Privacy Policy

This Privacy Policy ("Policy") is published by B.E.S.A ("BESA Coaching," "we," "us," or "our") and describes how we collect, use, disclose, retain, and safeguard personal information about users of the BESA Coaching platform, including our website, mobile applications, APIs, and all related services (collectively, the "Platform").

This Policy applies to all individuals who interact with the Platform, including registered Coaches, Clients, event attendees, program participants, and website visitors. It covers personal information collected online through the Platform and, where applicable, through offline interactions with BESA Coaching.

This Policy is incorporated into and subject to our Terms of Service. By using the Platform, you consent to the data practices described in this Policy. If you do not agree, please discontinue use of the Platform.

We are committed to compliance with applicable data protection laws worldwide, including the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Law 25, Brazil's Lei Geral de Proteção de Dados (LGPD), Australia's Privacy Act 1988, Japan's Act on the Protection of Personal Information (APPI), South Africa's Protection of Personal Information Act (POPIA), Singapore's Personal Data Protection Act (PDPA), India's Digital Personal Data Protection Act (DPDP Act 2023), and other applicable national and regional privacy laws.

For purposes of applicable data protection law, the data controller responsible for your personal information is:

Note: Coaches who collect and process Client data through the Platform (e.g., session notes, intake forms, goal tracking) act as independent data controllers for that data. BESA Coaching acts as a data processor for such Coach-controlled data. See our Data Processing Agreement for details.

3.1 Information You Provide Directly

• Account Registration: Full name, email address, password (stored as a one-way cryptographic hash never in plaintext), account type (Coach, Client, or Admin), and profile photo (optional).
• Coach Profile Information: Professional biography, coaching specialty and sub-categories, geographic location, hourly rate, certifications, credentials, professional affiliations, and subscription plan selection.
• Payment & Billing Information: Billing name, billing address, and payment card details. Full card numbers are processed and stored exclusively by Stripe, Inc. BESA Coaching stores only tokenized payment references and transaction metadata.
• Booking & Transaction Data: Session bookings, event ticket purchases, program enrollments, booking history, and transaction records.
• Communications: Messages sent through the Platform's secure messaging system, support tickets submitted to BESA Coaching, and email correspondence with our team.
• Session & Coaching Content (Premium): Session notes, goal tracking entries, action plans, mood tracker data, intake form responses, resource library content, and other coaching materials created within Premium features.
• Reviews & Ratings: Feedback, star ratings, written reviews, and testimonials submitted about Coaches, sessions, programs, or events.
• Identity & Credential Verification: Documents submitted for credential verification, identity verification, or compliance purposes (if requested).
• Event & Program Participation: Registration information for events and programs, attendance records, and completion data.
• Payout Information (Coaches): Bank account or payment account details for receiving disbursements, submitted through Stripe Connect.
• Tax Compliance Information (Coaches): IRS Form W-9 (U.S. residents) or IRS Form W-8BEN/W-8BEN-E (non-U.S. residents), including legal name, address, taxpayer identification number (TIN/SSN/EIN/foreign TIN), residency declarations, and tax treaty claims. This information is collected as required by U.S. federal tax law and is stored in encrypted form in our secure tax compliance vault. See Section 3.4 below for full details.

3.2 Information Collected Automatically

• Usage & Activity Data: Pages visited, features used, search queries, booking history, session attendance records, time spent on pages, click patterns, and feature interaction logs.
• Device & Technical Data: IP address, browser type and version, operating system, device type and identifiers, screen resolution, language settings, and referring URLs.
• Cookies & Tracking Technologies: Session cookies, persistent cookies, pixel tags, and similar technologies as described in our Cookie Policy.
• Log Data: Server logs including access times, error logs, and security event logs.
• Location Data: General geographic location inferred from IP address. We do not collect precise GPS location without your explicit consent.

3.3 Information from Third Parties

• Payment Processors (Stripe): Transaction confirmation, fraud signals, payment method verification, and payout status.
• Video Conferencing (Zoom): Session metadata including meeting IDs and attendance records. We do not access or store session content (audio/video) unless you explicitly share a recording through the Platform.
• Social Login Providers: If you register using a social media account (e.g., Google), we receive your name, email address, and profile photo from that provider, subject to your privacy settings with that provider.
• Credential Verification Services: Verification status from third-party credential verification providers (if used).

