Privacy Policy

Creative Services Bound LLC, registered in the State of Delaware, United States. Our registered office is 1209 Orange Street, Suite 4B, Wilmington, DE 19801, United States.

For privacy-related questions, contact our Data Protection contact at privacy@creativeservicesbound.com. For sales-related questions, contact hello@creativeservicesbound.com.

We collect data in three ways: information you provide directly, information generated when you use the Service, and information obtained from third parties for verification or fraud prevention. The categories below match the taxonomy used in the Google Play Data Safety form.

Personal information

• Name, work email address, phone number.
• Company name, role, and business address.
• Country of operation and shipping destinations.
• Buyer-account identifier (a User ID we assign to your account, separate from any government identifier).

Financial information

• Purchase history (RFQs, quotes, orders, invoices). We do not directly handle or store full payment-card numbers. Card payments, where supported, are tokenized and processed by our PCI-DSS compliant payment processor.
• Banking details (where you elect to settle by wire, ACH, SEPA or letter of credit), held by our payment processor and used only to reconcile invoices.
• Tax registration numbers, EORI / IOR, and trade-compliance attestations you provide.

App activity

• In-app interactions (screens visited, searches, RFQ drafts, shipment tracking views).
• In-app search history within the catalog.
• User-generated content you choose to submit (notes on RFQs, internal comments, files).

App info and performance

• Crash logs and diagnostics (anonymized stack traces, exception messages).
• Performance traces (load times, network errors).

Device or other identifiers

• Android Advertising ID (only as required by analytics SDKs, not used for advertising personalization), Firebase installation ID, IP address, device model, operating system version, language and timezone.

Location

• Approximate location, derived from IP address, for fraud screening, trade-compliance screening (export controls), and to route your enquiry to the correct hub.
• We do not collect precise location (GPS) from the buyer mobile app.

Files and documents

• Documents you upload to an RFQ (BOMs, drawings, parts lists). Stored securely and only accessible by the trade desk assigned to your account.

Categories we do not collect

• We do not collect health or fitness data.
• We do not access your contacts, calendar, photos, or videos.
• We do not collect web browsing history outside of our own properties.
• We do not collect SMS, MMS, or messages from other apps on your device.
• We do not collect race, ethnicity, political beliefs, religious beliefs, sexual orientation, or biometric identifiers.

• To create and operate your buyer account.
• To process your RFQs, generate quotes, deliver orders, and provide trade-compliance documentation.
• To handle international shipping, customs paperwork, and broker relationships.
• To detect and prevent fraud, sanctions-list violations, and dual-use export breaches under ITAR, EAR, EU dual-use regulations and UK SPIRE.
• To send transactional service messages: quote replies, shipment alerts, invoices.
• To improve our products through aggregated, de-identified analytics.
• To meet our legal, regulatory, accounting and audit obligations.
• To send marketing emails about our services only if you opt in. You can withdraw consent at any time via the unsubscribe link in any marketing email.

• Performance of a contract: to operate your account, process orders, and ship goods.
• Legal obligation: to meet trade compliance, tax, and accounting law.
• Legitimate interests: fraud prevention, security, and operating our business safely.
• Consent: marketing communications, optional cookies on the website.

We do not sell your personal information. We share it only as needed to operate the Service, with the following categories of recipients, all bound by written data-processing agreements:

• Payment processor: to settle invoices and tokenize card details. Stripe, Inc. (United States).
• Cloud and infrastructure providers: Supabase, Inc. (database and storage), Vercel, Inc. (web hosting), Amazon Web Services (storage and email transit).
• Email provider: Resend, Inc. (United States) for transactional and marketing email.
• Analytics: Google Firebase Analytics (Google LLC) for crash reporting and aggregated usage analytics. We do not use Firebase for advertising.
• Trade compliance and customs partners: licensed customs brokers and trade compliance vetting services in the destination country, on a strict need-to-know basis.
• Logistics carriers: licensed bonded carriers and freight forwarders, only the data needed to deliver the consignment (consignee name, address, contact phone).
• Authorities: when required by law, court order, or to comply with sanctions and dual-use export controls.
• Successors: in the event of a merger, acquisition, or sale of assets, with notice to you in advance.

Where data is transferred outside the EEA, the UK or your country, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.

• AES-256 encryption at rest for sensitive fields.
• TLS 1.3 in transit, certificate pinning on the mobile app.
• Row-level security on our databases. A leaked token cannot read another buyer's data.
• Multi-factor authentication available on every account, required for admin roles.
• Annual third-party penetration testing.
• Detection and response operated by our security team, with notification of any qualifying data incident within 72 hours where required by law.

We keep your data only as long as we need to:

• Account and order records: for as long as your account is active, plus seven years afterwards to meet US, UK and EU tax, customs, and trade-compliance retention rules.
• Payment records: seven years from the date of the relevant invoice.
• App diagnostic data and crash logs: 90 days, then permanently deleted or fully anonymized.
• Marketing consent records: until you withdraw consent, plus three years for legal defense.

Depending on where you live (GDPR, UK GDPR, CCPA / CPRA, and similar laws), you may have the right to:

• Access the personal data we hold about you.
• Ask us to correct inaccurate or incomplete data.
• Ask us to delete your data, subject to legal obligations to retain certain records (see Section 7).
• Restrict or object to our processing.
• Receive your data in a portable format.
• Withdraw any consent you previously gave.
• Lodge a complaint with a supervisory authority (in the EEA: your national Data Protection Authority, in the UK: the Information Commissioner's Office, in California: the California Privacy Protection Agency).

To exercise any of these rights, email privacy@creativeservicesbound.com. We respond within 30 days, or sooner where required by law.

You can request deletion of your buyer account and the personal data associated with it at any time. Two ways:

• In-app: open the Creative Services Bound buyer mobile app, go to Settings → Account → Delete account, and confirm. The request is logged immediately.
• By email: send a deletion request from the email address registered to your account to privacy@creativeservicesbound.com with the subject "Account deletion request".

Deletion happens within 30 days of the request, except for records we are legally required to retain (invoices, customs declarations, sanctions screening logs). Those records are kept for the minimum period set out in Section 7 and then permanently deleted.

A web-accessible deletion request page is also available at creativeservicesbound.com/contact (under "Privacy or data deletion" in the subject field).

The Service is intended for business buyers and is not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe a child has given us data, contact us and we will delete it.

The website uses functional cookies to remember your theme preference. We do not run advertising cookies. Where required by law, the website asks for your consent before any non-essential cookie is set.

The mobile app uses local storage equivalents (SharedPreferences on Android) to keep you logged in and remember your preferences. These are not cookies but are governed by the same principles.

The buyer mobile app and the buyer portal do not display third-party advertising. Your data is not used to build advertising profiles.

We will post material changes here and notify you in the app and by email. The effective date at the top reflects the most recent revision. Continued use of the Service after a change means you accept the revised policy.

Privacy questions, data subject requests, or complaints: privacy@creativeservicesbound.com.

Postal address: Creative Services Bound LLC, 1209 Orange Street, Suite 4B, Wilmington, DE 19801, United States.