LEGAL DOCUMENT

PRIVACY POLICY

Last updated: March 3, 2026

1. OVERVIEW

Pathfinder Networks ("we", "us", "our") operates firesale.run and the BREACH cybersecurity training simulator. This Privacy Policy describes what information we collect, how we use it, and your rights regarding that information. We take data minimisation seriously — we collect only what is necessary to operate the Service.

2. INFORMATION WE COLLECT

// Account Information

When you sign up, we collect your email address. When you activate your account, we store a bcrypt-hashed password. We do not store passwords in plaintext at any point.

// Game Session Data

We record your game sessions including actions taken, timestamps, attacker moves, scenario outcomes, and AI-generated debrief reports. This data is used to generate your post-incident analysis and track training progress.

// Payment Information

Subscription payments are processed by Stripe. We do not store credit card numbers, CVV codes, or full payment details. We retain your Stripe customer ID to manage your subscription lifecycle (upgrades, cancellations, payment failures).

// Usage and Technical Data

We collect standard web server logs including IP addresses, browser user agent, request paths, and timestamps. This data is retained for up to 90 days for security monitoring and abuse prevention. We do not use third-party analytics trackers or advertising pixels.

3. HOW WE USE YOUR INFORMATION

  • // Deliver and operate the Service, including account authentication and session management
  • // Process subscription payments and manage billing via Stripe
  • // Send transactional emails: invite tokens, account confirmations, and subscription notices
  • // Send optional training follow-up emails (drip campaign) — you may opt out at any time by replying to any such email
  • // Detect and prevent abuse, fraud, and unauthorised access
  • // Improve scenario design and AI adversary behaviour using aggregated, anonymised session data

We do not sell, rent, or share your personal information with third parties for marketing purposes.

4. THIRD-PARTY SERVICES

We use the following third-party services to operate BREACH. Each is subject to its own privacy policy:

  • Stripe — payment processing (stripe.com/privacy)
  • Mailgun — transactional email delivery (mailgun.com/privacy-policy)
  • Anthropic — AI adversary reasoning engine (anthropic.com/privacy). Game session context is sent to Anthropic's API to generate adversary moves and debrief reports. No personally identifiable information is included in these prompts.
  • Amazon Web Services — hosting infrastructure (aws.amazon.com/privacy)

5. DATA RETENTION

  • // Account data: retained for the duration of your account plus 30 days after deletion
  • // Game sessions and debriefs: retained indefinitely as part of your training record while your account is active
  • // Web server logs: 90 days, then purged
  • // Active game session cache (Redis): 4-hour TTL, automatically expired
  • // Payment records: retained as required by applicable financial regulations (typically 7 years)

6. COOKIES AND TRACKING

The Service uses a single session authentication cookie (JWT token) to maintain your logged-in state. We do not use advertising cookies, cross-site tracking pixels, or third-party analytics scripts. If you use the Stripe checkout flow, Stripe may set its own cookies subject to their privacy policy.

7. SECURITY

We implement industry-standard security measures including TLS encryption in transit, bcrypt password hashing, ModSecurity WAF, rate limiting, and strict Content Security Policy headers. However, no system is completely secure. We encourage you to use a strong, unique password and to report any suspected security issues to gabriel@firesale.run.

8. YOUR RIGHTS

You have the following rights regarding your personal data:

  • // Access: request a copy of the data we hold about you
  • // Correction: request correction of inaccurate data
  • // Deletion: request deletion of your account and associated data
  • // Opt-out: unsubscribe from marketing emails at any time by replying to any email or contacting us directly
  • // Portability: request an export of your game session history in JSON format

To exercise any of these rights, email gabriel@firesale.run. We will respond within 30 days.

9. CHILDREN'S PRIVACY

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact us at gabriel@firesale.run and we will delete it promptly.

10. GOVERNING LAW

This Privacy Policy is governed by the laws of the State of Florida, USA. Users in other jurisdictions (including the EU/EEA) should be aware that data may be processed and stored in the United States. By using the Service you consent to this transfer.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated to subscribers by email. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the revised policy.

12. CONTACT

Privacy inquiries: gabriel@firesale.run

Pathfinder Networks // firesale.run // Seminole County, Florida, USA

← RETURN TO FIRESALE.RUN