HeadCoach Privacy Policy

Effective: 28 April 2026

At a glance

HeadCoach is a mental performance app for athletes aged 13 and over. We collect what we need to run the app, we store it on AWS in the United States, we never sell it, and we never share an individual athlete’s data with their coach or club; coaches see team-level patterns only. We use OpenAI to power some in-app reflection features. You can ask us to delete your account at any time. The plain-English summary in this section is informational; the detailed sections below are the binding terms.

See also: Terms of Service · Data Processing Agreement.

01. Who we are

HeadCoach App Ltd. (“HeadCoach”, “we”, “us”) provides the HeadCoach mental performance app and the website at headcoachapp.com. Our registered address is Catalyst – The Innovation Centre, Queens Road, Belfast, Northern Ireland, BT3 9DT.

Contact for privacy matters: [email protected] (general inbox; we will route privacy requests internally).

Controller / processor model

When a sporting club, school, or other organization pays for your HeadCoach subscription as part of a team or program deployment, that organization is the data controller and HeadCoach acts as a data processor. If this applies to you, please contact your organization first about access, correction, or deletion of your data; we will support them in responding.

When you sign up directly as an individual, HeadCoach is the data controller for your personal data and you can contact us directly using the details above.

02. Who this policy applies to

This policy covers the HeadCoach mobile app (iOS and Android), the website at headcoachapp.com, and any related services we operate.

Age limits

  • HeadCoach is for users aged 13 and over. We do not knowingly collect personal data from anyone under 13. If you believe we have, please contact us using the details in section 1 and we will delete the account and associated data.
  • In the United Kingdom, the age of consent for data processing is 13, which matches our policy.
  • In the European Union, the age of digital consent is higher in many member states (typically 14, 15, or 16). HeadCoach is not currently sold or marketed into EU markets. If we begin operating in the EU we will introduce a parental consent step for users below the relevant local age of digital consent before launching there.
  • In the United States, we comply with the Children’s Online Privacy Protection Act (COPPA): we do not knowingly collect personal information from children under 13.

03. The personal data we collect

We group the personal data we collect into the following categories.

Identity and account data

  • Name, date of birth, gender, sport, position, and a profile photo (collected during the in-app Athlete Card step).
  • Email address used to sign up.
  • Authentication identifiers from Apple Sign-In, Google Sign-In, or Firebase Authentication when you choose those sign-in methods.

Performance and wellbeing data (special category data)

The core function of the app involves collecting information about your emotional and psychological state. Under UK and EU data protection law, this is “special category” personal data and we treat it accordingly. It includes:

  • Daily check-in answers: selected moods, body-battery score (0–100), and free-text reflections.
  • Answers to the 24-question EQ skills assessment, and the resulting Strengths / Effectives / Developings categorisation across the eight athlete or coach skills.
  • Habit selections and completion data.
  • Strategy completion data, training schedule preferences, and skill program progress.
  • Weekly Wrap inputs and the AI-generated insights derived from them.
  • Free-text or voice-transcribed responses you provide to the in-app AI agent (see section 6 on AI processing).

Usage and technical data

  • Device type and unique device identifier, operating system, app version, language, and time zone.
  • IP address and approximate location derived from it.
  • Firebase Cloud Messaging (FCM) push notification token.
  • Logs of how you use the app, e.g. screens visited, features used, errors encountered.

Payment data

Where you subscribe directly, payments are processed by Apple (in-app purchase on iOS) or by Stripe (on other platforms). We do not see or store your full card number. We receive the subscription status, plan, renewal dates, and a transaction reference.

Social layer data

If you are connected to a team in the app, your name, profile photo, and skill performance summary may be visible to other members of that team within team-facing features (Team Hub, Leaderboard, Mates). The visibility scope of these features is described in section 9.

Voice input

Where the app supports voice input, your voice is transcribed on your device and only the resulting text is sent to our backend. We do not store the audio recording.

Photos

If you upload a profile photo for your Athlete Card, the image is stored on our infrastructure (AWS and/or Firebase Storage). You can replace or remove your photo at any time from the app.

Marketing site data

When you visit headcoachapp.com, we and our analytics and advertising providers may collect information about your visit using cookies and similar technologies. See section 13.

04. How we collect your data

  • Directly from you, when you create an account, complete onboarding, complete a check-in, answer questions, upload content, contact us, or subscribe.
  • Automatically, as you use the app: usage logs, device information, push token registration, error reports.
  • From third parties you authorise: Apple, Google, or Firebase when you use them to sign in; Apple or Stripe when you pay; your club or school if they administer your account on your behalf.

