
Coach Privacy Policy

Saturday Coach Portal — Effective April 27, 2026

This Coach Privacy Policy is an addendum to the App Privacy Policy and the Website Privacy Policy. It describes additional data processing that occurs when a coach uses the Saturday Coach Portal at coach.saturday.fit and when an athlete consents to share data with a coach. Where this addendum is silent, the App Privacy Policy and Website Privacy Policy govern.

1. Purpose and Scope

The Saturday Coach Portal ("Portal") enables coaches and organizations to manage athlete rosters, view compliance data, create and edit activities, adjust nutrition settings, and bill athletes through Stripe Connect. This addendum covers the data flows specific to these coach-facing functions.

Throughout this policy, "you" and "your" refer to the coach or organization administrator using the Portal. "Athlete" refers to the individual whose data is accessed through the Portal. "Saturday," "we," "us," and "our" refer to Saturday Inc.

2. Data Controller, Processor, and Independent Controller Framework

Data protection law assigns specific roles — controller, processor, and joint controller — to the parties involved in processing personal data. Under GDPR Article 4(7), a controller is the entity that determines the purposes and means of processing. A processor processes data on behalf of and under the instructions of a controller. These are functional concepts: the actual relationship, not the label in a contract, determines the role. The framework below reflects Saturday's analysis under EDPB Guidelines 07/2020 on the concepts of controller and processor.

Saturday as Controller

Saturday Inc. is the data controller for all athlete personal data stored in Saturday's systems, including Firestore databases, Firebase Authentication records, Cloud Functions processing, and associated infrastructure. Saturday determines the purposes and means of processing this data: providing personalized nutrition and hydration recommendations, maintaining account integrity, and operating the platform.

Data Controller: Saturday Inc.
8 The Green, STE A, Dover, DE 19901
Contact person: Alex Harrison
Contact email: support@saturdaymorning.fit

When a Coach Acts as a Limited Processor

When you access athlete data solely within the Portal for the purpose of viewing compliance indicators, reviewing activity history, or adjusting settings within the Portal interface, you are acting as a limited processor under Saturday's terms. In this capacity, you are accessing data that Saturday controls, for purposes Saturday defines (enabling coach-athlete coaching relationships), using means Saturday provides (the Portal). You do not independently determine why or how this data is processed — Saturday does.

When a Coach Becomes an Independent Controller

When you take athlete data beyond the Portal's boundaries, you become an independent controller for that processing. This includes, but is not limited to:

  • Using athlete data to develop coaching plans, programs, or assessments outside Saturday
  • Communicating athlete data to third parties (other coaches, medical professionals, team staff) outside the Portal
  • Entering athlete data into third-party tools, spreadsheets, or coaching platforms
  • Retaining notes, screenshots, or records of athlete data outside Saturday's systems
  • Using athlete data for your own business analytics, marketing, or promotional purposes

As an independent controller, you bear your own obligations under applicable data protection law (including, where applicable, GDPR Articles 5, 6, 13, 14, and 30) for that processing. Saturday is not responsible for your compliance as an independent controller. This distinction is consistent with EDPB Guidelines 07/2020, which recognize that professional service providers who exercise independent judgment about data use are controllers for that processing, regardless of how the underlying data was originally obtained.

Why This Is Not Joint Controllership

Saturday and the coach do not jointly determine the purposes and means of any single processing activity. Saturday determines how the platform operates; the coach determines how to use data they take outside the platform. These are separate processing activities with separate purposes, not a common processing operation. Accordingly, this arrangement does not constitute joint controllership under GDPR Article 26.

Stripe Connect Billing Data

For billing data processed through Stripe Connect, you are the data controller for your own Stripe Connect account and your billing relationships with athletes. Saturday facilitates the connection and collects a platform fee, but you — not Saturday — are the merchant of record. You determine your rates, billing terms, and refund policies. Your processing of billing data is governed by Stripe's Privacy Policy and Stripe's Connected Account Agreement.

Data Processing Agreement

Saturday makes a Data Processing Agreement available for coaches who have athletes in the European Economic Area, United Kingdom, or Switzerland, or who otherwise require a formal DPA. The DPA covers Saturday's processing of athlete data on behalf of the coach in their capacity as controller for the purposes described above.

