Privacy Policy

Behavior Support Platform

Effective Date: March 16, 2026

Version: 1.0

1. Who We Are

Fluency Plus, LLC ("Company," "we," "us," or "our") is a Mississippi limited liability company that operates the BX Plan Platform ("Platform"), a web-based behavior plan generator for K–12 school districts. Our contact information:

Fluency Plus, LLC
215 North Bolivar Avenue
Cleveland, Mississippi 38732
Email: contact@fluencyplus.com

2. Who This Policy Applies To

This policy applies to school district employees and other authorized users ("Users") who access the Platform through their district’s subscription. The Platform is designed for use by adult educators and administrators. It is not intended for use by students, parents, or children.

3. Our Core Privacy Commitment: Zero Student Data Retention

BX Plan Platform does not collect, store, transmit, or process student personally identifiable information (PII) on its servers.

When Users enter student names or other student information to generate behavior plan documents (PDF or DOCX), that information is processed entirely within the User’s web browser. It is never sent to or stored on Fluency Plus servers. The generated documents exist only on the User’s local device.

This architecture means:

• No student names, IDs, dates of birth, grades, diagnoses, disability information, or behavioral data are stored on our servers
• No student education records are collected, maintained, or accessible by Fluency Plus
• No student data is subject to our backup, recovery, or logging systems
• Document generation (PDF/DOCX) happens entirely in the browser using locally hosted libraries — no external services are contacted during generation

4. Information We Collect

4.1 Account Information (via OAuth)

When you log in through Google or Microsoft, we receive and store the following from your OAuth provider:

• Name — your display name as set in your Google or Microsoft account
• Email address — your school district email
• Email domain — extracted from your email to verify your district subscription
• OAuth provider identifier — a unique ID assigned by Google or Microsoft (not your password)

We do not receive or store your password, contacts, calendar, files, or any other data from your Google or Microsoft account. We do not request access to any account data beyond what is listed above.

4.2 Activity Logs

When you generate a behavior plan, we log:

• Your user ID (internal to our system)
• The IDs of the intervention strategies you selected
• A timestamp of when the plan was generated

Activity logs do not contain student names, student information, plan content, replacement behaviors selected, or any other details about the plan you generated. They record only which strategies were used, not for whom or why.

4.3 Session Data

We use a single session cookie (connect.sid) to keep you logged in. This cookie:

• Contains a session identifier (not your personal information)
• Is encrypted and transmitted over HTTPS only
• Cannot be read by JavaScript (HttpOnly flag)
• Expires after 30 minutes of inactivity
• Is deleted when you log out

Session data is stored server-side in our PostgreSQL database and is automatically purged when the session expires.

4.4 District Application Information

If a district administrator submits an application to subscribe to the Platform, we collect district contact information including contact name, email, phone number, and mailing address. This information is used solely to process the application and manage the district’s subscription.

4.5 Information We Do Not Collect

• We do not use analytics trackers, pixel tags, or advertising cookies
• We do not collect IP addresses in application logs
• We do not collect browser fingerprints or device identifiers
• We do not collect payment information through the Platform (billing is handled separately by invoice)

5. How We Use Your Information

We use the information we collect for the following purposes only:

• Authentication — to verify your identity and confirm your district’s active subscription
• Authorization — to enforce your district’s user limits and license terms
• Service delivery — to provide access to intervention strategies and plan generation tools
• Service improvement — we may use de-identified, aggregated usage statistics (such as how frequently certain strategy categories are selected) to improve the Platform. These statistics cannot be linked to any individual student or user

We will never use your information for advertising, marketing to third parties, building personal profiles for non-educational purposes, or any purpose unrelated to providing and improving this educational service.

6. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:

• Within your district — your district’s designated administrators can view your name, email, and activity history (strategy IDs and timestamps only) for their district’s users
• Legal requirements — if required by law, subpoena, court order, or governmental regulation, we will disclose information to the extent legally required
• Safety — if we believe in good faith that disclosure is necessary to protect the safety of any person or to prevent illegal activity
• Business transfer — in the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify affected districts before any such transfer

We do not share your information with any third-party service providers for processing, hosting analytics, sending communications, or any other purpose beyond what is described in this policy.

