Privacy Policy
Last updated: July 3, 2026
1. Who We Are
The CoachApp platform (the "Service") is provided by CoachApp ("we", "us"), established in the Republic of Belarus. This Policy explains what personal data is processed in the Service, for what purposes, how it is protected, and what rights you have. Questions about this Policy: hello@coachapp.example.
2. Roles: the Coach as Controller, CoachApp as Processor
The Service has two kinds of users — Coaches (our customers) and their Clients (trainees who use the companion app via an access code issued by their Coach).
- For a Coach's own account data (username, contact details, billing records) we are the data controller.
- For Client data that a Coach enters into the Service, or that a Client enters themselves (names, contact info, body measurements, nutrition and workout logs), the Coach is the data controller: the Coach decides whose data is processed and why. CoachApp acts as the processor and platform operator — we process this data only to provide the Service and per the instructions implied by its functionality.
Coaches are responsible for obtaining their Clients' consent to the processing of their data in the Service, including health-related data.
3. Data We Process
3.1. Coach data
- registration data: username, display name, email address;
- credentials: password (stored only as a bcrypt hash — never in plaintext), last-login timestamp;
- subscription and payment data: plan, validity period, records of received payments;
- content created in the Service: programs, exercises, notes, finance records, schedule entries.
3.2. Client data
- identification and contact data entered by the Coach or the Client: name, phone/contact details, access code;
- health-related data: body measurements (weight, girths, body-fat percentage), workout logs (exercises, weights, reps), food diary entries (meals, calories, macronutrients), and photos of nutrition labels or meals uploaded for scanning;
- in-app activity data (completed workouts, streaks, achievements).
4. Purposes and Legal Grounds
- providing the Service (performance of the contract with the Coach): maintaining accounts, storing and displaying data, syncing between the trainer and client apps;
- processing Client data — based on the Client's consent obtained by their Coach, within the Service's functionality;
- payment records — performance of the contract and statutory accounting requirements;
- security — our legitimate interest in protecting the Service from abuse;
- communication — service notices and responses to your requests.
We do not use personal data for advertising and we do not sell it.
5. Isolated-Database Architecture
Every Coach receives their own, fully isolated database. All of that Coach's Client data — programs, workouts, nutrition, finance — lives only in that database. Different coaches' data is physically separated: one coach's requests cannot read another coach's data. Routing to the correct database is enforced server-side through the authenticated session token.
6. AI Processing (Nutrition Scanning)
When a Client photographs a nutrition label or a meal to log it in the food diary, the image is transmitted to Anthropic's Claude API (servers located in the United States) solely to extract nutrition data (calories, protein, carbohydrates, fat). Under Anthropic's API terms, submitted images are not used to train models. The extracted result is stored in the Coach's isolated database. Using this feature is optional — nutrition data can always be entered manually instead.
7. Storage and Security
- passwords are stored only as bcrypt hashes; plaintext passwords are never stored and cannot be viewed even by an administrator;
- sessions use signed JWT tokens with limited validity;
- SQLite databases run in WAL mode; each coach's database is isolated at the filesystem level;
- administrative functions are access-restricted and separately authenticated;
- backups are retained for a limited period (see Section 8).
No system can guarantee absolute security, but we apply reasonable organisational and technical measures appropriate to the nature of the data processed.
8. Retention and Deletion
Data is kept for as long as the Coach's account is active. A Coach may request full account deletion — in that case the master account record and the Coach's entire isolated database, including all Client data in it, are hard-deleted. Backups containing the deleted data are purged within 30 days. Payment records required for statutory accounting are retained in anonymised form for the periods required by law. Details are in the Data Deletion Policy.
9. Data Sharing
We do not sell personal data and do not share it for advertising. Data is shared only with the following categories of processors, to the extent needed to run the Service:
- hosting provider — running the servers and storing the databases;
- Anthropic (US) — image processing for nutrition scanning (Section 6).
Data may be disclosed to public authorities only where there is a legal basis under the law of the Republic of Belarus.
10. Your Rights
You may request access to your data, its rectification, deletion, or export.
- Coaches contact us directly at hello@coachapp.example;
- Clients should first contact their Coach — the Coach controls their records and can correct or delete them in the app. If the issue is not resolved, a Client may also contact our support and we will assist within our role as processor.
You may also withdraw consent to processing (which may make further use of the Service impossible) and lodge a complaint with the personal-data protection authority of the Republic of Belarus.
11. Cookies and Local Storage
We use only functional browser storage (session token, theme, language). There are no advertising or third-party analytics cookies. See the Cookie & Storage Policy.
12. Children
The Service is directed at professional coaches. Client accounts are created by a Coach, not by the child; the Service is not intended for independent use by children under 16. If a Coach works with a minor Client, the Coach must ensure a parent or legal guardian has consented to the processing of that Client's data.
13. International Transfers
Primary data storage happens on the Service's servers. The only routine cross-border transfer is the transmission of nutrition-label/meal photos to Anthropic's Claude API in the United States, as described in Section 6. By using the scanning feature, the user consents to that transfer.
14. Changes to This Policy
We may update this Policy. We will announce material changes through the Service or by email. The date of the latest revision is shown at the top of this page.
15. Contact
CoachApp, email hello@coachapp.example. See also our Terms of Service and Data Deletion Policy.