Privacy Policy

Last updated: 19 March 2026

1. Who we are

CoachSync is a coaching management platform operated by nullhex Ltd. We help golf coaches manage their students, scheduling, payments, and communications. If you have questions about this policy, contact us at privacy@coachsync.app.

2. What data we collect

We collect information necessary to provide our service. This includes:

Account information - name, email address, and password when you create a coach account.
Client information - name, email, phone number, skill level, handicap, goals, and lesson notes as entered by coaches.
Lesson and booking data - lesson history, scheduling details, attendance records, and booking preferences.
Payment information - payment details are processed securely by Stripe. We store transaction references but do not hold card numbers directly.
Communications - messages sent through WhatsApp, SMS, and email via the platform.
Usage data - basic analytics such as page views, feature usage, and error logs to improve the service.

3. How we use your data

Service delivery - managing lessons, bookings, client records, and payments.
Communications - sending booking confirmations, reminders, nurture emails, and other messages on behalf of coaches.
AI content generation - generating social media content and coaching suggestions using anonymised lesson context.
Analytics and improvement - understanding how the platform is used so we can make it better.
Legal compliance - meeting our legal obligations including tax and fraud prevention.

4. Sub-processors

We share data with the following third-party sub-processors only as necessary to provide the service. Each processes data under their own privacy policy and our data processing agreements.

Service	Purpose	Data processed	Location
Stripe	Payments	Card details, billing info	US / EU
Resend	Email delivery	Email addresses, message content	US
Twilio	SMS delivery	Phone numbers, message content	US
Meta	WhatsApp messaging	Phone numbers, message content	US / EU
Google	Calendar sync	Calendar events, OAuth tokens	US
Anthropic	AI content generation	Coaching context, client names	US
Supabase	Database hosting	All application data	EU (eu-west)
Vercel	Application hosting	Request data, session cookies	Global Edge

5. International data transfers

Some of our sub-processors are based outside the UK and European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) - all our US-based sub-processors (Stripe, Resend, Twilio, Meta, Google, Anthropic) have executed Standard Contractual Clauses as part of their data processing agreements, providing contractual guarantees for data protection.
EU/UK adequacy - our primary database is hosted in the EU (Supabase, eu-west region). Application hosting on Vercel uses edge locations with data processed in the nearest region to the user.
Encryption in transit and at rest - all data transfers use TLS encryption. Sensitive fields (OAuth tokens, client PII) are additionally encrypted at the application level.

6. EU/EEA representative

nullhex Ltd is a UK-registered company. In accordance with Article 27 of the EU GDPR, we are in the process of appointing an EU representative for data protection matters relating to EU/EEA residents. Details will be published here once finalised. In the meantime, EU/EEA residents may contact us directly at privacy@coachsync.app.

7. Data retention and deletion

We retain your data for as long as your account is active. Coaches can delete individual client records at any time. Coaches can also request deletion of their entire account, which will be processed within 30 days.

After account deletion, data is retained for up to 30 days for recovery purposes before being permanently removed. Payment records may be retained longer where required by law.

8. Your rights (GDPR)

If you are in the UK or EU, you have the following rights under data protection law:

Access - request a copy of the personal data we hold about you.
Rectification - ask us to correct inaccurate or incomplete data.
Erasure - ask us to delete your personal data.
Portability - request your data in a structured, machine-readable format.
Objection - object to processing based on legitimate interests.
Restriction - ask us to limit how we process your data in certain circumstances.

To exercise any of these rights, email us at privacy@coachsync.app. We will respond within 30 days.

9. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies. For full details, see our Cookie Policy.

10. Security

We use industry-standard security measures including encrypted connections (TLS), hashed passwords, and access controls. Payment data is handled entirely by Stripe and never touches our servers directly.

11. Changes to this policy

We may update this policy from time to time. We will notify registered users of significant changes by email. The latest version will always be available at this page.

12. Contact

For any privacy-related questions or requests, contact us at privacy@coachsync.app.