Legal
Privacy Policy
Effective May 14, 2026
This Privacy Policy explains how Athlen App, Inc., a Delaware corporation (“Athlen,” “we,” “us,” or “our”), collects, uses, and shares personal data in connection with the Athlen platform at athlen.app and related services (the “Service”). It applies to coaches who hold an Athlen account, to clients who use a coach’s booking page or client portal, and to visitors to our marketing site.
Two important distinctions before you read on.
- For data about coaches (the people who sign up for Athlen), Athlen is the controller.
- For data about clients that a coach enters into the Service — contact details, notes, intake answers, bookings, payment status — the coach is the controller and Athlen is the processor acting on the coach’s instructions. If you are a client and you want to access, correct, or delete that data, contact your coach first.
1. What we collect
From coaches
- Account & profile: email, name, country, language preference, business name, bio, photo, public booking-page slug, phone number (including a WhatsApp number if you provide one), city.
- Authentication: magic-link tokens, server-side session records, timestamps and IP address of recent logins.
- Subscription: plan tier, status, and billing identifiers; payment card data is collected and stored by Stripe — Athlen never sees full card numbers.
- Calendar & video: OAuth refresh tokens for Google Calendar (and equivalents) you choose to connect, the events Athlen creates on your behalf, and video-meeting URLs.
- Support: messages you send to hello@athlen.app or support@athlen.app, including any attachments.
From clients (entered by their coach, or by the client through a coach’s booking page or intake form)
- Contact: name, email, phone, language preference, optionally birthday.
- Coaching context: notes the coach writes, goals, acquisition source, referral linkage, intake-form responses, archived/active status.
- Bookings: session times, service, location, payment method label and free-text notes, paid/unpaid status, cancellation reasons, attendance.
- Client portal: when the coach enables a client portal, magic-link tokens and session records for the client’s sign-in.
Automatically
- Usage data: pages viewed, features used, device and browser type, referring URL, approximate location derived from IP address.
- Diagnostics: error reports (including stack traces and the URL being viewed at the time of the error).
- Cookies and similar technologies: a session cookie to keep you signed in; a small number of first-party cookies for analytics. We do not use advertising cookies and do not sell personal data.
2. How we use personal data
- Provide the Service: create your account, run bookings, send confirmation and reminder emails (and SMS where enabled), sync your calendar, track payments your clients owe you.
- Communicate with you: account, security, billing, and service-update messages. With your consent, occasional product news.
- Improve and secure the Service: diagnose errors, prevent abuse and fraud, measure feature use in aggregate, plan our roadmap.
- Comply with law: respond to legal process, enforce our Terms, protect rights and safety.
3. Legal bases (EEA, UK, Israel)
Where the EU/UK GDPR or the Israeli Privacy Protection Law, 5741-1981 applies, we rely on the following legal bases:
- Contract — to provide the Service to coaches under our Terms.
- Legitimate interests — to secure the Service, prevent abuse, measure use, and develop new features, where those interests are not overridden by your rights.
- Consent — for optional cookies and for marketing communications where consent is required.
- Legal obligation — to comply with tax, accounting, and other laws.
For data we process as a coach’s processor (their clients’ data), the coach is responsible for the legal basis under their own privacy notice.
5. Sub-processors
The Service runs on a small set of vendors. Today these are:
| Vendor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting and CDN | USA |
| Neon | Managed PostgreSQL database | USA / EU |
| Cloudflare R2 | Object storage for photos and uploads | USA / EU |
| Resend | Transactional email delivery | USA / EU |
| Sentry | Error tracking and diagnostics | EU (Germany) |
| PostHog | Product analytics | EU |
| Google LLC | Google Calendar OAuth and event sync, where enabled | USA |
| Stripe, Inc. | Subscription billing for Athlen plans | USA |
We update this list as we add or change vendors. If you would like to receive notice of changes to sub-processors, write to privacy@athlen.app and ask to be added to the list.
6. International transfers
Athlen is a U.S. company. We host the Service primarily in the United States, and some sub-processors run in the EU. If you access the Service from Israel, the EEA, the UK, or another country, your personal data will be transferred to and processed in the United States and other jurisdictions whose data-protection laws may differ from yours. Where required, we rely on the European Commission’s Standard Contractual Clauses (or the equivalent UK/Israeli mechanism) with our sub-processors, and we apply technical and organizational safeguards to protect the data in transit and at rest.
7. How long we keep data
We keep personal data for as long as your account is active and for a reasonable period after, generally:
- Account & profile data — for the life of the account and up to 12 months after closure;
- Client records you maintain in Athlen — until you delete them or close your account; on account closure we delete or anonymize them within 90 days (longer if law or a dispute requires);
- Billing records — kept for the period required by U.S. and other applicable tax laws (typically 7 years);
- Diagnostic and security logs — kept for up to 90 days, longer if needed to investigate an incident.
You can ask us to delete data sooner — see your rights below.
8. Your rights
Depending on where you live (including under the EU/UK GDPR, the Israeli Privacy Protection Law, the California Consumer Privacy Act, and other U.S. state privacy laws), you may have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete data or close your account;
- port your data to another service;
- object to or restrict certain processing;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority, such as the Israeli Privacy Protection Authority or, in the EU, your national data-protection authority.
To exercise a right, email privacy@athlen.app from the address on your account. We will respond within the period required by applicable law (typically 30 days). If you are a client and your data was put into Athlen by a coach, please contact your coach first — they are the controller of that data; we will help them respond.
We will never charge you for exercising a right and will not retaliate against you for doing so.
10. How we protect your data
We follow industry-standard practices to keep your data safe: TLS for data in transit, encryption at rest provided by our hosting and database providers, principle-of-least-privilege access for our team, server-side session management with short-lived magic-link tokens, audit logging for administrative actions, and continuous error monitoring. No system is perfectly secure; we will tell affected users about a personal-data breach without undue delay where the law requires it.
11. Children
The Service is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact privacy@athlen.app and we will delete it. Coaches who work with minors are responsible for obtaining parental or guardian consent under the law that applies to their practice.
12. Data processing for coaches
When you sign up as a coach and put your clients’ personal data into Athlen, Athlen processes that data on your behalf. The Service, together with this Privacy Policy and our Terms of Service, sets out the data-processing terms between you and Athlen:
- Subject matter & duration: the personal data is processed for as long as your account is active and during any retention period above.
- Nature & purpose: hosting, displaying, transmitting, and otherwise making the data available to you and the data subjects through the Service.
- Types of data and categories of data subjects: contact details, scheduling data, payment-status notes, and intake-form responses about your clients.
- Sub-processors: as listed in section 5; you authorize us to use them.
- Security & assistance: we maintain the safeguards in section 10 and will help you respond to data-subject requests and regulators where reasonably necessary.
If your organization needs a separate signed data-processing addendum or standard contractual clauses, write to privacy@athlen.app and we will provide one.
13. Changes to this Policy
We may update this Privacy Policy from time to time. If we make a material change, we will give you notice — for example, by email or an in-product notice — before the change takes effect. The “Effective” date at the top of this page tells you when the current version took effect.
14. Contact us
Athlen App, Inc., a Delaware corporation.
Registered office: c/o registered agent, Dover, Delaware, U.S.A.
Privacy: privacy@athlen.app
General: hello@athlen.app