Storm Deck
Privacy Policy
Last updated May 18, 2026

Storm Deck ("we", "us", "our") provides a fire operations and property monitoring dashboard for rural property owners, land stewards, and small fire operations teams. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

Plain-English summary: We collect only what's needed to run your property dashboard. We don't sell your data, we don't run ads, and we don't share your information with anyone except the third-party services listed below (which are used to deliver maps, weather, and fire data to you).

Information we collect

Account information

  • First and last name
  • Email address (required for account recovery and operational notices)
  • Optional phone number, if you provide one
  • Optional messaging-platform contact identifier (used to deliver direct alerts if you opt in)
  • 6-digit login PIN, stored only as a salted, one-way hash — we never see or log the actual PIN
  • User role (admin, operator, viewer) and the property or properties you are assigned to

Property and operational data

  • Property name, coordinates, and configured alert zones
  • Incident logs, notes, and timestamps you create
  • Uploaded parcel GeoJSON files and landowner overlays
  • Lightning strike records fetched on your behalf
  • Fire hotspot records fetched on your behalf
  • GPS location tracks from vehicles and devices you connect to Storm Deck — precise geolocation data is classified as sensitive personal data under the Oregon Consumer Privacy Act (OCPA). By connecting GPS devices and viewing unit tracks in Storm Deck, you consent to the collection and processing of this data for fire operations and property monitoring purposes. You may withdraw this consent at any time by disconnecting your GPS devices from the GPS integration.
  • Map pan/zoom state and layer preferences (stored locally in your browser)

Automatically collected

  • IP address and basic request logs, retained short-term for security and rate limiting (see "Data retention" for specific windows)
  • Session cookies needed to keep you signed in (HttpOnly, same-site protected)
  • Session start and end times (login timestamps and session duration), used for owner analytics described below — we do not track which maps you view, which buttons you click, or any content you view within the app

Public contact form

If you submit our public contact form (separate from signing in to a property dashboard), we store the name, email address, optional company, optional phone number, and message you submit, along with your IP address and browser identifier (user-agent string). This information is used only to respond to your inquiry and is retained per the schedule in "Data retention" below.

How we use your information

  • To display your dashboard, incidents, and map layers
  • To send alerts you've configured (mobile messaging, team channels, email) for lightning, fires, and evacuations in your zones
  • To protect the service from abuse (rate limiting, audit logs)
  • To troubleshoot and improve the product
  • To provide aggregated usage analytics to the property owner (see "Property-owner visibility" below)

Property-owner visibility

Storm Deck is sold on a per-property basis. If you use Storm Deck under a property subscription, the owner of that property has access to a private analytics page that shows aggregated session activity for users assigned to their property.

Specifically, the property owner can see:

  • Which users assigned to their property have logged in recently
  • For each user, over the last 30 days: number of sign-in sessions, total time signed in, average session length, and number of distinct active days
  • A weekly heatmap of combined usage times (averaged across the property's users over the past 28 days) used to choose low-activity windows for maintenance

This information is visible only to the owner of the property you are assigned to — never to owners of other properties, other Storm Deck customers, or the public. The owner cannot see which maps you viewed, which GPS tracks or incidents you opened, what you typed, or any other content — only when you were signed in and how long your session lasted.

This type of operational analytics is permitted under GDPR as a legitimate interest (for EU users) and is disclosed to comply with the CCPA and similar US state privacy laws. If you don't want your session times visible to the property owner, contact the property owner or contact@stormdeck.app.

We do not sell, rent, or trade your personal information. We do not serve advertising. We do not share your data with marketing firms or analytics brokers.

Third-party services

Storm Deck combines several map, weather, and fire-data sources to deliver real-time information. When you load a map, your IP address and the specific area you're viewing are forwarded to the relevant providers so they can return the right tiles and data.

