Privacy Policy

Effective date: April 7, 2026

Track My BCBA (“we,” “our,” or “us”) is operated by KorBon.ai. This Privacy Policy explains what information we collect when you use trackmybcba.com, how we use it, and the choices you have. By using the Service you agree to this policy.

Independent Tool — Not Affiliated with the BACB

Track My BCBA is an independent, privately developed productivity tool. We have no relationship — formal or informal — with the Behavior Analyst Certification Board (BACB). We are not endorsed by, licensed by, or in any way acting on behalf of the BACB. “BCBA” and “BCaBA” are registered certifications of the BACB; we use these terms solely to describe the population this tool is designed to help.

We Do Not Sell Your Data. Ever.

Your fieldwork records, session notes, audio, and personal information are yours. We do not sell, rent, trade, or broker your data to any third party — not advertisers, not data brokers, not anyone. The only reason your data is shared with any external service is to deliver features directly to you (e.g., AI transcription, payment processing). See Section 4 for the full list of subprocessors.

HIPAA-Informed Safeguards

Track My BCBA is not a covered entity under HIPAA and does not process Protected Health Information (PHI). However, because BCBAs and BCaBAs work in healthcare-adjacent settings, we voluntarily adopt HIPAA-informed technical safeguards: all AI processing runs inside Trusted Execution Environments (TEEs), every database table enforces row-level data isolation, audio and image files are never persisted to storage, all data is encrypted in transit, and account deletion triggers automatic cascade removal of all associated records. See Section 7 for full details.


1. Information We Collect

1.1 Account Information

When you create an account we collect:

  • Your name and email address
  • A password (stored as a hashed value by Supabase Auth — we never see your plaintext password)
  • If you sign in with Google, your Google profile name and email
  • Your BACB ID, certification type (BCBA or BCaBA), fieldwork type, and target completion date (provided during onboarding)
  • Your fieldwork state and country (for context only; not shared with any government authority)

1.2 Fieldwork & Log Data

The core purpose of Track My BCBA is to help you record supervised fieldwork sessions. Each log entry you create may contain:

  • Session date and time
  • Hours logged (independent and supervised)
  • Activity type (restricted vs. unrestricted)
  • Supervisor name, BACB certification number, and supervision type/modality
  • Session notes, observation details, and a supervision summary
  • The original raw text, transcribed audio, or OCR-extracted text you submitted (“raw input”)

This data is stored in our database (hosted by Supabase), scoped to your user ID, and protected by row-level security so no other user can access it.

1.3 Voice Recordings & Images

If you use the voice logging feature, your audio clip is sent directly to our transcription endpoint and processed by Whisper (via Chutes.ai). We do not permanently store your raw audio file after transcription is complete. If you use the photo/OCR feature, your image is sent to our OCR endpoint and processed by a vision model (via Chutes.ai). We do not permanently store the image after text extraction is complete.

1.4 Imported Files

If you upload a spreadsheet for import, the column headers and a small sample of rows are sent to our AI endpoint to assist with column mapping. We do not permanently store the uploaded file.

1.5 Billing Information

Payments are processed by Stripe. We never receive or store your raw credit card number. Stripe provides us with a customer ID and subscription status so we can grant or restrict access to the Service. See Stripe’s Privacy Policy for details on how payment data is handled.

1.6 Waitlist (Historical)

During our pre-launch period, we collected email addresses via a waitlist. The waitlist has been removed from the Service and all previously collected waitlist data has been purged. This section is retained for transparency only.

1.7 Usage Analytics

We use Vercel Analytics and Vercel Speed Insights to understand how the Service is used and to monitor performance. Both tools are cookieless and collect only anonymous, PII-free data — they never include your email, name, entry text, session notes, or any other personal identifiers.

1.8 Cookies & Session Data

We use HTTP-only cookies to maintain your authenticated session (managed by Supabase Auth). No third-party advertising cookies are set on the Service. A Cloudflare Turnstile token is used on the login/signup page for bot protection; Cloudflare may set its own cookies — see Cloudflare’s Privacy Policy.


2. How We Use Your Information

  • Provide the Service: store, display, and export your fieldwork logs; compute compliance metrics; generate supervision summaries.
  • AI Processing: send your text, audio, or image to Chutes.ai to transcribe, parse, or extract structured data on your behalf (see Section 3).
  • Billing & Access Control: manage your subscription status via Stripe and grant or restrict access accordingly.
  • Authentication: verify your identity via email/password or Google OAuth.
  • Service Communications: send transactional emails (email confirmation, password reset, account changes). We do not send unsolicited marketing emails to active account holders without consent.
  • Improve the Service: use aggregate, anonymized analytics to understand feature usage and prioritize improvements.
  • Legal & Safety: comply with applicable law, enforce our Terms of Service, and protect the rights and safety of users.

