CoachRun Privacy Policy
STATUS: DRAFT FOR LEGAL REVIEW — NOT YET IN FORCE. This is a draft scaffold, not final legal advice. Every value marked [to be confirmed] must be settled before this policy is published.
Effective date: [to be confirmed] Last updated: [to be confirmed] Version: Draft 0.1
In short
CoachRun is a tool that helps qualified running coaches write training plans. Our AI drafts a suggested weekly plan, but a real coach reviews and approves every plan before it reaches an athlete. CoachRun assists a qualified coach — it does not replace coaching judgment.
To do this, we handle some personal information, including health and fitness data about athletes (things like heart rate, training load, injury reports and Strava activity). This policy explains what we collect, why, who we share it with, how long we keep it, and the rights you have over your data.
We've tried to write this in plain language rather than legalese, in line with guidance from the UK's Information Commissioner's Office (ICO). If anything here is unclear, contact us at the address below.
1. Who we are (the data controller)
CoachRun is operated by [Declan Doherty], trading as CoachRun — a sole trader based in [to be confirmed]. CoachRun is not a limited company.
For the purposes of data protection law, this sole trader is the data controller for the personal data described in this policy — meaning we decide what data is collected and why.
How to contact us about your data:
- Email: [to be confirmed]
- Postal address: [to be confirmed]
[to be confirmed]
2. What personal data we collect
We collect two broad groups of data: information about coaches (our customers) and information about athletes (the people coaches train). We handle these differently because athlete data includes health information, which the law treats as especially sensitive.
2a. Coach data (our customers)
When a coach signs up and uses CoachRun, we collect:
- Account and identity details: name, email address, and login credentials.
- Business/profile details a coach chooses to add: [to be confirmed].
- Billing information: [to be confirmed].
- Usage and technical data: information about how the coach uses the platform, plus standard technical data such as IP address, device/browser type, and log data.
- Any communications a coach sends us (for example, support requests).
2b. Athlete data (including health data)
When a coach adds an athlete and the athlete claims their account, we process data about the athlete so the coach can plan and adjust their training. This includes:
- Identity and contact details: name and email address.
- Account data: login credentials for the athlete portal.
Special-category health data (Article 9). The following are health-related data, which UK GDPR Article 9 classes as a "special category" requiring extra protection. We process:
- Heart-rate data from training sessions.
- Training load and related training-effort metrics.
- Injury and pain reports — information an athlete or coach records about injuries, soreness, or physical limitations.
- Strava activity data — activity records imported from the athlete's own Strava account (see Section 5), which can include pace, distance, route/GPS data, heart rate, and other fitness metrics.
We treat all of the above as special-category health data and apply the additional safeguards described in Sections 3, 4 and 6.
[to be confirmed]
3. Why we use your data and our lawful basis
Under UK GDPR we must have a valid "lawful basis" for each use of personal data. Where the data is special-category health data, we must also meet an additional Article 9 condition.
Coach data
| What we use it for | Lawful basis (Article 6) |
|---|---|
| Creating and running your account; providing the service | Performance of a contract with you |
| Billing and taking payment | Performance of a contract / legal obligation (tax records) |
| Securing the platform, preventing abuse, keeping logs | Legitimate interests (running a secure service) |
| Service and product emails you need to receive | Performance of a contract |
| Marketing emails (if any) | [to be confirmed] |
Athlete data (non-health)
| What we use it for | Lawful basis (Article 6) |
|---|---|
| Creating the athlete portal account; delivering plans | [to be confirmed] |
| Securing the portal, notification emails | [to be confirmed] |
Athlete health data (Article 9 special category)
We process health data (heart rate, training load, injury/pain reports, Strava activity) so that a coach can create, review and adjust training plans for that athlete.
- Article 6 basis: [to be confirmed]
- Article 9 condition: explicit consent of the athlete (Article 9(2)(a)). We ask the athlete to give explicit consent to processing their health data at the point they claim their account (see Section 4).
[to be confirmed]
4. How we ask for consent, and how you withdraw it
Getting consent (the athlete consent gate). An athlete's health data is only processed after the athlete has claimed their own account and given explicit consent. When an athlete claims their account, we present a clear consent step that explains what health data will be processed and why, and asks them to actively agree before any health data processing begins. Consent is:
- Specific — it covers the health-data processing described in this policy.
- Informed — the athlete sees, in plain language, what they are agreeing to.
- Freely given and unambiguous — it requires a clear affirmative action, not a pre-ticked box.