05. How we use your data

We use your personal data for the following purposes:

  • To create and operate your HeadCoach account, including sign-in, profile setup, and onboarding.
  • To run the core mental performance features: daily check-ins, the EQ skills assessment, your personalized 4-week skill program, habits, strategies, and the Weekly Wrap.
  • To generate personalized content using AI processing (see section 6), including selecting the next profile question, generating insights for the Weekly Wrap, and powering in-app AI conversations.
  • To send you transactional emails and push notifications related to your account and use of the app (e.g. email verification, account changes, reminders).
  • To process subscription payments and manage trials, renewals, and refunds.
  • To produce aggregate, de-identified statistics about how the app is used, so we can improve the product.
  • To provide team-level (aggregate) reporting to your coach or club, where they have deployed the app to you. We do not provide individual-level performance or wellbeing data to your coach or club. See section 9.
  • To respond to support requests, fix bugs, prevent fraud, and protect the security of the app.
  • To comply with our legal obligations.

We do not

  • Sell your personal data.
  • Use your personal data to train AI models for ourselves or for any third party.
  • Send marketing email to anyone today. If we begin to, we will obtain consent first and offer a clear unsubscribe.
  • Show advertising inside the app.

06. AI processing

Some features of the app are powered by AI. We currently use OpenAI as our AI processing provider. When you interact with these features, the relevant data (typically your check-in answers, reflections, profile question responses, or AI agent messages) is sent to OpenAI’s API for processing and the response is returned to the app.

What this means in practice:

  • OpenAI processes the data only to generate the response we have requested.
  • Under OpenAI’s standard API terms, OpenAI does not use data submitted via the API to train its models, and may retain API inputs and outputs for up to 30 days for abuse and misuse monitoring before deleting them.
  • Your reflections and the related responses are stored as part of your HeadCoach account record so that the app can show you your history, generate Weekly Wraps, and personalize future content. They are deleted when you delete your account (see section 12).

07. Our lawful bases for processing (UK / EU GDPR)

We rely on the following lawful bases under UK GDPR and (where applicable) EU GDPR.

| Activity | Lawful basis | Notes |
| --- | --- | --- |
| Creating and operating your account; running core app features | Performance of a contract (Art. 6(1)(b)) | Necessary to provide the service you signed up for. |
| Processing your wellbeing / EQ data (special category) | Explicit consent (Art. 9(2)(a)) plus performance of a contract (Art. 6(1)(b)) | You give explicit consent during onboarding before you begin the assessment and check-in flows. |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax / accounting | Card data is handled by Apple or Stripe. |
| Sending transactional emails and push notifications | Performance of a contract (Art. 6(1)(b)) | Account, security, and feature notifications. |
| Aggregated analytics and product improvement | Legitimate interests (Art. 6(1)(f)) | To understand and improve how the app performs. |
| Security, fraud prevention, debugging | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) | To keep the service safe and reliable. |
| Marketing communications (none today; if introduced) | Consent (Art. 6(1)(a)) | Opt-in only; opt-out at any time. |

08. Service providers (sub-processors) we use

We rely on a small set of trusted service providers to operate the app. These providers process personal data on our behalf, under contracts that require them to keep it secure and to use it only as instructed by us.

| Provider | Purpose | Processing location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Hosting of the HeadCoach backend and database; storage of your account, performance, and content data. | United States |
| Google Firebase (Authentication, Cloud Messaging, Storage) | Sign-in with email or Google; push notifications; image storage. | United States |
| Apple | Sign in with Apple; in-app subscription billing on iOS via Apple Pay / App Store. | United States / your region |
| Stripe | Subscription payments outside iOS in-app purchase. | United States / EU |
| OpenAI | AI processing for in-app reflection, profile questions, and AI agent conversations. | United States |
| Sanity | Content management for coaching audio and knowledge-base content (no personal data sent). | United States / EU |
| Amazon SES | Sending transactional emails (verification, account, support). | United States |
| Metabase (self-hosted) | Internal analytics over our own database; data does not leave our infrastructure. | Within our AWS environment |
| Google Analytics 4, Meta Pixel, LinkedIn Insight Tag | Marketing-site analytics and advertising attribution on headcoachapp.com only, not used inside the app. | United States |

We will keep this list current and notify users of material changes via the app or by email where appropriate.

09. What your coach, club, or organization can see

HeadCoach is usually deployed to athletes by a club, school, or coach. We treat the relationship between athlete and coach with care.

  • Your coach or organization receives team-level, aggregated information only; for example, average team confidence over a period, or the number of athletes who completed their check-in in a given week.
  • We do not share an individual athlete’s mood selections, free-text reflections, EQ assessment answers, AI agent conversations, or wellbeing scores with their coach or organization.
  • Where you choose to share something within a team-facing feature (for example, a Mates profile or Leaderboard standing), the information you choose to share will be visible to other members of that team.
  • If your subscription is paid for by your organization, the organization will receive billing information about your account (existence, plan, status), but not your in-app performance content.

10. Where your data is stored

Your HeadCoach account data is stored on Amazon Web Services in the United States. Some of our service providers (listed in section 8) are also located in the United States. If you access HeadCoach from the United Kingdom, this means your data is transferred to and stored in a country outside the UK.

Where personal data is transferred from the UK to the United States, we rely on the UK Extension to the EU–US Data Privacy Framework (where the recipient is certified) and on Standard Contractual Clauses with our UK Addendum, supplemented by the technical and organizational measures described in section 11.

