Privacy Policy

Effective Date: April 6, 2026

This Privacy Policy describes how Captive Thought LLC (“BritePath,” “we,” “us,” or “our”), a South Carolina limited liability company, collects, uses, and protects your information when you use BritePath Pro and BritePath (collectively, the “Service”). This policy applies to all users of the Service, including organization administrators, parents, instructors, and students.

By using the Service, you agree to the practices described in this Privacy Policy. This policy should be read alongside our Terms of Service.

1. Information We Collect

Information You Provide

Account information. When your account is created (via invitation), we collect:

  • First and last name
  • Email address (for adults; students use a system-generated internal identifier instead)
  • Username
  • Password (stored as a cryptographic hash; we never store or have access to your plaintext password)

Profile information. You may optionally provide:

  • Phone number
  • Mailing address (street, city, state, postal code)
  • Date of birth
  • Profile photo (avatar)

Student information. When a student account is created by a parent or organization administrator, we collect:

  • First and last name
  • Date of birth (optional)
  • Grade level (as assigned by the organization)

Organization data. Organization administrators enter data related to their co-op’s operations, including:

  • Courses, schedules, and resource assignments
  • Enrollment and attendance records
  • Grades and academic records
  • Family and household groupings
  • Instructor assignments and availability
  • Background check status and dates (metadata only; we do not conduct or store the results of background checks)

Messages and photos. When you use the messaging feature, we store:

  • Message content (text)
  • Photos shared in conversations (stored in private storage buckets accessible only via time-limited signed URLs)
  • Read receipts and typing indicators
  • Conversation participation and membership

Push notification preferences. If you enable push notifications, we store:

  • Your device’s push subscription endpoint and encryption keys
  • Your notification preferences (enabled/disabled, detail level)
  • Platform type (web, iOS, or Android)

Information Collected Automatically

Authentication data. Supabase (our backend provider) automatically collects:

  • Session tokens and refresh tokens
  • Login timestamps
  • IP addresses associated with authentication events

Technical data. When you use the Service, standard web server logs may record:

  • Browser type and version (user agent)
  • Pages visited within the application
  • Timestamps of requests

We do not use cookies for tracking or advertising. The Service uses browser local storage solely for functional purposes such as maintaining your login session, remembering your selected organization, and storing UI preferences (such as sidebar state and selected term).

Information We Do Not Collect

  • We do not use third-party analytics, advertising trackers, or tracking pixels
  • We do not collect location data beyond what may be present in an IP address
  • We do not collect financial or payment information (the Service is currently free)
  • We do not collect the content or results of background checks

2. How We Use Your Information

We use the information we collect to:

  • Operate the Service — create and manage accounts, display schedules and grades, deliver messages, and provide the core features of the platform
  • Send notifications — deliver push notifications and email alerts based on your preferences (such as new messages, substitute teacher requests, or system announcements)
  • Maintain security — detect and prevent unauthorized access, fraud, or abuse
  • Provide support — respond to bug reports and support requests
  • Improve the Service — review aggregate, non-identifying operational data derived from server logs (such as error rates and page load performance) to identify issues and improve functionality. This data is not linked to individual users, is not shared externally, and we do not use third-party analytics services

We do not sell, rent, or share your personal information with third parties for their own marketing or advertising purposes. We do not use your data to build advertising profiles. We do not use your data for automated decision-making or profiling.

3. How We Share Your Information

Within Your Organization

Your information is visible to other members of your organization according to the role and permission settings configured by your organization’s administrators. For example:

  • Administrators can see member profiles, enrollment records, and grades
  • Instructors can see students enrolled in their courses
  • Parents can see their own children’s schedules, grades, and attendance
  • Messaging participants can see messages and photos within their conversations

With Service Providers

We use the following third-party service providers to operate the Service. These providers process your data on our behalf and are contractually obligated to use it only for the purposes of providing their services:

ProviderPurposeData Shared
SupabaseDatabase hosting, authentication, file storage, real-time messagingAll application data (stored in their hosted PostgreSQL database and object storage)
CloudflareWebsite hosting, DNS, DDoS protectionWeb traffic data (IP addresses, request headers)
ResendTransactional email deliveryRecipient email address, email content (invitations, notifications)
Apple/Google/Mozilla Push ServicesPush notification deliveryDevice push tokens, notification content

When Required by Law

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect the rights, safety, or property of BritePath, our users, or the public.

