Draft — not yet in force. This policy is awaiting legal review. Highlighted [bracketed] items are placeholders still to be confirmed and are shown deliberately — nothing here should be treated as final.

CoachRun Privacy Policy

STATUS: DRAFT FOR LEGAL REVIEW — NOT YET IN FORCE. This is a draft scaffold, not final legal advice. Every value marked [to be confirmed] must be settled before this policy is published.

Effective date: [to be confirmed] Last updated: [to be confirmed] Version: Draft 0.1


In short

CoachRun is a tool that helps qualified running coaches write training plans. Our AI drafts a suggested weekly plan, but a real coach reviews and approves every plan before it reaches an athlete. CoachRun assists a qualified coach — it does not replace coaching judgment.

To do this, we handle some personal information, including health and fitness data about athletes (things like heart rate, training load, injury reports and Strava activity). This policy explains what we collect, why, who we share it with, how long we keep it, and the rights you have over your data.

We've tried to write this in plain language rather than legalese, in line with guidance from the UK's Information Commissioner's Office (ICO). If anything here is unclear, contact us at the address below.


1. Who we are (the data controller)

CoachRun is operated by [Declan Doherty], trading as CoachRun — a sole trader based in [to be confirmed]. CoachRun is not a limited company.

For the purposes of data protection law, this sole trader is the data controller for the personal data described in this policy — meaning we decide what data is collected and why.

How to contact us about your data:

[to be confirmed]


2. What personal data we collect

We collect two broad groups of data: information about coaches (our customers) and information about athletes (the people coaches train). We handle these differently because athlete data includes health information, which the law treats as especially sensitive.

2a. Coach data (our customers)

When a coach signs up and uses CoachRun, we collect:

2b. Athlete data (including health data)

When a coach adds an athlete and the athlete claims their account, we process data about the athlete so the coach can plan and adjust their training. This includes:

Special-category health data (Article 9). The following are health-related data, which UK GDPR Article 9 classes as a "special category" requiring extra protection. We process:

We treat all of the above as special-category health data and apply the additional safeguards described in Sections 3, 4 and 6.

[to be confirmed]


3. Why we use your data and our lawful basis

Under UK GDPR we must have a valid "lawful basis" for each use of personal data. Where the data is special-category health data, we must also meet an additional Article 9 condition.

Coach data

What we use it forLawful basis (Article 6)
Creating and running your account; providing the servicePerformance of a contract with you
Billing and taking paymentPerformance of a contract / legal obligation (tax records)
Securing the platform, preventing abuse, keeping logsLegitimate interests (running a secure service)
Service and product emails you need to receivePerformance of a contract
Marketing emails (if any)[to be confirmed]

Athlete data (non-health)

What we use it forLawful basis (Article 6)
Creating the athlete portal account; delivering plans[to be confirmed]
Securing the portal, notification emails[to be confirmed]

Athlete health data (Article 9 special category)

We process health data (heart rate, training load, injury/pain reports, Strava activity) so that a coach can create, review and adjust training plans for that athlete.

[to be confirmed]


4. How we ask for consent, and how you withdraw it

Getting consent (the athlete consent gate). An athlete's health data is only processed after the athlete has claimed their own account and given explicit consent. When an athlete claims their account, we present a clear consent step that explains what health data will be processed and why, and asks them to actively agree before any health data processing begins. Consent is:

[to be confirmed]

Withdrawing consent. An athlete can withdraw consent at any time, and it must be as easy to withdraw as it was to give. To withdraw consent, an athlete can [to be confirmed].

If an athlete withdraws consent, we stop processing their health data going forward. Withdrawing consent does not affect the lawfulness of processing that already happened before withdrawal. [to be confirmed]


5. Who we share your data with (third parties)

We do not sell your data. We share it only with the service providers we need in order to run CoachRun, and only for that purpose. Each of these acts as our data processor (except Strava, explained below) and is bound to protect your data.

Strava (athlete-owned connection). If an athlete chooses to connect Strava, they do so through Strava's own secure authorisation (OAuth), using their own Strava account, and grant CoachRun permission to read their activity data (the activity:read_all scope). The connection belongs to the athlete: it is optional, the athlete authorises it, and the athlete can disconnect it at any time from their Strava account. [to be confirmed]

Supabase (hosting and database — data processor). Athlete and coach data is stored in our database and authentication system, provided by Supabase, hosted in the EU-West-1 region (see Section 6). Supabase processes data on our instructions to host the platform.

Resend (email delivery — data processor). We use Resend to send emails, such as account notifications and the "your plan is ready" notification. Note our delivery model: we do not send plan content in email. Emails are a notification plus a link to the secure, authenticated athlete portal ("doorbell email") — the training plan itself lives in the portal, not in the email. [to be confirmed]

Anthropic (AI drafting — data processor). We use Anthropic's AI to produce a *draft* weekly training plan for the coach. Two points matter here:

[to be confirmed]


6. Where your data is stored, and how we protect it

Storage location. Coach and athlete data, including health data, is stored in our Supabase database in the EU-West-1 region.

Security measures. We take the security of health data seriously and apply measures including:

No system can be guaranteed 100% secure, but we work to protect your data using appropriate technical and organisational measures.


7. How long we keep your data (retention)

We keep personal data only for as long as we need it for the purposes described in this policy, and then delete or anonymise it.


8. Your rights

Under UK GDPR you have rights over your personal data. These apply to both coaches and athletes. You can:

How to exercise these rights. You can request an export or deletion of your data, or make any other rights request, by contacting us at [to be confirmed]. We will respond within the timeframe required by law (usually one month). We may need to verify your identity first.


9. International transfers

Your data is stored in the EU (EU-West-1). Some of our service providers may process data outside the UK/EU, which requires an approved safeguard under UK GDPR.

[to be confirmed]


10. A note on how CoachRun works

We think it's important you understand the role of AI in CoachRun, because it involves health data.

Our AI produces a *draft* weekly training plan. Every plan is reviewed and approved by a qualified coach before it is delivered to an athlete. CoachRun is a tool that assists a qualified coach — it does not replace the coach's professional judgment, and it does not make final decisions about anyone's training. The human coach is always in the loop.

[to be confirmed]


11. Changes to this policy

We may update this policy from time to time — for example, if we add a feature, change a service provider, or the law changes. When we make a material change, we will update the "Last updated" date at the top and [to be confirmed]. We encourage you to review this policy periodically.

Effective date: [to be confirmed]


*This document is a draft prepared for legal review and is not legal advice. It must be reviewed and approved by a qualified data protection lawyer before it is published or relied upon.*

This privacy policy is a working draft for legal review and is not yet in force.