Summary: Skyhigh Cybersecurity LLC operates the Skyhigh Tabletop Exercise Platform. We collect only what is necessary to provide your account and subscription service. We do not sell your personal data. We do not store payment card numbers (Stripe handles all payments). Exercise session data stays in your browser. This policy explains it all in plain language. Read on for the full details.
1
Who We Are

This Privacy Policy applies to Skyhigh Cybersecurity LLC ("Skyhigh Cybersecurity," "we," "our," or "us"), the operator of the Skyhigh Tabletop Exercise Platform (the "Platform").

Company: Skyhigh Cybersecurity LLC
Email: info@skyhighcybersecurity.com
Website: skyhighcybersecurity.com
Role (GDPR): Data Controller for account and subscriber data
2
Information We Collect
Data Type | What It Is | How Collected
Account data | Full name, email address, organization name, subscription tier (free/pro/enterprise) | Provided by you at registration
Billing data | Subscription status, payment date, Stripe customer ID (no card numbers stored by us) | Generated by Stripe on payment
Local usage data | Exercise session counts, last session date, exercise history, After Action Report notes | Stored in your browser's localStorage only — never sent to our servers
Technical logs | IP address, browser type, pages accessed, access timestamps | Automatically by web server / hosting infrastructure (Vercel)
Support communications | Emails or messages you send us for support | Provided by you when contacting us

We do not collect payment card numbers, bank account details, social security numbers, or government identification. All payment data is handled exclusively by Stripe under their own privacy policy.

3
How We Use Your Information
  • Account access: Authenticate you and maintain your Platform session
  • Subscription management: Process and track your subscription tier via Stripe
  • Transactional emails: Send password resets, account confirmations, and billing notifications via Supabase and Stripe
  • Customer support: Respond to questions, billing disputes, or technical issues you contact us about
  • Platform improvement: Aggregate, anonymized analytics to understand which features are used (no individual tracking)
  • Security and fraud prevention: Monitor for unauthorized access, abuse, or Terms violations
  • Legal compliance: Comply with applicable laws, court orders, or lawful regulatory requests

We do NOT sell, rent, or share your personal information with third parties for marketing or advertising purposes. We do not use your data to build advertising profiles.

4
Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) or United Kingdom, we process personal data under the following legal bases:

Processing Activity | Legal Basis
Providing your account and subscription | Performance of contract (Art. 6(1)(b) GDPR)
Billing and payment records | Legal obligation / Performance of contract
Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR)
Responding to support inquiries | Legitimate interests / Consent
Marketing communications (if any) | Consent (you may opt out at any time)
5
Data Sharing & Third Parties

We share your data only with trusted third-party service providers necessary to operate the Platform. We do not sell data to any party.

Provider | Role | Data Shared
Supabase | Authentication & database (data processor) | Email, name, organization, subscription tier
Stripe | Payment processing (independent data controller) | Email, subscription status; Stripe manages all payment card data independently
Vercel | Web hosting infrastructure | Standard access logs (IP, timestamp, page); no account data
Law enforcement / regulators | Legal compliance | Only when legally required by court order, subpoena, or applicable law

In the event of a merger, acquisition, or sale of business assets, subscriber data may be transferred to the acquiring entity, with notice provided to you prior to such transfer where practicable.

6
Data Retention
  • Account data: Retained while your subscription is active, plus 30 days after cancellation to allow account reactivation. After 30 days, account data is deleted from Supabase on request.
  • Billing records: Retained for 7 years for tax and accounting compliance (managed by Stripe per their data retention policies).
  • Server logs: Retained by Vercel per their standard log retention policy (typically 30 days).
  • Local usage data: Stored in your browser's localStorage indefinitely until you clear your browser data. We have no access to this data.
  • After Action Reports: Downloaded to your device as .txt files. We have no access to or retention of AAR content.
7
Your Rights

Depending on your location, you have the following rights regarding your personal data:

👁 Access
Request a copy of all personal data we hold about you.
✎ Correction
Update your name, organization, or email via the Account Portal or by contacting us.
🗑 Deletion
Request deletion of your account and associated data. We will act on your request within 30 days.
💾 Portability
Request your account data in a portable, machine-readable format (JSON/CSV).
🚫 Opt-Out
Unsubscribe from any marketing emails via the unsubscribe link or by contacting us.
⚠ Object
Object to processing based on legitimate interests (GDPR users).

EU/EEA residents have additional rights under the General Data Protection Regulation (GDPR). California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, right to delete, and right to opt out of sale (we do not sell data).

To exercise any right, email: info@skyhighcybersecurity.com. We will respond within 30 days (GDPR: within 30 days; CCPA: within 45 days).

8
Cookies & Local Storage

We do not use tracking cookies or advertising cookies. The Platform operates as follows:

  • Authentication session: Supabase stores a session token in your browser's localStorage (not a cookie) to keep you logged in. This is strictly necessary for Platform functionality and is not a tracking mechanism.
  • Usage data: Exercise history, session counts, and AAR notes are stored in localStorage in your browser. This data never leaves your device.
  • No third-party tracking: We do not embed Google Analytics, Facebook Pixel, or any other third-party tracking scripts.

Because we only use strictly necessary localStorage (not cookies), cookie consent banners are not required for the core Platform. If we add any optional analytics in the future, we will update this policy and implement appropriate consent mechanisms.

9
Data Security

We implement industry-standard technical and organizational security measures to protect your personal data:

  • In transit: All data transmitted between your browser and our servers is encrypted via HTTPS/TLS (enforced by Vercel).
  • At rest: Account data in Supabase is encrypted at rest using AES-256.
  • Authentication: Supabase uses JWT-based authentication with automatic session expiry.
  • Security headers: The Platform is configured with Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, Permissions-Policy, and other security headers.
  • Access controls: Only authorized Skyhigh Cybersecurity personnel with a legitimate need can access subscriber data in the Supabase dashboard.

No security measure is 100% guaranteed. In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities as required by applicable law (GDPR: within 72 hours of awareness).

10
International Data Transfers

Skyhigh Cybersecurity is based in the United States. If you access the Platform from the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, your data may be transferred to and processed in the United States.

We rely on Supabase's data processing infrastructure. You can select a Supabase region (e.g., EU West) during setup to keep your data within the EU/EEA. For cross-border transfers where applicable, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms recognized under GDPR.

Stripe maintains its own international transfer compliance under its privacy policy and applicable frameworks including the EU-US Data Privacy Framework.

11
Children's Privacy

The Skyhigh Tabletop Exercise Platform is designed for business, professional, and organizational use only. It is intended for adults (18 years of age or older) who are authorized representatives of their organizations.

We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has provided personal data without parental consent, we will delete such data promptly. If you believe a minor has registered, contact us at info@skyhighcybersecurity.com.

12
Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send an email notification to all registered users with an active account
  • Display a notice in the Account Portal for 30 days following the update

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

13
Contact & Data Requests

For privacy inquiries, data access requests, deletion requests, or any questions about this Privacy Policy:

Privacy Email: info@skyhighcybersecurity.com
Response Time: Within 30 days (CCPA) / 30 days (GDPR)
Website: skyhighcybersecurity.com
Company: Skyhigh Cybersecurity LLC

This Privacy Policy is aligned with GDPR (EU) 2016/679, CCPA (California Civil Code §1798.100), and PIPEDA (Canada). For users in the EU/EEA/UK, Skyhigh Cybersecurity LLC acts as the Data Controller and is committed to upholding your rights under applicable data protection law. This Policy was last reviewed on March 2, 2026.