Draft — pending attorney review.
This version is published in advance of legal review so the platform can be exercised end-to-end. Substantive language may change before final publication. Last revised: 2026-05-25-draft.
Cheerbows.com Privacy Policy
STATUS: BOOTSTRAP DRAFT (2026-05-25) — PENDING ATTORNEY REVIEW
Effective Date: [TBD upon publication]
Last Updated: 2026-05-25
1. About This Policy
This Privacy Policy describes how California Bows, LLC d/b/a Cheerbows.com ("Cheerbows," "we," "us," "our") collects, uses, shares, and protects personal information when you interact with our website cheerbows.com and our platform app.cheerbows.com (the "Platform").
This Privacy Policy works alongside our Terms of Service and, for Bow Maker subscribers, the Bow Maker Subscription Agreement. By using the Platform, you confirm that you have read and understood this Privacy Policy.
If you have questions or want to exercise a privacy right, contact us at privacy@cheerbows.com.
2. Who This Applies To
This policy applies to all visitors and users of the Platform, including:
- Coaches — individuals or organizations sourcing bows for cheer teams
- Bow Makers — approved artisans producing bows on the Platform
- Designers — individuals licensing bow designs through the Platform
- Anonymous visitors — anyone browsing the public catalog or marketing pages without an account
We do not knowingly collect personal information from anyone under the age of 18; see Section 11.
3. Information We Collect
We collect personal information in three ways: information you provide directly, information generated by your use of the Platform, and information from third parties.
3.1 Information you provide
Account information.
- Email address (required to create an account)
- Full name
- Role (coach, bow maker, designer, admin)
- For coaches: Cheer Gym or Athletic Program name (optional)
- For bow makers: business name, location, capacity, bio, portfolio URL, sample bow photographs
- For designers: bio and credentials
Profile + opportunity content.
- Team name, athlete count, opportunity descriptions, team colors, budget hints, notes
- Reference photographs (uniforms, fabric swatches, etc.)
- Shipping addresses (street address, city, state, postal code, country)
- Cheer Gym or Athletic Program affiliation
- Notification email recipients ("Also notify" addresses)
Application data (Bow Maker / Designer applicants).
- Business details, portfolio links, sample images
- Tax / payout information collected by Stripe Connect during onboarding (Cheerbows does not store full SSN, EIN, or bank account numbers — these go directly to Stripe)
Communications.
- Messages you send to hello@cheerbows.com, legal@cheerbows.com, or via the feedback widget on the Platform
- Reviews and ratings you post
3.2 Information generated by your use of the Platform
Order and transaction data.
- Bids you submit and outcomes (win/loss/decline)
- Orders you award or fulfill (amounts, dates, status)
- Payouts you receive
- Subscription status and billing history
Behavioral / device data.
- IP address, user agent string, referrer URL
- UTM source / medium / campaign on first visit (acquisition attribution)
- Page views, click events, time on page (via PostHog analytics)
- Cookies and similar tracking technologies (see Section 7)
Server logs.
- Standard request logs (IP, path, status code, timestamp) via our hosting provider Vercel
3.3 Information from third parties
Authentication.
- When you sign in with Google or another OAuth provider through Clerk, we receive your email, name, and profile photo from that provider
Payment processing.
- Stripe sends us payment status, last 4 digits of card, payment method type, and Stripe customer / subscription / payment intent identifiers. We do not receive full card numbers, CVV, or bank account numbers.
Analytics.
- PostHog records product events you trigger on the Platform. For signed-in users, we send PostHog your Cheerbows user ID (the primary identifier), your email address, and your role (coach / bow maker / designer / admin) as person properties so the analytics views can attribute funnels and cohorts. PostHog also receives standard request metadata (IP address, user agent) as part of the SDK's autocapture. We do not send payment card numbers, bank account numbers, full shipping addresses, or other sensitive data to PostHog.
4. How We Use Personal Information
We use the information described in Section 3 for the following purposes:
| Purpose | Examples | Legal basis (GDPR) |
|---|---|---|
| Provide the Platform | Authenticate you, create accounts, process orders, match bids to opportunities | Performance of contract |
| Process payments | Charge for orders + subscriptions, pay out makers + designers via Stripe Connect | Performance of contract |
| Communicate with you | Transactional emails (bid won/lost, order shipped, review posted), platform notifications | Performance of contract; legitimate interest |
| Support and dispute resolution | Respond to your inquiries, mediate order disputes | Performance of contract; legitimate interest |
| Improve the Platform | Analyze usage patterns via PostHog to find friction; fix bugs | Legitimate interest |
| Security and fraud prevention | Detect suspicious activity, enforce ToS, block abuse | Legitimate interest; legal obligation |
| Marketing (current scope: none) | We currently send no marketing emails. Transactional emails only. | n/a |
| Comply with law | Tax reporting (1099-K for high-volume bow makers via Stripe), respond to lawful requests, DMCA takedown | Legal obligation |
5. How We Share Personal Information
Cheerbows does not sell your personal information. We share personal information only with the following categories of recipients, and only as needed to operate the Platform.
