Skip to content
Planner.coach

Privacy Policy

Last updated: May 2, 2026

Planner.coach is operated by HJ Digital, a company registered in Wales, United Kingdom ("we", "us", "our", "the Service"). This Privacy Policy explains what information we collect, how we use it, the legal basis for processing, and your rights regarding your data.

1. Information We Collect

Account Information

When you create an account, we collect your email address and authentication credentials. You may also provide your name and club/organization. If you subscribe to a paid plan, your payment information is processed directly by Stripe — we do not store your credit card details.

Content You Create

We store the content you create within the Service, including training sessions, activities, drill diagrams, training programs, and notes. This data is associated with your account and stored securely.

Athlete Information

If you use the athlete management features, you may enter athlete names, contact information (email, phone), emergency contacts, date of birth, physical metrics, and assessment data. You are the data controller for athlete personal data and are responsible for obtaining appropriate consent from athletes (or from a parent or guardian, where the athlete is below the jurisdictional age of digital consent — see Section 11). Sensitive athlete fields — date of birth, medical notes, email, phone, and emergency-contact details (name, phone, email, relationship) — are encrypted at rest at the column level, with the encryption key managed in a separate vault (see Section 9). Guardian contact details captured on parental-consent records, athlete forms, and onboarding-pack sessions are encrypted on the same basis.

Parental Consent Records

Where a coach enters data for a minor below the jurisdictional age of digital consent, the Service provides a built-in mechanism for recording verifiable parental consent. When that mechanism is used, we store a parental-consent record associated with the athlete's row containing:

  • Guardian name and contact details (email and/or phone). These guardian fields are encrypted at rest at the column level using the same AES key as the sensitive athlete fields above (see Section 9).
  • The consent path used: either email (guardian clicked a signed token link and granted consent themselves) or offline (coach attested that consent was collected outside the Service via one of: printed form, in-person signature, existing club registration, or other — with a date the consent was obtained, and optionally an uploaded scan of the signed form).
  • Consent status (pending, granted, revoked, or expired), the timestamp of each transition, and the country-code used to determine the applicable age threshold.
  • For email-path records: the IP address and browser user-agent string captured at the moment the guardian clicked "grant consent". This information is retained as proof of consent for regulator / auditor review and is not used for any other purpose.
  • For offline-path records: the coach who recorded the consent (the "recorded_by" attribution), along with an audit-log entry showing who recorded it and when.
  • If the coach uploads a scan of a signed paper form, the file is stored in a private storage bucket (parental-consent-scans) accessible only via short-lived signed URLs to the uploading coach and their authorised team members.
  • If either the guardian (via the same email link) or the coach (on a guardian's behalf, with a mandatory reason) later revokes consent, the timestamp of revocation, the revocation reason, and — where the coach initiated the revocation — the attributed coach user is stored.

Team Collaboration Data

If you create or join a team, we store team membership information (your role, team affiliation, and when you joined), team invitations (email address, role, invitation status), and team settings. Content you create in a team context (sessions, activities, athletes, training programs) is stored with a team association and is accessible to other team members at their assigned role level.

AI Coach Conversations

When you use the AI coaching assistant, your messages and the AI's responses are stored to maintain conversation history. Your messages, conversation history, and contextual data (such as session plans, activities, and training programs) are sent to Anthropic's API for processing. If you mention athlete names, performance data, or other personal information in chat messages, that information will be processed by Anthropic.

Analytics Data

With your consent, we use Amplitude to collect analytics data including pages visited, features used, and interaction patterns. We identify users by their internal user ID only — we do not send your email address or other personal information to Amplitude. You can opt out of analytics at any time via the cookie consent banner or in your account settings under Privacy Preferences. See Section 8 (Cookies and Analytics) for details.

Public Coach Profile

If you enable the Public Profile feature in Settings, the following information will be made publicly accessible on the internet at https://planner.coach/coach/[username], indexed by search engines, and rendered into social-media preview images (Open Graph images):

  • Your chosen display name (or your full name if no display name is set)
  • Your username (a unique identifier in the URL)
  • Your profile photo (avatar/logo)
  • Your club or organization name
  • Your default sport
  • Your bio
  • Your "member since" year
  • Counts of public templates, template imports, shared sessions, shared activities, and shared programs

This information will be rendered into cached image files (PNG) served from our CDN and may be shared by visitors on social networks including X (Twitter) and WhatsApp. Once published, copies of this information may persist in browser caches, search engine caches, social media previews, and third-party archives even after you disable your public profile.