[to be confirmed]
Withdrawing consent. An athlete can withdraw consent at any time, and it must be as easy to withdraw as it was to give. To withdraw consent, an athlete can [to be confirmed].
If an athlete withdraws consent, we stop processing their health data going forward. Withdrawing consent does not affect the lawfulness of processing that already happened before withdrawal. [to be confirmed]
5. Who we share your data with (third parties)
We do not sell your data. We share it only with the service providers we need in order to run CoachRun, and only for that purpose. Each of these acts as our data processor (except Strava, explained below) and is bound to protect your data.
Strava (athlete-owned connection). If an athlete chooses to connect Strava, they do so through Strava's own secure authorisation (OAuth), using their own Strava account, and grant CoachRun permission to read their activity data (the activity:read_all scope). The connection belongs to the athlete: it is optional, the athlete authorises it, and the athlete can disconnect it at any time from their Strava account. [to be confirmed]
Supabase (hosting and database — data processor). Athlete and coach data is stored in our database and authentication system, provided by Supabase, hosted in the EU-West-1 region (see Section 6). Supabase processes data on our instructions to host the platform.
Resend (email delivery — data processor). We use Resend to send emails, such as account notifications and the "your plan is ready" notification. Note our delivery model: we do not send plan content in email. Emails are a notification plus a link to the secure, authenticated athlete portal ("doorbell email") — the training plan itself lives in the portal, not in the email. [to be confirmed]
Anthropic (AI drafting — data processor). We use Anthropic's AI to produce a *draft* weekly training plan for the coach. Two points matter here:
- A coach reviews and approves every plan before it reaches an athlete. The AI produces a suggestion; a qualified human decides.
- [to be confirmed]
[to be confirmed]
6. Where your data is stored, and how we protect it
Storage location. Coach and athlete data, including health data, is stored in our Supabase database in the EU-West-1 region.
Security measures. We take the security of health data seriously and apply measures including:
- Encryption of data in transit and at rest. [to be confirmed]
- Row-Level Security (RLS) in the database and coach-scoped access controls, so a coach can only access the data of their own athletes, and sensitive tables are reachable only through our controlled server-side access — not directly by client applications.
- Authentication controls on the athlete portal, so plan content is only reachable by a logged-in, authorised user.
- [to be confirmed]
No system can be guaranteed 100% secure, but we work to protect your data using appropriate technical and organisational measures.
7. How long we keep your data (retention)
We keep personal data only for as long as we need it for the purposes described in this policy, and then delete or anonymise it.
- Retention period: [to be confirmed]
- What happens when a coach or athlete closes their account, or an athlete withdraws consent: [to be confirmed]
8. Your rights
Under UK GDPR you have rights over your personal data. These apply to both coaches and athletes. You can:
- Access your data — ask for a copy of the personal data we hold about you.
- Port/export your data — ask for your data in a portable format.
- Rectify your data — ask us to correct data that is wrong or incomplete.
- Erase your data — ask us to delete your data ("right to be forgotten"), subject to any data we must keep by law.
- Withdraw consent — where we rely on your consent (for example, athlete health data), withdraw it at any time (see Section 4).
- Complain to a supervisory authority — if you're unhappy with how we've handled your data. In the UK this is the Information Commissioner's Office (ICO) at ico.org.uk. [to be confirmed]
How to exercise these rights. You can request an export or deletion of your data, or make any other rights request, by contacting us at [to be confirmed]. We will respond within the timeframe required by law (usually one month). We may need to verify your identity first.
9. International transfers
Your data is stored in the EU (EU-West-1). Some of our service providers may process data outside the UK/EU, which requires an approved safeguard under UK GDPR.
[to be confirmed]
10. A note on how CoachRun works
We think it's important you understand the role of AI in CoachRun, because it involves health data.
Our AI produces a *draft* weekly training plan. Every plan is reviewed and approved by a qualified coach before it is delivered to an athlete. CoachRun is a tool that assists a qualified coach — it does not replace the coach's professional judgment, and it does not make final decisions about anyone's training. The human coach is always in the loop.
[to be confirmed]
11. Changes to this policy
We may update this policy from time to time — for example, if we add a feature, change a service provider, or the law changes. When we make a material change, we will update the "Last updated" date at the top and [to be confirmed]. We encourage you to review this policy periodically.
Effective date: [to be confirmed]
*This document is a draft prepared for legal review and is not legal advice. It must be reviewed and approved by a qualified data protection lawyer before it is published or relied upon.*
This privacy policy is a working draft for legal review and is not yet in force.