CoachPulse
Privacy Policy
Contents
1. Who we are
CoachPulse is a fitness coaching platform that helps independent personal trainers manage their clients, build training plans, and track progress. This Privacy Policy explains how we collect, use, store, and protect your personal data.
Data Controller: Vadym Yeremenko, sole proprietor, operating CoachPulse.
Contact for privacy matters: privacy@coachpulse.pro
Domain: coachpulse.pro
We act as the data controller for personal data of trainers, clients, and visitors who use CoachPulse. Where trainers process their clients' data using our platform, the trainer acts as a separate data controller for that data, and CoachPulse acts as a data processor.
2. Data we collect
2.1 Account data
| Category | Examples | Source |
|---|---|---|
| Identity | Email address, first/last name, profile photo | You provide it at sign-up |
| Authentication | Password (hashed), Apple/Google sign-in identifier | You provide it; managed via Firebase Authentication |
| Locale | Preferred language (uk, en, ru, es) | App settings or device default |
| Device tokens | Push notification tokens (FCM/APNs) | Generated by your device |
2.2 Coaching data (clients)
| Category | Examples | Sensitivity |
|---|---|---|
| Workouts | Exercise plans, sets, reps, weights, completion status | Standard |
| Body measurements | Weight, height, body fat % | Health data (Art. 9 GDPR) |
| Check-ins | Mood, sleep hours, fatigue, soreness, RPE | Health data (Art. 9 GDPR) |
| Injuries | Free-text injury descriptions, affected joints, severity | Health data (Art. 9 GDPR) |
| Goals & notes | Training goals, trainer notes, client notes | Standard |
| Photos & media | Progress photos, exercise videos uploaded by trainer | Standard (may include health data) |
2.3 Communication data
| Category | Examples |
|---|---|
| Chat messages | Trainer ↔ client messages within the app |
| Voice notes | Audio messages and dictation, transcribed via Deepgram |
| Session requests | Booking requests, scheduled times |
2.4 Technical data
| Category | Examples |
|---|---|
| Logs | Request logs (IP, timestamp, endpoint, status code) — retained 30 days |
| Audit logs | Trainer access events to client data — retained 1 year for GDPR accountability (Art. 5(2)) |
| Cookies | See Cookie Policy |
| Crash data | Anonymized error reports (no personal data) |
3. Why we process your data
We only process your personal data when we have a lawful basis under GDPR.
| Purpose | Data used | Lawful basis (Art. 6) | Special category basis (Art. 9) |
|---|---|---|---|
| Provide the service (account, workouts, plans) | Account, coaching, communication | Performance of contract — Art. 6(1)(b) | Explicit consent — Art. 9(2)(a) |
| AI-powered coaching insights for trainer | Health data (check-ins, injuries, measurements) | Legitimate interest — Art. 6(1)(f) | Explicit consent — Art. 9(2)(a) |
| Push notifications | Device tokens, account | Performance of contract — Art. 6(1)(b) | — |
| Security, fraud prevention, abuse | Technical, audit logs | Legitimate interest — Art. 6(1)(f) | — |
| Legal obligations (data export, erasure, accounting) | All | Legal obligation — Art. 6(1)(c) | — |
AI Processing: We use AI/LLM providers (Anthropic, OpenAI, Google) to generate coaching insights for trainers. AI output is always presented as a suggestion, never as an automated decision. Trainers always make the final coaching decision (GDPR Art. 22 compliance — no automated decisions with legal or similarly significant effects). See our DPIA for full details.
4. Who we share data with
We do not sell your personal data. We share data only with sub-processors strictly necessary to operate the service. Each sub-processor is bound by a Data Processing Agreement (DPA) under GDPR Art. 28.
