Privacy Policy
Last updated April 7, 2026
1. Information We Collect
When you use by.coach, we collect information you provide directly:
- Account information — name, email address, and profile details when you sign up as a trainer.
- Client information — names and email addresses of clients added by trainers.
- Payment information — processed securely by Stripe. We do not store credit card numbers.
- Usage data — pages visited, features used, and device information to improve the service.
2. How We Use Your Information
We use collected information to:
- Provide and maintain the by.coach platform
- Process payments and manage subscriptions
- Send transactional emails (welcome emails, workout delivery)
- Improve the service based on usage patterns
- Respond to support requests
3. Information Sharing
We do not sell your personal information. We share data only with:
- Stripe — for payment processing (Stripe Privacy Policy)
- Clerk — for authentication (Clerk Privacy Policy)
- Resend — for transactional emails (Resend Privacy Policy)
- Cloudflare — for DNS, CDN, and file storage (Cloudflare Privacy Policy)
- Zoom — for video meeting creation (optional integration) (Zoom Privacy Policy)
- Google — for Google Meet meeting creation (optional integration) (Google Privacy Policy)
4. Video Conferencing Integrations
Trainers may optionally connect their Zoom or Google Meet account to automatically create unique meeting links for client bookings.
What we access
- Meeting creation — we create scheduled meetings on the trainer's behalf (Zoom: meeting:write:meeting scope; Google Meet: meetings.space.created scope)
- Account email — we read the connected account's email address to display in the trainer's settings (Zoom: user:read:email scope)
What we store
- OAuth access and refresh tokens, encrypted at rest using AES-256-GCM
- Connected account email address and provider account ID
- Meeting links generated for bookings (stored on the booking record)
What we do NOT access or store
- Meeting recordings, transcripts, or content
- Participant lists or meeting attendance data
- Calendar data or contacts
Data retention and deletion
- Integration data (tokens, email, account ID) is retained while the integration is active
- Disconnecting the integration from Settings immediately deletes all stored tokens and provider data
- If a trainer removes the app from their Zoom account, we honor the deauthorization request and delete all Zoom-related data within 10 days, in compliance with Zoom's data handling requirements
- Meeting links on past bookings are retained as historical records but are no longer functional after disconnection
5. Data Security
We implement industry-standard security measures including encrypted connections (HTTPS/TLS), secure password hashing, rate limiting, and access controls. OAuth tokens for video integrations are encrypted using AES-256-GCM. Data is stored on servers in the United States.
6. Your Rights
You can:
- Access, update, or delete your account information at any time
- Request a copy of your data
- Unsubscribe from non-essential emails
- Request account deletion by contacting [email protected]
7. Cookies
We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies.
8. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or a notice on the platform.
9. Contact
Questions about this policy? Contact us at [email protected].