What happens when a learner uses AI.
Synthetic-first practice. Provider calls only when AI runs.
Public previews and course examples use synthetic or sanitized banking scenarios. The course does not require customer records to complete the labs.
When AiBI Lab or Toolbox runs an AI response, the prompt, system instructions, and conversation context are sent to the selected provider for that response.
Server-side checks block common PII patterns and prompt-injection attempts before a request reaches a model. Injection blocks cannot be overridden.
The app stores account data, assessment responses, course progress, saved artifacts, support cases, and usage metadata needed to operate the product.
The course is designed so customer data is not needed.
Provider terms are reviewed, but the safest rule is still no PII.
Commercial API
Commercial terms state that Anthropic may not train models on Customer Content from the Services.
API Platform
OpenAI states API inputs and outputs are not used to train models by default and may be retained up to 30 days for service and abuse monitoring, except where a different endpoint or feature applies.
Gemini API paid services
Google states paid Gemini API prompts and responses are not used to improve products; prompts and responses may be logged for a limited period for safety, security, and required disclosures.
Retention, subprocessors, residency, and override handling.
AiBI keeps account, assessment, enrollment, certificate, saved-artifact, support, payment/provisioning, and usage-metadata records while needed to provide the product, operate support, investigate abuse, handle disputes, satisfy tax or legal obligations, and maintain launch evidence. Assessment resume drafts expire after 30 days. Institution rollouts can define stricter retention or deletion expectations before seats are assigned.
AI usage logs store user id or hashed IP, feature, provider/model, token and cost totals, status/error state, timestamps, and non-content PII flag/override metadata when applicable. They intentionally do not store raw prompt text or matched PII values.
Core application data is stored in Supabase and Vercel-hosted application infrastructure. Email is sent through Resend. Payments run through Stripe. Model requests may route to Anthropic, OpenAI, or Google Gemini depending on the feature and model selected. Residency follows those providers and configured services; AiBI does not currently offer a self-serve single-region residency guarantee.
AiBI does not currently claim SOC 2, ISO 27001, FedRAMP, GLBA, or other third-party security certification status. For institution rollouts, request a security packet or DPA review before seats are assigned; provider SOC 2 reports should not be treated as AiBI certification.
Paid Toolbox flows may let a learner confirm that a PII warning is from fabricated sample data and send anyway. Prompt-injection blocks cannot be overridden. A confirmed send records non-content audit metadata; it does not store the prompt text or matched value in the usage log.
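A sketch of the screening and logging behavior described above (server-side checks, the non-content usage log, and the PII override), as an added example that is not AiBI's own code. The patterns, field names, status strings, and salt are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

# Constructed patterns for illustration; a production screen would be broader.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
INJECTION_PATTERNS = [
    re.compile(r"ignore (?:all |any )?(?:previous|prior) instructions", re.I),
    re.compile(r"reveal (?:your|the) system prompt", re.I),
]
LOG_SALT = b"constructed-demo-salt"  # assumption: a server-side secret in practice


def hash_ip(ip: str) -> str:
    """Keyed hash so the log never holds the raw address."""
    return hmac.new(LOG_SALT, ip.encode(), hashlib.sha256).hexdigest()[:16]


def screen_request(prompt, ip, feature, confirmed_fabricated=False):
    """Return (allowed, log_record). The record holds categories and flags only."""
    pii_categories = sorted(k for k, p in PII_PATTERNS.items() if p.search(prompt))
    injection = any(p.search(prompt) for p in INJECTION_PATTERNS)
    if injection:
        status = "blocked_injection"  # checked first: confirmation cannot override it
    elif pii_categories and not confirmed_fabricated:
        status = "blocked_pii"
    else:
        status = "sent"
    record = {
        "ts": int(time.time()),
        "hashed_ip": hash_ip(ip),
        "feature": feature,
        "status": status,
        "pii_flags": pii_categories,  # category names, never the matched values
        "pii_override": bool(pii_categories) and status == "sent",
    }
    return status == "sent", record


if __name__ == "__main__":
    # Constructed sample prompt; the SSN and IP address are fabricated.
    print(screen_request("Member SSN 123-45-6789 disputes a fee", "203.0.113.7", "toolbox"))
```

The prompt text is never copied into the record, so a reviewer can audit overrides from the log without the log itself becoming a store of sensitive content.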
AI output is a draft until a banker owns it.
Need a direct answer for IT or risk?
Email hello@aibankinginstitute.com. For institution rollouts, the Institute can scope the approved tool path and data boundary before seats are assigned.