HelloCoach® provides a unique software as a service product to Users globally, connecting them to professional coaches through a unique booking App. Security is a key component from the moment a User visits the App, through to the point where they make a booking and finally when they engage with their coach via a selected video portal. At all times, we strive to ensure that your Personal Information is secure, and many steps have been taken to provide the safest possible environment when it comes to data storage.

HelloCoach® (and its service provider partners), subscribe to the PoPI Act (and/or GDPR) and have aligned its own procedures, policies and conduct to the PoPI Act and GDPR guidelines, and should you wish to view our Privacy Policy, the link can be found in the footer of our website.

Organizational security

We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.

1.    Employee background checks

Each employee and coach undergo a process of background verification, and we have certain minimum criteria to which applicants must conform before being considered to be part of HelloCoach®.

2.    Security Awareness

Each employee and coach, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes after which further training is given. We provide training on specific aspects of security, that they may require based on their roles.

3.    Dedicated security monitoring

We have dedicated information security officer that implements and manages our security and privacy protocols. They engineer and maintain our defense systems, and regularly review processes for security upgrades.

4.    Internal audit and compliance

We have a dedicated tech team manager who reviews procedures and policies internally, and with partner service providers, ensuring they remain aligned to the HelloCoach® standards and protocols.

5.    Endpoint security

All workstations issued to HelloCoach® employees and coaches run up-to-date OS version and are configured with anti-virus software. They are configured such that they comply with our standards for security, which require all workstations to be properly configured, and the anti-virus of choice is PANDA These workstations each have secure access through passwords and get locked when they are idle.

6.    Workplace security

We control access to our resources (buildings, infrastructure and facilities), where accessing includes consumption, entry, and utilization, with the help of a sign in system.

The HelloCoach® CRM platform (back-end management system)

1.    Infrastructure security

1.1. Network security

Our network (CRM service provider’s) security and monitoring techniques provide multiple layers of protection and defense. They use firewalls to prevent our network from unauthorized access and undesirable traffic. Their systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting our CRM service provider’s production infrastructure.

Further to this they monitor firewall access with a strict, regular schedule. A network engineer reviews all changes made to the firewall every day. Additionally, these changes are reviewed every three months to update and revise the rules. The Network Operations Center team monitors the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using a proprietary tool and notifications are triggered in any instance of abnormal or suspicious activities in the production environment.

1.2. DDoS prevention

Our CRM service providers use technologies from well-established and trustworthy service providers to prevent DDoS attacks on their servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic, while allowing good traffic through. This keeps our website, App and APIs highly available and performing.

1.3. Data security

1.3.1.      Data isolation

Our framework distributes and maintains the cloud space for our customers. Each customer’s service data is logically separated from other customers’ data in a series of Modules and each contact having its own record. This ensures that no customer’s service data becomes accessible to another customer.

The service data is stored on our CRM service providers servers and our customers’ data is owned by you, and not by HelloCoach®. We do not share this data with any third-party without your consent.

1.3.2.      Encryption in the ecosystem

In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access, API access, our mobile apps, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred. Additionally, for email, our services leverage opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.

We have full support for Perfect Forward Secrecy (PFS) with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled HTTP Strict Transport Security header (HSTS) to all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site. Additionally, on the web we flag all our authentication cookies as secure.

At rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). The data that is encrypted at rest varies with the services you opt for. We own and maintain the keys using our in-house Key Management Service (KMS). We provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored in different servers with limited access.

2.    Data retention and disposal

We hold the data in your account as long as you choose to use HelloCoach. If you terminate your HelloCoach User account, your data will get deleted from the active database during the next clean-up that occurs once every 3 months. The data deleted from the active database will be deleted from backups after 3 months.

A verified and authorized vendor carries out the disposal of unusable devices. Until such time, we categorize and store them in a secure location. Any information contained inside the devices is formatted before disposal. We degauss failed hard drives and then physically destroy them using a shredder. We crypto-erase and shred failed Solid State Devices (SSDs).

3.    Administrative access

We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords and passphrase-protected SSH keys.

4.    Vulnerability management

Our CRM platform service providers have a dedicated vulnerability management process that actively scans for security threats using a combination of certified third-party scanning tools and in-house tools, and with automated and manual penetration testing efforts. Furthermore, their security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to spot security incidents that might affect the company’s infrastructure.

Once they identify a vulnerability requiring remediation, it is logged, prioritized according to the severity, and assigned to an owner. They further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.

5.    Malware and spam protection used by our CRM Platform service provider

They scan all user files using their automated scanning system that’s designed to stop malware from being spread through our ecosystem. Their custom anti-malware engine receives regular updates from external threat intelligence sources and scans files against blacklisted signatures and malicious patterns.