In a Business Transfer

If Captive Thought LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change via the Service or email.

4. Children’s Privacy

We are committed to protecting the privacy of children. Our practices regarding children’s data are designed to comply with the Children’s Online Privacy Protection Act (COPPA).

How children’s accounts are created. Student accounts are never created by the children themselves. They are created by:

  • A parent or legal guardian, or
  • An authorized organization administrator acting with parental knowledge and consent

What we collect from children. For student accounts, we collect only what is necessary to provide the Service:

  • Name
  • Date of birth (optional)
  • Educational records managed by the organization (grades, schedules, attendance, enrollment)

We do not collect email addresses, phone numbers, or mailing addresses directly from children. Student accounts use a system-generated internal identifier for authentication rather than an email address.

Messaging. Messaging is not available for student accounts unless explicitly enabled by the organization with parental consent.

Parental rights. Parents and legal guardians have the right to:

  • Review the personal information we have collected from their child (accessible through the parent’s own account)
  • Request correction of their child’s information
  • Request deletion of their child’s account and associated data
  • Refuse further collection of their child’s information

To exercise these rights, parents may manage their child’s data through their own account, contact their organization administrator, or contact us directly at legal@britepath.app.

Organization administrator role. When an organization administrator creates student accounts on behalf of families, the administrator represents that they have obtained appropriate consent. Administrators are responsible for ensuring parental consent is in place before enabling any features that involve student interaction, such as messaging.

5. Data Storage and Security

Where your data is stored. Your data is stored on servers operated by Supabase (our database and authentication provider) and Cloudflare (our hosting provider), both based in the United States.

How we protect your data. We implement reasonable security measures to protect your information, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Passwords stored using cryptographic hashing (never in plaintext)
  • Row-level security policies in our database to ensure users can only access data they are authorized to see
  • Separate database schemas for different applications and data domains
  • Private storage buckets for sensitive content (such as chat photos), with time-limited signed URLs for access

No system is perfectly secure. While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service.

When you delete your account:

  • Your profile information is removed
  • Your messages are anonymized (sender identity is removed, but message content may remain visible to other conversation participants)
  • Your organizational memberships are terminated
  • Photos you shared are deleted from storage

When an organization is deleted:

  • All identifiable organization data is removed, including courses, schedules, grades, enrollment records, and messages
  • Some data may be retained in anonymized or aggregated form for operational purposes, consistent with our Terms of Service
  • Member accounts are not deleted, but their association with the organization is removed

Residual data. After account or organization deletion, residual copies of your information may persist in system backups or logs for a limited period. We take reasonable steps to delete or de-identify this data in accordance with our standard retention practices and any applicable legal requirements.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Request that we correct inaccurate information
  • Deletion — Request that we delete your personal information
  • Data portability — Request a copy of your data in a machine-readable format

How to exercise your rights. You can manage most of your data directly within the application (viewing your profile, updating information, deleting your account). For requests that cannot be handled through the application, contact us at legal@britepath.app.

We will respond to requests within a reasonable timeframe, typically within 30 days.

8. State-Specific Disclosures

California residents (CCPA/CPRA). We do not sell personal information. We do not share personal information for cross-context behavioral advertising. California residents have the right to request access to, deletion of, and information about the categories of personal information we collect. To make a request, contact us at legal@britepath.app.

Other U.S. states. Several states have enacted comprehensive privacy laws (including Virginia, Colorado, Connecticut, and others). If you are a resident of one of these states and believe you have rights under applicable law that are not addressed here, please contact us.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • The updated policy will be posted with a new effective date
  • For material changes, we will notify you through the Service (for example, by requiring you to review and acknowledge the updated policy)
  • For non-material changes, your continued use of the Service after the updated policy is posted constitutes your acceptance

10. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your information is handled, please contact us at:

Email: legal@britepath.app

Mailing Address: Captive Thought LLC 105 Crepe Myrtle Ct Easley, SC 29640

Last updated: April 6, 2026