The kinds of providers we use:

  • Mapping and base-map tiles — satellite and street imagery from major mapping platforms
  • Weather, lightning, radar, and atmospheric data — a mix of government and commercial weather data services
  • Fire-detection and public-safety data — federal land-management agencies, federal weather services, regional dispatch centers, and other public-safety feeds
  • GPS tracking infrastructure — operated on our own self-hosted servers
  • Notification delivery — chat and messaging platforms used to deliver alerts you've opted into
  • Off-site backup — encrypted backups stored with a separate U.S.-based provider

Each provider operates under its own privacy policy. If you would like the current named list of subprocessors for compliance review, contact us at contact@stormdeck.app.

Data retention

  • Account data (name, email, phone, role, property assignment): retained for the life of your account. On deletion request, we purge your account and associated records within 30 days, except where longer retention is required by law.
  • Incidents, operational logs, radio configurations, field requests, parcel overlays, personnel deployment history: retained indefinitely while the associated property is active. When a property is deleted, these records are removed in the same operation. Closed incidents may be archived to JSON files on our servers for historical reference.
  • Lightning strike records (per-incident records and the comprehensive regional archive that backs our public coverage claim): retained indefinitely.
  • Public contact form submissions: retained up to 24 months from submission, then deleted automatically.
  • Notification delivery audit log (the record that an alert was sent — not the underlying lightning or fire data, which is retained separately as described above): retained up to 12 months.
  • Service request telemetry (no personal data — only counts, status codes, and timing for upstream service calls used for performance monitoring): retained up to 7 days.
  • Backups: encrypted local backups are retained for up to 7 days on a rolling basis; encrypted off-site backup copies are retained with our backup provider on a longer rolling schedule for disaster recovery.

Data location and security

Storm Deck application servers and the primary database are physically located in a data center in Oregon, United States. Encrypted off-site backups are stored with a separate U.S.-based provider. All traffic between your browser and the service is protected with HTTPS / TLS. The names of our specific hosting and backup providers are available in the subprocessor list on request.

Security and incident response

  • Login PINs are stored only as salted, one-way hashes; the original PIN is never visible to operators and is not written to logs.
  • Session cookies are set with HttpOnly and same-site protection.
  • Login attempts are rate-limited per username and per network address to deter brute-force attacks.
  • If we discover a security incident affecting your personal data, we will notify affected account holders without unreasonable delay and in any event within the timelines required by applicable law — including Oregon's data-breach notification statute (ORS 646A.604), California Civil Code §1798.82, and, for EU/UK residents, GDPR Articles 33 and 34. Notification will describe what categories of data were affected, what we have done in response, and steps you can take to protect yourself.

Your rights

Regardless of where you live, you may at any time request to:

  • Access the personal data we hold about you
  • Correct inaccurate information
  • Delete your account and associated personal data
  • Receive a machine-readable export of your incident logs, personnel records, locations, parcel overlays, and lightning strike data (we respond within 30 days of request)
  • Withdraw consent for optional features (alerts, GPS tracking, direct messaging integrations)

California residents (CCPA / CPRA)

  • Right to know the categories and specific pieces of personal information we have collected about you
  • Right to delete personal information we have collected from you
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising — we do not sell or share personal information for this purpose
  • Right to limit the use of sensitive personal information, including precise geolocation
  • Right to non-discrimination for exercising any of the rights above

Oregon residents (OCPA)

  • Right to access, correct, delete, and obtain a portable copy of your personal data
  • Right to opt out of targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects — we do not engage in any of these activities
  • Right to request a list of the categories of third parties with whom we have shared your personal data

EU and UK residents (GDPR / UK-GDPR)

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)
  • Right to lodge a complaint with your national data protection authority

To exercise any of these rights, contact us at contact@stormdeck.app. We will verify your identity using information you provided at account creation before fulfilling any access, correction, deletion, or export request.

Children

Storm Deck is intended for adult property owners and operational staff. We do not knowingly collect information from anyone under the age of 13. If you believe a child under 13 has provided us with personal information, contact us and we will delete it.

Changes to this policy

If we revise this Privacy Policy, we will post the updated version at this URL with a revised effective date. For material changes affecting how we collect, use, or share personal data, we will give account holders at least 30 days' advance notice via email or in-app notice before the change takes effect.

Contact

For questions about this Privacy Policy, or to exercise any of the rights described above, contact us at contact@stormdeck.app.
