Equanimity Labs
Menu

Privacy Policy

Effective date: [Insert effective date]

Last updated: April 1, 2026

1. Scope

This Privacy Policy describes how Equanimity Labs, Inc. ("Equanimity Labs," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Equanimity Labs website at equanimitylabs.org, the PRISM platform at prism.equanimitylabs.app, and related services (collectively, the "Services"). PRISM may include, without limitation, PRISM Studio, PRISM Classroom, PRISM Study Agent, PRISM Decks, and PRISM Rounds.

The Services are designed for use by postsecondary institutions, including universities, medical schools, graduate programs, residency and fellowship programs, and affiliated faculty, staff, learners, and authorized administrators. If you access the Services through an institution, that institution may have separate notices, policies, or agreements that also apply.

2. Institutional Role; FERPA

When PRISM is provided through a postsecondary institution, Equanimity Labs may receive, access, process, maintain, or host information on behalf of that institution, including information the institution treats as education records or personally identifiable information from education records under the Family Educational Rights and Privacy Act ("FERPA").

In those circumstances, the institution is generally the educational agency or institution responsible for determining:

  • whether information is an education record under FERPA;
  • who has legitimate educational interests in that information;
  • whether disclosure may be made under the school-official exception or another FERPA exception;
  • how requests to inspect, review, amend, or delete education records will be handled; and
  • what retention, return, or deletion requirements apply under the institution's agreement with us.

Where the institution relies on FERPA's school-official exception to disclose education records to us, Equanimity Labs acts only to provide the contracted institutional services, subject to the institution's control, written agreements, and applicable law. We do not acquire ownership of education records by hosting or processing them for an institution.

At postsecondary institutions, FERPA rights generally belong to the student as an eligible student rather than to the parent, except as otherwise permitted by law.

3. Information We Collect

We may collect the following categories of information:

  • Account and profile information, such as name, institutional email address, role, institution, authentication details, and account preferences.
  • Learning, assessment, and platform content, such as prompts, responses, cases, notes, assessments, drafts, course materials, submissions, feedback, and related activity within the Services.
  • Institution-provided configuration and administrative data, such as course structures, rosters, classroom settings, permissions, content libraries, and administrative preferences.
  • Usage and technical information, such as IP address, browser type, device information, timestamps, logs, session data, and feature usage information.
  • Billing and transaction information, such as billing contacts, subscription details, invoices, and payment status information processed by our payment providers.
  • Communications, such as information you provide when contacting us for support, legal, privacy, billing, or security matters.

Unless a separate signed agreement expressly permits it, do not submit protected health information, real patient records, Social Security numbers, or other regulated sensitive data into the Services.

4. How We Use Information

We use information we process to:

  • provide, host, operate, maintain, support, and secure the Services;
  • authenticate users and administer accounts, organizations, classrooms, and subscriptions;
  • deliver course-related, case-based, simulation, assessment, analytics, and other educational workflows authorized by the institution;
  • respond to support requests, investigate incidents, detect abuse, and protect the integrity of the Services;
  • comply with law, enforce our agreements, and protect the rights, safety, and security of Equanimity Labs, institutions, users, and others; and
  • generate internal operational analytics, diagnostics, and service-improvement insights using de-identified or aggregated information where permitted by applicable law and institutional agreement.

We do not use institutional user content or FERPA-covered data to train public-facing or general-purpose foundation models.

5. AI Features and Model Providers

PRISM includes AI-assisted features. To provide those features, we may use cloud and AI service providers, including Microsoft Azure and Azure OpenAI Service, and other subprocessors described in our applicable institutional agreements or subprocessor disclosures.

When institutional data is processed through these providers for PRISM functionality:

  • the providers act as service providers or subprocessors to support delivery of the Services;
  • the data is processed only as needed to provide the requested functionality, subject to applicable contractual and technical controls;
  • we do not permit institutional data or FERPA-covered data to be used by us to train public-facing or general-purpose models; and
  • any additional use of institutional data will occur only if authorized by the institution and permitted by law.

AI outputs may be incomplete, inaccurate, or inappropriate for a particular educational context and should be reviewed by users and faculty before reliance.

6. How We Share Information

We may disclose information only as follows:

  • With the institution and its authorized users. We may make information available to the institution and to faculty, staff, administrators, reviewers, and other users authorized by the institution, consistent with their roles, the institution's settings, and legitimate educational, administrative, security, or support needs.
  • With service providers and subprocessors. We may disclose information to vendors that help us host, secure, support, maintain, communicate about, or bill for the Services, provided they are bound by appropriate contractual restrictions.
  • For legal, safety, and security purposes. We may disclose information where required by law or where reasonably necessary to enforce our agreements, respond to legal process, investigate misuse, or protect rights, safety, and security.
  • In a business transaction. We may disclose information in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to applicable confidentiality, contractual, and legal protections.

We do not sell personal information from institutional users, and we do not share such information for cross-context behavioral advertising.

7. Access Controls and Legitimate Educational Interests

We use role-based and other access controls designed to limit access to information based on function and need. For institution-managed accounts, the institution is responsible for determining which users should have access to which categories of information. Equanimity Labs personnel access institutional data only where necessary to provide support, maintain and secure the Services, investigate incidents, comply with law, or perform other functions authorized by the institution and our agreements.

8. Retention and Deletion

We retain information for the period necessary to provide the Services, satisfy contractual obligations, maintain security and business records, comply with law, and resolve disputes.

For institution-managed data, including education records and related content, retention, return, and deletion are governed primarily by the applicable institutional agreement, subject to legal obligations, security logs, backup cycles, and operational constraints. We will delete or return institutional data as required by that agreement.

9. Access, Amendment, and Other Rights

If you use the Services through a postsecondary institution, requests relating to education records, including requests to inspect, review, amend, or delete those records, should generally be directed to your institution. We will reasonably assist the institution in responding to such requests as required by our agreements and applicable law.

If you contact us directly about institution-managed information, we may redirect your request to the institution or coordinate with the institution before taking action.

For non-institutional personal information, or where applicable privacy law grants direct rights, you may contact us at privacy@equanimitylabs.com.

10. Security

We use administrative, technical, and organizational measures designed to protect the information we process. These measures may include encryption in transit and at rest, role-based access controls, logging and monitoring, key-management practices, environment separation, and multifactor authentication for administrative access, as appropriate.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. International Processing

We may process information in the United States and other jurisdictions where we or our service providers operate. Where required by law, we will use appropriate safeguards for cross-border transfers.

12. Public Website, Cookies, and Similar Technologies

We may use cookies, local storage, and similar technologies to maintain sessions, authenticate users, remember preferences, secure the Services, and understand service usage. We do not use institutional user data for targeted advertising.

13. Children's Information

The Services are intended for postsecondary education environments and are not directed to children under 13. If we learn that we have collected personal information directly from a child under 13 in a manner not permitted by law, we will take appropriate steps to address it.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make a material change, we will post the revised version and update the effective or last-updated date. If an institutional agreement requires a different notice process, that agreement will control to the extent of any conflict.

15. Contact Information

Privacy questions or requests may be sent to privacy@equanimitylabs.com. Security questions may be sent to security@equanimitylabs.com.