How we handle your coaching data
You put your livelihood and your clients’ progress into this platform. You deserve a plain-English answer about how it’s protected. This page covers data ownership, encryption, workspace isolation, payments, backups, and the third parties involved — with no marketing fluff and no overclaims about certifications we don’t hold.
Last reviewed: May 1, 2026
You control your data
- Coaches own their client roster, programs, check-ins, and messages.
- We act as your data processor — we don’t sell or rent your data.
- Coaches and clients can self-delete their own accounts and data anytime.
- Cancel anytime — no lock-in, no exit interview.
Encryption everywhere
- All traffic between your browser and our servers is encrypted in transit.
- Stored data is encrypted at rest on enterprise-grade cloud infrastructure.
- Passwords are never stored in plaintext — authentication is handled by a managed identity provider.
- Sessions are scoped and time-limited.
Workspace isolation
- Each coaching business operates inside its own isolated workspace.
- Authorization is enforced server-side on every request — not just in the UI.
- Coaches can only see and act on data belonging to their own business.
- Protections are tested continuously as part of our release process.
Payments handled by Stripe
- Card numbers never touch our servers in raw form.
- Stripe is a PCI-DSS Level 1 service provider.
- Coach payouts and client billing run through Stripe Connect.
- Refunds, disputes, and tax calculations stay inside Stripe.
What we don’t claim
Plenty of coaching platforms put official-looking compliance badges on their homepage when they shouldn’t. Here’s where we stand honestly:
- We are not SOC 2 audited. We follow the practices that map to SOC 2 controls (encryption, access control, logging, incident response, code review), but we have not gone through a formal third-party audit.
- We are not HIPAA compliant. CoachingPortal is built for general fitness and nutrition coaching, not medical care. We do not sign Business Associate Agreements. If you handle Protected Health Information, you need a platform that explicitly offers a BAA.
- We are not ISO 27001 certified. We model our internal practices on widely accepted security baselines but don’t hold a formal certificate today.
- GDPR / CCPA: We honor data access and deletion requests for coaches and their clients, and we provide standard data-processing terms on request. We are not a self-certified Data Privacy Framework participant at this time.
Sub-processors we use
These are the third-party services we rely on to deliver CoachingPortal. Each one is limited to the purpose listed, and your data is governed by their published security and privacy practices in addition to ours.
| Service | Purpose | Region |
|---|---|---|
| Google Cloud / Firebase | Application hosting, database, authentication, file storage | United States |
| Stripe | Payment processing for coach subscriptions and client billing | United States (PCI-DSS Level 1) |
| Sentry | Application error monitoring and crash reporting | United States |
| SendGrid / Resend | Transactional email (account, billing, notifications) | United States |
We update this list when we add or change sub-processors. Material changes are announced to coaches by email.
Backups, availability, and access control
Backups
Your data is replicated across multiple availability zones and backed up on a regular schedule with a 30-day retention window. We test restoration procedures regularly.
Availability
CoachingPortal runs on enterprise cloud infrastructure engineered for high availability. We don’t publish a public uptime SLA today, but we monitor health continuously and will notify affected coaches if there is a meaningful outage.
Access control (internal)
Production access is restricted to a small number of engineers and gated behind multi-factor authentication. Routine support uses audited admin tooling rather than direct production access.
Code review & deployment
Every change to production goes through code review and automated test suites covering authentication, tenant isolation, and security-sensitive endpoints before it ships.
Account deletion is in your hands
You shouldn’t have to email a support team to leave a platform. CoachingPortal lets both coaches and clients self-delete their own accounts and data directly from in-app settings.
Coach self-delete
Coaches can permanently delete their account, branded portal, programs, and client records from the account settings page. Deletion is immediate in active systems and propagates to backups within the standard 30-day retention window.
Client self-delete
Clients can delete their own account and personal data directly from their app settings without going through their coach or our support team. Same retention policy applies — gone from active systems immediately, gone from backups within 30 days.
Note: CoachingPortal does not currently offer bulk data export.
Frequently asked questions
Who owns the data I put into CoachingPortal?+
You do. Coaches own their client roster, programs, check-ins, messages, photos, and analytics. CoachingPortal acts as the data processor and stores it on your behalf. We do not sell, rent, or share coach or client data with third parties for marketing purposes.
Can I export my data?+
CoachingPortal does not currently offer bulk data export. Coaches and clients keep full read access to their own data inside the platform for as long as their account is active, and you can cancel at any time.
How do I delete my data?+
Both coaches and clients can self-delete their accounts and associated data directly from in-app settings — no support ticket required. Once deletion is confirmed, the account and its data are removed from active systems immediately and from backups within the standard 30-day backup retention window.
Is CoachingPortal HIPAA compliant?+
CoachingPortal is built for general fitness and nutrition coaching, not for medical providers. We do not currently sign Business Associate Agreements (BAAs) and the platform should not be used to store Protected Health Information as defined by HIPAA. If you are a medical professional, choose a platform that explicitly offers a BAA.
Where is my data stored?+
Application data is stored on Google Cloud (Firebase) infrastructure in the United States. Payment data is handled directly by Stripe and never touches our servers in raw card form.
How do you keep one coach from seeing another coach’s clients?+
Each coaching business operates inside its own isolated workspace. Authorization is enforced server-side on every request, so a coach can only see and act on data belonging to their own business. We test these protections continuously as part of our release process.
Do you use my client data to train AI?+
No. We do not train AI models on your coaching content, client check-ins, messages, or progress data. Some optional in-app features (such as AI-assisted exercise descriptions) call third-party model providers; those calls are scoped to the specific request and not used by us to train shared models.
What happens if there is a security incident?+
If we discover a security incident that affects coach or client data, we will notify affected coaches by email at the address on file and post a status update. We commit to honest disclosure and a clear description of what happened, what data was affected, and what we are doing to prevent recurrence.
How do I report a security issue?+
Email support@coachingportal.io with the subject line "Security report" and a description of the issue. We respond to security reports within two business days and do not pursue legal action against good-faith researchers.
Security questions or reports
If you’re evaluating CoachingPortal for your business and want to dig deeper, or you’ve spotted something that looks like a security issue, email us. We respond to security reports within two business days.
support@coachingportal.ioLooking for our privacy policy or terms of service?