Privacy Policy

Coachly is operated by Qup DA (Norwegian organization number 912 372 022), with its registered office in Norway. Qup DA is the data controller for the personal information processed through the Coachly app and the quptrain.com website.

For any privacy questions, requests, or complaints, contact us at {{CONTACT_EMAIL}}.

We collect only what we need to provide the service:

We use your information only for these purposes:

• To run the service: store your training logs, display your progress, calculate scores, and let you generate share codes for your coach.
• To authenticate you: verify your email/password or PIN at sign-in.
• To send the reminders you enabled: if you turn on daily reminders, we send a push notification at the time you choose.
• To respond to support requests: if you contact us, we use your email and the contents of your message to reply.
• To improve and secure the service: diagnose crashes, prevent abuse, and keep the service running.
• To comply with legal obligations: respond to valid legal requests where we are required to do so.

We do not use your data for advertising, do not sell or rent it, and do not share it with advertisers or data brokers.

If you are in the EU/EEA, our legal bases under the GDPR are:

• Performance of a contract (Article 6(1)(b)) — for everything required to deliver the Coachly service to you.
• Consent (Article 6(1)(a)) — for optional features such as daily reminders and sharing your data with a coach. You can withdraw consent at any time.
• Legitimate interests (Article 6(1)(f)) — for keeping the service secure and free from abuse.
• Explicit consent for special-category data (Article 9(2)(a)) — training and well-being entries (mood, sleep, soreness) may be considered health-related data. By logging these, you give explicit consent for us to process them solely to provide the service.

Coachly lets you generate a 6-digit code that gives a coach access to a read-only training report at quptrain.com. The code is valid for 10 minutes and does not require the coach to create an account.

The coach can see only what you choose to share:

• Your training logs and category breakdown
• Goals and questionnaire scores (if completed)
• Personal notes — only if you toggle "Include personal notes" ON

Each share is initiated by you. Codes expire automatically. You can revoke access at any time by not generating a new code.

Your data is stored in secure cloud databases (MongoDB Atlas) hosted in the European Union. Backups are encrypted and stored in the same region. Data is transmitted between your device and our servers over standard HTTPS/TLS.

We do not transfer personal data outside the EU/EEA, except as required for the operation of services such as Apple Push Notification Service or Firebase Cloud Messaging when you enable push notifications. These transfers are covered by Standard Contractual Clauses where applicable.

We keep your account and training data for as long as your account exists. If you delete your account from within the app, we delete your account record and associated training logs from our active databases within 30 days. Encrypted backups are rotated and fully deleted within 90 days.

We may retain limited records (such as anonymized error logs or legal compliance records) for longer if we are required to by law.

If you are in the EU/EEA, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your data ("right to be forgotten")
• Restrict or object to certain processing
• Receive a copy of your data in a portable format (data portability)
• Withdraw consent at any time
• Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority

You can exercise most of these rights directly in the app — for example, deleting your account from Settings, or editing your profile data. For anything else, email us at jan.egil.staff@qupda.com and we will respond within 30 days.

We protect your data with industry-standard security measures:

• HTTPS/TLS encryption for all network traffic
• Passwords stored as one-way bcrypt hashes — never in plain text
• PIN stored on your device using the operating system's secure storage (Keychain on iOS, Keystore on Android)
• JWT-based authentication tokens with limited lifetime
• Encrypted database backups
• Restricted server access via principle of least privilege

No service is 100% secure, but we work continuously to reduce risk. If we ever suffer a data breach affecting your personal information, we will notify you and the relevant authorities as required by law.

Coachly is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has signed up for Coachly, please contact us and we will promptly delete the account.

The quptrain.com website is used to display read-only training reports when a coach enters a 6-digit share code provided by a Coachly user. The site uses only essential, first-party cookies required for the page to function. We do not use tracking cookies, analytics cookies, or advertising cookies.

Coachly relies on a small set of third-party services to operate. Each is bound by its own privacy terms:

• MongoDB Atlas (database hosting, EU region)
• Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM) for push notifications, if you enable reminders
• Expo for app distribution and push notification routing
• Apple App Store and Google Play for app distribution and update delivery

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you in the app or by email. Continued use of Coachly after a change means you accept the updated policy.

For privacy questions or to exercise your rights under this policy, contact: