Privacy Policy

01Who we are

Labonde Digital Ventures Ltd ("Labonde Digital Ventures"), the company operating the Coachalyst product, is the controller of your personal data within the meaning of Art. 4 (7) GDPR.

Registered office: [FILL: street, postcode] Paphos, Cyprus Company number (Registrar of Companies and Intellectual Property, Cyprus): [FILL: HE-XXXXXX] Email: hello@coachalyst.com Data protection contact: privacy@coachalyst.com

Coachalyst is a trademark of Labonde Digital Ventures Ltd. Our EU representative under Art. 27 GDPR is listed in the Impressum.

02Scope

This policy applies to all users of the Service worldwide. Where applicable, it implements the transparency and information duties under Art. 13 and Art. 14 GDPR.

For users who are clients of a professional coach using Coachalyst, your coach is a separate controller with respect to data you share with them through the coaching relationship. We act as a processor on the coach's behalf for that data. Your coach's privacy terms apply in addition to ours.

03Categories of personal data we process

We process the minimum data needed to run the Service. Categories include:

• Account data: email, optional name, password hash, preferred language, account creation date, email verification status.
• Profile data: date of birth, sex (optional, for health calculations), height, weight, training goals, experience level.
• Training data: workouts logged, sets, reps, weights, RPE, personal records, exercise notes.
• Nutrition data: calories, macronutrients, meals logged, supplement intake.
• Health-related data: sleep, readiness, recovery scores, menstrual cycle data (optional), Apple Health / Google Fit data (only if you connect it). This data is a "special category" under Art. 9 (1) GDPR.
• Progress media: photos and videos you upload.
• Communications: chat messages between you and your coach, check-in form responses, support tickets.
• Payment data: tier purchased, subscription status, invoice IDs. Payment card details are processed by LemonSqueezy (web) or Apple / Google (mobile); we never see or store card numbers.
• Device and usage data: device model, OS version, app version, IP address, crash diagnostics, coarse usage events (screens opened, features used).
• Marketing data: UTM parameters captured from ad / social links, referral codes, waitlist email and role.

04Purposes and legal bases

We process each data category for specific purposes under the following Art. 6 (1) GDPR legal bases (Art. 9 (2) additionally where health data is involved):

• Provide the Service (create accounts, sync data, deliver coaching features): performance of contract (Art. 6 (1) (b)).
• Process payments and prevent fraud: performance of contract (Art. 6 (1) (b)) and legitimate interests (Art. 6 (1) (f)).
• Process health-related data you enter: your explicit consent (Art. 9 (2) (a)); you can revoke consent in Settings at any time.
• Security, abuse prevention, and service stability: legitimate interests (Art. 6 (1) (f)).
• Send transactional emails (receipts, password resets, security alerts): performance of contract (Art. 6 (1) (b)).
• Send marketing emails (waitlist, launch updates): your consent (Art. 6 (1) (a)); withdrawable by clicking unsubscribe in any email.
• Comply with legal obligations (tax records, law enforcement requests): legal obligation (Art. 6 (1) (c)).
• Product analytics (aggregated usage): legitimate interests (Art. 6 (1) (f)) or consent where required; analytics cookies are off by default.

05Health, cycle, and medical data (enhanced protection)

Training performance, nutrition intake, sleep, readiness, recovery, cycle data, and any data received from Apple HealthKit or Google Health Connect qualify as data concerning health under Art. 9 (1) GDPR and are "special category data". We apply enhanced protections to this data on top of everything else in this policy.

Legal basis: your explicit consent (Art. 9 (2) (a) GDPR). We ask for a separate, specific consent when you first enable each tracker: generic "I accept everything" does not cover health processing.

What we do with your health data:

• Display it to you inside the app so you can see your own patterns.
• Feed it into calculations that help you personally (training load estimate, macro targets, recovery score).
• Share it with your professional coach if you are in a coaching relationship and have explicitly chosen to share that specific data type.
• Compute aggregated, non-identifying statistics to improve the product (for example, average workout duration by experience level). Aggregation removes any link to you before the result is used.

What we will never do with your health data:

• We do not sell it. Ever.
• We do not use it for advertising or behavioural profiling.
• We do not share it with insurers, employers, advertisers, data brokers, or affiliate partners.
• We do not use it to train machine-learning models that leave our own infrastructure.
• We do not voluntarily disclose it to law enforcement. We comply only with valid EU legal process and will notify you unless the order legally prohibits us from doing so.

Apple HealthKit: if you connect Apple Health, we read only the specific HealthKit categories you authorise on a per-category basis (for example: workouts, active energy, body mass, resting heart rate, menstrual flow). We do not write back to HealthKit unless you enable sync. Consistent with Apple App Review Guideline 5.1.3, we do not use HealthKit data for advertising, we do not share HealthKit data with third parties for advertising or data brokering, and we do not sell it. You can revoke individual HealthKit permissions any time in iOS Settings → Privacy & Security → Health → Coachalyst.

