Privacy Policy

1. Introduction

Coachful, operated by Influencee Agency OÜ ("we", "our", or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

Personal Information

When you create an account, we collect:

• Name and email address
• Profile picture (optional)
• Phone number (optional, used for WhatsApp communications)
• Account authentication data via Firebase Authentication

Usage Information

We automatically collect:

• Goals, habits, and progress data you enter
• Check-in responses and reflections
• Device information and browser type
• Usage patterns and feature interactions

Payment Information

Payment processing is handled by Stripe. We do not store your complete credit card information. We only receive limited information such as the last four digits of your card for reference purposes.

3. How We Use Your Information

We use your information to:

• Provide and maintain the Service
• Personalize your experience and recommendations
• Process transactions and send related information
• Send you notifications, updates, and support messages
• Analyze usage to improve our Service
• Facilitate community features like Squad interactions
• Send WhatsApp messages for scheduling, reminders, and coaching communications
• Comply with legal obligations

4. Information Sharing

We may share your information with:

• Sub-processors: See the full list of sub-processors below.
• Squad Members: Limited profile information visible to other members in your accountability squads
• Coaches: If you have a premium plan with coach access, your coach may view your progress data
• Legal Requirements: When required by law or to protect our rights

We do not sell your personal information to third parties.

Sub-processors

We engage the following sub-processors to operate the Service. Each has signed a Data Processing Agreement with us and is bound by Standard Contractual Clauses (SCCs) where they process data outside the EU/EEA.

We update this list when sub-processors are added or removed. Material changes are reflected in the “Last updated” date at the top of this page.

4a. International Data Transfers

Coachful is operated from Estonia (EU). Several of our sub-processors are headquartered in the United States or other jurisdictions outside the European Economic Area. When your personal data is transferred outside the EU/EEA, we rely on the following safeguards under Chapter V of the GDPR:

• Standard Contractual Clauses (SCCs): We have executed the European Commission's 2021 SCCs with each sub-processor that handles personal data outside the EU/EEA.
• EU-U.S. Data Privacy Framework: Where applicable, our U.S. sub-processors are self-certified under the EU-U.S. Data Privacy Framework, providing an additional adequacy basis for transfers.
• Supplementary measures: Data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted by our infrastructure providers. Sensitive credentials (OAuth tokens, payment provider keys) are encrypted with AES-256 before being written to our database.

A copy of the SCCs we rely on is available on request — write to support@coachful.co.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. You can request deletion of your account and data at any time by contacting us.

7. Your Rights

If you are located in the EU/EEA, UK, or Switzerland you have the following rights under the GDPR (Articles 15–22). Many of these are also available to users in other regions under local law.

• Right of access (Art. 15) — view the personal information we hold about you
• Right to rectification (Art. 16) — correct inaccurate or incomplete data through your account settings or by contacting us
• Right to erasure / “right to be forgotten” (Art. 17) — delete your account and associated data from Account Settings → Security → Delete account, or by contacting us
• Right to data portability (Art. 20) — download a machine-readable JSON copy of your data from Account Settings → Security → Download my data
• Right to restrict or object to processing (Art. 18, 21)
• Right to withdraw consent (Art. 7) — re-open the cookie banner from your browser settings, or contact us to withdraw consent for any other processing based on consent
• Right to lodge a complaint — with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee, or with your local supervisory authority in the EU/EEA

To exercise any of these rights outside the self-service flows, email support@coachful.co. We respond to verified requests within 30 days.

8. Cookies and Tracking

We use cookies and similar technologies in three categories:

• Strictly necessary cookies — required for the Service to function (sign-in session, CSRF protection, tenant routing, the cookie consent decision itself). These always run.
• Analytics cookies — Google Analytics 4 to measure how the Service is used and improve it.
• Advertising cookies — Google Ads, Meta Pixel, Reddit Pixel, LinkedIn Insight Tag to measure marketing performance and reach prospective customers.

Visitors located in the EU/EEA, the United Kingdom, or Switzerland see a consent banner on their first visit. Analytics and advertising cookies are blocked until you explicitly accept, in line with the ePrivacy Directive and GDPR Article 6(1)(a). You can change your decision at any time by clearing the coachful_consent cookie in your browser, which will cause the banner to reappear.

Visitors outside those regions can manage cookies via their browser preferences.

9. Phone Numbers & WhatsApp Communications

We may collect your phone number for the purpose of sending communications via WhatsApp or other messaging services. This includes:

• Platform notifications: Coachful may send coaches account-related updates, reminders, and support messages via WhatsApp
• Coach-to-client communications: Coaches using the Coachful platform may send scheduling reminders, program updates, and other coaching-related messages to clients via WhatsApp
• Transactional messages: Booking confirmations, session reminders, and other service-related notifications

Your phone number will not be sold to third parties or used for unsolicited marketing. You may opt out of WhatsApp communications at any time by contacting your coach or our support team. Note that opting out may affect your ability to receive important service notifications.

