Privacy Policy
Effective date: 1 March 2026
⚠️ Template notice
This is a lightweight template. Replace with a properly reviewed Privacy Policy before commercial launch. Ensure compliance with GDPR, UK GDPR, CCPA, or applicable regulations for your markets. Consult legal counsel.
1. Who we are
Incident Tabletop ("we", "us", "our") operates the Incident Tabletop platform. This Privacy Policy explains how we collect, use, and protect information when you use our Service.
Contact: hello@incidenttabletop.com
2. The privacy-first design
Incident Tabletop is designed with data minimisation as a core principle. In the default browser storage mode, all exercise data is stored locally in your browser (IndexedDB) and never transmitted to our servers. We do not see your exercise data, scenario choices, or debrief records in this mode.
3. Information we collect
3.1 Account information
If you create an account or use SAML SSO, we receive the user attributes your identity provider sends (typically name, email, and a unique user identifier). We store a minimal user record — enough to associate sessions and encrypted credentials.
3.2 Payment information
Payments are processed by Stripe. We receive confirmation of payment status and your subscription tier. We do not store credit card numbers — Stripe handles all payment data under their own privacy programme.
3.3 Exercise data
In browser mode, exercise data is stored locally and we have no access to it. In cloud storage mode, data is stored in the cloud infrastructure you configure (your DynamoDB, Cosmos DB, or Firestore). We do not operate shared storage for exercise data.
3.4 Usage data
If analytics are enabled (opt-in via environment variable), we may collect anonymised usage events (page views, feature usage) via your chosen analytics provider (e.g. Plausible, Google Analytics). Analytics are off by default.
3.5 Log data
Our servers may log standard request data (IP address, user agent, request timestamp) for security and debugging. These logs are retained for [30 days — placeholder] and not used for tracking.
4. How we use your information
- To provide and operate the Service
- To manage your account and subscription
- To send transactional emails (account, billing, security notices)
- To respond to support requests
- To improve the platform (only using aggregated, anonymised data)
- To comply with legal obligations
We do not sell your personal data to third parties.
5. Third-party services
- Stripe — payment processing. Subject to Stripe's Privacy Policy.
- OpenRouter — AI inference (only when you use AI features with your own API key). Your prompts are sent to OpenRouter under their terms.
- Setyl — IT asset management integration (only when you connect your account). Data import is initiated by you.
- Your SAML IdP — authentication attributes. Governed by your IdP's privacy terms.
- Your cloud storage — DynamoDB, Cosmos DB, Firestore. Governed by the respective cloud provider's terms.
6. Data retention
We retain account data for as long as your account is active or as needed to provide the Service. You may request deletion of your account and associated data at any time by emailing us. Browser-stored exercise data is under your control — clear your browser storage to delete it.
7. Your rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request erasure of your data
- Object to or restrict certain processing
- Data portability (receive your data in a machine-readable format)
- Withdraw consent where processing is based on consent
To exercise any of these rights, email hello@incidenttabletop.com. We aim to respond within 30 days.
8. Cookies
The Service uses a single session cookie (__session), which is httpOnly and stores your JWT session token. No advertising cookies or third-party tracking cookies are set by default. If you enable analytics, a first-party analytics cookie may be set depending on your chosen provider.
9. Security
We implement technical and organisational measures to protect your data, including per-user credential encryption (HKDF-SHA256 + AES-256-GCM), httpOnly session tokens, and TLS for all data in transit. See our Security page for details.
10. International transfers
[Placeholder — describe where your servers are hosted and any data transfer mechanisms if relevant to your jurisdiction, e.g. UK GDPR, GDPR SCCs.]
11. Changes to this policy
We may update this Privacy Policy. We will notify you of material changes by email or a prominent notice in the Service. The effective date at the top of this page reflects the last update.
12. Contact
Questions about this policy? Email: hello@incidenttabletop.com
If you are in the UK or EU and believe we have violated your data protection rights, you have the right to lodge a complaint with your supervisory authority (e.g. the ICO in the UK). [Update for your jurisdiction]