Google Health Connect: the same commitments apply to data read via Health Connect on Android, per the Google Play Health Connect Policy. You can manage permissions in the Health Connect app on your device.

Cycle and reproductive data: cycle tracking is off by default. When you enable it, entries are stored encrypted at rest with a dedicated key. Disabling cycle tracking in Settings erases all cycle entries immediately, with no 14-day grace period applied to the rest of your account. This is deliberate: reproductive data deserves the strongest deletion guarantee we can offer.

Your controls:

• Disable any tracker individually in Settings → Privacy.
• Disconnect Apple Health / Google Health Connect without affecting the rest of your account.
• Export a copy of your health data (Settings → Export my data).
• Delete your entire account, which erases all health data we hold about you.

Data Protection Impact Assessment: because we process special category data at scale, we have completed a Data Protection Impact Assessment (Art. 35 GDPR). A summary is available to supervisory authorities on request via privacy@coachalyst.com.

06How each type of data is used

Short version: each data type below is used only for the purposes listed, shared only with the parties listed, and kept only as long as stated. If a purpose is not listed, we do not do it.

• Email: used for account login, transactional emails (receipts, password reset, security alerts), optional marketing if you opt in. Shared with MailerLite only if you opted in to marketing. Retained until account deletion.
• Password: stored as a salted hash (Argon2 / scrypt); we never see, log, or recover the cleartext. Not shared with anyone. Retained until account deletion.
• Profile (name, date of birth, sex, height, weight, goals, experience): used for personalisation and health-related calculations. Shared with your professional coach only if you are in a coaching relationship. Retained until account deletion.
• Workout logs (sets, reps, weights, RPE, notes): used to display your training, drive analytics, generate personal records, and feed your coach's dashboard if connected. Shared with your coach only if connected. Retained until account deletion.
• Nutrition and supplement logs: used for tracking features and coaching. Shared with your coach only if you have chosen to share nutrition with them. Retained until account deletion.
• Cycle and menstrual data: used exclusively for the cycle tracking feature and, if you enable it, correlation with training data shown to you. Shared with your coach only on an explicit, per-share basis. Retained until you disable the feature or delete your account: whichever comes first. Immediate erasure, no grace period.
• Sleep, readiness, recovery: used for your dashboard and training suggestions. Shared with your coach if connected. Retained until account deletion.
• Apple HealthKit / Google Health Connect data: used only in-app to display and correlate with your own training. Not shared with any third party. Revocable at any time per section 5.
• Progress photos and videos: used for your own gallery and, if you explicitly share with your coach, for coaching feedback. Stored encrypted at rest. Shared with your coach only on explicit share. Retained until account deletion or you delete the media.
• Shared community media (food photos, recipes, public-library contributions): used inside the Service so other users can identify, view, and log the same item. Visible to other users only when you explicitly mark a contribution as shared (the default is private). Sharing a contribution to a community surface is permanent: the contribution itself remains in the Service to keep the community database stable for everyone, and on account deletion we irreversibly anonymise it (the photo or recipe stays; your name, profile, and account identifiers are removed). After anonymisation it is no longer your personal data within the meaning of Art. 4 (1) GDPR. The licence terms are set out in Terms § 9.
• Chat messages, check-ins, notes: used for communication between you and your coach or training partner. Visible only to the participants. Retained until either participant's account is deleted.
• Payment and subscription data (tier, invoice IDs, subscription status): used to provision features, bill correctly, and comply with tax law. Shared with LemonSqueezy / Apple / Google (payment providers) and tax authorities. Card details never reach us. Invoice records retained 10 years (legal obligation); other billing data until account deletion.
• Device and usage telemetry (device model, OS, app version, crash stacks, feature-open events): used to keep the service stable and debug issues. Stored on our self-hosted Sentry and PostHog instances. Not shared with anyone. Retained 90 days.
• UTM parameters and referral codes: used to attribute sign-ups to marketing campaigns or Creator partners for revenue share. Not shared with anyone. Stored in a first-party cookie and localStorage for 90 days.
• Security logs (IP address on login, failed-auth attempts): used to prevent account takeover and abuse. Not shared except on valid legal process. Retained 90 days.
• Support tickets and their contents: used to resolve your issue. Handled internally. Retained 2 years for quality and repeat-incident recognition, then deleted.
• Aggregated, non-identifying analytics (e.g. average workout duration by cohort): may be retained indefinitely because they no longer identify you.

Anything not on this list, we do not collect. If we ever add a new data type or use, we will update this section, the privacy policy version, and notify you in-app at least 30 days before it takes effect.

07Who we share data with

We do not sell your personal data. We share it only with the processors and partners listed below, each bound by a written data processing agreement (Art. 28 GDPR).

