Data Security and Retention

How Planner.coach protects athlete data: at-rest encryption of personal details, automated retention purging after six years of inactivity, and the audit trail behind it.

10 min read | Updated May 23, 2026

Athlete profiles often hold the most sensitive information in your coaching workspace -- dates of birth, medical notes, contact details, and guardian information. This page explains how that data is protected, how Planner.coach handles long-term retention, and the controls available to you when a guardian asks for their data to be erased.

Who is responsible for athlete data

In data-protection language, you (or your club) are the data controller -- the person who decides what data is collected, why, and for how long -- for the athlete records you create. Planner.coach is the processor, meaning we host the data, secure it, and give you the tools to act on guardian requests, but we don't make the decisions about it. The one exception is the United States COPPA carve-out for athletes under 13: US law puts a non-delegable obligation on Planner.coach as the platform operator, and we handle that part directly. See the Parental Consent page for how that flow works.

If you run a Club workspace, this split is also written into the Data Processing Agreement you accept on first sign-in.

Encryption at rest

The personal details on every athlete profile are encrypted in the database -- scrambled so they can't be read without the matching key. The fields covered are:

  • Date of birth
  • Medical notes
  • Email address
  • Phone number
  • Emergency contact details (name, phone, email, relationship)

Guardian contact details are protected the same way wherever they're stored:

  • Parental consent records -- guardian name, email, and phone on every consent record (whether collected via the email path or attested offline by a coach).
  • Individual athlete forms -- guardian name, email, and relationship captured when a form is sent to a parent or guardian.
  • Onboarding-pack sessions -- guardian name and email captured when a multi-step onboarding pack is sent.

The key that unlocks these fields is held in a separate secure vault, not in the database itself. Even if someone obtained a copy of the raw database, the protected fields would stay unreadable without access to that vault.

Encryption protects against database-level compromise. It does not, on its own, protect against someone gaining access to a coach's logged-in session -- that's why account passwords and team-member access controls still matter.

Encryption in transit

All traffic between your browser and Planner.coach is encrypted with HTTPS/TLS, so athlete data is never transmitted in the clear.

Account isolation

Every account is isolated from every other account at the database level. Your athletes, sessions, and notes are only ever returned to your account or to the team workspace they belong to.

How long athlete records are kept

Athlete records are retained for six years after the last interaction. After that, the record is removed automatically.

Six years is the limitation period for negligence claims under UK law and broadly matches what most clubs, governing bodies, and insurers in other countries expect to see kept too. Coaches working with younger athletes often need a defensible historical record for years after a player has moved on. Six years is long enough to cover a reasonable claim window and short enough that you're not holding personal data indefinitely. If your country's rules require a different window, check with your local governing body -- the six-year default suits most situations, but you remain the controller of your own records.

What counts as activity

Any interaction with an athlete record resets the inactivity clock. That includes:

  • Editing any field on the profile
  • Logging a measurement
  • Marking attendance for a session the athlete is in
  • Recording or updating consent
  • Sending a progress report
  • Adding the athlete to a group or programme

You don't need to do anything special to "extend" retention -- the act of working with the athlete is enough.

The retention timeline

Once an athlete crosses the six-year inactivity threshold, removal is scheduled 14 days out. You'll receive two emails before anything is deleted.

When      What happens
Day 0     Six-year inactivity threshold reached. A warning email is sent: "Action needed: {athlete name} will be removed from your roster." The record is scheduled for removal in 14 days.
Day 11    A final reminder email is sent in case the first one was missed.
Day 14    The athlete record is permanently removed. A hashed audit-log entry is written for compliance purposes.

Both emails come from noreply@updates.planner.coach and link directly to the athlete's profile so you can act in one click.

How to keep a record

If you want to keep an athlete on your roster, just interact with the record any time before day 14. Editing a field, logging a measurement, or marking them present at a session all reset the clock and cancel the scheduled removal.

If a record is removed and you later realise you needed it, the deletion is permanent -- there is no recovery path after day 14. The two warning emails are your safety net.
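
The timeline and clock-reset rules above, worked through as an added Python sketch (an illustration, not Planner.coach's own code). The function names, the 29 February handling, the `rollout` parameter and all dates are assumptions or constructed sample values.

```python
from datetime import date, timedelta

RETENTION_YEARS = 6   # inactivity window stated on the page
REMINDER_DAY = 11     # final reminder email
REMOVAL_DAY = 14      # permanent removal


def add_years(d, years):
    # Assumption: a 29 Feb clock start lands on 28 Feb in a non-leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def clock_start(activity_dates, rollout=None):
    # Any interaction resets the clock, so only the latest date matters.
    # `rollout` models the one-off reset applied when the feature went live.
    candidates = list(activity_dates) + ([rollout] if rollout else [])
    return max(candidates)


def retention_status(activity_dates, today, rollout=None):
    day0 = add_years(clock_start(activity_dates, rollout), RETENTION_YEARS)
    removal = day0 + timedelta(days=REMOVAL_DAY)
    elapsed = (today - day0).days
    if elapsed < 0:
        stage = "active"
    elif elapsed < REMINDER_DAY:
        stage = "warned"            # Day 0 email sent
    elif elapsed < REMOVAL_DAY:
        stage = "final_reminder"    # Day 11 email sent
    else:
        stage = "removed"
    return {"stage": stage, "warning_on": day0, "removal_on": removal,
            "days_left": max((removal - today).days, 0)}


if __name__ == "__main__":
    # Constructed sample: last interaction on 10 Jan 2020.
    history = [date(2019, 9, 1), date(2020, 1, 10)]
    for today in (date(2026, 1, 9), date(2026, 1, 10), date(2026, 1, 21), date(2026, 1, 24)):
        print(today, retention_status(history, today))
    # An edit on day 13 resets the clock and cancels the scheduled removal.
    print(retention_status(history + [date(2026, 1, 23)], date(2026, 1, 24)))
```

Running the same calculation over an exported roster shows which records are approaching Day 0, independently of whether the warning emails were delivered.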

Existing athletes on your roster today

When this feature was switched on, every existing athlete had their inactivity clock reset to that day. Nothing was at risk of immediate removal -- the timer started fresh for everyone, so you have a full six years from the rollout date before the earliest possible warning email.

Archiving an athlete

If a player has left the squad but you want to keep their profile, measurements, attendance history, and consent records intact, use the Mark as Inactive action on the athlete row (or the Status → Mark inactive bulk action when you've selected several at once). Inactive athletes drop off the active roster, no longer count toward your athlete limit on capped plans, and stop appearing in the default athlete picker -- but every linked record stays in place. Flip them back to active any time.

There is no "trash" or recoverable-deletion bucket. Erasing an athlete is immediate and permanent (see below); use the inactive toggle whenever you might want to bring the record back later.

Removing an athlete profile (coach-side erasure)

When a guardian formally asks for their child's data to be erased under GDPR Article 17 (the "right to be forgotten") or an equivalent right elsewhere, use Delete athlete (erase data) from the athlete profile actions menu. The action is immediate and irreversible.

Open the athlete profile and choose Delete athlete (erase data) from the actions menu. The "Erase record" dialog asks for two things:

  • A reason category. "Guardian Article 17 / right-to-erasure request" is the most common, but you can also pick safeguarding-driven removal, duplicate record, data entered in error, or other.
  • A short note in your own words. This becomes part of the audit record, so a reviewer can later see why the deletion happened, not just that it did.

You then type the athlete's first name to confirm. There's no undo -- once you submit, the personal data on the profile and all linked records (parental consents, athlete forms, onboarding-pack sessions, measurements with notes) is permanently nulled. A row is written to the internal retention audit log capturing who acted, when, the reason category, and your note.

This is the action a coach uses when:

  • A guardian withdraws consent and you've decided you don't have a separate basis to keep the record (the common case after a revoked parental consent).
  • A guardian or athlete asks directly for erasure.
  • You added the wrong information and need it gone, not just hidden.

Audit log

Every removal -- whether from the six-year retention rule or from a coach-initiated Erase record action -- writes a row to an internal audit log. The log records that a removal happened and when, using a hashed reference rather than the athlete's name or personal details, so you have a defensible compliance trail without leaving identifying data behind after deletion.

If you're working inside a team workspace, there's a separate live ledger covering the day-to-day picture: who viewed an athlete record, who exported a roster, when a consent was signed or revoked. That feed is the Team Activity Log -- it complements the hashed deletion audit described above with named, in-the-moment visibility for safeguarding investigations.

What this means for you

A short checklist to keep your roster clean and your data hygiene tidy:

  • Keep guardian emails up to date. If your warning emails go to a stale inbox, you might miss the chance to extend retention.
  • Read the warning email when it arrives. Day 0 gives you 14 days; day 11 gives you 3 days. Either is plenty of time if you actually open the email.
  • Use the regular workflow. Marking attendance, logging measurements, and editing notes already keep records active -- there's no separate "renew" step to remember.
  • Don't keep ghost rosters. If a player has genuinely left and you don't need the historical record, you can let the auto-purge do its job. Six years is the default for a reason.
  • Erase deliberately. There's no undo and no recoverable-deletion bucket. If you might want the record back later, mark the athlete inactive instead -- and if you need a copy of progress reports before erasing, export them first.

Frequently asked questions

Can I disable the auto-purge?

No. The retention rule is a compliance feature, not a preference -- it exists so coaches and clubs aren't holding personal data indefinitely. You can always extend retention for a specific athlete by interacting with their record before the 14-day window closes.

What if I want to keep a record for longer than six years?

Log any activity on the record -- an edit, a measurement, marking attendance -- and the clock resets. There's no upper limit on how long you can keep a record active, as long as you keep interacting with it.

Will I lose progress reports and session history?

When an athlete record is removed, the linked personal data goes with it (profile, measurements, emergency contacts, consent records, individual progress reports). Aggregate session history -- the sessions themselves, your activity library, and your plans -- is not affected. You'll see a removed athlete drop out of historical attendance lists, but the session record itself remains.

Will I be billed for athletes that get auto-purged?

No. Once a record is removed, it no longer counts toward your athlete limit. If you're on a plan with an athlete cap, an auto-purge frees up that slot the same way a manual delete would.

What if an athlete (or guardian) asks for their data to be deleted sooner?

Use Delete athlete (erase data) from the athlete profile actions menu. The action scrubs the personal data immediately and writes an entry to the audit log with your reason; there is no recoverable-deletion bucket, so this is the correct response to a formal erasure request. If the athlete might just be off the roster temporarily, mark them inactive instead. The full flow is documented in Removing an athlete profile above. For data-subject rights more broadly, see the Privacy Policy.

Are coach accounts and session plans encrypted in the same way?

This page describes the protection applied to athlete and guardian personal data specifically -- the fields most likely to be sensitive under data-protection law. Account-level data such as your email and login credentials is protected through your authentication provider with separate controls.

Is guardian contact information encrypted too?

Yes. Guardian name, email, and phone -- captured on parental-consent records, individual athlete forms sent to a guardian, and multi-step onboarding-pack sessions -- are protected the same way as the athlete profile fields above.
