Privacy Policy
Breachday LLC · breachday.io
Effective Date: May 30, 2026
Breachday LLC ("Breachday," "we," "us," or "our") is committed to protecting the privacy of our customers and the people who interact with our platform. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and the choices available to you.
This Policy applies to: registered Account holders and their organization users; Exercise Participants who join sessions without an Account; visitors to breachday.io; and users of the public scenario builder at breachday.io/build.
By using the Service, you agree to the collection and use of information as described in this Policy.
1. Data Controller
The data controller for personal information collected through the Service is:
2. Information We Collect
2.1 Account Holders and Organization Users
When you or your colleagues register an Account or are invited to an Organization, we collect:
- Name and business email address (provided at signup or invite acceptance)
- Passwords are stored using industry-standard hashing; we do not store plaintext passwords
- Email verification status
- Organization name and slug
- User role within the Organization (ADMIN, FACILITATOR, or OBSERVER)
- Two-factor authentication data — TOTP secret and backup code hashes, if 2FA is enabled
- Profile image URL, if provided
- MSP role and client organization relationships, for MSP participants
- Platform admin flag, for Breachday staff accounts only
2.2 Billing and Subscription Data
Subscription and billing information is processed by Stripe. Breachday stores:
- Stripe customer ID and subscription ID
- Active price ID and Subscription Term dates
- Subscription status and lifecycle flags (e.g., lapse date, scheduled deletion date)
Breachday does not store raw payment card numbers, CVV codes, or bank account details. These are handled exclusively by Stripe.
2.3 Customer-Entered Organizational Data
Organizations using the Service may enter operational and security program data, which may describe real systems, processes, and personnel. This can include:
- IT asset inventory (name, type, criticality ratings, RTO/RPO targets, tags, descriptions)
- Vendor records (including emergency contact names, email addresses, phone numbers, SLA terms)
- Business Impact Analysis (BIA) process records and dependencies
- Scenario narratives, inject content, simulated artifacts (emails, logs), vote options, and facilitator notes
- Crisis communication templates
- Playbook PDF files (up to 15 MiB each), stored in our secure cloud file storage
- Lessons learned records (title, description, owner, status, due dates)
- Support ticket messages (Customer-visible and internal staff notes)
- Organization logo images, stored in our secure cloud file storage
This data is stored in our secure cloud database and file storage. It is Customer Data owned by your Organization.
2.4 Exercise Participant Data
Participants who join an Exercise Session via room code provide only a display name (up to 50 characters) and are not required to create an Account. During and after a session, Breachday collects:
- Display name entered at join
- Role seat selection within the session
- Action responses submitted during the session (up to 10,000 characters per response)
- Votes and confidence slider responses
- Hotwash feedback (sentiment rating and free-text)
- Session metadata: room code, timestamps, pause durations, facilitator ID
- Anonymous session ID stored in browser sessionStorage for reconnection (not linked to identity)
Participant data is associated with the Organization's Exercise Session record. Participants are not individually identified by Breachday beyond the display name they choose to enter.
2.5 Public Scenario Builder (/build)
The public scenario builder at breachday.io/build is available without an Account. Draft auto-saves are stored exclusively in your browser's local storage and are never transmitted to Breachday's servers for storage. When you export a scenario to PDF or DOCX, the content is sent to Breachday's servers only to generate the file at your request; it is processed transiently and is not stored as Customer Data. JSON exports are generated locally in your browser.
2.6 Automatically Collected Technical Data
When you use the Service, we automatically collect:
- Server logs: IP address, HTTP method, request path, response status, and timestamp — retained for up to 90 days for security and diagnostic purposes
- IP addresses used for rate-limiting on public exercise endpoints (not retained after the request window expires)
- Browser session data: see Section 4 (Cookies and Browser Storage)
Breachday does not use third-party product analytics SDKs (such as PostHog) within the application. The public marketing site (breachday.io) uses Google Analytics (gtag.js) to measure aggregate visitor traffic; see Section 4 (Cookies and Browser Storage).
