Your Privacy Matters
CCW Hub LLC ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. By using CCW Hub, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Personal Information You Provide
When you create an account or use our services, we collect:
- Identity Data: Full name, email address, phone number, date of birth
- Account Credentials: Username, password (encrypted), security questions and answers
- Professional Information (Instructors): Business name, certifications, licenses, insurance information, tax ID (EIN or SSN for 1099 reporting), professional qualifications
- Location Data: Street address, city, state, ZIP code, facility locations, geolocation data (with your permission)
- Payment Information: Credit card details, bank account information, billing address (securely processed and stored by Stripe, not by CCW Hub)
- Profile Information: Profile photo, bio, website, social media links, instructor specialties, student preferences
- Communications: Messages sent through the platform, customer support inquiries, survey responses, feedback
1.2 Information Collected Automatically
When you access our platform, we automatically collect:
- Device Information: IP address, browser type and version, device type, operating system, unique device identifiers
- Usage Data: Pages viewed, time spent on pages, links clicked, search queries, class views, booking actions
- Performance Data: Page load times, server response times, error reports, crash logs
- Referral Information: Source of traffic (e.g., Google search, social media, direct visit)
1.3 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to:
- Maintain your login session
- Remember your preferences and settings
- Analyze platform usage and performance
- Deliver personalized content and advertisements
- Prevent fraud and enhance security
1.4 Information from Third Parties
We may receive information from:
- Authentication Services: Auth.js (user authentication and session management)
- Payment Processors: Stripe (payment transaction details, fraud detection)
- Analytics Providers: PostHog and Vercel Analytics (product usage and performance). Individual instructor sub-sites may also use Google Analytics when the instructor configures it.
- Social Media: If you connect your social media accounts (profile information, friends list with permission)
2. How We Use Your Information
2.1 Service Delivery and Operations
- Create and manage your account
- Process class bookings and payment transactions
- Facilitate communication between instructors and students
- Send booking confirmations, class reminders, and schedule updates
- Verify instructor credentials and qualifications
- Process instructor payouts
- Provide customer support and respond to inquiries
- Issue required tax forms (such as 1099-K) in accordance with applicable IRS reporting thresholds
2.2 Platform Improvement and Analytics
- Analyze usage patterns to improve features and user experience
- Conduct research and product development
- Monitor platform performance and troubleshoot technical issues
- Test new features and functionalities (A/B testing)
- Generate aggregated, anonymized analytics and reports
2.3 Marketing and Communications
- Send promotional emails about new features and platform updates (opt-out available)
- Recommend relevant classes based on location, search history, and preferences
- Display personalized content and targeted advertisements
- Request reviews, testimonials, and feedback
- Send newsletters and educational content (with your consent)
2.4 Security, Fraud Prevention, and Legal Compliance
- Detect and prevent fraudulent transactions and abuse
- Verify user identity and prevent account takeovers
- Enforce our Terms of Service and platform policies
- Comply with legal obligations, court orders, and law enforcement requests
- Protect the rights, property, and safety of CCW Hub, users, and the public
- Resolve disputes and enforce agreements
- Maintain audit logs and records as required by law
2.5 Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your data based on:
- Contractual Necessity: To fulfill our agreement with you (account creation, bookings, payments) - GDPR Article 6(1)(b)
- Legitimate Interests: To improve services, prevent fraud, ensure security, and conduct analytics - GDPR Article 6(1)(f)
- Consent: For marketing communications, optional data collection, and cookie placement - GDPR Article 6(1)(a)
- Legal Obligations: To comply with tax, accounting, and regulatory requirements - GDPR Article 6(1)(c)
3. Information Sharing
3.1 With Other Users
- Students to Instructors: When you book a class, we share your name, email, phone number, and any special requirements with the instructor
- Instructor Profiles: Instructor names, photos, bios, certifications, ratings, and reviews are publicly visible to all users
- Reviews and Ratings: Reviews you post are publicly visible with your first name and profile photo
3.2 With Service Providers
We share data with trusted third-party service providers who assist in operating our platform:
- Auth.js: User authentication, session management, account security
- Stripe: Payment processing, fraud detection, payout transfers, tax reporting
- Resend: Transactional and marketing email delivery
- Twilio: SMS notifications and two-factor authentication
- Vercel: Cloud hosting, content delivery network (CDN), serverless functions
- Neon: Secure database hosting and management
- PostHog: Product usage and behavior analytics
- Sentry: Error tracking and performance monitoring
- n8n: Workflow automation and integrations
All service providers are contractually obligated to protect your data through Data Processing Agreements (DPAs) and use it only for the specific purposes we authorize. They may not sell or share your data for their own purposes.
