Effective date: May 30, 2026 · Operated by: Carley Fitzgerald d/b/a Everything's Fine: The Disaster Deck
This Privacy Policy describes how Carley Fitzgerald, doing business as Everything's Fine: The Disaster Deck (“we,” “our,” or “us”), collects, uses, and protects information when you use our website and tabletop exercise platform at https://thedisasterdeck.com (the “Service”).
We are committed to protecting your privacy. We collect only what we need to provide the Service, we do not sell your personal data, and we are transparent about how your information is handled — including by third-party providers.
Account information. When you register, we collect your name, email address, and organization name. This information is used to create and manage your account.
Exercise and session data. When you use the platform to run tabletop exercises, we store the data you create: scenario selections, action cards placed on the board, notes and justifications you add, player role assignments, after-action review responses, and AI debrief results. This data is associated with your account and stored on your behalf.
Payment information. If you purchase a subscription, payment is processed by Stripe, Inc. We do not store your credit card number, CVV, or full payment details. We receive a Stripe customer ID, subscription status, and plan information from Stripe for account management purposes.
Usage data. We may collect standard web server logs including your IP address, browser type, pages visited, and timestamps. This information is used for security monitoring and service improvement and is not linked to personal profiles.
Contact form submissions. If you contact us through the website, we collect your name, email address, and the content of your message in order to respond to your inquiry.
We do not use your exercise data for marketing, advertising, or behavioral profiling. We do not sell your personal data to any third party.
We rely on the following third-party providers to deliver the Service. Each provider has its own privacy policy governing its data practices.
Supabase (database and authentication)
Your account data and exercise history are stored in a Supabase database hosted on Amazon Web Services (AWS) in the US-East-1 (Northern Virginia) region. Data is encrypted in transit (TLS) and at rest (AES-256). Supabase Privacy Policy: supabase.com/privacy
Anthropic (AI debrief generation)
When you click “Generate AI Debrief” at the end of an exercise, the content of your exercise board — including card titles, placement notes, and player assessment responses — is sent to Anthropic's API to generate the debrief text. No personally identifiable information (name, email, organization) is included in these requests. Anthropic does not retain prompts or responses for training purposes under their current enterprise API terms. Anthropic Privacy Policy: anthropic.com/privacy
Stripe (payment processing)
Subscription payments are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. Stripe's collection and use of payment data is governed by the Stripe Privacy Policy: stripe.com/privacy
Vercel (website hosting)
The website and API are hosted on Vercel's edge network. Vercel may process request metadata (IP address, headers) as part of standard web hosting operations. Vercel Privacy Policy: vercel.com/legal/privacy-policy
We understand that government emergency management teams handle sensitive operational information. Please be mindful of what you enter into exercise notes and assessments. We recommend:
When a debrief is generated, exercise board content is sent to Anthropic's API. This is disclosed in the platform UI before debrief generation. Users who do not wish their exercise content to be processed by Anthropic may skip the AI debrief and use the board summary and manual AAR forms instead.
We retain your account data and exercise history for as long as your account is active. If you cancel your subscription, your data is retained for 90 days to allow for reactivation or export, after which it is deleted. You may request deletion of your data at any time by contacting us.
Contact form messages are retained for up to 12 months and then deleted.
The Service uses session cookies for authentication (to keep you logged in). We do not use advertising cookies, cross-site tracking cookies, or behavioral analytics services that track you across other websites.
The free demo at /play does not require an account and does not set any persistent cookies.
You have the right to access, correct, or delete your personal data at any time. You may also request a copy of the data we hold about you. To exercise these rights, contact us at the address below.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we have collected and the right to opt out of the sale of personal information (we do not sell personal information).
The Service is intended for use by adult emergency management professionals and is not directed at children under 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of the page. Material changes will be communicated by email to registered account holders at least 14 days before they take effect.
For privacy-related questions, data requests, or concerns, contact us at: