Privacy Policy
Last updated: [DATE]
Effective date: [DATE]
This Privacy Policy explains how Ziquecoach ("Ziquecoach", "we", "us", "our") collects, uses, shares, and protects your personal information when you use our app, website, and related services.
If you have any questions, email contact@ziquecoach.com.
1. Who We Are and Our Role
Ziquecoach is a software-as-a-service platform that lets independent fitness professionals ("Coaches") manage their own coaching businesses and serve their own clients ("Clients").
Our role depends on the data:
- For data you give us directly when you sign up, pay us, or contact us — we are the data CONTROLLER and decide how that data is used.
- For data your Coach collects about you in the course of providing their coaching services — your Coach is the data CONTROLLER and we are their data PROCESSOR. Your Coach is responsible for how that data is collected and used. Ask your Coach for their privacy notice.
- For analytics, fraud prevention, security, and platform improvement — we are an independent CONTROLLER acting in our own legitimate interests.
2. What We Collect and Why
We collect the following categories of personal information. For each category, we explain why we collect it and the lawful basis under GDPR.
A. Identity Data
What: name, email address, phone number, date of birth, profile photo.
Why: to create and secure your account, to identify you to your Coach, to comply with age requirements.
Lawful basis: performance of contract; legitimate interests (security).
B. Account Data
What: username, hashed password, security questions, login timestamps, IP address at login.
Why: to authenticate you and protect your account.
Lawful basis: performance of contract; legitimate interests (security).
C. Billing Data
What: masked card information (tokenized by Stripe — we never see your full card number), billing address, billing history, subscription plan.
Why: to process payments and maintain billing records required by tax law.
Lawful basis: performance of contract; legal obligation (tax records).
D. Coach/Client Linkage
What: which Coach you belong to, your plan or package, your status.
Why: to route your data to the right Coach and provide the coaching service.
Lawful basis: performance of contract.
E. Health and Fitness Data (Sensitive — see Section 3)
What: height, weight, body measurements, body fat percentage, progress photos, gender, age, fitness goals, injury history, medical notes you choose to share.
Why: to enable your Coach to design appropriate programs for you and to display your own data back to you.
Lawful basis: your explicit consent; performance of contract.
F. Activity Data
What: workouts logged, sets/reps/weights, cardio minutes, food logs, calorie and macro totals, sleep, mood, water intake, habit check-ins.
Why: to provide the tracking features of the app and let your Coach see your progress.
Lawful basis: performance of contract; consent (where required).
G. Messaging Data
What: messages between you and your Coach, attachments, voice notes.
Why: to deliver the in-app messaging feature.
Lawful basis: performance of contract.
H. Device and Usage Data
What: IP address, device type, operating system, browser, app version, crash logs, push notification tokens, session timestamps, feature usage analytics.
Why: to operate the app, fix bugs, prevent fraud, and improve the service.
Lawful basis: legitimate interests (service operation and improvement).
I. Location Data
What: approximate location (derived from IP address). We do not collect precise GPS location unless you grant permission for a specific feature.
Why: to detect fraud and to apply the features and laws appropriate to your region.
Lawful basis: legitimate interests (fraud prevention).
J. Third-Party Integration Data [CONFIRM IF USED]
What: data you authorize us to pull from Apple Health, Google Fit, Fitbit, MyFitnessPal, Strava, Garmin, or similar services.
Why: to sync your fitness data with Ziquecoach.
Lawful basis: your explicit consent (which you can withdraw any time).
K. Cookies and SDK Identifiers
What: essential cookies (login, security), and analytics identifiers (only with consent in regions that require it).
Why: to keep you logged in and to understand aggregate usage.
Lawful basis: legitimate interests (essential cookies); consent (analytics cookies).
What We Don't Collect
- Full payment-card numbers (Stripe handles these).
- Bank account numbers (Stripe handles these for Coaches).
- Government IDs (Stripe handles these for Coach onboarding).
- Anything we don't need.
3. Health and Fitness Data — Special Handling
Some of what you share with us — body measurements, weight, body-fat percentage, progress photos, food logs, injury notes, mood and energy ratings — is sensitive. We treat it carefully.
- Under the EU/UK GDPR, it is "data concerning health" and a special category of personal data under Article 9. We process it on the lawful basis of your EXPLICIT CONSENT, which you can withdraw at any time by emailing contact@ziquecoach.com or deleting your account.