| Sub-processor | Purpose | Data accessed | Location |
|---|---|---|---|
| Neon (Databricks Inc.) | PostgreSQL database hosting | All data | EU (Frankfurt) |
| Firebase (Google LLC) | Authentication, push notifications | Email, identity, device tokens | EU + US (under SCCs) |
| Cloudflare R2 (Cloudflare, Inc.) | Media storage (photos, videos, data exports) | Uploaded media, exports | EU + global (CDN) |
| Anthropic, PBC | AI/LLM (primary) | Coaching prompts (anonymized — no IDs) | US (under SCCs) |
| OpenAI, OpCo LLC | AI/LLM (fallback) | Coaching prompts (anonymized — no IDs) | US (under SCCs) |
| Google AI (Google LLC) | AI/LLM (fallback) | Coaching prompts (anonymized — no IDs) | US + EU (under SCCs) |
| Deepgram, Inc. | Speech-to-text (voice notes, dictation) | Audio recordings | US (under SCCs) |
| Hostinger International Ltd. | Email service (SMTP), DNS | Email addresses, email content | EU (Lithuania) |
| Railway Corp. | Application hosting | All data in transit | EU + US |
We do not share your data with advertisers, data brokers, or any party for marketing purposes.
5. International transfers
Some of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States. For these transfers we rely on:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable (e.g. EU–US Data Privacy Framework where the sub-processor is certified)
- Supplementary technical measures — encryption in transit (TLS 1.2+) and at rest, anonymization of user identifiers in AI prompts
You can request a copy of the SCCs we use by emailing privacy@coachpulse.pro.
6. How long we keep data
| Data | Retention period | Reason |
|---|---|---|
| Active account data | Until account deletion | Performance of contract |
| After deletion request | 30 days (recovery window), then permanently erased | Allows you to undo accidental deletion. After 30 days: PII anonymized, special-category data hard-deleted. |
| Audit logs (trainer access events) | 1 year | GDPR Art. 5(2) accountability |
| Email logs (delivery records) | 1 year | Operational + compliance audit |
| Server request logs | 30 days | Security and abuse prevention |
| Backups | Up to 30 days | Disaster recovery — backups are also purged on rolling basis |
| Aggregate workout statistics (after erasure) | Indefinite, anonymized only | Trainer's legitimate interest in their own business records — no client identifier |
7. Your rights under GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Get a copy of all your data we hold | App → Settings → Privacy & Data → Download my data |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | App → Profile, or email privacy@coachpulse.pro |
| Erasure (Art. 17) | Have your data deleted (with 30-day recovery window) | App → Settings → Privacy & Data → Delete account |
| Restriction (Art. 18) | Pause processing while a dispute is resolved | Email privacy@coachpulse.pro |
| Portability (Art. 20) | Receive your data in a machine-readable format (JSON) | Same as Access — JSON export covers it |
| Object (Art. 21) | Object to processing based on legitimate interest | Email privacy@coachpulse.pro |
| Withdraw consent (Art. 7(3)) | Withdraw consent for AI processing of health data | Email privacy@coachpulse.pro — note that this disables most coaching features |
| Lodge a complaint (Art. 77) | Complain to a supervisory authority | Your local Data Protection Authority. In Ukraine: Ombudsman for Human Rights. EU residents: any EU DPA. |
We respond to all rights requests within 30 days, or sooner where technically feasible. Where requests are complex, we may extend by a further 60 days as permitted under Art. 12(3).
8. Security
We protect your data with industry-standard technical and organizational measures:
- All data encrypted in transit (TLS 1.2+) and at rest (database, object storage, backups)
- Authentication via Firebase Auth — passwords are never stored by us in plaintext
- Access to production systems restricted to operations personnel only
- Audit logs record all trainer access to client data
- Regular security review of dependencies and infrastructure
- Incident response procedure — see our breach runbook
In the event of a personal data breach affecting EU residents, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and inform affected users without undue delay (Art. 34) where the breach is likely to result in a high risk to their rights and freedoms.
9. Children's data
CoachPulse is not directed at children. We do not knowingly collect data from anyone under 16 years old (or the applicable digital-consent age in your country, if higher). If you believe a child under 16 has provided us with personal data, please contact privacy@coachpulse.pro and we will delete the account.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our service, the law, or our business practices. When we make material changes, we will notify you via the app and/or email at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Past versions are available on request from privacy@coachpulse.pro.
11. Contact
Questions about this policy or our data practices? Reach us at:
- Email: privacy@coachpulse.pro
- Postal: Vadym Yeremenko, CoachPulse, Ukraine
We do not have a Data Protection Officer (DPO) as we are not required to appoint one under GDPR Art. 37 — our processing of special-category data is not at the scale that triggers mandatory DPO appointment. The privacy contact above handles all GDPR matters.