The Sign-Out Kiosk
Privacy Policy
Last updated: April 24, 2026

The short version (in plain English)

1. Who we are

brb. is a touchless sign-out kiosk for K-12 classrooms, operated by Big Brain Labs LLC, a company owned and run by a teacher. When this policy says "we" or "us," that's who we mean. You can reach us anytime at hello@brbkiosk.us.

2. What this policy covers

This policy explains what we collect from teachers who use brb., how we use it, and your rights. It applies to brbkiosk.us and the brb. application.

3. The student data conversation (this is the important part)

brb. is built around a simple principle: student data should not leave the classroom.

Here's what that means in practice. When you use brb., the application stores the following data on your device, in your browser's local storage:

This data is created and stored entirely on your device. It is never transmitted to brb.'s servers. It is never sent to any third party. We have no copy of it, no backup of it, and no technical ability to access it. If you opened the brb. database on our end, you would find your email address and your subscription status — and nothing about your students.

If you sign in on a second device, the kiosk loads with an empty roster. Your settings and subscription follow you, but your student data does not. That's intentional — it's how we guarantee that student data stays where you control it.

How long photos and pass records are kept

To keep brb. fast and to stay within your browser's storage limits, photos older than 30 days are automatically deleted from your device. Pass records (name, time, reason, duration) are kept longer so dashboard trends still work, but the photo for an old pass will quietly disappear after the 30-day window. If you need long-term records or photos for compliance or investigation, use Settings → Dashboard → Export Photos (ZIP) periodically and save the export to your school's storage.

4. What we DO collect from teachers

Account information

When you sign up using Google or email, our authentication provider Clerk receives:

We store your email address and Clerk account ID in our subscription database (Supabase), so we know who you are when you load brb. and whether your subscription is active.

Payment information

Our payment processor Lemon Squeezy collects your billing details when you subscribe. We do not see, store, or have any access to your full credit card number. From them, we receive: a confirmation that you've paid, your subscription's renewal date, and a customer ID for managing future renewals or cancellations.

Bug reports

If you submit a bug or feature request through the in-app form, we receive: the description you wrote, your account email (so we can follow up if needed), the page URL you were on, and your browser's user-agent string (for debugging). We use these only to fix the issue.

Server logs

Our hosting provider, Cloudflare, keeps standard server logs (IP address, request URL, timestamp, status code) to prevent abuse and operate the service. These contain no personal information about students.

5. How we use your information

We don't sell your information. We don't share it with advertisers. We don't use it for targeted advertising. We don't use it for anything beyond running brb. and helping you.

🏫 District readiness — FERPA, COPPA, and NY Education Law 2-d alignment

Because brb. doesn't transmit student data to our servers, our compliance posture is unusually simple compared to most education technology vendors. Here's how brb. aligns with the major K-12 privacy frameworks:

FERPA (Family Educational Rights and Privacy Act): brb. does not access, store, or transmit student education records. Educational records remain entirely within the school district's control on the teacher's device.

COPPA (Children's Online Privacy Protection Act): brb. is sold to and used by adult teachers, not students. We do not knowingly collect personal information from children under 13. Because student information stays on the local device, brb. does not constitute "operator collection" under COPPA.

New York Education Law §2-d: brb.'s local-first design supports the requirements of NY Ed Law 2-d by minimizing the collection of personally identifiable information of students. Specifically:

Need formal documentation? If your district requires a Data Processing Agreement, Student Data Privacy Consortium (SDPC) form, NY Ed Law 2-d Parents' Bill of Rights addendum, or any other vendor compliance document, please email hello@brbkiosk.us and we will work with your privacy office.

6. Service providers we use

brb. uses these third-party services. Each one processes data only as needed to support our service, under their own privacy policies:

None of these providers receive student data. They only see what they need to do their job (Clerk sees your sign-in, Lemon Squeezy sees your payment, Cloudflare sees the request to load the page).

7. How we keep your information safe

For teacher account data: We use industry-standard security: encrypted HTTPS for everything, encrypted storage at rest with our service providers, and role-based access controls in our database. The only person with access to teacher account data is Big Brain Labs LLC (the operator of brb.).

For student data on your device: brb. does more than rely on the device's security. Student photos in your local storage are encrypted at rest using a device-specific key, so a casual inspection of the browser's storage shows encrypted data, not viewable images. Kiosk passwords are stored as salted SHA-256 hashes — never plain text. The kiosk auto-locks after your configured idle time, when you switch tabs, and at a scheduled end-of-day time. All of this runs locally without us ever seeing your data.

We also support optional classroom features for additional student privacy: a "Privacy Pass" setting lets you provide an anonymous sign-out card for students who don't want photos taken — their pass is logged with reason and time only, no photo and no name.

No system is perfectly secure. If we ever experience a data breach affecting teacher account information, we will notify affected teachers within 72 hours by email and tell you exactly what happened and what we're doing about it. Because student data does not leave your device, a breach of our infrastructure cannot expose student data.

For student data: because it lives only on your device, securing the device is the most important step. Use a strong password for your kiosk (Settings → Security), enable your device's passcode lock, keep the device physically secure, and use Reset All Data at the end of the school year.

8. Your rights as a teacher

You always have the right to:

If you live in California, the EU, the UK, or another jurisdiction with extended privacy rights (CCPA, GDPR, and similar), all of those rights apply to you. Email us at hello@brbkiosk.us and we'll honor them.

9. Cookies and local storage

brb. uses your browser's local storage to keep your roster, photos, gallery, and settings on your device. We use cookies set by Clerk for sign-in. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. International users

brb. is operated from the United States. If you use brb. from another country, your information will be transferred to and processed in the U.S. By using brb. you agree to that transfer.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we'll email you at least 30 days before the change takes effect. Continuing to use brb. after that means you accept the updated policy.

12. Get in touch

Questions, concerns, or feedback about this policy? Email hello@brbkiosk.us and we'll get back to you.

brbkiosk.us · For Parents · Terms of Service · Privacy Policy
© 2026 Big Brain Labs LLC. All rights reserved.