2.7 Email Communications
Transactional emails are sent via Resend. Email addresses and message content for the following email types are processed by Resend:
- Email address verification
- Password reset
- Organization invitations
- In-app onboarding continuation after email verification (token-based link, not a separate marketing email)
- Support ticket notifications (new ticket, customer reply, staff reply)
- Payment failure notifications
- Subscription lapse and data deletion warnings (30-day and 5-day notices)
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing and operating the Service — authentication, session management, real-time exercise delivery, report generation, and export functionality
- Billing and subscription lifecycle management — processing payments, issuing invoices, managing Subscription Terms, and executing the post-cancellation data retention and deletion schedule
- Customer support — responding to in-app support tickets and email inquiries
- Transactional email — sending verification, password reset, invitation, billing, and lifecycle notification emails
- Security and abuse prevention — rate limiting on public endpoints, enforcing tenant isolation, detecting unauthorized access
- Platform administration — Breachday staff managing tenant accounts, support issues, and platform integrity (with full audit logging)
- MSP program operation — managing client organization relationships for MSP customers
- Legal compliance — complying with applicable laws, regulations, and lawful orders
Certain platform features use third-party AI providers via OpenRouter to generate content and recommendations. The AI Scenario Builder transmits scenario prompts and structural parameters entered by authenticated users to generate scenario content. The Weekly Scenario Recommendations feature transmits only publicly available threat intelligence headlines and internal template metadata. All OpenRouter requests are made under Zero Data Retention (ZDR) settings — input and output data is not stored, logged, or used for model training by OpenRouter or its upstream providers. Free-tier models (which do not support ZDR) are disabled.
We do not use Customer Data to train, fine-tune, or improve machine learning or artificial intelligence systems.
We do not sell, rent, or trade personal information to third parties for their own marketing or commercial purposes.
4. Cookies and Browser Storage
| Mechanism | Purpose | Persistence |
|---|---|---|
| Supabase auth cookies (httpOnly) | Authentication session; refreshed by middleware on each request | Session / sliding expiry |
| platform_admin_org_choice cookie | Breachday staff: tracks demo org context when switching tenants | Session |
| localStorage: UI theme preferences | UI theme preference (light/dark) | Persistent, user device |
| localStorage: Public scenario builder draft | Public /build scenario draft — never sent to server | Persistent until cleared |
| localStorage: Dashboard list view preferences | Dashboard table/cards view preference | Persistent, user device |
| localStorage: Participant rejoin data | Stores participantSessionId, roleSeatId, and display name on this device (not linked to a Breachday Account) | Persistent until cleared |
| sessionStorage: Participant session ID | Participant session ID for active room page reload | Browser session |
| sessionStorage: Anonymous realtime presence | Supabase Realtime anonymous presence | Browser session |
| sessionStorage: Exercise UI flags | Facilitator UI transition flags during exercise flow | Browser session |
| _ga, _gid, _ga_* cookies (marketing site) | Google Analytics — aggregate visitor traffic measurement on breachday.io | Up to 2 years (_ga) / 24 hours (_gid) |
The public marketing site uses Google Analytics cookies (_ga, _gid, _ga_*) to measure aggregate visitor traffic. Breachday does not use advertising trackers, retargeting pixels, or sell personal information.
Authentication cookies are strictly necessary for the Service to function and cannot be disabled for authenticated users. Local storage preferences can be cleared via your browser settings; doing so will reset UI preferences but will not affect your Account or Customer Data.
5. Third-Party Subprocessors
Breachday shares Customer Data with the following subprocessors, each contractually bound to process data only for the purposes of delivering their services to Breachday:
| Subprocessor | Role | Data Processed |
|---|---|---|
| Supabase | Postgres database, Auth, Realtime, Storage | All application data; auth credentials; org logos and playbook PDFs; real-time exercise events |
| Vercel | Next.js application hosting (serverless) | Request data passing through the application layer; no persistent data storage by Vercel |
| Stripe | Payment processing, subscription management, customer portal | Billing information, payment card data (Stripe-held), subscription records |
| Resend | Transactional email delivery | Recipient email addresses and message content for transactional emails |
| Inngest | Scheduled background job execution | Job payloads for scheduled data lifecycle operations (no persistent Customer Data stored by Inngest) |
| OpenRouter | AI model routing for AI Scenario Builder and Weekly Scenario Recommendations | AI Scenario Builder: scenario prompts and structural parameters from authenticated users. Weekly Scenario Recommendations: publicly available threat intelligence headlines and internal template metadata only. Zero Data Retention (ZDR) enforced on all requests — no data stored or used for model training. Free-tier models disabled. |
An up-to-date subprocessor list is maintained at breachday.io/subprocessors. Breachday will provide reasonable advance notice of material subprocessor changes. For features utilizing third-party AI providers, users in organizations subject to GDPR or CCPA can find the full subprocessor list in the Data Processing Agreement.
Stripe embeds JavaScript from js.stripe.com on billing and checkout pages. This is governed by Stripe's privacy policy.
6. Data Hosting and International Transfers
Application data is hosted on Supabase Postgres in the United States. The Next.js application is deployed on Vercel in the United States. Breachday currently serves US-based customers. If you are located outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
If Breachday expands service to EU or UK customers, this Policy will be updated to address applicable transfer mechanisms (such as Standard Contractual Clauses) and a DPA will be made available.
