Privacy & security

What we do to keep this safe.

The conversations you have here are some of the most personal you’ll have anywhere. Here’s exactly what’s in place to protect them — in plain language.

Encrypted in transit

Every page, message, and upload uses TLS 1.3. Nothing between your device and the app travels in the clear.

Encrypted at rest

Messages, journal entries, notes, and uploaded files are stored with AES-256 encryption at the database and storage layer.

Payments never touch us

Card details go straight from your browser to Stripe. We never see or store them — that's Stripe's job, and they're audited for PCI-DSS continuously.

Row-level data isolation

Postgres row-level security walls each client's records off at the database layer. Another client's queries physically cannot return yours.

Tamper-evident agreements

When you sign a coaching agreement, the document is hashed (SHA-256) and the signature is logged with timestamp, IP, and user agent. The PDF certificate is immutable and stored independently.

What we don't do

We don't sell your data. We don't share it with advertisers. We don't train third-party AI models on it. The list of vendors we use is small and named below.

Confidentiality

What I won’t share.

What you tell me in sessions, in messages, and in your journal stays between us. I don’t share names, stories, or details with other clients, with marketing, or with anyone you haven’t explicitly approved. This is bound in your signed coaching agreement and it’s how I do this work.

One exception: if I ever form a reasonable belief that you’re in immediate danger of harm — to yourself or someone else — I’ll reach out to you and, if needed, emergency services. The exact language is in your coaching agreement.

Coaching is not therapy.

This matters legally. Practice is not HIPAA-covered because coaching is not a clinical health service. If you’re working through a clinical mental-health concern, that’s important and worth real care — I can help you find it. But the records here aren’t subject to medical-record law, and I want to be plain about that.

If you’re in crisis: in the US, call or text 988(Suicide & Crisis Lifeline). Outside the US, contact your local emergency services.

TLS 1.3
AES-256
PCI-DSS via Stripe
Row-level security
What we collect

Account information (name, email, password hash, optional pronouns and timezone), payment information (handled by Stripe — we never see card numbers), and the work product of our engagement: session bookings, messages you send, journal entries you choose to share, worksheet and form responses, and notes I take.

How we use it

To deliver coaching: scheduling, session reminders, secure messaging, credit tracking, and the record-keeping you would expect of an ongoing professional relationship. We also use it for billing and tax records, and — in aggregated, non-identifying form — to improve the service.

Where it's stored

Your data lives in a Supabase Postgres database hosted in the United States, encrypted at rest. Files you upload are stored in Cloudflare R2 with auth-gated access — every download is gated by a server-side permission check. Payment data is held by Stripe under their PCI-DSS compliance.

Third parties

The service uses a small number of vendors, each scoped to a specific purpose:

  • Stripe·Payments, subscriptions, refunds
  • Supabase·Database, authentication
  • Cloudflare R2·File storage (course content, signed PDFs, uploads)
  • Resend·Transactional email and inbound message bridging
  • Zoom·Video sessions
  • Vercel·Web hosting and analytics
Your rights

You can request a copy of your data or deletion of your account at any time by emailing hello@zachdornisch.com. We will retain the minimum required for tax and legal compliance (typically seven years for invoices and signed agreements) and confirm the rest is gone within 30 days. You can correct or update your profile information yourself from your account settings.

Cookies & analytics

We use a small set of essential cookies for authentication and session state. We use privacy-respecting analytics (Vercel Analytics) that does not set tracking cookies and does not share data with advertisers. We do not use Google Analytics, Meta pixels, or similar.

Sessions, recordings, and notes

Coaching sessions are confidential between you and me. If a session is recorded for your own reference, I’ll tell you before we start and the recording is yours — stored alongside the session in your account.

I use Zoom AI Companion — its built-in transcription and meeting-summary features — by default in our sessions, so I can stay present with you rather than splitting my attention between you and my notes. You’ll see a banner in the meeting whenever it’s running. If you’d rather we run without it, just tell me — at the start of a session or in advance — and I’ll turn it off, no reason needed.

The AI output is for me. It doesn’t get filed into your record in this app, and I don’t share it. After our session I pull what matters — action items, themes worth carrying forward, anything I need for continuity — into your file here, then delete the Zoom transcript.

You can ask to see what I have in your file anytime.

Changes to this policy

If this policy changes in a way that affects how your data is handled, you’ll get an email with at least 14 days’ notice before the change takes effect.

Contact

Questions about this policy or how your information is handled? hello@zachdornisch.com. I read every message myself.

Last updated: May 2026.