3. What Coaches Can Access

When an athlete grants you access, you gain read and write permissions to the following data categories, enforced at the database level through Firestore Security Rules:

Profile Information

  • Display name — read and write
  • Email address — read only (coaches cannot modify)
  • Firebase UID — read only
  • Insider/early adopter flags — read only
  • All other profile fields — read and write, including but not limited to weight, sex, year of birth, sweat profile (sweat level, saltiness), fueling profile and concerns, activity-related profile data, sport preferences, and fitness level

Health and Biometric Data

  • Body data: weight, sex, year of birth
  • Sweat profile: sweat level, saltiness
  • Fueling profile: eating disorder flag, weight loss preference, fitness level, satiety, cravings, carb intake range, usual carb consumption
  • Fueling concerns: gut distress, cramps, faintness, heat tolerance, hunger, thirst, drinking resistance, performance concerns

Coaches have read and write access to all health and biometric data listed above. This access is broader than what the athlete consent dialog summarizes as "Adjust nutrition settings." We disclose this here for full transparency.

Activities

Coaches have full create, read, update, and delete access to an athlete's activities, including: activity type, duration, intensity, thermal stress, nutrition consumed during activity, notes, and ratings.

Products

Coaches have full create, read, update, and delete access to an athlete's products subcollection, including custom products created by the coach for the athlete and product preferences.

Subscription and Coverage Status

  • Whether the athlete has an active Saturday subscription — read only
  • Coverage source (self-paid, coach-included, organization-included) — read only
  • Coverage tier — read only

Real-Time Compliance Indicators

  • Activity recency indicators (red, yellow, green status dots)
  • Activity counts over recent periods
  • Days since last activity

Compliance indicators are computed in real time and are not stored as persistent records.

4. What Coaches Cannot Access

The following data categories are explicitly denied to coaches, enforced by Firestore Security Rules at the database level:

  • Integration tokens: OAuth tokens for TrainingPeaks, Intervals.icu, and other third-party integrations. These tokens authenticate as the athlete on third-party services. Coaches cannot read, write, or enumerate them.
  • Purchase records: The athlete's payment history, transaction records, and purchase details. Purchase data is readable only by the account owner.
  • Payment method details: Credit card numbers, billing addresses, and payment instruments are handled entirely by Apple, Google, or Stripe and are never stored in Saturday's database.
  • Authentication credentials: Passwords, password hashes, and authentication tokens.
  • Data from non-consenting athletes: A coach can only access data for athletes who have an active relationship with that specific coach. Firestore Security Rules verify the coach-athlete relationship status on every request.
  • Other coaches' relationships: A coach cannot see which other coaches an athlete has relationships with, or access data through those other relationships.

5. Default-Permissive Access Control

Saturday's per-relationship access control system uses seven permission keys: view_profile, view_activities, create_activities, edit_activities, edit_settings, view_products, and view_ai_insights.

Important: If a permission key is absent from the relationship's access control list, the system treats it as permitted. This means newly created coach-athlete relationships grant broad access by default unless an athlete has explicitly restricted specific permissions.

Athletes can review and restrict individual permissions at any time through Settings > My Coaches in the Saturday app. We encourage athletes to review their coach's permissions after establishing a relationship. We disclose this default-permissive design here because we believe athletes should understand how access works before relying on assumptions about what their coach can or cannot see.

6. How Athletes Consent to Coach Access

Athletes grant coach access through one of three entry paths:

Case A: Coach-Created Account

A coach may create an athlete account on the athlete's behalf by entering the athlete's email address, name, sex, date of birth, weight, sweat profile, sports, and fitness level. The coach may use either the Quick Setup (eight core fields) or Full Onboarding (twenty-five or more onboarding pages) flow.

Disclosure: When a coach creates an athlete account on the athlete's behalf, the coach represents to Saturday that the athlete has consented to the creation of the account and to the coach's access to the data entered. Saturday relies on this representation. No independent verification of athlete consent occurs at the time of account creation. Athletes should review their account upon first login and may revoke coach access at any time.

Case B: Coach Invitation

A coach enters the athlete's email address, and Saturday sends an invitation email. The athlete must affirmatively accept the invitation through a consent dialog in the Saturday app. The consent dialog displays:

What your coach can do:

  • View activities
  • View profile
  • Create activities
  • Adjust nutrition settings
  • Chat with Saturday AI about your data

What your coach cannot do:

  • Delete account
  • Change email
  • Access payment info
  • Make purchases

The dialog includes a "You're in control" reminder: "You can remove your coach at any time from Settings > My Coaches."

