Privacy Policy

Last updated: February 16, 2026

1. Who we are

CoachFlow is operated by Web2Fly, a digital solutions company registered in France. When we say "we", "us", or "our", we mean Web2Fly as the data controller for CoachFlow.

Contact: contact@web2fly.com

2. Data we collect

Account data

When you sign up, we collect your name, email address, phone number, and optionally your timezone and coaching specialty.

Profile image

If you upload a profile photo, it is compressed client-side (resized to 256px, converted to WebP format, max ~100 KB) before being stored securely in our cloud storage. Your avatar may appear on your public booking pages.

Client data

Coaches store information about their clients (name, email, phone, session history, notes, tags). This data is entered and controlled by the coach. Phone numbers must be in international format and are validated on entry.

Session & booking data

We store session details (date, time, duration, price, status, location, payment status), booking link configurations, and availability schedules you create.

Usage data

We collect anonymized usage analytics (pages visited, features used) to improve the product. No personal data is shared with third-party analytics providers without your consent.

Cookies & local storage

We use essential cookies for authentication, language preference, and cookie consent. We also use browser local storage for theme preference and UI state. See our Cookie Policy for details.

3. How we use your data

  • Service delivery: To provide, maintain, and improve CoachFlow — including session management, booking, notifications, and dashboard analytics.
  • Authentication: To verify your identity and secure your account.
  • Notifications: To send booking confirmations, payment reminders, and session alerts (in-app and email).
  • Image processing: To compress and store your profile photo for display on your account and public booking pages.
  • Product improvement: To understand usage patterns and improve features (anonymized data only).
  • Legal compliance: To comply with applicable laws and respond to lawful requests.

4. Data sharing

We do not sell your personal data. We share data only with the following service providers, strictly to operate CoachFlow:

  • Supabase (database & file storage, EU region) — stores your account data, client records, sessions, and uploaded files.
  • Vercel (application hosting) — serves the application and runs server-side logic.
  • Web2Fly SMTP (transactional email via Infomaniak) — delivers booking confirmations, session reminders, and account notifications.
  • Upstash (rate limiting) — processes anonymized request metadata to protect against abuse.

All sub-processors maintain appropriate data protection standards and process data within the EU or under adequate safeguards (Standard Contractual Clauses).

5. Data retention & deletion

We retain your data for as long as your account is active. When you delete your account (Settings → Delete Account):

  • All personal data is permanently and immediately erased — including your profile, clients, sessions, booking links, availability, and uploaded files.
  • An anonymized audit log entry is kept to confirm the deletion occurred.
  • This action is irreversible. There is no recovery period.

Certain records may be retained where required by law (e.g., billing records under applicable tax regulations).

6. Your rights

Depending on your location, you have the following rights regarding your personal data:

For all users

  • Access — View and export your personal data at any time (Settings → Export My Data). Your data is exported as a JSON file.
  • Correction — Edit your profile, client records, and session details at any time through the application.
  • Deletion — Permanently delete your account and all associated data (Settings → Delete Account).
  • Portability — Download a machine-readable copy of all your data (JSON export).

Additional rights for European users (GDPR)

  • Object to processing for marketing purposes.
  • Restrict processing in certain circumstances.
  • Lodge a complaint with your local data protection authority (e.g., CNIL in France).

Additional rights for California residents (CCPA/CPRA)

  • Know what personal information is collected and how it is used.
  • Delete your personal information.
  • Opt out of the sale of personal information — we do not sell your data.
  • Non-discrimination — We will not treat you differently for exercising your privacy rights.

To exercise any of these rights, use the built-in tools in Settings or contact us at contact@web2fly.com.

7. Security

We implement industry-standard security measures including:

  • Encryption at rest and in transit (TLS 1.3).
  • Row-Level Security (RLS) ensuring strict data isolation between coaches — no coach can access another coach's data.
  • Rate limiting on all API endpoints to prevent abuse.
  • Server-side input validation (Zod) on all forms and actions.
  • Content Security Policy (CSP) headers to prevent cross-site scripting.
  • Regular security assessments and code audits.

8. International data transfers

Your data is primarily stored in the EU (Supabase, Frankfurt region). Our application hosting (Vercel) operates globally with edge nodes. Data transfers outside the EU are covered by Standard Contractual Clauses or equivalent safeguards.

9. Children's privacy

CoachFlow is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us immediately.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top reflects the most recent revision. Continued use after changes constitutes acceptance.

11. Contact

For privacy-related inquiries:

Web2Fly
Email: contact@web2fly.com
Website: web2fly.com