Privacy Policy

1. Information We Collect

1.1 Personal Information You Provide

When you create an account or use our services, we collect:

• Identity Data: Full name, email address, phone number, date of birth
• Account Credentials: Username, password (encrypted), security questions and answers
• Professional Information (Instructors): Business name, certifications, licenses, insurance information, tax ID (EIN or SSN for 1099 reporting), professional qualifications
• Location Data: Street address, city, state, ZIP code, facility locations, geolocation data (with your permission)
• Payment Information: Credit card details, bank account information, billing address (securely processed and stored by Stripe, not by CCW Hub)
• Profile Information: Profile photo, bio, website, social media links, instructor specialties, student preferences
• Communications: Messages sent through the platform, customer support inquiries, survey responses, feedback

1.2 Information Collected Automatically

When you access our platform, we automatically collect:

• Device Information: IP address, browser type and version, device type, operating system, unique device identifiers
• Usage Data: Pages viewed, time spent on pages, links clicked, search queries, class views, booking actions
• Performance Data: Page load times, server response times, error reports, crash logs
• Referral Information: Source of traffic (e.g., Google search, social media, direct visit)

1.3 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

• Maintain your login session
• Remember your preferences and settings
• Analyze platform usage and performance
• Deliver personalized content and advertisements
• Prevent fraud and enhance security

1.4 Information from Third Parties

We may receive information from:

• Authentication Services: Clerk (user authentication and identity verification)
• Payment Processors: Stripe (payment transaction details, fraud detection)
• Analytics Providers: Google Analytics, Vercel Analytics (usage patterns, demographics)
• Social Media: If you connect your social media accounts (profile information, friends list with permission)

2. How We Use Your Information

2.1 Service Delivery and Operations

• Create and manage your account
• Process class bookings and payment transactions
• Facilitate communication between instructors and students
• Send booking confirmations, class reminders, and schedule updates
• Verify instructor credentials and qualifications
• Process instructor payouts
• Provide customer support and respond to inquiries
• Issue tax forms (1099-K for instructors earning $600+ annually)

2.2 Platform Improvement and Analytics

• Analyze usage patterns to improve features and user experience
• Conduct research and product development
• Monitor platform performance and troubleshoot technical issues
• Test new features and functionalities (A/B testing)
• Generate aggregated, anonymized analytics and reports

2.3 Marketing and Communications

• Send promotional emails about new features and platform updates (opt-out available)
• Recommend relevant classes based on location, search history, and preferences
• Display personalized content and targeted advertisements
• Request reviews, testimonials, and feedback
• Send newsletters and educational content (with your consent)

2.4 Security, Fraud Prevention, and Legal Compliance

• Detect and prevent fraudulent transactions and abuse
• Verify user identity and prevent account takeovers
• Enforce our Terms of Service and platform policies
• Comply with legal obligations, court orders, and law enforcement requests
• Protect the rights, property, and safety of CCW Hub, users, and the public
• Resolve disputes and enforce agreements
• Maintain audit logs and records as required by law

2.5 Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your data based on:

• Contractual Necessity: To fulfill our agreement with you (account creation, bookings, payments) - GDPR Article 6(1)(b)
• Legitimate Interests: To improve services, prevent fraud, ensure security, and conduct analytics - GDPR Article 6(1)(f)
• Consent: For marketing communications, optional data collection, and cookie placement - GDPR Article 6(1)(a)
• Legal Obligations: To comply with tax, accounting, and regulatory requirements - GDPR Article 6(1)(c)

3. Information Sharing

3.1 With Other Users

• Students to Instructors: When you book a class, we share your name, email, phone number, and any special requirements with the instructor
• Instructor Profiles: Instructor names, photos, bios, certifications, ratings, and reviews are publicly visible to all users
• Reviews and Ratings: Reviews you post are publicly visible with your first name and profile photo

3.2 With Service Providers

We share data with trusted third-party service providers who assist in operating our platform:

• Clerk: User authentication, identity verification, account management
• Stripe: Payment processing, fraud detection, payout transfers, tax reporting
• Resend: Transactional and marketing email delivery
• Twilio: SMS notifications and two-factor authentication
• Vercel: Cloud hosting, content delivery network (CDN), serverless functions
• Neon: Secure database hosting and management
• Google Analytics: Usage analytics and behavior tracking
• n8n: Workflow automation and integrations

All service providers are contractually obligated to protect your data through Data Processing Agreements (DPAs) and use it only for the specific purposes we authorize. They may not sell or share your data for their own purposes.

