This Privacy Policy describes how CLE LTD. (“CoachRocks”, “we”, “us”, “our”) processes personal data when you use the CoachRocks coaching platform and related services (the “Services”), available at https://coachrocks.com.
For questions about this policy or your personal data, contact us at support@coachrocks.com.
CLE LTD. has not appointed a Data Protection Officer or EU/UK representative at this time. For GDPR-related inquiries, please contact us at the address above.
1. Who this policy applies to
We process personal data about:
- Coaches (account holders) who register for and use the Services.
- Coaching clients and other individuals whose information coaches enter or import into CoachRocks, or who appear in meetings, recordings, transcripts, or AI-generated outputs.
If you are a client of a coach who uses CoachRocks, your coach is typically the primary decision-maker (controller) for your data in the platform; CoachRocks processes such data on behalf of our customers (processor) as described in our agreements and Section 8.
2. Personal data we process
We process the following categories of data, depending on how you use the Services:
2.1 Account and identity (coaches)
- Name, email address, profile image (e.g. from Google sign-in), account identifiers, authentication data (including password hashes where applicable), and Google account identifiers where you use Google login.
2.2 Client and contact records
- Name, email, phone, notes, tags, contract or related fields, and other information coaches store about clients.
2.3 Meetings, media, and conversation content
- Meeting titles, dates, links, uploaded or linked recordings (e.g. video/audio), transcripts (including speaker-labelled segments from integrated tools), and related metadata.
- AI-generated analyses derived from sessions (e.g. summaries, themes, action items, recommendations, follow-up content, and similar outputs).
2.4 Integrations
- Google (OAuth and Calendar): When you connect Google, we receive profile information allowed by the scopes you approve and process calendar-related data as needed to provide calendar features (e.g. read-only calendar access where configured). OAuth tokens required for integration are stored and used only to operate the integration.
- Meeting bot / transcription partners: Where you use features that rely on a third-party bot or similar service, we send operational data (such as meeting URLs or identifiers) and receive transcripts or status information as required for those features.
- Email delivery: We send transactional and product-related emails (e.g. password reset, notifications) via our email provider; these messages may include names, email addresses, and content needed for the email purpose.
2.5 Technical and security data
- Session and device-related data associated with authentication (e.g. refresh tokens, session validity, and device or client information such as user-agent where stored for security or troubleshooting).
- Activity and audit-type logs where enabled, to understand usage and maintain security.
- Server and infrastructure logs (e.g. IP address, timestamps, error logs) typical for hosted software.
2.5.1 Cookies and local storage inventory
The Services use the following cookies and browser storage. You can reject analytics/marketing technologies at any time through the cookie banner or your browser settings.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| refreshToken / refresh_token | Cookie (HTTP-only, Secure, SameSite=Lax in production) | Strictly necessary. Keeps you signed in by silently refreshing the short-lived access token. Cannot be read by JavaScript. | 30 days (configurable via REFRESH_TOKEN_EXPIRY) |
| coachrocks_consent | Cookie (SameSite=Lax) | Strictly necessary. Records your response to the cookie banner so we don't re-prompt on every page load. | 1 year |
| access_token | Browser localStorage (not a cookie) | Strictly necessary. Short-lived JWT used to authenticate API requests from the app. | Session / ~1 hour; refreshed automatically |
| trial-banner-dismissed-YYYY-MM-DD / quota-banner-dismissed-YYYY-MM-DD | Browser localStorage | Strictly necessary (functional). Remembers that you dismissed a trial/quota reminder for that calendar day. | Dropped when the date rolls over |
| PostHog cookies / localStorage (e.g. ph_*, posthog-*) | Cookie + localStorage | Analytics (consent required). Used for product analytics — session identification, event tracking, and feature usage metrics. Loaded only if you click Accept on the cookie banner. | Up to 1 year; deleted if you click Reject |
Strictly necessary items are set without consent because the Services cannot function without them; optional analytics items load only after you grant consent. You can withdraw consent at any time by clicking Reject on the banner or by clearing cookies in your browser — the next page load will re-prompt.
2.6 Communications with us
- Information you provide when you contact support or correspond with us.
We do not use CoachRocks to knowingly collect special categories of data under Article 9 GDPR from you as a dedicated data-collection step. However, recordings and transcripts may incidentally reveal sensitive information spoken in sessions. Coaches should only upload or process such content where they have an appropriate legal basis and safeguards.
