Privacy Policy

Last updated: May 3, 2026

This policy describes how ELH Coach ("we", "us", "Service") collects, uses, and protects information from coaches, businesses (tenants), and the clients those tenants serve. We take privacy seriously: we do not sell your data, and we never have.

1. What we collect

Tenant data: business name, owner name & email, billing details (handled by Stripe — we never store full card numbers).
Coach data: name, email, role within a tenant.
Client data: name, email, body metrics, meal logs, messages, glucose/BP readings, cycle data, condition flags. This may include PHI.
Usage data: IP address, browser, device, page views — used for security, debugging, and aggregate product improvement.

2. How we use it

To provide the Service to you and your clients.
To send transactional emails (invites, billing, security).
To provide aggregated analytics to tenant admins about their own clients only.
To detect and prevent abuse, fraud, and unauthorized access.

We never use client health data to train AI models, sell to advertisers, or share with third parties for their own marketing.

3. Tenant isolation

Every ELH Coach tenant is logically isolated. Coaches in tenant A cannot see clients, messages, or data in tenant B. We enforce this with row-level security in our database and isolation tests in CI.

4. Subprocessors

Supabase — primary database (US region, encrypted at rest)
Render — application hosting (US region)
Stripe — payment processing
Resend — transactional email delivery
Sentry — error monitoring (PII scrubbed before send)

Brand-tier tenants requiring HIPAA receive a BAA covering all subprocessors above.

5. Your rights

If you are a tenant owner: you can export, correct, or delete any client data via the admin app at any time. If you are a client of a tenant: contact your coach or email privacy@elhcoach.app for direct access requests.

EEA, UK, and California residents have additional rights (access, rectification, erasure, portability, opt-out of "sale" — which we do not do). Submit requests to the email above; we respond within 30 days.

6. Retention

Active tenant data is retained for the life of the subscription. After cancellation, data is retained for 30 days (for export) and then permanently deleted, unless legally required to be retained longer.

7. Security

TLS 1.2+ everywhere, HSTS preload
Passwords: PBKDF2-SHA256, 200,000 iterations
Sessions: SHA-256 hashed bearer tokens, 30-day TTL
Database: row-level security, AES-256 at rest
PHI access is logged with tamper-evident audit chains

8. Children

The Service is not directed at children under 13. Tenants who serve minor clients must have parental consent on file before any client data is entered.

9. Changes

We will notify you by email of material changes at least 14 days before they take effect.

10. Contact

Privacy: privacy@elhcoach.app · Security: security@elhcoach.app