Privacy Policy.

Coach Partners (“Coach Partners,” “we,” “us”) operates the practice-management platform at coachpartners.app (the “Service”). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have.

The platform is operated from Michigan, USA. By using the Service you understand and consent to the processing of your information in the United States, where data-protection laws may differ from those in your jurisdiction. See Section 11 for more on international transfers.

This Privacy Policy covers three categories of people:

• Coaches (account holders). Professionals who sign up for Coach Partners to manage their practice. We are the data controller for information about coaches.
• Marketing site visitors.Anyone who visits coachpartners.app without signing up. We're the controller for the limited data we collect from visitors.
• Coaching clients (end clients). People whose information is stored in the Service by their coach — intake responses, session notes, contact details, etc. For this information, the coach is the data controller and Coach Partners is a data processoracting on the coach's instructions. See Section 9 for how end clients can exercise their rights.

Account information. When you sign up, we collect your email address (from Google or from the email you enter to receive a magic link) and any optional profile information you provide (display name, title/credentials, timezone, phone, Zoom link, booking link).

Practice information. The name of your practice or organization, your role within it (admin or coach), and configuration settings you choose (intake form contents, coach agreement, calendar feed URL and event pattern, reminder preferences).

Coaching content you create or upload. Client records, session notes, next-steps, frameworks, resources, EAP authorizations, billing records, and self-rating notes.

Intake responses you collect from clients. When you send a client an intake link and they complete the form, their answers are stored against their client record in your practice.

Calendar feed contents (optional). If you choose to connect a Google Calendar, Coach Partners reads upcoming event titles, start/end times, and locations from the iCal URL you provide. This data is fetched on-demand and shown in your dashboard; we do not modify your calendar.

Operational and security data. An internal audit log records meaningful actions taken in the Service (record creation, updates, deletions) with timestamps and actor identifiers. Hosting infrastructure produces standard access logs (IP address, user agent, timestamps, status codes) for security and debugging purposes.

Donations. If you donate via Stripe, Stripe collects your payment information. Coach Partners does not store credit card numbers, CVV codes, or full billing addresses. We may receive limited confirmation information from Stripe (email address used, amount, donation date).

What we do not intentionally collect.We do not collect tracking identifiers beyond what's strictly required for the Service to function (authentication cookies). We do not use behavioral or advertising trackers. We do not sell or share your information with data brokers.

We use the information we collect to:

• Provide, operate, and maintain the Service — including authenticating you, rendering your practice data, sending you transactional emails (sign-in links, client reminders you've configured, welcome emails, signup notifications), and enabling features you opt into;
• Detect, prevent, and respond to security incidents, fraud, and abuse;
• Comply with legal obligations and enforce our Terms of Service;
• Improve the Service based on aggregate, non-identifying usage patterns;
• Communicate with you about your account, important service changes, and (sparingly) product updates.

What we do not do. We do not sell or rent your personal information. We do not share it with advertisers or data brokers. We do not use your content (session notes, intake responses, client records, etc.) to train machine-learning or AI models.

If you are in the United Kingdom, the European Economic Area, or another jurisdiction that requires a lawful basis for processing personal data, our bases are:

• Performance of a contract (Art. 6(1)(b)). We need to process your account information and content to provide the Service you signed up for.
• Legitimate interests (Art. 6(1)(f)). We rely on legitimate interests for limited purposes: security and abuse prevention, internal operational logging, and aggregate product improvement. We've balanced these interests against your privacy rights and concluded that the processing is proportionate.
• Consent (Art. 6(1)(a)). Where we ask for specific consent (for example, enabling client reminder emails on your behalf, or you opting in to optional integrations), processing is based on that consent. You can withdraw consent at any time by adjusting the relevant setting or by contacting us.
• Legal obligation (Art. 6(1)(c)). Where required by law (for example, retaining records to comply with tax law or responding to lawful requests).

For end-client data, the coach is the controller and chooses the legal basis. Coach Partners processes that data as a processor on the coach's documented instructions.

We share information only as described below:

• With sub-processors required to operate the Service. The full list is in our Terms of Service, Section 7. Each sub-processor is contractually bound to use the data only to provide their service to us, and to maintain appropriate security measures.
• With other members of your practice. If you are part of a multi-coach practice, your colleagues in the same organization can see practice-scoped data (clients, sessions, etc.) consistent with their role (admin or coach). Self-rating reflection notes are private to the coach who wrote them — other coaches in the same org cannot see them.
• If required by law— for example, to comply with a subpoena, court order, or other valid legal process. We'll attempt to notify you before disclosure unless prohibited by law.
• In a business transfer.If Coach Partners is acquired or merges with another company, your information may transfer with the business. The successor will be bound by this Privacy Policy or one substantially similar, and we'll give you notice and an opportunity to export and/or delete your data before any such transfer takes effect.
• With your consent. Any other sharing is explicit and opt-in.