5.1 Sub-processors (service providers)
We engage the following service providers, each of which has agreed to confidentiality and data-protection terms equivalent to those described in this Privacy Policy:
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Clerk | Authentication, user management | Email, name, OAuth tokens, session metadata | clerk.com/privacy |
| Stripe | Payments, Stripe Connect (payouts), Stripe Billing (subscriptions) | Name, email, payment method, payout details, billing address | stripe.com/privacy |
| Resend | Transactional email delivery | Email address, message content | resend.com/legal/privacy-policy |
| PostHog | Product analytics — events, funnels, session diagnostics | User ID, email, role, event properties, IP address, user agent | posthog.com/privacy |
| Cloudflare R2 | Object storage for uploaded files (template files, reference photos, brand logos) | File contents, file names, upload metadata | cloudflare.com/privacypolicy |
| Cloudflare (DNS, CDN) | DNS resolution, CDN caching of public assets | IP, request metadata | cloudflare.com/privacypolicy |
| Neon | Managed Postgres database hosting | All structured platform data (accounts, orders, bids, etc.) | neon.tech/privacy-policy |
| Vercel | Application hosting + edge runtime | Server access logs, function execution | vercel.com/legal/privacy-policy |
| Google Maps Platform | Address autocomplete on shipping address forms | Partial address strings you type into the form | policies.google.com/privacy |
| Google Address Validation API | Verify shipping address deliverability | Full shipping address at submission | policies.google.com/privacy |
5.2 Other Platform users
By design, certain information is visible to other Platform users:
- Coaches see the business name, location, ratings/reviews, bio, sample work, and bid details of Bow Makers who have bid on their opportunities
- Bow Makers see the team name, athlete count, deadline, budget hint, notes, and reference photos posted by Coaches on opportunities they can bid on
- Bow Makers see the Coach's shipping address only after the bid is awarded and Escrow is funded
- Designers see opportunity details for custom and customize-existing design requests they are working on
- Public Bow Maker profiles at `/makers/<id>` display business name, location, bio, ratings, sample work, and a contact CTA
5.3 Business transfers
If Cheerbows is involved in a merger, acquisition, or sale of all or substantially all of its assets, personal information may be transferred to the acquiring entity. We will notify you in advance of any such transfer and give you the opportunity to delete your account before the transfer.
5.4 Legal compliance
We may disclose personal information when required to do so by law (subpoena, court order, government request) or to protect Cheerbows's, our users', or the public's rights, property, or safety.
5.5 Aggregated / de-identified information
We may share aggregated or de-identified information (statistics about marketplace activity that cannot reasonably be tied to any individual) for any purpose.
6. International Data Transfers
Cheerbows is based in the United States. The sub-processors listed in Section 5.1 are based primarily in the United States, with some operating globally. If you are accessing the Platform from outside the United States — including the European Economic Area, the United Kingdom, or Switzerland — your information will be transferred to and processed in the United States.
For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses approved by the European Commission, where applicable
- The sub-processor's own transfer mechanisms (most listed providers are themselves transfer-mechanism-certified)
If you have questions about international transfers, contact privacy@cheerbows.com.
7. Cookies and Similar Technologies
Every cookie Cheerbows sets is essential to operating the platform. We do not use advertising cookies, cross-site-tracking cookies, or third-party marketing pixels, and we do not plan to. Because there are no non-essential cookies, there is nothing to opt out of; the first-visit notice you see is informational only.
The essential cookies we set:
- Clerk session cookies — keep you signed in
- Stripe cookies — fraud prevention on payment forms
- Inviting-maker cookie — when you visit a maker's public profile and click "Post a team order with this maker," we set a 2-hour cookie that attaches your subsequent opportunity post to that maker for a private RFP
- Impersonation cookie (admin only) — supports admin customer-support sessions where an admin views the platform as another user
- Acquisition cookie — first-touch UTM source / medium / campaign attribution; lets us understand which marketing channels send us users (no behavioral tracking, just the entry point)
- Product-analytics cookie (`posthog_distinct_id` and related) — first-party analytics identifier we use to understand how the platform is used so we can fix bugs and improve flows. PostHog receives your Cheerbows user ID, email, role, the events you trigger, and standard request metadata (IP, user agent). It is not used for advertising or cross-site tracking, and PostHog data is not shared with third parties for marketing purposes. See §3.2 and §5.1 for the full data inventory.
