How we keep your story.
The privacy policy for Survive the Scam. Last revised May 23, 2026 (afternoon update — caregiver-page shares + share source field).
Survive the Scam is a non-profit scam-education project produced for the Better Business Bureau, Connecticut. The product is interactive, anonymous, and free. The notes below describe exactly what we know about you when you use it, what we don’t, and why.
What we collect
When you sit down by the fire, your browser generates a random session identifier — a string of letters and numbers, with no connection to your name, email, or any other personal information. That identifier is sent to our server alongside eight kinds of events:
- Scene views. Which episode and which scene you reached, with a timestamp. This lets us understand which beats are hardest to sit through and which decisions are hardest to make.
- Decisions. Which choice you picked at each decision point, and the risk delta it carried. This lets the product eventually show you comparative analytics — “you picked C; 12% of viewers did” — so you can understand where your instincts land relative to others.
- Outcomes. Which ending you landed on. The same as above but for the final scene of each episode.
- Shares. If you tap a share button anywhere on the site — an outcome card after finishing an episode, or a case-file card on the /for-families caregiver page — we log that the share happened along with which platform you sent it to (X, Facebook, LinkedIn, SMS, WhatsApp, Email, Copy Link, or your phone’s native share sheet), which framing you used (“I survived” vs. “saw this; thought of you”), which surface the share fired from (e.g., the outcome card vs. the caregiver page), and — when applicable — which outcome variant (disaster, escape, or hero) you were sharing. The message text itself is composed on your device and sent only to the platform you picked — we never see who you sent it to.
- Orb clicks. If you click the small blue spark floating next to the torch on the landing page, we log that the click happened. No identity, no profile — just an anonymous tally so we know whether the easter-egg entry to sparkwithtrust.com is reaching the people it should reach.
- Contact downloads. If you tap the “Save BBB CT to contacts” download on an outcome card, we log that the download happened along with the outcome variant you were on. The vCard file itself is generated on the fly and contains only the BBB Connecticut public phone number and address — no personal information, ever.
- Phone-number taps. If you tap a phone-number link on any page (BBB CT, the CT Attorney General, CT State Police), we log that the tap happened along with which page and which section produced it (for example, “the recently-scammed page’s BBB Connecticut row”). We do not log which number is on the other end of your phone, who you are calling for, or what you say once the call connects — only that you decided to call.
- Report-link clicks. If you click an outbound link to a scam-reporting service (such as bbb.org/scamtracker or the FBI Internet Crime Complaint Center at ic3.gov), we log that the click happened along with which page sent you. We do not see anything you submit on the other side. These two event types — phone taps and report-link clicks — are the only way we can answer the year-end question of whether this product is causing Connecticut residents to actually call BBB CT or file reports.
All eight event types are stored in a database hosted by Supabase in the United States (us-east-1). Each row contains the session identifier, the episode ID, the node ID, the event kind, the choice ID (for decision events), the risk-after value (for decision events), a small JSON object of event-specific metadata (today: the surface that produced phone-taps and report-link-clicks, plus the share fields described above), and a timestamp. Nothing else.
We also keep a separate, simpler table called session visits — one row per fresh session identifier with the first time we saw it. The “souls by the fire” counter on the landing page is a count of distinct rows in that table. No event detail, no IP, no profile — just an anonymous tally so returning visitors can see how many other people have pulled up a chair.
What we don’t collect
- No name. No email. No phone number. No mailing address.
- No IP address is stored alongside your events.
- No third-party advertising or cross-site tracking: no Google Analytics, no Meta Pixel, no LinkedIn Insights, no advertising trackers, no data brokers. We do collect two narrow categories of first-party telemetry: anonymous performance metrics (Core Web Vitals via Vercel Speed Insights) and anonymous page-view counts (page views, referrers, top pages, unique visitors via Vercel Analytics). Neither uses cookies. Neither sets a cross-site identifier. Neither sells or shares your data with anyone. See the third-party services section below for the specifics of what each captures.
- No tracking cookies. The site uses your browser’s
sessionStorageandlocalStorageto remember which cases you’ve closed, your mute preference, and whether you’ve already lit the fire. None of that information leaves your device. - No demographic data. No inferred age, gender, income, or location beyond the Connecticut framing already baked into the product.
