Privacy Policy
Effective date: 2026-04-14 · Last updated: 2026-07-13
1. What Hippo is (and is not)
Hippo is a personal surgical training companion. It is not an official training record, credentialing system, or accreditation platform unless your program has explicitly entered into an institutional agreement with us. You should continue to use your program's official learning-management system (Elentra, MedHub, New Innovations, one45, Entrada, etc.) for any records your program requires.
2. Data we collect
- Account data: email, name, specialty, institution, PGY year, role.
- Case logs: procedure, date, role, autonomy level, operative time, approach, and free-text notes/reflections that you enter yourself.
- EPA observations: ratings, attending information, and free-text comments.
- Device & audit data: IP address and user-agent when you take sensitive actions (case edits, sign-offs, exports). Retained in the audit log.
- Website acquisition data: public page views, campaign parameters, referring website, calls-to-action clicked, and a first-party session identifier. We use a 90-day first-party attribution cookie to understand which Hippo pages and referrals produce signups or pilot requests.
- Pilot contact data: when you request an institutional pilot, we collect the business contact, institution, role, program details, message, and your permission for Hippo to follow up.
- No PHI by design: Hippo does not ask you for patient names, dates of birth, medical record numbers, or any direct identifiers. Our notes fields are scrubbed for obvious PHI tokens before storage, but you are responsible for not entering PHI.
3. How we use it
To provide the product, generate the analytics and briefs you see in the app, respond to requested pilot inquiries, understand which public educational content is useful, and maintain security and integrity of the service. We do not sell your data. We do not show third-party advertising. We do not share your data with your program unless you explicitly opt in.
4. Where it lives
Primary storage is Supabase (Postgres) with encryption at rest and in transit. Files you upload are stored in Supabase Storage. For a full list of subprocessors see Subprocessors.
5. AI processing
Some features (morning brief, debrief parsing, dictation refinement, PHI preflight, feed drafts) send content to third-party large-language-model providers. Our default provider is Groq running open-weight Llama 3.3 70B. Every AI vendor we use has committed in their commercial terms of service that inputs and outputs are not used to train their models. We additionally regex-scrub every prompt on our server to remove obvious patient identifiers before it leaves our infrastructure, as defense-in-depth. You should still never enter patient names, health-card numbers, MRNs, or dates of birth into any free-text field. You can disable AI features in Settings if you prefer fully local processing.
6. Your rights
- Access & export: download a complete archive of your data from Settings → Data Export. This is machine-readable JSON and includes everything we hold for your account.
- Correction: edit anything you've entered from within the app.
- Deletion: request full account deletion from Settings → Delete account. We purge within 30 days, except for audit-log entries retained for legal/compliance reasons for up to 7 years (de-identified).
- Audit trail: see every action taken on your account at Settings → Audit Log.
7. Privacy Officer
Under PHIA and PIPEDA, Hippo is required to designate an individual accountable for our privacy practices. This person investigates complaints, processes access requests, and is your single point of contact for anything privacy-related.
Privacy Officer: Karim Sidhom, Founder
Email: privacy@hippomedicine.com
Response SLA: acknowledgement within 48 hours, substantive response within 30 days.
8. Contact & escalation
Complaints, access requests, or corrections should first go to the Privacy Officer above. If you are not satisfied with our response, you may escalate to:
- Manitoba Ombudsman (for PHIA matters in Manitoba) — ombudsman.mb.ca
- Office of the Privacy Commissioner of Canada (for PIPEDA matters) — priv.gc.ca
- Your provincial or national supervisory authority if you are outside Manitoba.
Hippo reserves the right to update this policy. Material changes will be notified in-app.