Privacy Policy | The GRC Playground

This Privacy Policy explains what personal information The GRC Playground collects about you, how we use it, who we share it with, and the rights you have over it. Please read it carefully. If anything here is unclear, contact us at privacy@grcplayground.com and we'll explain.

1. Who we are

The GRC Playground is operated by Ashley Pearce, an individual located in Florida, United States, doing business as “The GRC Playground.” We are the “data controller” responsible for the personal information processed through our website at grcplayground.com and any associated services (the “Service”).

For privacy-related questions, requests, or complaints, contact us at privacy@grcplayground.com.

2. What this policy covers

This policy covers personal information we collect when you visit our website, create an account, sign in, work through learning content, submit feedback, contact us, or otherwise interact with the Service. It does not cover websites or services operated by third parties, even if we link to them.

3. What we collect and why

We try to collect the minimum information necessary to operate the Service. The categories below describe what we collect, why, and on what legal basis (for users covered by GDPR).

Account information you provide

Email address. Required to create your account and used to authenticate you, send password resets, and (if you opt in) send you product updates and reminder emails. Legal basis: contractual necessity (we need this to provide you the Service you signed up for).
Password.We never store your password directly — it's hashed and managed by our authentication provider (Supabase). We can never recover your password; we can only reset it. Legal basis: contractual necessity.
Display name (optional).A name you choose to show on the leaderboard and in your profile. You can change or clear this at any time. We default to “Learner” if you don't set one. Legal basis: legitimate interest in providing a personalized learning experience.
Profile preferences. Things you can set on your profile page — avatar color, profile title, email notification preferences. Legal basis: contractual necessity (delivering features you've enabled).

Information generated as you use the Service

Learning progress.Which missions and lab pages you've started or completed, your XP total, your streak days, and badges you've earned. Legal basis: contractual necessity(the Service is a progress-tracked learning platform — we can't deliver it without tracking your progress).
Mission notebook entries. Notes you write inside missions are saved to your account so they persist across sessions. They are private to you. Legal basis: contractual necessity.
Feedback you submit. If you use our feedback form, we save the message text, an optional screenshot you attach, your account ID, and the page you were on when you submitted. Legal basis: legitimate interest in improving the Service.

Information collected automatically

Analytics events.We use PostHog to collect anonymized usage data — pages visited, features used, error counts, approximate location based on IP address (city-level, not precise). This helps us understand what works and what doesn't. Legal basis: legitimate interest (improving the Service). For visitors in the EU/UK, we will not fire analytics until you give explicit consent via the cookie banner on first visit.
Server logs. Vercel (our hosting provider) records standard request logs including IP address, user agent, and request paths. Used for security, abuse detection, and debugging. Legal basis: legitimate interest (operational security).
Authentication cookies.Strictly necessary to keep you logged in. These are set by our authentication provider and don't require consent because they're essential to the Service.

Information we do NOT collect

We do not currently collect payment information — the Service is free during pre-launch. When paid plans become available, we will update this policy and you will be notified. We do not collect government IDs, financial account numbers, health information, or location-tracking data. We do not knowingly collect personal information from anyone under 16.

4. Cookies and tracking

We use a small number of cookies and similar technologies. They fall into two categories:

Strictly necessary cookies.Used for sign-in session management. We can't provide the Service without them. These do not require consent.
Analytics cookies/identifiers. Set by PostHog when you have given consent. You can withdraw consent any time by visiting Cookie preferences (also linked in the footer of every page).

We do not use cookies for advertising or to track you across other websites. We do not sell or share your data for advertising purposes.

5. Who we share your data with

We don't sell your data. We share it only with the technical providers we need to actually run the Service. Each of these providers acts as a “data processor” under GDPR — they process your data on our behalf, under written agreements that require them to keep it secure and use it only for the purposes we've specified.

Supabase — provides our database, authentication, and file storage. They store your account, learning progress, and feedback screenshots in encrypted form. Supabase Privacy Policy.
Vercel — provides our website hosting, content delivery network, and request logs. Vercel Privacy Policy.
PostHog — provides product analytics (only with your consent in covered jurisdictions). PostHog Privacy Policy.

