CoachTone

Privacy Policy

Effective date: 28 April 2026 · Last updated: 3 May 2026

CoachTone ("CoachTone", "we", "us", or "our") operates the website and software-as-a-service platform available at coachtone.net (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have in relation to it.

We are established in Ireland and our processing of personal data is subject to the EU General Data Protection Regulation 2016/679 ("GDPR"), the Irish Data Protection Acts 1988–2018, and any other applicable data protection legislation.

Please read this policy carefully. By using the Service you acknowledge that you have read and understood it. If you do not agree, please discontinue use of the Service.

Important — two roles. This policy governs how we handle your personal data as a user of CoachTone (typically a fitness or wellness coach). When you submit your clients' check-in text through the Service, you are the data controller for that client data and CoachTone acts as your data processor. Section 8 explains your obligations in that capacity.

1. Who We Are — Data Controller

The data controller for personal data collected directly from you (account data, usage data, billing data) is:

CoachTone
Ireland
Email: privacy@coachtone.net

Data Protection contact: For all data-protection queries, requests to exercise your rights, or complaints, please contact us at privacy@coachtone.net.

2. Personal Data We Collect

2.1 Account and Identity Data

When you register, we collect your email address, first and last name, and encrypted credentials. This data is managed through our authentication provider, Clerk (see Section 9). You may also provide a profile picture.

2.2 Coaching and Client Content

The core function of CoachTone is to analyse text you submit — your clients' weekly check-in messages and your own coaching voice samples. This content:

  • May include your client's name, fitness metrics, bodyweight, nutrition adherence, training performance, and personal notes.
  • May include statements about physical or mental health, wellbeing, injury, or emotional state. This constitutes special category data (health data) under GDPR Article 9. See Section 3.
  • Is transmitted to Anthropic's API for AI processing and stored in our database linked to your account.

2.3 Subscription and Billing Data

We use Stripe to process payments. Stripe collects and stores your card details directly — CoachTone never stores full payment card information. We retain records of your subscription plan, status, billing cycle, and transaction history as required by Irish tax law.

2.4 Usage and Technical Data

We automatically collect log data when you use the Service, including IP address, browser type and version, operating system, pages visited, timestamps, and error reports. This data is used for security monitoring, debugging, and service improvement.

2.5 Communications

If you contact us by email or through any support channel, we retain those communications and any personal data contained in them for the purpose of responding to you and improving our support.

3. Special Category Data (Health Information)

Check-in content submitted through the Service frequently contains information relating to physical or mental health — for example, weight, injury status, disordered eating indicators, or emotional distress signals. Under GDPR Article 9, this is special category personal data requiring a heightened legal basis to process.

Our legal basis for processing special category data arising in client check-in content is Article 9(2)(a) — explicit consent. By accepting these terms and submitting check-in content through the Service, you provide explicit consent on your own behalf and represent that you have obtained all necessary consents and legal authorisations from your clients to process their data (including health data) using a third-party AI-powered tool.

If you cannot lawfully obtain such consent for a particular client, you must not submit that client's data to the Service.

4. Legal Bases for Processing

| Purpose | GDPR Legal Basis |
| --- | --- |
| Providing the Service (account management, check-in analysis, reply generation) | Article 6(1)(b) — performance of a contract |
| Processing payments and maintaining billing records | Article 6(1)(b) — contract; Article 6(1)(c) — legal obligation (tax law) |
| Fraud prevention, security monitoring, and abuse detection | Article 6(1)(f) — legitimate interests |
| Product analytics and service improvement (aggregated, not re-identified) | Article 6(1)(f) — legitimate interests |
| Responding to support enquiries | Article 6(1)(f) — legitimate interests |
| Sending service-critical transactional emails | Article 6(1)(b) — contract |
| Processing special category health data in client check-in content | Article 9(2)(a) — explicit consent |
| Compliance with legal obligations | Article 6(1)(c) — legal obligation |

5. How We Use Your Personal Data

We use the data described above to:

  • Create and maintain your account and authenticate your sessions.
  • Provide the core Service: receive check-in content, run it through our AI analysis pipeline, and return a structured analysis and coaching reply.
  • Store your check-in history and client records so you can review them over time.
  • Learn and apply your coaching voice style to personalise AI-generated replies.
  • Process subscription payments and manage your billing relationship.
  • Send transactional emails: account confirmation, password reset, billing receipts, plan change notifications.
  • Detect and prevent fraud, abuse, and violations of our Terms of Service.
  • Improve the reliability, security, and features of the Service using aggregated, non-identifiable usage signals.
  • Respond to legal requests and enforce our legal rights.

