Privacy Policy
Last updated: 19 March 2026
1. Who we are
CoachSync is a coaching management platform operated by nullhex Ltd. We help golf coaches manage their students, scheduling, payments, and communications. If you have questions about this policy, contact us at privacy@coachsync.app.
2. What data we collect
We collect information necessary to provide our service. This includes:
- Account information - name, email address, and password when you create a coach account.
- Client information - name, email, phone number, skill level, handicap, goals, and lesson notes as entered by coaches.
- Lesson and booking data - lesson history, scheduling details, attendance records, and booking preferences.
- Payment information - payment details are processed securely by Stripe. We store transaction references but do not hold card numbers directly.
- Communications - messages sent through WhatsApp, SMS, and email via the platform.
- Usage data - basic analytics such as page views, feature usage, and error logs to improve the service.
3. How we use your data
- Service delivery - managing lessons, bookings, client records, and payments.
- Communications - sending booking confirmations, reminders, nurture emails, and other messages on behalf of coaches.
- AI content generation - generating social media content and coaching suggestions using anonymised lesson context.
- Analytics and improvement - understanding how the platform is used so we can make it better.
- Legal compliance - meeting our legal obligations including tax and fraud prevention.
4. Sub-processors
We share data with the following third-party sub-processors only as necessary to provide the service. Each processes data under their own privacy policy and our data processing agreements.
| Service | Purpose | Data processed | Location |
|---|---|---|---|
| Stripe | Payments | Card details, billing info | US / EU |
| Resend | Email delivery | Email addresses, message content | US |
| Twilio | SMS delivery | Phone numbers, message content | US |
| Meta | WhatsApp messaging | Phone numbers, message content | US / EU |
| Calendar sync | Calendar events, OAuth tokens | US | |
| Anthropic | AI content generation | Coaching context, client names | US |
| Supabase | Database hosting | All application data | EU (eu-west) |
| Vercel | Application hosting | Request data, session cookies | Global Edge |
5. International data transfers
Some of our sub-processors are based outside the UK and European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) - all our US-based sub-processors (Stripe, Resend, Twilio, Meta, Google, Anthropic) have executed Standard Contractual Clauses as part of their data processing agreements, providing contractual guarantees for data protection.
- EU/UK adequacy - our primary database is hosted in the EU (Supabase, eu-west region). Application hosting on Vercel uses edge locations with data processed in the nearest region to the user.
- Encryption in transit and at rest - all data transfers use TLS encryption. Sensitive fields (OAuth tokens, client PII) are additionally encrypted at the application level.
6. EU/EEA representative
nullhex Ltd is a UK-registered company. In accordance with Article 27 of the EU GDPR, we are in the process of appointing an EU representative for data protection matters relating to EU/EEA residents. Details will be published here once finalised. In the meantime, EU/EEA residents may contact us directly at privacy@coachsync.app.
7. Data retention and deletion
We retain your data for as long as your account is active. Coaches can delete individual client records at any time. Coaches can also request deletion of their entire account, which will be processed within 30 days.
After account deletion, data is retained for up to 30 days for recovery purposes before being permanently removed. Payment records may be retained longer where required by law.
8. Your rights (GDPR)
If you are in the UK or EU, you have the following rights under data protection law:
- Access - request a copy of the personal data we hold about you.
- Rectification - ask us to correct inaccurate or incomplete data.
- Erasure - ask us to delete your personal data.
- Portability - request your data in a structured, machine-readable format.
- Objection - object to processing based on legitimate interests.
- Restriction - ask us to limit how we process your data in certain circumstances.
To exercise any of these rights, email us at privacy@coachsync.app. We will respond within 30 days.
9. Cookies
We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies. For full details, see our Cookie Policy.
10. Security
We use industry-standard security measures including encrypted connections (TLS), hashed passwords, and access controls. Payment data is handled entirely by Stripe and never touches our servers directly.
11. Changes to this policy
We may update this policy from time to time. We will notify registered users of significant changes by email. The latest version will always be available at this page.
12. Contact
For any privacy-related questions or requests, contact us at privacy@coachsync.app.