3. AI Processing & Third-Party Models

Track My BCBA relies on Chutes.ai to power its AI features. When you log a session by voice, text, or photo, the relevant content is transmitted to Chutes.ai servers for processing. Chutes.ai operates models inside Trusted Execution Environments (TEEs), which provide hardware-level isolation so that the model provider cannot inspect the plaintext of your data during inference.

We do not use your personal fieldwork data to train AI models. Data sent to Chutes.ai is used solely to generate a structured response for your session and is not retained by Chutes.ai for training purposes under our agreement.

AI-generated output (parsed entries, summaries) may contain errors. You are responsible for reviewing all entries before submitting any records to the BACB or a supervisor.


4. Data Sharing & Subprocessors

We do not sell, rent, trade, or share your personal data for advertising or marketing purposes — under any circumstances. The only entities that ever receive your data are the technical subprocessors listed below, and solely to provide the features you actively use:

Subprocessor | Purpose | Data Shared
Supabase | Database & Authentication | All user and log data
Stripe | Payment processing | Email, subscription status
Chutes.ai | AI: transcription, parsing, OCR, summaries | Audio, text, images (session content only)
Resend | Transactional email (auth emails, beta reports) | Email address
Vercel | Hosting & PII-free analytics | Anonymized usage events, server logs
Cloudflare | Turnstile bot protection | IP address, browser signals on auth pages
Google | OAuth sign-in (if you choose it) | Name, email from your Google account

4.1 No Data Mining Commitment

We do not mine, analyze, or manually review your fieldwork entries, session notes, or supervisor information for any purpose beyond delivering the Service to you. We never read your notes. We never profile your behavior.

All analytics collected by the Service are anonymous marketing and product analytics only (page views, feature usage counts). They contain no personally identifiable information and cannot be linked back to individual users.


5. Data Retention

Your account data and fieldwork logs are retained for as long as your account is active. If you close your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g., Stripe transaction records, which Stripe retains per their own policies).

  • Cascade deletion: When your account is deleted, all associated data — fieldwork entries, supervisors, monthly verifications, and subscription records — is automatically and permanently removed via database cascade deletion. This is not a soft-delete; the data is gone.
  • AI request logs: Our internal AI request logs record only endpoint name, model used, success/failure, latency, and timestamp. They contain no user ID, no session content, and no personally identifiable information. These logs cannot be linked back to any individual user.
  • Audio and images: Voice recordings and uploaded images are processed ephemerally in memory and are never written to persistent storage. Once transcription or OCR is complete, the raw file no longer exists anywhere in our infrastructure.

6. Your Rights

Regardless of your location, you may:

  • Access a copy of your personal data (use the in-app export to download your logs in XLSX format)
  • Correct inaccurate data via your profile settings or by editing individual log entries
  • Delete your account and all associated data by contacting us
  • Withdraw consent for AI processing at any time by discontinuing use of the voice, photo, and text-parsing features
  • Object to processing or request data portability — contact us to exercise these rights

If you are a resident of the European Economic Area (EEA), United Kingdom, or California, you may have additional rights under GDPR, UK GDPR, or the CCPA. We will respond to verified requests within 30 days.


7. Security

We take reasonable technical and organizational measures to protect your data, including:

  • All data transmitted over HTTPS/TLS
  • Row-Level Security (RLS) with FORCE enforcement on every database table — your data is accessible only to your authenticated session, even for administrative connections
  • Passwords never stored in plaintext — hashed by Supabase Auth
  • Stripe handles all raw payment data — we never touch card numbers
  • Trusted Execution Environments (TEEs): All AI processing (transcription, parsing, OCR, summaries) runs inside hardware-isolated TEEs via Chutes.ai, so the model provider cannot inspect your data during inference
  • No persistent file storage: Audio recordings and uploaded images are processed in memory only and never written to disk or object storage
  • CSRF / origin protection: All mutation API endpoints validate request origin to prevent cross-site request forgery
  • Input validation: All user inputs are validated against strict schemas before processing
  • Bot protection: Login and signup pages are protected by Cloudflare Turnstile captcha
  • Cascade deletion: Account deletion triggers automatic cascade removal of all associated records (entries, supervisors, verifications, subscriptions)

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.


8. Children

The Service is intended for adults (18+) pursuing BACB certification. We do not knowingly collect information from anyone under 18. If we learn that we have inadvertently done so, we will delete that information promptly.


9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Effective date” at the top of this page and, where appropriate, notify you by email. Continued use of the Service after changes are posted constitutes your acceptance of the updated policy.


10. Contact Us

For privacy-related questions, data deletion requests, or to exercise your rights, contact us at:

Track My BCBA · KorBon.ai
trackmybcba.com
Email: privacy@trackmybcba.com


See also: Terms of Service