Application and Platform Privacy Policy

Sensory Bridges, Inc.

Effective Date: March 22, 2026 Last Updated: March 22, 2026

This policy supersedes all prior versions of the Sensory Bridges, Inc. Application and Platform Privacy Policy.

Regulatory Framework: This Policy is governed by the following federal and state laws, listed in order of regulatory hierarchy for school-based deployments: Individuals with Disabilities Education Act (IDEA), 20 U.S.C. §§ 1400–1482 and 34 C.F.R. §§ 300.610–300.626; Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g and 34 C.F.R. Part 99; Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506 and 16 C.F.R. Part 312 (as amended effective June 23, 2025, with full compliance required by April 22, 2026); Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160, 162, 164 (limited applicability for Medicaid billing); Protection of Pupil Rights Amendment (PPRA), 20 U.S.C. § 1232h; and applicable state student data privacy, consumer privacy, and breach notification laws.

Scope: This Policy governs all data collected by the Brooks Band™ device, the Brooks Band™ companion application, and the associated administrative data platform (collectively, the “Platform”). This Policy applies to all pilot program participants, schools, local education agencies (LEAs), therapy organizations, individual educators and therapists, and families. This Policy does not govern data collected through the sensorybridges.com website, which is addressed in our separate Website Privacy Policy.

1. Introduction and Scope

Sensory Bridges, Inc. (“Sensory Bridges,” “we,” “our,” or “us”) is a Tennessee corporation headquartered in Chattanooga, Tennessee. We develop the Brooks Band™, an assistive technology wearable platform that supports self-regulation awareness for neurodivergent individuals.

Product Classification: The Brooks Band™ is classified as an assistive technology device under the Individuals with Disabilities Education Act (IDEA), 20 U.S.C. § 1401(1), and as a general wellness product under the FDA’s General Wellness Policy Guidance. It is not a medical device. Statements about the Brooks Band have not been evaluated by the Food and Drug Administration. The Brooks Band is not intended to diagnose, treat, cure, or prevent any disease or medical condition. No data collected through the Platform is used for the purpose of diagnosis, treatment, or mitigation of disease or medical conditions.

2. Privacy-by-Design Architecture

2.1 On-Device Processing

The Brooks Band™ is architecturally designed to process all voice-related data on the device itself. The device captures ambient sound through the onboard microphone to measure voice volume levels (amplitude only). All audio processing occurs locally on the device in real time. A rolling overwrite buffer processes the sound envelope and continuously erases. No raw audio, voice recordings, speech content, or voice patterns are ever stored on the device, transmitted to the companion application, or sent to any server.

2.2 Data Minimization

Only derived metrics (voice volume levels, movement data, haptic interaction logs) are transmitted from the device to the companion application. These metrics cannot be used to reconstruct audio or identify speech content. The Platform collects only the data strictly necessary for the educational services described in this Policy, consistent with the data minimization requirements of COPPA (16 C.F.R. § 312.7) and FERPA.

2.3 What Is Never Collected

The Platform never collects:

Raw audio, voice recordings, or speech content
Location or GPS data
Photographs, video, or camera input
Contact lists, call logs, or messaging data
Data from other applications on any device
Advertising identifiers or cross-app tracking data
Social media identifiers or online contact information of children

