Privacy Policy
Last updated: June 2026
This Privacy Policy explains how CoachPulse processes personal data when you use our website (coachpulse.pro), public trainer pages, and the CoachPulse mobile applications for trainers and clients (together, the "Service"). It describes what data we collect, why we process it, the legal bases we rely on under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the sub-processors involved, your rights, and how to contact us. The controller of your personal data is APPSTERRA LLC ("CoachPulse", "we", "us"), registered at 238 kab. 69, vul. Zelena, Lviv 79028, Ukraine. We have not appointed a Data Protection Officer. For any data-protection question contact privacy@coachpulse.pro. APPSTERRA LLC is established in Ukraine. Where we offer the Service to residents of the EU/EEA, we will designate a representative under Article 27 GDPR; until then, EU/EEA residents may contact us at privacy@coachpulse.pro.
What data we collect
We collect the following categories of personal data, depending on how you use the Service. Account and identity data: name, email address, phone number (optional), date of birth (optional), profile photo, password hash, authentication tokens, device identifiers, locale, and time zone. Trainer profile data: bio, certifications, languages, training specialties, pricing, schedule, workplace addresses (which we geocode to coordinates so clients can find nearby trainers), and public profile slug. Client–trainer relationship data: invitation codes, the link between a client account and their assigned trainer, and the date the relationship was established. Workout and training data: workouts assigned and performed, sets, repetitions, weight lifted, rate of perceived exertion (RPE), one-rep-max (1RM) estimates, personal records, workout duration, and workout history. Nutrition data: meal logs, food entries, macronutrient and calorie totals, and dietary preferences. Communication data: chat messages exchanged between trainer and client, attachments, voice notes (where used), and read/delivery timestamps. Trainer-authored notes: private notes a trainer keeps about a client (training plans, observations, follow-ups). Progress media: photos and videos a client or trainer uploads to document progress, technique, or form. Scheduling data: session bookings, calendars, reminders, and time zones. Payment and billing data: subscription status, transaction identifiers, and country of purchase. We never see or store full payment card numbers — those are handled by Apple Inc. and Google LLC through their in-app billing systems. Push-notification tokens: device tokens issued by Apple Push Notification service (APNs) and Google Firebase Cloud Messaging (FCM) so we can deliver messages, schedule reminders, and security notices to your device. 
Technical and usage data: a one-way hashed form of your IP address, browser and operating system version, app version, crash reports, performance telemetry, language, referring URL, access-audit logs of sensitive operations (sign-in, account changes, exports, deletions), and cookies (see "Cookies and technical data" below). Inquiry and booking data: messages and booking requests submitted through trainer landing pages or contact forms on coachpulse.pro.
Health and wellness data (special-category data)
Some data the Service processes is "special-category data" under Article 9 of the GDPR because it concerns your health. We collect and process this data only with your explicit consent (GDPR Art. 9(2)(a)), given when you first enable the relevant feature, and you may withdraw consent at any time from the Settings screen or by writing to privacy@coachpulse.pro. The following categories are treated as health data: injuries — body parts affected, movement restrictions, start and end dates, severity, and recovery notes; wellness check-ins — self-reported mood, sleep hours, fatigue level, soreness intensity and affected body areas, and post-workout RPE; the AI-generated summary of your check-ins, which is derived from your inputs and presented to you and (where you have a trainer) to your trainer; body measurements — body weight, body-fat percentage, body-part circumferences, BMI, and any other physical measurements you choose to log. Withdrawing consent stops future processing of the affected category. Data already processed remains lawful up to the moment of withdrawal. After withdrawal you can also request deletion of the underlying records.
How we use your data and our legal bases
We process your data for the purposes set out below, each with its GDPR legal basis. To provide the Service (Art. 6(1)(b), performance of a contract): create and maintain your account; deliver workout, nutrition, messaging, scheduling, and progress-tracking features; sync data across your devices; process payments and subscriptions; provide customer support. To process health-related features (Art. 9(2)(a), explicit consent): record injuries, wellness check-ins, the AI-generated check-in summary, and body measurements; deliver these inputs to the trainer you are working with so they can adapt your program. To operate AI coaching assistance (Art. 6(1)(b) and Art. 9(2)(a) where health data is involved): generate program suggestions, summaries, and explanations using the AI sub-processors named below. To moderate user-generated content and keep the Service secure and prevent abuse (Art. 6(1)(f), legitimate interest in safeguarding the platform and our users): review reports submitted via the "Report" function on public profiles, detect fraud, abuse, spam, brute-force attempts, and policy violations, and investigate reports made under our Terms of Service. To comply with legal obligations (Art. 6(1)(c)): retain records required by tax, accounting, consumer-protection, and law-enforcement obligations applicable to us. To communicate service messages (Art. 6(1)(b)): transactional emails such as account confirmation, password reset, billing receipts, security alerts, and important changes to this policy or our Terms. To improve the Service (Art. 6(1)(f), legitimate interest in product quality): analyse aggregated and de-identified usage patterns; review crash reports. We do not use your personal data for marketing without your prior opt-in consent (Art. 6(1)(a)).
