Privacy Policy

Last updated: February 2026

1. Introduction

Vidal Coaching ("we," "us," or "our") operates the health and wellness coaching platform available at vidalfit.com (the "Platform"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform. We are committed to protecting your personal health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other applicable data protection laws.

By accessing or using the Platform, you consent to the data practices described in this policy. If you do not agree with these practices, please do not use the Platform.

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

Name, email address, and authentication credentials when you create an account. If you sign in via Google or Apple, we receive your name and email from the provider. We do not access your contacts, calendar, or other account data from third-party authentication providers.

2.2 Profile Information

Role (coach or client), avatar photo, gender, specializations, professional credentials, and business details.

2.3 Health and Wellness Data

  • Daily check-ins and pulse entries: mood ratings, energy levels, stress scores, sleep quality, and biofeedback data.
  • Nutrition data: meal logs, food photos, macro and micronutrient tracking, dietary preferences, and food sensitivities (including MRT/LEAP results).
  • Biometric data: body measurements, blood sugar readings, lab results, cycle tracking data, and other health metrics you voluntarily provide.
  • Fitness data: workout logs, exercise history, and training plans.
  • Progress photos: images you upload to track physical changes over time.
  • HealthKit data: heart rate samples, sleep sessions, and workout data synced from Apple Health (iOS app only, with your explicit permission).

2.4 Communication Data

  • Messages: text messages exchanged between coaches and clients.
  • Voice notes: audio recordings sent through the messaging system, which are transcribed for coaching purposes.
  • Session notes: notes created by coaches during or after coaching sessions.

2.5 AI Interaction Data

Questions and conversations you have with the AI coaching assistant, including topics, frequency, and content summaries. This data is used to improve coaching quality and is shared with your coach in aggregated form (see Section 5a).

2.6 Gamification Data

Experience points (XP), achievement progress, streaks, leaderboard rankings, and reward redemption history.

2.7 Usage and Device Data

IP addresses, browser type, device information, pages visited, and timestamps for security auditing and platform improvement.

3. How We Use Your Information

  • Providing and operating the coaching platform, including facilitating the coach-client relationship.
  • Enabling communication between coaches and clients via messages, voice notes, and session management.
  • Generating health insights, session preparation briefs, and personalized coaching recommendations.
  • AI-assisted features including draft response generation, coaching assistant conversations, and personalized AI concierge. Your data is processed by AI providers but is not used to train AI models.
  • Voice note transcription to create searchable text records of audio messages.
  • Providing coaches with aggregated insights about client AI interactions (question topics and themes) to improve coaching quality.
  • Gamification features including tracking progress, awarding achievements, maintaining streaks, and operating leaderboard rankings.
  • Operating the rewards marketplace where coaches and companies offer incentives to clients.
  • Sending transactional emails (session reminders, check-in nudges, account notifications).
  • Security monitoring, fraud prevention, and HIPAA-compliant audit logging.
  • Improving platform functionality, fixing bugs, and enhancing user experience.

4. HIPAA Compliance

Vidal Coaching is designed with HIPAA compliance as a foundational requirement. Protected Health Information (PHI) is handled with the following safeguards:

4.1 Technical Safeguards

  • Encryption in transit: all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest: all database storage is encrypted using AES-256 encryption.
  • Row-level security (RLS): database-enforced access controls ensure users can only access data they are authorized to view.
  • API key encryption: company-level API keys are encrypted using AES-256-GCM before storage.
  • Multi-factor authentication (MFA): available for coach accounts to add an additional layer of access security.

4.2 Administrative Safeguards

  • Session timeout: inactive sessions are automatically terminated after 15 minutes.
  • Comprehensive audit logging: all access to PHI is logged with timestamps, IP addresses, and user identifiers.
  • Role-based access controls: separate permissions for coach, client, and company administrator roles.
  • Consent tracking: explicit user acknowledgment is required before data processing begins, tracked via our consent management system.
  • Security headers: Content Security Policy (CSP), HSTS, and other HTTP security headers are enforced on all responses.

5. Data Sharing

We do not sell your personal information. We share data only in these circumstances:

  • Coach-Client Relationship: health data is shared between you and your assigned coach(es) as necessary for coaching services. This includes AI interaction insights (see Section 5a).
  • Company Administrators: if your coaching is provided through an employer or organization, company administrators may see aggregated engagement metrics. They do not have access to your individual health data.
  • Gamification and Leaderboard: your display name, XP level, and leaderboard ranking may be visible to other clients within the same coaching program or company.
  • Service Providers: we use third-party providers who process data on our behalf under contractual data protection obligations (see Section 6).
  • Legal Requirements: we may disclose information when required by law, subpoena, or court order, or to protect the safety of our users.