3. Categories of Data Collected

Category	Data Elements	Source	Legal Basis
Student/User Profile	Student name or de-identified code, student ID (assigned by school), grade level, classroom assignment, IEP goal domain, instructional setting	Entered by educator or administrator	FERPA school official exception; COPPA school authorization or parental consent
Voice Volume Level Data	Decibel-level measurements of voice volume (amplitude only). Treated as a biometric identifier under COPPA 2025 (16 C.F.R. § 312.2). Requires separate parental consent.	Brooks Band™ device (on-device processing; no raw audio stored or transmitted)	COPPA separate biometric consent; FERPA legitimate educational interest
Session Event Data	Timestamped voice volume events, peak dB classification, event duration, self-correction status, self-correction latency, setting context	Brooks Band™ device (on-device processing)	FERPA legitimate educational interest; IDEA § 300.320(a)(3) data collection
Motion and Movement Data	Accelerometer data, movement patterns, activity levels	Brooks Band™ device sensors	FERPA legitimate educational interest; COPPA school authorization or parental consent
Haptic Interaction Logs	Timestamp and type of haptic feedback delivered, user response status	Generated by device during use	FERPA legitimate educational interest
Progress Data	Self-correction rate, weekly trend data, event frequency, session summaries, progress toward goals	Auto-calculated by Platform	IDEA progress monitoring; 34 C.F.R. § 300.320(a)(3)
Administrative Records	Auto-generated progress documentation, session reports, Medicaid-aligned session records (where applicable)	Auto-generated by Platform from session data	IDEA documentation requirements; Medicaid billing compliance
Educator/Therapist Account	Name, email, role, credential, organization affiliation	Entered by educator/therapist at enrollment	Contractual necessity; DPA
Parent/Guardian Contact	Name, email, phone (for consent and notification purposes only)	Provided by school or parent during enrollment	COPPA parental consent; FERPA notification

4. FERPA Compliance

4.1 School Official Designation

When deployed in a school or LEA setting, Sensory Bridges operates as a “school official” with a “legitimate educational interest” under 34 C.F.R. § 99.31(a)(1). This designation is established through a Data Processing Agreement (DPA) executed between Sensory Bridges and the LEA prior to any data collection.

The DPA specifies: permitted uses of student data; prohibition on re-disclosure; direct control mechanisms retained by the LEA; data return and destruction timelines; breach notification procedures; and confirmation that Sensory Bridges does not retain ownership of student education records.

4.2 Parental Rights Under FERPA

Parents and eligible students retain all rights guaranteed by FERPA, including:

Right to Inspect and Review: Parents may request access to all education records maintained in the Platform for their child. Requests will be fulfilled within 45 days. (34 C.F.R. § 99.10)
Right to Seek Amendment: Parents may request correction of records they believe are inaccurate or misleading. (34 C.F.R. § 99.20)
Right to Consent to Disclosures: Written consent is required before disclosure of PII from education records to third parties not covered by a FERPA exception. (34 C.F.R. § 99.30)
Right to Revoke Consent: Consent may be revoked at any time by notifying the LEA.
Right to File a Complaint: Complaints may be filed with the U.S. Department of Education, Student Privacy Policy Office (SPPO), 400 Maryland Avenue SW, Washington, DC 20202-8520. (34 C.F.R. § 99.63)

4.3 Re-Disclosure Prohibition

Any party accessing student PII through the Platform under the school official exception is bound by the re-disclosure prohibition at 34 C.F.R. § 99.33. Student data may not be re-disclosed to any party not authorized under the DPA. All data exports from the Platform are logged with user identity, timestamp, and stated purpose.

4.4 FERPA Written Consent Requirements

When FERPA written consent is required (34 C.F.R. § 99.30), Sensory Bridges ensures the consent form specifies: the specific records to be disclosed; the purpose of the disclosure; the party or class of parties to whom the disclosure will be made; and requires a date and parent signature. Generic or blanket consent is not accepted.

5. COPPA Compliance (2025 Amended Rule)

5.1 Operator Status

Sensory Bridges is an “operator” under COPPA because the Platform collects information from children under 13 through the Brooks Band™ device and companion application. We comply with all requirements of COPPA as amended by the Final Rule effective June 23, 2025, with full compliance required by April 22, 2026. Regardless of school authorization, Sensory Bridges retains independent responsibility for all COPPA obligations, including providing online notice (16 C.F.R. § 312.4), maintaining data security (16 C.F.R. § 312.8), implementing data retention limits (16 C.F.R. § 312.10), and ensuring data minimization.

5.2 School Authorization Exception

In school-based deployments, Sensory Bridges may accept a school’s authorization in lieu of direct parental consent for educational data collection purposes only, pursuant to the FTC’s longstanding school authorization guidance. School authorization is valid only when: the data collection is solely for the educational benefit of the student and the school system; the data use is specific to the educational context; and the school agrees not to authorize collection of data for any commercial purpose.

School authorization does not extend to: biometric data collection (voice volume level data); Medicaid billing data; third-party disclosures beyond the DPA; or research participation. Each of these requires separate, direct parental consent.

5.3 Biometric Identifiers (2025 Amendment)

The 2025 amended COPPA Rule expanded the definition of “personal information” to include biometric identifiers, including voiceprints (16 C.F.R. § 312.2). The Brooks Band™ measures voice volume levels — not voice content, speech patterns, or vocal characteristics that could constitute a voiceprint.

Pending a formal legal determination, Sensory Bridges treats voice-volume level data as a biometric identifier under the amended rule and requires separate written biometric consent from parents before collecting this data. We will provide written notification of our final determination to all participating families and institutions.

5.4 Third-Party Disclosure Consent

The 2025 amended COPPA Rule requires separate parental consent for disclosures of children’s personal information to third parties not integral to the service. Sensory Bridges obtains separate consent for each third-party data flow. The Platform’s current third-party data flows are limited to those identified in the DPA executed with each institution. A current list of service providers processing children’s data is available upon request by contacting privacy@sensorybridges.com.

5.5 Parental Rights Under COPPA

Parents of children under 13 retain the following rights under COPPA (16 C.F.R. § 312.6):

Right to Review: Parents may request review of personal information collected from their child. We will provide the information within 30 days of a verified request.
Right to Delete: Parents may request deletion of personal information collected from their child. We will delete the data within 30 days and confirm deletion in writing.
Right to Refuse Further Collection: Parents may revoke consent and refuse further collection at any time. The device will be deactivated for the child upon request.
Right to Direct Notification: Parents will receive direct notice of our data collection practices before any information is collected from their child.

To exercise these rights, contact privacy@sensorybridges.com with the subject line “COPPA Parental Rights Request.”

5.6 Written Information Security Program

As required by the 2025 amended COPPA Rule (16 C.F.R. § 312.8), Sensory Bridges maintains a Written Information Security Program (WISP) proportionate to the sensitivity of the children’s data we process. The WISP designates a security coordinator, requires annual risk assessments, provides for regular security testing, mandates employee and contractor training on children’s data handling, and requires written security assurances from all service providers processing children’s data.

6. IDEA Part B Confidentiality

For students receiving special education services under IDEA Part B, the confidentiality requirements at 34 C.F.R. §§ 300.610–300.626 apply. Sensory Bridges complies with IDEA confidentiality requirements including:

Notice to parents of their IDEA confidentiality rights at the point of enrollment.
Maintenance of a record of access showing all persons who have obtained access to a student’s education records, the date of access, and the purpose of access (34 C.F.R. § 300.614).
Data destruction notification: Parents are notified when education records maintained in the Platform are no longer needed for the IEP purpose, and data is destroyed at parental request (34 C.F.R. § 300.624).
Safeguards ensuring a single designated official is responsible for ensuring confidentiality at the LEA level (34 C.F.R. § 300.623).

7. HIPAA (Limited Applicability)

HIPAA does not generally apply to education records covered by FERPA. However, when a school-based deployment involves Medicaid billing for related services (e.g., SLP services billed to TennCare or GAMMIS), a limited HIPAA applicability track is triggered for the billing transaction itself.

In such cases, Sensory Bridges applies the following protections to Medicaid billing data:

Billing data is maintained separately from education records.
Electronic billing transactions comply with HIPAA transaction standards (45 C.F.R. Part 162).
Minimum necessary standard is applied to all billing disclosures.
Breach notification for billing data follows HIPAA timelines (within 60 days for breaches affecting 500+ individuals; HHS notification as required).

For deployments outside the school setting (e.g., private therapy practices) where HIPAA applies in full, Sensory Bridges will execute a Business Associate Agreement (BAA) with the covered entity prior to any data exchange.

