1. Who we are
The Colorado Federal Firearms Licensees Association (“CFFLA,” “we,” “us”) is a Colorado trade association for federal firearms licensees. We operate cffla.org, including the public tools (the gun-law search, GunLawBot, the FFL member map, and our news and litigation pages) and the members-only Trade Portal. The platform technology is built and operated with Umbrella. Questions about this policy: info@cffla.org.
2. Two kinds of users, two kinds of data
This site serves two populations, and we treat their data differently:
- Public users — visitors using the free tools, GunLawBot users, supporters, and donors.
- Industry members — FFL dealers and industry members using the Trade Portal compliance suite.
Member compliance data is the member’s own business information. It is kept in its own access-controlled storage, is not used to profile members, and is not part of any public or civic-facing dataset.
3. What we collect
Visitors (no account):
- Anonymous product analytics — page views and feature-usage events with no name, email, or account identity attached. Our analytics do not use tracking cookies and do not record what you type into the law search or chat.
- Operational server logs — technical events needed to run and secure the service. Where a connection address appears in analytics events, it is stored as a salted hash, not a raw IP address.
- Bot-protection signals — our sign-in and sign-up forms use Cloudflare Turnstile, which processes connection data to distinguish humans from bots.
GunLawBot users:
- Your email address (GunLawBot accounts are email-only), session identifiers, and your chat conversations (stored so your conversation history works).
- Subscription and payment status, processed by Stripe (see §5).
Industry members (Trade Portal):
- Account and profile information — name, email, phone, business name, FFL number and type, business address, and the Colorado legislative districts derived from that address.
- Compliance-chat conversations with the member AI tools.
- Form-generator data — the information you enter to fill official forms is personally identifying by nature and is stored in private, access-controlled storage. Generated documents are never publicly accessible.
- Billing status and history, processed by Stripe.
- Support tickets, feedback, and bug reports you submit.
Donors:
- Donation amount, optional name and email for your receipt, and the fund designation you choose (general support or the litigation fund). Payment is processed by Stripe — card numbers never touch our systems.
4. How we use data — and the access rule
We use the data above to operate the service, provide the features you use, keep the service secure, support you, and improve the product. The standing access rule:
Development-team members may access platform data to operate, support, and improve the system. Data is never sold or released in any individual capacity. Aggregate information may be published at the discretion of the Board.
Access is purpose-bounded: we look at data to fix, build, secure, and support — not to browse. Published aggregates are subject to minimum group sizes so no individual member or user can be re-identified from a statistic.
5. Service providers
We use established providers to run the service. Each receives only what its function requires:
- Supabase — database, account authentication, and generating account emails (sign-in links, password resets).
- Resend — email delivery: account emails generated by our authentication system are delivered through Resend.
- Stripe — all payments (dues, subscriptions, donations). We never store card numbers.
- Anthropic and xAI — AI processing: your chat questions and the legal-source excerpts needed to answer them are processed by these providers to generate responses.
- Langfuse — AI-quality monitoring: chat questions and the system’s handling of them are recorded so we can find and fix wrong or unhelpful answers. Like the AI providers above, this means your question text — so keep personal details out of chat (§7).
- Voyage AI — converts legal texts and search queries into search indexes.
- Cloudflare — bot protection on auth forms.
- PostHog — anonymous product analytics (§3).
- Better Stack — operational logging (technical events; connection addresses salted-hashed, never raw).
- Redis Cloud — short-term caching of session and conversation context so chats stay fast.
- Render & Vercel — hosting.
- Geocodio — converts a member’s business address into legislative districts.
6. What we never do
- We never sell your data.
- We never release data about an identifiable individual or business, except as required by law.
- Member compliance data (profiles, form data, compliance conversations) is never used for advertising, public profiling, or any civic-facing dataset.
- Our analytics never capture the text of your legal questions.
7. A note on AI conversations
GunLawBot and the member compliance tools are AI systems. Your questions are processed by the AI providers in §5 to generate answers, and conversations are stored so your history works. Don’t put information in a chat that you wouldn’t want processed this way — the tools need your legal question, not your personal details.
8. Security and retention
Accounts are protected by row-level access controls — you can read your own data, and backend writes happen through controlled service paths. Generated form documents live in private storage reachable only through authenticated, expiring links. Draft forms are retained for roughly 90 days; completed documents are retained for the life of your account. Payment security is handled by Stripe under their PCI compliance.
9. Your rights
You can request access to, export of, correction of, or deletion of your data at any time by emailing info@cffla.org. Deleting your account removes your profile and stored documents, subject to records we must keep for legal, billing, or dispute purposes.
10. Age
This service is not directed to anyone under 18, and we do not knowingly collect data from minors.
11. Changes to this policy
When we change this policy, we’ll post the updated version here with a new effective date. Material changes affecting members will be announced through the portal. As new features launch, this document is updated to describe them before they apply to you.
12. Contact
CFFLA · 12470 York St #41, Eastlake, CO 80614 · info@cffla.org