Client Privacy Policy

DRAFT — for counsel review before publishing. This document was prepared to reflect what the Cadence app actually collects and to cover US (including California and Washington), EU/UK (GDPR), and Canadian (PIPEDA) requirements. It is not legal advice. Bracketed text like [THIS] marks a fact you or your lawyer must confirm. See READ-ME-FIRST.md for the full list of placeholders and assumptions.

Last updated: [EFFECTIVE DATE — e.g., June 8, 2026]

The short version

You're using Cadence because a fitness coach invited you. Cadence is the software your coach uses to program your training, run your check-ins, and message you. This policy explains what we collect, why, and the control you have.

In plain terms:

• We collect the things you'd expect a coaching app to collect — your contact details, your workouts, your check-ins, and the health and body information you choose to log (weight, measurements, photos, mood, sleep, nutrition, and more).
• Your coach decides what to ask you for and how to use it for your coaching. We hold and process that information on your coach's behalf.
• We do not sell your information. We do not use it for advertising. We do not use your data to train AI models. No one at Cadence reads your messages or looks at your photos except in the narrow cases described below.
• You can see, correct, export, or delete your information. Logging health data is your choice, and you can withdraw your consent at any time.

The rest of this policy is the detail behind those promises.

1. Who this policy is for

This policy is for clients — the people who use Cadence to train with their coach. If you are a coach (a "trainer") running your business on Cadence, a separate Trainer Privacy Policy applies to you.

Cadence is intended for adults aged 18 and over. We do not knowingly create accounts for, or collect information from, anyone under 18. (See Section 14.)

2. Who is responsible for your information

Cadence is a multi-tenant platform: your coach runs their own coaching business on top of our software. Because of that, two parties handle your information, in two different roles.

• Your coach is the "controller" of your coaching information. They decide what to collect from you and how to use it to coach you. Your relationship — including any separate agreement, intake forms, or waiver — is with them. Your coach should also provide you with their own privacy notice.
• Cadence is the "processor" for that coaching information. We store and process it on your coach's instructions to make the app work. We don't decide on our own to use your coaching data for new purposes.
• Cadence is the "controller" of a limited set of data we need to run the platform itself — for example, your login credentials, security and device logs, and platform-level usage analytics. For that narrow category, this policy is our direct notice to you.

What this means for you: if you want to know exactly how your coaching data is used, or you want it changed or deleted, you can ask either your coach or Cadence — we'll work together to honor it. See Section 12.

Contact: [LEGAL ENTITY NAME], [MAILING ADDRESS]. Privacy questions: [privacy@traincadence.app]. [If you appoint one: EU/UK representative or Data Protection Officer details here.]

3. What we collect

We collect only what's needed to run your coaching. Most of it comes directly from you (or from your coach setting up your program). Some is generated automatically when you use the app.

3a. Account & identity

• Your name and email address.
• Profile photo (if you add one).
• Time zone and unit preference (imperial/metric).
• How you sign in (email/password, or Google sign-in — see Section 16).

3b. Health & body information (please read)

This is the most sensitive information Cadence handles, so we want to be explicit about it. Depending on what your coach turns on and what you choose to log, this can include:

• Body measurements: body weight and circumference measurements (chest, waist, hips, arm, thigh), captured at the start and during weekly check-ins.
• Wellbeing indicators: self-reported mood, energy, sleep quality/hours, hunger, water intake, and step counts.
• Progress photos: front, side, and back body photos you choose to take. Each photo has a visibility toggle — you control whether your coach can see it, and you can keep any photo private.
• Health history and intake details: a free-text health-history field plus allergies and dietary restrictions. Because this field is open-ended, you may choose to enter information about injuries or medical conditions. You decide what to share here — Cadence does not require you to disclose any medical diagnosis. Please don't enter health details you're not comfortable having stored.
• Nutrition information: meals you log (descriptions, calories/macros or portion counts depending on your coach's method), optional photos of food, and short "how that meal felt" reflections (e.g., energized, sluggish).
• Goals you set (e.g., a target weight or lift).

Under EU/UK law this is "special category" data concerning health. Under California law much of it is "sensitive personal information." Under Washington law it is "consumer health data." We treat it accordingly — see Sections 6, 7, 9, and 13, and the separate Consumer Health Data Privacy Policy.

3c. Training & activity

• Your workout logs: exercises, sets, reps, weights, effort ratings (RPE), and any notes you add.
• Habit and check-in entries, including your written reflections on how your week went.

3d. Communications

• Messages between you and your coach in the in-app chat, including any attachments either of you send.