You can disable your public profile at any time in Settings. Disabling will prevent new visitors from seeing your profile, but cached copies held by third parties (search engines, social networks, CDN edge nodes) may remain accessible for a period of time outside our control.

Coach Credentials and Safeguarding Records

If you record coaching, safeguarding, or background-check credentials (e.g. DBS, WWCC, SafeSport, first-aid, federation licences) on your profile, we store the credential type, issuer, reference, issue and expiry dates, and any document scan you upload. DBS and equivalent records may include data relating to criminal convictions or offences. We process this data on the basis of your consent (UK GDPR Art. 6(1)(a)) and, for criminal-offence and other special-category data, under the substantial-public-interest condition for safeguarding of children and adults at risk (UK Data Protection Act 2018, Schedule 1 Part 2 paragraphs 14 and 18). You may withdraw at any time by deleting the credential, which removes the database record and the uploaded scan.

Where you are a member of a team, the team owner, members assigned the Safeguarding Officer role, and (where the team has not opted out) team admins may view your credential metadata and, via short-lived (60-second) signed download links, the underlying document scans. Each cross-user view of a credential document is recorded in the team audit log and is visible to admins and safeguarding officers. Once a team member downloads a credential scan via a signed link, that copy passes outside our control; the downloading user becomes an independent controller for that copy and is responsible for its further handling under their own data-protection obligations.

2. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Service, including account management, content storage, payment processing, and AI coaching features.
  • Consent (Article 6(1)(a)): Analytics and usage tracking via Amplitude, which you can opt into or out of at any time. Publication of your profile data publicly via the Public Coach Profile feature, which you must actively opt into. You may withdraw this consent at any time by disabling your public profile in Settings. Withdrawal of consent does not affect the lawfulness of processing that occurred prior to withdrawal, nor does it affect cached copies held by third parties.
  • Parental consent for minors (Article 6(1)(a) + Article 8): Where personal data relating to a child below the jurisdictional age of digital consent is entered by a coach, we process that data on the basis of parental or guardian consent collected via the Service's built-in consent mechanism (see Section 11). Jurisdictional thresholds follow UK GDPR and GDPR-K (e.g. 13 in UK / US, 14 in Spain / Italy, 15 in France, 16 in Ireland / Germany). The guardian may withdraw consent at any time via the same email link they used to grant it, or by contacting the coach directly.
  • Legitimate interests (Article 6(1)(f)): Service security, fraud prevention, and improving the Service based on aggregated, anonymized usage patterns. We also rely on legitimate interests for the narrow purpose of retaining the forensic record of a granted consent (timestamp, IP, user-agent) to prove that consent was given — necessary to defend the lawful basis if it is later challenged, and balanced against the guardian's rights by keeping the retained data minimal and purpose-limited. We also rely on legitimate interests to send operational notifications about credential expiry, athlete-record retention, and account status, which are necessary to keep your safeguarding posture and account in good order.
  • Data minimisation and storage limitation (Article 5(1)(c) and 5(1)(e)): We apply automated retention controls to athlete records (see Section 7) so that personal data is not held for longer than is necessary for the coaching relationship, and we encrypt sensitive athlete and guardian fields at rest (see Section 9) so that only the minimum readable surface is exposed to authenticated, authorised reads.
  • Special-category and criminal-offence data (Articles 9(2)(g) / 10 + DPA 2018 Schedule 1 Part 2 paragraphs 14, 18): Where you upload safeguarding credentials such as DBS or WWCC certificates, we process this category of data for the substantial-public-interest purpose of protecting children and adults at risk in sport. An appropriate policy document is available on request to support@planner.coach.
  • Legal obligation (Article 6(1)(c)): Retaining billing records and responding to lawful requests.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Authenticate your identity and secure your account.
  • Process subscription payments and manage billing.
  • Provide AI coaching assistance based on your sessions and activities.
  • Send transactional emails (account verification, password reset, athlete reports where opted in).
  • Respond to support requests and communicate about the Service.
  • Analyze usage patterns to improve features and performance (with your consent).
  • Publish your profile information publicly on the internet when you enable the Public Coach Profile feature, including rendering it into shareable image assets distributed via CDN.

