
Privacy Policy (UK GDPR)

Effective date: 22 January 2026
Last updated: 22 January 2026

This Privacy Policy explains how YRoot Coaching Ltd ("YRoot", "we", "us", "our") collects, uses, stores, and shares personal data when you use our services, website, and digital platform (the "App").

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller and contact details

Data Controller

  • Legal entity: YRoot Coaching Ltd
  • Registered office: 456 Gower Road, Killay, Swansea, SA2 7AL, Wales
  • Company number: 17216991
  • Email: support@yrootcoaching.com

Data protection contact

YRoot has not appointed a Data Protection Officer (DPO).

For privacy-related enquiries, please contact: legal@yrootcoaching.com

ICO registration

YRoot Coaching Ltd is registered with the Information Commissioner's Office (ICO) where required by law.

2. Scope of this policy

This policy applies to personal data processed through:

  • our coaching services (1:1 and group),
  • the YRoot App (platform and related services),
  • our website and contact forms,

3. Personal data we collect

3.1 Coaching services

We may collect:

  • Identity and contact data: name, email address, timezone, optional phone number
  • Session administration: booking details, attendance, scheduling notes
  • Coaching information you choose to share: goals, progress, reflections, priorities
  • Coach notes: session notes taken by your coach (where applicable)

Session recordings:

  • By default, we do not record coaching sessions (audio/video).
  • If recording is ever required, it will only occur with explicit prior consent and with clear terms on storage and retention.

Where notes are stored:

  • Coach notes are stored securely in [SECURE STORAGE TOOL] with access restricted to authorised personnel.

3.2 YRoot App

We may collect:

Account data:

  • email address
  • name (optional)
  • passwords are managed securely via our authentication provider and are never stored in plain text by us

User-generated content:

  • goals, checks, factors, actions
  • notes and journaling content
  • attachments you upload (files/images/documents)
  • other data you choose to input into the App

Usage data:

  • login timestamps
  • feature usage and interactions
  • device and browser data (limited technical metadata)

Payment data:

  • subscriptions are processed by Lemon Squeezy (our payment provider / Merchant of Record)
  • we do not store your full payment card details
  • we receive subscription status and billing identifiers from Lemon Squeezy to manage access

3.3 Website

We may collect:

Contact forms:

  • name
  • email address
  • message content

Cookies & similar technologies:

  • essential/functional cookies
  • analytics cookies (depending on configuration and consent)

Server logs:

  • IP address
  • user agent and device info
  • pages visited, referral source
  • timestamps and basic diagnostic data

4. How we use your data (purposes)

We use personal data to:

  • deliver coaching services and manage bookings
  • provide and secure App access
  • process certification applications and training
  • respond to enquiries and customer support
  • maintain platform performance, security, and analytics
  • comply with legal obligations (e.g., accounting, tax)
  • send service communications (essential updates, policy changes)
  • send marketing communications (only where lawful and permitted)

5. Legal bases for processing

We rely on the following legal bases under UK GDPR:

5.1 Performance of a contract

We process data as necessary to:

  • provide coaching sessions
  • provide App services and manage subscriptions
  • manage certification delivery

5.2 Legitimate interests

We may process data to:

  • improve our services and the App
  • prevent fraud and misuse
  • maintain security, logs, and diagnostics
  • understand usage trends and service performance

We ensure our legitimate interests do not override your rights and freedoms.

5.3 Consent

We process data based on consent when required, including:

  • marketing emails
  • non-essential cookies (where applicable)
  • any session recording (if introduced)

You can withdraw consent at any time.

5.4 Legal obligations

We may process personal data to comply with legal obligations, including:

  • accounting, tax, and audit requirements
  • responding to lawful requests

6. Data retention

We keep personal data only as long as necessary for the purposes described above.