3.3 For Legal and Safety Reasons

We may disclose your information when required by law or to:

• Comply with legal processes (subpoenas, court orders, warrants, regulatory inquiries)
• Enforce our Terms of Service and other agreements
• Investigate and prevent fraud, security threats, or illegal activities
• Protect the rights, property, or safety of CCW Hub, our users, or the public
• Respond to law enforcement requests or national security demands

3.4 Business Transfers

If CCW Hub is acquired, merged, reorganized, or sold (in whole or in part), your information may be transferred to the acquiring entity as part of the transaction. We will notify you via email and/or platform notification at least 30 days before this occurs and provide information about your rights under the new ownership.

3.5 Aggregated and Anonymized Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably identify you with:

• Business partners for market research and analytics
• Investors and stakeholders for reporting purposes
• Industry organizations for benchmarking and trend analysis
• Academic researchers for firearms training studies

4. Data Security

We implement industry-standard technical and organizational measures to protect your personal information:

4.1 Technical Safeguards

• Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
• Secure Infrastructure: Hosted on Vercel with enterprise-grade security, DDoS protection, and SOC 2 Type II compliance
• Database Security: Neon Postgres with encryption, automated backups, and point-in-time recovery
• Payment Security: PCI-DSS Level 1 compliant payment processing via Stripe (we never store complete credit card numbers)
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for staff, principle of least privilege
• Authentication: Secure password hashing using bcrypt, OAuth 2.0 integration via Clerk

4.2 Organizational Safeguards

• Employee Training: Regular security awareness training for all staff
• Background Checks: All employees with data access undergo background checks
• Confidentiality Agreements: All staff sign confidentiality and data protection agreements
• Incident Response: 24/7 security monitoring and formal incident response plan
• Vendor Management: Due diligence and security assessments for all third-party providers

4.3 Security Monitoring and Audits

• Real-time threat detection and automated alerts
• Regular security audits and penetration testing
• Vulnerability scanning and patch management
• Annual third-party security assessments
• Compliance with OWASP Top 10 security standards

4.4 Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

• Notify affected users via email within 72 hours of discovery (as required by GDPR)
• Provide details about the breach, data affected, and steps we're taking
• Offer guidance on protecting yourself (e.g., password reset, credit monitoring)
• Report the breach to relevant authorities as required by law
• Conduct a thorough investigation and implement corrective measures

4.5 Limitations

While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and should use a strong, unique password.

5. Your Rights

5.1 Rights for All Users

• Access: Request a copy of the personal data we hold about you
• Correction: Update or correct inaccurate or incomplete information in your account settings
• Deletion: Request deletion of your account and associated data (subject to legal retention requirements)
• Opt-Out of Marketing: Unsubscribe from promotional emails by clicking "Unsubscribe" in any marketing email
• Cookie Control: Manage cookie preferences through your browser settings

5.2 GDPR Rights (EEA Users)

If you are in the European Economic Area, you have additional rights under GDPR:

• Right to Access (Article 15): Obtain confirmation of processing and a copy of your data in a commonly used format
• Right to Rectification (Article 16): Correct inaccurate or incomplete data
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten") when no longer necessary or consent is withdrawn
• Right to Restriction (Article 18): Request limited processing of your data in certain circumstances
• Right to Data Portability (Article 20): Receive your data in a machine-readable format (CSV or JSON) and transfer it to another service
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent (Article 7(3)): Revoke consent at any time for marketing or optional data collection
• Right to Lodge a Complaint (Article 77): File a complaint with your local data protection authority (supervisory authority)

5.3 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to Know (§1798.100): Request disclosure of:
  • Categories and specific pieces of personal information collected
  • Categories of sources from which data was collected
  • Business or commercial purposes for collection
  • Categories of third parties with whom we share data
• Right to Delete (§1798.105): Request deletion of your personal information (subject to exceptions)
• Right to Opt-Out of Sale (§1798.120): We do NOT sell your personal information to third parties
• Right to Non-Discrimination (§1798.125): You will not receive discriminatory treatment for exercising your CCPA rights
• Authorized Agent: You may designate an authorized agent to make requests on your behalf

5.4 How to Exercise Your Rights

To exercise any of these rights:

• Email: privacy@ccwhub.com with subject line "Privacy Rights Request"
• Account Settings: Access, update, or delete certain information directly in your account
• Data Export: Request a data export in machine-readable format (CSV or JSON)

We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA). We may request additional information to verify your identity before processing requests.