3e. Payment information

• If you pay your coach through Cadence, we capture your payment method through a third-party payment processor. We store only limited details (such as the card brand and last four digits and an expiry month/year, or a bank name and last four digits). Full card or bank numbers are handled by the payment processor and are not stored on Cadence's servers.
• Records of your subscription and invoices.

3f. Technical & usage information

• Basic device and connection information and security logs (for example, sign-in events and error diagnostics) needed to keep the service running and secure.
• Product analytics — only with your consent. Any non-essential analytics or cookies are off until you opt in, and you can change your mind. See Section 10.

We do not collect information from wearables or fitness trackers today. (If that ever changes, we'll update this policy and ask for your consent first — see Section 15.)

4. How we use your information

We use your information to:

• Provide the coaching service — show your program, log your training, run your check-ins, calculate progress, and power the chat with your coach.
• Let your coach coach you — your coach sees the data you share so they can adjust your program, review your check-ins, and respond to you.
• Handle payments (if you pay through Cadence) via our payment processor.
• Keep the service working, safe, and secure — diagnose problems, prevent abuse, and protect accounts.
• Communicate with you about the service (for example, account or security notices). Coaching nudges and reminders are controlled by your notification settings.
• Improve the product using limited technical and usage data — and, where required, only with your consent.
• Meet legal obligations (for example, keeping certain billing records).

What we never do

• We never sell your information, and we don't "share" it for cross-context behavioral advertising.
• We never use it to show you ads.
• We never use your content — your messages, photos, check-ins, or health data — to train AI or machine-learning models.
• No human at Cadence reads your messages or views your photos except in narrow, necessary cases: to investigate a security issue or suspected abuse, to provide support you've asked for, or where we're legally required. Your coach, of course, sees what you share with them as part of coaching you.

5. Our legal bases (EU/UK GDPR)

If you're in the EEA or UK, we (and your coach) rely on these legal bases:

• Performance of a contract — to deliver the coaching service you've signed up for.
• Consent — for any non-essential analytics/cookies, and as the basis your coach relies on for collecting your health data (see below). You can withdraw consent at any time.
• Legitimate interests — to keep the service secure, prevent abuse, and make basic product improvements, balanced against your rights.
• Legal obligation — to keep records we're required to keep.

Health (special category) data is processed on the basis of your explicit consent under Article 9 GDPR. You give that consent by choosing to log health and body information, and you can withdraw it at any time by stopping, deleting your entries, or contacting us or your coach. Withdrawing consent doesn't affect processing that already happened.

6. Your consent and control over health data

Logging health and body data is always your choice:

• You decide whether to record measurements, photos, nutrition, mood, and the rest.
• Progress photos are private by default to the extent you want — each has a visibility toggle, and you can keep photos hidden from your coach.
• You can delete individual entries, or ask us or your coach to delete your health data entirely.
• Withdrawing consent or deleting data won't be held against you; we don't penalize you for exercising your rights.

7. How your information is shared

We share your information only as needed to run the service:

• With your coach — the data you log and the messages you send are shared with the coach who invited you. That's the point of the app.
• With service providers (our processors) who help us operate Cadence. We disclose them by category, not name: secure cloud hosting and database infrastructure, a payment processor, an email/notification provider, and error-monitoring and analytics tools. They're bound by contract to protect your data, use it only to provide their service to us, and never for their own purposes. (A current list of the specific vendors we use is available on request — see Section 18.)
• For legal reasons — if we're required by law, or to protect the rights, safety, and security of users, your coach, or Cadence.
• In a business transfer — if Cadence is involved in a merger, acquisition, or sale of assets, your information may transfer as part of that deal; we'll notify you and any new owner will be bound by this policy or a policy at least as protective.

We do not sell your information, and we do not share it with advertisers or data brokers.

8. Subprocessors

We use a small number of third-party service providers ("subprocessors") to host and operate Cadence, described by category in Section 7. We maintain a current list of the specific companies and will provide it on request, and — where the law requires — give notice before adding a new one that handles your data. [CONFIRM: if/when you publish a named subprocessor list, link it here and on the Security page.]

9. International data transfers

Cadence stores data in [HOSTING REGION — e.g., the United States]. If you're located elsewhere (for example, the EEA, UK, or Canada), your information will be transferred to and processed in [that region], which may have different data-protection laws than your home country.

Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) [CONFIRM with counsel]. You can ask us for a copy of the safeguards we use.

10. Cookies and analytics

• Essential cookies/storage keep you logged in and the app working. These are always on.
• Non-essential analytics are opt-in. We don't load product analytics until you consent, and you can withdraw consent at any time. We don't use advertising cookies or third-party ad trackers.