- Under California's CPRA and similar US laws (Washington's My Health My Data Act, Connecticut, Nevada), it is "sensitive personal information" or "consumer health data," subject to enhanced rights and consent requirements.
Our commitments:
- We process health data only for the purposes you'd expect: running the coaching service, showing you your own data, sharing it with your own Coach, and computing safety-relevant warnings.
- We do NOT use your health data to train any AI model without separately asking you.
- We do NOT sell your health data.
- We do NOT share your health data with advertisers.
- You can export, correct, or delete any health data from your account settings or by emailing contact@ziquecoach.com.
4. Who We Share Your Data With
A. Your Coach
Your Coach can see the data you submit to them: workouts, food logs, measurements, messages, photos, and check-ins. Your Coach acts as a data controller for that data and has their own privacy obligations.
B. Our Sub-Processors (companies that help us run the service)
We use the following vendors. Each is bound by a data-processing agreement and, for transfers outside the EU/UK, by the appropriate Standard Contractual Clauses.
- Supabase — database, authentication, and file storage hosting (United States)
- Netlify — web hosting and serverless functions (United States)
- Stripe — payment processing and Stripe Connect for Coach payouts (United States)
- [CONFIRM IF USED] Sentry — crash reporting and error monitoring (United States)
- [CONFIRM IF USED] Resend / SendGrid / Postmark / Mailgun — transactional email (United States)
- [CONFIRM IF USED] Twilio / OneSignal / Firebase Cloud Messaging — push notifications and SMS (United States)
- [CONFIRM IF USED] Apple Push Notification Service — iOS push notifications (United States)
- [CONFIRM IF USED] Mixpanel / Amplitude / PostHog / Google Analytics — product analytics (United States)
- [CONFIRM IF USED] OpenAI / Anthropic — AI-generated suggestions (United States) — we do not train these models on your data
- [CONFIRM IF USED] Cloudinary / Mux — image and video storage (United States)
- [CONFIRM IF USED] Intercom / HelpScout / Zendesk — customer support (United States)
The current sub-processor list is published at ziquecoach.com/subprocessors and updated whenever we add or change a vendor.
C. Legal Requests
We may share data with law enforcement, courts, or regulators where we are legally required to do so, or where we believe in good faith it is necessary to protect the rights, safety, or property of Ziquecoach, our users, or others.
D. Business Transfers
If Ziquecoach is involved in a merger, acquisition, or sale of assets, your data may be transferred — but the same protections in this Privacy Policy will continue to apply.
What We Do Not Do
- We do NOT sell your personal information.
- We do NOT share your health data with advertisers.
- We do NOT use your health data to train AI models without separately asking you.
5. International Data Transfers
Ziquecoach is operated from [country] and our sub-processors are based primarily in the United States. If you are located in the EU, UK, Switzerland, or another jurisdiction with data-transfer restrictions, your personal data will be transferred to and processed in countries that may not provide the same level of data protection as your home country.
For these transfers, we rely on:
- The European Commission's Standard Contractual Clauses (2021 module-based set).
- The UK International Data Transfer Addendum (IDTA) for transfers out of the UK.
- The EU-US Data Privacy Framework where the relevant sub-processor is certified.
A copy of the relevant transfer safeguards is available on request — email contact@ziquecoach.com.
6. How Long We Keep Your Data
- Active account data: as long as your account is open.
- Deleted account data: hard-deleted within 30 days of deletion request, except where we are legally required to retain it.
- Backups: retained for 30 to 90 days, then overwritten.
- Billing and invoicing records: retained for up to 7 years (US tax law); EU/UK 5–10 years depending on jurisdiction.
- Messaging: retained for the life of the coach-client relationship plus a reasonable buffer.
- Anonymized and aggregated analytics: retained indefinitely (this data no longer identifies you).
- Security and abuse logs: 90 days to 1 year.
- Marketing-suppression data (so we don't email you again after unsubscribe): retained indefinitely, but kept to a minimum.
7. Your Rights
Wherever you live, you can access, correct, export, and delete your data through your account settings or by emailing contact@ziquecoach.com.
