⚠️ Draft — pending legal review before publication
Version: 1.0
In force since:

Privacy Policy — iBetterCoach

Last updated: 7 April 2026
Version: 1.0


1. Introduction

iBetterCoach ("we", "our" or "Platform") is a software-as-a-service (SaaS) platform aimed at personal trainers, sports coaches and fitness gyms. This Privacy Policy describes how we collect, use, store and protect the personal data of Platform users, in compliance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and Portuguese Law no. 58/2019 of 8 August, which adapts Portuguese law to GDPR.

By using the Platform, the user declares having read, understood and fully accepted this Privacy Policy. If you do not agree with the terms described here, you should not use the Platform.


2. Data Controller and Data Protection Officer

2.1 Data controller

The data controller for personal data is:

iBetterCoach [legal entity to be defined]
[Address to be defined]
[Tax ID to be defined]
General email: general@ibettercoach.com

2.2 Data Protection Officer (DPO)

iBetterCoach has appointed a Data Protection Officer (DPO), who can be contacted for any matter related to the processing of your personal data or to the exercise of your rights:

DPO email: dpo@ibettercoach.com
Data protection email: privacy@ibettercoach.com

2.3 iBetterCoach's role in the processing chain

iBetterCoach acts as:

  • Data controller for the account data of Professionals (B2B customers) and Platform usage data.
  • Data processor for the personal data and health data of Athletes, processed on behalf of the Professional (B2B customer), under the terms of the Data Processing Agreement (DPA).

2.4 Nature of the service — assistance tool and user responsibility

iBetterCoach is a professional decision support tool, not a healthcare provider, and does not replace medical, nutritional or clinical advice. All suggestions, calculations and prescriptions generated by the Platform — including those assisted by artificial intelligence — are intended to be reviewed and validated by the Professional. In case of any doubt about a health matter, symptom, medication or clinical condition, the user must consult a doctor or other qualified healthcare professional.

Possibility of errors and inaccuracies. The Platform incorporates artificial intelligence components and automated processing that may produce information that is incorrect, outdated, incomplete or unsuitable for the specific case. AI models may "hallucinate" (generate plausible but factually wrong content), calculations may rely on assumptions that do not apply to every person, and scientific guidelines evolve over time. For these reasons, no information presented by the Platform should be treated as absolute truth without validation by the Professional and, whenever appropriate, by a healthcare professional. The user must keep a critical eye on what the Platform presents and report any content that appears incorrect or dangerous to support.

Personal responsibility of the user. Each user (Professional or Athlete) is responsible for their own decisions, for the truthfulness of the data they enter and for how they act on the information presented by the Platform. The Platform provides information and suggestions; the final decision is always the person's. The user undertakes to act with common sense, respect their own physical limits, follow the guidance of their healthcare professional and seek medical help whenever they feel symptoms, pain, discomfort or any warning sign.

The full detail of this limitation is set out in the Legal Notice and Medical Disclaimer (document 05), which forms an integral part of this Policy.


3. Personal Data Collected

3.1 Professional Data (Personal Trainer / Gym Manager)

  • Full name and identification details
  • Email address
  • Phone number
  • Authentication data (managed by the authentication provider Clerk)
  • Billing and payment data (processed by third-party payment providers)
  • Professional information (gym, role, specialisations)

3.2 Athlete Data (entered by the Professional)

  • Full name, date of birth, gender
  • Contact details (email, phone)
  • Emergency contact
  • Anthropometric data (weight, height, perimeters, skinfolds)
  • Body composition data (body fat percentage, lean mass, BMI)
  • Clinical and health data:
    • Diagnosed medical conditions
    • Medications in use (name, dosage, frequency)
    • Surgical history
    • Allergies and food intolerances
    • Lifestyle habits (sleep, smoking, alcohol consumption, stress levels)
    • Cardiovascular screening results (ACSM protocol)
    • Cardiovascular risk factors
  • Training data (plans, execution, loads, RPE, progression)
  • Nutritional data (meal plans, preferences, supplementation)
  • Physical assessment data (protocols, results, normative tables)
  • Training goals and objectives
  • Body photographs (when provided by the professional)
  • Clinical team (names and contacts of healthcare professionals)

