Privacy Policy

1. Who We Are

Back Coach is operated by Tom Lowes (trading as Back Coach), a workplace back health platform for desk-based workers. Contact: support@backcoach.app | backcoach.app. For UK GDPR and Data Protection Act 2018 purposes, Back Coach is the data controller for individual users and acts as data processor where processing personal data on behalf of employer clients.

2. Scope

Applies to employees enrolled via company invite, individual users signing up directly, and company administrators.

3. Data We Collect

Account data (first name, email, hashed password, company association, registration timestamp). Back Health Score data if assessment completed (question responses, composite scores, sub-scores, pathway, timestamp). Workstation assessment data if completed. Calendar data if connected (read-only, today only — event timing and duration only, no titles, descriptions, attendees, or locations; tokens encrypted server-side, never exposed to employer). Smart Break data (breaks delivered, feedback responses, reset timestamps). Usage and technical data (session info, device, browser, push notification tokens, IP address for timezone only).

4. How We Use Your Data

Service delivery (account, load calculation, pathway, Smart Breaks, push notifications). Service communications (reconnection emails, support). Aggregate anonymised employer reporting only — minimum 5 employees enrolled before any data shown, no individual data ever visible to employers. Platform improvement via de-identified analytics.

5. Lawful Basis

Performance of contract (Art 6(1)(b)). Legitimate interests for analytics (Art 6(1)(f)). Consent for calendar connection, withdrawable at any time via Settings (Art 6(1)(a)). Explicit consent for health-related assessment data (Art 9(2)(a)), withdrawable by contacting support@backcoach.app.

6. How We Share Your Data

We do not sell data. Infrastructure providers: Supabase (database, EU region) and Resend (email), both under data processing agreements. Employer clients receive anonymised aggregate data only. Google LLC and Microsoft Corporation via their OAuth infrastructure when calendar is connected. Legal obligation if required by law.

7. International Transfers

Data stored in EEA via Supabase EU infrastructure. Any transfers outside UK or EEA use standard contractual clauses approved by the ICO.

8. Retention

Data retained while account is active. Deletion within 30 days of account deletion request. Calendar tokens deleted immediately on disconnection or account deletion.

9. Your Rights

Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Contact support@backcoach.app. Response within one calendar month. Right to complain to the ICO (ico.org.uk, 0303 123 1113).

10. Cookies

Session cookies and local storage for authentication only. No advertising cookies, no third-party tracking.

11. Security

AES symmetric encryption of calendar tokens. Bcrypt password hashing. Row-level security in the database. TLS for data in transit. Employer clients cannot access individual data.

12. Children

Platform for adults in employment. No data knowingly collected from under-16s. Contact support@backcoach.app to report any such data.

13. Changes

Material changes notified by email or in-platform before taking effect.

14. Complaints

ICO: ico.org.uk | 0303 123 1113. Please contact us first at support@backcoach.app.

15. Contact

Back Coach | support@backcoach.app | backcoach.app. Effective date: 15 May 2026.