Threat model · what "secure" actually means here

The actual threat to your med-school notes is not a hacker.

Most articles on this topic spend their first paragraph on encryption and their second paragraph on a password manager. Useful, mostly irrelevant. The realistic risks for a medical student in 2026 take a different shape: an honor-code citation from a forgotten public Quizlet set, a classmate at the library workstation you forgot to sign out of, and an AI study tool that pools uploaded lecture decks into a cross-user question bank a stranger can search.

This page walks through that actual threat model. Five concrete threats. What the popular guides recommend. What Studyly does about each one. And one short pre-upload checklist you can apply to any tool, not just this one.

Matthew Diakonov

The threat model that matters

A useful definition of "secure study notes" for this population is narrower than the generic guides imply. You are a medical student. Your notes consist mostly of lecture slides and PDFs your professor distributed under an implicit personal-use rule, plus your own cards and write-ups. The realistic adversaries are not state-level. They are your school's honor-code committee, the classmate at the next workstation, and the design choices of the third-party app you uploaded the slides into.

Encryption-at-rest matters less than whether your decks are publicly discoverable by another logged-in student. Two-factor auth matters less than whether the explain-my-answer panel paraphrases from a generic web source or quotes your own upload. Password managers matter, but they are table stakes; they are not the differentiator.

Below is the threat list, ranked by how often I have heard a real version of it described by a real student.

Honor code referral from a public set

A study set that contains copyrighted lecture slides goes public by default. A faculty member finds it. The conversation that follows is not about your study habits.

Library workstation tab left open

You sign into your study app on the medical library iMac, get paged for a small group, and walk off. The next person sits down at your account.

Cross-user question pool

An AI study tool indexes uploads. The question you generated from professor X's slide deck becomes searchable by a classmate looking for shortcuts.

Paraphrased explanation drift

Your tool's 'why was I wrong' panel paraphrases from the open web. The paraphrase contradicts what your professor actually taught, and you study the wrong thing for a week.

Identifiable patient detail in a case write-up

You drop a clinical case into a study tool to make flashcards. It still has the patient's age, MRN, and unit number from your rotation.

Account-level scraping of your decks

An unrelated browser extension or tool you authorized harvests your study sets in the background. You do not notice for a semester.

The honor-code surface, in detail

The most common bad outcome here is not data theft. It is a conversation with a faculty member about why a study set containing your professor's copyrighted lecture slides is sitting on a public study-tool URL with the lecture title in the meta description, findable by anyone in the program. That outcome arrives by accident, almost always. The student uploaded the deck, generated cards or questions, and did not flip the visibility setting from default-public to private.

The fix the popular guides recommend is "remember to set your visibility to private." That is not really a fix. The real fix is using a tool where there is no public-set surface at all. If the product does not have a community browser of student-uploaded decks, the toggle does not exist to forget.

Studyly's default state is private and there is no community-set browser. The questions generated from your upload live in your account. The explain-my-mistake panel pulls a verbatim quote from a specific page of your own PDF, which is the next section.

Where your upload travels (and where it does not)

Participants: You, Studyly app, Your PDF, Other student

  • Upload Anatomy_I_Lecture_4.pdf
  • Stored in your workspace
  • 200 questions generated (60s)
  • Tap explain on wrong answer
  • Pull verbatim quote, p. 47, lines 18-22
  • Quote returned, scoped to your account
  • Explanation with quote from your PDF
  • Search community sets for the lecture title
  • No community surface to search

The last exchange in the flow above is the load-bearing one for the security story. A second logged-in student who tries to find the questions you generated from your professor's deck does not get a permission denial. They get a missing surface. There is nowhere to search.

Anchor fact · the part that is checkable

The explain panel quotes your PDF, page 47, lines 18-22.

When you tap "explain my mistake" on a wrong answer, the panel does not paraphrase from the open web. It pulls a verbatim quote from a specific span of the PDF you uploaded. If you uploaded Anatomy_I_Lecture_4.pdf, the explanation cites page 47 of that file by file name, page number, and line range.

That detail matters for two reasons. First, factual correctness: the answer is grounded in the document your professor actually wrote, so it cannot drift toward a different textbook or a paraphrase. Second, the quote stays inside your workspace. Nothing about your slide deck has to leave your account to produce the explanation. A community-pool tool needs to summarize the source from a generic question bank, which means the source has to live somewhere a stranger can reach it.

What each tool actually does about the threats above

The columns below are the typical community-pool study tool versus Studyly. Most rows look similar; the differences cluster on the rows where a public surface exists or does not.

Same threats, two different default states.

| Feature | Typical community-pool study tool | Studyly |
| --- | --- | --- |
| Default visibility of generated study sets | Often public-by-default with a community browse surface. Set must be flipped to private manually. | Private to your account. There is no community-set browser to flip a toggle on. |
| Cross-user discoverability of your uploads | Some AI tools pool uploads; another student searching for the same lecture deck can land on questions generated from your file. | Decks live in your per-account workspace. Other accounts do not see your uploads or the questions made from them. |
| Source for the 'explain my mistake' panel | Paraphrased from a generic web summary, sometimes from a different textbook than yours. | Verbatim quote from a specific page of your uploaded PDF. The quote stays inside your workspace. |
| Honor-code surface area | A forgotten public-visibility toggle is enough to put copyrighted lecture content in front of a faculty member who searches for it. | No community surface, so the toggle does not exist to forget. |
| Account isolation on shared library computers | Same as any browser-based tool: your decks are visible to whoever sits down at the keyboard if you stay logged in. | Same browser-based reality. Sign out, the same way you would on any tool. |
| Deletion path | Varies. Sometimes self-service, sometimes by email, sometimes neither. | Email hello@studyly.io from the address you signed up with. Request goes to deletion. |

The shared-workstation problem

This one is honest and worth saying directly: Studyly does nothing unusual about it. The medical library has a row of iMacs. You sign in, get paged for small group, walk off. The next person sits down at your account. That is true on Studyly, on Quizlet, on Anki sync, on any browser-based study tool that respects a session cookie.

The real defense is procedural: sign out before walking away from a shared workstation. Locking the screen is not equivalent on a shared device. If your school has a policy about session length on shared computers, that policy is the one that applies, not the tool's.

The pre-upload checklist below is the short version, applicable to Studyly and to any tool you might compare it against.

Pre-upload checklist · applies to any study tool

  • Confirm your school's policy on uploading copyrighted lecture slides to third-party study tools. Many policies allow personal use; many forbid public sharing.
  • Read the tool's default visibility setting before your first upload. If new study sets default to public, change the default before you start drilling.
  • Check whether the 'explain my answer' feature pulls from your own source or paraphrases from the open web. Paraphrase from the open web is a quiet leak surface and a factual-drift surface.
  • If you are uploading a clinical case write-up, strip identifiers (name, age, MRN, unit, attending) the same way you would before a journal club.
  • Sign out of any study tool on a shared library workstation before walking away. 'Trust this device' is not a real defense against the next person at the keyboard.
  • Audit the third-party browser extensions and connected apps that have read access to your study tool every semester.
  • Keep a record of how to delete your account and uploads from each tool. For Studyly, that is an email to hello@studyly.io from the address you signed up with.
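One way to run the extension audit from the checklist, as an added example that is not part of the original page: it reports which Chrome-style extension manifests declare host access covering the study app's origin. The manifests are constructed, the function names are chosen here, and matching is origin-level only (paths are ignored).

```python
from urllib.parse import urlsplit

# Constructed manifests standing in for the manifest.json of installed extensions.
MANIFESTS = [
    {"name": "Tab Tidy (constructed)", "permissions": ["storage", "tabs"]},
    {"name": "Coupon Helper (constructed)", "host_permissions": ["<all_urls>"]},
    {"name": "Deck Exporter (constructed)",
     "permissions": ["storage", "https://*.jungleai.com/*"]},
    {"name": "News Reader (constructed)",
     "content_scripts": [{"matches": ["https://news.example/*"], "js": ["c.js"]}]},
]

def pattern_covers(pattern, url):
    """True if a match pattern (scheme://host/path) covers the URL's origin."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission such as "storage", not a host pattern
    scheme, rest = pattern.split("://", 1)
    host = rest.split("/", 1)[0]
    target = urlsplit(url)
    if scheme not in ("*", target.scheme):
        return False
    if host == "*":
        return True
    if host.startswith("*."):  # wildcard covers the base domain and subdomains
        base = host[2:]
        return target.hostname == base or target.hostname.endswith("." + base)
    return target.hostname == host

def host_patterns(manifest):
    """Collect every host pattern a manifest declares (MV2 and MV3 layouts)."""
    pats = list(manifest.get("host_permissions", []))       # MV3
    pats += manifest.get("optional_host_permissions", [])   # MV3, grantable later
    pats += manifest.get("permissions", [])                 # MV2 mixes hosts in here
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def audit(manifests, url):
    """Map extension name -> declared patterns that reach `url`."""
    report = {}
    for manifest in manifests:
        hits = [p for p in host_patterns(manifest) if pattern_covers(p, url)]
        if hits:
            report[manifest.get("name", "?")] = hits
    return report
```

Anything in the report can read pages on that origin while you are signed in, so each entry should be an extension you recognize and still need.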

What about clinical-rotation notes?

A separate question, since the threat model is different. If your notes contain identifiable patient detail (name, MRN, unit, age in combination with date and a specific procedure), they should not be in any external study tool. Strip the identifiers before upload, the same way you would before posting a case to a journal club. Studyly is not HIPAA-compliant and does not need to be for the realistic use case, which is studying anatomy and pharmacology from your professor's lecture decks. A de-identified case write-up is fine. A copy-paste from your clinical workflow is not.

If your school has a clinical-data policy that explicitly forbids entering any patient-derived material into third-party tools even after de-identification, follow that policy. The tool cannot police this for you, and pretending otherwise would be dishonest.
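A pre-upload pass for the identifier classes named above (name, age, MRN, unit, attending), as an added example that is not Studyly's code. The patterns, the `scan` and `redact` helpers and the sample write-up are constructed for illustration; the patterns are heuristics, so a clean scan is a prompt for a manual read, not proof of de-identification.

```python
import re

# Heuristic patterns (assumptions for this example, not a validated
# de-identification standard). Dates are included because the page flags
# age in combination with date and procedure.
PATTERNS = {
    "MRN": re.compile(r"\bMRN\s*[:#]?\s*\d{5,10}\b", re.I),
    "AGE": re.compile(r"\b\d{1,3}\s*-?\s*(?:y/?o|years?[- ]old)\b", re.I),
    "UNIT": re.compile(r"\b(?:unit|ward|room|bed)\s*[:#]?\s*[A-Z]?\d+[A-Z]?\b", re.I),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "ATTENDING": re.compile(r"\b(?i:attending)\s*:?\s+(?:Dr\.?\s+)?[A-Z][a-z]+"),
    "NAME": re.compile(r"\b(?:Mr|Mrs|Ms|Miss|Dr)\.?\s+[A-Z][a-z]+"),
}

# Constructed case write-up; every detail in it is invented.
SAMPLE = """\
Mr. Alvarez is a 67 y/o male admitted 03/14/2026 to Unit 4B.
MRN: 00482913. Attending: Dr. Okafor.
Presented with crushing substernal chest pain radiating to the left arm.
Troponin elevated; ECG showed ST elevation in leads II, III, aVF.
"""

def scan(text):
    """Return (line_number, kind, matched_text) for every likely identifier."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            hits += [(number, kind, m.group(0)) for m in pattern.finditer(line)]
    return hits

def redact(text):
    """Replace each match with a [KIND] placeholder, leaving clinical content intact."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[{kind}]", text)
    return text

if __name__ == "__main__":
    for number, kind, matched in scan(SAMPLE):
        print(f"line {number}: {kind}: {matched!r}")
    print(redact(SAMPLE))
```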

Try it on tomorrow's lecture deck

Drop the deck in. The questions and the explanations stay in your account.

Free tier on app.jungleai.com, no credit card. Email gate sends a one-click access link. Decks are private to your workspace by default; there is no community surface to forget to flip a toggle on.

Common questions about secure study notes for med-school

What does 'secure' actually mean for a medical student's study notes?

It is rarely the threat model the popular guides assume. Most med students are not being targeted by a sophisticated attacker. The realistic threats are three: a publicly-shared Quizlet set that contains copyrighted lecture slides and ends up on the wrong dean's desk; a classmate spotting your study set on a shared library workstation because you stayed logged in; and an AI study tool that pools uploaded materials so the question you generated from professor X's slide deck becomes searchable by another user. A useful definition of 'secure' for this context is: my decks stay in my account, are not part of a cross-user public pool, and the explanation panel quotes my own upload back at me rather than a generic web summary.

Where does Studyly store the lecture slides I upload?

In a per-account workspace gated by the email you signed up with. The decks are uploaded to the underlying study app at app.jungleai.com (Studyly is a marketing site that gates traffic into Jungle, the app). Per the privacy policy, your email is shared with Jungle Inc. for account provisioning and with Resend for the welcome email; nothing else. The questions generated from your slide decks are tied to your account, not added to a cross-user, searchable public question bank.

Could a classmate find a question I generated from our shared lecture deck?

Not by browsing other users' decks, no. Studyly does not have a public question-bank surface where one student's uploads become discoverable to another student by searching for the lecture title. The question pool generated from your upload lives in your account. If you choose to export to Anki and share the .apkg file, that is on you, but the default state is private to your account.

What about the explanation when I get a question wrong: does it leak my source PDF anywhere?

The 'explain my mistake' panel quotes verbatim from a page of your uploaded PDF. The quote stays inside the explanation panel inside your account; it is not posted to a community feed, indexed in a search bar, or published anywhere a classmate could find it. The quote is the source of truth for why your answer was wrong, which is the whole point: a generic paraphrase from the open web is worth less and is also more likely to introduce factual drift.

How is this different from Quizlet's privacy settings?

Quizlet has historically had public sets as a default surface area. A med student who uploads a study set generated from copyrighted lecture slides and forgets to flip the visibility toggle has, on more than one campus, been the subject of an honor-code referral. The fix is not 'make your set private,' it is 'use a tool whose default does not surface your study materials to strangers.' Studyly's default is private, and there is no community-set browser to flip the toggle on.

Does Studyly read my notes to train an AI model?

Honest answer: the questions you see are generated from your upload using the model. Your upload is processed to produce questions for you. The privacy policy does not commit one way or the other on aggregate model training, so if that specific concern is load-bearing for your school's policy, email hello@studyly.io and ask before uploading. The page's claim is narrower: your slide decks are not exposed to other students, and the explain panel quotes your own PDF back at you, not someone else's.

Is Studyly HIPAA-compliant?

No, and it does not need to be for the realistic use case. A medical student's lecture slides are educational content (anatomy diagrams, pharmacology charts, pathology slides), not protected health information about a real patient. If your study notes contain identifiable patient data from a clinical rotation, that should not be in any external study tool, period. Strip identifiers before uploading, the same way you would before posting a case to a journal club.

What should I check before uploading any lecture material to any study tool?

Three things, in order: (1) your school's policy on sharing copyrighted lecture slides with third-party services. Some schools forbid it outright; many require it be for personal use only. (2) Whether the tool's default visibility setting puts your generated content on a public surface. If yes, change it before your first upload. (3) Whether the explanation feature pulls from your own source or paraphrases from the open web. Paraphrasing is a quiet leak surface and is also a factual-drift surface.

Can I delete my account and remove my uploaded decks?

The marketing-site privacy policy says you can email hello@studyly.io from the address you signed up with to request deletion of your record. Inside the underlying study app, deletion is account-level. If your school requires you to be able to remove your slide decks from any third-party service on demand, that policy line is the path: email, request deletion, get confirmation.

Why does the 'explain my mistake' feature matter for the security story?

Because the alternative is a paraphrase from the open web. A paraphrase from the web means the model has reached outside your account for source material, and the answer can drift from what your professor actually taught. A verbatim quote from your PDF, by contrast, is auditable: you can flip back to page 47 of your own upload and confirm the line. That makes the explanation both more accurate and a smaller leak surface, because nothing about your study material has to leave your workspace to produce it.