Privacy Policy

Last updated:

1. Introduction

JourneyLoop ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you use our AI-powered coaching platform that transforms session transcripts into smart insights and enables client progress tracking.

This policy applies to both coaches using the platform and clients accessing their coaching materials through the client portal. By using JourneyLoop, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Business information (for coaches)
  • Account preferences and settings
  • Login credentials (username and securely hashed password)
  • Session access logs and login activity

Coaching Session Data

As part of our AI-powered coaching insights service, coaches may upload or record:

  • Session transcripts from recordings or typed notes
  • Virtual meeting recordings captured via Recall AI from Zoom, Google Meet, or Microsoft Teams sessions
  • Audio recordings and transcriptions of coaching conversations
  • Client information and coaching relationship details
  • Progress tracking data and action items
  • Generated session insights and prep briefs
  • Client portal engagement and accountability data
  • Notes and key takeaways from coaching sessions

Usage Information

We automatically collect:

  • Log data and usage patterns
  • Pages visited within the platform or portal
  • Time spent on different sections
  • Device and browser information
  • IP addresses and location data

3. How We Use Your Information

We use your information to:

  • Generate AI-powered session insights and personalized prep briefs
  • Create action items and progress tracking for coaches and clients
  • Provide secure client portals for accountability and progress tracking
  • Enable continuity and deeper conversations in coaching relationships
  • Deliver personalized insights and content based on coaching sessions
  • Communicate with you about your account and platform features
  • Ensure platform security and prevent unauthorized access to sensitive session data
  • Improve the platform's functionality and user experience
  • Analyze usage patterns and optimize platform performance
  • Comply with legal obligations and professional coaching standards

4. AI Processing and Data Usage

4.1 How AI Processes Your Data

We use advanced artificial intelligence to analyze your coaching sessions and generate insights. This processing includes:

  • Analyzing session transcripts to identify key themes and takeaways
  • Producing prep briefs and session summaries
  • Identifying action items and progress patterns

All AI-generated content is reviewed by coaches before being made available to clients through the portal.

4.2 Secure AI Processing Environment

Our AI processing occurs in secure, isolated, and monitored environments specifically designed for sensitive data:

  • Encrypted transmission: All data sent to AI providers is encrypted in transit
  • Zero persistence: Session content is never permanently stored by AI providers - processed in real-time, then immediately discarded
  • Enterprise-tier agreements: We use zero-retention data processing agreements with all AI providers
  • Access logging: All AI processing is logged and auditable for security purposes
  • Rate limiting: Abuse detection and rate limiting protect against unauthorized access

4.3 Data Minimization in AI Processing

We implement data minimization principles:

  • Only necessary session content is sent to AI processors
  • Personal identifiers are minimized where possible
  • Processing focuses on insights and patterns, not verbatim content retention
  • You can control what sessions are analyzed through your privacy settings

4.4 Your Control Over AI Processing

You have complete control over AI processing:

  • Session selection: Choose which sessions to analyze individually
  • Insight preferences: Set what types of insights to generate
  • Complete opt-out: Turn off AI features entirely if desired
  • Deletion rights: Delete AI-generated content at any time

4.5 Zero AI Model Training Policy

We NEVER use your data to train AI models

Your coaching content, session transcripts, and client data are never, under any circumstances, used to:

  • Train our AI models or any third-party AI models
  • Improve general AI model capabilities
  • Conduct cross-account learning or pattern analysis
  • Serve any purpose beyond your immediate, specific coaching needs

This is a fundamental commitment to your privacy and intellectual property. AI processing occurs strictly and exclusively to generate the insights, prep briefs, and content you request for your specific coaching practice.

5. Information Sharing and Disclosure

Your privacy is of utmost importance to us. We do not sell your personal information. We share information only in the following limited circumstances:

With Your Coach (For Clients)

Client session content and portal usage information are shared with your coach to facilitate your coaching relationship. Only your assigned coach can access your data.

Service Providers and Subprocessors

We work with carefully selected third-party service providers who assist in platform operations. All service providers are bound by strict data processing agreements:

  • Database & Infrastructure: Supabase (United States) - secure database storage and backend infrastructure. Supabase is SOC 2 Type II certified and HIPAA compliant, providing enterprise-grade security for all coaching data.
  • Cloud Hosting: Heroku/AWS (United States) - application hosting services
  • AI Processing: OpenAI and Anthropic (United States) - content generation with zero-retention agreements
  • Session Recording: Recall AI (United States) - virtual meeting recording and transcription for Zoom, Google Meet, and Microsoft Teams sessions
  • Payment Processing: Stripe (United States) - billing and subscription management
  • Email Delivery: SendGrid (United States) - transactional emails and notifications

We require all subprocessors to maintain the same level of data protection we provide. We will notify you of any material changes to our subprocessor list. For a complete, up-to-date list of subprocessors, please contact privacy@journeyloop.ai

Legal Requirements

We may disclose your information when:

  • You provide explicit consent
  • Required by law or legal process (subpoena, court order)
  • Necessary to protect our rights, property, or safety
  • Necessary to prevent fraud or security threats

6. Data Security and Protection

Security Infrastructure

We understand that coaching session data is highly sensitive and confidential. We implement comprehensive security measures specifically designed for protecting sensitive personal information:

  • Bank-level encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
  • Isolated client portals: Each client accesses only their own information through secure, individual portals
  • Healthcare-grade standards: Security measures aligned with HIPAA technical safeguards
  • Secure authentication: Multi-factor authentication available, secure password hashing (bcrypt)
  • Access controls: Role-based access with principle of least privilege
  • 24/7 monitoring: Continuous security monitoring and intrusion detection

Data Storage and Infrastructure Security

Your data is stored securely with Supabase, a SOC 2 Type II certified and HIPAA compliant database provider:

  • Location: United States - secure data centers with enterprise-grade infrastructure
  • Compliance: SOC 2 Type II certified and HIPAA compliant
  • Physical security: 24/7 monitoring, biometric access controls, video surveillance
  • Redundancy: Multi-availability zone deployment for high availability
  • Disaster recovery: Daily encrypted backups with 90-day retention
  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit

Administrative Access Controls

JourneyLoop administrators have very limited access to your data:

  • No routine content access: Admins cannot read session content without explicit permission
  • System maintenance only: Access limited to infrastructure monitoring and technical support
  • All access logged: Any administrative access is automatically tracked and auditable
  • Legal compliance: Access only when required by law or with your written consent

Data Isolation

Each coach's data is kept completely separate with strict isolation controls:

  • Database-level tenant isolation
  • Application-layer access controls
  • No cross-coach data sharing or analysis
  • Zero data pooling or aggregate analytics across accounts

7. Data Retention and Deletion

Active Account Retention

We retain coaching session data and generated insights only as long as necessary to provide our services or as required by law:

  • Active session data is retained while your coaching relationship continues
  • Generated insights and prep briefs remain available for continuity
  • Client portal data is maintained for ongoing progress tracking

Backup and Archive Policies

Understanding Our Backup System:

For disaster recovery and business continuity, we maintain encrypted backups of all data:

  • Backup frequency: Daily automated backups
  • Backup retention: 90 days, then permanently and irreversibly deleted
  • Backup encryption: AES-256 encryption at rest
  • Backup location: Geographically separate from primary data

When you request data deletion: We immediately remove data from active, production systems. Backup copies are marked for deletion and will be permanently purged within 90 days as backups naturally age out of our retention window. This backup retention period is necessary for disaster recovery and cannot be shortened, but backups are encrypted and inaccessible for normal operations.

Account Termination and Data Deletion

Upon account termination or data deletion request:

  • All data is immediately deleted from active, production systems
  • Backup copies are permanently deleted within 90 days as they age out of our retention window
  • You can delete specific client data or entire accounts at any time with a single click in your user profile
  • Clients can request deletion of their data through their secure portals or by contacting their coach

Legal Retention Requirements

In some cases, we may be required to retain certain data longer to comply with legal obligations, resolve disputes, or enforce our agreements. We will inform you if this applies to your data.

8. Your Rights and Choices

You have the right to:

  • Access: View all personal information we hold about you
  • Rectification: Update or correct inaccurate information
  • Deletion: Request complete removal of your data (subject to legal obligations)
  • Restriction: Limit how we process your information
  • Portability: Receive your data in a machine-readable format
  • Object: Object to certain types of processing
  • Opt-out: Unsubscribe from certain communications
  • Withdraw consent: Revoke previously granted consent

How to Exercise Your Rights

To exercise these rights:

  • Coaches: Use account settings or contact privacy@journeyloop.ai
  • Clients: Contact your coach directly or email privacy@journeyloop.ai

We will respond to requests within 30 days (or as required by applicable law). There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.

