Privacy Policy
1. Who we are
Zero to Hero Coaching ("we", "us"), based in Franklin / Nashville, Tennessee, USA, is the data controller for personal information processed through the Platform. Contact: cody@zeroherocoaching.com.
2. What we collect
- Account & profile data — name, email, phone (optional), age, sex, height, weight, training experience, goals, lifestyle context you provide during onboarding.
- Coaching activity — workout sessions, exercise logs, food logs, water intake, mindset entries, habit completions, scheduled blocks, meal plans, shopping lists.
- Health data (if you opt in) — lab report uploads (PDFs, images), biomarker values, body composition, vitals. Treated under our Health Data Policy.
- Communications — messages with your coach, check-in notes, support requests.
- Technical data — IP-hint (region only, not full IP), browser/device user-agent strings, session tokens, error logs.
- Payment data — handled by our payment processor; we receive metadata (tier, billing date, last 4) but do not store your full card number.
3. Why we collect it
- To deliver the coaching, training, and nutrition services you signed up for
- To let your assigned coach see your activity and tailor your program
- To run AI features you trigger (label scan, meal estimate, lab extract)
- To process payments and manage your account
- To send transactional emails about your account (no marketing unless you opted in)
- To improve the Platform via aggregated, de-identified analytics
- To meet legal, accounting, and security obligations
4. What we DO NOT do with your data
- We do NOT sell, rent, or trade your data. Ever. To anyone. Full stop.
- We do NOT serve third-party advertising inside the Platform.
- We do NOT use your personal data, photos, lab results, or messages to train external AI models. AI features that act on your data (label scan, meal estimate, lab extract) call the AI provider on a per-request basis with the minimum data needed for that single request, and providers are contractually prohibited from retaining or training on it.
- We do NOT share your data with insurers, employers, or government agencies unless legally compelled by a valid court order, subpoena, or statutory requirement — in which case we will notify you wherever the law allows.
5. Who we share data with (and only what's necessary)
- Your assigned coach — sees your profile, training, nutrition, and (if you opt in) health data so they can coach you.
- Infrastructure providers — Lovable Cloud / Supabase (database and file storage), Cloudflare (hosting), payment processor (billing). These are processors acting on our instructions, bound to confidentiality.
- AI providers — per-request only, when you trigger an AI feature, with the minimum data required. Providers are bound by contract to not retain or train on the content.
- Email delivery — for transactional account emails only.
- Legal compliance — only when compelled by valid legal process.
We do not use third-party analytics or advertising trackers inside the authenticated Platform.
6. Your rights — export, delete, audit
You always have the right to:
- Access and export — download a full audit ZIP of everything we hold on you: profile, all coaching activity, every health marker and lab file, every message, every consent signature.
- Correct — fix anything inaccurate from your profile or directly in the app.
- Delete — permanently erase your account and every piece of associated data. We will generate your audit export first (so you walk away with a complete copy), give you a 24-hour cancel window, then wipe everything: storage files, database rows, auth record. No backups retained beyond legally required minimums.
- Restrict / object — pause certain processing where applicable.
- Withdraw consent — at any time, with no penalty (though it may end your ability to use specific features).
You can act on all of this yourself from the Your Data & Privacy page in your account settings, or by emailing cody@zeroherocoaching.com. We respond to verified requests within 30 days.
7. When you leave — our exit promise
When you delete your account, here is exactly what happens:
- We generate your full audit export ZIP and make it available to you (emailed and downloadable).
- Your account enters a 24-hour grace window. You can cancel and keep your account intact during this time.
- After the window closes, we permanently delete: every uploaded file (lab documents, food photos, meal plan uploads, exercise media you owned), every database row tied to you (profile, hero profile, all logs, all health markers, all messages, all schedules, all enrollments), and your authentication record.
- We leave no trace beyond what is strictly required by law (e.g. payment records may be retained for tax/accounting compliance, with all unnecessary fields removed).
- If you come back, you start fresh. There is no recovered history. If you want continuity, keep the audit ZIP you exported and we can help re-import what's salvageable.
8. Security
Data in transit is encrypted via TLS. Data at rest in our database and storage buckets is encrypted at the infrastructure layer. Health data has stricter access rules (see Health Data Policy), with every read and download recorded in an immutable access log. We use row-level security to ensure your data is only accessible to you and your assigned coach.
No system is 100% secure. If we ever experience a breach affecting your data, we will notify you within 72 hours of discovery where required by law, and sooner if possible.
9. Data retention
We keep your data only as long as your account is active, plus the time required to fulfill the purposes outlined here or meet legal obligations. On account deletion, all personal data is purged within 30 days except (a) records of legal compliance, (b) financial records required by tax law, and (c) anonymized aggregate statistics that cannot be tied back to you.
10. Children
The Platform is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, email us and we will delete it immediately.
11. International users
The Platform is hosted in the United States. If you are accessing it from outside the US, your data will be transferred to and processed in the US. We rely on the GDPR / UK GDPR data-subject-rights framework for users from those regions: access, rectification, erasure, portability, restriction, objection, and the right to lodge a complaint with your supervisory authority. EU/UK users should email us to exercise these rights.
12. Cookies & local storage
We use first-party cookies and browser localStorage only for what is strictly necessary: keeping you signed in, remembering UI preferences (e.g. sidebar collapsed), and security. No third-party advertising cookies, no cross-site trackers.
13. Changes to this Policy
We may update this Policy. When we do, we post the new version with an updated effective date and prompt you to acknowledge it on your next sign-in if the changes are material. You can review past versions on request.
14. Contact
Questions, requests, or complaints about this Policy: cody@zeroherocoaching.com.
Last updated: June 5, 2026. This document is part of your binding agreement with Zero to Hero Coaching.