Privacy Policy
Effective Date: March 10, 2026 · Last Updated: March 10, 2026
ABA Fieldwork Tracker ("we," "us," or "our") operates the website at abafieldworktracker.com and the ABA Fieldwork Tracker web application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service.
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: When you create an account, we collect your name, email address, and password (stored as a salted hash — we never store plaintext passwords).
- Profile Information: Your selected certification pathway (BCBA or BCaBA), BACB standard year (2022 or 2027), fieldwork type (Supervised or Concentrated), and role (Trainee, Supervisor, or Admin).
- Fieldwork Data: Hours logged, session dates, session times, hour category breakdowns (Independent Unrestricted, Independent Restricted, Supervised Unrestricted, Supervised Restricted, Group Supervision), supervision contacts, and observation records.
- Organization Information: If you use organizational features, we collect your organization name, associated clinic or company details, and supervisor-trainee connection data.
- Waitlist Information: If you join our early access waitlist, we collect your first name, last name, email address, and professional role.
- Communications: If you contact us directly, we may receive additional information such as the contents of your message, attachments, and any other information you choose to provide.
1.2 Information Collected Automatically
- Log Data: IP address, browser type, operating system, referring URL, pages visited, date/time of access, and actions taken within the Service. This data is also recorded in our audit trail for security and compliance purposes.
- Device Information: Device type, screen resolution, and browser capabilities.
- Cookies: We use essential cookies to maintain your session and authentication state. We do not use advertising cookies or third-party tracking cookies.
1.3 Information We Do NOT Collect
- We do not collect Protected Health Information (PHI) as defined by HIPAA. Our Service tracks fieldwork hours and compliance metrics — not client names, diagnoses, treatment plans, or any identifiable patient data.
- We do not collect payment or financial information. If we introduce paid plans in the future, payment processing will be handled entirely by a PCI-compliant third-party processor.
- We do not collect biometric data, geolocation data, or social media identifiers.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: Track fieldwork hours, calculate compliance against BACB requirements, generate progress reports, and enable supervisor-trainee connections.
- Maintain Security: Detect and prevent unauthorized access, maintain audit trails, and protect the integrity of your data.
- Improve the Service: Analyze aggregate, anonymized usage patterns to improve features, fix bugs, and optimize performance.
- Communicate with You: Send service-related notifications (e.g., compliance alerts, connection invitations, account updates). We will never send unsolicited marketing emails without your explicit opt-in consent.
- Generate Reports: Create BACB-ready PDF reports of your fieldwork progress, which are generated on-demand and delivered only to you or your designated supervisor.
- Legal Compliance: Comply with applicable laws, regulations, and legal processes.
3. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:
- Supervisor-Trainee Connections: When you accept a supervisor connection, your supervisor gains read-only access to your fieldwork dashboard, hours, compliance data, and progress reports. Supervisors cannot modify your data. You can revoke this connection at any time.
- Organization Administrators: If your account is associated with an organization, administrators may view aggregate compliance data and audit logs for users within their organization.
- Service Providers: We use a limited number of third-party service providers to host and operate the Service (e.g., cloud hosting, email delivery). These providers are bound by contractual obligations to protect your data and use it only to provide services to us.
- Legal Requirements: We may disclose your information if required by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4. Data Storage and Security
- Infrastructure: Your data is stored on secure servers hosted by DigitalOcean in the United States.
- Encryption: All data in transit is encrypted using TLS 1.2+. Passwords are hashed using industry-standard algorithms with unique salts.
- Access Controls: Access to production systems is restricted to authorized personnel only, with multi-factor authentication required.
- Audit Trail: All data access, modifications, and deletions are logged in an immutable audit trail with timestamps, user identification, IP addresses, and before/after change records.
- Soft Delete: When you delete data (e.g., an hour entry), it is soft-deleted, meaning it is removed from your active view but retained in the audit trail for data integrity. Permanent purging of data is available upon written request.
- Backups: Data is backed up regularly and stored in encrypted, geographically separated locations.
5. Data Retention
- Active Accounts: We retain your data for as long as your account is active or as needed to provide the Service.
- Account Deletion: You may request deletion of your account and all associated data by contacting us at the email address below. Upon receiving a verified deletion request, we will permanently delete your personal data within 30 days, except where retention is required by law.
- Audit Trail Data: Audit log entries may be retained for up to 3 years after account deletion for legal compliance and security purposes, after which they are permanently purged.
- Waitlist Data: If you sign up for our waitlist, we retain your information until you unsubscribe or the waitlist program ends.
6. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Export: Export your fieldwork data at any time in standard formats (CSV, PDF). We believe your data belongs to you — there is no vendor lock-in.
- Revoke Connections: Remove supervisor or organization connections at any time from your account settings.
- Opt-Out: Unsubscribe from non-essential communications at any time using the link in any email we send.
To exercise any of these rights, contact us at the email address listed in Section 11.
7. Cookies and Tracking
We use only essential cookies required for the Service to function — specifically, session cookies for authentication and security. We do not use:
- Advertising or marketing cookies
- Third-party analytics trackers (e.g., Google Analytics)
- Social media tracking pixels
- Cross-site tracking of any kind
Because we only use essential cookies, no cookie consent banner is required. You can configure your browser to reject all cookies, but doing so will prevent you from using the Service.
8. Third-Party Services
The Service may contain links to third-party websites or services (e.g., the BACB website). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
Our current third-party service providers include:
- DigitalOcean: Cloud infrastructure and hosting
- Formspree: Waitlist form submissions (landing page only)
- Vercel: Landing page hosting and CDN
9. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately so we can delete it.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last Updated" date. For significant changes, we will also notify you via email if you have an active account. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
11. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
- Email: privacy@abafieldworktracker.com
- Website: abafieldworktracker.com