11. How we protect your data

  • Data in transit between the app and our backend is encrypted using TLS.
  • Data at rest in AWS is encrypted using AWS-managed keys.
  • Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
  • We follow the principle of least privilege: staff access only the data they need to do their job.
  • We monitor for security incidents and will notify affected users and the relevant supervisory authority of any qualifying personal data breach within the legally required timeframes.

12. How long we keep your data

  • Account data is kept for as long as your account is active.
  • When you ask us to delete your account, we will delete or anonymise your personal data within 30 days from our production systems. Residual copies in encrypted backups are rotated out within 90 days.
  • We may retain limited information for longer where we are required to by law (for example, financial records for tax purposes) or to defend legal claims.
  • Aggregated, de-identified data may be kept indefinitely; once aggregated and de-identified, it is no longer personal data.

13. Cookies and the marketing website

The headcoachapp.com marketing website uses cookies and similar technologies for analytics and advertising attribution. These include first-party cookies and third-party cookies set by Google Analytics 4, the Meta Pixel, and the LinkedIn Insight Tag.

  • Strictly necessary cookies, required for the site to work, are set without consent.
  • Analytics and advertising cookies are set only after you give consent through the cookie banner on the site, where local law requires consent.
  • You can change your preferences at any time using the cookie settings link on the site, and you can also block or delete cookies through your browser settings.

The HeadCoach mobile app does not use cookies. It uses similar local-storage mechanisms to remember your sign-in state and your in-progress onboarding step.

14. Marketing communications

We do not currently send marketing emails to any users of HeadCoach. If we introduce marketing communications in future, we will obtain your consent first and you will be able to unsubscribe at any time using the link in any marketing email or by contacting us.

15. School and college deployments

HeadCoach is not currently deployed through schools or colleges in a way that triggers obligations under the U.S. Family Educational Rights and Privacy Act (FERPA) or equivalent student-data-privacy laws. If we deploy through schools or colleges in future, we will sign appropriate data-sharing or data-processing agreements with those institutions, treat student records as confidential to the educational purpose for which they are shared, and not use student data for marketing.

16. Your rights

Depending on where you live, you have the following rights in respect of your personal data.

UK and EU residents (UK GDPR / EU GDPR)

  • Right to be informed, through this policy.
  • Right of access to a copy of the personal data we hold about you.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure (the “right to be forgotten”): to ask us to delete your data.
  • Right to restrict processing.
  • Right to object to processing carried out on the basis of legitimate interests.
  • Right to data portability: to receive your data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent at any time, where we rely on consent.
  • Right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk, or with your local EU supervisory authority.

California residents (CCPA / CPRA)

  • Right to know what personal information we collect, use, disclose, and (if applicable) sell or share; see sections 3, 5, and 8.
  • Right to delete personal information we have collected from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. We do not sell personal information. Where the marketing-site advertising cookies described in section 13 may constitute “sharing” under California law, you can opt out via the cookie banner on the site.
  • Right to limit the use of sensitive personal information. We use sensitive personal information only for purposes permitted under the CPRA: to provide the service you signed up for and to maintain its quality and safety.
  • Right to non-discrimination for exercising these rights.

Other US states (Virginia, Colorado, Connecticut, Utah, and others)

We extend the substantive rights above (access, correction, deletion, opt-out of targeted advertising and sale, appeal of refusals) to residents of US states whose law provides them, regardless of the technical thresholds in those laws.

Canadian residents (PIPEDA)

  • Right to access personal information we hold about you.
  • Right to challenge the accuracy and completeness of that information and have it amended.
  • Right to withdraw consent for the use or disclosure of your personal information, subject to legal or contractual restrictions.
  • Right to file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

How to exercise these rights

To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month for UK / EU requests and within 45 days for US state-law requests, and we may need to verify your identity before we act. We will not charge you a fee unless your request is manifestly unfounded or excessive.

17. Children’s privacy

HeadCoach is intended for athletes aged 13 and over. We collect personal data, including sensitive wellbeing data, from young people, and we take this seriously.

  • We do not knowingly collect personal data from anyone under 13. If we learn that we have, we will delete it.
  • Where the app is deployed by a club or school, we expect that organization to obtain any parental or guardian consent required by local law before enrolling an athlete who is a minor. The organization acts as the data controller for those athletes.
  • Coaches and organizations cannot see individual athletes’ in-app responses. They see team-level patterns only (see section 9).
  • We do not send marketing email to any users today, and we will never send marketing email to a user we know to be a minor.
  • Parents or guardians who wish to access, correct, or delete a minor’s account can contact us at [email protected].

18. Changes to this policy

We will update this policy from time to time. When we make material changes, we will notify you in the app and, where we have your email address, by email. The date of the most recent update is shown at the top of the policy when published on headcoachapp.com.

19. Contact us

HeadCoach App Ltd.

Catalyst – The Innovation Centre

Queens Road, Belfast, Northern Ireland, BT3 9DT

Email: [email protected]