1. Who we are
The Coach OS ("we", "us", "our") is a coaching practice management platform operated from Cyprus. Our website is thecoachos.app.
2. What data we collect
We collect data you provide directly:
- Account information (name, email, business name)
- Client data you enter (names, emails, session notes, goals, action items)
- Session transcripts you upload or connect via integrations (Zoom, Fathom, Otter, Fireflies)
- Form responses submitted by your clients
- Messages sent through the platform
- Payment information (processed by Stripe; we do not store card numbers)
- Assessment responses (if you take the Practice Efficiency Assessment)
We collect automatically:
- IP address and browser type (for security and analytics)
- Usage data (pages visited, features used, timestamps)
3. How we use your data
- To provide and improve the Coach OS platform
- To generate intelligent session notes, content, and coaching insights
- To send transactional emails (confirmations, follow-ups, notifications)
- To process payments via Stripe
- To sync data with integrations you connect (Calendly, ActiveCampaign, Zapier)
- To detect and prevent security threats
4. AI and your data
We use AI (Anthropic Claude and OpenAI) to generate session notes, content, and coaching insights. Your data is sent to these providers for processing but is not used to train their models. We use API access with data processing agreements that prohibit training on your content.
Your AI Brain (coaching intelligence) is private to your account. No data from one coach is visible to another.
5. Data security
- All data is encrypted at rest and in transit (TLS 1.3)
- Row-level security on every database table (coaches only see their own data)
- Two-factor authentication available for all accounts
- Infrastructure hosted on Vercel and Supabase (SOC 2 certified infrastructure providers)
- API keys are hashed with SHA-256 before storage
- Webhook deliveries are HMAC-SHA256 signed
6. Data sharing
We share your data only with:
- Supabase — database and authentication hosting
- Vercel — application hosting
- Stripe — payment processing
- Resend — transactional email delivery
- Anthropic / OpenAI — AI processing (session notes, content generation)
- Nylas — calendar sync
- Twilio — SMS messaging (if enabled)
- Integrations you connect — Calendly, ActiveCampaign, Zapier (only when you explicitly authorize)
We never sell your data to advertisers or data brokers.
7. Your rights (including data deletion)
You can:
- Export all your data (Settings → Security → Export Your Data)
- Delete your account and all associated data (Settings → Security → Delete Account)
- Access all data we hold about you at any time through the dashboard
- Rectify any incorrect data by editing client profiles, notes, or your account settings
- Revoke connected social accounts (Facebook, Instagram, Threads, LinkedIn, BlueSky, Google) at any time from Settings → Social media accounts. Disconnecting wipes our stored tokens immediately.
For full data-deletion instructions — including how data flowing in from connected social accounts is handled and the timeline for removal — see our dedicated Data Deletion Instructions page.
For any GDPR or privacy request, email us at amagou@protonmail.com.
8. Cookies
We use essential cookies for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
9. Data retention
We retain your data for as long as your account is active. When you delete your account, all data is permanently removed within 30 days. Backups are purged on the same schedule.
10. Changes to this policy
We may update this policy from time to time. Significant changes will be communicated via email to all registered accounts. The "Last updated" date at the top reflects the most recent revision.