IGNITE Health Systems
Your Privacy Matters

Privacy Policy

We're committed to protecting your privacy and being transparent about how we handle your data.

Last updated: March 2026

Introduction

  • IGNITE Health Systems LLC ("IGNITE," "we," "our," or "us") is committed to protecting your privacy.
  • This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our websites at ignitehealthsystems.com and ignitehealthpartnership.com, our mobile application Rapid Response Central, and related services (collectively, the "Services").
  • If you are a healthcare provider or patient using MEDFlow or other features that involve protected health information (PHI), our HIPAA Notice of Privacy Practices provides additional protections — see ignitehealthsystems.com/npp.

Information We Collect — What You Provide

  • Account Information: Name, email, password, medical specialty, training program, graduation year — used for account creation and management.
  • Profile Information: Professional credentials, institutional affiliation, PGY year, practice name and location — used for personalization and provider directory listings.
  • Payment Information: Credit/debit card details processed by Stripe, Inc. — used for subscription billing.
  • Study Data: Question responses, flashcard reviews, study notes, bookmarks, exam results — used for spaced repetition scheduling, performance analytics, and learning personalization.
  • Clinical Data (MEDFlow): Patient records, appointments, medications, prescriptions, allergies, lab results, visit notes — used for clinical workflow functionality (see HIPAA section).
  • Cost Comparison Data: Insurance plan details, household size, age, location, anticipated healthcare utilization — used for DPC vs. insurance cost calculations.
  • Insurance Documents: Insurance card images, EOB documents — used for cost profile creation and AI-assisted data extraction.
  • Communications: Support requests, feedback, chat messages — used for service improvement and support.

Information Collected Automatically

  • Device Information: Device type, operating system, browser type, app version — used for compatibility and debugging.
  • Usage Data: Pages visited, features used, study session duration, question performance metrics — used for service improvement and analytics.
  • Log Data: IP address, access times, referring URLs — used for security and abuse prevention.
  • Sync Data: Cross-device synchronization tokens, device identifiers — used for multi-device experience consistency.

How We Use Your Information

  • Providing the Services: delivering QBank questions, computing spaced repetition schedules (FSRS algorithm), generating anonymized performance analytics (minimum cohort size of 20), operating MEDFlow clinical workflows, processing DPC cost comparisons, synchronizing data across devices.
  • Improving the Services: analyzing usage patterns, training AI models that power chat and content generation, computing aggregate statistics for curriculum development (never individually identifiable).
  • Communications: service-related notifications (account verification, password resets, subscription updates), educational content (newsletters, study reminders) where opted in, responding to support inquiries.
  • Safety and Compliance: detecting fraud and security threats, complying with legal obligations, enforcing Terms of Service.

How We Share Your Information

  • We do not sell your personal information.
  • Service Providers: Cloudflare (hosting, CDN, edge computing), Supabase (authentication, user database), Stripe (payment processing), Google Gemini API (AI-powered chat features), Sentry (error monitoring, PHI scrubbed), Hetzner (knowledge graph hosting — no PII/PHI).
  • Anonymized and Aggregated Data: aggregate question difficulty statistics, cohort performance benchmarks (minimum n=20, k-anonymity enforced), platform usage metrics.
  • Legal Requirements: we may disclose information if required by law, regulation, or governmental request.
  • Business Transfers: in the event of a merger, acquisition, or sale, your information may be transferred as part of that transaction.

Data Storage and Security

  • Account and study data: Supabase/Neon PostgreSQL (AWS us-east-2), encrypted at rest (AES-256).
  • Knowledge graph content: Memgraph (Hetzner, Germany) — no PII/PHI stored.
  • Clinical records (MEDFlow): Cloudflare D1 (edge), AES-256-GCM field-level encryption for all PHI.
  • Insurance documents: Cloudflare R2, AES-256-GCM encryption at rest.
  • Security measures: AES-256-GCM encryption for all PHI at rest, TLS 1.3 for all data in transit, JWT/JWKS-based authentication with ES256 signing, role-based access controls, HIPAA audit logging.

Data Retention

  • Account data: retained for the life of your account plus 30 days after deletion.
  • Study progress: retained for the life of your account (required for spaced repetition continuity).
  • Clinical records (MEDFlow): retained per applicable medical records retention laws (minimum 7 years for adults).
  • Audit logs: retained for a minimum of 6 years per HIPAA requirements.
  • Payment records: retained per tax and financial reporting requirements.
  • Cached data: automatically expired (typically 5 minutes to 24 hours).

Your Rights and Choices

  • Account Controls: update profile information, export study data, delete your account through app settings or by contacting support.
  • Communication Preferences: adjust notification settings, unsubscribe from marketing emails. Essential service communications cannot be opted out of.
  • California Residents (CCPA/CPRA): Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale (we do not sell personal information), Right to Non-Discrimination.
  • Contact [email protected] for privacy rights requests.

Children's Privacy

  • The Services are not intended for individuals under 18.
  • We do not knowingly collect personal information from children under 18.
  • If we become aware that we have collected personal information from a child under 18, we will take steps to delete it promptly.

International Users

  • The Services are operated from the United States.
  • By using the Services, you consent to the transfer of your information to the US and other countries where our service providers operate.
  • We take appropriate steps to ensure your information receives adequate protection wherever it is processed.

Changes to This Privacy Policy

  • We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law.
  • Material changes will be communicated by posting a notice on our website and, where required by law, by email notification.
  • Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes.
  • We encourage you to periodically review this page for the latest information on our privacy practices.

HIPAA and Protected Health Information

  • MEDFlow, patient records, and insurance document processing involve protected health information (PHI) as defined by HIPAA.
  • When processing PHI on behalf of healthcare providers using MEDFlow in Practice Mode, IGNITE acts as a Business Associate under HIPAA.
  • The educational platform (ignitehealthsystems.com) generally does not involve PHI.
  • All PHI is encrypted at rest (AES-256-GCM), encrypted in transit (TLS 1.3), accessible only through authenticated requests, subject to HIPAA audit logging, and stored separately from educational data.
  • For HIPAA-specific inquiries, contact: [email protected]

Contact Us

If you have questions about this Privacy Policy or your personal data, please reach out: