Security
Last updated June 2, 2026.
CoachFile stores the real, sensitive things a coach's clients say. This page explains how that data is protected, who can reach it, and what we can and cannot see. We would rather be specific than impressive.
The short version
- Your data is encrypted in transit and at rest, with an additional layer of encryption on your most sensitive fields.
- Each coach's data is isolated at the database level. One coach cannot reach another coach's data.
- No one on our side has standing access to your client notes. Access happens only when you authorize it or the law compels it, and both are logged.
- We do not sell your data, do not use it for advertising, and do not use your client records to train AI models.
- You can export or delete all of your data at any time.
Our security model
CoachFile uses a two-tier security model: strong technical controls plus strong policy commitments. It is the standard approach for SaaS platforms handling sensitive operational data, used by tools like Notion, Asana, and Practice Better.
It is deliberately not zero-knowledge encryption (the model used by tools like Signal or a password manager). Zero-knowledge means a forgotten password permanently destroys all of your data, because we could not decrypt it even to help you. For a coach with years of client history, that tradeoff is unacceptable. We chose recoverable, strongly protected data plus written, auditable commitments, and we are transparent about what we can and cannot see.
Encryption
Your data is encrypted in transit and at rest. On top of that, the most sensitive fields get their own column-level encryption inside the database.
- In transit. TLS 1.3 between your browser and our servers. All endpoints are HTTPS-only, with HSTS enforced.
- At rest, across the platform. The entire database and all uploaded files are encrypted with AES-256. The keys are managed by our infrastructure and are never accessible to application code.
- At rest, column by column. The most sensitive fields are encrypted individually inside the database: your clients' full names, the custom fields you choose to track, your session notes (the written notes and the bullet summaries), and the data extracted while importing your existing notes. These columns are stored as unreadable ciphertext and are decrypted only in memory, and only for the coach whose row-level security policy authorizes the read. The key is held in a managed key vault, kept separate from our application code, and our internal analytics roles cannot decrypt these columns at all.
- Uploaded files. Documents and photos are stored with access scoped per coach. Upload links expire after minutes; download links expire after an hour.
In plain terms: the column-level layer means that even a stolen database backup, or a compromised internal credential, would surface ciphertext for your most sensitive client data rather than readable text. Encryption protects the data itself, and it is one layer of several; it does not replace good account security on your end. If your own sign-in were phished, the control that limits the damage is step-up reverification on high-stakes actions, described under Platform hardening below.
Database-level isolation
Every table that holds customer data is protected by row-level security enforced inside the database itself, keyed to your authenticated identity. This means:
- A coach signed in as one account literally cannot query another account's data.
- A bug in application code that tried to read across coaches would fail at the database, not just in the app.
- Even a compromised session token only grants access to that one account's data.
This isolation is verified by automated tests that run on every change before it ships.
Who can access your data
No CoachFile staff have standing access to your client data. Standing access means the ability to read your data at any time without your involvement. Running the platform (deploying code, monitoring uptime, fixing non-data issues) does not require reading your client records.
Access to customer data happens in only two situations:
- You authorize it. For example, you ask support to recover something you deleted. That access is time-limited, logged, and you are told when it begins and ends.
- The law compels it. A valid court order or legal request. We notify you where we are permitted to, and produce only the specific records named.
Access to customer data is recorded in audit logs, which we retain for 7 years. Internal analytics (signups, revenue, error rates) run only on aggregate views that strip names, session content, and demographics before anyone sees them.
Platform hardening
Beyond encryption and isolation, CoachFile runs a set of application and edge protections:
- A strict Content Security Policy and standard security headers on every response.
- Rate limiting on sensitive actions to slow abuse and automated attacks.
- Step-up reverification before high-stakes actions like deleting your account or changing your payment method.
- Automatic DDoS mitigation and bot protection at the network edge through Cloudflare.
- Error monitoring with personal data scrubbed before any report is sent.
- Multi-factor authentication is available in your account settings, and we recommend turning it on.
Subprocessors
We rely on a small set of trusted providers to operate CoachFile. Each has its own security and privacy commitments:
- Cloudflare: hosting, content delivery, file storage, edge security.
- Supabase: database and authentication backing.
- Clerk: sign-in and account authentication.
- Stripe: payment processing.
- Anthropic: AI extraction during note migration.
- Resend: transactional and account email.
- Sentry: error monitoring, with personal data scrubbed.
- PostHog: privacy-safe product analytics, with client content masked and never sent.
If we add or change a subprocessor, we give 30 days advance notice by email, and you may end your subscription without penalty if you object.
AI and your data
When you use the migration tool to import existing notes, the text of those documents is sent to Anthropic's API so it can be organized into structured client records. We use Anthropic's standard API tier:
- Anthropic does not use that content to train its models (the default on the API tier we use).
- Anthropic retains API logs for about 30 days, for abuse monitoring only, never for content review, and then deletes them.
- That content is not shared with any other third party.
We do not use your client records, session notes, demographics, custom fields, or uploaded documents to train any AI model, ours or anyone else's. The migration tool organizes what you give it and presents the result to you for review. It does not invent client details.
Your data, your rights
You own 100% of the data you put into CoachFile. For the client information you record, you are the data controller and CoachFile is the data processor: that data belongs to you, and we store and organize it on your behalf.
- Export. Download all of your data, as JSON or CSV, any time from your data settings.
- Deletion. Delete your account yourself from your account settings, with a 30-day grace period during which it can be reversed, then permanent deletion across our systems.
A Data Processing Agreement is available; see our DPA.
Where your data lives
CoachFile data is stored in the United States. EU data residency is available on the Mastermind plan on request. When you use CoachFile from outside the United States, your data is transferred to and processed in the United States by us and our subprocessors.
Compliance and boundaries
We handle data in line with GDPR (access, deletion, portability, correction) and with CCPA and CPRA for California residents. Our infrastructure providers maintain their own SOC 2 Type 2 compliance today. CoachFile is pursuing its own SOC 2 attestation as part of our roadmap; we do not claim a certification we do not yet hold.
CoachFile is built for non-clinical coaching and is not HIPAA-compliant. It must not be used as a system of record for licensed clinical mental-health care, emergency or crisis intervention, or Protected Health Information. Those boundaries are spelled out in our Terms of Service.
Incident response
We monitor for anomalies, track application errors, and rely on Cloudflare's edge protections. If a material data-exposure event is confirmed, our policy is to notify affected customers within 24 hours and to keep system-status information current during incidents. No service can promise zero incidents; we commit to handling them transparently.
Contact
Security questions, or want to report something? Email support@coachfile.app. See also our Privacy Policy and Terms of Service.