The athlete may accept or decline. Declined invitations are recorded and the coach is notified.

Case C: Coach-to-Coach Transfer

An athlete may be transferred from one coach to another via a deep link and transfer code. When a transfer is completed, the source coach's relationship is revoked and the target coach gains access. Activities and custom products created during the prior coaching relationship are migrated with the athlete's account to ensure continuity of the athlete's historical data.

7. How Athletes Revoke Coach Access

Athletes may revoke coach access at any time through Settings > My Coaches in the Saturday app. Revocation takes effect immediately: the coach loses Firestore access on the next database request.

When access is revoked:

  • The coach-athlete relationship status is set to "revoked" and a revocation timestamp is recorded
  • The coach can no longer read the athlete's profile, activities, products, or settings
  • Activities, products, and other data created by the coach during the relationship remain in the athlete's account
  • Historical audit log entries pertaining to the relationship are retained (see Section 12)

Limitation: Revocation removes the coach's access to Saturday's systems. It does not retroactively withdraw data the coach may have already seen, downloaded, recorded in notes, or entered into external tools. Once data has left Saturday's platform, Saturday cannot control it. If you have concerns about a coach's use of your data outside Saturday, you should address those concerns directly with the coach.

8. Sub-Processors

Saturday uses the following sub-processors to operate the Coach Portal. Each sub-processor receives only the data necessary to perform its function.

Sub-Processor | Purpose | Data Shared | Location
Google Cloud Platform (Firebase, Firestore, Cloud Functions, Secret Manager) | Data storage, authentication, hosting, serverless compute | All Coach Portal data including profiles, activities, relationships, audit logs | United States (us-central1)
Stripe, Inc. | Payment processing via Stripe Connect | Coach identity and banking information (KYC), athlete payment methods, charge amounts, billing arrangement metadata | United States
Brevo (formerly Sendinblue) | Transactional email (organization invites, billing notifications, impersonation alerts) | Coach email address, content of transactional emails | European Union
Klaviyo, Inc. | Marketing email (coach onboarding sequences, product updates) | Coach email, name, tier, sport profile | United States
Cloudflare, Inc. | Edge hosting, CDN, DNS for coach.saturday.fit | Request metadata (IP address, HTTP headers) | Global edge network

Saturday will provide at least 30 days' written notice before engaging a new sub-processor for Coach Portal data. Coaches who have executed a Data Processing Agreement may object to a new sub-processor during a 14-day objection window following notice.

9. Saturday's Data Practices

We state the following unequivocally:

  • Saturday does not sell coach personal data.
  • Saturday does not sell athlete data accessed through the Coach Portal.
  • Saturday does not use Coach Portal data for advertising.
  • Saturday does not share Coach Portal data with data brokers.
  • Saturday does not use Coach Portal data for purposes unrelated to providing and improving the coaching service.

10. Legal Basis for Processing (GDPR)

Where the GDPR applies, Saturday processes personal data in connection with the Coach Portal under the following legal bases:

  • Contract performance (Article 6(1)(b)): Processing coach account data, athlete relationship records, billing data, and compliance metrics is necessary to provide the Coach Portal service you signed up for.
  • Consent (Article 6(1)(a) and Article 9(2)(a)): Athletes consent to sharing health and biometric data with their coach through the consent mechanisms described in Section 6. Athletes may withdraw consent at any time by revoking coach access.
  • Legitimate interest (Article 6(1)(f)): Audit logging, fraud prevention, platform security monitoring, and aggregated analytics serve Saturday's legitimate interest in maintaining a secure and reliable service. We have balanced these interests against data subject rights and concluded that these processing activities are proportionate and expected.
  • Legal obligation (Article 6(1)(c)): Retention of billing and financial records as required by applicable tax and accounting law.

11. Automated Decision-Making

The Coach Portal uses algorithms to compute real-time compliance indicators (activity recency dots, activity counts) and to generate aggregated organizational metrics. These computations summarize raw data for display purposes. They do not produce decisions with legal effects or similarly significant effects on athletes or coaches. Coaches exercise their own professional judgment about how to act on the information presented.