A. GDPR / UK GDPR Rights (EU, UK, EEA, Switzerland)
You have the right to:
- Access your personal data (Art. 15)
- Correct inaccurate data (Art. 16)
- Delete your data — the "right to be forgotten" (Art. 17)
- Restrict processing in some cases (Art. 18)
- Receive your data in a portable, machine-readable format (Art. 20)
- Object to processing in some cases (Art. 21)
- Not be subject to solely automated decision-making with legal effects (Art. 22)
- Withdraw consent at any time (for processing based on consent)
- Lodge a complaint with your national supervisory authority
We will respond to requests within one calendar month, extensible to three months for complex requests (we'll tell you if we need more time).
B. California Rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect, why, and who we share it with
- Delete your personal information
- Correct inaccurate personal information
- Opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising
- Limit the use and disclosure of sensitive personal information (which includes health information)
- Not be discriminated against for exercising your rights
We honor Global Privacy Control (GPC) browser signals as a valid opt-out request.
To exercise California rights, email contact@ziquecoach.com or use the in-app privacy form.
C. Other US States
If you live in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, New Jersey, New Hampshire, Kentucky, Rhode Island, Minnesota, Maryland, or Washington, you have similar rights under your state's privacy law. Email contact@ziquecoach.com to exercise them.
D. Washington My Health My Data Act
If you are a Washington resident, your fitness and wellness data is "consumer health data" under state law. You have the right to confirm whether we collect, sell, or share it, to delete it, and to withdraw consent. Email contact@ziquecoach.com.
E. Australia, Canada, Other Jurisdictions
You have rights under the Australian Privacy Act, PIPEDA (Canada), Quebec Law 25, and other applicable laws. Email contact@ziquecoach.com to exercise them.
We will not charge you for exercising your rights, and we will not penalize you for doing so.
F. How to Export or Delete Your Data In-App
Export your data: You can request a machine-readable copy of the personal data we hold about you from your account settings. We generate the export and email you a private download link. For your security, that link expires after 1 hour, and you can request one export every 24 hours.
Delete your account: You can request deletion of your account from your account settings. When you do, we first deactivate the account and stop active processing, then permanently delete your personal data within 30 days, except records we are legally required to retain (for example, billing and tax records — see Section 6). During the 30-day window you may contact us to cancel the deletion.
If you are a Coach with active Clients: to protect your Clients' own data and any active billing, account deletion is paused until you have offboarded or cancelled your active Clients. You may still request that we anonymize your personal profile information in the meantime. Email contact@ziquecoach.com if you need help winding down a coaching account.
Audit record: We keep an internal, append-only log of sensitive account actions (such as data exports and deletion requests) for up to 12 months to protect account security and to demonstrate compliance.
8. Children's Privacy
Ziquecoach is not intended for, and does not knowingly accept registrations from, users under 13 years old. Users between 13 and 17 may only use Ziquecoach if their parent or legal guardian creates and maintains the account on their behalf and accepts responsibility for everything that happens under it.
If you are a parent or guardian and believe your child has provided personal information to Ziquecoach without your consent, email contact@ziquecoach.com. We will promptly disable the account and delete the child's personal data.
Coaches working with minors must obtain documented parental consent before adding the Client to Ziquecoach.
9. Security
We use industry-standard security measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, regular backups, and security monitoring. No system is perfectly secure, however, and we cannot guarantee absolute security.
If we become aware of a personal-data breach that affects you, we will notify you and the relevant supervisory authority as required by law — within 72 hours of becoming aware for incidents subject to GDPR.
10. Cookies and Tracking
We use a small number of cookies and similar technologies:
- Essential cookies for login and security.
- Analytics cookies (only where you consent or where local law permits) to understand how the app is used.
You can manage cookie preferences via your browser or via the cookie banner shown to users in regions that require consent (EU, UK).
We honor Global Privacy Control (GPC) signals from your browser as an opt-out of "sharing" under CPRA.
11. Automated Decisions and AI Features [CONFIRM IF USED]
Ziquecoach may use AI features (for example, AI-suggested meal plans or workout suggestions) to help your Coach build programs. These suggestions are reviewed by your Coach before being shared with you. We do not make decisions with legal or similarly significant effect on you using only automated processing. We do not train our AI providers' models on your personal data without separately asking you.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we'll notify you by email and in-app at least 30 days before the changes take effect.
13. Contact Us
Questions, complaints, or requests about your data? Contact:
Email: contact@ziquecoach.com
Mailing address: [Your business address]
Data Protection Officer / EU representative: [if appointed, list here]
If you are in the EU/UK and we don't resolve your concern, you may lodge a complaint with your national data protection authority. A list is at edpb.europa.eu (EU) or ico.org.uk (UK).