The short version (in plain English)
- Student data stays on your device for almost everything we make. Names, photos, seating charts, manipulative arrangements — all stored in your browser's local storage, never on our servers.
- One exception: Escape Labs lets students join a class session by code; their first name and inventory are stored briefly in our database so progress syncs across devices. See section 4 for details.
- We only know about you, the teacher. If you sign up for our email list, we have your email address. That's it.
- No ads, no tracking pixels, no selling your data. Ever.
- Designed for K-12 with FERPA and COPPA in mind. See the District Readiness section below.
1. Who we are
Big Brain Labs is a small software company that builds focused classroom apps for K-12 teachers. We are operated by Big Brain Labs LLC, a New York limited liability company owned and run by a working public-school teacher. When this policy says "we," "us," or "Big Brain Labs," that's who we mean. You can reach us anytime at [email protected].
2. What this policy covers
This policy explains what we collect from teachers (and students, in the limited cases where any student data reaches our servers), how we use it, and your rights. It applies to bigbrainlabs.org, our companion site balaskas.us, and every app we ship under the Big Brain Labs name.
3. The student data conversation (this is the important part)
Big Brain Labs is built around a simple principle: student data should not leave the classroom unless we say up front that it does.
Here's the breakdown by app, so you know exactly where your data goes:
| App | What it stores | Where |
|---|---|---|
| Morning Lab | Roster names, daily greetings, calendar/weather settings | Your device only |
| Centers Lab | Roster names, optional student photos, center labels & rotations | Your device only |
| SeatLab | Roster names, seating charts, room layouts, themes | Your device only |
| Lab Tools | Manipulative arrangements, drawings — no student data at all | Your device only |
| Escape Labs | Room template, items, codes, lockboxes — plus student first name and inventory when they join a session by code | Cloud sync (see §4) |
| brb. (sister app) | Sign-out kiosk roster & photos | Your device only |
For everything marked "Your device only," the data is created and stored entirely on the device running the app, in your browser's local storage. It is never transmitted to our servers. It is never sent to any third party. We have no copy of it, no backup of it, and no technical ability to access it. If you opened our database, you would find your email address (if you signed up for our list) — and nothing about your students.
4. Escape Labs and the cloud-sync exception
Escape Labs is the one Big Brain Labs app where some student information briefly reaches our servers. We disclose this up front because we believe schools deserve a straight answer.
When a teacher starts an escape-room session, the room template (items, codes, lockbox configurations) is stored on our database (Supabase) so students can join from any device using a session code. When a student joins, the following is stored:
- The student's first name (or whatever name they typed) — used to label their inventory
- Which items they have unlocked — so they don't have to re-solve clues if they refresh the page
- The session code they joined with
We do not store: full names (we recommend "First name + last initial" only), email addresses, photos, behavior records, or any data not directly related to playing an escape room.
Session data is automatically deleted 30 days after the session ends, or sooner if the teacher deletes the room. Teachers can also wipe all student progress for a session at any time from the teacher dashboard.
If your district's policy prohibits any student data leaving the device, we recommend using Escape Labs in Test Mode (a button on the landing page) — Test Mode runs the entire experience in your browser's local storage with no cloud sync.
5. What we DO collect from teachers
Email signup
If you sign up for our email list (a popup on bigbrainlabs.org, or a form in any of our apps) we collect your email address and the date you signed up. We use this to email you when new apps launch or when there's a big update. You can unsubscribe at any time using the link in any email we send.
Bug reports
If you submit a bug or feature request through an in-app form or by emailing us, we receive: the description you wrote, your email (so we can follow up), the page you were on, and your browser's user-agent string (for debugging). We use these only to fix the issue.
Server logs
Our hosting provider (Cloudflare) keeps standard server logs (IP address, request URL, timestamp, status code) to prevent abuse and operate the service. These contain no personal information about students.
What we do NOT collect
We do not run analytics scripts (Google Analytics, Mixpanel, Heap, etc.) on any of our apps. We do not run advertising networks. We do not load third-party tracking pixels. The network requests our apps make are limited to: loading our own code, loading Google Fonts, and (for Escape Labs only) syncing room/inventory data to Supabase.
6. How we use your information
- To run our apps for you — loading your settings, syncing escape-room sessions
- To stay in touch — emailing you about new apps, security alerts, or important updates (only if you've opted in)
- To improve our apps — reading your bug reports and suggestions
- To prevent abuse — investigating suspicious traffic or violations of our terms
We don't sell your information. We don't share it with advertisers. We don't use it for targeted advertising. We don't use it for anything beyond running our apps and helping you.
