Parent Academy — Module 1 is free.Start free
Bright StepsBehavior Transformation Support
Sign in
HomeAcademyJourneyCommunityWinsBright GuidePre-IEP AssistantHard MomentAffirmationsRoadmapIEP HelperBehaviorJournalBefore You BookResources

Privacy Policy

Last updated: 5/25/2026

What we collect

  • Account info: name, email, password hash.
  • Payment info: handled by Stripe; we receive only a customer ID and amount — never your full card number.
  • Usage data: basic analytics (pages visited, errors). No third-party advertising trackers.
  • Cookies: a session cookie to keep you signed in, plus a local preference for the cookie banner.

What we collect about your child

You may choose to provide information about your child to generate behavior plans (BIPs), IEP/504 support, journal entries, ABC logs, and care-team briefs. This may include:

  • Identifiers: first name or nickname, age or grade.
  • Disability and diagnosis information you enter (e.g. ADHD, autism, learning disability, IEP/504 category).
  • Behavioral and sensory details: triggers, calming strategies, strengths, interests, hard moments, medications you choose to log.
  • School documents you upload (IEPs, evaluations, behavior reports) stored in a private, per-account folder.
  • Communications logs (school emails, teacher exchanges) you save in the app.

How this data is protected:

  • Stored under your account only — other parents cannot see it, and Bright Steps staff do not browse user records.
  • Row-level security in the database enforces that only you (the account owner) can read or write your child's records. Server-side triggers prevent changing a record's owner.
  • Uploaded documents live in a private storage bucket scoped to your user ID; the bucket is not publicly listable.
  • AI providers process prompts to generate plans but are contractually prohibited from training on your data. We send only the minimum context needed.
  • An internal access log records administrative actions on confidential tables and is retained for 365 days.
  • You can delete any child profile, document, or log at any time from inside the app; deletion is immediate.

Bright Steps is a parent-support and educational planning tool. It does not replace professional educational, medical, or legal advice, and the records you keep here are not a clinical or school record.

How we use it

To deliver the Service, generate plans you request, process payments, send transactional emails, and improve the product.

How we share it

We do not sell your data. Limited sharing with processors required to run the Service:

  • Hosting & database (Lovable Cloud / Supabase)
  • Payments (Stripe)
  • AI processing (model providers; prompts are sent for plan generation)

Children's data (COPPA)

Information about children is provided by parents/legal guardians. We do not knowingly collect data directly from children under 13. Parents can request deletion of their child's data at any time from the account page.

Security

Data is encrypted in transit (TLS) and at rest. Access is restricted via role-based controls and database row-level security.

Your rights

You may access, correct, export, or delete your data. EU/UK users have additional rights under GDPR; California users under CCPA. Use the account page or contact us to exercise these rights.

Retention

We keep account data while your account is active. On deletion, personal data is removed within 30 days, except where retention is required by law (e.g. payment records).

International transfers

Data may be processed in the United States. By using the Service you consent to this transfer.

Contact

Questions or data requests: reach us through the in-app support channel.

See also: Terms of Service · Refund Policy