Privacy Policy

Effective date: 2026-02-11

This Privacy Policy explains how Scenarium (the “Service”) processes personal data. If you use Scenarium through an organization (your “Organization”), your Organization typically determines the purposes and means of processing and therefore acts as the controller. ObsidianCorps typically acts as a processor on behalf of the Organization.

At a glance

  • We don’t sell personal data. We use it to deliver, secure, and improve Scenarium.
  • Your Organization stays in control. It decides who can access exercises and content.
  • You keep ownership of your content. We process it only to provide the Service.
  • You have rights. Access, correction, deletion, and portability requests are supported.

Definitions

  • Personal data: information relating to an identified or identifiable natural person.
  • Controller: the entity that determines why and how personal data is processed.
  • Processor: the entity that processes personal data on behalf of a controller.
  • Customer Content: exercise data, injects, questions, responses, comments, attachments, and exports uploaded to the Service.

1. Who we are

The Service is provided by ObsidianCorps. For privacy questions, contact info@obsidiancorps.com.

2. Scope

This policy covers personal data processed when you visit our public pages, create or use an account, or participate in an exercise. This policy does not cover third-party services that you may access through Scenarium.

3. Personal data we process

  • Account data (name, email address, authentication identifiers, role and organization affiliation).
  • Organization and exercise data (organization name, exercise metadata, participant assignments, team structures).
  • Exercise content and responses (inject content, questions, answers, comments, attachments, exports).
  • Usage and technical data (log data, IP address, device/browser information, timestamps, security events).
  • Communications data (support requests, onboarding emails, and service notices).
  • Preference data (notification preferences, cookie choices, language or region settings).

We only collect data that is reasonably necessary for operating the Service and fulfilling contractual obligations with your Organization.

4. Sources of data

  • Directly from you (e.g., account creation, exercise participation).
  • From your Organization (e.g., when it assigns users to an exercise).
  • Automatically from your device (e.g., logs and security events).

5. Purposes and legal bases

  • Provide and secure the Service (performance of contract; legitimate interests).
  • Operate exercises, reporting, and exports (performance of contract; legitimate interests).
  • Customer support and communication (legitimate interests; consent where required).
  • Compliance, fraud prevention, and auditability (legal obligation; legitimate interests).

6. How the Service is used in organizations

Scenarium is commonly used for strategic exercises and crisis simulations. Organizations may assign users (participants, editors, directors) and publish injects to teams. Responses, comments, and exports are processed to run and evaluate exercises.

7. Processor/controller roles

When your Organization creates exercises and invites participants, your Organization is responsible for providing notices and obtaining permissions required by law for that processing. ObsidianCorps processes personal data according to the Organization’s instructions and these Terms.

If your Organization requires a Data Processing Addendum (DPA) and/or a list of subprocessors, contact info@obsidiancorps.com.

8. Sharing and subprocessors

We may share personal data with service providers (for example, hosting, monitoring, email delivery, analytics, and incident response) strictly as needed to operate the Service. We do not sell personal data.

Transparency

We assess vendors for security and privacy practices and require contractual protections. A current list of subprocessors is available on request.

Legal compliance and business transfers

We may disclose information if required by law, regulation, or lawful request, or to protect the rights, safety, and security of the Service. We may also transfer information in connection with a merger, acquisition, or sale of assets, subject to appropriate safeguards.

9. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. Measures may include access controls, least-privilege, encrypted transport (TLS), logging/monitoring, and backups.

Incident response

If we become aware of a personal data breach affecting Customer Content under our control, we will take reasonable steps to investigate and mitigate and, where applicable, notify the Organization consistent with contractual and legal requirements.

10. International transfers

If data is transferred outside your country/region, we use appropriate safeguards (for example, standard contractual clauses) where required.

11. Retention

We retain data for as long as necessary to provide the Service and as required by law or contract. Organizations may export or request deletion of exercise data subject to contractual and legal obligations.

Retention periods may vary depending on the type of record, contractual requirements, and the sensitivity of the data involved.

Account closure

If your Organization requests account closure, we will delete or anonymize data within a reasonable period unless retention is required for legal, security, or audit purposes.

12. Your rights

Depending on your location, you may have rights to access, correct, delete, or object to processing of your personal data, and to data portability. If you are using Scenarium through an Organization, please contact your Organization first.

Your controls inside Scenarium

  • Update profile and contact details from your account settings.
  • Manage notification preferences and exercise participation settings.
  • Request exports or deletion through your Organization administrator.

How to exercise rights

If you contact us directly, we may ask for information to verify your identity and/or confirm you are authorized by the Organization.

Communications

We may send service-related communications (for example, security notices, operational messages, billing/admin notices). Where required by law, we will seek consent for marketing communications and provide an unsubscribe mechanism.

13. Cookies and similar technologies

We use cookies for essential functionality, and (where enabled) optional cookies for preferences and analytics. You can manage your cookie preferences anytime via the “Manage cookie settings” button above. For details, see the Cookie Policy.

Your choices are stored in a preference cookie so we can respect your settings on future visits.

Do Not Track

Some browsers offer “Do Not Track” signals. Because there is no common standard for interpreting these signals, we do not respond to them at this time.

14. Children’s privacy

The Service is not directed to children and is intended for professional/organizational use. Do not use the Service if you are not legally able to consent to data processing in your jurisdiction.

15. Changes

We may update this policy from time to time. The effective date above indicates the latest revision.

16. Contact

For privacy inquiries, contact info@obsidiancorps.com.
