Privacy Policy
Last updated: July 3, 2026
OpenCEU is operated by Scaling Services LLC (Florida, USA). This policy explains what we collect, why we collect it, who sees it, and how long we keep it. The plain-language version lives at /trust; this is the complete one. If they ever disagree, this policy controls.
1. What we collect
Account data. Name, email, password (stored as a hash by our authentication provider — we never see it), and, if you add them, your BACB certification number and job details. Your BACB number appears on your certificates because audits require it.
CEU activity — the audit trail. This is the heart of the platform: event registrations, attendance-check responses with timestamps, quiz answers and scores, watch progress on recordings, certificates issued (and any revocations), and — for live events — an identity confirmation that records the email you confirmed, whether it matched, your IP address, and your browser user-agent. We collect this because BACB-auditable continuing education requires verifiable records of who did what, when.
Event chat. Messages you send in a live event chat, with your display name.
Payment data. Handled by Stripe. We store what Stripe returns about the transaction (who paid for which event, when, status) but never your card number.
Host organization data.For hosts: organization details, ACE Provider information, payout account identifiers (via Stripe Connect), and credentials for integrations the host connects (e.g., email, video, or streaming services). These are used only to operate those integrations on the host’s behalf.
Usage data. First-party page-view analytics (page, time, referrer source, device type, and IP-derived signals such as bot detection), ad impressions and clicks on our own sponsor units, and email engagement (opens, clicks, bounces) through our email provider. We also use, or may use, third-party analytics and advertising tools — see Section 4.
Cookies.A login session cookie (so you stay signed in), an anonymous ad-session cookie (a random ID that enforces ad frequency caps — e.g., “don’t show this viewer another pre-roll for 30 minutes”), and cookies set by the analytics/advertising tools described in Section 4.
What we deliberately do not collect: any information about the clients or patients that behavior analysts serve. OpenCEU holds professional continuing-education records about you — never clinical data about anyone in your care.
2. How we use it
- Running the platform: streaming events, scoring quizzes, issuing certificates, keeping you signed in.
- Compliance and audit-readiness:maintaining the records you or your event’s ACE Provider would need in a BACB audit.
- Customer service:resolving issues for you and for event hosts (e.g., “my attendance didn’t register”).
- Transactional email:registration confirmations, event reminders, and certificate delivery. These are part of the service — they aren’t marketing and are sent as long as you use the platform.
- Marketing email: when you create an OpenCEU account you are added to the OpenCEU email list (new CEUs, platform news). Every marketing email has a one-click unsubscribe, and unsubscribing never affects your certificates or account.
- Advertising measurement:counting impressions and clicks on sponsor units, tied to a random session ID (and your account ID if you’re signed in) so we can enforce frequency caps and report aggregate performance to sponsors.
- Analytics and ads for OpenCEU itself: see Section 4.
3. Who sees your data
Event hosts.When you register for or attend an event, that event’s host (the ACE Provider) can see your name, email, and your attendance/completion records for their events — they are required to keep these for compliance. Hosts can also export their registrant list and may contact you directly about their offerings; once exported, the host is independently responsible for that data and for honoring your opt-outs from their communications.
Sponsors and advertisers: nothing. We do not sell, rent, share, or transfer your personal information to sponsors. Sponsors receive aggregate numbers only (impressions, clicks). The only way a sponsor learns who you are is if you click their ad and give them your information on their own website. There is no automatic data passing.
Certification bodies.We or an event’s host may confirm completion records to a certification body (e.g., the BACB) in connection with an audit or verification request.
Service providers (subprocessors). Companies that process data on our behalf to run the platform — listed with their roles on /trust: Supabase (database & authentication), Vercel (application hosting), Cloudflare (video delivery & edge infrastructure), Stripe (payments), Brevo (email), LiveKit (live video), and Backblaze (encrypted off-site backups), plus the analytics/advertising providers in Section 4 when enabled.
Legal. We may disclose information if required by law or to protect the rights, safety, or integrity of the platform and its users.
We do not sell your personal information.
4. Analytics and advertising tools
We use, or may use, third-party analytics and advertising services for OpenCEU’s own measurement and marketing — such as Google Analytics and advertising pixels/tags from platforms like Google and Meta. These tools use cookies or similar technologies and may collect your IP address, device information, and the pages you visit here, and may be used to show you OpenCEU ads elsewhere (remarketing). They are governed by their providers’ own privacy policies, and you can limit them through your browser settings, Google’s opt-out tools, and your ad-platform settings. These tools measure OpenCEU’s own audience — they are separate from sponsor ads, which never receive your data from us.
5. How long we keep it
- Account data: for as long as you have an account. Delete your account in Settings and we delete your profile and login data.
- Compliance records (certificates, attendance logs, quiz responses, identity confirmations): retained for seven (7) years from issuance, including after account deletion. These are audit records — you, an ACE Provider, or the BACB may need to verify a CEU years after it was earned, and BACB rules require providers to keep event records for at least three years. Retained records are kept only for compliance purposes, not marketing.
- Usage and ad-measurement data: kept in identifiable form only as long as needed for reporting, then aggregated or deleted.
- Backups: encrypted backups are kept on a rolling schedule and age out automatically.
6. Security
Data is encrypted in transit and at rest. Database access is restricted by row-level security and a least-privilege access model; only employees have database access. Payments never touch our servers (Stripe handles them). We keep nightly encrypted backups with an independent off-site copy, apply rate limiting and audit logging on sensitive operations, and conduct security audits of the platform. No system is perfectly secure, but if a breach affects your personal information, we will notify you without undue delay. The full write-up is at /trust.
7. Your choices and rights
- Unsubscribe from marketing email via the link in any message.
- Delete your account in Settings (compliance records are retained as described in Section 5).
- Access, correct, or export your data — email matt@openceu.com and we’ll respond within 30 days. We honor deletion and access requests from all US users regardless of state, subject to the compliance-record retention above.
- Cookies:control them in your browser; the platform’s core cookies (login, ad frequency) are functional and contain no profile information.
8. Scope
OpenCEU is operated from the United States for a primarily US professional audience, and your data is processed in the United States. The platform is for adults 18 and older; we do not knowingly collect data from anyone under 18.
9. Changes and contact
When this policy changes materially, we’ll update the date above and notify you by email or in-app notice. Questions or requests: matt@openceu.com · Scaling Services LLC, Florida, USA.