Privacy Policy
Breach Deck LLC ("Breachdeck," "we," "us," or "our") operates the Breachdeck cybersecurity tabletop exercise platform. This policy describes what data we collect, why we collect it, and your rights regarding that data.
1. What we collect
Account information
When you create an account, we collect your name, email address, and organization name. If you sign in via SSO (SAML or OIDC), we receive the identity attributes your identity provider sends us.
Usage data
We collect information about how you use Breachdeck, including which scenarios you run, decisions you make during exercises, session durations, and scores. This data is used to power the debrief, benchmarking, and team analytics features.
Analytics data
We use PostHog to collect anonymized, aggregate usage analytics such as page views and feature usage patterns. On our marketing site and for anonymous visitors to the app, PostHog runs in cookieless mode — no cookies or local storage are used, and no personal data is collected. For logged-in users, we associate analytics with your account under the contractual basis of providing and improving the service (GDPR Article 6(1)(b)).
Session recordings (with consent)
With your opt-in consent via the cookie consent banner in the app, we may record your sessions to identify usability issues. Session recordings are retained for 30 days. You can change your preference at any time through the cookie preferences link in the app footer.
Error and performance data
We use Sentry to capture application errors and performance metrics. This helps us identify and fix bugs. Error reports may include your browser type, operating system, and the actions that led to the error.
Billing data
Payment information is collected and processed by Paddle, our payment provider. We do not store credit card numbers or bank account details on our servers. We receive subscription status, plan tier, and billing period information from Paddle.
2. How we use your data
- Service delivery: Running exercises, calculating scores, generating debrief reports
- Product improvement: Understanding usage patterns to improve the platform (aggregate analytics data; session recordings with consent)
- Security: Detecting abuse, maintaining audit logs, protecting user accounts
- Communication: Transactional emails (invitations, password resets, billing receipts)
- Compliance: Meeting regulatory requirements and responding to lawful requests
3. Cookies
Essential cookies (always active)
These cookies are required for the application to function. They include authentication session tokens, CSRF protection, and Convex real-time sync state. They cannot be disabled.
Analytics (cookieless, no consent required)
PostHog analytics run in cookieless mode for anonymous visitors — no cookies or localStorage are used and no consent is required. Only aggregate, non-personal data (page views, feature usage counts) is collected. For logged-in users, analytics are associated with your account using localStorage under the contractual basis of delivering the service.
Session recording cookies (opt-in)
Session recording in the app requires cookies and is only enabled after you grant consent via the cookie banner. You can change your preference at any time through the cookie preferences link in the app footer.
Marketing site
The Breachdeck marketing site (breachdeck.com) uses PostHog in cookieless mode. No cookies, localStorage, or personal data are used. No consent banner is shown because no data is stored on your device.
4. Data sharing
We do not sell your data to anyone. We share data only with the subprocessors listed below, and only to the extent necessary to deliver our service.
5. Data retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- Exercise data: Retained while your organization's account is active.
- Analytics data: Retained for up to 12 months, then aggregated or deleted.
- Audit logs: Retained for 2 years for compliance purposes.
- Billing records: Retained as required by tax and accounting regulations.
6. Your rights
You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and associated data.
- Export: Receive your exercise data in a portable format.
- Objection: Object to processing of your data for analytics purposes.
- Withdraw consent: Change your session recording cookie preferences at any time via the app footer.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
7. Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| Convex | Database and backend infrastructure | United States |
| Paddle | Payment processing and subscription management | United Kingdom |
| PostHog | Product analytics and session recording | United States |
| Sentry | Error tracking and performance monitoring | United States |
| Resend | Transactional email delivery | United States |
| Loops | Newsletter and email marketing | United States |
| Cloudflare | CDN, DNS, and static site hosting | Global |
8. Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security assessments. SSO certificate data is encrypted with AES-256-GCM before storage.
9. Children's privacy
Breachdeck is designed for professional cybersecurity teams. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email or through a notice in the application. The "Effective date" at the top indicates when this policy was last revised.
11. Contact
For privacy-related questions or requests, contact us at [email protected].
Adapted from Basecamp open-source policies (CC BY 4.0).