Last updated: March 2026
1. Who We Are The Coaching Platform is a private, invitation-only scheduling tool used by a closed group of coaches and trainees within an organization. Access is restricted to users who have been explicitly invited by an administrator.
2. Information We Collect We collect only the minimum information necessary to operate the platform: name and email address provided by your organization’s administrator, an optional profile picture for coaches, one-time login codes (OTP) that are deleted after use, and booking information such as selected session dates and times.
3. Google Account Integration Coaches may optionally connect their personal Google account exclusively to create Google Calendar events and Google Meet links for confirmed sessions. We request access to Google Calendar solely to create session events on the coach’s behalf. We do not read, scan, index, or store any existing calendar events, and we do not access Gmail, Google Drive, Google Contacts, or any other Google service. OAuth tokens are stored encrypted with AES-256 and never shared with third parties. Coaches can revoke access at any time via myaccount.google.com/permissions or from their profile settings on the platform.
4. How We Use Your Information We use your information to authenticate you via email OTP, match you with your group partner and coaching session, send booking-related email notifications, and create Google Calendar events and Meet links for confirmed sessions where the coach has explicitly granted consent.
5. Data Sharing We do not sell or rent your data. We share data only with Supabase (database hosting), Mailtrap (email delivery), Google (Calendar API for session events only), and Vercel (app hosting). All providers operate under their own privacy policies.
6. Data Retention User accounts and booking records are retained for the duration of the program and a reasonable period afterward. OTP codes are deleted immediately after use or expiry. Google OAuth tokens are deleted when a coach disconnects their account or is removed from the platform. Security logs are retained for up to 90 days.
7. Data Security All data is transmitted over HTTPS. Google OAuth tokens are encrypted with AES-256. Authentication uses short-lived one-time codes with no passwords stored. Role-based access control ensures users only access data relevant to them. Rate limiting and brute-force protection are applied to all authentication endpoints.
8. Your Rights You may request access to, correction of, or deletion of your personal data. You may revoke Google Calendar access at any time without affecting your platform account. To exercise these rights, contact your organization’s administrator.
9. Cookies The platform uses a single session cookie to keep you logged in. It is httpOnly, secure, and expires after 10 days. No tracking, advertising, or analytics cookies are used.
10. Changes to This Policy We may update this policy from time to time. Changes will be posted on this page with an updated date.
11. Contact For questions about this Privacy Policy, please contact your organization’s administrator.