Privacy Policy
Last updated: May 11, 2026
1. Introduction
This Privacy Policy explains how Straton collects, uses, shares, and protects personal information.
Straton is a software platform for fitness and nutrition coaching businesses.
2. Controller and Processor Roles
Privacy law distinguishes between a controller (decides why and how data is processed) and a processor (acts on the controller's instructions).
- For coach account data (name, email, billing, workspace settings), Straton is the controller.
- For client data that a coach uploads, organizes, or manages through Straton (programs, check-ins, photos, metrics, notes), Straton acts as a processor on the coach's behalf. The coach is the controller of that data.
Clients should contact their coach first for requests related to coach-controlled data. Straton will support coaches in fulfilling those requests.
3. Information We Collect
Account & workspace data: name, email, login credentials, workspace settings, coach profile, team membership.
Client data uploaded by coaches: client profile, contact info, workout programs and logs, nutrition targets and logs, check-in responses, intake forms, habits, progress photos, body metrics and measurements, notes, messages.
Billing data: subscription metadata, plan, billing email, tax info. Full card numbers are stored by our payment provider, not by Straton.
Integration data: information from third-party services you connect (e.g. calendar, fitness trackers).
Technical data: device, browser, IP address, app usage, logs, error reports.
Support data: messages and feedback you send us.
Sensitive / special category data
Some client data uploaded to Straton may qualify as special category personal data under GDPR Article 9 or equivalent (e.g. body metrics, progress photos, nutrition logs, injury notes that reveal health information).
Coaches are responsible for obtaining explicit consent from clients before uploading such data, and must do so under a lawful basis (typically the client's explicit consent or another Article 9 ground). Straton's onboarding flow surfaces this consent requirement to coaches.
Straton is not HIPAA-compliant and must not be used to process Protected Health Information.
4. How We Use Information
We use information to:
- provide and operate Straton;
- create and manage accounts;
- enable coaches to manage clients, programs, workouts, check-ins, habits, nutrition, and forms;
- process subscriptions and billing;
- provide customer support;
- improve and secure the product;
- detect abuse or fraud;
- send service notifications;
- send marketing where allowed (with opt-out);
- provide AI and automation features;
- comply with legal obligations.
Legal basis for processing (EU/UK users)
| Purpose | Legal basis |
|---|---|
| Providing the platform to a paying coach | Contract (Art. 6(1)(b)) |
| Processing client data on a coach's behalf | The coach's chosen lawful basis, under our DPA |
| Billing, fraud prevention, security | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails to coaches | Consent or legitimate interest with opt-out |
| Legal compliance, tax records | Legal obligation (Art. 6(1)(c)) |
| Special category data (health, photos) | Coach must obtain client explicit consent (Art. 9(2)(a)) |
5. Payments
Straton uses Polar (or another payment provider) to process platform subscriptions. The payment provider collects billing, tax, invoice, and payment information directly. Straton does not store full card numbers.
Coach-client payments are handled by the coach's own connected payment provider. The coach and that provider are responsible for the underlying transaction.
6. AI and Automation
Straton processes selected workspace or client content to provide AI-assisted features such as summaries, suggestions, insights, reminders, and draft actions.
Straton does not use coach or client content to train AI models. We send only the minimum content required to AI providers (e.g. OpenAI, Anthropic) under their no-training data policies. AI outputs should be reviewed by coaches before use.
The list of AI providers we use is published on the Subprocessors page.
7. How We Share Information
We may share information with:
- coaches, clients, team members, and workspace admins, based on permissions;
- hosting, database, email, storage, analytics, support, security, payment, and AI providers (see Subprocessors);
- third-party integrations you connect;
- legal authorities where required;
- professional advisors (e.g. lawyers, auditors);
- parties involved in a merger, acquisition, or sale of assets, under confidentiality.
We do not sell personal information.
8. Data Retention
We keep personal information as long as needed to provide Straton, comply with legal obligations, resolve disputes, maintain security, and operate the business.
- Active account data is retained while the account is active.
- After account termination, data is retained for up to 90 days to allow export or reactivation, then deleted.
- Some data may persist in encrypted backups for up to 30 additional days.
- Billing, tax, and legal records may be retained longer where required by law.
9. Security
Straton uses reasonable technical and organizational measures to protect personal information, including:
- authentication required for all access to coach and client data;
- workspace-based permissions limiting visibility to authorized users;
- TLS encryption for data in transit and encryption at rest on managed infrastructure;
- PCI-compliant payment processing through Polar (we do not store full card numbers);
- regular automated backups;
- application and infrastructure monitoring for errors, abuse, and security events;
- limited internal access to customer data on a need-to-know basis;
- ongoing dependency monitoring and security updates.
Straton has not yet completed SOC 2 or ISO 27001 audits. We will update this section when that changes.
In the event of a confirmed personal-data breach, Straton will notify affected customers in line with applicable law and, where required, regulators within statutory timeframes (e.g. 72 hours under GDPR).
No system is 100% secure. Users are responsible for keeping login credentials safe. To report a vulnerability, contact [email protected].
10. International Data Transfers
Straton may process and store data in countries different from where users live. Where data leaves the EEA, UK, or other restricted regions, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.
11. Your Rights
Depending on your location, you may have rights to:
- access, correct, delete, export, or restrict processing of your personal data;
- object to processing or withdraw consent;
- lodge a complaint with a supervisory authority (EU/UK users);
- opt out of “sale” or “share” of personal information (California users — Straton does not sell data).
To exercise your rights, contact [email protected]. Clients should typically contact their coach first for coach-controlled data.
12. Children and Minors
Straton is intended for users 18 or older. Coaches must not invite clients under 18 unless required parent/guardian consent has been obtained and Straton's age-gated flow has been enabled.
We do not knowingly collect personal information from children under 13 (or under 16 in the EU). If you believe a minor has provided personal data without proper consent, contact us and we will remove it.
13. Changes to This Policy
Straton may update this Privacy Policy from time to time. We will post the updated version here and update the “Last updated” date. For material changes, we will provide additional notice (e.g. email or in-app).
14. Contact
For privacy questions or to exercise your rights:
For EU users with concerns we cannot resolve, you may contact your local data protection authority.