3. Purposes and legal bases (GDPR)
We process personal data for the purposes below, relying on the legal bases indicated.
| Purpose | Legal basis (summary) |
|---|---|
| Providing the Services (account, meetings, storage, integrations, AI features) | Performance of a contract (Article 6(1)(b)) with the coach; where applicable, steps prior to contract at request of the data subject |
| Security, abuse prevention, authentication | Legitimate interests (Article 6(1)(f)) in securing accounts and the platform; where required, legal obligations |
| Product improvement, analytics of service usage (if non-essential) | Consent where required, or legitimate interests where strictly necessary and proportionate, as applicable under local law |
| Marketing (if any) | Consent where required |
| Compliance with law | Legal obligation (Article 6(1)(c)) |
Client data entered by coaches: Coaches determine why and how client data is processed in CoachRocks. We process that data as processor on documented instructions, unless we are required to process it by law.
Calendar-derived or imported contacts: Coaches must ensure they have a valid legal basis (e.g. consent or legitimate interest, as appropriate) before importing or syncing third-party personal data into CoachRocks.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal; withdrawal may limit certain features.
4. Automated processing and AI
CoachRocks uses automation and AI (including third-party AI models) to transcribe, analyse, and generate content from session materials. This processing may involve profiling-like outputs (e.g. themes, recommendations). It is not intended as a substitute for professional judgment. See our AI Transparency Notice for details.
5. Recipients and subprocessors
We use trusted service providers (processors) who process personal data on our behalf under agreements that require them to protect the data and process it only for the purposes we specify.
Categories of processors include:
- Hosting and infrastructure (e.g. application hosting, databases, object storage such as cloud storage/CDN providers).
- AI and speech services (e.g. transcription and language models).
- Meeting or bot integrations (e.g. third-party meeting transcription services).
- Email delivery (transactional email).
- Authentication and calendar (e.g. Google APIs where you connect Google).
A current list of subprocessor names and purposes is published at https://coachrocks.com/subprocessors (or available on request at support@coachrocks.com).
6. International transfers
Some subprocessors may process data in countries outside the European Economic Area (EEA), including the United States. Where we transfer personal data from the EEA/UK/Switzerland to countries not subject to an adequacy decision, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission (and the UK Addendum where applicable), supplemented by technical and organisational measures as required by law.
You may request more information about transfers by contacting support@coachrocks.com.
7. Retention
We retain personal data only as long as necessary for the purposes described in this policy, unless a longer period is required by law.
Indicative retention (subject to your subscription, legal holds, and product configuration):
- Account data: For the life of the account and a short period thereafter for backup, dispute resolution, or legal compliance, unless deleted earlier upon request where applicable.
- Client, meeting, recording, and analysis data: Until deleted by the coach/user, upon account termination according to our Terms of Service, or as required by automated retention rules we may apply from time to time.
- Security and logs: For a limited period consistent with security needs and legal obligations.
We may shorten or lengthen retention as we document in product settings or separate notices. [Optional roadmap commitment:] We are implementing or maintaining automated deletion and export capabilities to support storage limitation and your rights.
8. Controllers, processors, and your responsibilities (coaches)
If you are a coach, you are typically the controller of your clients’ personal data in CoachRocks. CoachRocks acts as processor for that data. Our Data Processing Agreement (where offered) forms part of our contractual commitments.
You must:
- Provide any required notices and obtain any required consents or other legal bases for your use of CoachRocks with respect to client data.
- Ensure imports (e.g. from calendar or third-party tools) comply with applicable law.
- Use AI outputs responsibly and in line with professional standards.
9. Your rights (EEA/UK and similar jurisdictions)
Subject to applicable law, you may have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Erase data (“right to be forgotten”) in certain cases.
- Restrict processing in certain cases.
- Receive your personal data in a portable format (data portability), where processing is based on contract or consent and technically feasible.
- Object to processing based on legitimate interests (including profiling in some cases).
- Withdraw consent where processing is consent-based.
- Lodge a complaint with a supervisory authority.
To exercise these rights, contact support@coachrocks.com. We may need to verify your identity. If you are a client of a coach, we may need to route your request through the coach where we act only as processor and cannot identify you independently.
10. Security
We implement appropriate technical and organisational measures designed to protect personal data, including access controls, encryption in transit (HTTPS), secure authentication practices, and vendor due diligence. No method of transmission or storage is completely secure; we work to reduce risk in line with Article 32 GDPR.
11. Children
The Services are not directed at children under [16 or as required by your jurisdiction]. We do not knowingly collect personal data from children. If you believe we have, contact us and we will take steps to delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version and revise the “Last updated” date. Where required by law, we will notify you (e.g. by email or in-product notice). Continued use of the Services after changes may constitute acceptance where permitted by law.
13. Contact
CLE LTD.
Floor 11, No.172, Section 2, Minsheng East Road, Taipei 10485, Taiwan
Email: support@coachrocks.com
This document is a template for legal review. It does not constitute legal advice.