We may also share data when legally required (e.g., a valid court order or law enforcement request), or when necessary to investigate or prevent fraud, security threats, or violations of our Terms of Service.

6. International data transfers

Our service infrastructure is hosted in the United States. If you are accessing the Service from the EU/UK, Switzerland, or another jurisdiction with different data-protection rules, your information will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards with our processors to provide a comparable level of protection for your data during these transfers.

7. How long we keep your data

We keep your account and associated learning progress for as long as your account exists. If you delete your account, we delete or anonymize your personal information within 30 days, except where we are legally required to retain it longer (e.g., financial or tax records once paid plans exist).

Server logs are retained for 90 days. Analytics data is retained for 12 months in identifiable form before being further anonymized. Feedback messages are retained for 24 months unless you ask us to delete them sooner.

8. Your rights

Regardless of where you live, you have the right to:

Access the personal information we hold about you and receive a copy of it in a portable format.
Correct personal information that is inaccurate or incomplete.
Deleteyour personal information (also known as the “right to be forgotten”), subject to limited exceptions.
Object to or restrict our processing of your personal information.
Withdraw consent at any time where we are processing on the basis of your consent.
Lodge a complaint with a data protection authority — for EU/UK residents, with the supervisory authority in your country; for California residents, with the California Attorney General; for Florida residents, with the Florida Department of Legal Affairs.

How to exercise your rights: email privacy@grcplayground.com from the email address associated with your account. We'll verify your identity and respond within 30 days. There is no charge for these requests in the normal course; if a request is manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable fee or refuse to act.

Self-service options for the two most common requests are available directly from your Profile page: a “Download my data” button (returns a JSON export of everything we hold) and a “Delete my account” button in the Danger Zone (irrevocably removes your account, profile, learning progress, badges, feedback, and any uploaded screenshots). For other requests (correction, restriction, objection), email us.

9. Notice to California residents (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively “CCPA”):

Right to know what categories of personal information we collect and how we use them. (See Section 3 for the full list.)
Right to delete personal information, subject to limited exceptions.
Right to correct inaccurate personal information.
Right to opt out of “sale” or “sharing” of personal information for cross-context behavioral advertising. We do not sell or share your personal information for advertising, but you may still exercise this right by emailing us.
Right to limit use of sensitive personal information. We do not collect any category of sensitive personal information under the CCPA.
Right to non-discrimination for exercising these rights.

To exercise any of these rights, email privacy@grcplayground.com. You may also designate an authorized agent to make a request on your behalf.

10. Notice to Florida residents

The Florida Digital Bill of Rights (FDBR) applies to certain larger businesses. Based on our current size, FDBR does not currently apply to us; however, we voluntarily extend the same rights described above (access, correct, delete, port, opt out of targeted advertising) to Florida residents. Email privacy@grcplayground.com to exercise any of these rights.

11. Children's privacy

The GRC Playground is intended for adults working in or studying for governance, risk, and compliance roles. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected information from a child, contact us at privacy@grcplayground.com and we will delete it promptly.

12. How we protect your data

We use technical and organizational safeguards appropriate to the sensitivity of the information, including encryption in transit (TLS) and at rest, role-based access controls, row-level security policies on the database, and regular security review of our infrastructure. No system is perfectly secure; we'll notify you (and any required authorities) if a breach occurs that is likely to result in a risk to your rights and freedoms.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) and/or by posting a prominent notice on the Service before the change takes effect. The “Last updated” date at the top of this page reflects the most recent revision.

14. Contact us

For any privacy question, request, or complaint, email privacy@grcplayground.com. We will acknowledge your message within 5 business days and respond substantively within 30 days.

This Privacy Policy is provided in plain English to be readable without a law degree. It is not a substitute for legal advice. If you have questions about how it applies to your specific situation, contact a qualified attorney.