Privacy Policy

Effective: April 23, 2026 Version: 2.0

This Privacy Policy explains how upcoach LLC (“upcoach,” “we,” “us”) handles personal information. It’s written to be readable — if anything is unclear, email [email protected].

At a glance

We run a coaching platform. Different people’s data is handled differently depending on how they got here.
If you signed up directly (you’re a coach, an admin, or a prospect): we’re in charge of your account data.
If you’re here because your coach or organization invited you (you’re a coachee or team member): your coach/organization is in charge of most data about you. We help deliver the service on their instructions. Reach out to them first for access, deletion, or corrections. If they don’t respond within 30 days, contact us directly.
We use third-party services (Stripe, Intercom, AI providers, etc.) — the full list is at upcoach.com/sub-processors.
We don’t sell your data, we don’t train AI on it, and we don’t use it for ads.
You have rights under GDPR, UK GDPR, and similar laws — including access, correction, deletion, and objection. See the “Your rights” section below.

1. Who we are

upcoach LLC 16192 Coastal Highway Lewes, Delaware 19958 County of Sussex, United States

Privacy contact: [email protected]

We’re currently in the process of appointing an EU Representative under GDPR Article 27. Once appointed, their contact details will be published here.

2. Who controls your data?

upcoach wears two hats depending on which data we’re talking about.

We’re in charge (“controller”) of:

Account data — contact info, billing, login credentials, marketing preferences — for anyone who signed up to upcoach directly, whether as a coach, organization admin, or prospect filling out a form.
Marketing-site data — visitors to upcoach.com and people who interact with our sales or marketing.

Your coach or organization is in charge (“controller”) of:

Workspace data — notes about you, observations, messages, programs, assessments, or any content created inside a coaching organization’s workspace.

If you’re a coachee or member of a coaching organization, your coach or organization decides what data to collect about you, how long to keep it, and who sees it. They chose upcoach as the tool to manage that data, but they’re the ones in charge.

What this means in practice

Questions about your account (your login, your billing, your marketing preferences): contact us directly at [email protected].
Questions about what your coach or organization has about you (notes, observations, messages sent to you): contact your coach or the admin of your organization first. They control that data.
If your coach or organization doesn’t respond within 30 days, or no longer exists, contact us at [email protected] and we’ll step in.

3. Data we collect

Data you give us

When you sign up, use upcoach, or contact us, you provide:

Account info: name, email address, password (hashed), organization name, role, profile details (bio, headline, location, timezone, language, photo if you upload one), and links you choose to display.
Billing info (for paying customers): billing contact, tax ID where applicable. Payment card data goes directly to Stripe; we don’t see or store full card numbers.
Content you create: session notes, activity responses, messages you send, files you upload, programs you design.
Communications: emails you send us, chat messages, contact-form submissions, feedback.

Data generated as you use upcoach

Usage data: features you use, pages you view, actions you take, timestamps.
Device and technical data: IP address, browser type, operating system, device identifiers, session info.
Diagnostic data: errors and crash reports that help us fix bugs.

Data we receive from others

Calendar data (if you connect Google or Microsoft Calendar): events, availability, calendar email. This is under your own authorization — see the sub-processor list.
Payment data from Stripe: transaction metadata (amount, status, date), not card details.
Affiliate attribution: if you arrive through an affiliate link, we record the referral (handled by Rewardful).

What we don’t collect

We don’t buy or enrich your data from data brokers.
We don’t use ad networks or ad pixels on our marketing site — no Facebook Pixel, no Google Ads pixel, no retargeting.
We don’t run third-party cross-site analytics — our visitor counter is Plausible, self-hosted, cookieless.