- No microphone or camera access. The audio in the product plays one way — out of your speakers.
Why we collect what we collect
There are two reasons, and only two:
- To show comparative choice analytics. When you reach an outcome, we want to be able to say “you took the hardest path; 8% of viewers did.” That requires knowing what most viewers do. The aggregate is the lesson.
- To tighten BBB Connecticut’s pattern data on real scams. Which scenes make viewers freeze, which decision points produce the most disasters, which scams resonate with which demographics — anonymous patterns feed back into BBB CT’s consumer alerts. Your one anonymous session improves the alert that goes out to the next person.
How long we keep it
Aggregate event data is retained for 24 months and then deleted. Session identifiers cannot be linked to anything outside this product — they exist in this database and nowhere else.
Your rights
- To know what we collect. That’s this page. Bookmark it. We will revise it in public.
- To clear your local data. Your browser’s site-data settings will erase everything stored on your device (closed-case flags, mute preference, etc.) without affecting the site.
- To opt out of analytics entirely. Set your browser’s “Do Not Track” signal. We honor it — when it’s present, we suppress all event logging for that session.
- No account = nothing to delete server-side. We do not keep a profile on you. There is nothing to delete because there is nothing connecting your session identifier to you.
Third-party services we use
These are the only outside services involved in delivering this product:
- Vercel — hosts the website. Standard server logs (timestamp, requested URL, browser user-agent) are retained by Vercel per their privacy policy. Vercel does not have access to your individual decisions inside the product.
- Vercel Speed Insights — collects anonymous page-performance metrics (Core Web Vitals like LCP, FID, CLS, INP, TTFB) on every page view so we can spot slow renders and fix them. No cookies, no PII, no cross-site tracking, no correlation to your session identifier in our database. The metrics are aggregated; we use them to debug the product, not to profile viewers.
- Vercel Analytics — first-party page-view and session analytics. Records what URLs are visited, where visitors arrived from (referrer), which pages are most popular, and a daily unique-visitor count. It does not set cookies, does not use cross-site identifiers, does not build behavioral profiles, does not share data with advertisers or other parties, and is not correlated to the session identifier in our event database. We use it to understand which case files reach people and which don’t — institutional learning, not surveillance.
- Supabase — stores the anonymous event data described above. US-hosted. Encrypted at rest.
- Mux — used only for video playback (when streamed video episodes ship). Plays one way; collects no PII from viewers.
- ElevenLabs & Replicate — used only at content-prep time by the production team. No viewer data is shared with either service. You do not interact with them directly.
AI crawlers and public-content sharing
The case files, transcripts, and scam-pattern index on this site are public content, and we permit AI assistants and answer engines (ChatGPT, Perplexity, Google AI Overviews, Claude, Gemini, and others) to read and quote them. We publish a /llms.txt summary at the site root specifically to help these crawlers surface the right help to the right person at the right moment — that is the entire point of a scam-education project.
What this means in practice: an episode title, a scam-pattern description, or a line from a transcript may appear in an AI assistant’s answer when someone asks about a scam. That is intended.
What this does NOT mean: viewer session data, decision events, share events, the “souls by the fire” counter, or anything else from the database described above is not included in /llms.txt and is not accessible to any crawler. Crawlers see only what an ordinary visitor browsing the public pages would see.
Children
This product depicts financial fraud against adults and is not directed at users under 18. We do not knowingly collect data from children. If you are a parent or guardian and believe your child has used the product, contact BBB CT (below) and we will purge any associated session data on request.
Changes to this policy
When we change this page, we will note the revision date at the top. Material changes — anything that affects what we collect or who can see it — will be flagged with a banner at the top of the landing page for seven days.
Contact
Privacy questions belong with BBB Connecticut. They are the sponsoring institution and the keepers of this product’s standards.
Better Business Bureau, Connecticut
Cromwell, CT
860-740-4500
bbb.org/local-bbb/bbb-serving-connecticut ↗
This product is a non-profit consumer-protection collaboration with BBB Connecticut. The stories are dramatized composites of real reported Connecticut scams. The fewer people we know about, the better we can tell them.