Privacy Policy
Effective Date: May 2, 2026 (updated)
Before the legal language
What we will and will never do with your data
BCBAs asked us to be direct. Here it is, plainly — before any boilerplate.
What we will NEVER do
- Share reviewer information with employers under any circumstances
- Sell user data to third parties
- Allow employers to identify reviewers, even if they pay
- Disclose your BACB credential alongside your review
What we WILL do
- Verify BACB credentials against the public registry
- Store credentials encrypted and separately from review content
- Comply with valid legal subpoenas only after making reasonable good-faith efforts to challenge them, and notify the affected user unless legally prohibited from doing so
- Notify affected users within 72 hours of any data breach
- Allow users to request full deletion of their account and data at any time
These commitments are binding. The detailed policy below explains exactly how we implement each one.
0. Core Commitments — Detail
We never sell your data.
We do not sell, rent, or trade personal information — including email addresses, BACB numbers, or review content — to employers, recruiters, data brokers, or any third party. Period.
BACB credential numbers are stored separately and encrypted.
Cert numbers used for verification are stored in a separate data store with stricter access controls than review content. They are encrypted at rest and are never linked to published review text in any user-facing view.
Reviewer identity is never linked to review content in public views.
Published reviews display credential type, tenure range, and service setting only. Your name, email, and cert number are not attached to any review visible to BCBAs, employers, or the general public.
In a data breach, we will notify you within 72 hours.
If we discover a security incident that affects your personal data, we will notify affected users within 72 hours of discovery. We will follow all applicable state and federal breach notification laws and publicly document what happened and what we did about it.
You can request full deletion of your account and data at any time.
Email privacy@verifiedaba.com. Review content is retained in fully de-identified form to preserve Fidelity Score™ integrity — your name, email, and cert number are permanently deleted. All other personal data is removed within 30 days.
1. Introduction
This Privacy Policy explains how Verified ABA ("we," "us") collects, uses, and shares information when you use the Service. Capitalized terms not defined here have the meanings given in our Terms of Service.
2. Information We Collect
Account information — when you sign up: email, password hash, optional name, professional credential, and state of practice.
Credential information — BACB certification number, which we check against the BACB public registry. This information is stored separately from any Review you submit. See Section 4.
Review content — ratings, written text, caseload numbers, employment status, tenure range, and service setting. Review content is stored without your name or email attached.
Employer account information — organization name, contact person, billing details (processed by our payment provider; we do not store full card numbers).
Automatically collected — IP address, device and browser metadata, referrer, pages viewed, and security-related logs. See Section 11.
Communications — messages you send to us, including support requests and dispute submissions.
3. How We Use Information
- to verify credentials and protect the integrity of Reviews;
- to compute the Fidelity Score™ and display aggregate statistics;
- to operate and secure the Service (spam prevention, rate limiting, fraud detection);
- to communicate with you about the Service (account, transactional, and service announcements);
- to respond to disputes, appeals, and legal process;
- to improve the Service and develop new features;
- to comply with law.
4. Anonymity Architecture
The Service is designed so that Reviews are published without a name, email, or BACB number attached. Credential data used for verification is stored in a separate data store with stricter access controls and an audit log of any administrative access. Employer-specific data is not published for an employer until a minimum threshold of verified Reviews has been received, which prevents a single Reviewer from being implicitly identified.
We do not promise absolute anonymity. Anonymity can be compromised by information you include in your Review (e.g., exact dates, named individuals), by a valid legal process obligating us to produce identifying information, or by a security incident. See Sections 6 and 9.
6. Legal Process
A request seeking identifying information about a Reviewer must be served by valid U.S. legal process. Where lawful and reasonable, we will notify the affected Reviewer before producing information so that they may assert objections, including the First Amendment and anti-SLAPP defenses recognized in Dendrite International, Inc. v. Doe No. 3, 775 A.2d 756 (N.J. Super. Ct. App. Div. 2001), and Doe v. Cahill, 884 A.2d 451 (Del. 2005). See our Legal Process policy for detail.
7. Data Retention
We retain account information for the life of the account. Published Reviews are retained so that Fidelity Scores™ remain historically consistent. If you request account deletion, we will close your account and dissociate personal identifiers, but may retain Review content in de-identified form so that aggregate scores are not materially disrupted. Security and moderation logs are retained for up to 24 months for abuse prevention, then deleted or de-identified.
8. Your Rights by State
Depending on your state of residence, you may have rights to access, correct, delete, or limit the use of your personal information, and to opt out of certain processing. The Service recognizes rights afforded by (among others) the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OPA), Montana Consumer Data Privacy Act (MCDPA), and comparable laws.
To exercise a right, email privacy@verifiedaba.com. We will verify your identity before responding. You may appeal a decision by replying to our response with the subject line "Appeal."
9. Security & Breach Response
We use industry-standard administrative, technical, and physical safeguards to protect information, including encryption in transit (TLS), encryption at rest for credential data, row-level access control in the database, audited admin-only access to credential data, and regular review of security logs. No system is perfectly secure; we cannot guarantee the security of information submitted to the Service.
Breach notification. If we discover a security incident that has resulted in unauthorized access to, or disclosure of, personal information, we will:
- Notify affected users within 72 hours of discovery by email to the address on file;
- Comply with all applicable state and federal breach notification laws (including California, Virginia, Texas, and comparable state statutes);
- Publish a post-incident summary on this page describing what happened, what data was affected, and what we did in response.
10. Children's Privacy
The Service is intended for adults engaged in the clinical profession and is not directed to children under 13. We do not knowingly collect personal information from children.
12. International Users
The Service is hosted in the United States. Accessing the Service from outside the U.S. means your information may be processed in the U.S. We do not target users in the European Economic Area or United Kingdom and do not offer GDPR-specific rights. If you believe you are a GDPR-protected data subject, please contact us and we will address your request in good faith.
13. Contact
Questions about this Policy may be directed to privacy@verifiedaba.com.