4. Team Data Sharing

When you create or join a team, certain data is shared with other team members:

  • Team members can see: Content created within the team context, including sessions, activities, athletes (names, contact details, metrics, and assessment data), training programs, and drill diagrams. The level of access depends on each member's assigned role.
  • Coach safeguarding credentials: Where you record coaching credentials on your profile (see Section 1), team owners, members assigned the Safeguarding Officer role, and (where the team has not opted out) team admins may view your credential metadata and, via short-lived (60-second) signed download links, the underlying document scans. Each cross-user view of a credential document is recorded in the team audit log. Coaches with role “Coach” or “Assistant” can only see their own credentials.
  • Your personal data stays personal: Content you created outside of a team context is not shared with team members unless you explicitly choose to share it using the share-to-team feature.
  • Team owner responsibilities: If you are a team owner or admin who shares athlete data with a team, you are the data controller for that athlete data. You are responsible for obtaining appropriate consent from athletes (or their parents/guardians for minors under 16) before sharing their data with team members, and for informing athletes about who has access to their information.
  • Leaving a team: If you leave a team, you lose access to all team data. Content you created in the team context remains accessible to the team. Your personal data (created outside the team) is unaffected.
  • Team archival: If a team is archived or the owner's subscription is downgraded, the team becomes read-only. Team data is retained but members cannot create or modify content until the team is restored.

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — Database hosting and user authentication. Your data is stored on servers in the United States. See Supabase's Privacy Policy.
  • Stripe — Payment processing. Stripe handles all payment card data securely. We do not store your card details. See Stripe's Privacy Policy.
  • Resend — Transactional email delivery, including athlete reports, team invitations, parental-consent emails, retention warnings, and credential expiry reminders (sent by default 60, 30, 7, and 0 days before expiry, and 7 days after, on a per-credential basis). Resend processes only the recipient name and email address. See Resend's Privacy Policy.
  • Anthropic — AI coaching assistant. Your messages, conversation history, and related coaching content (sessions, activities, training programs) are processed by Anthropic to generate responses. Anthropic does not use your data to train its models. See Anthropic's Privacy Policy.
  • Amplitude — Analytics (with your consent only). We collect anonymized usage data including page views and feature usage. Data is processed in the EU. We do not send your email address to Amplitude. See Amplitude's Privacy Policy.
  • Netlify — Web hosting and infrastructure. See Netlify's Privacy Policy.

Social Sharing: Public profile pages include share buttons for X (Twitter) and WhatsApp. If you or a visitor uses these buttons, the profile URL and a pre-composed message containing the coach's display name and sport are passed to the respective platform. These platforms' own privacy policies govern any data they collect from that interaction.

Connected AI assistants (MCP): You can connect an external AI assistant — such as ChatGPT or Claude — to your account as a custom connector using our Model Context Protocol (MCP) integration. The connection is initiated by you and secured with OAuth; you grant access and can revoke it at any time from the assistant or your account. While connected, the assistant can read your coaching library (activities, sessions, calendar events, rosters, lineups, and season plans) and create, edit, or delete sessions, session groups, season plans, and calendar events on your behalf. It cannot create or modify athletes, canvas drills, or training programs. Athlete personal data is restricted: only names and aggregate figures are shared — dates of birth, contact details, emergency contacts, and medical/notes fields are never sent to a connected assistant. Once data reaches the connected assistant, it is governed by that provider's own privacy policy rather than this one. The integration is available to coach accounts only.

6. International Data Transfers

Your data is stored and processed on servers in the United States, including any uploaded coach credential document scans, which are held in Supabase Storage in the United States. Analytics data is processed in the European Union. These transfers are necessary to provide the Service and are made under appropriate safeguards, including the UK International Data Transfer Agreement (UK IDTA) and the service providers' data processing agreements. By using the Service, you acknowledge that your data will be transferred to and processed in these locations.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data and content from our systems immediately. Billing records may be retained for up to 7 years as required by UK tax law. Your Stripe customer record is deleted as part of account deletion.

Athlete records — automated retention. To meet our obligations under UK GDPR Article 5(1)(e) (storage limitation), athlete records that have been inactive for an extended period are automatically purged. "Inactivity" means no writes, attendance events, measurement records, or other recorded interactions on the athlete record; any such activity resets the inactivity clock. The current default inactivity threshold is six (6) years, chosen to align with the limitation period for negligence claims under the UK Limitation Act 1980. We may adjust this default from time to time without re-papering customers — the retention period in force is the one in effect at the time the purge runs, and material reductions will be communicated in advance. Coaches can extend retention indefinitely simply by interacting with the record (for example, recording an attendance, updating a measurement, or editing the profile).