3.3 For Legal and Safety Reasons
We may disclose your information when required by law or to:
- Comply with legal processes (subpoenas, court orders, warrants, regulatory inquiries)
- Enforce our Terms of Service and other agreements
- Investigate and prevent fraud, security threats, or illegal activities
- Protect the rights, property, or safety of CCW Hub, our users, or the public
- Respond to law enforcement requests or national security demands
3.4 Business Transfers
If CCW Hub is acquired, merged, reorganized, or sold (in whole or in part), your information may be transferred to the acquiring entity as part of the transaction. We will notify you via email and/or platform notification at least 30 days before this occurs and provide information about your rights under the new ownership.
3.5 Aggregated and Anonymized Data
We may share aggregated, de-identified, or anonymized data that cannot reasonably identify you with:
- Business partners for market research and analytics
- Investors and stakeholders for reporting purposes
- Industry organizations for benchmarking and trend analysis
- Academic researchers for firearms training studies
3.6 Advertising Partners and Customer Match
To show you relevant ads, measure how our ads perform, and reach new people who share interests with our customers, we may share a hashed (one-way encrypted) version of your contact information, such as your email address or phone number, with advertising platforms including Google and Meta.
- Your information is hashed before it leaves our systems. We do not share your email address or phone number in plain text.
- These platforms use the hashed data only to match you to your existing account with them. This lets us show ads to you and to audiences with similar interests (a practice Google calls "Customer Match" and "similar audiences").
- We do not authorize these partners to use your data for their own independent purposes, and we never sell your personal information.
- You can opt out at any time by unsubscribing from marketing, adjusting your ad settings with the relevant platform, or using the opt-out tools listed in the Cookies and Tracking section below.
4. Data Security
We implement industry-standard technical and organizational measures to protect your personal information:
4.1 Technical Safeguards
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
- Secure Infrastructure: Hosted on Vercel with enterprise-grade security, DDoS protection, and SOC 2 Type II compliance
- Database Security: Neon Postgres with encryption, automated backups, and point-in-time recovery
- Payment Security: PCI-DSS Level 1 compliant payment processing via Stripe (we never store complete credit card numbers)
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for staff, principle of least privilege
- Authentication: Secure password hashing using bcrypt, JWT session tokens via Auth.js
4.2 Organizational Safeguards
- Employee Training: Regular security awareness training for all staff
- Confidentiality Agreements: All staff sign confidentiality and data protection agreements
- Incident Response: 24/7 security monitoring and formal incident response plan
- Vendor Management: Due diligence and security assessments for all third-party providers
4.3 Security Monitoring and Audits
- Real-time threat detection and automated alerts
- Regular security audits and penetration testing
- Vulnerability scanning and patch management
- Annual third-party security assessments
- Compliance with OWASP Top 10 security standards
4.4 Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
- Notify affected users via email within 72 hours of discovery (as required by GDPR)
- Provide details about the breach, data affected, and steps we're taking
- Offer guidance on protecting yourself (e.g., password reset, credit monitoring)
- Report the breach to relevant authorities as required by law
- Conduct a thorough investigation and implement corrective measures
4.5 Limitations
While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and should use a strong, unique password.
5. Your Rights
5.1 Rights for All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate or incomplete information in your account settings
- Deletion: Request deletion of your account and associated data (subject to legal retention requirements)
- Opt-Out of Marketing: Unsubscribe from promotional emails by clicking "Unsubscribe" in any marketing email
- Cookie Control: Manage cookie preferences through your browser settings
5.2 GDPR Rights (EEA Users)
If you are in the European Economic Area, you have additional rights under GDPR:
- Right to Access (Article 15): Obtain confirmation of processing and a copy of your data in a commonly used format
- Right to Rectification (Article 16): Correct inaccurate or incomplete data
- Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten") when no longer necessary or consent is withdrawn
- Right to Restriction (Article 18): Request limited processing of your data in certain circumstances
- Right to Data Portability (Article 20): Receive your data in a machine-readable format (CSV or JSON) and transfer it to another service
- Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent (Article 7(3)): Revoke consent at any time for marketing or optional data collection
- Right to Lodge a Complaint (Article 77): File a complaint with your local data protection authority (supervisory authority)
5.3 CCPA Rights (California Users)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to Know (§1798.100): Request disclosure of:
- Categories and specific pieces of personal information collected
- Categories of sources from which data was collected
- Business or commercial purposes for collection
- Categories of third parties with whom we share data
- Right to Delete (§1798.105): Request deletion of your personal information (subject to exceptions)
- Right to Opt-Out of Sale (§1798.120): We do NOT sell your personal information to third parties
- Right to Non-Discrimination (§1798.125): You will not receive discriminatory treatment for exercising your CCPA rights
- Authorized Agent: You may designate an authorized agent to make requests on your behalf
5.4 How to Exercise Your Rights
To exercise any of these rights:
- Email: privacy@ccwhub.com with subject line "Privacy Rights Request"
- Account Settings: Access, update, or delete certain information directly in your account
- Data Export: Request a data export in machine-readable format (CSV or JSON)
We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA). We may request additional information to verify your identity before processing requests.
