Privacy Policy
Last updated: April 2026
1. About BrightPath
BrightPath (“we,” “our,” or “us”) provides an educational guidance platform to help U.S. parents understand their child's possible learning differences and navigate special education processes under IDEA. BrightPath is not a medical service and does not provide diagnoses. All results are guidance only.
HIPAA Notice
BrightPath is not a HIPAA covered entity. We are not a healthcare provider, health plan, or healthcare clearinghouse, and we do not provide medical diagnoses or treatment. Information you enter about your child's developmental or behavioral characteristics is educational guidance data only. However, we treat this information with the highest level of care and apply security measures equivalent to HIPAA standards.
2. Information We Collect
Account information: Email address and password when you create an account. All other information (child's name, age, grade, state) is optional and used only to personalize your results and letters.
Assessment responses: Your answers to indicator questions and any free-text notes you enter. These may include information about your child's developmental, behavioral, or learning characteristics. We treat this as sensitive data (see Section 3).
Daily log entries: Mood ratings, category tags, and notes you enter in the Daily Log feature.
Payment information: We do not store payment card details. Payments are processed by Stripe, which is PCI-DSS compliant. We receive only subscription status and a customer reference number.
3. Sensitive Data — Children's Health Information
Important
Assessment responses and daily logs may describe your child's developmental, behavioral, or learning characteristics. We classify this as sensitive personal data and apply heightened protections to it. This data is used solely to generate your personalized guidance and is never shared with third parties for commercial purposes.
By submitting an assessment or daily log, you confirm that:
- You are the parent or legal guardian of the child described
- You consent to BrightPath processing this information to generate your guidance, next steps, and letters
- You understand that this information may be transmitted to our AI sub-processor (Anthropic) solely to generate content — see Section 5
4. Children's Privacy (COPPA)
BrightPath is designed for parents and guardians, not for children to use directly. We do not knowingly collect personal information from children under 13.
BrightPath does collect information about children (name, age, grade) that is entered voluntarily by their parent or guardian. This information is entirely optional and is used only to personalize that parent's guidance. We treat all child-related data with the highest level of care: it is never shared with third parties for commercial purposes, never used in advertising, and never used for any purpose other than generating that parent's specific guidance.
If you believe that a child under 13 has provided us with personal information directly, please contact us at privacy@brightpathapp.org and we will promptly delete it.
5. FERPA Considerations
BrightPath is a private tool for parents and does not connect to, receive data from, or share data with any school or educational institution. Any school-related information you enter is for your own reference only. We are not an educational agency or institution subject to FERPA, but we respect its principles and apply equivalent protections to any child-related information stored on our platform.
6. How We Use Your Information
- To generate your assessment results and condition indicator analysis
- To create personalized daily tips, next steps, and IEP guidance
- To generate letters for sharing with doctors or schools (at your request)
- To send deadline reminder emails (if you set them up)
- To manage your subscription and account
- To improve the platform (using anonymized, aggregated data only)
We never sell your data. We never use your data for advertising. We never share individually identifiable information with third parties except as required to operate the service (see Section 7 for a full list of sub-processors).
Letter Generation
To generate personalized letters and guidance summaries, BrightPath uses the Claude API provided by Anthropic, Inc. When you request a letter or guidance summary, relevant information (such as your child's age, grade, and assessment results) is transmitted to Anthropic's API servers solely to generate that content. Anthropic does not use API-submitted data to train its AI models. Data sent to the API is subject to Anthropic's API Privacy Policy.
7. Third-Party Sub-Processors
We share data with the following trusted sub-processors, each of whom is contractually bound to protect your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase / AWS | Database storage | All account and assessment data (encrypted) |
| Anthropic, Inc. | AI letter & guidance generation | Assessment data, child age/grade (for letter generation only) |
| Resend | Transactional email | Email address, reminder content |
| Stripe | Payment processing | Email address, subscription status (no card data stored by us) |
| Microsoft Clarity | Session recordings & heatmaps | Anonymized interaction data (clicks, scrolls, page views). No personal or child data. |
| Google (Ads / gtag) | Ad conversion tracking & remarketing | Page visit data, ad click attribution. No personal or child data. |
8. Data Storage and Security
Your data is stored in a secure database provided by Supabase, hosted on AWS in the United States. We apply the following security measures:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher (HTTPS)
- Encryption at rest: Database storage is encrypted using AES-256
- Access controls: Row Level Security (RLS) ensures your data is accessible only to you
- Sensitive data handling: Assessment responses and child-related data are treated as a separate, elevated-protection category
We apply reasonable technical and organizational measures to protect your information against unauthorized access, loss, or disclosure.
9. Data Retention
We retain your data for as long as your account is active or as needed to provide the service. Specific retention periods:
- Account and login data: Retained until you delete your account
- Assessment responses and daily logs: Retained for the life of your account; remain accessible on the free tier after cancellation
- Generated letters: Retained for the life of your account (parents may need these for school or medical records)
- Payment records: Retained as required for tax and accounting purposes (typically 7 years)
- Anonymized analytics: Retained indefinitely (cannot be linked back to any individual)
On account deletion, all personally identifiable data is deleted within 30 days unless retention is required by law. Backup copies are purged within 90 days.
10. Data Breach Notification
In the event of a data breach that may affect your personal information, we will notify affected users by email as soon as practicable and in any case within 72 hours of becoming aware of the breach. Our notification will describe: (a) what data was involved; (b) what steps we have taken to address the breach; and (c) what steps you can take to protect yourself. Where required by applicable law, we will also notify relevant regulatory authorities.
11. Your Rights
You have the right to:
- Access all personal data we hold about you
- Correct inaccurate information
- Delete your account and all associated data
- Export your data in a machine-readable format
- Withdraw consent for any optional data processing
- Object to or restrict processing of your personal data
To exercise any of these rights, email us at privacy@brightpathapp.org. We will respond within 30 days.
12. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the personal information we collect, use, disclose, and sell
- Right to Delete: You may request deletion of personal information we hold about you
- Right to Correct: You may request correction of inaccurate personal information
- Right to Opt-Out of Sale: BrightPath does not sell your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights
Residents of Virginia (VCDPA) and Colorado (CPA) have similar rights. To exercise any of these rights, contact privacy@brightpathapp.org.
13. Cookies & Analytics
BrightPath uses essential cookies required for authentication and session management. In addition, we use the following analytics and advertising tools to improve the platform and measure the effectiveness of our outreach:
- Microsoft Clarity: Records anonymized session replays and heatmaps to help us understand how visitors use the site. Clarity automatically masks sensitive content. No personally identifiable information is collected. You can learn more at clarity.microsoft.com.
- Google Ads (gtag.js): Measures ad campaign performance and enables remarketing. This may set cookies to track page visits originating from Google Ads. No child-related data, assessment responses, or health information is shared with Google.
These tools do not have access to any assessment responses, daily log entries, child-related data, or letter content. They track only general site usage such as page views, scroll depth, and click patterns. You can block these tools using your browser's cookie settings or a privacy extension.
14. Changes to This Policy
We may update this policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. Continued use of BrightPath after changes take effect constitutes acceptance of the updated policy. The “Last updated” date at the top of this page reflects the most recent revision.
15. Contact Us
For privacy questions, data requests, or concerns: privacy@brightpathapp.org