Brighten Learning Privacy Policy

Effective Date: January 1, 2026
Applies To: Brighten Learning, Inc. products and services, including web portals, mobile apps, and integrations (collectively, the “Services”).

  1. Scope & Audience

This Privacy Policy explains how Brighten Learning (“we,” “us,” or “Brighten”) collects, uses, discloses, and safeguards personal information across the following customer segments:

  • K–12 Institutional (Domestic) – U.S. schools/districts (FERPA/COPPA as applicable).
  • International Education – Non‑U.S. schools/districts (global terms).
  • Residential Education (Home-Based) – Parent acts as administrator (direct COPPA consent where applicable).
  • Clinical/Behavioral Enterprise – HIPAA only with paid Compliance Add‑On (BAA required).
  • Commercial Organization – Non‑education businesses.

Roles covered: Student, Teacher, Admin, Parent, Organization Admin, Brighten Support.

Compliance Add‑On Requirement: Brighten does not assume HIPAA, FERPA, state-specific, or other specialized compliance obligations unless the purchasing organization has the correct license tier and has entered into the paid Compliance Add‑On (e.g., DPA/BAA), as applicable.

  1. Information We Collect

We collect information as required to provide the Services and as permitted by law, which may include:

  • Account & Profile Data: Names, emails, role, school/organization, administrative contact, credentials, settings.
  • Student Learning Data: Course enrollments, progress, activity logs, submissions, usage metrics.
  • Device & Technical Data: App/device identifiers, OS/version, IP address, browser/app telemetry, cookies, crash logs.
  • Support & Communications: Tickets, chat/email transcripts, feedback, audit logs.
  • Payment & Billing: Billing contact, transaction metadata, limited payment details (processed by PCI‑compliant providers).
  • Compliance Artifacts (Add‑On Only): Where applicable and purchased,BAA/DPA, privacy annexes, and related configuration.
  1. How We Use Information

We use personal information to:

  • Provide & improve Services.
  • Administer accounts and licenses.
  • Ensure safety and integrity.
  • Comply with law and contracts.
  • Communicate service notices and support updates.

We do not sell student personal information or use it for behavioral advertising.

  1. Legal Bases (International Education)

For non‑U.S. entities, we rely on legitimate interests, contractual necessity, consent (e.g., parental consent for Residential), and legal obligations as applicable under local law.

  1. Segment-Specific Compliance
  • K–12 Institutional (U.S.): Supports FERPA/COPPA compliance as required by law. State-specific obligations only apply when executed via paid add‑ons.
  • Residential Education: Parent provides direct consent for minors where required.
  • Clinical/Behavioral Enterprise: HIPAA applies only with correct license + paid BAA.
  • Commercial Organization: General commercial terms apply.
  1. Disclosure of Information

We disclose information:

  • To Organization/Parent Admins for account oversight and legitimate educational or operational purposes.
  • To authorized subprocessors for hosting, analytics, support, and payments (contractually bound to limited use).
  • For safety, legal compliance, or in connection with business transfers.

School or Teacher Requests: When schools or teachers request information (such as administrator contact details), Brighten will disclose only contact information (never passwords, login credentials, or access tokens) and only to verified school officials for legitimate educational purposes, consistent with applicable law (e.g., FERPA). Verification may include matching the requester’s email domain to the school, confirming their role in the Organization Admin console, and/or seeking confirmation from a designated Organization Admin. Brighten may decline or request additional verification if reasonable confidence cannot be established.

Brighten maintains a list of authorized subprocessors used to deliver the Services. This list is updated as needed and is available upon request by contacting privacy@brightenlearning.com.

  1. Data Security

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit, access controls, and monitoring. No system is perfectly secure.

  1. Retention & Deletion

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, or maintain business records as permitted by law.

  • Organization/School Accounts: Retained for the duration of the relationship and may be archived indefinitely for legitimate business purposes such as recordkeeping, compliance, and audit, unless deletion is legally required.
  • Student Data: Retained for the active term and then deleted within 60 days, unless longer retention is required by law or requested by the organization.
  • Support Logs & Audit Trails: Retained for operational integrity and compliance for up to 12 months, or longer if legally required.
  • Payment Records: Retained as required by tax and accounting laws.

We disclose retention periods or criteria as required by law. Users (or their admins/parents) may request deletion of certain data, subject to legal and contractual obligations.

  1. Children’s Privacy

We do not knowingly collect personal information from children without school or parental consent as required by law.

  1. International Transfers

Transfers use contractual safeguards as required by law.

  1. Mobile App Permissions

Our apps may request permissions necessary for functionality (e.g., network access, notifications, storage for offline content). Brighten does not monitor or enforce device security; customers are responsible for maintaining their own device hygiene.

  1. Cookies & Similar Technologies

Used for session management, analytics, and security. Disabling cookies may limit functionality.

  1. Acceptable Use & Safety

Users must comply with our Acceptable Use Policy, which prohibits unlawful activity, harassment, and attempts to compromise the Services. Useless where contractually stated, Brighten does not manage customer devices or enforce device hygiene.

  1. Data Subject Rights

Access, correction, deletion requests must come from Organization Admins or Parents. We respond as required by law.

  1. Incidents & Breach

We maintain processes to detect and respond to incidents. Breach notifications occur as required by law and contract terms.

  1. Changes to This Policy

This Privacy Policy is a living document and may be updated periodically to reflect changes in our practices, legal requirements, or service offerings.

  • Updates are effective upon posting unless otherwise stated.
  • Material changes will be communicated through the Service or to Organization Admins/Parents as required by law.
  • Continued use of the Services after an update constitutes acceptance of the revised Privacy Policy.
  1. State-Specific Compliance

New York Parents’ Bill of Rights for Data Privacy and Security
Brighten acknowledges the New York Parents’ Bill of Rights for Data Privacy and Security and agrees to comply with the Contractor Privacy Provisions applicable to schools in the State of New York. In the event of a direct conflict between this Privacy Policy and the Privacy Bill of Rights, the Privacy Bill of Rights will control.
Full text: http://www.p12.nysed.gov/docs/parents-bill-of-rights.pdf.

California Privacy Rights (CPRA/CCPA)
Brighten complies with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). California residents have rights to access, correct, delete, and limit use of sensitive personal information, subject to verification and legal exceptions. Retention periods or criteria are disclosed in this policy. Requests may be submitted to privacy@brightenlearning.com.

Other States
Brighten complies with applicable state privacy laws, including but not limited to Colorado, Connecticut, Illinois, Nevada, and Virginia, and will enter into supplemental agreements or addendums where required.

  1. Contact

Brighten Learning, Inc.
privacy@brighenlearning.com
or visit our contact form: (contact form address here)

For compliance inquiries, reference your license tier and any purchased add‑ons.

Compliance Disclaimer

Compliance add‑ons require the correct license tier and a paid engagement. Brighten does not assume HIPAA, FERPA, state‑specific, or other specialized obligations unless expressly agreed in a signed addendum.