3.4 Tax Compliance Data (Coaches — Special Category)

• Data Collected: Legal name (as it appears on tax filings), mailing address, taxpayer identification number (SSN, EIN, or foreign TIN), tax residency declaration (U.S. or international), entity type (individual, corporation, partnership, etc.), tax treaty country and article (for W-8 filers), and certification signatures.
• Legal Basis for Collection: Legal obligation (GDPR Art. 6(1)(c); IRC §§ 3406, 6041, 6041A, 6050W). Collection is mandatory for Coaches earning $600 or more through the Platform in a calendar year. For Coaches earning below this threshold, collection is a contractual condition of payout eligibility.
• Storage & Encryption: Tax forms and TINs are stored in an encrypted tax compliance vault (/private/besa-tax-docs/) using AES-256 encryption at rest. Access is restricted to authorized BESA Coaching compliance personnel only, protected by vault-level access controls and a separate administrative credential.
• Access Logging: Every access to a Coach's tax document by BESA Coaching personnel is logged with the accessor's identity, timestamp, IP address, and stated purpose. These access logs are retained for audit purposes.
• Sharing: Tax data is shared only with: (a) the IRS and applicable U.S. tax authorities as required by law; (b) BESA Coaching's tax filing service providers (e.g., Track1099, Tax1099) under strict data processing agreements; and (c) BESA Coaching's external auditors or legal counsel under confidentiality obligations. Tax data is never shared with other Coaches, Clients, or third parties for any other purpose.
• Retention: Tax forms and withholding records are retained for a minimum of seven (7) years from the end of the relevant tax year, as required by IRS regulations. After the retention period, records are securely destroyed.
• Your Rights: Because tax data retention is mandated by law, the right to erasure (GDPR Art. 17) does not apply to tax compliance records during the legally required retention period. You may request a copy of your tax data held by BESA Coaching by contacting [email protected]. Corrections to TIN or name information must be submitted through the Platform's tax compliance portal.

We do not use your personal information for automated decision-making that produces legal or similarly significant effects without human review, except for fraud detection systems where automated flags are always reviewed by our team.

For users in the European Economic Area, United Kingdom, or Virginia, we process personal data on the following legal bases:

• Contract Performance (GDPR Art. 6(1)(b)): Processing necessary to provide Platform services, process bookings, facilitate payments, and fulfill our contractual obligations to you. This is the primary basis for most processing.
• Legitimate Interests (GDPR Art. 6(1)(f)): Fraud prevention, platform security, abuse detection, service improvement, and direct marketing to existing users — where our interests are not overridden by your rights and interests.
• Legal Obligation (GDPR Art. 6(1)(c)): Compliance with tax laws (including U.S. IRS reporting requirements under IRC §§ 3406, 6041, 6041A, and 6050W), financial reporting requirements, anti-money laundering obligations, and responses to lawful government requests. This basis applies specifically to the collection and processing of W-9/W-8BEN forms, taxpayer identification numbers, withholding calculations, and 1099-NEC filings.
• Consent (GDPR Art. 6(1)(a)): Marketing communications to new users, optional analytics features, and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Vital Interests (GDPR Art. 6(1)(d)): In emergency situations where processing is necessary to protect the vital interests of a data subject or another person.

5.1 Special Category Data — Financial Identifiers (GDPR Art. 9 Analogue). While taxpayer identification numbers (TINs, SSNs, EINs) are not classified as "special category data" under GDPR Art. 9 in the strict sense, BESA Coaching treats them as equivalent to special category data given their sensitivity and the potential for harm if disclosed. We apply the following additional safeguards:

• TINs and SSNs are never displayed in full in any user interface — only the last four digits are shown for verification purposes
• Access to full TIN data is restricted to a named set of authorized compliance personnel and is logged on every access
• TINs are stored encrypted at rest and are never transmitted in plaintext
• TINs are never included in marketing databases, analytics systems, or any system other than the tax compliance vault
• BESA Coaching does not use TINs or SSNs for identity verification purposes beyond tax compliance — identity verification uses separate document verification processes

5.2 Cross-Border Transfer of Tax Data. Tax compliance data (W-9/W-8 forms, TINs, withholding records) may be transferred to the United States Internal Revenue Service and to U.S.-based tax filing service providers. For EEA/UK users, such transfers are made under the following safeguards:

• Legal Obligation: Transfers to the IRS are made under GDPR Art. 49(1)(e) (transfer necessary for important reasons of public interest) and applicable U.S.-EU tax treaty obligations.
• Standard Contractual Clauses: Transfers to U.S.-based tax filing service providers are covered by EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) as applicable.
• Adequacy Decisions: Where available, we rely on adequacy decisions for transfers to countries recognized by the European Commission as providing adequate data protection.