4. What we use your data for

Table: what we do and why we’re allowed to

Purpose	Data involved	Legal basis (GDPR Art 6)
Create and maintain your account	Account info	Contract — Art 6(1)(b)
Deliver the coaching platform you subscribed to	All of the above, as needed for the features you use	Contract — Art 6(1)(b)
Process payments and issue invoices	Billing info, transaction data	Contract — Art 6(1)(b) / Legal obligation — Art 6(1)(c)
Provide customer support	Your communications, account info, relevant usage data	Contract / Legitimate interest — Art 6(1)(f)
Send transactional emails (password resets, invitations, notifications)	Email address, context of the event	Contract — Art 6(1)(b)
Send marketing emails to people who expressed interest in upcoach (contact-form submissions, trials, demos, past customers)	Email address, interaction history	Legitimate interest — Art 6(1)(f); easy opt-out in every message
Monitor platform health, detect abuse, prevent fraud	Usage data, diagnostic data, IP, device data	Legitimate interest — Art 6(1)(f)
Improve our product (aggregate analytics, feature usage trends)	Usage data (Mixpanel)	Legitimate interest — Art 6(1)(f)
Meet legal, tax, and accounting obligations	Billing, communications, logs	Legal obligation — Art 6(1)(c)
Provide AI-assisted features when you use them	Whatever content you submit through AI features	Contract — Art 6(1)(b). See Section 8.
Process marketing-site analytics	Visitor counts via self-hosted Plausible (cookieless, no cross-site tracking)	Legitimate interest — Art 6(1)(f)

What we don’t do

We don’t sell your data. Not to anyone.
We don’t use your data to train AI models. Neither upcoach nor our AI providers train on content processed through upcoach.
We don’t share your data with advertisers.
We don’t make automated decisions that have legal or similarly significant effects on you (GDPR Art 22).

A note about marketing emails

If you filled out a contact form, signed up for a trial, booked a demo, or are a current or past customer, we may send you occasional marketing emails — product updates, relevant tips, announcements. Under GDPR recital 47, this is permitted as a legitimate interest for people who have shown interest in upcoach, as long as opting out is easy.

Every marketing email we send includes a one-click unsubscribe. You can also email [email protected] to stop all marketing messages. Unsubscribing from marketing does not affect transactional emails (password resets, billing, service notifications) — those continue because we need to send them to provide the service.

5. Who else sees your data (sub-processors)

We use a small number of third-party providers to deliver the service. The complete, current list is at upcoach.com/sub-processors.

The list names each provider, what they do for us, what data they touch, where they process it, and the legal mechanism we rely on for international transfers. We update that page whenever a sub-processor changes.

Summary of what’s there:

Payments: Stripe (including Stripe Connect for coaches who sell through upcoach), ProfitWell Retain
Email: Resend
Support & communications: Intercom, Calendly
Analytics & error tracking: Mixpanel (inside the app, with an opt-out coming), Sentry
Infrastructure, storage, delivery: DigitalOcean (managed databases, session store, servers, object storage), Cloudflare (hosting, R2 object storage, CDN), Bunny (video), Pusher (realtime)
AI providers: Anthropic, OpenAI (see Section 8)
User-authorized integrations: Google Calendar, Microsoft Calendar (you connect these; they operate under your authorization)
Affiliate attribution (marketing site only): Rewardful

6. Where your data is processed

upcoach is based in the United States. Several of our providers are also US-based, which means personal data from the EEA, UK, or Switzerland may be transferred to the US or other countries.

When this happens, we use EU Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF) — standard legal mechanisms approved by the European Commission — plus each provider’s own contractual commitments. For customers in the UK, the UK International Data Transfer Addendum applies. For customers in Switzerland, the SCCs are adapted to refer to the Swiss FADP.

More detail is in our DPA (for customers acting as controllers) and in the sub-processor list.

7. How long we keep your data

While you have an account: as long as you’re a customer, we keep your data to deliver the service.
When you close your account or your subscription ends: we delete or anonymize your data within 30 days, except as noted below.
Encrypted backups: our backup rotation keeps data for up to 7 days before being overwritten. So your data may persist in backups for up to 7 days after deletion.
Tax and accounting records (invoices, payment history): retained for periods required by applicable tax law, typically up to 7 years.
Records needed for legal claims: retained as long as reasonably necessary to establish, exercise, or defend legal claims.
Support conversations: retained while useful for support context, purged per provider retention (Intercom) or our own retention rules.

If you’re a coachee or member of a coaching organization, your coach or organization sets the retention for workspace data (their notes about you, programs they designed, messages they sent you). Ask them.

8. AI-assisted features

Some features in upcoach use AI models to help with suggestions, summaries, or generated content.

Which providers and what data

We currently use models from Anthropic (Claude) and OpenAI. When you use an AI-assisted feature, the content relevant to that feature (prompts, the text you’re asking about) is sent to the AI provider.

What doesn’t happen

Neither Anthropic nor OpenAI trains their models on our data under their current API terms.
AI features don’t make decisions that have legal or similarly significant effects on you.
We don’t build or sell AI models using your data.

