Privacy Policy

Operator: Brickell Bay Group LLC ("BBG", "we", "us") · Product: X·Sim · Last updated: 3 July 2026

Privacy-conscious by design. X·Sim is a training simulator. It does not collect real patient health information (PHI) — all simulated patient data is fictional. We keep the personal data we do collect to the minimum needed to run instructor accounts, billing, and live sessions. Audio and video, if you enable them, flow directly between participants and are not recorded by us.

1. Who we are

X·Sim is operated by Brickell Bay Group LLC (Florida, USA), the controller of the personal data described here. For account and billing data, BBG is the controller; for student participation data handled during a session, the hosting instructor or their institution is the controller and BBG acts as a processor. Contact details are in Section 11.

2. What we collect and why

| Data | How it's handled & why |
| --- | --- |
| Student identity | Students need no account. The display name a student enters is shared with their instructor for attendance during the live session and is held on the instructor's device — not stored in our database. |
| Instructor / organization accounts | When an instructor signs up we store their email, name, organization, a salted cryptographic hash of their password (never the password itself), subscription tier and status, role, and timestamps (created, last seen) in our database (Cloudflare D1, USA). Purpose: to create and secure the account and provide paid features. Legal basis (where applicable): performance of a contract. |
| Organization seat accounts | Organization admins may create instructor seat accounts (email + name) for their members. The organization is responsible for notifying those members and having a lawful basis to add them. |
| Payments | Handled by Stripe. We store only a Stripe customer reference and subscription/discount status — never full card numbers. Stripe processes your payment details under its own privacy policy. Purpose: to take payment and manage subscriptions. |
| Session cookie | One signed, HttpOnly, Secure cookie keeps instructors logged in for up to 30 days. It contains only an account reference — no personal data — and is strictly necessary; it is not used for advertising or cross-site tracking. |
| Security & audit logs | We record limited events (e.g., account actions, admin actions, failed-login counts) to protect the Service against abuse. Legal basis: legitimate interests in security. |
| Simulated patient vitals & rhythms | Fictional; generated in your browser. During a session they pass peer-to-peer between the instructor and trainee only. Not personal data. |
| Session code / link | A random room identifier used only to connect two browsers. Not tied to your identity. |
| Microphone / camera streams | Optional. Streamed peer-to-peer in real time to the other participant, encrypted in transit. Not recorded or stored by the Service. Off unless you grant browser permission (camera also requires an explicit in-app consent). |
| Button-press / device events | During a session, the trainee's simulated device actions are sent to the instructor's screen for coaching. They describe simulator interactions, not personal data, and are not persisted after the session ends. |
| Technical data | To connect and secure the Service, our infrastructure providers process IP addresses and standard request metadata (see Sections 3–4). |

3. Signaling & connectivity

To set up the direct peer-to-peer connection, X·Sim uses a third-party WebRTC signaling broker (PeerJS) and public STUN servers. These exchange the technical information (network candidates and session descriptions, including IP addresses) needed to connect two browsers. Your media does not pass through us. If direct connection fails on restrictive networks, a relay (TURN) server may be used; if so, media transits that relay in transport-encrypted form. WebRTC media is encrypted in transit (DTLS-SRTP).

4. Service providers (sub-processors)

We share personal data only with providers that help us run the Service, under contracts that limit their use of it:

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We may disclose data if required by law, to enforce our Terms, or to protect the rights, safety, and security of users or the public, and in a merger, acquisition, or asset sale (with notice where required).

5. Local storage

X·Sim keeps small values in your browser (e.g., a chosen role, display name, or session code) to make the app work and to prefill forms. This stays on your device and is not sent to us. Clearing your browser data removes it.

6. Data retention

We keep account data for as long as your account is active and as needed to provide the Service. When an account is deleted, we remove the account record and any organization seat accounts and rooms it owns; residual copies in backups or logs are purged on our normal cycle. Billing records held by Stripe are retained as required for tax and accounting. Session media and simulated data are not retained after a session ends. Security/audit logs are kept for a limited period.

7. International transfers

We operate in the United States, and our providers may process data there. If you access the Service from outside the U.S., you understand your data will be transferred to and processed in the U.S. and other countries where our providers operate. Where required, transfers rely on appropriate safeguards such as standard contractual clauses offered by our providers.

8. Your rights & choices

We will verify requests against the requesting account and respond within the time required by applicable law. An authorized agent may submit a request with proof of authorization.

9. Security & honest limits

We use industry-standard measures: passwords are stored only as salted PBKDF2 hashes, sessions use a signed HttpOnly/Secure cookie, database queries are parameterized, admin access is key-protected, payment webhooks are signature-verified, and traffic is encrypted with TLS. WebRTC media is encrypted in transit. No method of transmission or storage is perfectly secure, however, and anyone with a session link can join that session — share links only with intended participants and use the AV features only where appropriate and with everyone's consent. If a breach affects your data, we will notify you and regulators as required by law.

10. Children & not a HIPAA-covered service

X·Sim is intended for adult learners and professionals. It is not directed at children under 13, and we do not knowingly collect their data; if we learn we have, we will delete it. X·Sim is a training simulator and is not designed to handle real PHI. Do not enter or capture real patient information. If an institution wishes to use it in a workflow subject to HIPAA, FERPA, or similar laws, that institution is responsible for its own compliance assessment and for obtaining any required consents.

11. Changes & contact

We may update this Policy; material changes will be noted by the "Last updated" date and, where appropriate, by additional notice. Privacy questions and data-rights requests: pino1894@gmail.com. Sales and general questions: pino1894@gmail.com. Mailing address available on request to Brickell Bay Group LLC, Florida, USA.