Summary of legal bases
For ease of reference, the legal bases on which we rely are: performance of a contract with you (GDPR Art. 6(1)(b)) — to create and operate your account and deliver the Service; explicit consent (GDPR Art. 6(1)(a) and Art. 9(2)(a)) — for health-data features, for AI features that process health data, for voice transcription, and for marketing communications; compliance with a legal obligation (GDPR Art. 6(1)(c)) — for tax, accounting, and law-enforcement obligations; legitimate interest (GDPR Art. 6(1)(f)) — for fraud prevention, abuse detection, user-content moderation, security, and aggregated product analytics. Where we rely on legitimate interest, we have weighed our interest against your rights and freedoms; you can request details of that assessment from privacy@coachpulse.pro.
AI processing and named AI sub-processors
The Service uses large language models from third-party providers to generate coaching assistance, training recommendations, check-in summaries, and program explanations. The AI providers act as our sub-processors under written data-processing agreements that include the Standard Contractual Clauses (and, where applicable, adequacy decisions such as the EU-US Data Privacy Framework). We share with these providers only the data necessary to fulfil the specific request: injuries (affected body parts, restrictions), training goals and level, wellness check-in vitals (mood, sleep, fatigue, soreness, RPE), body measurements, recent training performance, the free-text content of trainer messages or client questions submitted to AI features, and the user's first name. We do not send email addresses, surnames, or internal user identifiers. We do not sell your data to AI providers and we do not allow them to use your data to train their public models. The AI sub-processors we currently rely on are: Anthropic PBC (Claude, primary provider) — United States — safeguarded by Standard Contractual Clauses and the EU-US Data Privacy Framework; OpenAI L.L.C. (GPT family, fallback only) — United States — safeguarded by Standard Contractual Clauses; Google LLC (Gemini family, fallback only) — United States and other Google regions — safeguarded by Standard Contractual Clauses and the EU-US Data Privacy Framework; Deepgram Inc. (speech-to-text for voice notes, processed using ephemeral 60-second access keys with no persistent retention) — United States — safeguarded by Standard Contractual Clauses. If we add, remove, or change an AI sub-processor we will update this list before the change takes effect. Our use of AI is decision-support: it produces suggestions for you and your trainer to review — see "Automated decision-making" below.
Operational sub-processors
Beyond the AI providers named above, we rely on the following operational sub-processors to deliver the Service. Each acts under a written data-processing agreement and only on our documented instructions. Neon Inc. — managed PostgreSQL hosting for the core application database (all account, profile, training, scheduling, and health-related records); processing location: European Union; safeguarded by EU storage and Standard Contractual Clauses for any administrative access from outside the EEA. Railway Corp. — hosting of the backend API and scheduled background jobs (account-deletion sweep, retention sweeps, reminder dispatch); processing location: United States; safeguarded by Standard Contractual Clauses. Vercel Inc. — hosting of the public website coachpulse.pro and public trainer pages; processing locations: global edge network with primary regions in the United States and the European Union; safeguarded by Standard Contractual Clauses. Cloudflare Inc. — object storage (R2) for profile photos, progress media, exports, and message attachments; processing locations: global edge network with EU storage where available; safeguarded by Standard Contractual Clauses. Google LLC — Firebase Authentication (account sign-in and session tokens) and Firebase Cloud Messaging (push-notification delivery to Android and iOS devices); processing location: United States and other Google regions; safeguarded by Standard Contractual Clauses and the EU-US Data Privacy Framework. Google LLC — Google Play Billing (Android in-app purchases); processing location: United States; safeguarded as above. Apple Inc. — App Store distribution, StoreKit in-app purchases, Sign-in with Apple, and Apple Push Notification service (APNs); processing location: United States and other Apple regions; safeguarded by Standard Contractual Clauses and the EU-US Data Privacy Framework. Hostinger International Ltd. — transactional email delivery via SMTP (account confirmation, password reset, booking notifications, billing receipts, security notices); processing location: European Union (Lithuania). OpenStreetMap Foundation / Nominatim — one-time geocoding of trainer-typed workplace addresses to latitude/longitude so clients can find nearby trainers; processing location: United Kingdom and global mirrors; we never send client data, health data, or user identifiers to this service. We will update this list before any new sub-processor begins processing your data. A current list is available on request to privacy@coachpulse.pro.