7. Third-Party Services

The Platform interacts with the following third-party services:

• Google OAuth 2.0 — for user authentication. When you click "Sign in with Google," you are redirected to Google’s servers to authenticate. We receive only your name, email, and Google profile ID. Google’s privacy policy: https://policies.google.com/privacy
• Microsoft Entra ID — for user authentication (where enabled by your district). We receive only your name, email, and Microsoft profile ID. Microsoft’s privacy policy: https://privacy.microsoft.com/privacystatement
• Google Fonts — the Platform loads the DM Sans typeface from Google’s font servers. This results in your browser making a standard HTTP request to Google, which may include your IP address. No cookies or tracking are involved. Google Fonts privacy: https://developers.google.com/fonts/faq/privacy

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access only the minimum scopes needed for authentication (profile and email).

8. Data Security

We protect your information with the following measures:

• All data in transit is encrypted via HTTPS/TLS (enforced by our web server)
• Session cookies are marked Secure, HttpOnly, and SameSite
• Our database is not exposed to the network and accepts only local connections
• Database authentication requires password credentials (scram-sha-256)
• API endpoints are rate-limited to prevent abuse
• A Content Security Policy (CSP) restricts what resources the browser can load
• Sessions are automatically destroyed on server errors as a safety measure
• Multi-tenant data isolation ensures districts cannot access each other’s data (to the extent that we keep logs and user information as outlined in our TOS and this policy)

No system is perfectly secure. While we implement commercially reasonable safeguards appropriate to the sensitivity of the data we hold, we cannot guarantee absolute security.

9. Data Retention

• Account data — retained for as long as your district maintains an active subscription. Upon subscription termination, we will delete user accounts and associated activity logs within 90 days unless retention is required by law
• Activity logs — retained for the duration of the subscription for your professional reference and district administrative purposes
• Session data — automatically deleted after 30 minutes of inactivity or upon logout
• District application / onboarding data — retained for the duration of the subscription relationship. Rejected applications / onboarding data are retained for up to 12 months
• Student data — not applicable. No student data is ever stored on our servers

10. FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. BX Plan Platform is designed to comply with FERPA through its zero student data retention architecture:

• No student education records are collected, maintained, or stored by the Platform
• Student information entered by Users for plan generation remains entirely in the User’s browser and is never transmitted to our servers
• Activity logs contain only strategy IDs and timestamps — no student-identifiable information

When the Platform is used by a school district under a subscription agreement, Fluency Plus, LLC may operate as a "school official" with "legitimate educational interests" under FERPA 34 CFR §99.31(a)(1)(i)(B). However, because the Platform does not access, collect, or store student education records, the scope of this designation is limited to the employee account and usage data described in this policy.

Districts are responsible for maintaining downloaded plan documents (PDFs/DOCX files) in compliance with FERPA and their local data retention policies.

11. COPPA Compliance

The Children’s Online Privacy Protection Act (COPPA) restricts the collection of personal information from children under 13. BX Plan Platform is designed for use by adult school district employees and does not collect information from or about children. The Platform is not directed at children and we do not knowingly collect personal information from anyone under the age of 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will promptly delete it.

12. Your Rights

You have the following rights regarding your information:

• Access — you may request a copy of the personal information we hold about you to the extent that we hold identifiable information about you, which is limited as described in this policy
• Correction — you may request correction of inaccurate information. Note that your name and email are sourced from your OAuth provider; to update them, update your Google or Microsoft account
• Deletion — you may request deletion of your account and associated data. Contact your district administrator or email us at contact@fluencyplus.com

To exercise any of these rights, contact us at contact@fluencyplus.com. We will respond within 30 days.

13. District Administrator Rights

District administrators have additional visibility into their district’s usage upon request:

• Be provided a list of users registered under their district domain to the extent we hold such information in accordance with this policy
• Be provided a list of activity history (strategy IDs and timestamps) for users in their district

Administrators cannot access data from other districts. All queries are scoped by district domain.

14. Data Breach Notification

In the event of a security breach affecting personal information, Fluency Plus, LLC will:

• Notify affected school districts without unreasonable delay
• Notify affected individual users when required by law
• Provide information about the nature of the breach, the data affected, and steps being taken in response
• Comply with Mississippi Code §75-24-29 and any other applicable state breach notification laws

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Effective Date" and "Version" at the top of this policy
• Notify subscribing districts by email at least 30 days before material changes take effect
• Post the updated policy on the Platform

Continued use of the Platform after the effective date of an updated policy constitutes acceptance of the changes.

16. Governing Law

This Privacy Policy is governed by the laws of the State of Mississippi, without regard to its conflict of law provisions.

17. Contact Us

For questions or concerns about this Privacy Policy or our data practices:

Fluency Plus, LLC
215 North Bolivar Avenue
Cleveland, Mississippi 38732
Email: contact@fluencyplus.com