Privacy Policy

At BrightFish Learning, we understand and respect your concerns about the use of your personal information. We are committed to complying with the student data privacy laws that apply to your use of the Platform and helping our customers comply with FERPA. Read more below and in our Terms of Use.


The Site and its related products and services (collectively, “the Services”) are operated by BrightFish Learning, LLC. (“us”, “we”, “BrightFish”, “BrightFish Learning” or “the Company”), except and unless otherwise indicated. The Services consist of an online provider of educational tools and other materials and content. The text, images, data, illustrations, files, audio, videos, designs, documents, and other materials and content (collectively, the “Content”). Collectively, the Site, Services and Content are referred to in these Terms as the “Platform”. We use the term “Student Information” in this policy to refer to information that personally identifies a student and other information we receive about a student that is linked to information that personally identifies a student. Student Information does not include de-identified or aggregated information that does not personally identify an individual student.


When you use the Platform, you provide us with three types of Student Information:

  1. Personal Data. For the general purposes of authentication and roster management, we collect information that is used to identify individual users (the “Personal Data”). Personal Data does not include Data that has been aggregated or made anonymous such that it can no longer be reasonably associated with a specific person. The Personal Data that we collect includes:
    • first and last name,
    • grade level,
    • email address (optional), and
    • school identification code (optional).
    As a general matter, we do not request nor collect any of the following information:
    • physical address(es),
    • telephone number(s),
    • photograph or physical likeness,
    • date or place of birth,
    • social security number,
    • dates of attendance in school,
    • grades or test scores,
    • disciplinary records, or
    • medical or health records.
    We collect Personal Data in different ways. For example, we collect Personal Data when a student or teacher registers for a BrightFish account and when a person responds to BrightFish emails or surveys. We also receive Personal Data from other sources (“Third-Party Applications”), such as identity verification services like Clever, Google and Facebook contingent on users granting such Third-Party Applications to share Personal Data with us. You have the right to decline to share certain elements of Personal Data that we ask you to provide, but must note that doing so may limit your use of certain features and functionality of the Platform. You may edit account information and submissions at any time by accessing your account through the Platform.
  2. Device Data. As you interact with the Site, we collect technical information (“Device Data”) such as cookies, your web browser type, your IP address, and your device’s operating system, among others. We take measures to ensure that our cookies do not collect personally identifiable or sensitive information. The aggregate information we collect is analyzed and may be combined with similar aggregate information of other visitors to the Site. You may set your browser to reject cookies; however, this may affect some functions of the Site.
  3. Performance Data. Student interactions with our Platform generate data we refer to as “Performance Data”. Performance Data may include, for example, the lessons a student chooses to complete, when a student starts and stops a lesson, and student responses in the lesson. Performance Data will be used for educational purposes only.


  1. Personal Data. We and our service providers use Personal Data to: (i) provide the Services, ii) comply with applicable laws, and (iii) promote our products, systems, and tools. Examples of how we may use Personal Data include:
    • To authenticate a user’s identity;
    • To customize the features that we make available to you;
    • To respond to inquiries, send service notices and provide customer support;
    • To communicate regarding a payment, and provide related customer service;
    • For regulatory purposes and compliance with industry standards;
    • To send communications about new features and products;
    We do not use Personal Data for maintenance, testing, or improvement of the Platform.
  2. Device Data. We use cookies in order to permit you to remain logged in as a User for the duration of your sessions. We use other Device Data to improve the product, debug, provide customer support, and for aggregate analysis.
  3. Performance Data. We use Performance Data for reporting purposes to teachers and educational agencies, and to test and improve our product. We also use aggregate Performance Data to develop new products, improve or modify our Services, conduct aggregate analysis and develop business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of, our business.


We do not disclose, share, rent, or sell any Personal Data or other personally identifiable information about students to any third parties for commercial uses, such as targeted advertising. We only disclose or share such Personal Data with bona fide service providers for purposes related to or arising out of the ordinary course of creation, development, operation, service, and maintenance of the Platform. Such bona fide third-party service providers shall only use such information for such purposes and not to sell such information under any circumstances. Third party providers who do help us operate our Services must adhere to privacy and security obligations in a manner consistent with the Company’s policies and practices.. For the purposes of illustration, examples of bona fide third-party service providers to us are services facilitating cloud-based hosting, online customer support, log-in monitoring and customer engagement services.


If you are a student using the Platform in connection with a “class”, your school administrator(s) and teacher(s) (“Educator Users”) may have the ability to access, monitor, use, or disclose data related to User Performance Data and Personal Data. If you are an Educator User, you agree that you will obtain and maintain all required consents from End Users to allow: (i) your access, monitoring, use, and disclosure of this data and our providing you with the ability to do so, and (ii) your End User’s use of the Programs. If a User enrolls in a “class” created by a teacher, on the Platform, the User grants permission to the teacher to view their Personal and Performance Data. Enrollments are done via a unique class join code, direct email invitation, a print out of student logins via PDF, or integration with a Third Party Application.


All student Personal Data is securely encrypted within our database, which has daily backups and is protected by SSH (Secure Shell) and a firewall. All actions that involve the digital transmission of Personal Data are handled by a 256-bit SSL (Secure Sockets Layer) encryption.


We retain Student Information to provide the Services to you and our other users and to provide a useful user experience, and not longer than is necessary to do so. Backups of our database are kept for a reasonable period of time and used only in the exceptional circumstances of data recovery due to system failures. Users may deactivate their account at any time by accessing their account through the Platform. Deactivating an account means the following:

  • You will no longer be able to access your account.
  • No further activity may take place on your account.
  • Your account will no longer be publicly visible on the student leaderboard.
  • All data associated with your account will be kept for reporting and compliance reasons.
  • Your data up until your deactivation will continue to be shared with any teacher and school that previously had access to such data.
  • A deactivated account can be restored, with all Student Information intact, upon request.

Following the termination of a license, a school or district may request that we deactivate and de-identify Student Information and we will do so, unless the school, district, or applicable regulations require the retention of such data, in which case the records shall be de-identified upon the expiration of the retention period. Prior to de-identifying any Student Information, we will first ensure that the school or district has downloaded backups of the same. This shall apply even in the case when the termination of a license is initiated by the Company. In the case of a request for deactivation and de-identification, the following happens:

  • We will obfuscate all of the Personal Data in the relevant student accounts. This means that their email, first name, last name, and username get replaced with a long, meaningless identifier. This is a one way change, and we can never recover the identity associated with the account after this step. We will perform this obfuscation in our database, all backups that we maintain, and in any third party applications that we use to deliver the Services.
  • We will retain all Performance Data associated with the accounts to improve the Platform. These reasons include, but are not limited to: internal data analytics and prevention of fraud and abuse.
  • This action also deactivates all relevant accounts, preventing them from being used in the future.

In order to request an account reactivation, please contact us at To request that Student Information be de-identified, please contact us at


A parent or guardian may review Student Information in the applicable student’s records by viewing their BrightFish account. The Platform enables any Educator User to permit parents, legal guardians, and eligible pupils to review personally identifiable information contained in Student Information, and to correct erroneous information, in accordance with procedures established by the school district or educational agency To the extent that a User opts to share his or her profile with his or her parent or guardian, such User expressly agrees to such sharing and all related responsibilities and liabilities therewith. We fully comply with the Requirements for Accessible Electronic and Information Technology Design as laid out by the U.S. Department of Education here.


Any and all student data provided to BrightFish, or to which BrightFish has been granted access, are and shall remain the sole property of the educational agency that provided or granted access to such records.


In accordance with the Children’s Online Privacy Protection Act (“COPPA”), we require parental consent for students under the age of 13. Children under the age of 13 should not register for their own BrightFish account. Setup of accounts for children under the age of 13 is coordinated with a child’s teachers and parent for licensed school customers only. If you are a parent, please coordinate with your child’s teacher to set up an BrightFish account for your child. If you are a teacher interested in using BrightFish with children under 13, please contact us at and we will work with you toward a school license and collecting the necessary parental consents. Parents may review their child’s personal information on BrightFish, direct us to delete it, and refuse to allow any further collection or use of their child’s information by BrightFish by revoking their consent. Parents seeking to revoke their consent, review their child’s information, and request a deletion of their child’s data should contact us at


Within 48 hours of learning about a data breach, or longer reasonable time as may be required by the legitimate needs of applicable law enforcement or as to take measures necessary to determine the scope of the breach and restore reasonable integrity of its systems, we will notify all teachers, parents, principals, and district administrators whose information may have been improperly disclosed, via email communication to the email address on file for each user. We will inform any users who oversee those students (i.e. relevant teachers, parents, principals, and district administrators) if any Student Information is involved. This email notification will describe the nature of the data breach, the date of the breach, the types of information that were subject to the breach, and steps that are being taken to protect their BrightFish accounts going forward.


If we are going to make any changes to this Privacy Policy that would change our practices around what data we collect, how we collect that data, or that would lessen the previously noted protections around student data privacy in a material way, we will notify all users at least 30 calendar days in advance of making such a change. We will provide notification via the emails associated with the profiles of our users.


If you have any questions or comments about this Privacy Policy, please contact us at: Privacy Director BrightFish Learning, LLC 504 South Oak Street., Hinsdale, IL 60527 (630) 335-1968


This Statement describes the policies and procedures employed by Learning Genie to ensure compliance with the requirements set forth in Section 49073.1 of the California Education Code (the “Code”).
  • Ownership of Student Information. See Section 9 of this Privacy Policy.
  • Student-generated content. The Platform does not collect or store any student-generated content. In the event the Platform is updated to incorporate such a feature, we will amend this statement to describe the means by which students may retain possession and control of student-generated content.
  • Third party access and use. See Section 4 of this Privacy Policy.
  • Parent and pupil review procedures. See Section 8 of this Privacy Policy.
  • Security and confidentiality of Student Information. BrightFish is committed to maintaining the security and confidentiality of Student Information. It has designated a Security Compliance Officer (SCO), who is responsible for: (a) ensuring that the Company’s servers are protected against unauthorized access to the greatest degree possible; (b) limiting employee access to Student Information to whatever extent is required for them to perform their job functions; and (c) regularly training employees in data security procedures to further ensure compliance with company data security policies.
  • Unauthorized disclosure. See Section 11 of this Privacy Policy.
  • Post-contract data deletion. See Section 7 of this Privacy Policy.
  • FERPA compliance BrightFish offers schools and districts utilizing the Platform the means to comply with their obligations under the Federal Educational Rights and Privacy Act (20 USC §1232(g)), by enabling Educator Users to inspect and review Student Information and to correct any inaccuracies therein as described in Section 8 of this Statement.
  • Prohibition against targeted advertising. See Section 4 of this Privacy Policy.