absent an agreement, within a reasonable period, except where we are required to retain certain records to comply with law, resolve disputes, or enforce our agreements. Standard backups and infrastructure logs are retained by our providers on their normal cycles and then overwritten or deleted.

We may retain aggregated or de-identified information that does not reasonably identify any individual.

Your Rights and Choices

Depending on your role and applicable law, you or your institution may have rights to access, correct, export, or delete personal information.

  • Instructors and account holders can review and update much of their account information within the Service, and can contact us for additional assistance.
  • Students should generally direct requests about their education records to their institution, which controls that data. We will support the institution in responding.
  • Institutions may exercise access, export, and deletion rights over their data as described in this Policy and any applicable Data Processing Agreement.

To make a request or ask a question about your information, contact us at info@foresight911.com. We may need to verify your identity or confirm your relationship to an institution before acting on a request. Where a request concerns institution-controlled student data, we may refer you to, or coordinate with, the relevant institution.

Children's and Student Data

Foresight is intended for use by educational instructors, programs, and their enrolled students, and is not directed to the general public or to children for personal use.

Some EMS education pipelines include students who are minors. Where an institution enrolls students who are under 18, we process their data only to provide the Service to that institution, under its direction, and consistent with any applicable Data Processing Agreement and applicable student-privacy laws. For minors, we do not use student data for advertising, we do not build behavioral profiles, and we do not make commercial use of student data beyond providing the Service. Where a law or the institution requires parental or guardian consent, we look to the institution to obtain and manage that consent.

We do not knowingly collect personal information directly from children outside of this institutional context. If you believe a student's information has been provided to us other than through an authorized institutional relationship, contact us at info@foresight911.com.

Changes to This Policy

We may update this Policy from time to time as the Service evolves or as legal requirements change. When we make material changes, we will update the effective date above and, where appropriate, provide additional notice through the Service or by email to account holders.

Because Foresight is early-stage, we expect this Policy to be revised as our features and compliance program mature. Your continued use of the Service after an update takes effect indicates your awareness of the revised Policy, subject to any applicable agreement with your institution.

Governing Law

This Policy and any dispute arising out of or relating to it or the Service are governed by the laws of the State of Florida, without regard to its conflict-of-laws principles, except where a mandatory law of the user's or institution's jurisdiction applies. Nothing in this section limits any rights that a student or institution has under FERPA or other applicable education-privacy laws.

How to Contact Us

Foresight is a product of Ibis SaaS Holdings LLC, a single-member limited liability company.

For privacy questions, data requests, or general inquiries, contact us at info@foresight911.com.

Institutions seeking a Data Processing Agreement or additional procurement and compliance documentation may reach us at the same address.

Foresight is a product of Ibis SaaS Holdings LLC. This page is provided for general information and is not legal advice.