Portal Privacy Policy
Effective Date: November 1, 2025 | Portal (BrainBox / ElasticShelf) | Owned by: Rocking Cube LLC
1. Introduction
This Privacy Policy explains how Rocking Cube LLC (“Company,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when Customers and their authorized users access or use the Company’s web and mobile software platforms, including the BrainBox and ElasticShelf solutions (collectively, the “Portal”).
The Portal is provided to organizations such as human service agencies, group homes, and similar providers (each, a “Customer”) under a separate SaaS Services Agreement. Customers control how information about their staff, clients, and other individuals is entered into and used within the Portal. This Policy describes our role as the service provider to those Customers.
If you are an individual user (for example, an employee, contractor, or other staff member of a Customer) accessing the Portal, your use is also governed by your organization’s policies.
2. Scope and Roles
For most information processed in the Portal, the Customer is the “data controller” (or equivalent term under applicable law), and Rocking Cube acts as a “data processor” or “service provider.” We process such information only on the Customer’s behalf and in accordance with our SaaS Services Agreement and any applicable Business Associate Agreement (“BAA”).
If a Customer uses the Portal to store or process Protected Health Information (PHI) subject to HIPAA, Rocking Cube acts as a Business Associate to that Customer. Our security and privacy practices for PHI are further described in the SaaS Agreement and related documentation.
3. Information We Collect
Depending on how the Portal is configured and used by a Customer, we may process the following categories of information:
3.1 Account and Profile Information
- Names, email addresses, job titles, and contact details for Customer staff.
- Login credentials (username and a hashed, salted password).
- Agency, program, and location details associated with a user account.
3.2 Service and Case Information
- Information entered into the Portal by Customer staff about services, clients, visits, case notes, schedules, timesheets, and other records relevant to the Customer’s operations.
- Depending on Customer configuration, this may include limited demographic and service information about clients or families served by the Customer.
3.3 Usage and Device Information
- IP address, browser type, device type, and operating system.
- Access dates/times, pages viewed, and features used.
- Error logs and performance metrics.
3.4 Mobile App Location and Attendance Data (If Enabled)
When the Portal’s mobile app is used and location-based features are enabled by the Customer, we may collect:
- Approximate location at the time of clock-in or check-in, as captured by the user’s device.
- Time and date of check-in / check-out or visit logging.
Location data is used only for Customer-authorized purposes such as verifying visit locations, documenting service delivery, or supporting internal auditing and compliance.
3.5 Support and Communication Data
- Details you provide when contacting our support team.
- Emails, tickets, or chat messages related to the Portal.
4. How We Use Information
We use information processed through the Portal solely for the following purposes:
- To provide, operate, maintain, and improve the Portal and related services.
- To authenticate users, secure accounts, and prevent fraud or misuse.
- To generate logs, reports, and dashboards for Customers as configured in the Portal.
- To provide technical support and respond to inquiries and requests.
- To monitor performance, troubleshoot issues, and enhance reliability and security.
- To comply with applicable laws, regulations, subpoenas, or lawful requests by public authorities.
We do not sell personal information or PHI and do not use Portal data for unrelated advertising or marketing.
5. How We Share or Disclose Information
We may share information processed in the Portal only as follows:
5.1 With the Customer and Its Users
Information entered into the Portal is accessible to the Customer and its authorized users according to the Customer’s configuration, role-based access settings, and policies. Customers are responsible for managing user access and permissions.
5.2 Service Providers and Subprocessors
We may engage third-party service providers (for example, hosting, email, logging, and monitoring providers) to support the Portal. These providers are bound by contractual obligations to protect the information they process and to use it only for the services they provide to us.
5.3 Legal Requirements and Protection of Rights
We may disclose information if required to do so by law or in a good-faith belief that such action is reasonably necessary to: (a) comply with legal obligations; (b) protect the safety, rights, or property of any person; or (c) detect, prevent, or address fraud, security, or technical issues.
5.4 Business Transfers
If Rocking Cube is involved in a merger, acquisition, financing, or sale of all or a portion of its assets, information processed through the Portal may be transferred as part of that transaction, in accordance with applicable law and subject to continued protections consistent with this Policy.
7. Data Retention
We retain Customer data, including any personal information and PHI contained in it, for as long as necessary to provide the Portal to the Customer and to fulfill the purposes described in this Policy, or as required by law or the applicable SaaS Agreement.
At the end of a Customer’s relationship with us, we will handle Customer data in accordance with the SaaS Agreement (for example, by providing a period for data export before deletion).
8. Security
Rocking Cube implements administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information processed in the Portal. This includes the hosting, encryption, access control, and logging practices described in our SaaS Agreement and in our separate security overview and documentation.
While we take reasonable and appropriate measures to protect information, no system can be guaranteed to be 100% secure. Customers are responsible for maintaining the security of their own devices, networks, and user access controls.
9. Choices and Rights
Because we provide the Portal to Customers, most requests to access, correct, or delete data should be directed to the applicable Customer (your employer or service provider). We will assist Customers in responding to such requests where required by law or our agreements with the Customer.
If you contact us directly with a request regarding information in the Portal, we may refer your request to the relevant Customer or work with that Customer to respond, consistent with our contractual obligations.
10. Children’s Privacy
The Portal is intended for use by organizations and their authorized staff, not for direct use by minors. Any information about minors stored in the Portal is entered and controlled by the Customer as part of the services it provides. Customers are responsible for obtaining any necessary consents and providing any notices required under applicable law.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Effective Date” at the top of the page. In some cases, we may provide additional notice (such as through the Portal or by email to Customer administrators) if required by law or if the changes are material.
12. Contact Us
If you have questions about this Privacy Policy or our privacy practices related to the Portal, please contact us at:
Rocking Cube LLC
Email: support @ rockingcube.com