11. How long we keep your information

We keep your information for as long as your account is active and you're working with your coach. After that:

• Coaching data is retained for [RETENTION PERIOD — e.g., up to 90 days] after your account is closed or your coach removes you, then deleted or anonymized — unless you ask us to delete it sooner, or we're required to keep it longer.
• Billing and invoice records are kept for [e.g., up to 7 years] to meet tax and accounting obligations.
• Security logs are kept for [e.g., up to 12 months].

If you ask us to delete your data, we'll honor it as described in Section 12, subject to those limited legal retention needs. [CONFIRM all retention periods with counsel.]

12. Your rights and choices

Depending on where you live, you have some or all of these rights:

• Access — get a copy of the information we hold about you.
• Correct — fix information that's wrong or incomplete.
• Delete — ask us to erase your information ("right to be forgotten").
• Port — get your data in a portable format, or have it sent to you.
• Restrict or object — limit or object to certain processing.
• Withdraw consent — for health data or analytics, at any time.

California residents also have the right to know, delete, and correct their personal information; to opt out of the sale or sharing of personal information (we don't sell or share it, so there's nothing to opt out of); to limit the use of sensitive personal information (we already use it only to provide the service you've asked for); and to non-discrimination for exercising these rights.

Washington residents have specific rights over consumer health data described in our separate Consumer Health Data Privacy Policy.

Canadian residents can access and correct their information and withdraw consent, consistent with PIPEDA.

How to exercise your rights. You can contact either your coach or Cadence at [privacy@traincadence.app]. Because your coach controls your coaching data, some requests are routed to them and we'll help fulfill them. We'll respond within [RESPONSE WINDOW — e.g., 45 days] (or sooner where the law requires), and we may need to verify your identity first. If we decline a request, we'll tell you why, and — where the law provides one — you can appeal or complain to your local data-protection authority.

13. Region-specific disclosures

California (CCPA/CPRA). In the past 12 months we've collected the categories of personal information described in Section 3, including sensitive personal information (health and body data, and precise account identifiers). We collect it from you and from your coach, use it for the purposes in Section 4, and disclose it only to the service-provider categories in Section 7. We do not sell or share personal information, and we do not use or disclose sensitive personal information beyond the purposes permitted for providing the service you requested.

Washington (My Health My Data Act). Health and body information you log is consumer health data. How we collect, use, share, and let you control it is described in our standalone Consumer Health Data Privacy Policy, which is linked from our homepage as that law requires. We do not sell consumer health data.

EU/UK (GDPR). Your legal bases are in Section 5; health data relies on explicit consent (Article 9). You have the rights in Section 12 and may complain to your supervisory authority.

Canada (PIPEDA). We collect, use, and disclose personal information with your knowledge and consent, use stronger protection for sensitive health information, and let you access and correct your data.

14. Children's privacy

Cadence is for adults. The service is not directed to anyone under 18, and we don't knowingly collect information from minors. If you believe a minor has provided us information, contact [privacy@traincadence.app] and we'll delete it.

15. Features that aren't active yet

Some capabilities are on our roadmap but not active today — for example, syncing with wearables/fitness trackers, AI-assisted meal planning, and push notifications. We're telling you now so there are no surprises: we are not collecting wearable data or using AI on your data today. Before any such feature launches, we'll update this policy and, where it involves your health data, ask for your consent first.

16. Signing in with Google

If you sign in with Google, we receive basic profile information (such as your name and email) to create and secure your account. Cadence's use of information received from Google APIs follows Google's Limited Use requirements: we use it only to provide and improve user-facing features, we don't transfer or sell it, we don't use it for advertising, and we don't let humans read it except as needed for security, to comply with the law, or with your consent. [CONFIRM scopes with counsel if you add Google Calendar or other Google integrations.]

17. Security

We protect your information with industry-standard safeguards. Today that includes serving the app over encrypted connections (HTTPS/TLS) and requiring a login for access. Other protections — including row-level isolation between coaches, encryption of stored data at rest, and automated backups — are on our roadmap and described honestly on our Security page; we'd rather under-promise than overclaim. No method of storage or transmission is ever 100% secure, but we work hard to protect your data and will notify you, and the relevant authorities, of a breach affecting your information where the law requires.

18. Changes and contact

We'll update this policy as Cadence grows. If we make a material change, we'll update the "Last updated" date and, where appropriate, give you additional notice. Security and privacy are never "done" — this page changes as we ship.

Questions, requests, or concerns:

• Email: [privacy@traincadence.app]
• Mail: [LEGAL ENTITY NAME], [MAILING ADDRESS]
• Your coach: for anything specific to your coaching data, your coach is also a point of contact.