Privacy Policy
Last updated: 2026-06-14
1. Who we are
The controller of your personal data is Crux Solutions Paweł Dziennik, registered office at ul. Podłużna 40e/1, 30-239 Kraków, Poland, VAT ID PL5842716635 („we", „Coachably").
Privacy contact: support@coachably.app. We have not appointed a data protection officer — please use this address for all data protection matters.
2. Our role with respect to data
For Coaches (people who create an Account) we act as the data controller under Art. 4(7) GDPR.
For the Coach's Clients (people whose data a Coach enters into the Service) we act as a data processor under Art. 4(8) GDPR — we process such data on the Coach's behalf and instructions, under the Terms of Service, which form the data processing agreement between us and the Coach (Art. 28 GDPR).
3. What data we collect
From Coaches we collect:
- Account data: name, email address, password (stored as a hash).
- Profile data: profile picture, contact details, business information.
- Payment data: billing data sent to Stripe. Card numbers are processed solely by Stripe (as an independent controller); we only see payment status and the last 4 digits.
- Technical data: IP address, device type, browser, login logs.
- Correspondence: messages sent via the contact form or email.
Coaches may additionally enter data about their Clients (name, email, phone number, training plans, progress, body weight, measurements, health-related notes). Some of this may constitute special category data (health data, Art. 9 GDPR). In that case the Coach is the controller and is responsible for the lawful basis (typically: explicit consent of the Client or provision of a health-related service). Where the Coach's Client is a minor, the Coach is responsible for obtaining the consent of a legal guardian where required.
4. Purposes and legal bases
- Providing the Service (account creation, access to features, payment processing) — Art. 6(1)(b) GDPR (contract performance).
- Handling complaints and inquiries — Art. 6(1)(b) and (f) GDPR (legitimate interest in resolving requests).
- Invoicing and accounting — Art. 6(1)(c) GDPR (legal obligation under Polish tax and accounting law).
- Security and abuse prevention (logs, monitoring unauthorized access) — Art. 6(1)(f) GDPR.
- Marketing of our own services (e.g. newsletter if you sign up) — Art. 6(1)(a) GDPR (consent), which you can withdraw at any time.
5. Recipients and sub-processors
We use the following processors (processing data on our behalf and on our instructions):
- Supabase Inc. (US / EU) — database hosting and authentication.
- Resend, Inc. (US) — transactional emails (sign-up confirmation, password reset, system notifications).
- Cloudflare, Inc. (US) — site hosting, CDN, attack protection.
- Apple Inc. and Google LLC — distribution of the mobile app and push notifications (where you use them).
Stripe Payments Europe, Ltd. (Ireland) handles payments and subscriptions. For payment data, Stripe acts as an independent (separate) controller — it also processes that data for its own purposes (including anti-fraud and anti-money-laundering obligations) and is responsible for it under its own privacy policy.
Data may be transferred outside the European Economic Area (including to the United States). Such transfers rely on the Standard Contractual Clauses approved by the European Commission (Decision 2021/914), and where applicable on the EU–US Data Privacy Framework when the recipient is certified under it.
6. Retention periods
- Account data — for the duration of the contract. After Account deletion, data is permanently removed within 30 days, except for data required for tax purposes (5 years from the end of the financial year) and to pursue or defend legal claims (up to 6 years).
- Technical logs — up to 12 months.
- Correspondence — up to 24 months from the last contact.
7. Your rights
Under GDPR you have the right to:
- access your data (Art. 15),
- rectification (Art. 16),
- erasure („right to be forgotten", Art. 17),
- restriction of processing (Art. 18),
- data portability (Art. 20) — we provide an in-app JSON export,
- object to processing (Art. 21),
- withdraw consent, where processing is based on it.
To exercise any of these rights, contact us at support@coachably.app. We will respond within 30 days.
You also have the right to lodge a complaint with the Polish Personal Data Protection Authority (uodo.gov.pl) or with the supervisory authority in your country of residence.
We do not make decisions about you based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).
8. Cookies
We use cookies that are necessary for the Service to function and — with your consent — analytics cookies. You can manage your preferences in .
9. Security
We use TLS for connections, hashed password storage (bcrypt/scrypt), role-based access control, and regular backups. No system is fully secure — if you notice anything suspicious, please report it to support@coachably.app.
10. Changes to this policy
We will notify you of material changes by email and in the Service at least 14 days in advance.