🏫 District readiness — FERPA, COPPA, and NY Education Law 2-d alignment
Because almost everything we make stores student data only on the educator's device, our compliance posture is unusually simple compared to most education-technology vendors. Here's how we align with the major K-12 privacy frameworks:
FERPA (Family Educational Rights and Privacy Act): For our local-only apps (Morning Lab, Centers Lab, SeatLab, Lab Tools, brb.), Big Brain Labs does not access, store, or transmit student education records. Educational records remain entirely within the school district's control on the teacher's device. For Escape Labs, the limited student data we process (first name + inventory) is processed under the educator's direction as a "school official" with a "legitimate educational interest" under FERPA's school-official exception.
COPPA (Children's Online Privacy Protection Act): Our apps are sold to and configured by adult teachers, not students. For local-only apps we do not engage in "operator collection" because no student data leaves the device. For Escape Labs, where students enter a first name to join a session, we operate under the school authorization model: the school or teacher provides COPPA consent in lieu of parents (Section 312.5(c)(6)), and we only collect data reasonably necessary to provide the educational service.
New York Education Law §2-d: Our local-first design supports the requirements of NY Ed Law 2-d by minimizing the collection of personally identifiable information of students. Specifically:
- Local data storage: For our local-only apps, all student personally identifiable information is stored exclusively on the educator's device, not on Big Brain Labs servers
- Minimal cloud collection: For Escape Labs, we collect only the first name and game inventory needed to provide the service, with automatic 30-day deletion
- No sale or marketing use: We do not sell, share, or use student information for advertising — and could not, since we do not have access to it for most apps
- Parental rights: Requests by parents to inspect, correct, or delete student data are handled by the school or educator at the device level (for local-only apps) or by emailing us at [email protected] (for Escape Labs session data)
Need formal documentation? If your district requires a Data Processing Agreement, Student Data Privacy Consortium (SDPC) form, NY Ed Law 2-d Parents' Bill of Rights addendum, or any other vendor-compliance document, please email [email protected] and we will work with your privacy office.
7. Service providers we use
Big Brain Labs uses these third-party services. Each one processes data only as needed to support our service, under their own privacy policies:
- Supabase — stores email signups, and (for Escape Labs only) escape-room templates and student session data
- Cloudflare — hosts our website and apps and serves them to your browser
- Google Fonts and jsDelivr CDN — deliver web fonts and JavaScript libraries
None of these providers receive student data from our local-only apps. Supabase receives only the limited Escape Labs data described in section 4.
8. How we keep your information safe
For data on our servers (email signups, Escape Labs sessions): We use industry-standard security: HTTPS encryption for everything, encrypted storage at rest with our service providers, and row-level security policies in our Supabase database. The only people with access to teacher account data are Big Brain Labs LLC staff (currently: one teacher).
For student data on your device: Securing the device is the most important step. Use a passcode lock on the device, keep the device physically secure, and clear roster/photo data at the end of the school year using each app's "Clear" button.
No system is perfectly secure. If we ever experience a data breach affecting Big Brain Labs server data, we will notify affected users within 72 hours by email and tell you exactly what happened and what we're doing about it. Because student data does not leave your device for our local-only apps, a breach of our infrastructure cannot expose that data.
9. Your rights as a user
You always have the right to:
- See what we have about you. Email us and we'll send a copy.
- Correct anything that's inaccurate.
- Delete your data. Email us and we'll remove it within 30 days.
- Export your data in a machine-readable format anytime.
- Withdraw consent by unsubscribing from email or asking us to delete your data.
If you live in California, the EU, the UK, or another jurisdiction with extended privacy rights (CCPA, GDPR, and similar), all of those rights apply to you. Email us at [email protected] and we'll honor them.
10. Cookies and local storage
Our apps use your browser's local storage to keep your roster, photos, settings, and workspace state on your device. We do not use tracking cookies, advertising cookies, or third-party analytics cookies on any Big Brain Labs property.
11. International users
Big Brain Labs is operated from the United States. If you use our apps from another country, your information will be transferred to and processed in the U.S. By using our apps you agree to that transfer.
12. Children's privacy
Our apps are designed to be configured and operated by adult teachers in classrooms. We do not knowingly collect personal information from children under 13 outside of the school-authorization model described in the District Readiness section. If you believe a child has given us personal information without proper consent, please email us at [email protected] and we will delete it.
13. Changes to this policy
We may update this policy from time to time. If we make material changes, we'll email subscribers at least 30 days before the change takes effect and update the "Last updated" date at the top of this page. Continuing to use Big Brain Labs apps after that means you accept the updated policy.
14. Get in touch
Questions, concerns, or feedback about this policy? Email [email protected] and we'll get back to you.