Effective date: April 22, 2026
This Privacy Policy explains how Social Concept LLC DBA Coach OS ("CoachOS," "we") collects, uses, and shares information when you use os-coach.com and app.os-coach.com (the "Service"). It applies to Coaches, Clients, and visitors.
1. Summary
- We collect information you give us (account, profile, programs, messages, payments) and information collected automatically (device, usage, cookies).
- We use it to run the Service, bill you, support you, improve the product, and comply with law.
- We share information with service providers who help run the Service, with your Coach or Clients as part of the coaching relationship, and when legally required.
- We do not sell your personal information.
- You have rights over your data, including access, correction, export, and deletion.
2. Information we collect
2.1 Information you provide
- Account: name, email, password (hashed by our auth provider), role (Coach or Client), coaching business name.
- Profile and intake: body measurements, training history, goals, sleep and stress self-reports, dietary preferences, injuries, and any other information you add to your profile or onboarding questionnaire.
- Programs and content: workouts, nutrition templates, notes, check-in responses, messages, automations, and media you upload.
- Billing: payment method details are handled by Stripe; we receive billing metadata (last four digits of card, subscription status, invoices) but not full card numbers.
- Support: information you include when you contact support.
2.2 Information collected automatically
- Usage: pages viewed, features used, clicks, session duration, device type, operating system, browser, approximate location (from IP), and referring URL.
- Logs: server logs including IP address, timestamps, and error reports (via Sentry) for debugging and security.
- Cookies and similar: authentication cookies (required), CSRF cookies (required), and — on the marketing site at os-coach.com only, after you click "Accept all" — Google Analytics cookies.
2.3 Information from third parties
- Supabase (auth and database) — identity records.
- Stripe (payments) — subscription status, checkout outcomes, payout status for Coaches using Stripe Connect.
- OAuth providers (Google) — name, email, and profile picture if you sign in with Google.
- Health integrations (Oura, and any other wearables you explicitly connect) — sleep, heart-rate variability, activity, and similar metrics that you authorize us to read. You can disconnect at any time.
- Email providers (Resend) — delivery, bounce, and complaint events for messages we send.
3. How we use information
- Provide, maintain, and secure the Service.
- Create and manage your account.
- Process payments and subscriptions (including Coach-to-Client payments via Stripe Connect).
- Connect Coaches and Clients and deliver programs, messages, and reminders.
- Generate AI-assisted insights, summaries, and suggestions where you use AI features (see §5).
- Send service communications (e.g. confirmations, receipts, reminders, and security notices). You cannot opt out of these while your account is active.
- Send product updates or marketing only if you opt in; you can unsubscribe from those at any time.
- Analyze usage to improve the Service.
- Comply with law, enforce our Terms, and protect users.
Legal bases (EEA/UK users): we process your personal data to perform our contract with you, to comply with legal obligations, based on your consent (where applicable, e.g. marketing, analytics, wearable data), and for our legitimate interests (security, product improvement, fraud prevention) — balanced against your rights.
5. AI features — what happens to data
When you use AI features, the relevant context (e.g. the current client's program summary, recent check-ins) is sent to our AI provider (OpenAI) over an encrypted connection. We instruct OpenAI not to use this data to train their foundation models, consistent with their API terms. Do not submit protected health information (PHI), highly sensitive identifiers, or confidential third-party data to AI features.
6. Data retention
We retain account data for as long as your account is active. After deletion or prolonged inactivity, we retain backups and minimal records (e.g. billing history) for legitimate business and legal reasons, typically up to seven years for financial records and ninety days for operational backups, after which data is deleted or anonymized. Log data is retained for up to one year.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to limits such as legal retention).
- Export your data in a portable format.
- Object to or restrict processing.
- Withdraw consent for processing based on consent.
- Lodge a complaint with your local data-protection authority.
To exercise any right, email support@os-coach.com. We will respond within the timeframe required by applicable law (e.g. 30 days under GDPR, 45 days under CCPA).
California residents: you have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale or sharing (which we do not do). Nevada residents: you may opt out of any future sale of your information.
8. Children's privacy
The Service is not intended for children under 13 (or under 16 in the EEA). We do not knowingly collect their personal information. If you believe a child has given us data, contact support@os-coach.com and we will delete it.
9. Security
We protect your data with industry-standard measures: TLS in transit, encryption at rest (including application-level encryption for sensitive fields such as intake notes), role-based access, logging, and regular reviews. No system is perfectly secure. In the event of a breach affecting your personal information, we will notify you as required by law.
10. International transfers
CoachOS operates on Cloudflare's global edge and Supabase's US-based infrastructure. If you are outside the United States, your data will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
12. Third-party links and integrations
The Service may link to or integrate with third-party sites (e.g. Stripe Checkout, OAuth providers, wearable vendors). Their privacy practices are governed by their own policies; we are not responsible for them.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced by email or in-product at least 30 days before they take effect. The "Effective date" at the top reflects the most recent version.
14. Contact
Questions or requests? Social Concept LLC DBA Coach OS, 8 The Green, Suite A, Dover, DE 19901. Email: support@os-coach.com. For EU/UK users, you may also contact your local data-protection authority.