• Hetzner Online GmbH (Germany): hosting of our backend and database. EU-based.
• LemonSqueezy (Merchant of Record): web payments, EU VAT handling, affiliate payouts.
• Apple Inc.: in-app purchases on iOS (subject to Apple's own privacy terms).
• Google LLC: in-app purchases on Android (subject to Google's own privacy terms).
• MailerLite: transactional and marketing email delivery. EU-hosted instance.
• Sentry (self-hosted): crash and error reporting, IP addresses truncated.
• PostHog (self-hosted): product analytics on our own infrastructure; no data leaves our servers.

If you use Coachalyst as a client of a professional coach, the coach you are contracted with also has access to the training, nutrition, check-in, and chat data you share with them through the Service.

08International transfers

Our infrastructure runs in the European Union. Limited transfers may occur to the United States via Apple and Google in connection with in-app purchases.

Where transfers to third countries take place, we rely on the European Commission's Standard Contractual Clauses (Art. 46 (2) (c) GDPR) and, where applicable, the EU-US Data Privacy Framework (adequacy decision of July 2023). You may request a copy of the safeguards in place by emailing privacy@coachalyst.com.

09Retention periods

We keep personal data only as long as necessary for the purposes for which it was collected.

• Account and profile data: while your account is active, plus 30 days after deletion for recovery, then erased.
• Training, nutrition, health, and media data: while your account is active; permanently erased within 30 days of account deletion.
• Chat messages: while your account is active; erased within 30 days of deletion of either participant's account.
• Invoices and tax records: retained for 10 years as required by Cypriot and German tax law.
• Backups: overwritten on a 30-day rotation; deleted data cannot be selectively restored from older backups.
• Security logs (IP addresses, auth attempts): 90 days.
• Waitlist email (until launch): deleted 30 days after you unsubscribe.
• Aggregated, non-identifying analytics: may be retained indefinitely.

10Your rights

Under the GDPR and Cypriot law you have the following rights with respect to your personal data:

• Right of access (Art. 15): you may request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): ask us to correct inaccurate data.
• Right to erasure (Art. 17): ask us to delete your data ("right to be forgotten").
• Right to restriction of processing (Art. 18).
• Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent (Art. 7 (3)): where processing is based on consent, you may withdraw it at any time; this does not affect the lawfulness of processing before withdrawal.
• Right not to be subject to automated decision-making (Art. 22): see section 11.
• Right to lodge a complaint with a supervisory authority (Art. 77).

11How to exercise your rights

You can exercise most rights directly from the app:

• Access and portability: Settings → Export my data. Delivered as a downloadable JSON + CSV archive within 30 days.
• Rectification: edit profile fields in Settings.
• Erasure: Settings → Delete my account. The deletion flow runs a 14-day grace window during which you can cancel; after grace, all personal data is irreversibly erased (see Account Deletion).
• Withdraw consent: toggle specific processing in Settings → Privacy.

For any other request, email privacy@coachalyst.com. We respond within one month (Art. 12 (3) GDPR); complex requests may be extended by two further months with notice.

12Automated decision-making

Coachalyst does not make decisions that produce legal effects or similarly significant effects about you based solely on automated processing (Art. 22 GDPR).

We use automated calculations for training load estimates, macro targets, and recovery scores. These are informational aids and never replace professional medical advice or produce legally binding decisions.

13Children

The Service is not intended for children under 16 in the European Economic Area or under 13 in other regions. We do not knowingly collect personal data from children below these ages. If you believe a child has provided us with personal data, please contact privacy@coachalyst.com and we will delete it promptly.

14Security

We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR), including:

• TLS 1.3 encryption in transit.
• AES-256 encryption at rest for databases and backups.
• Scrypt / Argon2 password hashing; we never store or log your password.
• Principle of least privilege for internal access; access is audited.
• Offline-first clients reduce data in transit; synchronisation uses authenticated tokens.
• Regular security reviews, dependency scanning, and penetration testing before material releases.

No system is absolutely secure. In the event of a personal data breach that poses a risk to your rights, we will notify the competent supervisory authority within 72 hours and inform you without undue delay (Art. 33, 34 GDPR).

15Cookies and tracking

Our website uses a minimal set of cookies. Essential cookies are always on; analytics cookies are off by default and only activate after you grant consent via the cookie banner. See the Cookie Policy at /cookies for the full list.

The mobile and desktop apps do not use third-party tracking SDKs. We self-host crash and analytics infrastructure.

16Changes, contact, and complaints

We may update this policy to reflect changes in the Service, our partners, or applicable law. We will notify you by email and via in-app notice at least 30 days before material changes take effect. The current version is always available at coachalyst.com/privacy.

Questions or requests: privacy@coachalyst.com.

If you are unhappy with how we handle your personal data, you may lodge a complaint with the competent supervisory authority. In Cyprus: Office of the Commissioner for Personal Data Protection (https://www.dataprotection.gov.cy). In Germany, the authority of your state of residence (overview: https://www.bfdi.bund.de). You may also contact any other EU supervisory authority.