6.1 Between Platform Users

• Coach profiles (name, bio, specialty, location, ratings, hourly rate) are publicly visible to all Platform visitors
• Client names, booking details, and contact information are shared with the Coach for confirmed bookings
• Reviews and ratings submitted by Clients are publicly displayed on Coach profiles
• Event attendee lists may be shared with the Coach hosting the event

6.2 Service Providers (Data Processors)

We share information with carefully selected third-party service providers who assist in operating the Platform, under contractual obligations that require them to protect your data and use it only for specified purposes:

• Stripe, Inc. Payment processing, fraud prevention, and Coach disbursements. Stripe Privacy Policy
• Zoom Video Communications Video session facilitation. Zoom Privacy Policy
• Cloud Infrastructure Providers Hosting, database management, and storage services
• Email Service Providers Transactional and marketing email delivery
• Analytics Providers Aggregated, anonymized usage analytics
• Security & Fraud Prevention Providers Threat detection and abuse prevention

6.3 Legal Requirements & Safety

• When required by applicable law, regulation, court order, subpoena, or government authority
• To protect the rights, property, safety, or security of BESA Coaching, our users, or the public
• To detect, prevent, or address fraud, security breaches, or technical issues
• In connection with legal proceedings, to enforce our Terms of Service, or to establish, exercise, or defend legal claims

6.4 Business Transfers

In the event of a merger, acquisition, sale of all or substantially all assets, reorganization, or bankruptcy, your personal information may be transferred to the successor entity. We will provide at least 30 days' notice before your information is transferred and becomes subject to a materially different privacy policy, and you will have the opportunity to delete your account if you do not consent.

6.5 Aggregated & Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for research, analytics, marketing, or other purposes.

6.6 With Your Consent

We may share your information for any other purpose with your explicit, informed consent.

When data is no longer needed for its stated purpose and no legal retention obligation applies, we securely delete or irreversibly anonymize it. Upon request, we will provide written confirmation of data deletion.

We implement comprehensive technical and organizational security measures appropriate to the risk level of the data we process:

Technical Measures

• TLS 1.2+ encryption for all data transmitted between your browser/app and our servers
• AES-256 encryption for sensitive data stored at rest in our databases
• Bcrypt hashing with unique random salts for all user passwords we never store plaintext passwords
• Tokenization of payment card data through Stripe we never store raw card numbers
• Database encryption, access logging, and anomaly detection
• Web Application Firewall (WAF) and DDoS mitigation
• Automated vulnerability scanning and dependency security monitoring
• Secure session management with configurable timeout and automatic expiration
• Multi-factor authentication (MFA) support for all user accounts

Organizational Measures

• Role-based access controls (RBAC) data access limited to personnel with a documented need-to-know
• Employee security awareness training and annual security policy acknowledgment
• Confidentiality agreements for all personnel with access to personal data
• Documented incident response plan with defined breach notification procedures
• Regular security assessments, penetration testing, and third-party security audits
• Vendor security assessments for all sub-processors handling personal data
• Privacy-by-design principles applied to all new feature development
• Data minimization we collect only the data necessary for stated purposes

Breach Notification. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law (within 72 hours for GDPR-covered breaches). We will provide information about the nature of the breach, data affected, likely consequences, and measures taken.

No method of data transmission or storage is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security against all threats.

Depending on your jurisdiction, you have the following rights regarding your personal information. We will respond to all verified requests within the timeframes required by applicable law:

• Right of Access: Request a copy of the personal information we hold about you, including the categories of data, purposes of processing, and recipients. Response within 30 days (GDPR) or 45 days (CCPA/VCDPA).
• Right to Rectification / Correction: Request correction of inaccurate, incomplete, or outdated personal information. Response within 30 days.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal information. We will comply unless retention is required by law (e.g., tax records) or for legitimate purposes (e.g., fraud prevention). Response within 30 days.
• Right to Data Portability: Receive your personal information in a structured, commonly used, machine-readable format (e.g., JSON or CSV) for transfer to another service. Response within 30 days.
• Right to Restriction of Processing: Request that we restrict processing of your personal information in specified circumstances (e.g., while accuracy is contested). Response within 30 days.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes. Marketing objections are effective immediately. Other objections are evaluated against our legitimate interests.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing. Effective immediately.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Lodge a Complaint: Lodge a complaint with your local data protection authority (e.g., your EU Member State's DPA, the UK ICO, or the Virginia Attorney General).

To exercise any of these rights, contact us at [email protected] with "Privacy Rights Request" in the subject line. We may need to verify your identity before processing your request to protect against unauthorized access.

The Platform is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children under 18. We do not knowingly allow children under 18 to register for accounts or purchase services.

If we become aware that we have inadvertently collected personal information from a child under 18 without verifiable parental consent, we will take immediate steps to delete that information from our systems.

If you are a parent or guardian and believe your child under 18 has provided personal information to the Platform, please contact us immediately at [email protected].

BESA Coaching is based in the United States. If you access the Platform from outside the United States, your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For transfers of personal data from the European Economic Area (EEA) or United Kingdom to the United States, we rely on the following appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission (for EEA transfers)
• UK International Data Transfer Agreements (IDTAs) (for UK transfers)
• The EU-U.S. Data Privacy Framework (where applicable)
• Binding Corporate Rules or other approved transfer mechanisms as applicable

Copies of applicable transfer mechanisms are available upon request at [email protected].

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), effective January 1, 2023:

• Right to Know (Categories & Specific Pieces): Request disclosure of the categories and specific pieces of personal information collected about you in the past 12 months, including sources, business purposes, and third parties with whom it is shared.
• Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions (e.g., completing transactions, security, legal obligations).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising. No opt-out is currently required, but we honor opt-out requests.
• Right to Limit Use of Sensitive Personal Information: Request that we limit the use of sensitive personal information (e.g., financial data, health data) to purposes necessary to provide services.
• Right to Non-Discrimination: We will not deny services, charge different prices, or provide a different level of service because you exercised your CCPA/CPRA rights.

To submit a California privacy request, contact us at [email protected] with "California Privacy Request" in the subject line. We will respond within 45 days, with a possible 45-day extension for complex requests.

You may also designate an authorized agent to submit requests on your behalf. We will require written authorization and may verify your identity directly.

If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023:

• Right to access personal data we process about you
• Right to correct inaccuracies in your personal data
• Right to delete personal data provided by or obtained about you
• Right to obtain a copy of your personal data in a portable format
• Right to opt out of processing for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects

To submit a Virginia privacy request, contact [email protected]. We will respond within 45 days. If we decline your request, you may appeal by contacting us at the same address. If your appeal is denied, you may contact the Virginia Attorney General.

If you are located in Canada, your personal information is protected under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial privacy legislation including Québec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64).

Your rights under PIPEDA and Law 25 include:

• Right to access personal information we hold about you and to know how it is used and disclosed
• Right to challenge the accuracy and completeness of your information and request corrections
• Right to withdraw consent to the collection, use, or disclosure of your personal information (subject to legal and contractual restrictions)
• Right to be informed of any privacy breach that poses a real risk of significant harm
• Right to data portability (Québec Law 25): request your personal information in a structured, commonly used technological format
• Right to de-indexation (Québec Law 25): request that hyperlinks to information about you be de-indexed where the information is injurious or disseminated without lawful authority

We appoint a Privacy Officer responsible for PIPEDA compliance. To exercise your rights or lodge a complaint, contact [email protected]. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca or, for Québec residents, the Commission d'accès à l'information at cai.gouv.qc.ca.

If you are located in Brazil, your personal data is protected under the Lei Geral de Proteção de Dados Pessoais (LGPD — Federal Law No. 13,709/2018), enforced by the Autoridade Nacional de Proteção de Dados (ANPD).

Your rights under the LGPD include:

• Confirmation of the existence of processing of your personal data
• Access to your personal data
• Correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion of unnecessary or excessive data or data processed in non-compliance with the LGPD
• Portability of your personal data to another service or product provider
• Deletion of personal data processed with your consent
• Information about public and private entities with which we have shared your data
• Information about the possibility of not providing consent and the consequences of refusal
• Revocation of consent at any time
• Review of automated decisions affecting your interests

Our legal bases for processing under the LGPD include: consent (Art. 7, I), contract performance (Art. 7, V), legitimate interest (Art. 7, IX), and legal obligation (Art. 7, II). To exercise your rights, contact [email protected]. Unresolved complaints may be directed to the ANPD at gov.br/anpd.