WhatsApp messages are processed through Meta's WhatsApp Business API. By providing your phone number, you acknowledge that your data may be processed in accordance with WhatsApp's Privacy Policy.

10. Google API Data

Coachful integrates with Google APIs to provide coaching and communication features. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google Scopes We Request

Gmail (Email Integration)

• gmail.readonly — Read your email messages to sync coaching-related emails into your Coachful inbox. We only access emails relevant to your coaching communications.
• gmail.send — Send emails on your behalf when you compose and send messages through Coachful's email features (e.g., client outreach, email sequences, broadcast emails).
• userinfo.email — Identify your Google account email address to link your Gmail account to your Coachful profile.

Google Drive (Recording Access)

• drive.readonly — Read-only access to Google Drive to locate and retrieve video call recordings (e.g., Google Meet recordings) for use within Coachful's session review and video analysis features. We do not modify, delete, or create files in your Google Drive.

Google Calendar

• calendar.readonly — Read your calendar events to display your schedule within Coachful and check availability for coaching sessions.
• calendar.events — Create, update, and manage calendar events for coaching sessions booked through Coachful.

How We Use Google Data

• Google data is used only to provide the specific features described above within the Coachful platform.
• We do not use Google data for advertising, market research, or to build user profiles unrelated to Coachful's coaching features.
• We do not sell, rent, or share Google user data with third parties, except as required to provide the Service (e.g., securely storing OAuth tokens to maintain your connection).
• We do not allow humans to read your Google data unless you provide affirmative consent, it is necessary for security purposes, it is required by law, or the data is aggregated and anonymized for internal operations.

Data Storage & Security

• OAuth refresh tokens are stored securely in our database and are encrypted at rest. They are used solely to maintain your authorized connection.
• Email content synced from Gmail is stored in our database to provide inbox features and is accessible only to you and your authorized coaches within your organization.
• Google Drive files are accessed on-demand and are not permanently stored in our systems beyond caching for active session review.
• Calendar data is synced to display scheduling information and is stored only as needed to provide calendar integration features.

Revoking Access

You can disconnect your Google account from Coachful at any time through your account settings. You can also revoke Coachful's access directly from your Google Account permissions page. Upon disconnection, we will stop accessing your Google data and delete stored OAuth tokens.

11. Instagram & Meta Platform Data

Coachful integrates with Meta's Instagram Platform API so coaches can build automations (auto-replies to DMs, comment-to-DM funnels, story-reply flows). When a coach connects their Instagram Professional account, we request the following permissions and process the data described below.

Instagram Permissions We Request

• instagram_business_basic — Read the connected account's username, profile picture, and account type to identify the integration.
• instagram_business_manage_messages — Send direct messages on the coach's behalf in response to user-triggered events (incoming DMs, story replies, post comments). Required to deliver the value the coach configured in their automation.
• instagram_business_manage_comments — Read post comments to detect keyword triggers and post public replies (the "Sent you a DM" pattern). Required for comment-to-DM automations.
• instagram_business_content_publish — Used by Coachful's separate content scheduling feature to publish posts. Not used by automations.

Data We Receive From Meta

• Messages and comments addressed to the connected account: received via Meta's webhook system. Used solely to evaluate automation triggers and craft replies.
• Sender Instagram-scoped user ID: opaque identifier required to send a reply DM. Stored for the minimum time needed to enforce the 24-hour messaging window and prevent duplicate sends.
• Long-lived access tokens (60 days): stored encrypted at rest. Refreshed automatically before expiry. Tokens are never returned to client browsers and are deleted upon disconnection.

How We Use Instagram Data

• Instagram data is used only to operate the automations and content features the coach explicitly configures.
• We do not use Instagram data for advertising, training AI models, or building cross-platform user profiles.
• We do not sell, rent, or share Instagram data with third parties beyond what is required to deliver the configured automation (e.g., calling Meta's API to send a DM the coach asked us to send).
• Coaches and their authorized organization members can view automation execution logs, which include the inbound message text and the outbound reply, to debug their flows.

Data Retention & Deletion

• Conversation tracking records (the timestamp of the last inbound message per sender) are kept only as long as needed to enforce Meta's 24-hour messaging policy.
• Automation execution logs are retained for 90 days for debugging and audit, then deleted.
• You can disconnect your Instagram account from the Coachful Connected Accounts panel at any time. We will revoke the integration, stop all webhook subscriptions, and delete stored access tokens.
• To request deletion of all Instagram-related data tied to your IG-scoped user ID, you (or Meta on your behalf) can submit a deletion request to our Data Deletion endpoint at https://app.coachful.co/data-deletion/instagram or email privacy@coachful.co.

By connecting your Instagram account, you acknowledge that data is also processed in accordance with Meta's Privacy Policy.

12. Children's Privacy

Our Service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If we learn we have collected such information, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service. Your continued use after changes indicates acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or want to exercise your rights, contact us at privacy@coachful.co