6.1 Coaching services

  • Client administration records (invoices, payments, contracts): up to 6–7 years (UK tax/accounting practice)
  • Coaching notes: typically 24 months after last session, unless longer retention is required by law or agreed

6.2 App data

  • While your account is active: data is retained to provide the service
  • After account deletion: we delete or anonymise personal data within 30 days, except where retention is required for legal reasons
  • Backups: may persist for up to 90 days before being overwritten

6.3 Certification data

  • Application data: 12–24 months after decision (unless you enrol)
  • Training and certification records: typically 6 years for credential verification and auditability

6.4 Marketing communications

  • Marketing consent: retained until you unsubscribe or withdraw consent
  • Suppression list (unsubscribed users): retained to ensure compliance with opt-out

Where services are provided via our SaaS platform hosted on a subdomain, that platform operates under the same data protection principles described in this policy.

7. Sharing your data and third parties

We use carefully selected third-party processors to run our services.

7.1 Typical processors

Depending on your setup, we may use:

  • Hosting / Infrastructure: Cloudflare, Railway
  • Payment provider: Lemon Squeezy (subscriptions)
  • Email provider: Google Workspace
  • Video calls: Google Meet
  • Analytics: Google Analytics

We only share personal data necessary for each provider to perform services on our behalf, under contractual confidentiality and data processing terms.

7.2 No sale of data

We do not sell your personal data.

8. International transfers

Some service providers may process data outside the UK.

Where data is transferred internationally, we use appropriate safeguards such as:

  • UK International Data Transfer Agreement (IDTA) and/or Standard Contractual Clauses (SCCs)
  • adequacy regulations where applicable (e.g., UK adequacy decisions)

If you want details of safeguards for a specific provider, contact us.

9. Security measures

We implement technical and organisational measures designed to protect your personal data, including:

  • encryption in transit (TLS/HTTPS)
  • restricted access controls and least-privilege permissions
  • monitoring and logging for security events
  • regular backups and disaster recovery practices
  • access to production systems limited to authorised staff
  • secure authentication and password management via industry-standard providers

No system is 100% secure, but we take reasonable steps to protect your data.

10. Your rights (UK GDPR)

You may have the right to:

  • access your personal data
  • correct inaccurate data
  • request deletion (right to erasure)
  • restrict processing
  • object to processing (including marketing)
  • data portability (where applicable)
  • withdraw consent (where processing is based on consent)

To exercise your rights, contact us at legal@yrootcoaching.com

11. Cookies

We use cookies and similar technologies for essential functions and analytics.

On our main website, cookies are used for:

  • essential functionality (such as security and cookie preferences)
  • analytics (Google Analytics, where consent is provided)

Our SaaS platform, hosted on a separate subdomain, may also use essential cookies for authentication, session management, and platform security.

Where required, we request consent for non-essential cookies via a cookie banner.

You can manage cookies via browser settings.

A separate Cookie Policy provides more detailed information.

12. Marketing communications

We may send marketing emails only where permitted under applicable laws.

You can unsubscribe at any time via:

Service-related communications (e.g., policy changes, security notices, subscription notices) are not marketing and may still be sent where necessary.

13. Children

Our services are intended for individuals aged 18+.

If we process data related to minors (e.g., certification candidates under 18 or exceptional coaching circumstances), we require written parental/guardian consent and additional safeguards.

14. Data breaches

In the event of a personal data breach, we will:

  • assess risk and impact promptly,
  • notify the ICO within 72 hours where required,
  • notify affected individuals without undue delay where the breach is likely to result in high risk to rights and freedoms.

15. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website and will apply from the effective date.

16. Complaints

If you have concerns about our handling of personal data:

  • contact us at legal@yrootcoaching.com, and we will respond within a reasonable timeframe
  • you can also complain to the UK regulator:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: https://ico.org.uk

Appendix A: Data categories and legal basis

Coaching

  • Data: contact details, goals, coach notes
  • Purpose: service delivery
  • Legal basis: contract

Coaching (optional recording)

  • Data: recording
  • Purpose: quality/training
  • Legal basis: consent

App

  • Data: account, content, usage
  • Purpose: platform delivery
  • Legal basis: contract + legitimate interest

Payments

  • Data: subscription status
  • Purpose: access management
  • Legal basis: contract

Website contact

  • Data: message/email
  • Purpose: respond to enquiry
  • Legal basis: legitimate interest / contract

Certification

  • Data: CV, assessments
  • Purpose: evaluate + deliver programme
  • Legal basis: contract / legitimate interest

Marketing

  • Data: email
  • Purpose: newsletters
  • Legal basis: consent