5.5 Verification Process
To protect your privacy, we verify your identity before fulfilling requests by:
- Matching your request email to your registered account email
- Requesting additional identifying information (last 4 digits of payment method, account creation date)
- Sending a verification code to your registered phone number or email
6. Cookies and Tracking Technologies
6.1 Types of Cookies We Use
- Essential Cookies (Strictly Necessary): Required for login, authentication, security, and basic functionality. These cannot be disabled without breaking the platform.
- Session cookies (expire when you close your browser)
- Authentication tokens (session JWT)
- CSRF protection tokens
- Performance Cookies (Analytics): Track usage patterns, page views, and performance metrics to improve the platform.
- PostHog (ph_*_posthog)
- Vercel Analytics (anonymous)
- Google Analytics (_ga, _gid, _gat), only on instructor sub-sites that enable it
- Functional Cookies (Preferences): Remember your preferences and settings.
- Language preference
- Location/region settings
- UI customization preferences
- Marketing Cookies (Advertising): Deliver personalized ads and track campaign effectiveness. You can opt out of these cookies.
- Google Ads conversion tracking
- Facebook Pixel (if applicable)
- Retargeting pixels
6.2 Managing Cookies
You can control cookies through:
- Browser Settings: Most browsers allow you to block or delete cookies. Consult your browser's help documentation for instructions.
- Cookie Consent Manager: Use our cookie preference center to customize which non-essential cookies you allow
- Opt-Out Tools:
Note: Disabling essential cookies may prevent you from using certain platform features (e.g., you may not be able to log in or book classes).
6.3 Do Not Track
Some browsers support "Do Not Track" (DNT) signals. Currently, there is no industry consensus on how to respond to DNT. We do not currently respond to DNT signals but may do so in the future as standards emerge.
7. Third-Party Services
7.1 Services We Use
- Auth.js (Authentication): Open-source authentication framework. No third-party data sharing, all auth data stays on our servers.
- Stripe (Payments): Payment processing, fraud detection, payouts. Privacy Policy
- Resend (Email): Transactional and marketing email delivery. Privacy Policy
- Twilio (SMS): SMS notifications and two-factor authentication. Privacy Policy
- Vercel (Hosting): Cloud hosting and infrastructure. Privacy Policy
- Neon (Database): Postgres database hosting. Privacy Policy
- PostHog: Product usage analytics. Privacy Policy
- Sentry (Error Tracking): Application error monitoring and performance tracking. Privacy Policy
- n8n (Automation): Workflow automation and integrations. Privacy Policy
7.2 Third-Party Links
Our platform may contain links to third-party websites (e.g., instructor personal websites, social media, external resources). We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies before providing any personal information.
7.3 Social Media Plugins
We may use social media plugins (Facebook Like, Twitter Share, etc.). These plugins may collect information about your visit, even if you don't interact with them. Refer to the respective social media platform's privacy policy for details.
8. Data Retention
We retain your data only as long as necessary to fulfill the purposes outlined in this policy:
8.1 Active Accounts
- Account Data: Retained while your account is active and for 90 days after account closure (to allow reactivation)
- Profile Information: Retained while account is active
- Booking History: Retained for 7 years after class date for tax and legal compliance
8.2 Deleted Accounts
- Personal Data: Deleted within 90 days of account deletion (except where legal retention applies)
- Payment Data: Retained by Stripe for 7 years for tax, accounting, and fraud prevention
- Communications: Support tickets and messages retained for 2 years for quality assurance
- Legal Records: Records related to disputes, investigations, or legal proceedings retained until resolution + 7 years
8.3 Specific Data Types
- Tax Records (1099 Forms): 7 years (IRS requirement)
- Transaction Records: 7 years (accounting and audit requirements)
- Security Logs: 1 year (incident response and forensics)
- Analytics Data: Aggregated, anonymized data may be retained indefinitely
- Marketing Data: Deleted immediately upon opt-out or account deletion
8.4 Backup Retention
Data may persist in backups for up to 90 days after deletion. Backups are encrypted and access-controlled. Data in backups is not actively used and will be permanently deleted when backups expire.
9. Children's Privacy
CCW Hub is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from minors. If you are under 18, you may not create an account or use our services.
If we become aware that we have inadvertently collected personal information from a child under 18, we will:
- Delete the information as quickly as possible
- Terminate the account
- Not use or disclose the information for any purpose
- Notify the parent/guardian if contact information is available
If you believe we have collected information from a minor, please contact us immediately at privacy@ccwhub.com.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
When we make material changes, we will notify you by:
- Sending an email to your registered email address at least 30 days before changes take effect
- Displaying a prominent notice on the Platform
- Updating the "Last Updated" date at the top of this policy
- Requiring you to review and accept the updated policy upon next login (for significant changes)
Your continued use of the Platform after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Platform and may delete your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
By using CCW Hub, you acknowledge that you have read, understood, and agree to this Privacy Policy.
Effective Date: June 25, 2026