Incremental backups are run every day and weekly, full backups. All backed up data are retained for a period of three months. If a customer requests for data recovery within the retention period, we will restore their data and provide secure access to it. The timeline for data restoration depends on the size of the data and the complexity involved.

6.    Incident Management – Reporting

We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.

We respond to the security or privacy incidents you report to us through tech@hellocoach.co.uk , with high priority. For general incidents, we will notify users through our forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address of the Organisation administrator registered with us).

HelloCoach® App data storage and website hosting

1.    What do we collect?

  • Information which you upload to our service or otherwise give us such as your name, surname, age, city of residence, username, email address and other contact details such as “Rate you State” information, which our coaches use to assess your mental fitness prior to taking a coaching session.
  • Your billing address as well as the last four digits and expiry date of your credit card, which may be sent to us by our payment providers (If you are buying coaching sessions through the HelloCoach®)
  • Automated information such as the internet protocol (IP) address used to connect your device to the internet, connection information such as browser type and version, information about your device including device-type and device identifier, operating system and platform, mobile network data, a unique reference number linked to the data you enter on our system, login details, the site from which you arrived at our service, details of your activity with date / time stamps including pages you visited and your searches / transactions.
  • Personal information of your customers or others which you choose to store on our servers in connection with our supply of services.
  • HelloCoach® is not directed to children under eighteen (18) years of age and we do not knowingly collect Personal Information from children under 18. If we discover that a child under 18 has provided us with Personal Information, we will promptly delete such Personal Information from our systems.

2.    What’s our reason / legal basis for collecting the information?

  • Because it’s necessary to provide you with our services under our contract with you. In order to render a more meaningful and useful service to our User’s, their personal information is important in evaluating the emotional and mental status prior to executing a coaching session. Not also that we may use it for other purposes (such as email marketing) if you consent. These marketing messages may also be related to your profile and you can withdraw permission at any time as explained on our service or by emailing us at info@hellocoach.co.uk
  • To provide our service, e.g. send service messages, process payments, fulfil coaching sessions and notify Users of their up-coming coaching sessions.
  • Use it to recognise you when you visit or return to our service to track anonymised traffic and usage patterns, prevent or detect fraud or abuses and help us improve our service.
  • If you use someone else’s email address to share consoles, we will keep this information until you cancel sharing, at which point we will immediately delete it.

3.    What about cookies?

  • We and/or third parties use cookies and other tracking technologies on our website. A cookie is an identifier (a small file of letters and numbers) that is sent to your computer. Our website’s functionality will be limited if you configure your browser to reject cookies.
  • Cookies are widely used to make websites work, or work more efficiently, as well as to provide information to the website owner or others. Session cookies are temporary cookies that remain in the cookie file of your browser only until your browser is closed. They allow websites to link your actions during a browser session. Persistent cookies stay in the cookie file of your browser for longer (how long will depend on the lifetime of the specific cookie). For further information on cookies, including how to use your browser to block them and how to delete cookies already stored on your device, visit: allaboutcookies.org.
  • The following kinds of cookies may be used on this website:
    • Session cookies These enable us to keep track of your movement from page to page and store your selections so you do not get asked repeatedly for the same information. They allow you to proceed through many pages of the site quickly and easily without having to authenticate or reprocess each new area you visit. For example, a session cookie remembers your shopping cart selection so you will have the items you selected when you are ready to check out.
    • Operational cookies: We use persistent cookies (up to 12 months) to manage sessions on our service including to help with logging in and out and security as well as to track whether you visited us from an affiliate site.
    • Google cookies: Persistent cookies (up to four years we believe) are set in connection with the following Google services on our site and these cookies may involve certain information (such as your IP address and web address of the page you’re visiting) being sent to Google:

By continuing to use our website, having seen our cookie notice, we assume that you consent to use of the cookies outlined above.

4.    How long do we keep it?

  • We will generally delete your personal information when you delete your account (which you can request by emailing us at tech@hellocoach.co.uk).
  • We may keep some limited information for up to six years after your account is closed — for tax reasons and/or to help deal with any disputes. That timeframe may vary if we are legally required to keep information for a particular period. We will keep your information which we use for marketing until you tell us to stop sending you marketing messages (or your account is closed, if that happens sooner).

5.    To whom do we send or make available your personal information?

  • To other people who supply us with a service, e.g. website hosts, content delivery networks and businesses which help us send communications or monitor our website.
  • To the public, if you include personal information in a forum post (which will also display your username), testimonial or other public action on our service or if you include it in a website created via our service.
  • To the police or other relevant authorities or to complainants, if we think the personal information breaches our terms and conditions, or it is necessary to protect us or others, or that a criminal offence may have been committed, or where required by law or where requested by the police or other appropriate authorities.
  • To potential buyers so far as reasonably necessary, in the case of an actual or proposed (including negotiations for a) sale or merger or business combination involving all or the relevant part of our business.