We implement administrative, technical, and organizational measures designed to protect your information:

• Encryption in transit. All connections to the Service use TLS.
• Encryption at rest.Sensitive fields are encrypted with AES-256-GCM before they're written to our database. Specifically: session notes, next-steps, self-rating reflection notes, client intake responses, client assessment data, and client synopses. Encryption keys are held by Coach Partners and are not accessible to you, your clients, or our sub-processors.
• Row-level access controls. Database-level policies (RLS) restrict access to practice-scoped data.
• Audit logging. Meaningful actions in the Service are logged with actor identifiers and timestamps and surfaced to organization admins.
• Sub-processor diligence. Vendors are selected for their published security programs.

No system is perfectly secure. If you become aware of any unauthorized access to your account or a security issue with the Service, please notify us immediately at contact@coachpartners.app.

We retain your information for as long as your account is active and for as long as needed to provide the Service to you.

When you delete your practice from Admin → Danger zone, we permanently delete the organization record and all org-scoped records (clients, sessions, notes, intake responses, frameworks, billing records, memberships) from production systems. Encrypted content is unrecoverable after deletion because the key material remains separate from individual records.

Audit log entries are retained in disassociated form (without the deleted organization ID) for security and legal purposes, typically up to 12 months after practice deletion.

Backups. Our database provider takes periodic backups for disaster recovery. Deleted data may persist in backups for up to 30 days before being aged out. Backups are not searchable or readable by Coach Partners staff in the normal course of business; they exist only to restore the Service after a catastrophic failure.

Email logs. Records of transactional emails we send on your behalf (such as client reminders) are retained for up to 12 months for deliverability auditing.

Depending on where you live, you may have some or all of the following rights regarding your personal information:

• Access.Request a copy of the personal information we hold about you. You can access most of this yourself through the Service's data-export feature (Admin → Your data → Download JSON or CSV).
• Correction. Update or correct inaccurate information. Most account and practice fields are editable from the Admin page.
• Deletion. Request that we delete your personal information. You can do this yourself by deleting your practice from Admin → Danger zone, or by emailing us.
• Portability. Receive your data in a structured, commonly used, machine-readable format (provided via JSON and CSV export).
• Restriction. Ask us to restrict processing in certain circumstances.
• Objection. Object to processing based on our legitimate interests.
• Withdraw consent. Where processing is based on your consent (for example, opt-in email features), you may withdraw consent at any time.
• Lodge a complaintwith your local data-protection authority. We'd appreciate the chance to address your concern first.

To exercise these rights, email contact@coachpartners.app. We respond within 30 days. We may need to verify your identity before fulfilling certain requests.

For end clients (people whose information is stored by a coach using Coach Partners): your coach is the controller of your data. Direct rights requests to them. If you cannot reach them or they are unresponsive, you may contact us and we will take reasonable steps to facilitate your request consistent with our role as a processor.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

• The right to know what personal information we collect about you and how we use and share it (described in Sections 3–6 of this Policy);
• The right to delete your personal information (see Section 9);
• The right to correct inaccurate personal information;
• The right to opt out of the sale or sharing of your personal information. Coach Partners does not sell or share personal information for cross-context behavioral advertising, so this right is implicitly satisfied;
• The right to limit use of sensitive personal information (we use sensitive information only to provide the Service you signed up for);
• The right to non-discrimination for exercising your privacy rights.

To exercise these rights, contact us using the methods in Section 9.

Coach Partners is operated from the United States and stores data on infrastructure in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. By using the Service, you understand and consent to this transfer. Where required by law, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses with our relevant sub-processors) to legitimize these transfers.

The Service is intended for professional coaches age 18 and over and is not directed at children. We do not knowingly collect personal information from anyone under 13 (or the equivalent minimum age in your jurisdiction). If you believe a child's information has been provided to us, please contact us and we will delete it.

Coach Partners uses the minimum cookies necessary to operate the Service:

• Authentication cookies set by our authentication provider (Supabase) to keep you signed in while you use the Service.
• Local storagefor a small number of interface preferences (for example, whether you've collapsed the onboarding checklist).

We do not use third-party advertising cookies, behavioral tracking pixels, or cross-site tracking. If we ever add analytics, it will be a privacy-respecting, aggregate-only tool, disclosed here, and (where required) opt-in.

We may update this Privacy Policy from time to time. When we make changes, we will update the “Last updated” date at the top of this page. For material changes, we will also notify you in-app or by email at least fourteen (14) days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

For privacy questions, data-subject requests, or to report a security issue:

contact@coachpartners.app

Coach Partners is operated from Michigan, USA. Postal contact address available on request.