Privacy Policy

Effective date: 2026-04-20

This Privacy Policy explains how CoachDesk ("we", "us") collects, uses, and protects personal data when you use the CoachDesk platform as a coach or as a client booking a session. We comply with the EU General Data Protection Regulation (GDPR) and Romanian data-protection law.

Who is the data controller

For coaches using CoachDesk to run their practice, CoachDesk acts as a data processor for the client data coaches upload, and as a data controller for account and billing data. For individuals booking sessions, the coach is the primary controller of coaching-related data; CoachDesk processes that data on the coach's behalf. You can reach us at privacy@coachdesk.app for any data-protection question.

What data we collect

Depending on how you use CoachDesk, we may process the following categories of personal data:

  • Account data: name, email, hashed password (or Google OAuth identifier), timezone, currency, language.
  • Coaching data: session types, availability, bookings, intake-form answers, private session notes, shared session summaries, goals.
  • Client data: names, emails, phone numbers, booking notes and optional portal activity of individuals booked by a coach.
  • Technical data: IP address, browser user-agent, basic request logs and audit events (sign-ins, critical actions) kept for security.

Lawful basis for processing

We only process personal data when we have a lawful basis under Article 6 GDPR:

  • Contract: to provide the CoachDesk service you signed up for (hosting your account, bookings, notes, billing).
  • Consent: for optional features such as AI-generated session summaries and non-essential cookies. You can withdraw consent at any time.
  • Legitimate interests: to keep the platform secure, prevent abuse, and improve the product through aggregated, non-identifying analytics.
  • Legal obligation: to retain invoices and audit trails required by Romanian accounting and tax law.

How long we keep your data

We keep personal data only as long as necessary for the purposes above. Specifically:

  • Account and profile data are kept while your account is active. When you delete your account, we retain it in a suspended state for 30 days (so you can cancel) and then permanently erase it.
  • Bookings, session notes and client records are kept while the coach's account is active, and are removed together with the account.
  • Security audit logs (sign-ins, account changes, deletion events) are kept for up to 90 days.
  • Encrypted backups are rotated on a 30-day cycle; deletions propagate to backups within that window.

Who we share data with

We rely on a limited number of vetted sub-processors to run CoachDesk (hosting, email delivery, payments, video, optional AI). You can review the full list and their data-protection addenda on our sub-processors page.

International data transfers

Our primary infrastructure is hosted in the European Union. Some sub-processors (for example SendGrid, OpenAI) may process data in the United States. For those transfers we rely on the European Commission's Standard Contractual Clauses and, where applicable, supplementary safeguards.

Your rights

Under the GDPR you have the following rights regarding your personal data:

  • Right of access: obtain a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete data.
  • Right to erasure: ask us to delete your personal data when it is no longer needed.
  • Right to data portability: receive your data in a structured, machine-readable format (CSV / JSON).
  • Right to object / restrict: object to processing based on legitimate interests or ask us to restrict processing.
  • Right to complain: lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) or your local supervisory authority.

Coaches can exercise these rights directly from Settings → Privacy (export your data, disable AI features, delete your account). Clients booking sessions can use the portal's "My data" section, or email privacy@coachdesk.app and we will reply within 30 days.

Cookies

We use a small number of strictly-necessary cookies to keep you signed in and remember your language. We do not use advertising cookies. Any optional analytics cookies are only set after you accept them in the cookie banner, and you can change your choice at any time by clearing the CoachDesk cookie-consent entry in your browser storage.

AI-generated content

CoachDesk offers optional AI features that draft session summaries and prep briefs from notes you have already written. These requests are sent to OpenAI under a data-processing agreement that prohibits training on your data. AI is always opt-in at the coach level and can be disabled at any time from Settings → Privacy. We never send client data to AI providers unless the coach has enabled this feature.

Security

Passwords are hashed with bcrypt. All traffic is encrypted in transit with TLS. Sensitive operations (account deletion, data export) require re-authentication and are written to an audit log. We maintain encrypted backups and follow the principle of least privilege for internal access.

Changes to this policy

When we make material changes to this policy we update the effective date above and, for logged-in coaches, show a notice in the app. Minor clarifications are published without notice.

Contact us

If you have any question about this policy or want to exercise your rights, please write to privacy@coachdesk.app.