Privacy Policy
This Privacy Policy explains how TTXLab ("TTXLab," "we," "us," or "our") collects, uses, discloses, and protects information when you use our website, platform, and related services (collectively, the "Service").
This policy is under review by legal counsel. Last substantive update: March 22, 2026.
1. Scope and applicability
This Privacy Policy applies to all visitors, users, and customers ("you" or "your") who access the TTXLab website at ttxlab.com, create an account, participate in tabletop exercises, or otherwise interact with the Service. It covers data collected through the website, the TTXLab platform, email communications, and any other channel through which we process personal data.
If you are accessing the Service on behalf of an organization, you confirm you have the authority to bind that organization to this Privacy Policy. Where TTXLab acts as a data processor on behalf of your organization (the data controller), the terms of our Data Processing Agreement also apply.
2. Data controller and contact information
The data controller for personal data processed through the Service is:
TTXLab
600 1st Ave Ste 330, PMB 533227
Seattle, Washington 98104-2246
Data Protection Contact: support@ttxlab.com
If you have questions about this policy, wish to exercise your data subject rights, or need to report a privacy concern, please contact us at support@ttxlab.com. We aim to respond to all privacy-related inquiries within 30 days.
3. Lawful basis for processing
We process personal data under the following lawful bases as defined by the General Data Protection Regulation (GDPR) and equivalent frameworks:
- Performance of a contract: Processing necessary to deliver the Service to you, including account creation, exercise facilitation, report generation, and billing.
- Legitimate interest: Processing for platform security, fraud prevention, product improvement, internal analytics, and enforcing our Terms of Service. We balance these interests against your rights and only rely on this basis where our interests do not override your fundamental rights.
- Consent: Where we rely on your consent (for example, for optional analytics cookies or marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Legal obligation: Processing necessary to comply with applicable laws, regulations, legal proceedings, or enforceable governmental requests.
4. Categories of data collected
We collect and process the following categories of personal data:
4.1 Account data
When you create an account, we collect your email address, display name, and organization affiliation. Authentication is provided through Convex Auth using email magic links. We may also store profile preferences, role assignments, and workspace membership records.
4.2 Exercise and platform data
When you use the Service, we process data related to tabletop exercises including: scenario configurations, role assignments, participant responses, transcript content, facilitator notes, scoring outputs, generated recommendations, and exercise reports. This data is organization-scoped and access-controlled.
4.3 Analytics and telemetry data
With your consent, we collect analytics data through PostHog including: page views, navigation patterns, feature usage, session duration, browser type, operating system, screen resolution, and general geographic region derived from IP address. Analytics cookies are only initialized after explicit consent through our cookie consent banner. See our Cookie Policy for details.
4.4 Marketing and communications data
If you subscribe to our newsletter, download resources such as the Starter Kit, or submit a contact form, we collect your email address, name, company name, and any information you voluntarily provide. We use this data to send requested materials and, where consent is given, marketing communications.
4.5 Technical and log data
Our infrastructure automatically collects technical data including: IP addresses, request timestamps, HTTP headers, referrer URLs, and error logs. This data is used for security monitoring, incident response, and service reliability. It is retained in accordance with our retention schedule (see Section 13, Data retention).
4.6 Payment data
Payment processing is handled by third-party payment processors. TTXLab does not store full credit card numbers or payment credentials on our systems. We may receive and store partial payment information (such as the last four digits of a card) for billing record purposes.
5. How we use your data
We use collected data for the following purposes:
- Providing, operating, and maintaining the Service
- Authenticating users and enforcing access controls
- Facilitating tabletop exercises and generating reports
- Processing billing and subscription management
- Responding to support requests and inquiries
- Analyzing usage patterns to improve product quality and reliability (with consent for analytics)
- Detecting, preventing, and addressing security incidents and fraud
- Complying with legal obligations and enforcing our Terms of Service
- Sending transactional communications (account verification, exercise invitations, billing notices)
- Sending marketing communications where consent has been obtained
6. AI and model training disclosure
TTXLab does not use customer data to train artificial intelligence or machine learning models. Customer exercise data, transcripts, reports, and any content you create or upload through the Service are not used as training data for any AI/ML system, whether operated by TTXLab or any third party.
Where the Service uses AI capabilities (such as AI-facilitated exercise scenarios or report generation), these features process your data solely to deliver the requested output within your session. Inputs and outputs are not retained for model training or improvement purposes. Our AI subprocessors are contractually prohibited from using customer data for model training.
7. Data subject rights (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR and equivalent local law:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data, subject to legal retention requirements and legitimate interests.
- Right to restriction of processing: You may request that we limit how we process your data in certain circumstances.
- Right to data portability: You may request your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
- Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time.
- Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority.
To exercise any of these rights, contact us at support@ttxlab.com. We will respond within 30 days of receiving your request, or within the timeframe required by applicable law.
8. CCPA/CPRA rights (California residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:
- Right to know: You have the right to request information about the categories and specific pieces of personal information we have collected, the purposes for collection, the categories of sources, and the categories of third parties with whom we share data.
- Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct: You have the right to request correction of inaccurate personal information.
- Right to opt-out of sale or sharing: TTXLab does not sell personal information. We do not share personal information for cross-context behavioral advertising. If this practice changes, we will provide a "Do Not Sell or Share My Personal Information" link.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights. You will not receive different pricing, service quality, or access levels for making a privacy request.
- Right to limit use of sensitive personal information: If we collect sensitive personal information as defined under CPRA, you may request that we limit its use to what is necessary to provide the Service.
To submit a CCPA/CPRA request, email support@ttxlab.com with the subject line "CCPA Request." We will verify your identity before processing the request and respond within 45 days as required by law.
9. Cookies and tracking technologies
TTXLab uses cookies, local storage, and similar technologies for authentication, session management, user preferences, and optional analytics. Essential cookies are required for the Service to function. Analytics cookies are only enabled after you provide explicit consent through our cookie consent banner.
For a detailed breakdown of the cookies we use, including names, purposes, durations, and how to manage your preferences, please see our Cookie Policy.
10. Data sharing and subprocessors
We share personal data only as necessary to operate the Service and as described in this policy. We do not sell personal data. Data may be shared with the following categories of recipients:
- Infrastructure and hosting: Convex (database and backend), Vercel (web hosting and edge network) — United States.
- Authentication: Convex Auth, Resend (email delivery for magic links) — United States.
- Analytics: PostHog (product analytics, only with consent) — United States.
- AI services: OpenAI and/or Anthropic (AI-facilitated exercise features) — United States. These providers are contractually prohibited from using customer data for model training.
- Payment processing: Stripe or equivalent payment processor — United States.
- Email and communications: Resend (transactional email) — United States.
A current list of subprocessors is maintained on our Trust Center. We evaluate subprocessors for security and privacy practices before engagement and require contractual commitments regarding data protection. We will provide reasonable notice before adding new subprocessors that process customer personal data.
11. International data transfers
TTXLab is based in the United States. If you access the Service from outside the United States, your personal data will be transferred to and processed in the United States.
For transfers of personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where necessary. You may request a copy of the applicable SCCs by contacting support@ttxlab.com.
12. Data residency and storage locations
Primary application data (including exercise data, user accounts, and workspace configurations) is stored in the United States through our infrastructure provider, Convex. Website hosting and edge caching are provided by Vercel with points of presence globally, though origin data remains in the United States.
Subprocessor data processing locations are listed in the subprocessor list above (Section 10). If your organization requires specific data residency commitments, contact us at support@ttxlab.com to discuss available options.
13. Data retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Our general retention practices are:
- Account data: Retained for the duration of your account. Deleted within 90 days of account closure, unless required for legal compliance.
- Exercise data: Retained according to workspace retention settings configured by your organization administrator. Ephemeral mode exercises are designed for short-lived simulations and avoid long-term transcript persistence.
- Analytics data: Aggregated analytics data is retained for up to 24 months. Individual analytics events are retained according to our analytics provider's retention schedule.
- Marketing data: Retained until you unsubscribe or request deletion.
- Log and security data: Server logs and security event data are retained for up to 12 months for incident investigation and compliance purposes.
- Billing data: Transaction records are retained as required by applicable tax and financial regulations (typically 7 years).
Organization administrators can manage exercise data retention through workspace settings. For account deletion requests, contact support@ttxlab.com.
14. Data breach notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, TTXLab will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33, unless the breach is unlikely to result in a risk to data subject rights.
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
- Notify affected customers (data controllers) within 72 hours where TTXLab acts as a data processor, providing details of the nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken to address the breach.
- Document all breaches in an internal breach register, including facts, effects, and remedial actions, regardless of whether notification to the supervisory authority is required.
If you believe your data has been compromised or you have identified a security vulnerability, please report it immediately to support@ttxlab.com with as much detail as possible.
15. Children's data
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided personal data to TTXLab, please contact us at support@ttxlab.com. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly.
16. Security measures
We implement technical and organizational measures designed to protect your personal data, including: encryption in transit (TLS), encryption at rest through provider-managed controls, organization-scoped access controls, role-based authorization, audit logging of key lifecycle events, and regular security reviews. For more details on our security posture, see our Security page and Trust Center.
While we strive to protect your personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any incident in accordance with our breach notification procedures (see Section 14).
17. Third-party links
The Service may contain links to third-party websites or services that are not operated by TTXLab. We are not responsible for the privacy practices of third-party sites. We encourage you to review the privacy policies of any third-party service you visit.
18. Changes to this privacy policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, provide notice through the Service or via email. We encourage you to review this policy periodically.
Continued use of the Service after changes become effective constitutes acceptance of the revised policy. If you do not agree with the updated policy, you should discontinue use of the Service and contact us to request deletion of your data.
19. Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
TTXLab
Data Protection Contact
Email: support@ttxlab.com
Address: 600 1st Ave Ste 330, PMB 533227, Seattle, WA 98104-2246
For a broader overview of our security and compliance posture, visit the Trust Center. For cookie-specific questions, see our Cookie Policy. For terms of use, see our Terms of Service.