Data Processing & Subprocessors

This page gives coaches a self-serve summary of how CoachHaven processes coach-managed client data and which production subprocessors support the service.

Last updated: 24 April 2026

Status of this page

This page is designed to answer common vendor-review and GDPR processor questions without requiring a support request.

It is not a signed data processing agreement unless CoachHaven separately incorporates it into a contract, order form, or terms that bind both parties. If you need a signed DPA, email support@coachhaven.app.

Roles

For coach account administration, billing, support, security, legal compliance, and our own service analytics, CoachHaven acts as controller.

For coach-managed client records and workspace content, the coach normally acts as controller and CoachHaven acts as processor or service provider, depending on the applicable law.

Processing details

Data processing details for coach-managed client data
Topic | Details
Subject matter | Hosting and operating CoachHaven for coaches, including client records, plans, tracking, messaging, imports, exports, and related workflows.
Duration | While the coach account or workspace remains active, plus any period required for deletion, backup expiry, billing, security, dispute handling, or legal compliance.
Nature and purpose | Storage, retrieval, display, transmission, support, security monitoring, AI-assisted workflow processing when used, exports, deletion, and service administration.
Data subjects | Coaches, invited clients, client contacts, support requesters, recipe submitters, and people whose data appears in coach-managed workspace content.
Personal data categories | Account/profile details, contact details, client records, plans, notes, messages, adherence logs, imports, support content, billing references, usage data, and telemetry.
Special-category data | Diet, allergy, training, nutrition, health-related goals, and similar information where coaches choose to enter it. Explicit client consent is the expected default unless another valid Article 9 or UK GDPR condition lawfully applies.

Production subprocessors

CoachHaven production subprocessors and provider categories
Provider | Purpose
Auth0/Okta | Authentication, login, session management, identity security, and related account identifiers.
Stripe | Payments, subscriptions, invoices, fraud checks, referral or promotion handling, and Stripe Connect where used.
Resend | Transactional email, contact notifications, support messages, and service communications.
Google Gemini | AI assistance, recipe import, generated plan context, and generated workflow features when used.
Deepgram | Audio transcription for supported assistant and import workflows.
Railway | Application hosting, deployment, runtime infrastructure, and service operations.
Managed Postgres | Primary relational database storage.
Upstash Redis | Cache, rate limiting, queue support, and short-lived operational state.
Tigris or S3-compatible object storage | Media, file storage, export artifacts, backups, and similar object storage needs.
Monitoring, logging, and telemetry providers | Security, reliability, debugging, metrics, logs, traces, and incident investigation.

Controller instructions

CoachHaven processes coach-managed client data to provide, secure, support, and improve the service, and to follow the coach’s product actions and documented instructions. We will tell the coach if an instruction appears to require unlawful processing where the law requires us to do so.

Security measures

  • TLS for data in transit.
  • Managed infrastructure with access controls.
  • Authentication, rate limits, audit records, and operational monitoring.
  • Role-scoped product access where the product supports it.
  • Export expiry and account deletion workflows for requested account actions.
  • Logging and telemetry used for security, reliability, debugging, and incident investigation.

International transfers

CoachHaven targets users in the UK, EU/EEA, and US. Subprocessors may process data in those regions and other countries. Where UK or EEA personal data is transferred internationally, CoachHaven uses or requires safeguards available under data protection law, such as adequacy regulations, the UK/EU-US Data Privacy Framework where applicable, standard contractual clauses, the UK international data transfer addendum, or equivalent processor terms.

Assistance with rights and compliance

CoachHaven provides account export and deletion tools and will provide reasonable assistance for client rights requests, security questions, DPIA information, and regulator inquiries where the request relates to coach-managed data processed by CoachHaven.

Security incidents

If CoachHaven becomes aware of a confirmed personal data breach affecting coach-managed client data, we will notify affected coaches without undue delay and provide information reasonably available to help them meet their own legal obligations.

Deletion and return

Coaches can export account and workspace data and can request account deletion from settings. Deletion removes local account and associated workspace data after active client constraints are resolved, subject to legal, billing, security, dispute, and backup-cycle exceptions.

Contact

For DPA, subprocessor, privacy, or security questions, email support@coachhaven.app.