Privacy Policy

This Privacy Policy applies to:

• Visitors to athryl.com
• Users of app.athryl.com
• Coaches/businesses who create an Athryl account (our customers)
• People who contact us (e.g., email, forms, scheduling)

Important Roles

• For customer account, admin, billing, and service communications, Athryl acts as a data controller.
• For end-client data uploaded or processed through Athryl by a coach/business, Athryl typically acts as a data processor on behalf of that coach/business (who is the data controller).

If you are an end client of a coach using Athryl, your relationship is primarily with that coach/business. They control what is collected and how it is used. If you have questions about how your coach uses your data, contact them directly.

3.1 Information You Provide Directly (Controller Data)

• Account information: name, email address, business name, login/authentication details
• Billing/admin information: billing contact details, invoices, payment status, subscription tier
• Support and communications: messages, files, and information you send to us for support

3.2 Information Processed on Behalf of Customers (Processor Data)

When a coach/business uses Athryl, Athryl may process data relating to that coach's end clients under the coach's instructions, which may include:

• names, email addresses, and identifiers
• check-in responses and related metadata
• compliance/adherence signals and engagement indicators
• payment-status metadata (non-card)

Card details: Athryl does not store or process full payment card details. Payments are handled by Stripe.

3.3 Automatically Collected Data

• IP address, device type, browser type, operating system
• logs of activity within the Services (e.g., sign-in events, feature usage, error logs)

3.4 Cookies and Similar Technologies

Athryl does not currently use advertising cookies or third-party analytics trackers.

We may use strictly necessary cookies or similar technologies required for core functionality (e.g., session management, keeping you signed in, and security protections). If we introduce analytics or non-essential cookies later, we will update this policy and (where required) implement a cookie notice/consent mechanism.

We use personal data to:

• provide and operate the Services
• authenticate users and manage accounts
• generate operational reporting and platform metrics for customers
• process payments, subscriptions, and invoices
• maintain security, prevent abuse, and monitor reliability
• communicate with you about the Services (service notices and support replies)
• comply with legal obligations (e.g., accounting/tax and fraud prevention)

Athryl does not sell personal data.

Where UK GDPR/EU GDPR applies, we process personal data under:

• Contractual necessity – to provide the Services you requested
• Legitimate interests – security, fraud prevention, and improving reliability and performance
• Legal obligation – accounting/tax/regulatory compliance
• Consent – only where explicitly requested/obtained (e.g., optional marketing communications)

Where Athryl acts as a processor, the customer (coach/business) determines the lawful basis and provides instructions.

We share personal data only as needed to run the Services, including with:

• Stripe – payment processing, billing, and subscription management
• Supabase – database, authentication, and storage infrastructure
• Vercel – application hosting and delivery
• Resend – transactional email delivery
• Calendly – scheduling (where you choose to use it)

These providers act under contractual obligations appropriate to their role (processor/sub-processor as applicable).

We may also disclose information:

• to comply with law, lawful requests, or legal process
• to protect rights, safety, and prevent fraud/abuse
• in connection with a merger, acquisition, financing, or sale of assets (with appropriate safeguards)

Your data may be processed in the UK, EU, United States, or Canada depending on service providers and hosting.

Where UK/EU transfer restrictions apply, we use appropriate safeguards such as:

• the UK International Data Transfer Addendum and/or
• the EU Standard Contractual Clauses (SCCs)

We retain personal data only as long as necessary to:

• provide the Services
• meet legal/accounting obligations
• resolve disputes and enforce agreements
• maintain security and auditability where appropriate

Customer processor data (end-client data): customers can request deletion/export upon termination. Unless legally required otherwise, Athryl will delete or anonymise customer processor data within 30 days of termination or verified deletion request (consistent with the DPA / contract terms).

Depending on your jurisdiction, you may have rights including:

• access to your personal data
• correction of inaccurate data
• deletion of data (where applicable)
• restriction or objection to processing (where applicable)
• data portability (where applicable)
• withdrawing consent (where processing is based on consent)

How to exercise rights: contact us at privacy@athryl.com or write to our registered address.

If Athryl processes your data as a processor for a coach/business, you should also contact that coach/business (the controller). We will assist controllers where required.

UK: you may lodge a complaint with the UK ICO (Information Commissioner's Office).

EU: you may lodge a complaint with your local supervisory authority.

Athryl implements reasonable technical and organisational safeguards designed to protect personal data, including:

• access controls and least-privilege
• encryption in transit and (where applicable) at rest via infrastructure providers
• logging/monitoring for reliability and security

No system is fully secure. You are responsible for safeguarding your login credentials and using strong passwords.

Athryl is not intended for individuals under 18. We do not knowingly collect personal data from children.

We may update this Privacy Policy from time to time. The updated version will be posted on athryl.com and/or within the Services with the “Last updated” date revised.

13.1 United States (including California)

Athryl does not sell personal information and does not share personal information for cross-context behavioural advertising.

Where applicable, you may have rights to access, delete, or correct personal information. We will take reasonable steps to verify your request before responding.

13.2 Canada

We process personal information in line with Canadian privacy principles, including transparency, safeguards, and access/correction. You can contact us using the details in Section 1.