CoachComet
Get Started Free

Privacy Policy

Last updated: 8 March 2026

1. Data Controller

Alera LTD ("we", "us", "our"), trading as CoachComet, is the data controller for your personal data under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.

Registered address: Unit A, 82 James Carter Road, Mildenhall, IP28 7DE, United Kingdom

Data Protection Contact: privacy@coachcomet.com

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Name, email address, hashed password
  • Client data (entered by coachs): Client names, email addresses, dates of birth, GP details, emergency contacts, session notes, assessment responses, thought records, therapy agreements, goal information, and action items
  • Special category data: Health-related information entered by coachs about their clients (processed under Article 9(2)(h) UK/EU GDPR for health care purposes)
  • Feedback data: Anonymous responses from third-party supporters completing 360-degree feedback assessments
  • Usage data: Pages visited, features used, timestamps, browser type, IP address
  • Payment data: Processed by Stripe; we do not store full card details. We retain transaction records (amounts, dates, status)
  • Communications: Emails or messages you send us

3. Lawful Basis for Processing

We process personal data under the following lawful bases (Articles 6 and 9 UK/EU GDPR):

  • Performance of a contract (Art. 6(1)(b)): To provide, maintain, and support the Service you have subscribed to
  • Legitimate interests (Art. 6(1)(f)): To improve the Service, ensure security, prevent fraud, and communicate product updates. We have conducted a Legitimate Interests Assessment (LIA) and concluded that these interests do not override your fundamental rights
  • Consent (Art. 6(1)(a)): Where you opt in to optional communications (e.g., marketing emails). You may withdraw consent at any time
  • Legal obligation (Art. 6(1)(c)): To comply with applicable laws (e.g., tax records, law enforcement requests)
  • Health care provision (Art. 9(2)(h)): Where coachs enter health-related client data, processing is necessary for the provision of health care under the responsibility of a health professional

4. How We Use Your Data

  • To provide, maintain, and improve the Service
  • To process transactions and send related information
  • To send administrative notifications (security alerts, account updates, service changes)
  • To respond to support requests
  • To monitor usage patterns and improve user experience (analytics)
  • To enforce our Terms of Service and protect against misuse
  • To comply with legal obligations

5. Data Sharing and Sub-Processors

We do not sell your personal data. We share data only with the following categories of sub-processors, under appropriate Data Processing Agreements (DPAs):

Sub-ProcessorPurposeLocation
Supabase (AWS)Database hosting, authentication, edge functionsEU (Frankfurt)
StripePayment processingUS (SCCs in place)
ResendTransactional email deliveryUS (SCCs in place)
Lovable (Netlify)Frontend hosting and deploymentEU/US

We may also disclose data to legal authorities when required by law, and in connection with business transfers (mergers, acquisitions, or asset sales), subject to the acquiring entity agreeing to equivalent data protection obligations.

6. International Transfers

Where your data is transferred outside the UK or EEA, we ensure one of the following safeguards is in place:

  • An adequacy decision by the UK Secretary of State or the European Commission
  • Standard Contractual Clauses (SCCs) approved by the ICO/European Commission
  • The recipient's binding corporate rules, where applicable

You may request a copy of the relevant safeguard documentation by contacting us.

7. Data Retention

  • Account data: Retained for the duration of your account plus 12 months following deletion, then permanently erased
  • Client data: Retained as long as the coach's account is active. Coachs may delete individual client records at any time (Right to be Forgotten). Upon account deletion, all associated client data is permanently erased within 30 days
  • Payment records: Retained for 7 years as required by HMRC tax regulations
  • Audit and security logs: Retained for up to 12 months
  • Lead/marketing data: Retained for 24 months from collection, then deleted

8. Your Rights (Articles 15-22 UK/EU GDPR)

You have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"). We provide a one-click data deletion tool within the Service for coachs to delete client records
  • Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON). We provide a data export function within the Service
  • Right to object (Art. 21): Object to processing based on legitimate interests, including profiling
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing
  • Rights related to automated decision-making (Art. 22): We do not make decisions based solely on automated processing that produce legal or similarly significant effects

To exercise any of these rights, contact us at privacy@coachcomet.com. We will respond within one calendar month as required by UK/EU GDPR.

9. Data Security

We implement the following technical and organisational measures (Article 32 UK/EU GDPR):

  • Encryption in transit: All data transmitted via TLS 1.2+
  • Encryption at rest: Database encryption using AES-256
  • Row-Level Security (RLS): Database policies ensure coachs can only access their own client data
  • Token-based access: Clients and third-party respondents access assessments and feedback forms via unique, time-limited tokens without requiring account creation
  • Access controls: Role-based access control for administrative functions
  • Rate limiting: Protection against brute-force and abuse attacks on public endpoints
  • Regular security assessments: Periodic review of configurations and dependencies

No method of transmission or storage is 100% secure. In the event of a personal data breach, we will notify the ICO within 72 hours (Article 33 UK/EU GDPR) and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).

10. Cookies and Tracking

We use the following categories of cookies:

TypePurposeConsent Required
Strictly necessaryAuthentication session, CSRF protection, cookie consent preferenceNo (exempt)
FunctionalTheme preference, UI stateNo (strictly necessary for function)

We do not use third-party tracking, analytics, retargeting, or advertising cookies. If this changes in the future, we will update this policy and obtain your explicit consent before deploying such cookies, in compliance with the Privacy and Electronic Communications Regulations (PECR) 2003.

11. Coach Responsibilities (Joint/Independent Controller Considerations)

Coachs using CoachComet are independent data controllers for the personal data of their own clients. CoachComet acts as a data processor on behalf of each coach for client data stored within the platform.

Coachs are responsible for:

  • Obtaining appropriate consent or establishing a lawful basis for entering client data into the Service
  • Informing their clients about how their data will be processed, including use of CoachComet as a sub-processor
  • Responding to data subject access requests from their own clients (CoachComet provides data export and deletion tools to facilitate this)
  • Ensuring compliance with professional codes of conduct and any sector-specific regulations

Our Data Processing Agreement (DPA) is available on request and forms part of our Terms of Service.

12. Data Protection Impact Assessments (DPIA)

We have conducted Data Protection Impact Assessments for high-risk processing activities, including the processing of health-related data and large-scale assessment data, in accordance with Article 35 UK/EU GDPR. DPIA summaries are available on request.

13. Children

The Service is not intended for individuals under the age of 18. We do not knowingly collect data from children. If a coach enters data relating to a minor client, the coach is solely responsible for ensuring appropriate parental/guardian consent and compliance with applicable child protection legislation.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or email at least 30 days before taking effect. The "Last updated" date at the top indicates the latest revision. Continued use after the effective date constitutes acceptance.

15. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with:

  • UK: Information Commissioner's Office (ICO) at ico.org.uk
  • EU: Your local Data Protection Authority (DPA) under Article 77 EU GDPR

We encourage you to contact us first at privacy@coachcomet.com so we can try to resolve your concern.

16. Contact

For data protection queries, contact us at:

  • Email: privacy@coachcomet.com
  • Post: Alera LTD, Unit A, 82 James Carter Road, Mildenhall, IP28 7DE, United Kingdom