Data Portability Formats

When you request data export, we provide your information in structured, commonly used formats:

  • JSON: For structured data (sessions, clients, action items)
  • CSV: For tabular data (session lists, analytics)
  • PDF: For reports and human-readable summaries
  • Plain text: For transcripts and notes

9. International Data Transfers

Your information may be processed in countries other than your own, primarily in the United States where our infrastructure is located. We ensure appropriate safeguards are in place for international data transfers:

Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers from the EU/EEA
  • Adequacy decisions: We rely on adequacy decisions where applicable
  • Additional safeguards: Technical and organizational measures supplement transfer mechanisms

GDPR Compliance for EU/EEA Users

For users in the European Union or European Economic Area, we comply with GDPR Article 46 requirements for international data transfers. Our data processing addendum (DPA) includes SCCs and can be provided upon request.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your user experience, authenticate you, and collect usage information:

Types of Cookies We Use

  • Essential cookies: Required for platform functionality (authentication, security)
  • Performance cookies: Help us understand how you use the platform
  • Functional cookies: Remember your preferences and settings

You can control cookie settings through your browser, but disabling cookies may limit your ability to use certain features of the platform.

11. Privacy Law Compliance

GDPR Compliance (European Union)

We are fully committed to GDPR compliance with comprehensive protections:

  • Right to access: View all personal data we hold about you
  • Data portability: Export your data in machine-readable formats
  • Right to correction: Update or correct inaccurate information
  • Right to deletion: Request complete data removal ("right to be forgotten")
  • Right to restriction: Limit certain data processing activities
  • Right to object: Object to specific types of processing
  • Automated decision-making: We do not make automated decisions that significantly affect you

CCPA Compliance (California)

For California residents, we provide additional rights under CCPA:

  • Know what's collected: Transparency about data collection practices
  • Opt-out rights: Control over data sharing and processing
  • Non-discrimination: No penalties for exercising privacy rights
  • Timely responses: Responses within CCPA-required timeframes (45 days)
  • Authorized agents: Ability to designate an agent to exercise rights on your behalf

Additional Compliance Measures

  • Clear consent: Transparent consent processes for all data uses
  • Privacy impact assessments: Conducted for all new features that process personal data
  • Regular audits: Ongoing compliance monitoring and reviews
  • Data Protection Officer: Dedicated privacy expert available for questions at privacy@journeyloop.ai

12. Data Processing for Coaches (Controller/Processor Relationship)

Understanding the Relationship

For GDPR and Privacy Law Purposes:

Coaches are Data Controllers: You determine what client data to collect and how it's used in your coaching practice.

JourneyLoop is a Data Processor: We process client data on your behalf according to your instructions, solely to provide the platform services you've requested.

Coach Responsibilities as Data Controller

As a coach using JourneyLoop, you are responsible for:

  • Obtaining proper consent from clients before uploading their data
  • Ensuring your use of the platform complies with applicable privacy laws
  • Informing clients about how their data will be processed
  • Responding to client data rights requests (access, deletion, etc.)
  • Maintaining your own privacy policy for your coaching practice

JourneyLoop Responsibilities as Data Processor

As your data processor, we commit to:

  • Processing client data only according to your documented instructions
  • Implementing appropriate technical and organizational security measures
  • Assisting with data subject rights requests
  • Notifying you of any data breaches within 72 hours
  • Ensuring all subprocessors meet the same data protection standards
  • Deleting or returning data upon termination of services

Data Processing Addendum (DPA)

For coaches who require a formal Data Processing Addendum (particularly for GDPR compliance), we provide a comprehensive DPA that includes Standard Contractual Clauses. To request a DPA, please contact privacy@journeyloop.ai

13. Children's Privacy

The platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@journeyloop.ai and we will take steps to delete such information.

14. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of discovering the breach
  • Provide details about what information was affected
  • Explain steps we're taking to address the breach
  • Recommend actions you can take to protect yourself
  • Notify relevant regulatory authorities as required by law

15. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes:

  • By email to your registered email address
  • By posting a notice in the platform or portal
  • By updating the "Last updated" date at the top of this policy

We encourage you to review this Privacy Policy periodically. Your continued use of JourneyLoop after changes indicates your acceptance of the updated policy.

16. Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us:

For clients: You may also contact your coach directly for questions about how your specific data is handled in your coaching relationship.