Privacy Policy
Effective Date: March 22, 2026
1. Introduction
Branimi ("we," "us," or "our") provides a cloud-based school management platform (the "Service") to educational institutions ("Organizations"). This Privacy Policy explains what information we collect, how we use it, and how we protect it.
This policy applies to all users of the Service, including Organization administrators, instructors, and staff ("Authorized Users"). It also describes how we handle data about students ("Student Data") that Organizations enter into the Service.
Branimi acts as a data processor on behalf of Organizations. Organizations are the data controllers responsible for their data and for ensuring they have appropriate authority and consent to use the Service.
2. Information We Collect
2.1 Data Provided by Organizations
Organizations and their Authorized Users enter or import the following types of data into the Service:
| Data Type | Purpose | Source |
|---|---|---|
| Student names (first and last) | Attendance tracking, identification, certification records | Organization input, CSV imports |
| Student email addresses | Matching bookwork (Canvas LMS) records to student profiles | Organization input |
| Clock-in/clock-out timestamps | Tracking attendance hours toward certification requirements | NFC kiosk, CSV imports from time-clock systems |
| Daily attendance hours | Calculating progress toward required hours, generating reports | Computed from clock-in/out data |
| Bookwork grades and scores | Tracking academic progress, displaying completion status | Canvas LMS CSV imports |
| NFC fob serial numbers | Identifying students at kiosk terminals for clock-in/out | NFC hardware scan during registration |
| Staff names and email addresses | Account management, role assignment, system access | Organization input, authentication provider |
| Staff clock-in/clock-out times | Payroll tracking and reporting | NFC kiosk, CSV imports |
| Authorized User login activity | Security, audit trails, service delivery | Authentication provider (Clerk) |
2.2 Information Collected Automatically
When you use the Service, we automatically collect limited technical information:
- Browser type and version
- Pages viewed and features used within the Service
- Date and time of access
- IP address (used for security purposes only, not for tracking)
2.3 Information We Do NOT Collect
Branimi does not collect or store:
- Social Security numbers or government-issued identification numbers
- Financial information (credit cards, bank accounts) of students
- Student home addresses or phone numbers
- Biometric data (NFC fob serial numbers are device identifiers, not biometric data)
- Student photographs or images
- Health or medical information
3. How We Use Information
We use the information described above solely for the following purposes:
- Providing the Service: Tracking attendance hours, calculating progress toward certification requirements, displaying dashboards and reports, processing clock-in/clock-out events
- Supporting the Organization: Enabling data imports from external systems (time-clock systems, learning management systems), generating payroll reports, maintaining audit trails
- Maintaining security: Authenticating users, enforcing role-based access control, monitoring for unauthorized access, rate limiting
- Improving the Service: Fixing bugs, improving performance, developing new features based on aggregate usage patterns (not individual user behavior)
4. Special Protections for Minor Students
Branimi recognizes that some students in the Service may be minors (under 18 years of age). We take the following additional steps to protect minor student data:
- No direct collection: Branimi does not collect information directly from minor students. All Student Data is entered or imported by the Organization's Authorized Users.
- No student accounts: Minor students do not create accounts in the Service. They interact with the system only through the physical NFC kiosk (clock-in/clock-out), which does not require a login or personal device.
- Minimal data: We collect only the minimum data necessary to provide the Service's core functionality (attendance tracking and bookwork progress).
- No advertising: Student Data is never used for targeted advertising or marketing of any kind.
- Organization responsibility: The Organization is responsible for obtaining any required parental or guardian consent before entering minor student data into the Service. Branimi relies on the Organization to fulfill this obligation under its enrollment agreements.
5. How We Share Information
5.1 Service Providers (Sub-processors)
We use the following third-party service providers to operate the Service. Each processes data only as necessary to provide their specific function:
| Provider | Purpose | Location | Category |
|---|---|---|---|
| Vercel | Application hosting and deployment | United States | Infrastructure |
| Neon (PostgreSQL) | Database storage for all application data | United States | Database |
| Clerk | User authentication, login management, session handling | United States | Authentication |
| Upstash | Rate limiting and operational caching | United States | Infrastructure |
| Cloudflare | DNS management, security, and performance | United States | Infrastructure |
5.2 Legal Requirements
We may disclose information if required to do so by law, regulation, legal process, or governmental request. We will notify the Organization of such requirements to the extent permitted by law.
5.3 Business Transfers
If Branimi is involved in a merger, acquisition, or sale of assets, Organization Data may be transferred as part of that transaction. We will notify affected Organizations before their data is subject to a different privacy policy.
5.4 No Other Sharing
Beyond the circumstances described above, we do not share Organization Data or Student Data with any third party.
6. Data Security
We implement and maintain reasonable security measures to protect your data, including:
- All data is encrypted in transit using TLS/HTTPS
- Database access requires authenticated connections with SSL
- Role-based access control limits data visibility based on user roles
- All data modifications are logged in an audit trail
- User authentication is managed by a dedicated identity provider (Clerk) with industry-standard security
- Rate limiting protects against automated attacks
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options) protect against common web attacks
- Account access is invitation-only; self-registration is not available
7. Data Retention
We retain Organization Data for as long as the Organization's account is active. This includes historical student records (such as graduated students), which are retained because they may be needed for regulatory compliance or audit purposes.
Upon termination of an Organization's account:
- Organization Data is retained for 30 days to allow for data export
- After 30 days, Organization Data is permanently deleted from our systems
- Backup copies may persist for up to an additional 7 days before automatic deletion
8. Your Rights
8.1 Organization Rights
Organizations have the right to:
- Access all Organization Data stored in the Service at any time through the application
- Request export of Organization Data in a machine-readable format
- Request correction of inaccurate data
- Request deletion of Organization Data (subject to the termination process described in Section 7)
- Receive notice of material changes to this Privacy Policy
8.2 Student and Parent Rights
Parents or guardians of minor students, and adult students, may exercise their rights by contacting the Organization directly. The Organization is responsible for facilitating these requests and may contact Branimi for technical assistance. We will support Organizations in responding to data access, correction, and deletion requests.
8.3 Utah Consumer Privacy Act
For individuals covered by the Utah Consumer Privacy Act (UCPA), you may have additional rights including the right to access, delete, and obtain a copy of your personal data, and the right to opt out of certain processing activities. To exercise these rights, contact us using the information in Section 11.
9. Children's Privacy
Branimi does not knowingly collect personal information directly from children under 13 years of age. All Student Data is provided by the Organization, not by students themselves.
If we become aware that we have inadvertently collected personal information directly from a child under 13 without appropriate consent, we will take steps to delete that information promptly.
The Organization is responsible for ensuring compliance with the Children's Online Privacy Protection Act (COPPA) and any applicable state laws regarding children's data.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify Organizations of material changes by email or through the Service at least thirty (30) days before they take effect.
We encourage Authorized Users to review this policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
11. Contact Information
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your data is being handled, please contact us:
Branimi Email: support@branimi.com Help Center: docs.branimi.com
For concerns about Student Data, parents and guardians should first contact the Organization (school) directly. The Organization can then work with Branimi to address any data-related requests.