3.3 Wearable and Health Data (when synchronised)

  • Heart rate
  • Steps and physical activity
  • Sleep data
  • Estimated calories
  • Other data from Apple HealthKit or Google Health Connect

3.4 Platform Usage Data

  • Access logs (authentication logs, IP addresses, timestamps)
  • Interface interactions (features used, pages visited)
  • Device data (browser type, operating system)
  • Cookies strictly necessary for the operation of the Platform

4. Purpose of Data Processing

Personal data is processed for the following purposes:

4.1 Service Delivery

  • Management of user accounts (professionals and gyms)
  • Creation and management of athlete profiles
  • Generation of training prescriptions and nutrition plans
  • Health screening and risk assessment
  • Calculation of metabolic and performance metrics
  • Application of physical assessment protocols
  • Monitoring of athlete progress and evolution
  • Synchronisation of wearable data

4.2 Service Improvement

  • Aggregated and anonymised analysis of usage patterns
  • Improvement of prescription algorithms and assistance models
  • Identification and correction of technical errors or issues
  • Development of new features

4.3 Security and Compliance

  • Prevention of unauthorised access
  • Detection of abusive or fraudulent use
  • Compliance with legal and regulatory obligations
  • Maintenance of audit logs

4.4 Communication

  • Sending service-related notifications (essential)
  • Technical support communications
  • Updates on changes to the service or legal terms

5. Legal Basis for Processing

The processing of personal data is based on the following legal grounds set out in GDPR:

  • Performance of a contract (Art. 6(1)(b)) — processing is necessary for the provision of the service contracted by the user.
  • Consent (Art. 6(1)(a)) — for health data and sensitive data, processing is based on the explicit consent of the data subject, given through the professional who acts as responsible for the relationship with the athlete.
  • Legitimate interest (Art. 6(1)(f)) — for service improvement and Platform security.
  • Legal obligation (Art. 6(1)(c)) — for compliance with applicable legal obligations.

6. Consent and Health Data

6.1 Nature of the Data

The Platform processes health data, which constitutes a special category of personal data under Art. 9 GDPR. The processing of these data is only lawful with the explicit, freely given, specific and informed consent of the data subject themselves — the Athlete — under Art. 9(2)(a) GDPR.

6.2 Consent is given by the Athlete

The Art. 9(2)(a) consent is always given by the Athlete themselves, through a dedicated flow with a separate, granular checkbox, at the moment of onboarding to the Platform. The Professional cannot give this consent on behalf of the Athlete. The full terms of this consent are detailed in the Informed Consent for Processing of Health Data document, which forms an integral part of this Policy.

The Athlete may withdraw their consent at any time, without affecting the lawfulness of prior processing, by contacting dpo@ibettercoach.com or by using the mechanisms provided in the Platform.

6.3 Professional's responsibility

Without prejudice to the consent given by the Athlete, the Professional using the Platform is responsible for:

  • Informing the Athlete, before processing begins, about the nature and purpose of the data that will be entered into the Platform
  • Presenting the Athlete with the Art. 9 consent flow whenever the Athlete is onboarded to the Platform
  • Not entering health data into the Platform without the Athlete having previously given the required consent
  • Ensuring that the data entered is truthful and kept up to date
  • Keeping a record of the professional-athlete relationship in the context of which the data is processed

6.4 Minors

When the Athlete is under 16, the Art. 9 consent is given by the holder of parental responsibility, without prejudice to the Professional's duty to obtain the minor's assent, whenever possible, depending on their level of maturity.


7. Data Sharing with Third Parties

iBetterCoach does not sell personal data to third parties. Data may be shared in the situations described in this section.

7.1 Sub-processors

iBetterCoach uses a limited set of sub-processors for the provision of the service. All sub-processors are bound by contracts that include data protection clauses pursuant to Art. 28 GDPR. Where a sub-processor is located outside the European Economic Area (EEA), the transfer is protected by the Standard Contractual Clauses (SCC) approved by Commission Decision (EU) 2021/914 and, where applicable, by the EU-US Data Privacy Framework (DPF).

