Last updated: May 9, 2026

CoachReview Privacy Policy

This Privacy Policy describes how CoachReview processes the personal data of users and clients. It is drafted in accordance with the EU General Data Protection Regulation (Regulation 2016/679), the ePrivacy Directive 2002/58/EC and the Digital Services Act.

1. Data controller

The controller of the personal data of Users is Marcin Jasiński, address: ul. Długa 75, 84-239 Bolszewo, VAT number 7742896892, registered in the Polish CEIDG.

Contact for data protection matters: mindmotion.tech@gmail.com or by post at the address above.

For Client data entered by a Coach, the Coach is generally the controller and the Operator acts as processor under the Data Processing Agreement (DPA) included as an attachment to the Terms.

2. Data Protection Officer

The Operator has not appointed a Data Protection Officer — there is no obligation to appoint a DPO under Article 37 GDPR. For all data protection matters, please contact the controller directly at mindmotion.tech@gmail.com.

3. Categories of data processed

Account data: first name, last name, email address, password (hashed), preferred language, time zone, public profile data (where published), billing data.

Technical data: IP address, device and browser identifiers, event logs, diagnostic data and cookie data.

Client data entered by a Coach: name, contact details, training notes, documents, materials, video recordings, availability calendar and other coaching-related information.

Special categories of data (Article 9 GDPR), such as health data, may be entered by a Coach on the Coach's own responsibility and only where the Coach has an appropriate legal basis.

4. Purposes and legal bases

Provision of the Service and account management – Article 6(1)(b) GDPR (performance of the contract).

Payments and invoicing – Article 6(1)(b) and (c) GDPR (legal obligation under accounting and tax law).

Service security, fraud prevention and event logging – Article 6(1)(f) GDPR (legitimate interest in protecting the Service).

Complaints and legal claims – Article 6(1)(b), (c) and (f) GDPR.

Marketing communication – Article 6(1)(a) GDPR (consent), with the additional requirements of the ePrivacy Directive for electronic communications.

Compliance with the DSA and other legal obligations – Article 6(1)(c) GDPR.

5. Sources of data

Most data is provided directly by the User (sign-up, profile, billing).

Some data is generated through use of the Service (logs, technical metadata).

Client data is provided by the Coach.

6. Recipients and processors

Data may be processed by the following categories of providers acting on behalf of the controller: hosting and cloud infrastructure providers, object storage providers (e.g. Amazon S3 or Cloudflare R2), transactional email providers, the payment processor Stripe Payments Europe, Ltd., monitoring and error logging providers, and customer support tools.

Data may also be disclosed to public authorities entitled to receive it under applicable law.

An up-to-date list of sub-processors with processing locations is available on request at mindmotion.tech@gmail.com.

7. International transfers

Some processors may process data outside the European Economic Area, in particular in the United States. The Operator implements appropriate safeguards, including the Standard Contractual Clauses approved by the European Commission and, for US recipients, the EU-US Data Privacy Framework where the recipient is certified.

A copy of the safeguards is available from the Operator on request.

8. Retention

Account data is retained while the Agreement is in force and for the period necessary to settle the Agreement and handle complaints.

Billing data and invoices are retained for the period required by tax and accounting law (typically five years from the end of the financial year).

Data needed to establish, exercise or defend legal claims is retained until the limitation period expires.

Published videos are retained for the availability period defined by the selected plan (6 months for Solo, 12 months for Pro), counted from the date of publication. Once that period elapses, the video is automatically moved to the trash, where it remains restorable for 30 days, after which it is permanently deleted together with the underlying object-storage file (Cloudflare R2 or Amazon S3). Unpublished drafts are deleted 30 days after creation. Detailed rules, including the procedure for plan changes, are described in the Terms of Service (section 6a).

Technical data and security logs are retained for no longer than 12 months unless longer retention is required for an ongoing security incident.

9. Rights of data subjects

Each data subject has the following rights: access (Article 15 GDPR), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), objection to processing based on legitimate interest (Article 21) and withdrawal of consent where consent is the legal basis (Article 7).

Rights can be exercised through account settings or by contacting mindmotion.tech@gmail.com. The Operator responds without undue delay and at the latest within one month.

Data subjects also have the right to lodge a complaint with a competent supervisory authority in their country of habitual residence.

10. Profiling and automated decision-making

The Operator does not take decisions based solely on automated processing that produce legal effects or similarly significantly affect Users within the meaning of Article 22 GDPR.

11. Cookies and similar technologies

The Service uses cookies and similar technologies. Strictly necessary cookies (login, security, application operation) do not require consent. Analytics, marketing and other non-essential cookies require explicit, freely given and informed consent that can be withdrawn at any time.

The cookie banner allows Users to accept, reject or customise non-essential cookies. A detailed list of cookies, their purposes and retention periods is available in the cookie settings.

12. Security

The Operator applies appropriate technical and organisational measures to ensure data security, including TLS encryption in transit, password hashing, role-based access control, the principle of least privilege, data minimisation, regular backups and security event monitoring.

In case of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, the Operator notifies the supervisory authority within 72 hours and, where required, the affected data subjects.

13. Google user data and Google API Services

Scopes requested: https://www.googleapis.com/auth/calendar.events.freebusy (Google Calendar free/busy read).

Data accessed: busy/free time blocks from your primary Google Calendar for the selected week. The Operator does not access event titles, descriptions, attendees, locations, attachments or any other event content.

Purpose: compute available time windows so the Coach can import them into the CoachReview availability calendar. Google user data is used solely to display free/busy windows to the Coach who connected the account and is not used for any other purpose.

Storage: a refresh token issued by Google is stored encrypted at rest and used only to query free/busy windows on the Coach's request. Free/busy responses are processed in memory; only the availability windows the Coach chooses to import are persisted.

Sharing: Google user data is never sold, shared with third parties for advertising, or used to train AI/ML models. CoachReview does not transfer Google user data to third parties except as necessary to provide or improve the integration, comply with applicable law, or as part of a merger, acquisition or sale of assets with notice to Users.

Limited Use: the use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Revocation: the Coach can disconnect Google Calendar at any time in account settings, or revoke access at https://myaccount.google.com/permissions. On disconnect the refresh token is deleted.

14. Changes to this policy

The Operator may update this Privacy Policy following changes in law, providers or features. Material changes are communicated by email and indicated by an updated date at the top of the document. Previous versions are kept for accountability.