5.5 Verification Process

To protect your privacy, we verify your identity before fulfilling requests by:

• Matching your request email to your registered account email
• Requesting additional identifying information (last 4 digits of payment method, account creation date)
• Sending a verification code to your registered phone number or email

6. Cookies and Tracking Technologies

6.1 Types of Cookies We Use

• Essential Cookies (Strictly Necessary): Required for login, authentication, security, and basic functionality. These cannot be disabled without breaking the platform.
  • Session cookies (expire when you close your browser)
  • Authentication tokens (from Clerk)
  • CSRF protection tokens
• Performance Cookies (Analytics): Track usage patterns, page views, and performance metrics to improve the platform.
  • Google Analytics (_ga, _gid, _gat)
  • Vercel Analytics (anonymous)
• Functional Cookies (Preferences): Remember your preferences and settings.
  • Language preference
  • Location/region settings
  • UI customization preferences
• Marketing Cookies (Advertising): Deliver personalized ads and track campaign effectiveness. You can opt out of these cookies.
  • Google Ads conversion tracking
  • Facebook Pixel (if applicable)
  • Retargeting pixels

6.2 Managing Cookies

You can control cookies through:

• Browser Settings: Most browsers allow you to block or delete cookies. Consult your browser's help documentation for instructions.
• Cookie Consent Manager: Use our cookie preference center to customize which non-essential cookies you allow
• Opt-Out Tools:
  • Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
  • Network Advertising Initiative: https://optout.networkadvertising.org/
  • Digital Advertising Alliance: https://optout.aboutads.info/

Note: Disabling essential cookies may prevent you from using certain platform features (e.g., you may not be able to log in or book classes).

6.3 Do Not Track

Some browsers support "Do Not Track" (DNT) signals. Currently, there is no industry consensus on how to respond to DNT. We do not currently respond to DNT signals but may do so in the future as standards emerge.

7. Third-Party Services

7.1 Services We Use

• Clerk (Authentication): User authentication and account management. Privacy Policy
• Stripe (Payments): Payment processing, fraud detection, payouts. Privacy Policy
• Resend (Email): Transactional and marketing email delivery. Privacy Policy
• Twilio (SMS): SMS notifications and two-factor authentication. Privacy Policy
• Vercel (Hosting): Cloud hosting and infrastructure. Privacy Policy
• Neon (Database): Postgres database hosting. Privacy Policy
• Google Analytics: Usage analytics. Privacy Policy

7.2 Third-Party Links

Our platform may contain links to third-party websites (e.g., instructor personal websites, social media, external resources). We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies before providing any personal information.

7.3 Social Media Plugins

We may use social media plugins (Facebook Like, Twitter Share, etc.). These plugins may collect information about your visit, even if you don't interact with them. Refer to the respective social media platform's privacy policy for details.

8. Data Retention

We retain your data only as long as necessary to fulfill the purposes outlined in this policy:

8.1 Active Accounts

• Account Data: Retained while your account is active and for 90 days after account closure (to allow reactivation)
• Profile Information: Retained while account is active
• Booking History: Retained for 7 years after class date for tax and legal compliance

8.2 Deleted Accounts

• Personal Data: Deleted within 90 days of account deletion (except where legal retention applies)
• Payment Data: Retained by Stripe for 7 years for tax, accounting, and fraud prevention
• Communications: Support tickets and messages retained for 2 years for quality assurance
• Legal Records: Records related to disputes, investigations, or legal proceedings retained until resolution + 7 years

8.3 Specific Data Types

• Tax Records (1099 Forms): 7 years (IRS requirement)
• Transaction Records: 7 years (accounting and audit requirements)
• Security Logs: 1 year (incident response and forensics)
• Analytics Data: Aggregated, anonymized data may be retained indefinitely
• Marketing Data: Deleted immediately upon opt-out or account deletion

8.4 Backup Retention

Data may persist in backups for up to 90 days after deletion. Backups are encrypted and access-controlled. Data in backups is not actively used and will be permanently deleted when backups expire.

9. Children's Privacy

CCW Hub is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from minors. If you are under 18, you may not create an account or use our services.

If we become aware that we have inadvertently collected personal information from a child under 18, we will:

• Delete the information as quickly as possible
• Terminate the account
• Not use or disclose the information for any purpose
• Notify the parent/guardian if contact information is available

If you believe we have collected information from a minor, please contact us immediately at privacy@ccwhub.com.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will notify you by:

• Sending an email to your registered email address at least 30 days before changes take effect
• Displaying a prominent notice on the Platform
• Updating the "Last Updated" date at the top of this policy
• Requiring you to review and accept the updated policy upon next login (for significant changes)

Your continued use of the Platform after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Platform and may delete your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

11. Contact Information

For questions, concerns, or requests regarding this Privacy Policy, your data, or to exercise your privacy rights, please contact us: