Legal

Privacy policy

Draft for legal review. This is a substantive draft, not filler text — but it has not yet been reviewed by a solicitor, and it references an entity name and address that you still need to finalise (see “Who we are” below). Do not publish this as your live policy until both are done.

Last updated: 12 July 2026

In plain English
  • We collect your name, email, phone and coaching business details to run your account. Rosta has no dedicated field for health or medical information, and we ask you not to record special-category data about your clients in the app's general notes fields.
  • When you use Rosta to manage your own clients, you're in charge of that data (the “controller”) — we just process it for you (the “processor”), under a separate Data Processing Agreement.
  • We never sell personal data, and we only share it with the specific service providers that make Rosta work (listed below).
  • You can access, correct, export or delete your data at any time — email us and we'll act on it.

1. Who we are

Rosta is a product of [YOUR FULL LEGAL NAME], trading as TRNDSTTR (a sole trader), of [ADDRESS FOR SERVICE — see note below] (“Rosta”, “we”, “us”). We are the controller of the personal data described in this policy, for the purposes of UK GDPR and the Data Protection Act 2018.

Note on the address: as a sole trader trading under a name other than your own, UK law requires a real name and an address for service to be disclosed — but that address does not have to be your home. A Royal Mail PO Box, a virtual office / registered-agent address, or your accountant’s address (with their agreement) all satisfy this and keep your home address private.

Contact us about privacy at rosta@trndsttr.co.uk.

2. Scope of this policy

This policy covers personal data we collect and control directly: about visitors to this website, people who register interest, and coaches who hold an account (“you”).

It does not cover the data you, as a coach, collect about your own clients inside the app. For that data, you are the controller and we are your processor — see our Data Processing Agreement and Security & GDPR page, which explain how that data is protected.

3. What we collect

When you register interest or contact us: your name, email address, what you coach, and any message you send.

When you hold an account: your name, email, phone number, business name, sector, chosen app appearance, and the services/pricing/clients/sessions/payment records you enter to run your coaching business.

Billing: subscription plan and status. Card details are entered directly with Stripe and never reach our servers — see clause 6.

Automatically: basic technical logs (e.g. sign-in activity, error logs) needed to run and secure the service.

Rosta has some general free-text fields (such as client and session notes) for running your practice, but no dedicated field for health, medical or other special-category information (e.g. injuries, medical conditions), and we ask you not to enter that kind of information — about you or your clients — into any free-text field. If you need to record it, please keep it outside Rosta, in a system designed for it. Anything you do type into free-text fields is data you control as the “controller” (see our Data Processing Agreement).

4. Why we use it, and our legal basis

  • To provide the service (run your account, sync your data, send session reminders you configure) — necessary to perform our contract with you.
  • To take payment and manage your subscription — necessary to perform our contract with you.
  • To respond to enquiries and provide support — our legitimate interest in running the business, and/or performing our contract with you.
  • To tell you about Rosta (e.g. product updates, early-access invitations) if you've registered interest or hold an account — our legitimate interest in reasonable, low-volume marketing; you can opt out at any time.
  • To keep the service secure and improve it — our legitimate interest in operating a reliable, secure product.
  • To meet legal obligations, e.g. tax and accounting records.

5. Who we share it with

We share personal data only with the service providers that operate Rosta on our behalf, under contract, and never for their own marketing purposes:

  • Supabase — database, authentication and secure backend hosting.
  • Netlify — hosting for this website and the Rosta app.
  • Resend — sending transactional emails (e.g. session reminders, account emails).
  • Stripe — payment processing and subscription billing. Stripe acts as an independent controller for its own regulatory (e.g. anti-fraud, financial) obligations — see Stripe’s own privacy policy.

We do not sell personal data, and we do not share it with third parties for their own advertising purposes.

6. Payments

Card payments are handled entirely by Stripe via its hosted checkout. We never see or store your full card number — only your subscription status and plan.

7. International data transfers

Your account data and your Clients’ data is hosted with Supabase in the London (UK) region, and reminder emails are sent via Resend from the Ireland (EU) region — both within the UK/EEA. Netlify hosts our application code and website assets, but does not store your personal data at rest. Where any provider processes data outside the UK/EEA (for example, Stripe operates internationally as part of running its payment network), we rely on appropriate safeguards recognised under UK GDPR — such as the UK International Data Transfer Addendum or an applicable adequacy decision — to protect it to the same standard.

8. How long we keep it

While your account is active, we keep your data so the service works. If you close your account, we delete your personal data from our active systems within 30 days, and from encrypted backups within a further 60 days, except where we must keep limited records for legal, tax or dispute-resolution purposes (such as billing history), which we keep for up to 6 years as required by UK law.

9. Children

Rosta’s own users are coaches, who must be 18 or over. If a coach adds a client who is under 18 to their workspace (e.g. a young athlete), the coach — not Rosta — is responsible for having the appropriate parental or guardian consent and for complying with any additional obligations that apply to that client’s data. We do not knowingly collect personal data directly from children.

10. Cookies and analytics

This website uses only the cookies or local storage strictly necessary for it to function (e.g. remembering your chosen appearance). If we introduce analytics in future, we will use privacy-friendly, non-invasive tools and update this policy — and add a cookie banner first if that ever becomes necessary.

11. Security

We protect personal data with encryption in transit and at rest, database-level access controls that isolate every coach’s data, and hosted authentication. See our Security & GDPR page for detail.

12. Your rights

Under UK GDPR, you have the right to:

  • be informed about how your data is used (this policy);
  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased, in certain circumstances;
  • restrict or object to certain processing;
  • receive your data in a portable format; and
  • withdraw consent at any time, where we rely on consent.

To exercise any of these rights, email rosta@trndsttr.co.uk. You also have the right to complain to the UK Information Commissioner’s Office (ico.org.uk).

13. Changes to this policy

We may update this policy as Rosta evolves. We’ll change the “last updated” date above, and tell registered coaches directly about any material change.

14. Contact

Questions or concerns? Email rosta@trndsttr.co.uk.