Warning, reminder, and purge schedule. Before any athlete record is hard-deleted, we send two notificationsto the coach (the data controller for that record):

  • A first warning email, sent by default 14 days before the scheduled purge date.
  • A final reminder email, sent by default 3 days before the scheduled purge date.

These notifications are sent only to the coach who controls the record — they are not sent to the athlete or their guardian, since the coach is the data controller and is best placed to decide whether the record should be retained, deleted, or exported. The notification emails contain the athlete's name and a link to the record so the coach can review it. Any qualifying activity on the record before the purge date cancels the scheduled purge. On or after the purge date, the athlete's personal data is hard-deleted and is not recoverable.

Deletion is immediate. When an athlete is deleted from the Service (whether manually by the coach via the Erase record action or through the retention process), the athlete row and its related personal data are removed in the same transaction. We do not hold a recoverable copy. Coaches who only want to take an athlete off the active roster without erasing history should use the Mark as Inactive archive toggle instead.

Compliance audit log. When an athlete record is hard-deleted, we record a single audit-log entry containing a cryptographically hashed reference to the deleted record (no athlete name, contact details, or other personal data). This hashed record is retained for compliance traceability — so that we can demonstrate the purge ran as scheduled if a regulator or auditor asks — and is not itself personal data on its own. See also Section 7 of our Terms of Service for the corresponding coach-facing obligations.

The default thresholds above (6-year inactivity, 14-day warning, 3-day reminder) are configurable and may be adjusted from time to time as our compliance posture evolves; we will not extend retention without legal basis, and any material change will be noted in the "Last updated" date on this page.

Parental-consent records — coach-actioned erasure. We are the data processor for athlete personal data; the coach (or their team / club) is the data controller. When a guardian revokes consent, the operational obligation to erase the athlete record sits with the coach. We provide tooling so they can act on this directly: a Delete athlete action on each athlete profile which captures a reason category, wipes name / contact details / date of birth / notes / emergency contacts in a single transaction, cascades to related records, and writes a hashed compliance audit row in retention_purge_log. The consent record itself is retained for up to 7 years after revocation in a minimised form (guardian name, consent path, grant / revoke timestamps, revocation reason) so that we and the coach can demonstrate the lawful basis for any processing that occurred while consent was in force. Uploaded scans of signed paper forms, where provided, follow the same 7-year retention.

Coach-revocation escalation. Because we cannot rely solely on coach discipline to deliver on revocations, a daily scheduled job (the "ICO Age Appropriate Design Code fallback sweep") checks for athlete records where consent has been revoked but no hard-delete has been recorded. At 30 days from revocation it emails the coach (and, in team contexts, the team owner) reminding them to action the deletion or document a legitimate-interest basis to retain. At 90 days it flags the record internally for Planner.coach staff review so we can contact the controller directly. We will not silently auto-delete inactive revoked records — the coach is given an opportunity to act first.

COPPA carve-out for US under-13 athletes. COPPA gives Planner.coach (the operator under US law) a direct, non-delegable obligation to delete a child's personal information on a parent's request. Where the athlete record is associated with the country code US and the athlete is under 13 at the time of revocation, the guardian's self-revoke link triggers an automatic hard-delete of the athlete's personal data on Planner.coach in the same database transaction. The coach is notified by email so they can erase any copies of the data they hold elsewhere (paper rosters, shared spreadsheets, messaging apps). This carve-out applies in addition to, not instead of, the coach's own controller-side erasure obligation.

Coach credentials. Coach credential records (DBS, WWCC, SafeSport, federation licences, first-aid, etc.) and any uploaded document scan are retained while the credential is current and for up to twelve (12) months after expiry, after which the document scan is purged automatically; the credential metadata (type, issuer, expiry date, hashed reference) is retained for a further six (6) years to support audit of the safeguarding decisions taken by you and your club while the credential was relied upon. You may delete a credential and its scan at any time from your profile. For UK DBS records specifically, we follow the DBS Code of Practice guidance that copies of the certificate should not be retained beyond the period necessary; coaches and clubs are encouraged to rely on the credential metadata + reference number rather than a retained scan once verification is complete.