If you are located in Australia, your personal information is protected under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) administered by the Office of the Australian Information Commissioner (OAIC).

Your rights under the Privacy Act include:

• Right to access the personal information we hold about you (APP 12)
• Right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
• Right to know why a request for access or correction is refused and to complain about that refusal
• Right to opt out of direct marketing communications (APP 7)
• Right to request that we not use your information for direct marketing

We will respond to access and correction requests within 30 days. If you are not satisfied with our handling of your personal information, you may lodge a complaint with the OAIC at oaic.gov.au.

BESA Coaching is committed to respecting the privacy rights of users worldwide. The following additional regional frameworks apply to users in those jurisdictions:

• Japan (APPI — Act on the Protection of Personal Information): We handle personal information in accordance with the APPI as amended. You have the right to request disclosure, correction, addition, deletion, suspension of use, and erasure of your personal information. Contact [email protected] to exercise these rights.
• South Africa (POPIA — Protection of Personal Information Act 4 of 2013): We process personal information in accordance with POPIA's eight conditions for lawful processing. You have the right to access, correct, and object to the processing of your personal information. Complaints may be directed to the Information Regulator at inforegulator.org.za.
• Singapore (PDPA — Personal Data Protection Act 2012): We comply with the PDPA and its amendments. You have the right to access and correct your personal data, and to withdraw consent subject to legal or contractual restrictions. Contact our Data Protection Officer at [email protected].
• India (DPDP Act — Digital Personal Data Protection Act 2023): We process personal data in accordance with the DPDP Act 2023. You have the right to access information about processing, correct and erase your personal data, nominate a representative, and grieve against our decisions. Contact us at [email protected].
• Other Jurisdictions: Regardless of where you are located, we are committed to handling your personal information responsibly and in accordance with applicable local law. If you have questions about your rights in your jurisdiction, please contact us at [email protected].

We use cookies and similar tracking technologies to operate the Platform, remember your preferences, analyze usage, and support security. For detailed information about the specific cookies we use, their purposes, durations, and how to manage your preferences, please see our Cookie Policy.

You can manage cookie preferences through your browser settings or our cookie consent tool. Note that disabling essential cookies will prevent you from logging in and using core Platform features.

We may send you promotional emails about new features, events, programs, and coaching opportunities. Where required by law, we will obtain your consent before sending marketing communications.

You may opt out of marketing emails at any time by:

• Clicking the "Unsubscribe" link in any marketing email
• Updating your communication preferences in your account settings
• Contacting us at [email protected]

Opting out of marketing communications does not affect transactional emails related to your account, bookings, or purchases (e.g., booking confirmations, receipts, password resets).

The Platform integrates with third-party services (Stripe, Zoom, etc.) and may contain links to third-party websites. These third parties have their own privacy policies, which we encourage you to review. BESA Coaching is not responsible for the privacy practices of any third-party service or website.

When you connect a third-party service to your BESA Coaching account (e.g., Google Calendar for Premium features), you authorize that service to share data with us as described in their privacy policy and your authorization.

We may update this Privacy Policy from time to time to reflect changes in our data practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated Policy on the Platform with a new "Last Updated" date
• Sending an email notification to registered users for material changes
• Displaying a prominent notice on the Platform

For material changes that affect how we use previously collected data, we will obtain your consent where required by applicable law. Your continued use of the Platform after the effective date of the updated Policy constitutes acceptance of the changes.

For privacy-related questions, rights requests, or concerns:

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority:

• EU/EEA: Your Member State's Data Protection Authority (list at edpb.europa.eu)
• UK: Information Commissioner's Office (ico.org.uk)
• Virginia: Virginia Attorney General's Office
• California: California Privacy Protection Agency (cppa.ca.gov)
• Canada: Office of the Privacy Commissioner (priv.gc.ca) / Québec: Commission d'accès à l'information (cai.gouv.qc.ca)
• Brazil: Autoridade Nacional de Proteção de Dados — ANPD (gov.br/anpd)
• Australia: Office of the Australian Information Commissioner (oaic.gov.au)
• South Africa: Information Regulator (inforegulator.org.za)
• Singapore: Personal Data Protection Commission (pdpc.gov.sg)
• India: Data Protection Board of India (once operational)
• Other jurisdictions: Your applicable national or regional data protection authority