6.    What happens to your payment details?

These go direct to our payment partners. We do not receive such information except as stated above. To ensure your details are not being used without consent, our payment partners may send your personal information to relevant third parties including credit reference and fraud prevention agencies, who may keep a record of that information.

7.    Do we send your information outside the European Union?

  • HelloCoach® uses Pythonanywhere.com EU-hosted service, and User’s personal information which we collect is stored within the EU and is not transferred to any third countries.
  • If you use PythonAnywhere.com, your personal data is transferred to the US by Amazon Web Services, which is certified under the EU-US Privacy Shield Framework. This provides certain safeguards in relation to the handling of your personal data. See here for more information.

HelloCoach® Calendar session booking system – Calendly®

HelloCoach® has integrated the Calendly® cloud Application into our CRM back-end system. Calendly is integrated into our system in order to secure and schedule coaching sessions between our coaches and Users.

The Calendly® Application and database servers are located in the United States.

If you are an individual located in the European Economic Area, the United Kingdom, Canada or another jurisdiction outside of the United States with laws and regulations governing personal data collection, use, and disclosure that differ from United States laws, please be aware that information Calendly collects (including through the use of methods such as Cookies and other web technologies) will be processed and stored in the United States or in other countries where we or our third-party Service Providers have operations. By using Calendly, you expressly consent to have your personal data transferred to, processed, and stored in the United States or another jurisdiction which may not offer the same level of privacy protection as those in the country where you reside or are a citizen.

In connection with the operation of its Website, Calendly may transfer your personal data to various locations, which may include locations both inside and outside of the European Economic Area. We process personal data submitted relating to individuals in Europe via the Standard Contractual Clauses.

1.    Log & Device data.

By using Calendly, our servers automatically record information (“log data”), including information that your browser sends whenever you visit our Website. This log data may include the web address you came from or are going to, your device model, operating system, browser type, unique device identifier, IP address, mobile network carrier, and time zone or location. Whether we collect some or all of this information often depends on what type of device you’re using and its settings. For example, different types of information are available depending on whether you’re using a Mac or PC, or an iPhone or an Android phone. To learn more about what information your device makes available to us, please check the policies of your device manufacturer or software provider.

2.    Other Web Site Analytics Services.

Subject to your opt-out preferences, Calendly use third-party Service Providers such as Google Analytics to provide certain analytics and Viewer interactions services to Calendly in connection with our operation of our Website, including the collection and tracking of certain data and information regarding the characteristics and activities of visitors to Calendly. You may opt-out of relevant cookies using opt-out features on Calendly’s respective websites.

3.    Use of your personal information in performing HelloCoach® the booking service

We do not sell your information to any third parties or disclose it in exchange for money or other valuable consideration. We do not share your Personal Data with others except as indicated within this Notice, or when we inform you and give you an opportunity to opt-out of having your Personal Data shared. We will never use Invitee/User data to send direct marketing via emails, SMS, physical mailings, or other similar communication channels to advertise or promote the use of our product and services or those of a third-party, without your consent, or if it is of material importance to do so in order to render the HelloCoach® service, or aspects of our service.

  • With third-party Service Providers, agents, contractors, or government entities:
    • We use other companies, agents or contractors (“Service Providers”) to perform services on our behalf or to assist us with providing services to you. We may engage Service Providers to provide services such as monitoring and developing HelloCoach® services; aiding in communications, infrastructure, and IT services; customer service; debt collection; analyzing and enhancing data. These Service Providers may have access to your personal or other information in order to provide these functions.
    • In addition, some of the above-listed types of information that we request may be collected by third-party Service Providers on our behalf. Sharing personal information may be done in order to enforce policies or contracts, address security breaches, and assist in the investigation of fraud, security issues, or other concerns.
    • We require Service Providers to agree to take reasonable steps to keep the Personal Data that we provide to them secure. We do not authorize them to use or disclose your Personal Data except in connection with providing their services.
    • When we disclose Personal Information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing your contract.

Conclusion

Customer controls for security.

Here are the things that you as a customer can do to ensure security from your end:

  • Choose a unique, strong password and protect it.
  • Use the latest browser versions, mobile OS and updated mobile applications to ensure they are patched against vulnerabilities and to use latest security features
  • Monitor devices linked to your account, active web sessions, and third-party access to spot anomalies in activities on your account and manage roles and privileges to your account.
  • Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that may exploit your sensitive information by impersonating HelloCoach® or other services you trust.

Security of your data is your right and a never-ending mission of HelloCoach®. We will continue to work hard to keep your data secure. For any further queries on this topic, write to us at tech@hellocoach.co.uk