12. Audit Logging

All coach actions within the Portal are recorded in an append-only audit log. This includes, but is not limited to: roster changes, billing actions, impersonation events, terms of service acceptance, role assignments, session management, privacy requests, and API key management. Saturday maintains over 40 auditable action types.

Each audit log entry captures:

  • Actor UID (who performed the action)
  • Action type
  • Target (what was affected)
  • IP address and User-Agent
  • Timestamp
  • Before and after state, where applicable
  • Whether the action was performed while impersonating another user, and if so, the impersonation justification

Audit log entries are append-only and are never updated or deleted. They are retained indefinitely. Saturday relies on GDPR Article 17(3)(b) (establishment, exercise, or defense of legal claims) and Article 17(3)(e) (defense of legal claims) as the lawful basis for retaining audit log entries beyond what would otherwise be required under the right to erasure. We acknowledge that this position may be subject to evolving regulatory guidance and will update our retention practices if required.

Coaches and organization administrators can view audit log entries pertaining to their organization through the Portal's Audit Log page, with search and CSV export capabilities.

13. Impersonation

Organization administrators, head coaches, and Saturday staff with impersonation permission may impersonate users within their organization for legitimate administrative and support purposes. Impersonation is subject to the following controls:

  • Justification required: A free-text justification must be provided before impersonation begins. Empty justifications are rejected.
  • Time-limited: Impersonation sessions automatically expire after 30 minutes.
  • Fully logged: Both the start and end of every impersonation session are recorded in the audit log, including the actor, target, justification, IP address, and User-Agent.
  • Scoped: Impersonation does not grant access beyond what the impersonated user already has.
  • Notification: Brevo email notification to the impersonated user is in development. As of this policy's effective date, impersonated users are not yet notified in real time. Saturday intends to enable this notification and will update this policy when it is active.

Saturday staff impersonation is used for support purposes and is not used for billing, purchasing, or accessing payment information.

14. Silent Grace Period

When an athlete's coverage source changes — for example, because a coach downgrades their tier, an organization is dissolved, or a billing arrangement ends — the athlete enters a 14-day grace period during which they retain full access to Saturday.

Disclosure: During this grace period, no user-facing notification is sent to the athlete at the start or end of the grace window. If no replacement coverage is established within 14 days, the athlete's access lapses silently. We disclose this because we believe athletes should understand that coverage changes may not be immediately visible to them.

15. Organization Hierarchy and Data Visibility

For coaches operating within an organization (Head Coach, Business, or Enterprise tiers):

  • Parent organizations can read data for descendant organizations they created, including member rosters, roles, and aggregated metrics.
  • Child organizations cannot read parent organization data.
  • Organization administrators can view the member roster, roles, billing arrangements, financial summaries, and audit logs for their organization.
  • Aggregated compliance and financial metrics roll up the organization hierarchy.

16. Data Retention

We retain Coach Portal data for the following periods:

Data Category | Retention Period | Basis
Coach account data | Duration of account + 30 days | Contract performance; account closure cleanup
Athlete-coach relationship records | Duration of relationship + 90 days | Dispute resolution; legal claims defense
Audit log entries | Indefinite | GDPR Art. 17(3)(b) and (e); legal claims
Billing and financial records | 7 years after transaction | Tax and financial regulatory requirements
Compliance indicators | Not stored (computed in real time) | N/A
Stripe Connect account data | Subject to Stripe's retention policy | Independent of Saturday's retention
Impersonation session records | Indefinite (part of audit log) | Security; legal claims defense

Once a retention period expires, personal data is deleted. Saturday does not retain personal data beyond the stated periods unless required by law.

17. Data Subject Rights

Athletes whose data is accessed through the Coach Portal retain the same rights described in the App Privacy Policy, including the rights to access, correction, deletion, portability, restriction of processing, objection, withdrawal of consent, and the right to lodge a complaint with a supervisory authority.

For Athletes

If your data is accessed by a coach through the Portal and you wish to exercise a data subject right, contact Saturday directly at support@saturdaymorning.fit. Saturday is the controller for data stored in its systems and will respond to your request. You do not need to go through your coach.

For Coaches

You may exercise rights over your own coach account data (profile, billing history, audit log entries where you are the actor) by contacting support@saturdaymorning.fit. For data you process as an independent controller outside Saturday's systems, you are responsible for responding to data subject requests under applicable law.