International data transfers
Some of our sub-processors are located outside the European Economic Area (EEA), in particular in the United States and the United Kingdom; APPSTERRA LLC itself is established in Ukraine. When we transfer personal data outside the EEA we rely on one or more of the safeguards permitted under Chapter V of the GDPR, principally: the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) under Article 46(2)(c) GDPR; and, where the recipient is a US organisation that self-certifies under the EU-US Data Privacy Framework adopted by Commission Implementing Decision (EU) 2023/1795, an adequacy decision under Article 45 GDPR. Ukraine is not currently the subject of an EU Commission adequacy decision, so transfers from the EEA to APPSTERRA LLC in Ukraine are made under the Standard Contractual Clauses. The full list of sub-processors and their transfer mechanisms is available on request to privacy@coachpulse.pro. You can request a copy of the Standard Contractual Clauses we use by writing to the same address.
Automated decision-making
We do not make any decision producing legal effects concerning you, or similarly significantly affecting you, based solely on automated processing within the meaning of Article 22 of the GDPR. AI features in the Service generate suggestions, summaries, and explanations — for example, recommended training adjustments based on a check-in or a draft message a trainer can review. Final decisions are made by you and, where applicable, by your trainer. No access decision, account-suspension decision, or paid-feature decision is made by AI alone; each is reviewed by a human at CoachPulse before it takes effect.
How long we keep your data
We keep personal data only for as long as needed for the purposes set out above. Account data — for the lifetime of your account, plus up to 30 days after a deletion request, while our scheduled erasure job removes your data from active systems. Workout, nutrition, scheduling, and progress-tracking data — for the lifetime of your account; you can delete individual entries at any time from the app. Health data (injuries, wellness check-ins, AI-generated check-in summary, body measurements) — for the lifetime of your account, or until you withdraw consent, whichever is earlier; you can delete individual records at any time. Chat messages and attachments — for the lifetime of the trainer–client relationship; either party can delete their messages from their own view at any time. Trainer-authored notes about clients — for the lifetime of the trainer–client relationship, or until the trainer deletes them; clients can request access to and deletion of notes about them under "Your rights" below. Payment and billing data — up to 10 years where required by applicable accounting, tax, or consumer-protection law (Art. 6(1)(c)). Trainer-inquiry and booking data — once a trainer marks an inquiry as accepted or archived, we keep it for up to 12 months from that point; inquiries that have not been actioned remain visible to the trainer until they are. Server error logs — up to 90 days. Access-audit logs (records of sensitive operations such as sign-in, exports, and deletions) — up to 12 months. Background-job run history (for example the daily account-deletion sweep) — up to 90 days. Backups containing personal data — retained for a limited rolling window and then overwritten; deletions made in active systems propagate into the backup rotation. We may keep limited data longer where strictly necessary to comply with a legal obligation, defend a legal claim, or enforce our Terms.
Your rights
You have the following rights in relation to your personal data under the GDPR. Access (Art. 15) — request a copy of the personal data we process about you and information about how we process it. Rectification (Art. 16) — ask us to correct inaccurate or incomplete data. Erasure (Art. 17) — ask us to delete your data; see "Account erasure and data export" below. Restriction (Art. 18) — ask us to limit how we use your data while a request is being resolved. Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format (we provide JSON exports), or have it transmitted to another controller where technically feasible. Object (Art. 21) — object to processing carried out on the basis of legitimate interest. Withdraw consent (Art. 7(3)) — withdraw any consent you have given (for example, for AI features or health-data processing) at any time, without affecting the lawfulness of processing carried out before withdrawal. Not to be subject to a decision based solely on automated processing (Art. 22) — see "Automated decision-making" above. To exercise any of these rights, use the in-app controls described in the next section, or write to privacy@coachpulse.pro from the email address associated with your account. We respond within 30 calendar days of receipt; where a request is complex or we receive many requests, we may extend this period by up to two further months and will inform you. There is no fee unless your request is manifestly unfounded or excessive.
