Privacy Policy
Last updated: February 2026
1. Introduction
This privacy policy applies to the CoachCraft application (hereinafter: "the App"), offered by Maak Jouw Impact B.V., a company registered in the Netherlands.
We respect your privacy and handle your personal data with care. In this policy, we explain what data we collect, why we do so, and what your rights are under the GDPR, the CCPA/CPRA, and other applicable privacy laws.
Controller:
Maak Jouw Impact B.V.
Industrieweg 9
2254 AE Voorschoten, the Netherlands
KvK number: 78341396
support@coachcraft.io
2. What data do we collect?
2.1 Account data
- Email address
- Name
- Password (stored encrypted via Supabase Auth)
2.2 Profile data
- Tone of voice profile (text you provide or voice recording you submit)
- Voice recordings (optional, used to capture your natural speaking style — the audio is transcribed by ElevenLabs, then sent to OpenAI for processing, and the original recording is permanently deleted; only the resulting text profile is retained)
- Ideal client profile (information you fill in)
- Personal stories (experiences you share)
2.3 LinkedIn data (only with your explicit consent)
When you connect your LinkedIn account, we collect:
- Profile information (name, headline, photo URL)
- OAuth authentication tokens (encrypted at rest)
- References to posts published through CoachCraft
- Engagement statistics (views, likes, comments, reposts)
For full details on LinkedIn OAuth scopes, stored data, and disconnection, see section 7.
2.4 Generated content
- AI-generated content ideas
- Personalized content variants
- Customized and edited texts
- Carousel and quote images
- Scheduled and published posts
2.5 Images
- Images you upload for use in posts
- Carousel and quote templates
2.6 Usage data
- Login timestamps
- AI usage metrics (for cost management, not linked to content)
- Page visits and navigation within the App (via PostHog analytics, only with your consent)
- Device and browser information (type, version)
- Error reports and crash data (via Sentry, for debugging and service reliability)
3. Why do we collect this data?
| Data | Purpose | Legal basis |
|---|---|---|
| Account data | Creating and managing your account, login | Contract performance |
| Profile data | Personalizing AI-generated content | Contract performance |
| LinkedIn data | Displaying your profile in previews, posting to LinkedIn, showing statistics | Consent |
| Generated content | Delivering the service, storing your content | Contract performance |
| Images | Adding to posts, storing in your library | Contract performance |
| Usage data (server-side) | Service operation, AI cost management | Legitimate interest |
| Analytics cookies (PostHog) | Usage insights, improving the App | Consent |
4. Data minimization
We collect only the minimum data necessary to provide the CoachCraft service. Specifically:
- We request only the LinkedIn OAuth scopes strictly needed for the features you use (profile display, posting, and analytics).
- We do not access your LinkedIn connections, messages, or email address.
- Where possible, data is processed locally in your browser (e.g., image editing, content previews) rather than being sent to our servers.
- We do not build profiles of you for advertising or sell your data to any third party.
5. AI processing
The App uses artificial intelligence (AI) from OpenAI and Google (Gemini) to generate content. This means:
- What is sent: Your tone of voice profile (including text derived from voice recordings, if you use that feature), ideal client profile, and personal stories are sent to OpenAI and/or Google Gemini to generate personalized content.
- Voice recordings: If you use the optional voice profile feature, your audio recording is sent to ElevenLabs for transcription. The transcribed text is then processed by AI into your tone profile. The original audio recording is permanently deleted immediately after transcription — we only store the resulting text.
- Where: OpenAI and Google process data in the United States.
- Security: The transfer is secured via Standard Contractual Clauses (SCCs) in compliance with the GDPR.
- No training: Your data is not used to train AI models. We use the OpenAI API with zero data retention and the Google Gemini API with equivalent data protection terms.
6. Sub-processors
We use the following service providers to operate CoachCraft:
| Service | Function | Location |
|---|---|---|
| Supabase | Database, authentication, storage | US East |
| OpenAI | AI content generation | United States |
| Google (Gemini) | AI content generation and analysis | United States |
| LinkedIn (Microsoft) | OAuth, posting, statistics | US/EU |
| Vercel | Hosting, edge functions | EU/US |
| Stripe | Payment processing (planned) | US/EU |
| PostHog | Product analytics (consent-based) | EU (Frankfurt) |
| ElevenLabs | Voice recording transcription (optional voice profile feature) | US |
| Sentry | Error monitoring and crash reporting | EU/US |
We may add or change sub-processors as the service evolves. Significant changes will be communicated via email or in-app notification.
7. LinkedIn integration
7.1 OAuth scopes and purpose
When you connect your LinkedIn account, we request access to the following scopes via LinkedIn's OAuth 2.0 authorization flow:
- r_basicprofile — Display your name and profile photo in content previews within CoachCraft.
- w_member_social — Publish posts to LinkedIn on your behalf. A post is only published when you explicitly click "Publish" or schedule it.
- r_member_postAnalytics — Retrieve engagement metrics (views, likes, comments, reposts) for posts published through CoachCraft.
- openid — Standard OpenID Connect scope for authentication.
7.2 What we store
- Your LinkedIn member URN and profile data (name, headline, photo URL)
- OAuth access and refresh tokens, encrypted at rest in our database
- URN references to posts published through CoachCraft
- Engagement statistics of those posts
7.3 No sharing of LinkedIn data
7.4 Token management
LinkedIn OAuth tokens are stored encrypted in our database. Access tokens are automatically refreshed as needed. Tokens are immediately deleted when you disconnect your LinkedIn account.
7.5 Disconnecting
You can disconnect your LinkedIn account at any time via Settings > LinkedIn. Upon disconnection:
- Your OAuth access and refresh tokens are immediately deleted from our database
- Your LinkedIn profile data (name, photo URL) is deleted
- A record of posts published through CoachCraft is retained (without LinkedIn tokens)
For complete revocation, we recommend also revoking access via LinkedIn: LinkedIn > Settings > Data and Privacy > Other Applications.
8. Retention periods
| Data | Retention period |
|---|---|
| Account data | Up to 30 days after account deletion (for recovery), then permanently deleted |
| Financial data | 7 years after end of agreement (Dutch legal obligation) |
| Generated content | Until you delete it or terminate your account |
| LinkedIn tokens | Until disconnection or token expiry (60 days) |
| LinkedIn statistics | Until you terminate your account |
| Personal stories | Until you delete them or terminate your account |
9. Security
We take appropriate technical and organizational measures to protect your data:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Encrypted storage of passwords (bcrypt) and OAuth tokens
- Row Level Security at database level (each user can only access their own data)
- Role-based access control and session-based authentication
- Regular security updates and dependency auditing
10. Cookies and tracking
The App uses the following categories of cookies and local storage:
Essential (always active)
These are required for the App to function and cannot be disabled.
| Cookie / storage | Purpose | Retention period |
|---|---|---|
| Supabase auth cookies | Login and session management | Until logout or 7 days |
| coachcraft:cookie-consent (localStorage) | Remembering your cookie preference | Until you clear it |
Analytics (consent required)
These cookies are only set if you accept analytics via the cookie consent banner.
| Cookie / storage | Purpose | Retention period |
|---|---|---|
| PostHog analytics cookies | Product analytics and App improvement | 1 year |
PostHog analytics are processed within the EU (Frankfurt). We use analytics solely to understand how the App is used and to improve it. We do not use this data for advertising or share it with third parties.
You can change your cookie preference at any time using the button below or in your browser settings.
11. International data transfers
CoachCraft is operated by a Dutch company, but some of our sub-processors are based in the United States. Specifically:
- Supabase (database, authentication) — US East
- OpenAI (AI content generation) — United States
- Vercel (hosting) — EU/US
- ElevenLabs (voice transcription) — United States
For transfers from the EU/EEA to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, as well as the recipient's own data protection commitments. We regularly review these safeguards to ensure adequate protection of your personal data.
12. Your rights
Under the GDPR, you have the following rights:
- Access: You can request to see what data we hold about you
- Rectification: You can have incorrect data corrected
- Erasure: You can have your data deleted
- Restriction: You can have the processing of your data restricted
- Portability: You can request your data in a common, machine-readable format
- Objection: You can object to processing based on legitimate interest
- Withdraw consent: Where processing is based on consent (analytics, LinkedIn), you can withdraw it at any time
How can you exercise your rights?
- In the App: You can view, modify, and delete much of your data yourself via Settings
- Via email: Send a request to support@coachcraft.io
We will respond to your request within 30 days.
Additional rights for California residents (CCPA/CPRA)
If you are a California resident, you additionally have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale or sharing of your personal information (we do not sell or share your data — see section 14)
- Not be discriminated against for exercising your privacy rights
To exercise these rights, email support@coachcraft.io or use the self-service options in the App.
Filing a complaint
If you believe we are not handling your data correctly, you have the right to file a complaint with a supervisory authority. For EU residents, the lead authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): www.autoriteitpersoonsgegevens.nl
You may also contact your local data protection authority.
13. Children's privacy
CoachCraft is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
In compliance with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13.
14. Do Not Sell or Share
We do not sell your personal information. We do not share your personal information with third parties for their own marketing purposes. This applies to all users, including California residents under the CCPA/CPRA.
The only third parties that receive your data are the sub-processors listed in section 6, and only to the extent necessary to provide the CoachCraft service.
15. Account deletion
You can delete your account by:
- Contacting us via support@coachcraft.io
- Or (if available) via the account settings in the App
Upon deletion:
- Your account will be fully deleted within 30 days
- You can request recovery within those 30 days
- Financial data is retained for 7 years (Dutch legal obligation)
16. Changes
We may modify this privacy policy. In case of significant changes, we will inform you via email or a notification in the App. The current version is always available in the App.
17. Contact
Do you have questions about this privacy policy or about how we handle your data?
Maak Jouw Impact B.V.
CoachCraft
Industrieweg 9
2254 AE Voorschoten, the Netherlands
Email: support@coachcraft.io