If an athlete contacts you directly with a data subject request relating to data stored in Saturday's systems, you may forward the request to Saturday. You are not obligated to fulfill such requests yourself for data Saturday controls.

Response Times

Saturday will respond to data subject requests within 30 days, or sooner if required by applicable law. These requests are free of charge. If we deny a request, we will explain why and inform you of your right to appeal.

18. International Data Transfers

Saturday stores Coach Portal data in the United States (Google Cloud, region us-central1). If you or your athletes are located outside the United States, data will be transferred to and processed in the US.

For transfers of personal data from the European Economic Area, United Kingdom, and Switzerland, Saturday relies on the following transfer mechanisms:

  • 2021 EU Standard Contractual Clauses — Module 2 (Controller-to-Processor) for Saturday's processing on behalf of the coach in their capacity as controller; Module 1 (Controller-to-Controller) where applicable.
  • UK International Data Transfer Addendum (2022) for transfers from the United Kingdom.

Saturday has conducted Schrems II transfer impact assessments and applies supplementary technical and organizational measures where appropriate, including encryption in transit and at rest, access controls, and audit logging.

Copies of the applicable Standard Contractual Clauses are available upon request by contacting support@saturdaymorning.fit.

19. Security Measures

Saturday implements the following technical and organizational measures to protect Coach Portal data:

  • Encryption in transit: TLS 1.3 for all API, web, and Portal traffic.
  • Encryption at rest: AES-256 via Google Cloud Platform default encryption for all stored data.
  • Access control: Firestore Security Rules enforce per-relationship, per-document access scoping. The Portal's role-based access control (RBAC) system enforces 23 granular permissions across 9 roles for administrative actions.
  • Audit logging: All administrative actions, data access events, and impersonation sessions are logged in an append-only audit log.
  • Multi-factor authentication: Available for all Portal users. Enforceable at the organization level for Enterprise tier, with configurable grace periods and allowed methods (TOTP, SMS).
  • Session management: Coaches can view active sessions, revoke individual sessions, or revoke all other sessions from the Portal settings.
  • Rate limiting: Per-tier request rate limits protect against abuse.
  • Breach notification: Saturday will notify affected coaches and athletes without undue delay and no later than 72 hours after becoming aware of a personal data breach that poses a risk to rights and freedoms, as required by GDPR Article 33. We will also notify relevant supervisory authorities as required by law.

20. Children's Data

The Coach Portal may be used by coaches who work with minors. When a coach creates an account for an athlete under the age of 16 (Case A in Section 6), the coach represents that they have obtained verifiable parental or guardian consent as required by applicable law, including GDPR Article 8, COPPA (for athletes under 13 in the United States), and equivalent laws in other jurisdictions. Saturday relies on the coach's representation. If Saturday becomes aware that an account has been created for a child without proper consent, Saturday will take steps to delete the data and may suspend the coach's access.

21. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify coaches via email and an in-app banner at least 14 days before the changes take effect. For non-material changes (clarifications, formatting, corrections), we will update this page and note the revision date.

Your continued use of the Coach Portal after the effective date of a material change constitutes acceptance. Where applicable law requires affirmative consent for a change, we will seek it before the change takes effect.

22. Definitions

  • Personal Data: Any information that directly or indirectly identifies or could identify a natural person, as defined in GDPR Article 4(1).
  • Health Data: Data related to the physical health, body measurements, or biometric indicators of an athlete, processed to provide fueling and hydration recommendations or to support coaching.
  • Data Controller: The entity that determines the purposes and means of processing personal data. See Section 2 for role assignments.
  • Data Processor: An entity that processes personal data on behalf of and under the instructions of a controller.
  • Independent Controller: A controller that determines its own purposes and means of processing, separate from any other controller involved in the data flow.
  • Sub-Processor: A third party engaged by Saturday to process personal data on behalf of a controller.
  • Coach Portal: The web application at coach.saturday.fit through which coaches manage athlete rosters, access athlete data, and administer billing.
  • Athlete: An individual whose personal data is accessed through the Coach Portal.
  • Coach: An individual or organization using the Coach Portal to manage athletes.
  • Relationship: The Firestore record linking a coach to an athlete, including the consent status and access control permissions.

Contact

For questions or requests regarding this document:
Saturday Inc.
8 The Green, STE A, Dover, DE 19901
support@saturdaymorning.fit

© 2026 Saturday Inc. — All rights reserved.
