Quick summary for privacy reviewers
- Most of what we ship is local-only. Morning Lab, Centers Lab, SeatLab, Lab Tools — student data lives in the teacher's browser storage, never on our servers.
- One narrow exception — Escape Labs. To let students join a teacher's escape-room session by code, we store first name + game inventory in our database. Auto-deleted 30 days after the session ends. A "Test Mode" toggle keeps everything local if your district prohibits any cloud sync.
- No advertising, no analytics, no third-party tracking on any Big Brain Labs property.
- Adult-teacher product — accounts (when present) are for educators, not students. Students never enter email, phone, or other PII beyond a first name in Escape Labs.
- Signed DPAs available on request. Email [email protected].
1. Company information
- Legal name
- Big Brain Labs LLC
- Entity type
- New York limited liability company
- Operator
- A working public-school teacher (sole proprietor of the LLC)
- Privacy contact
- [email protected] · usually responds within 1 business day
- District inquiries
- School / District contact form
- Hosting
- Cloudflare Pages — United States data centers
2. Data flow per app
| App | What it stores | Where | Retention |
|---|---|---|---|
| Morning Lab | Roster names, calendar/weather settings, daily routines | Browser localStorage | Until teacher clears |
| Centers Lab | Roster names, optional student photos, center labels & rotations | Browser localStorage | Until teacher clears |
| SeatLab | Roster names, seating charts, room layouts, themes | Browser localStorage | Until teacher clears |
| Lab Tools | Manipulative arrangements, drawings — no student data at all | Browser localStorage | Until teacher clears |
| Escape Labs (cloud mode) | Room template (items, codes, lockboxes); per-student first name + inventory | Supabase (US region) | Auto-deleted 30 days after session ends |
| Escape Labs (test mode) | Same data as cloud mode, but stored locally only | Browser localStorage | Until teacher clears |
| brb. (sister site) | Sign-out kiosk roster & photos | Browser localStorage (encrypted at rest) | Photos auto-delete after 30 days |
3. Sub-processors / vendors
Big Brain Labs uses these third-party services. Only Supabase ever receives any student data, and only the limited Escape Labs session data described above:
| Vendor | Purpose | Receives student data? |
|---|---|---|
| Cloudflare | Hosting, content delivery, basic server logs | No |
| Supabase | Email signup storage; Escape Labs session storage | Yes — Escape Labs only (first name + inventory) |
| Google Fonts / jsDelivr CDN | Web font + JS library delivery | No |
4. Compliance posture
FERPA (Family Educational Rights and Privacy Act)
For local-only apps, Big Brain Labs does not access, store, or transmit education records. Records remain entirely within the school district's control on the educator's device. For Escape Labs, the limited student data we process (first name + game inventory) is processed under the educator's direction as a "school official" with a "legitimate educational interest" under FERPA's school-official exception.
COPPA (Children's Online Privacy Protection Act)
Our apps are configured by adult teachers, not students. For local-only apps we do not engage in "operator collection" because no student data leaves the device. For Escape Labs, where students enter a first name to join a session, we operate under the school-authorization model: the school or teacher provides COPPA consent in lieu of parents (Section 312.5(c)(6)). We collect only data reasonably necessary to provide the educational service.
New York Education Law §2-d
- Local data storage: For local-only apps, all student PII is stored exclusively on the educator's device.
- Minimal cloud collection: For Escape Labs, we collect only first name and game inventory needed for the service, with automatic 30-day deletion.
- No sale or marketing use: We do not sell, share, or use student information for advertising.
- Parental rights: Requests by parents to inspect, correct, or delete student data are handled by the school or educator at the device level (local apps) or by emailing us directly (Escape Labs).
Other state laws
The local-first architecture means our compliance posture is identical or simpler under California (SOPIPA, CCPA), Illinois (SOPPA), Connecticut, Colorado, Virginia, and most other state-level student-privacy laws. Email [email protected] if your state has specific requirements you'd like us to address.
5. Security measures
- Transport: All traffic uses HTTPS / TLS 1.2+.
- Server-side data at rest: Encrypted by our hosting provider (Cloudflare) and database provider (Supabase).
- Access control: Row-level security on Supabase tables; only Big Brain Labs LLC has database access.
- Local data security: Securing the device is the most important step. Use device passcode, physical security, and clear roster data at end of school year using each app's "Clear" button.
- Breach notification: Affected users notified within 72 hours by email.
6. Vendor-review documents available on request
- Signed Data Processing Agreement (DPA)
- Student Data Privacy Consortium (SDPC) National Data Privacy Agreement
- NY Education Law §2-d Parents' Bill of Rights addendum
- California / Illinois / Colorado state-specific addenda
- SOC 2 / security questionnaire responses
- Custom contract amendments (we are small, flexible, and a teacher reads every email)
How to request: email [email protected] with your school/district name and what you need. Most documents turn around within 2 business days.
7. Pricing for schools and districts
Most Big Brain Labs apps are currently in free preview for individual teachers. For schools deploying to 10+ classrooms, we offer:
- Volume pricing (typically 30–50% off list)
- One PO / invoice per district instead of individual subscriptions
- Direct support during the school year
- Custom configuration help if you need something specific
Pricing isn't published online because school budgets vary too much for a fixed sticker price to be useful. Email [email protected] with your numbers and we'll send a real quote within 1 business day.
Get a quote — or request documents
One form for everything: pricing quotes, signed DPA, SDPC docs, NY Ed Law 2-d addendum, demos. We respond within one business day.