Privacy Policy
Version 0.1.0 · Last updated: 2026-XX-XX
1. Who we are
Certified Coach Ltd (company number 00000000) is the data controller for personal data processed through https://www.certified-coach.com.
Registered address: TBD
Data Protection Officer: privacy@certified-coach.com
ICO registration: ZB000000
2. What personal data we collect and why
We collect different categories of data depending on how you interact with the platform. For each category, we identify the lawful basis under UK GDPR.
| Category | Data collected | Purpose | Lawful basis |
|---|---|---|---|
| Account data | Name, email address, profile photo | Create and manage your account | Contract (Art. 6(1)(b)) |
| Authentication data | OAuth tokens, session identifiers, login timestamps | Secure authentication and session management | Contract (Art. 6(1)(b)) |
| Certificate data | Qualification name, issuing organisation, award date, status, certificate ID | Store and verify coaching credentials | Contract (Art. 6(1)(b)) / Legitimate interest (Art. 6(1)(f)) |
| Organisation data | Organisation name, contact details, member roles | Enable academy and club features | Contract (Art. 6(1)(b)) |
| Usage data | Pages visited, browser type, device info, IP address | Service improvement and security | Legitimate interest (Art. 6(1)(f)) |
| Transactional email data | Email address, message content, delivery status | Send account notifications and verification emails | Contract (Art. 6(1)(b)) |
| DBS / criminal record data | DBS certificate number, update service status (future feature) | Verify safeguarding compliance for coaching roles | Substantial public interest (Art. 6(1)(e), Art. 10, DPA 2018 Schedule 1 Part 2) — processed only via an approved DBS Umbrella Body |
3. Criminal offence data (Article 10)
When integrated with the DBS Update Service (a future feature), the platform will process criminal offence data under UK GDPR Article 10. This data receives enhanced protection:
- Processed only via an approved DBS Umbrella Body, not directly by the platform
- The platform stores only the DBS certificate number and update status — not the content of any DBS check
- Access is strictly limited to authorised personnel with a legitimate need
- A Data Protection Impact Assessment (DPIA) will be completed before this feature launches
- The lawful basis is substantial public interest in safeguarding children and vulnerable adults
4. How long we keep your data
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Our full data retention schedule is maintained internally.
| Data type | Retention period | Notes |
|---|---|---|
| Account data | Duration of account + 30 days | Deleted on account closure after grace period |
| Certificate data | Indefinite (trust artefact) | Certificates are trust artefacts that exist independently of profiles. Anonymised on profile deletion if requested, but the certificate record is retained. |
| Authentication logs | 90 days | Security and fraud detection |
| DBS data | Duration of coaching role + 6 months | Deleted when no longer needed for safeguarding |
| Usage / analytics data | 12 months | Aggregated/anonymised after retention period |
5. Who we share your data with
We share personal data only with trusted third-party service providers who process data on our behalf, or where required by law. We do not sell personal data.
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication and user management | United States |
| Neon (PostgreSQL) | Database hosting | United States |
| Vercel | Web application hosting and edge delivery | Global (edge network) |
| Resend | Transactional email delivery | United States |
| Stripe (future) | Payment processing and coach payouts | United States / Ireland |
| DBS Umbrella Body (future) | Criminal record checks for safeguarding | United Kingdom |
| Sentry | Error monitoring and diagnostics | United States |
6. International data transfers
Some of our service providers are based outside the United Kingdom. Where we transfer personal data internationally, we ensure appropriate safeguards are in place:
- UK adequacy decisions: transfers to countries the UK government has deemed to provide adequate data protection
- Standard Contractual Clauses (SCCs): approved by the ICO for transfers to the United States and other countries
- Supplementary measures: encryption in transit and at rest, access controls, and contractual commitments from each provider
7. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Access: request a copy of the personal data we hold about you
- Rectification: ask us to correct inaccurate or incomplete data
- Erasure: ask us to delete your data (subject to legal obligations and the certificate retention policy above)
- Portability: receive your data in a structured, commonly used, machine-readable format
- Restriction: ask us to restrict processing of your data in certain circumstances
- Objection: object to processing based on legitimate interests
- Withdraw consent: where processing is based on consent, withdraw it at any time (this does not affect the lawfulness of prior processing)
To exercise any of these rights, contact us at privacy@certified-coach.com. We will respond within 30 days.
8. Children and young people
Certified Coach is designed for use by adults. We do not knowingly collect personal data from children under 13. Where coaching certificates relate to young people aged 13 to 17, we apply additional safeguards in line with the ICO's Age Appropriate Design Code:
- Minimal data collection — only what is necessary for certificate verification
- No profiling or personalisation of minors' data
- Clear, age-appropriate privacy information
- Parental controls where applicable
9. Cookies
We use cookies and similar technologies to operate the platform. For full details of the cookies we use, how to manage them, and your choices, see our Cookie Policy.
10. How to contact us or make a complaint
If you have questions about this policy or wish to exercise your data protection rights, contact our Data Protection Officer:
- Email: privacy@certified-coach.com
- Post: Certified Coach Ltd, TBD
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. The “Last updated” date at the top of this page indicates when the policy was last revised.