| Sub-processor | Purpose | Data categories | Location | Safeguard |
|---|---|---|---|---|
| Supabase Inc. | PostgreSQL database, storage, alternative authentication | All Platform data, including health data | EU (Frankfurt) | DPA + SCC |
| Clerk Inc. | Authentication, session management and organization management | Identity, email, session and organization IDs | USA | DPA + SCC + DPF |
| Vercel Inc. | Web application hosting, edge functions, CDN | Technical: IP, HTTP headers, access logs | EU (preferred) | DPA + SCC + DPF |
| Anthropic, PBC | AI filler layer — generation of explanatory text from pseudonymised prompts | Pseudonymised text only, with no direct Athlete identifiers and no identifiable health data | USA | DPA + SCC + opt-out from training enabled |

Payment processor. iBetterCoach uses Stripe as payment processor. The Professional's card data (PAN, CVV) is tokenised directly in the browser by Stripe; iBetterCoach does not receive or store full payment instrument data. Clerk does not process payments.

7.2 User-enabled integrations (not sub-processors)

The Platform allows the Athlete to synchronise wearable data from Apple HealthKit and Google Health Connect. These integrations operate based on the Athlete's explicit authorisation on their device, and Apple and Google do not process data on behalf of iBetterCoach — they are platform providers of the Athlete's device. iBetterCoach only receives the data the Athlete authorises to share.

7.3 Updates to the sub-processor list

iBetterCoach reserves the right to change the list of sub-processors. Any addition or replacement will be communicated 30 days in advance, giving the B2B customer the option to object under the terms of the DPA.

7.4 Access within the Platform context

  • The Athlete's data is accessible to the Professional(s) who have an active and authorised relationship with the Athlete.
  • In multi-gym contexts, only Professionals with explicit permissions access the data.
  • Gym managers access operational data of trainers on their team.

7.5 Legal obligations

iBetterCoach may have to share data with competent authorities (CNPD, judicial authorities, police) when required by law, court order or substantiated request from a public authority.


8. International Data Transfers

Some of our service providers may be located outside the European Economic Area (EEA). In these situations, we ensure that adequate safeguards are in place, namely:

  • Standard contractual clauses approved by the European Commission
  • Adequacy decisions of the European Commission
  • Other mechanisms set out in GDPR

9. Data Retention

9.1 Account Data

  • Maintained while the account is active
  • After cancellation, data is retained for a maximum period of 90 days to allow reactivation, after which it is deleted or anonymised

9.2 Athlete Data

  • Maintained as long as there is an active relationship between the professional and the athlete
  • When the athlete is archived, data is retained for a period of 2 years for clinical history and audit purposes, after which it is deleted or anonymised
  • The professional may request early deletion of an athlete's data

9.3 Usage Data and Logs

  • Access logs: retained for 12 months
  • Aggregated analytical data: retained indefinitely (anonymised)

10. Rights of Data Subjects

Under GDPR, data subjects have the following rights:

  • Right of access — obtain confirmation and a copy of the personal data processed
  • Right of rectification — request correction of inaccurate data
  • Right to erasure ("right to be forgotten") — request deletion of data, under the conditions provided by law
  • Right to restriction of processing — request restriction of processing in certain circumstances
  • Right to data portability — receive data in a structured, commonly used and machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — at any time, without affecting the lawfulness of prior processing

To exercise these rights, contact: privacy@ibettercoach.com

The data subject also has the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) — www.cnpd.pt


11. Data Security

iBetterCoach implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • Data isolation by context (multi-tenant)
  • Role-based access control (RBAC)
  • Secure authentication with session management
  • Audit logs of access and critical operations
  • Regular backups with tested recovery
  • Validation and sanitisation of all inputs
  • Secure error responses (without exposure of internal data)

12. Cookies

The Platform uses only cookies that are strictly necessary for the operation of the service (authentication, session, interface preferences). We do not use advertising or third-party tracking cookies.


13. Minors

The Platform is not intended to be used directly by minors under 16. When data of athletes under 16 is entered by a professional, the professional is responsible for ensuring that consent has been obtained from the holder of parental responsibility.


14. Changes to This Policy

iBetterCoach reserves the right to update this Privacy Policy at any time. Changes will be communicated to users through the Platform or by email. Continued use of the Platform after the communication of changes constitutes acceptance thereof.


15. Contact

For privacy and data protection matters:

Email: privacy@ibettercoach.com
Address: [To be defined]


This document is part of the iBetterCoach product governance and must be reviewed by a lawyer specialised in data protection before publication.

This document may be updated. The version in force is always the one available on this page.
