# Privacy Policy — The Aquatic Coach

**Business name:** The Aquatic Coach  
**Data controller:** Andy Astfalck  
**Address:** Vaartweg 107, 1217 SM Hilversum, Netherlands  
**KVK:** 61356751  
**BTW (VAT):** NL002517921B21  
**Contact:** [andyastfalck@gmail.com](mailto:andyastfalck@gmail.com)  
**Last updated:** June 2026

> This policy describes how we handle personal and health-related coaching data under the EU General Data Protection Regulation (Regulation (EU) 2016/679). Consider having a qualified adviser review it before your first paid client if you want independent legal sign-off.

---

## 1. Introduction and scope

This Privacy Policy explains how The Aquatic Coach (“we”, “us”, the **Data Controller**) collects, uses, stores, and protects your personal data when you apply for coaching, use our services, or interact with our website.

Because endurance coaching requires analysis of training and recovery, we process **special category data** (health and biometric information) such as heart rate, power, pace, sleep, and wellness metrics. We treat this data with heightened care and only process it where we have a valid legal basis.

This policy covers:

- Our marketing website (`theaquaticcoach.com`)
- One-to-one coaching services
- The athlete portal (when enabled for your account)
- Email and messaging related to your programme

---

## 2. Data we collect

### Standard personal data

- Name, email address, phone number, and messaging handles (Telegram or WhatsApp if you use them)
- Information you submit on application or onboarding forms
- Billing and payment details (when applicable)
- Coaching correspondence and programme preferences

### Special category data (health and biometrics)

With your **explicit consent**, we process training and health-related data needed to coach you, including:

- Activity files and summaries (duration, distance, pace, power, heart rate, cadence, etc.)
- Wellness and recovery metrics (sleep, HRV, subjective readiness where recorded)
- Physiological benchmarks (e.g. thresholds, FTP, CSS) and derived coaching analyses
- Race results, plans, compliance records, and AI-assisted coaching summaries

Data may originate from devices and platforms you connect (e.g. **Garmin**, **Strava**, or similar) via **Intervals.icu**, or from information you provide directly.

### Website data

Our marketing site is static HTML. We do **not** use advertising or analytics cookies by default. If you email us via the Apply page, your email client sends your message directly to us — we do not store applications in a third-party form database unless we tell you otherwise.

---

## 3. Lawful basis for processing

| Purpose | Legal basis |
|--------|-------------|
| Delivering coaching under our agreement | **Contract** (Art. 6(1)(b) GDPR) |
| Billing, invoicing, and tax records | **Legal obligation** / **Contract** |
| Processing biometric and health data for performance coaching | **Explicit consent** (Art. 9(2)(a) GDPR) |
| Improving internal coaching systems (limited, anonymised where possible) | **Legitimate interest**, where consent is not required and rights are balanced |

We do **not** rely on “legitimate interest” alone to process special category health or biometric data. You will be asked for clear, granular consent in our onboarding agreement before biometric tracking and analysis begin.

You may withdraw consent at any time (see Section 8). Withdrawal does not affect processing that was lawful before withdrawal, but may limit the coaching services we can provide.

---

## 4. How we use your data

- Design, prescribe, and adjust training plans
- Review sessions and provide feedback (including automated analyses and coach-written reports)
- Monitor load, recovery, and readiness
- Communicate about your programme (email, Telegram, WhatsApp, or portal)
- Meet legal, tax, and accounting obligations
- Operate and secure our coaching systems

We do **not** sell your personal data or health data.

---

## 5. Third-party processors

We share data only with service providers that help us operate coaching, under appropriate agreements where required. These **data processors** may include:

| Processor | Purpose | Notes |
|-----------|---------|--------|
| **Intervals.icu** | Training platform — plans, activities, wellness sync | Primary athlete-facing training hub |
| **Google Workspace / Google Drive** | Encrypted cloud sync of coach workspace; email (SMTP) | EU/US processing; Google’s GDPR terms and SCCs apply |
| **Google Gemini** | AI-assisted drafting of coaching summaries and reports | Only data necessary for each task; no public model training on your data under Google’s API terms |
| **Garmin / Strava / device vendors** | Source of activity data (via your connections) | Governed by their own privacy policies |
| **Open-Meteo** | Weather context for outdoor sessions | Approximate location/time only; not used to identify you |
| **Vercel** | Hosting the public marketing website | Static pages only; no athlete dossiers stored on Vercel |
| **Cloudflare** (when enabled) | Secure tunnel / edge access for athlete portal | Portal traffic only; credentials kept separate |
| **Payment processors** (e.g. **Stripe**, when used) | Subscription and invoice payments | PCI-compliant; we do not store full card numbers |

We maintain a Record of Processing Activities (ROPA) internally as required by Article 30 GDPR.

**International transfers:** Some providers process data outside the EEA (including the United States). Where required, we rely on adequacy decisions, Standard Contractual Clauses, or equivalent safeguards offered by those vendors.

---

## 6. Data security

We apply privacy-by-design principles appropriate to a solo coaching practice:

- **Access control** — coaching data is accessible only to the coach; API keys and credentials are stored separately from public systems and are not published
- **Device security** — password-protected devices, encryption where supported, and two-factor authentication on cloud accounts
- **Separation** — secrets and portal credentials are kept in dedicated secure stores, not in public repositories
- **Minimisation** — we collect and retain only what is needed for coaching and legal obligations
- **Impact assessments** — where we deploy high-risk processing of biometric data, we assess and mitigate risks (DPIA)

No online system is 100% secure. We will notify you and the Dutch supervisory authority (**Autoriteit Persoonsgegevens**) of a personal data breach where we are legally required to do so.

---

## 7. Data retention

- **Coaching and biometric data** — kept for the duration of your coaching relationship and deleted or anonymised within a reasonable period after termination, unless you request earlier erasure and we have no overriding legal need to retain it
- **Financial records** — retained as required by Dutch tax and KVK accounting law (typically up to seven years for invoices)
- **Marketing enquiries** — kept only as long as needed to respond and manage applications

---

## 8. Your rights

Under the GDPR you have the right to:

- **Access** — receive a copy of personal data we hold about you
- **Rectification** — correct inaccurate data or coaching interpretations
- **Erasure** — request deletion when data is no longer necessary (subject to legal retention)
- **Restriction** — ask us to limit processing in certain circumstances
- **Data portability** — receive data you provided in a structured, commonly used format where applicable
- **Object** — object to processing based on legitimate interests
- **Withdraw consent** — at any time, as easily as you gave it

To exercise these rights, email **andyastfalck@gmail.com**. We respond within one month unless the request is complex.

You may also export or manage device-held data directly in **Intervals.icu**, **Garmin Connect**, or other platforms you use.

If you believe we have not handled your data correctly, you may lodge a complaint with the **Autoriteit Persoonsgegevens** (AP): [autoriteitpersoonsgegevens.nl](https://www.autoriteitpersoonsgegevens.nl).

---

## 9. Cookies and this website

The marketing website does not set tracking or analytics cookies by default. Essential technical cookies may be used by our host (Vercel) for delivery and security. If we add analytics later, this policy will be updated and, where required, we will ask for consent.

---

## 10. Changes to this policy

We may update this policy when our services or legal requirements change. The “Last updated” date at the top will change accordingly. Material changes affecting existing athletes will be communicated directly.

---

## 11. Contact

**The Aquatic Coach**  
Andy Astfalck  
Vaartweg 107, 1217 SM Hilversum, Netherlands  
KVK: 61356751 · BTW: NL002517921B21  
Email: [andyastfalck@gmail.com](mailto:andyastfalck@gmail.com)