Account erasure and data export
You can delete your account directly from the app at any time. Open Settings, then Account, then Delete Account, and confirm. Your account enters a 30-day soft-delete grace period during which you can cancel the deletion by signing back in; after the grace period our scheduled erasure job hard-deletes or irreversibly anonymises your data across the production database and our object storage (Cloudflare R2). Reviews and case studies that you have published on trainer pages remain visible in anonymised form (your name and identifiers are removed); any unpublished records are hard-deleted. Your Firebase Authentication user is deleted at the end of the grace period. If you signed in with Apple, we revoke your Apple refresh token through Apple's /auth/revoke endpoint as required by App Store Review Guideline 5.1.1(v), so your Apple ID no longer grants access to the Service. You can also request deletion by writing to privacy@coachpulse.pro from the email address associated with your account. To export your personal data, open Settings, then Account, then Export Data; we deliver a JSON export within 30 days via a short-lived secure download link.
How we secure your data
We apply industry-standard technical and organisational measures to protect your personal data. All traffic between your device and our servers, and between our servers and our sub-processors, is encrypted in transit using TLS 1.2 or higher. Personal data at rest is encrypted by our database provider (Neon), our object-storage provider (Cloudflare R2), and our identity provider (Google Firebase). We do not handle account passwords directly — authentication is delegated to Firebase Authentication, which stores password hashes under industry-standard schemes. Each request to our backend API is authenticated with a short-lived Firebase ID token and authorised under a strict role separation between trainers and clients, so a trainer cannot access another trainer's data and a client cannot access another client's data. Sensitive operations (sign-in, account changes, exports, deletions) are written to an access-audit log. We apply per-IP and per-account rate limiting, hash IP addresses before storage, and operate an in-app and on-web "Report" function with user-blocking to deter and respond to abuse. Production secrets are held in a managed secret store; the application fails to start if any required secret is missing. Webhooks from Apple (App Store Server Notifications v2) and Google (Real-Time Developer Notifications) are verified cryptographically before any account is changed.
Children
The Service is not directed to children. We do not knowingly collect personal data from a person under the age of 16. If you are under 16, do not use the Service or provide any personal data to us. If you believe a child has provided us with personal data, write to privacy@coachpulse.pro and we will delete the data without undue delay. We rely on Apple's App Store and Google Play age-rating mechanisms to limit distribution; trainers using the Service to coach minor clients must obtain parental or guardian consent under the law applicable to the minor and may not enrol minors into the Service without that consent.
Cookies and technical data
The coachpulse.pro website uses only strictly necessary cookies. We set a first-party hosting session cookie used by our deployment platform, a first-party NEXT_LOCALE cookie that remembers your preferred language for up to one year, and a CSRF-protection cookie when forms are submitted. We do not set advertising cookies, we do not use cross-site tracking, and we do not share data with advertising networks. We do not currently use any third-party analytics on coachpulse.pro; if we add a privacy-respecting analytics tool in the future, we will update this policy and, where required, obtain your consent first. The mobile applications do not use third-party advertising SDKs.
Right to lodge a complaint
If you believe our processing of your personal data infringes the GDPR or applicable data-protection law, you have the right to lodge a complaint with a supervisory authority — in particular, in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. For users in Ukraine, the competent authority is the Ukrainian Parliament Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини), vul. Instytutska 21/8, 01008 Kyiv, Ukraine — hotline@ombudsman.gov.ua. For users in Poland, the competent authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, "UODO"), Stawki 2, 00-193 Warsaw, Poland — kancelaria@uodo.gov.pl. A directory of EU/EEA supervisory authorities is published by the European Data Protection Board at edpb.europa.eu. We would appreciate the chance to address your concern first; please contact us at privacy@coachpulse.pro before lodging a complaint.
EU representative
APPSTERRA LLC is established in Ukraine. Where we offer the Service to residents of the European Union or the European Economic Area, we will designate a representative under Article 27 GDPR and update this policy with the representative's details. Until then, EU/EEA residents may contact us directly at privacy@coachpulse.pro for any data-protection matter.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our sub-processors. When we make a material change we will notify you in advance — by email to the address associated with your account, by in-app notice, and by a prominent notice on coachpulse.pro — and we will update the "Last updated" date at the top of this policy. The version in force at any time is the one published at coachpulse.pro and accessible from within the apps.
Contact
Controller: APPSTERRA LLC, 238 kab. 69, vul. Zelena, Lviv 79028, Ukraine. Privacy and data-protection questions, including requests to exercise your rights: privacy@coachpulse.pro. General contact: hello@coachpulse.pro. Reports of abuse or Terms of Service violations: legal@coachpulse.pro. We have not appointed a Data Protection Officer; for data-protection questions please contact privacy@coachpulse.pro. Our Article 27 GDPR representative for the EU/EEA has not yet been designated.
