Trainer Privacy Policy

DRAFT — for counsel review before publishing. Prepared to reflect what the Cadence app actually collects and to cover US (including California and Washington), EU/UK (GDPR), and Canadian (PIPEDA) requirements. Not legal advice. Bracketed text like [THIS] marks a fact to confirm. See READ-ME-FIRST.md.

Last updated: [EFFECTIVE DATE — e.g., June 8, 2026]

The short version

Cadence is the platform you use to run your coaching business — programming, check-ins, chat, branding, and (when it ships) billing. This policy covers your information as a coach. It also explains your responsibilities for your clients' information, which you control and we process on your behalf.

In plain terms:

• We collect what we need to give you an account, run your workspace, bill you, and keep the platform secure.
• For your clients' data, you're in charge — you decide what to collect and why. We act on your instructions and offer you a Data Processing Addendum.
• We don't sell your data, don't advertise to you with it, and don't train AI models on your or your clients' content.

1. Who this policy is for

This policy is for trainers — the coaches and businesses that run on Cadence. A separate Client Privacy Policy covers the people you coach. Cadence is built for adult professionals; you and your clients must be 18 or older to use it.

2. Two roles — yours and ours

Because Cadence is a multi-tenant platform, data flows through two relationships:

• Your information → Cadence is the controller. We decide how to handle the limited information needed to give you an account, charge you, support you, and secure the platform. This policy is our notice to you for that.
• Your clients' information → you are the controller, Cadence is your processor. You decide what to collect from your clients and how to use it to coach them. We store and process it on your documented instructions to provide the service. We don't use your client data for our own purposes.

Your responsibility as a controller. Because your clients' information — including health and body data — is yours to control, you're responsible for having a lawful basis to collect it, giving your clients appropriate notice, and (where required, e.g., for health data under GDPR or consumer-health-data laws) obtaining their consent. Cadence provides client-facing privacy notices and tools to help, but the controller obligations are yours. We make a Data Processing Addendum (DPA) available to govern this relationship. [CONFIRM you'll offer a DPA; attach or link the template.]

3. What we collect from you

3a. Account & identity

• Your name, email, and password (or Google sign-in).
• Profile photo, if you add one.

3b. Business & brand

• Your business name, slug, logo, brand colors and fonts, custom app name, and the settings you configure (feature toggles, check-in prompts, automations, availability, packages, and discount codes).

3c. Billing

• If/when platform billing is active, the payment method you use to pay Cadence, captured through a third-party payment processor. We store only limited details (card brand and last four digits, expiry), plus your plan, trial dates, and billing status. Full card or bank numbers are handled by the processor, not stored on Cadence's servers.

3d. Communications & support

• Messages you send us, support requests, and feedback.

3e. Technical & usage

• Device and connection information, sign-in and security logs, and product-usage information used to operate, secure, and improve the platform. Non-essential analytics are opt-in.

4. How we use your information

• Provide and operate your workspace — your dashboard, programs, client management, and settings.
• Bill you for your Cadence subscription (via our payment processor) and manage trials and plan changes.
• Support you and respond to your messages.
• Secure the platform — prevent abuse, diagnose problems, protect accounts.
• Improve the product with limited usage data (opt-in where required).
• Send you service communications (account, security, billing). Marketing emails, if any, are based on your preferences and you can opt out.
• Meet legal and tax obligations.

What we never do: we don't sell your information, don't use it for third-party advertising, and don't train AI models on your content or your clients' content.

5. Legal bases (EU/UK GDPR)

For your information as a trainer, we rely on performance of a contract (running your account), legitimate interests (securing and improving the platform), consent (non-essential analytics/marketing), and legal obligation (records we must keep).

6. How your information is shared

• Service providers (our processors), disclosed by category: secure cloud hosting and database infrastructure, a payment processor, an email/notification provider, and error-monitoring and analytics tools. They're contractually bound to protect your data and use it only to serve us.
• For legal reasons, where required or to protect rights, safety, and security.
• In a business transfer (merger, acquisition, asset sale), subject to this policy or one at least as protective.

We don't sell your information or share it with advertisers or data brokers.

7. Subprocessors

We use a small number of subprocessors to host and operate Cadence (Section 6). We keep a current list of the specific companies, provide it on request, and — where required — give notice before adding a new one. [Link a named list here if/when you publish one.]

8. Your clients' data and your obligations

• You are the controller of your clients' data; Cadence is your processor.
• You must have a lawful basis and provide appropriate notice and consent — especially for health and body data, which is "special category" data (GDPR), "sensitive personal information" (California), and "consumer health data" (Washington).
• We process client data only on your instructions and the documented purposes in the DPA.
• When you delete a client — or close your account — associated client data is deleted or anonymized per our retention schedule (Section 10), subject to limited legal retention.
• Our handling of client data is described in the Client Privacy Policy and Consumer Health Data Privacy Policy, which you should make available to your clients alongside your own notice.

9. International data transfers

Cadence stores data in [HOSTING REGION — e.g., the United States]. If you or your clients are outside that region, information is transferred there. For transfers out of the EEA/UK we rely on appropriate safeguards such as the Standard Contractual Clauses (and UK Addendum) [CONFIRM with counsel].

10. How long we keep your information

• Account and workspace data is kept while your account is active and for [RETENTION PERIOD — e.g., up to 90 days] after closure, then deleted or anonymized.
• Billing records are kept for [e.g., up to 7 years] for tax/accounting.
• Security logs for [e.g., up to 12 months].

[CONFIRM all periods with counsel.]

11. Your rights

You have the rights described for individuals under the laws that apply to you — including access, correction, deletion, portability, restriction/objection, and withdrawing consent (GDPR/UK; PIPEDA), and the California rights to know, delete, correct, opt out of sale/sharing (we don't sell or share), limit sensitive PI, and non-discrimination. Contact [privacy@traincadence.app]; we'll respond within [RESPONSE WINDOW — e.g., 45 days] and may verify your identity. You can complain to your data-protection authority, and — where provided — appeal a declined request.

12. Children

Cadence is for adults. You and your clients must be 18 or older. We don't knowingly collect information from anyone under 18.

13. Security

We protect data with industry-standard measures, including encrypted transport (HTTPS/TLS). Other protections — such as row-level isolation between tenants, encryption at rest, and automated backups — are on our roadmap and described honestly on our Security page. We'll tell you, as required, if a breach affects your information. Security is never "done"; this evolves as we ship.

14. Changes and contact

We'll update this policy as Cadence grows and update the "Last updated" date for material changes.

• Email: [privacy@traincadence.app]
• Mail: [LEGAL ENTITY NAME], [MAILING ADDRESS]
• Security reports: security@traincadence.app