5a. AI Coaching Insights

When you use the AI coaching assistant ("Ask AI"), your questions and conversation topics are analyzed to help your coach better understand your needs. Specifically:

  • Your coach may see summaries of question topics and themes you discuss with the AI assistant — for example, "asked 5 questions about protein intake this week."
  • Your coach does not see the full text of your AI conversations. Only topic-level summaries and question counts are shared.
  • These insights appear in your coach's session preparation tools and client overview, helping them tailor sessions to your actual concerns.
  • This data sharing is covered under your Data Processing consent. You may withdraw consent at any time from your account settings, which will stop AI insight sharing with your coach.

6. Third-Party Services

We use the following third-party services to operate the Platform. Each processes data on our behalf under contractual obligations and is not permitted to use your data for their own purposes:

  • Supabase: database hosting, authentication, and file storage. Data is stored in SOC 2 Type II compliant infrastructure.
  • Vercel: application hosting and content delivery.
  • Anthropic (Claude): AI-powered coaching assistant, draft generation, and session intelligence features. Your data is not used to train AI models.
  • OpenAI: embedding generation for knowledge base search and optional AI chat capabilities. Your data is not used for model training when accessed via API.
  • Groq: voice note transcription via the Whisper speech-to-text model.
  • Resend: transactional email delivery (session reminders, notifications, account communications).
  • Sentry: error monitoring and crash reporting for the mobile application. No PHI is included in error reports.
  • PostHog: product analytics for the mobile application. Analytics data is anonymized and does not include PHI.

7. Data Retention and Deletion

We retain your data for as long as your account is active or as needed to provide services. Specific retention periods:

  • Health records: retained in accordance with applicable healthcare record retention requirements (typically 6-10 years depending on jurisdiction).
  • Audit logs: retained for a minimum of 6 years as required by HIPAA.
  • Account data: retained while your account is active and for 30 days after deletion to allow for recovery.
  • Communication data: messages, voice notes, and session notes are retained for the duration of the coaching relationship and according to healthcare record retention laws.

You may request deletion of your account and associated data by contacting us at privacy@vidalfit.com. Upon receiving a verified deletion request, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

8.1 All Users

  • Access and receive a copy of your personal data in a portable format.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data (subject to legal retention requirements).
  • Withdraw consent for data processing at any time from your account settings.
  • Request a copy of your complete health records.

8.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the additional right to:

  • Know what personal information we collect, use, and disclose about you.
  • Request deletion of your personal information.
  • Opt out of the sale or sharing of personal information. We do not sell your personal information.
  • Not be discriminated against for exercising your privacy rights.
  • Limit the use and disclosure of sensitive personal information.

To exercise your CCPA rights, contact us at privacy@vidalfit.com. We will verify your identity before processing any request.

8.3 European Economic Area Residents (GDPR)

If you are in the EEA, UK, or Switzerland, you have the additional right to:

  • Object to processing of your personal data based on legitimate interests.
  • Request restriction of processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Lodge a complaint with your local data protection authority.

Our legal basis for processing personal data under GDPR is: (a) your consent, (b) performance of a contract (providing the coaching service), and (c) legitimate interests (platform security and improvement).

9. Cookies and Tracking

The Platform uses the following types of cookies and similar technologies:

  • Essential cookies: required for authentication, session management, and security. These cannot be disabled.
  • Authentication tokens: secure, HTTP-only cookies used to maintain your logged-in session. These expire after 15 minutes of inactivity (HIPAA requirement).
  • Preference cookies: store your theme preference (dark/light mode) and other UI settings.

We do not use third-party advertising cookies or cross-site tracking. The Platform does not serve ads and does not participate in ad networks.

10. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a person under 18, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@vidalfit.com.

11. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. When data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses approved by relevant regulatory authorities, to protect your data in accordance with this Privacy Policy and applicable law.

12. Security Measures

We implement industry-standard and HIPAA-required security measures including: encryption at rest (AES-256) and in transit (TLS 1.2+), secure authentication with optional MFA, comprehensive audit logging, automated session timeouts, role-based access controls, Content Security Policy headers, and regular security monitoring. Our infrastructure providers maintain SOC 2 Type II compliance.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and applicable authorities as required by law.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and sending a notification through the Platform or via email. Your continued use of the Platform after the changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us:

We aim to respond to all privacy-related inquiries within 30 days.