- Cookie-notice acknowledgment cookie (`cb_cookie_consent`) — records that you've seen the first-visit notice so we don't re-prompt every page load
Controlling cookies
You can clear or block cookies through your browser settings. Note: disabling essential cookies will break the Platform — you won't be able to sign in, complete payments, or use core flows. Because we don't use non-essential cookies, there is no opt-out distinction to make beyond browser-level controls.
8. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information.
8.1 Rights available to all users
- Access — Request a copy of the personal information we hold about you
- Correction — Request that we correct inaccurate or incomplete information (most can be edited directly via your profile pages)
- Deletion — Request that we delete your account and personal information. We will honor deletion requests subject to legal retention requirements (tax records, completed order history)
- Withdraw consent — Where we rely on consent, withdraw it at any time
To exercise any of these rights, email privacy@cheerbows.com from the email address on your account.
8.2 California residents (CCPA / CPRA)
In addition to the rights above, California residents have:
- Right to know what categories of personal information we have collected about you, the purposes for collecting it, the categories of sources, and the categories of third parties we share it with — all described in this Privacy Policy
- Right to correct inaccurate personal information
- Right to delete personal information (subject to exceptions)
- Right to opt out of sale or sharing of personal information — Cheerbows does not sell or share personal information in the manner the CCPA defines those terms
- Right to limit use of sensitive personal information — Cheerbows does not collect sensitive personal information as defined by CPRA
- Right to non-discrimination for exercising any of the above
To submit a verifiable consumer request, email privacy@cheerbows.com. We will respond within 45 days.
8.3 EEA / UK / Swiss residents (GDPR)
Under the GDPR and similar laws, you have:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability (machine-readable export)
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time
- Right to lodge a complaint with your local supervisory authority
8.4 Other states
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with privacy laws in effect as of 2026 grant similar rights. Cheerbows honors equivalent rights for residents of those states.
9. Data Retention
We retain personal information only as long as needed for the purposes described in this policy, plus any periods required by law:
| Data category | Retention period |
|---|---|
| Account data | While account is active, plus 90 days after deletion request (to handle account recovery + any open disputes) |
| Order + financial records | 7 years (IRS retention requirement for marketplace facilitator records) |
| Communications | 3 years from last interaction |
| Server access logs | 30 days |
| Analytics data (PostHog) | 7 years |
| Template files (R2) | While the licensing Bow Maker's account is active, plus 90 days for downstream order completion |
Upon account deletion, personal information not subject to legal retention is deleted within 30 days from production systems and within 60 days from backups.
10. Data Security
We take commercially reasonable steps to protect personal information from unauthorized access, alteration, disclosure, or destruction. Specific safeguards include:
- HTTPS everywhere with HSTS preload — all traffic is encrypted in transit
- Encryption at rest on database (Neon) and object storage (Cloudflare R2)
- Password hashing handled by Clerk using industry-standard algorithms; Cheerbows never sees raw passwords
- Two-factor authentication available on all accounts via Clerk
- Webhook signature verification on all Stripe and other third-party webhooks
- Principle of least privilege for internal admin access; admin actions logged
- Stripe-handled PCI compliance for payment card data
No system is perfectly secure. If we become aware of a breach of your personal information, we will notify you and applicable regulators as required by law.
11. Children's Privacy
The Platform is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18 without the consent of a parent or legal guardian. If you believe a child has provided personal information to us, please contact privacy@cheerbows.com and we will delete it.
Under the Children's Online Privacy Protection Act (COPPA), if you are under 13, we do not knowingly collect any personal information from you, full stop. Cheerbows is not directed to children and is unsuitable for children under 13.
12. Do Not Track and Global Privacy Control
We honor the Global Privacy Control (GPC) browser signal where required by law (currently California). When we detect a GPC signal, we treat it as a request to opt out of "sale" or "sharing" of personal information, even though Cheerbows does not sell or share in the CCPA sense in the first place.
Most browsers also support a "Do Not Track" header. The W3C never finalized a "Do Not Track" specification, and there is no industry consensus on how to honor it. We do not respond to "Do Not Track" headers specifically; we honor the more recent and well-specified GPC signal instead.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be:
- Announced via email to active account holders 30 days before taking effect
- Posted on the Platform with the updated "Last Updated" date
- Logged in the change history at the bottom of this document
Continued use of the Platform after the effective date of a material change constitutes acceptance of the updated policy.
14. Contact Us
For privacy questions, complaints, or to exercise any of the rights described in this policy:
California Bows, LLC d/b/a Cheerbows.com
[Mailing address TBD]
privacy@cheerbows.com
For general support: hello@cheerbows.com
For legal notices: legal@cheerbows.com
Privacy Policy · version 2026-05-25-draft