8. Data Security

Sensory Bridges implements the following security measures:

Encryption in Transit: All data transmitted between the Brooks Band™ device and the companion application is encrypted via BLE with pairing-based authentication. All data transmitted between the companion application and the Platform backend is encrypted via TLS 1.2 or higher.
Encryption at Rest: All student data stored on the Platform backend is encrypted at rest using AES-256 or equivalent.
Access Controls: Role-based access controls (RBAC) ensure that educators, therapists, and parents access only data authorized for their role. No single user can view all student records across an institution unless specifically authorized by the LEA.
Audit Logging: All data access events, data exports, and account modifications are logged with user identity, timestamp, IP address, and action taken.
Device Management: In managed school deployments, devices are provisioned and managed through enterprise device management, enabling remote wipe, lockdown, and update management.
Incident Response: Sensory Bridges maintains a documented incident response plan. In the event of a data breach, LEAs are notified within 24 hours; parents are notified as required by FERPA breach guidance; FTC notification is made if children’s data is affected under COPPA (16 C.F.R. § 312.8); state breach notification statutes are followed as described in Section 12.
Employee Training: All personnel with access to student data receive training on FERPA, COPPA, and data handling obligations prior to accessing the Platform and annually thereafter.
Vendor Security: All third-party service providers processing student data are required to maintain reasonable data security practices and provide written security assurances prior to engagement.

9. Data Retention and Destruction

Sensory Bridges retains data in accordance with the following schedule. As required by the 2025 amended COPPA Rule (16 C.F.R. § 312.10), each retention period is accompanied by the specific business need for retention.

Data Type	Retention Period	Business Need	Governing Authority
Voice volume level data (on-device)	Real-time processing; rolling overwrite; not stored beyond device session	Real-time self-regulation awareness feedback	COPPA data minimization
Session event data	Duration of active IEP or service plan + 12 months for administrative closeout	Educator reporting, progress documentation	IDEA; DPA terms
IEP progress documentation	Duration of active IEP + 5 years (or per LEA records retention policy, whichever is longer)	IDEA compliance; LEA audit requirements	IDEA; FERPA; LEA records retention policy
Medicaid billing records	6 years from date of service (federal minimum)	Federal Medicaid audit requirements	42 C.F.R. § 447.26; state Medicaid agency
Student identifiers	Duration of active enrollment + 90 days	Account management	DPA terms; COPPA
Educator/therapist accounts	Duration of account + 12 months post-termination	Post-termination audit and transition	DPA terms
Audit logs	6 years	Compliance audit trail	HIPAA standard applied by analogy; DPA terms

Upon expiration of the retention period or upon written request from the LEA or parent (for IDEA records), Sensory Bridges will securely delete or return all applicable data within 30 days and provide written certification of destruction.

No student data is used for product training, machine learning model development, AI model training, advertising, or any purpose outside the scope authorized by the DPA and applicable consent.

10. Data Processing Agreements

Before any student data is collected through the Platform, Sensory Bridges executes a Data Processing Agreement with the participating LEA, school, or therapy organization. The DPA establishes:

Sensory Bridges’ designation as a school official with legitimate educational interest (FERPA).
Specific permitted uses and prohibited uses of student data.
The LEA’s retained ownership of all student education records.
Direct control mechanisms allowing the LEA to audit, inspect, and direct data handling.
Data return and destruction procedures at termination.
Breach notification timelines and procedures.
Re-disclosure prohibition binding Sensory Bridges and all downstream service providers.
Compliance with COPPA school authorization requirements where applicable.

A DPA summary describing the agreement’s scope and how to request the full agreement is available by contacting privacy@sensorybridges.com.

11. Role-Based Access

Role	Definition	Data Access Level
Authorized Organization	School, LEA, or therapy organization with an executed pilot or service agreement	Full administrative access to organizational data; designates Platform Administrators
Platform Administrator / Educator	Individual designated by the Authorized Organization to manage the platform and review student data	Student-level engagement data, aggregate reports, scheduling and configuration
Student User / Wearer	Individual who wears the Brooks Band™ device	Own device interactions only; no access to platform or dashboard
Parent / Guardian	Legal parent or guardian of the Student User	View-only access to their child’s engagement summaries; consent and opt-out rights

12. Breach Notification

In the event of a data breach affecting student data or children’s personal information, Sensory Bridges will provide notification as follows:

LEA Notification: Within 24 hours of breach determination, consistent with Georgia SB 89 requirements (O.C.G.A. § 20-2-663) and standard DPA terms.
FERPA: The LEA is responsible for parent notification under FERPA; Sensory Bridges will cooperate fully and provide all information necessary for the LEA to fulfill its notification obligations.
COPPA: If children’s personal information is affected, Sensory Bridges will notify the FTC as required by 16 C.F.R. § 312.8.
HIPAA: If Medicaid billing data is affected, notification follows HIPAA timelines (60 days for breaches affecting 500+ individuals; HHS notification as required).