We do not sell your personal data. We do not use your personal data or your clients' data to train general-purpose AI models. Check-in content is processed by Anthropic's API under zero-retention settings where available; see Section 9.

6. Data Retention

| Category | Retention Period |
| --- | --- |
| Account and identity data | Duration of your account, then permanently deleted within 30 days of account closure |
| Check-in content, analyses, and client records | Duration of your account; deleted upon account closure or on receipt of a valid erasure request |
| Coaching voice samples | Duration of your account; deleted on closure or erasure request |
| Billing records and invoices | 7 years from the date of the transaction (Irish tax and company law obligation) |
| Server and security logs | 90 days, then automatically purged |
| Support correspondence | 3 years from last contact, unless a legal claim is outstanding |

7. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Right of access (Art. 15) — You may request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — You may ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — You may ask us to delete your personal data where there is no overriding legal reason to retain it. You can delete your account and all associated data directly from the Billing page inside the Service. This permanently removes your profile, all client records, and all check-in history. Billing records required by law (7 years) are exempt from this right.
  • Right to restriction (Art. 18) — You may ask us to pause processing of your data while a dispute is resolved.
  • Right to data portability (Art. 20) — You may request a machine-readable export of personal data you provided to us under a contract or consent basis.
  • Right to object (Art. 21) — You may object to processing based on legitimate interests. We will cease that processing unless we have compelling legitimate grounds that override your interests.
  • Right not to be subject to automated decision-making (Art. 22) — CoachTone does not make legally significant automated decisions about you based solely on automated processing.
  • Right to withdraw consent — Where processing is based on consent (including for special category health data), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawal does not delete data already processed.

To exercise any of these rights, email us at privacy@coachtone.net. We will respond within 30 days. We may ask you to verify your identity before acting on your request.

8. Your Obligations as a Data Controller for Client Data

When you input your clients' personal data (check-in text, client names, health information) into the Service, you are the data controller for that data and CoachTone acts as your data processor under GDPR Article 28.

By using the Service you represent and warrant that you:

  • Have a lawful basis under GDPR Article 6 (and Article 9 for health data) to process each client's data using a third-party AI tool.
  • Have informed your clients, in a clear privacy notice, that their check-in responses may be processed using AI-powered software.
  • Have obtained explicit consent from clients whose data may constitute special category health data, or otherwise have a valid Article 9 ground.
  • Will promptly inform us of any data subject access requests received from your clients that relate to data stored on our platform, and will cooperate with us to fulfil those requests.
  • Will notify us immediately if you become aware of a personal data breach involving client data processed through the Service.

Our data processing obligations to you (as processor) are set out in our Data Processing Addendum, which forms part of our Terms of Service and is incorporated herein by reference.

9. Third-Party Service Providers (Sub-Processors)

We share data only with the following vetted sub-processors. All are bound by data processing agreements and, where applicable, Standard Contractual Clauses (SCCs) for international transfers.

Clerk (clerk.com)

Purpose: User authentication, session management, and identity verification.

Location: United States

Transfer mechanism: SCCs in place. See clerk.com/legal/privacy.

Anthropic (anthropic.com)

Purpose: AI language model processing via API. Data sent to Anthropic includes: client first name, stated goal, check-in text, the coach's described coaching style, and (optionally) anonymised writing samples and prior check-in summaries used to personalise the reply. Full card numbers and payment data are never sent. Anthropic processes this data solely to return an AI-generated analysis and draft reply; it is not used to train Anthropic's general-purpose models.

Location: United States

Transfer mechanism: SCCs in place under EU Commission Decision 2021/914. We request zero-retention API processing where available under Anthropic's Business terms. See anthropic.com/privacy.

Vercel (vercel.com)

Purpose: Cloud hosting, global CDN delivery, and serverless function execution.

Location: United States (global CDN)

Transfer mechanism: SCCs in place. See vercel.com/legal/privacy-policy.

Neon (neon.tech)

Purpose: Serverless PostgreSQL database storing your account data, client records, check-in history, and analyses.

Location: EU region configured where available.

Transfer mechanism: DPA in place.

