Privacy Policy

Overview

BCBA Hub ("we," "our," or "us") is a clinical operations platform built for Board Certified Behavior Analysts (BCBAs). This Privacy Policy explains how we collect, use, store, and protect your information when you use our service at bcba-hub.com.

Information We Collect

We collect the following types of information:

• Account information — your name, email address, and password when you create an account
• Clinical data you enter — client names or initials, session notes, CEU logs, authorization codes, calendar events, tasks, and goal bank entries
• Google Calendar data — if you choose to connect your Google Calendar, we access your calendar events to display them alongside your BCBA Hub schedule. We only read and write events — we never access other Google account data
• Usage data — feature usage and feedback submissions to improve the product
• Files you upload — documents, certificates, and attachments you add to your account

How We Use Your Information

• To provide and improve the BCBA Hub service
• To sync your data across devices via Supabase (our database provider)
• To display your Google Calendar events within BCBA Hub when you opt in
• To send transactional emails (account confirmation, password reset) via Resend
• To analyze anonymous usage patterns and improve features

Google Calendar Integration

When you connect your Google Calendar, BCBA Hub:

• Reads your calendar events to display them in your BCBA Hub schedule
• Creates, updates, and deletes events in your Google Calendar when you manage them in BCBA Hub (two-way sync)
• Stores your OAuth token securely via Supabase Auth
• Does not sell, share, or use your Google Calendar data for advertising or any purpose outside of providing the sync feature
• Does not access any Google data beyond your calendar events

You can disconnect Google Calendar at any time from the Setup tab. This immediately removes all imported Google events from BCBA Hub.

Data Storage & Security

Your data is stored using Supabase, a secure cloud database platform hosted on AWS infrastructure. Files are stored in Supabase Storage with row-level security — only you can access your own data.

• All data is encrypted in transit (HTTPS/TLS)
• Database access is protected by Row Level Security (RLS) policies
• Passwords are never stored in plain text
• File uploads are stored in private buckets accessible only to your account

Data Sharing

We do not sell your personal information. We share data only with:

• Supabase — our database and authentication provider
• Resend — our email delivery provider (for transactional emails only)
• Google — when you authorize Google Calendar integration
• Stripe — for payment processing (billing information only, not clinical data)

Your Rights

You have the right to:

• Access all data associated with your account
• Export your data at any time using the Export feature in Setup
• Delete your account and all associated data by contacting us
• Disconnect any third-party integration (Google Calendar) at any time
• Correct inaccurate information in your profile

Data Retention

We retain your data for as long as your account is active. If you delete your account, all associated data is permanently removed within 30 days. Google Calendar event data is removed immediately upon disconnecting the integration.

Children's Privacy

BCBA Hub is intended for licensed healthcare professionals. We do not knowingly collect information from individuals under 18 years of age.

Changes to This Policy

We may update this Privacy Policy as the product evolves. We will notify you of significant changes via email or an in-app notice. Continued use of BCBA Hub after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us at:

• Email: support@bcba-hub.com
• Website: bcba-hub.com