Team audit log. When a team admin or safeguarding officer views another member's credential document scan, an audit-log row is recorded (caller, target, certification id, team, IP, user agent, timestamp). Audit-log rows are append-only — they cannot be edited or deleted from the application — and are retained for the lifetime of the team. If the team is archived, the audit log is retained for a further seven (7) years to support safeguarding-incident response (NSPCC CPSU and NSW Office of the Children's Guardian guidance both cite multi-year retention baselines). When the team is hard-deleted, audit rows are also deleted; safeguarding officers should export the relevant log entries before requesting team deletion if longer retention is needed for an open investigation.

If you had enabled a Public Coach Profile, dynamically generated social-media preview images (Open Graph images) containing your profile data may remain in CDN cache for up to 24 hours after your account is deleted or your profile is disabled. We cannot guarantee immediate removal from third-party systems including search engine caches, social media platform caches, and browser caches, which are outside our control.

8. Cookies and Analytics

Essential cookies: The Service uses essential cookies for authentication and session management. These cookies are necessary for the Service to function and cannot be disabled.

Analytics (consent required): With your consent, we use Amplitude to collect analytics data including page views, feature usage, and interaction patterns. This helps us understand how the Service is used and where to make improvements. Analytics data is identified by your internal user ID only.

You can manage your analytics preferences at any time:

  • When you first visit the Service, a consent banner will ask you to accept or decline analytics.
  • You can change your preference at any time in your account settings under "Privacy Preferences".

We respect the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we will treat it as an opt-out of analytics tracking.

Public profile analytics: Public profile pages may be visited by people who are not registered users of the Service. Visitor interactions with public profiles — including how visitors arrived (e.g., via a direct link or a social media share) — are tracked using anonymous session identifiers only, not by name or email. Share links generated by the Service may include a ref query parameter (e.g., ?ref=profile-share) to identify the origin of the share. This parameter is used solely for internal analytics attribution and does not identify individual visitors.

9. Data Security

We implement a layered set of technical and organisational security measures to protect your data:

  • Encryption in transit: All connections to the Service use HTTPS/TLS.
  • Column-level encryption at rest of sensitive athlete and guardian fields: Athlete date of birth, medical notes, email address, phone number, and emergency-contact details (name, phone, email, relationship) are encrypted at the column level using AES, with the encryption key managed in a separate key vault — held outside the database itself, so that a compromise of the database alone does not yield readable data. Guardian name, email, phone, and relationship captured on parental-consent records, individual athlete forms, and onboarding-pack sessions are encrypted on the same basis, using the same key. The key is rotatable, and we run an automated daily key-health check that verifies an end-to-end encrypt / decrypt round-trip; if the check fails, the retention auto-purge described in Section 7 is suspended until the key is restored, so we do not delete records we cannot first verify we can read.
  • Authenticated, authorised reads only: Encrypted athlete and guardian fields are decrypted in memory only when an authenticated user with the appropriate access rights reads the record. The plaintext is never persisted outside the database, never logged, and never sent to a third-party service except where an explicit feature requires it (e.g. sending an athlete report email or a guardian consent email — see Section 5).
  • Row-level security (RLS): All database tables enforce row-level security policies so that one user cannot read another user's (or another team's) data even if the application layer is bypassed.
  • Secure authentication and Content Security Policy: We use a managed authentication provider, and the Service ships a strict Content Security Policy header set to mitigate cross-site scripting and content-injection risks.

However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Access (Article 15): Request a copy of the personal data we hold about you.
  • Rectification (Article 16): Correct inaccurate data via your account settings or by contacting us.
  • Erasure (Article 17): Delete your account and associated data at any time via your account settings.
  • Data portability (Article 20): Export your data in JSON format via the "Export My Data" feature in account settings.
  • Restriction of processing (Article 18): Request that we restrict processing of your data while a dispute is resolved.
  • Object to processing (Article 21): Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw analytics consent at any time via your account settings. Disable your public profile at any time in Settings to stop public display of your profile data (cached copies may persist briefly as described in Section 7). Withdraw your account entirely by deleting it.

To exercise these rights, use the features in your account settings or contact us at support@planner.coach. We will respond within one month.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.

10a. Controller / Processor relationship

For athlete personal data you (the coach, team, or club) enter into Planner.coach, you are the data controller and we are the data processor. The Article 28 (UK GDPR) contract that governs that relationship is the Data Processing Agreement (DPA), which forms part of our Terms of Service. The DPA covers the categories of data we process on your behalf, our security measures, sub-processors, breach notification, assistance with data-subject requests, and return / deletion of data on termination.