Future changes

AI is evolving quickly. If we change AI providers, or materially change how AI features work, we’ll update this policy and the sub-processor list. Material changes will bump the version at the top of this page and, where required by law, we’ll notify you directly.

9. Cookies and tracking

We use a small number of cookies, all covered by our Cookie Policy. On our marketing site, visitors in certain regions see a consent banner before any non-essential cookies are set. Our marketing site does not use Google Analytics, Facebook Pixel, Hotjar, or similar third-party analytics; visitor counts come from Plausible (self-hosted, cookieless).

We honor the Global Privacy Control (GPC) signal on the marketing site. If your browser sends GPC, we treat it as an opt-out of non-essential cookies automatically.

10. Security

We take reasonable technical and organizational measures to protect your data, including:

Encryption in transit (TLS 1.2 or higher) for all traffic
Encryption at rest for databases, object storage, and backups
Multi-factor authentication for administrative access
Role-based access control — upcoach staff only access production data when their role requires it
Logical isolation between different organizations’ data
An incident response process with a 48-hour breach notification commitment to customers who are controllers
Regular review and improvement of our measures

No system is perfectly secure. If a security incident affects your data, we’ll notify you as required by law, and promptly notify customers who are controllers.

11. Children

upcoach is not intended for use by individuals under 16. We don’t knowingly collect personal data from children under 16 through our service. If you believe we’ve inadvertently collected data about a child, please contact [email protected] and we’ll delete it.

Coaching organizations using upcoach are responsible for ensuring they have a lawful basis for processing data about any individuals, including minors where applicable in their jurisdiction. See our DPA for details on what coaching organizations warrant.

12. Your rights

Depending on where you are, you may have the following rights under GDPR, UK GDPR, Swiss FADP, or similar laws:

Access: get a copy of the personal data we hold about you.
Rectification: correct data that’s wrong or incomplete.
Erasure: ask us to delete your data (with limits — some data we’re legally required to keep).
Restriction: ask us to limit how we use your data in specific situations.
Portability: get your data in a structured, machine-readable format.
Objection: object to processing based on legitimate interest (including marketing).
Withdraw consent: where we rely on your consent, you can withdraw it at any time (this doesn’t affect processing we’ve already done with your consent).
Not be subject to solely automated decisions that have legal or similarly significant effects — we don’t make these, but the right exists.
Complain to a supervisory authority: you can lodge a complaint with your national data protection authority. In the UK, that’s the Information Commissioner’s Office (ICO). In EU member states, it’s your country’s DPA. If you’re not sure who to contact, ask us.

How to exercise your rights

For account data (your login, your profile, your billing, your marketing preferences): email [email protected]. Most requests are resolved within 30 days.
For workspace data (notes, programs, messages inside a coaching organization): contact your coach or organization first — they’re the controller. If they don’t respond within 30 days, contact us and we’ll step in.
For marketing emails: use the unsubscribe link in any email, or email [email protected].
For cookies on our marketing site: use our cookie preferences page or the banner that appears on first visit.

We don’t charge for exercising these rights. We may ask for proof of identity before acting on certain requests, to prevent someone else from impersonating you.

13. Marketing site visitors and prospects

If you visit upcoach.com without being a customer, the data we have about you is limited:

Plausible visitor counts — aggregate, no cookies, no cross-site tracking, not linked to your identity
If you filled out a contact form: your name, email, and whatever you wrote, so we can reply and follow up. We may add you to prospect communications under legitimate interest (see Section 4); every email has an easy opt-out.
If you clicked an affiliate link (?ref=…): the referral is recorded by Rewardful to attribute a potential signup to the referring affiliate. Doesn’t happen for direct visitors.
If you booked a demo via Calendly: the booking details.

None of these activities run third-party ad pixels or cross-site tracking.

14. Changes to this policy

We may update this Privacy Policy to reflect changes in the law, our services, or our practices. When we do, we’ll:

Update the “Effective” date and version at the top
Post the new version at this URL
Note the change in the changelog at the bottom
Where the change is material, notify you directly by email or a prominent in-product notice

If you keep using upcoach after the effective date of a material update, that counts as acceptance. You can always stop using upcoach if you disagree with an update.

15. How to contact us

Privacy questions, data subject requests, or anything else related to this policy:

[email protected]