Stripe (stripe.com)

Purpose: Payment processing, subscription management, and invoicing.

Location: Stripe has an EU entity (Stripe Payments Europe Ltd, Ireland). Card data is never transmitted to CoachTone servers.

Transfer mechanism: EU entity; GDPR-compliant. See stripe.com/ie/privacy.

Sentry (sentry.io)

Purpose: Application error monitoring and crash reporting. We send technical metadata about runtime errors (stack traces, URLs, browser type, your CoachTone user ID) so we can detect and fix bugs. We have configured Sentry to redact request bodies and disable collection of IP addresses, cookies, and HTTP headers. We do NOT send check-in content, client names, voice samples, or any other coaching content to Sentry.

Location: European Union (Frankfurt, Germany — de.sentry.io).

Transfer mechanism: Data is stored within the EU. DPA in place under Functional Software Inc. See sentry.io/legal/dpa.

We do not share personal data with any other third parties except where required by law.

10. International Data Transfers

Some of our sub-processors (Clerk, Anthropic, Vercel) are based in the United States. The United States does not have an EU adequacy decision in place for general commercial transfers. We therefore rely on the EU Standard Contractual Clauses (SCCs) as approved by the European Commission under Decision 2021/914 as the transfer mechanism for these transfers.

We conduct a Transfer Impact Assessment (TIA) for each US-based sub-processor to ensure the level of protection afforded to your data is essentially equivalent to that guaranteed within the EEA. Copies of our SCCs are available on request at privacy@coachtone.net.

11. Cookies and Tracking Technologies

We use a minimal number of cookies required for the Service to function:

  • Authentication cookies — Set by Clerk to maintain your authenticated session. These are essential; the Service cannot function without them.
  • Preference cookies — We store your dark/light mode preference in localStorage, not a cookie, and this data never leaves your device.

We do not currently use any analytics, advertising, or tracking cookies. If we introduce analytics tools in future, we will update this policy, display a cookie notice, and obtain consent where required.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Database data is encrypted at rest.
  • Access to production systems is restricted to authorised personnel with multi-factor authentication.
  • HTTP security headers (including Content Security Policy and HSTS) are applied to all responses.
  • We conduct periodic security reviews.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission (DPC) within 72 hours and notify you without undue delay where the breach is likely to result in a high risk to you.

13. Children's Privacy

The Service is intended exclusively for adults (18 years of age or older) acting in a professional capacity as fitness or wellness coaches. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that a user is under 18, we will delete that account and all associated data without notice.

14. EU Artificial Intelligence Act Compliance

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689, "AI Act") entered into force on 1 August 2024 with provisions phasing in through 2027. CoachTone operates as a deployer of an AI system under the AI Act.

Risk classification

CoachTone has assessed its AI pipeline against the AI Act's risk categories. The Service does not fall within any prohibited AI practice (Article 5) and is not classified as a high-risk AI system under Annex III. It is classified as a limited-risk AI system, subject to transparency obligations under Article 50.

Transparency

In accordance with Article 50(4), users are clearly informed — in the Service interface and in our Terms of Service — that analyses, risk flags, coaching strategy recommendations, and reply drafts are generated by an AI system. AI-generated outputs are presented as drafts, not final decisions.

Human oversight

In accordance with Article 26, CoachTone is designed to support human oversight. Every AI Output must be reviewed and approved by the coach before being sent to a client. The Service does not send communications on behalf of coaches without explicit human action.

No automated decision-making with legal or significant effects

The AI system does not make decisions that produce legal effects or similarly significant effects on any individual. All outputs are recommendations for review by a qualified coach.

We monitor developments in AI Act guidance and will update our practices and this policy as new obligations come into effect.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Send a notification to your registered email address at least 14 days before the changes take effect.
  • For significant changes affecting how we process special category data, seek fresh consent where required.

Your continued use of the Service after the effective date of any updated policy constitutes acceptance of the revised terms.

16. How to Complain

If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the supervisory authority in your country. In Ireland, this is:

Data Protection Commission (DPC)
21 Fitzwilliam Square South
Dublin 2, D02 RD28, Ireland
www.dataprotection.ie

We would, however, appreciate the opportunity to address your concern before you contact the DPC. Please email us at privacy@coachtone.net first.

17. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact:

CoachTone — Data Protection
Ireland
Email: privacy@coachtone.net