For our own data — your account, billing, and platform usage — we are the data controller, and the rest of this Privacy Policy describes that processing.

11. Children's Privacy

This section concerns personal data about minor athletes recorded by their coaches. It does not apply to coach safeguarding credentials (e.g. DBS, WWCC, SafeSport), which concern adult coaches only and are described in Section 1 above.

Independent accounts. Our Terms of Service (Section 3) require all independent account-holders to be at least 16 years old. Age is self-attested at sign-up — we do not collect a date of birth as part of the sign-up form — so we cannot technically prevent a younger user from creating an account by misstating their age, though doing so is a breach of our Terms. As an additional safeguard, we block the specific flow by which an independent account can link itself to a coach-held athlete record: where the coach-held record indicates the athlete is below the jurisdictional age of digital consent, the API that accepts the athlete-invite link will reject the request until a granted parental-consent record for that athlete exists. If we discover an account-holder below our minimum age — whether through a breach report, support contact, or our own systems — we will remove the account and any associated personal data.

Coach-entered athlete data for minors. Coaches using the Service may enter data about minors they coach (for example, a child playing on a team the coach is responsible for). When a coach enters a date of birth indicating that the athlete is below the jurisdictional age of digital consent for their country, the coach is required to record a verifiable parental consent before the athlete can be saved. The Service provides two paths:

  • Email path — an email is sent to the guardian containing a signed, single-use link to a consent page hosted on the Service. The guardian reviews the request, grants consent themselves, and may also express photo / video preferences for the child on the same page. We record the grant timestamp, the IP address, and the browser user-agent as proof that the guardian (and not the coach) performed the action. The guardian may revoke consent at any time using the same link.
  • Offline path — where a club has already collected a signed paper form or equivalent during its own registration process, a coach may attest that consent was obtained, recording the method, the date the consent was obtained, the guardian's identity, and optionally uploading a scan of the signed form. The recording is attributed to the individual coach so that the record is traceable even when consent was collected outside the app. The coach may revoke such a record at any time on the guardian's behalf, but is required to supply a mandatory reason that is written to the audit log.

Email-path and offline-path records are stored with distinct consent_type values so that auditors and regulators can tell them apart. Both satisfy the legal floor; the distinction matters for liability if a dispute arises.

Jurisdictional age thresholds. The Service uses a per-country lookup to determine when parental consent is required. Defaults follow UK GDPR, GDPR-K, and COPPA: 13 in the UK, US, Canada, Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden; 14 in Spain, Italy, Austria, Cyprus, Bulgaria, Lithuania; 15 in France, Greece, Slovenia, Czech Republic; 16 in Ireland, Germany, Netherlands, Luxembourg, Poland, Croatia, Slovakia, Hungary, Romania.

Revocation consequences. When a guardian revokes consent (directly via the email link, or the coach revokes on their behalf with reason), we notify the coach by email. As the data controller, the coach is responsible for actioning the erasure on Planner.coach via the Delete athlete button on the athlete profile, and for removing any copies of the data they hold outside Planner.coach. Two automated safety nets operate alongside: an ICO Age Appropriate Design Code fallback sweep that nudges the coach if no hard-delete is recorded after 30 days (with an internal staff flag at 90 days), and the COPPA carve-out which auto-deletes US under-13 records inline on revoke. Both are described in detail in Section 7.

Photo and video consent. Where photo / video consent is granted or denied on the guardian-facing consent page, that preference is written through to the athlete record and surfaces as an indicator on features that use the athlete's photo or video (for example, the in-app share flow). Photo / video consent is informational and does not replace any club-specific safeguarding policies; it is an additional signal for the coach.

Coaches remain responsible for handling minors' data in compliance with applicable child protection laws, including the UK GDPR, COPPA (US), GDPR-K (EU), and the Children's Code (Age Appropriate Design Code).

If you believe a child's data has been added to the Service without appropriate consent, contact us at support@planner.coach and we will investigate and remove it.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email. The updated policy will be posted on this page with a revised "Last updated" date and is effective immediately upon posting. Continued use of the Service after an update constitutes acceptance of the revised policy.

14. Contact

If you have any questions about this Privacy Policy, please contact us at support@planner.coach.

HJ Digital
Wales, United Kingdom