State breach notification deadlines:

State	Statute	Deadline
Tennessee	T.C.A. § 47-18-2107	60 days
Georgia	O.C.G.A. § 10-1-912	Without unreasonable delay
Alabama	Ala. Code § 8-38-5	45 days
North Carolina	N.C.G.S. § 75-65	Without unreasonable delay
South Carolina	S.C. Code § 39-1-90	30 days
Florida	F.S. § 501.171	30 days
Kentucky	K.R.S. § 365.732	60 days
Vermont	9 V.S.A. § 2435	45 days
California	Cal. Civ. Code § 1798.82	Most expedient time possible
New York	GBL § 899-aa (SHIELD Act)	30 days

13. State Student Data Privacy Laws

In addition to federal law, Sensory Bridges complies with applicable state student data privacy laws in each state where pilots or services are deployed:

Tennessee: T.C.A. § 49-1-708; T.C.A. § 49-6-4602 et seq. (student data operator prohibitions).
Georgia: Student Data Privacy, Accessibility, and Transparency Act (O.C.G.A. § 20-2-661 through 20-2-667), including prohibitions on selling student PII, using student data for targeted advertising, and requirements for appropriate security procedures and public accessibility of privacy practices.
North Carolina: Student Digital Learning Environment Act (N.C.G.S. § 115C-401.1).
New York: Ed. Law § 2-d (student data privacy and security); SHIELD Act (GBL § 899-aa); New York Child Data Protection Act (NYCDPA).
California: CalSOPIPA (Cal. Bus. & Prof. Code § 22584); CCPA/CPRA (Cal. Civ. Code § 1798.100 et seq.).
Florida: F.S. § 1002.222 (student records).
Kentucky: K.R.S. § 365.734 (student records); KCDPA (K.R.S. § 367.3671 et seq.).

14. Prohibited Uses of Data

Sensory Bridges will never use data collected through the Platform for:

Targeted advertising or marketing to students, children, parents, or educators.
Building behavioral or marketing profiles of students.
Sale, rental, lease, or monetization of student data or children’s personal information to any third party for any purpose.
Training machine learning models, artificial intelligence systems, or generative AI on identifiable student data.
Any commercial purpose unrelated to the educational services authorized by the DPA.
Profiling that produces legal or similarly significant effects on any individual.

15. Changes to This Policy

We may update this Policy from time to time. When we make changes, we will update the “Last Updated” date at the top of this Policy and provide thirty (30) days’ advance notice to all Authorized Organizations before the changes take effect. For material changes affecting data collection practices, disclosure practices, data retention periods, or children’s privacy protections, Sensory Bridges will obtain affirmative acknowledgment from Authorized Organizations and, where required by COPPA, obtain new parental consent before implementing the changes.

16. Contact Information

Sensory Bridges, Inc.

100 Cherokee Blvd., Suite 213

Chattanooga, TN 37405

Email: privacy@sensorybridges.com

Phone: 423-401-0655

For complaints regarding children’s privacy under COPPA, contact the Federal Trade Commission at www.ftc.gov or 1-877-FTC-HELP (1-877-382-4357).

For complaints regarding student data privacy under FERPA, contact the Student Privacy Policy Office (SPPO), U.S. Department of Education, 400 Maryland Avenue SW, Washington, DC 20202-8520.

Tennessee residents may file complaints with the Tennessee Attorney General, Division of Consumer Affairs, P.O. Box 20207, Nashville, TN 37202-0207.

Product Classification Notice: The Brooks Band™ is a general wellness and assistive technology device. It is not a medical device. Statements about the Brooks Band have not been evaluated by the Food and Drug Administration. The Brooks Band is not intended to diagnose, treat, cure, or prevent any disease or medical condition. Data collected by the Brooks Band is for educational and self-regulation awareness purposes only.