7. Data Retention and Deletion
Breachday retains Customer Data according to the following schedule:
| Data Category | Retention Period | Deletion Trigger |
|---|---|---|
| Account and org data | Duration of active Subscription + 6-month post-cancellation period | Automatic purge at end of 6-month retention window, or on org self-deletion |
| Exercise session data (actions, votes, feedback) | Duration of active Subscription + 6-month retention window | Same as above; earlier if 'data protection mode' ephemeral purge is enabled by org |
| Ephemeral sessions (data protection mode) | Configurable per org (default: 48 hours after session completion) | Hourly automated cleanup job |
| Playbook PDFs and org logos | Duration of active Subscription + 6-month retention window | Deleted from secure cloud file storage on org purge |
| Exercise report data | Duration of active Subscription + 6-month retention window | Deleted on org purge |
| Billing and transaction records | 7 years | Per financial regulation requirements; held by Stripe |
| Server and security logs | Up to 90 days | Rolling automated deletion |
| Password reset and verification tokens | Until used or until expiry (short-lived) | Deleted on use or expiry |
| Unverified signup accounts (no billing, single user) | 15 days after signup | Automatic deletion of org and auth user |
| Public /build localStorage data | User device only (drafts). PDF/DOCX exports are processed transiently and not stored. | Cleared by user or browser |
Post-cancellation deletion warning emails are sent at 30 days and 5 days before the scheduled deletion date. Data deleted at the end of the retention period is permanently and irreversibly removed from all Breachday systems. Breachday cannot recover deleted data.
8. Security
Breachday implements the following technical and organizational security measures:
- TLS encryption for all data in transit, with HSTS enforced in production
- Encryption at rest for database infrastructure via Supabase
- Room passwords are encrypted at rest and hashed for verification
- Org-scoped tenant isolation in all API procedures — Organizations cannot access each other's data
- Content Security Policy (CSP), X-Frame-Options, Referrer-Policy, and restrictive Permissions-Policy headers
- Two-factor authentication (TOTP + backup codes) available for all users; required for high-impact operations
- IP-based rate limiting on public exercise join and submission endpoints
- Platform admin audit logging for all cross-tenant administrative actions
Breachday has not completed a SOC 2 audit. SOC 2 Type II certification is on the roadmap. Breachday's infrastructure providers (Supabase, Vercel, Stripe) maintain their own SOC 2 certifications.
To report a security vulnerability, contact us at compliance@breachday.io. Please do not disclose potential vulnerabilities publicly until we have had an opportunity to investigate.
9. Your Rights and Choices
9.1 Access and Correction
Organization ADMINs can view and update account information through the account settings dashboard. To correct information that cannot be self-managed, contact compliance@breachday.io.
9.2 Data Export
Customer Data, including exercise reports, session logs, and scenario exports, can be downloaded in PDF, DOCX, or JSON formats from within the Service. During the post-cancellation read-only period, all previously generated data remains accessible for export.
9.3 Account and Organization Deletion
Organization ADMINs may permanently delete their Organization from account settings (requires 2FA and slug confirmation). This action immediately deletes all Customer Data and cannot be undone. Alternatively, cancelling a Subscription initiates the 6-month read-only retention window described in Section 7, after which data is automatically deleted.
9.4 Participant Data
Exercise Participants do not have Breachday accounts. Participants wishing to request deletion of their session data (associated only with a display name) should contact the Organization's ADMIN or Facilitator who ran the session, or contact compliance@breachday.io with the session date and organization name.
9.5 Email Communications
Transactional emails related to your Account and Subscription are sent as part of the Service and cannot be opted out of while your Account is active. Breachday does not send marketing emails unless you have separately opted in.
10. Sensitive and Regulated Data
The Service is designed for tabletop exercise simulation. While Breachday implements reasonable security controls, the Service is not specifically designed or certified for the processing of:
- Protected Health Information (PHI) under HIPAA
- Payment card data subject to PCI DSS
- Classified or government-restricted information
Breachday is not a HIPAA Business Associate by default. If your organization requires a Business Associate Agreement before submitting any PHI through the Service, contact compliance@breachday.io before doing so.
Customers are solely responsible for ensuring that content entered into scenarios, playbooks, and other Service features complies with applicable laws and regulations. Breachday recommends using fictional or anonymized data in exercise content.
11. Children's Privacy
The Service is a business-to-business platform intended for organizational use by individuals 18 years of age or older. Breachday does not knowingly collect personal information from individuals under 18. If we become aware that we have done so, we will take prompt steps to delete that information.
12. Changes to This Policy
Breachday may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address or a prominent in-Service notice at least 14 days before taking effect. Continued use of the Service after the effective date of an updated Policy constitutes acceptance.
13. Contact
For privacy questions, access requests, or deletion requests: