Effective Date: June 17, 2026 · Version: 1.0
This Privacy Policy explains how Hubabble handles personal data when you visit our website, sign up as a coach, or use the Hubabble platform. It is written for the people who trust us with sensitive information, and we have tried to keep it plain. Where the law requires specific language, we use it, and we flag the legal mechanics so they are easy to find.
If you are a person being coached (a "client") who reached Hubabble through a link your coach sent you (to book a session, sign an agreement, pay, or view a receipt), please read the section "If you are a client of a coach" first. Your coach, not Hubabble, decides how your information is used.
1. Who we are
Hubabble is a business-in-a-box platform for coaches. It bundles scheduling, video sessions, a simple client relationship manager, transactional email, payments, e-sign documents, and coach website templates.
The company behind Hubabble is Hubabble, LLC, a member-managed multi-member limited liability company organized under Oregon law.
- Principal office and notice address: 403 Portway Avenue, Suite 300, Hood River, Oregon 97031, United States.
- Privacy and legal contact: privacy@hubabble.com
When this policy says we are a controller, we mean we decide why and how the personal data described is processed. When it says we are a processor, we mean we handle personal data on a coach's documented instructions, and the coach is the controller. The split between these two roles is the spine of this policy, so we set it out in full in the next section.
2. The two roles: when we are a controller and when we are a processor
Hubabble handles personal data in two different capacities, and your rights and our duties differ depending on which one applies.
We are the controller of:
- Information about coaches and the accounts they run (identity, login credentials, billing, support history).
- Information about visitors to our website and marketing pages.
- Operational and security telemetry about how the platform is used.
For all of the above, Hubabble decides the purposes and means of processing, and this policy governs.
We are a processor for the personal data a coach collects about their own clients inside Hubabble: client names and contact details, session history, intake answers, free-form notes, signed agreements, payment receipts, and similar. For that data, the coach is the controller. The coach decides what to collect, why, and for how long. Hubabble holds and processes it on the coach's behalf, under the coach's instructions.
Clients touch Hubabble surfaces directly through tokenized links their coach sends (to book, sign, pay, or view a receipt). Even though a client interacts with our systems directly, they are doing so on their coach's behalf, and the coach remains the controller of that client data. Hubabble's own role toward that client data stays that of a processor.
Stripe is a special case and plays two roles at once. When Hubabble or a coach uses Stripe to process a payment, Stripe acts as a subprocessor on the coach's (or our) behalf for that transaction. Stripe is also an independent controller in its own right for its own purposes, such as fraud prevention, regulatory and anti-money-laundering compliance, and meeting its legal obligations as a payments company. We state Stripe's dual role identically wherever it appears in our documents: Stripe acts as a subprocessor when it processes payments on the coach's behalf, and as an independent controller for its own fraud-prevention and legal-compliance purposes. Stripe's own privacy notice governs the controller side of what it does.
3. The personal data we collect (as controller)
This section covers data for which Hubabble is the controller. For client data, see "If you are a client of a coach."
Coach identity and authentication
When you sign up as a coach, we collect your name, email address, the name of your coaching practice, and the credentials you use to log in. We use a third-party authentication library to manage sessions and passwords, and we store hashed credentials and session records, never your plaintext password. If you connect your Google Calendar, we also process the Google account data described in the Google user data section below.
Billing data (platform subscription)
When you subscribe to a paid Hubabble plan, our payments provider collects and processes your payment details to charge you. We receive and store limited billing metadata (such as your plan, subscription status, the last four digits and brand of your card, and invoice records). We do not store full card numbers ourselves; the payments provider does.
Support and correspondence
When you email us, fill in a form, or otherwise contact us, we keep what you send and our replies so we can help you and keep a record of the conversation.
Usage and telemetry
To keep the platform fast and reliable, we collect technical and usage information through our hosting and edge provider, including performance measurements via that provider's Speed Insights telemetry (for example, page-load timing and basic device and browser characteristics). We use this to find and fix slow or broken pages, not to build advertising profiles.
Visitor and cookie data
When you visit our website, we collect minimal technical information needed to serve the site and keep it secure, such as your IP address, the pages you view, and basic browser and device information. We aim to keep non-essential cookies to a minimum.
We do not knowingly collect special-category (sensitive) personal data about coaches as part of running their account. Sensitive client data is addressed in the client and special-category data sections.
4. Why we use your data, and our lawful basis (GDPR)
For coaches, visitors, and others in the UK, EU, or EEA, the law requires us to identify a lawful basis for each purpose. The table below sets out the main purposes and the basis we rely on.
| Purpose | Personal data used | Lawful basis (UK / EU GDPR) |
|---|---|---|
| Create and run your coach account; provide the platform's features | Identity, authentication, account content | Performance of a contract (Art. 6(1)(b)) |
| Charge you for a paid plan; keep billing records | Billing metadata, invoice records | Performance of a contract (Art. 6(1)(b)); legal obligation for tax and accounting records (Art. 6(1)(c)) |
| Authenticate you and keep your account secure | Authentication data, security telemetry | Legitimate interests in securing the service (Art. 6(1)(f)); contract (Art. 6(1)(b)) |
| Provide calendar and scheduling features you connect | Google Calendar data (see Limited Use) | Performance of a contract (Art. 6(1)(b)); your consent to connect the integration |
| Answer your support requests | Support correspondence | Legitimate interests in helping you (Art. 6(1)(f)); contract (Art. 6(1)(b)) |
| Keep the platform fast, reliable, and secure | Usage and performance telemetry | Legitimate interests in operating and improving the service (Art. 6(1)(f)) |
| Send service and transactional emails (confirmations, receipts, password resets, security notices) | Identity, account events | Performance of a contract (Art. 6(1)(b)); legal obligation where applicable |
| Comply with law, respond to lawful requests, and defend legal claims | As needed | Legal obligation (Art. 6(1)(c)); legitimate interests in establishing or defending claims (Art. 6(1)(f)) |
Where we rely on legitimate interests, you can ask us to explain our balancing assessment, and you have the right to object (see your rights). Where we rely on consent (such as connecting an integration), you can withdraw it at any time without affecting processing that already happened.
Whether you have to provide this data (Art. 13(2)(e)). Providing your account, identity, and billing data is a contractual requirement: we need it to create your coach account, charge you for a paid plan, and operate the service for you under our Terms of Service. If you do not provide it, we cannot create or run your account or process your payments. Optional fields and operational or performance telemetry are not a contractual requirement, and choosing not to provide an optional field does not stop us from running your account, though it may limit specific features you have asked for (for example, calendar scheduling without a connected calendar).
Where your data comes from when you did not give it to us directly (Art. 14). Most of the personal data we hold about you, we collect directly from you when you sign up and use the platform. In some cases we may also receive coach or prospective-coach information from a third party, such as a certification or referral partner through which a coach reaches Hubabble (for example, your name and email to set up a trial account bundled with your certification). Where we receive your data from a source like this, the categories are the same identity and contact details described in section 3, and we use them for the purposes and on the lawful bases set out in this section.
We do not use coach or client content to train external machine-learning models, and we do not sell personal data or share it for cross-context behavioral advertising.
5. Who we share data with (recipients and subprocessors)
We keep the list of third parties small and use them to run the service, not to monetize you. Each one processes personal data only as needed to do its job, under contract.
The Subprocessor List is the single canonical list of the third parties we use. The table below is a convenience summary, and the Subprocessor List takes precedence. Rows marked FUTURE / not yet active describe capabilities we are building: the data is not flowing to those providers yet, and we will update the status before it does.
| Subprocessor | What it does for us | Status / notes |
|---|---|---|
| Neon | Hosts our Postgres database (the system of record) | Live. Stores account and platform data |
| Vercel | Hosts and serves the application and website (edge and compute); provides Speed Insights performance telemetry | Live |
| Stripe | Processes platform subscription billing | Live. Dual role: Stripe acts as a subprocessor when it processes payments on the coach's behalf, and as an independent controller for its own fraud-prevention and legal-compliance purposes |
| Your video room provider | Powers white-labeled video sessions | Live. The provider is never named to coaches or clients; in coach- and client-facing surfaces we say "video session" or "your video room" |
| Google | Provides the per-coach Calendar integration | Live for coaches who connect their calendar. See Limited Use |
| Resend | Sends transactional and e-sign emails | Live. Our email provider can record delivery and engagement events such as opens and clicks where that is enabled |
| AWS S3 (AWS region us-east-1 (US East, N. Virginia)) | Stores signed PDF documents | Live |
| Inngest | Runs background jobs (queued and scheduled platform tasks) | Live |
| Cloudflare | Provides DNS and inbound email handling | Live |
| Stripe (client payments) | Processes your clients' payments to you through Hubabble | Imminent / not yet live. Same dual role: subprocessor when it processes client payments on the coach's behalf, and independent controller for its own fraud-prevention and legal-compliance purposes |
| Recording and transcription of video sessions | Optional session recording and (separately) transcription of recordings | FUTURE / not yet active. When chosen, the transcription provider will not be named to coaches or clients |
We publish and maintain a current Subprocessor List as a companion to this policy, and that list is the canonical, authoritative source. Where the summary table above and the Subprocessor List differ, the Subprocessor List controls, including its live, imminent, and future split.
We also disclose personal data when the law requires it, to respond to lawful requests from public authorities, to enforce our terms, or to establish, exercise, or defend legal claims. If Hubabble is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, and we will give notice as required.
We do not treat the following as recipients of your personal data, because they do not receive it in a form that identifies you: our icon library, our self-hosted web fonts, and our internal webhook-delivery and secrets tooling. Future technologies are listed in section 12 and are not in use today.
6. International data transfers
Hubabble stores and processes personal data in the United States. If you are in the UK, EU, or EEA, your personal data is transferred to and processed in the United States and may be processed by the subprocessors listed above in the United States or elsewhere.
For transfers out of the EU and EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs). For transfers out of the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, as applicable. We also rely, where available, on a subprocessor's certification under an approved transfer framework.
You can ask us for more detail about the safeguards that apply to a specific transfer using the contact details above.
7. Your rights (EU, UK, and EEA)
If you are in the UK, EU, or EEA and we are the controller of your data, you have the right to:
- Access the personal data we hold about you and get a copy.
- Rectify inaccurate or incomplete data.
- Erase your data in certain circumstances ("right to be forgotten").
- Restrict processing in certain circumstances.
- Portability: receive certain data in a structured, machine-readable format and have it sent to another controller where technically feasible.
- Object to processing based on legitimate interests, and to direct marketing at any time.
- Withdraw consent where we rely on it, without affecting prior processing.
To exercise any of these, contact us at privacy@hubabble.com. We will respond within the timeframe the law requires (generally one month under the GDPR, extendable for complex requests). We will not charge a fee unless your request is manifestly unfounded or excessive, and we may need to verify your identity first.
You also have the right to lodge a complaint with your data protection authority. In the UK that is the Information Commissioner's Office (ICO). In the EU it is the supervisory authority in your country.
How to exercise these rights. To exercise these rights, contact privacy@hubabble.com and we will action your request within the timeframe the law requires.
Append-only records. Some records are kept in append-only form for integrity, audit, and legal reasons, and they survive a deletion request with identifying references removed or anonymized rather than the row being deleted. These include our events audit log, the financial ledger, records of legal acceptances, and executed signed agreements. We disclose this honestly: when you exercise erasure, these specific records persist in anonymized form, and we will tell you which categories were retained and why.
8. Your rights (United States: California and other states)
Notice at collection (California: CCPA / CPRA)
We collect the categories of personal information described in section 3: identifiers (name, email), commercial information (billing and subscription records), internet and network activity (usage and telemetry), and the contents of your support communications. We collect them for the purposes described in section 4, and we retain them as described in section 10.
No sale, no sharing. We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under California law.
Sensitive personal information. Where we are the controller, we do not collect sensitive personal information about coaches for the purpose of inferring characteristics, and we do not use or disclose it beyond the purposes the law permits. Sensitive information clients provide to a coach (such as wellbeing or health-related intake answers) is controlled by the coach; see the sections "If you are a client of a coach" and "Special-category (sensitive) personal data."
Your California rights. If you are a California resident, you have the right to know, access, correct, and delete your personal information, the right to opt out of sale or sharing (which we do not do), the right to limit use of sensitive personal information, and the right not to receive discriminatory treatment for exercising any right. To exercise these rights, contact privacy@hubabble.com. You may use an authorized agent, and we will verify your request as the law allows.
Other US state privacy laws
Several other US states have comprehensive privacy laws that give residents similar rights to know, access, correct, delete, and opt out of certain processing. We extend the substance of the rights above to residents of states where these laws apply.
Oregon Consumer Privacy Act (OCPA). Because Hubabble is being formed in Oregon, we call it out specifically. If you are an Oregon resident, the OCPA gives you the right to confirm whether we process your personal data, to access it, to obtain a list of specific third parties to whom we have disclosed personal data, to correct and delete it, to obtain a portable copy, and to opt out of the sale of personal data, targeted advertising, and certain profiling. We do not sell personal data or use it for targeted advertising. To exercise OCPA rights, contact privacy@hubabble.com.
Right to appeal a decision
If we decline to act on a privacy-rights request, you have the right to appeal that decision. This right is required by the OCPA and by most other US state privacy laws. To appeal, reply to our decision or email privacy@hubabble.com with the subject line "Privacy request appeal" and tell us which request you are appealing. We will respond to your appeal within 45 days of receiving it, telling you whether we will change our decision and explaining our reasons. If we deny your appeal, we will give you a way to contact your state Attorney General to submit a complaint. Oregon residents can contact the Oregon Department of Justice; residents of other states can contact their own Attorney General's office.
Consumer health data (Washington My Health My Data Act and similar laws)
Coaching can involve wellbeing and mental-health information. Where a coach collects wellbeing or mental-health intake answers through Hubabble systems, that information may qualify as "consumer health data" under the Washington My Health My Data Act (MHMDA) and similar laws in other states (such as Nevada and Connecticut).
If and where these laws apply, we commit that:
- We do not sell consumer health data without a valid, separate written authorization that meets the law's requirements.
- We do not use geofencing around any location that provides health-care services to identify, track, collect data from, or send notifications to consumers about their consumer health data.
Wellbeing and mental-health intake answers that a client provides to a coach are controlled by the coach. Hubabble processes that data only on the coach's instructions, as described in the client and special-category data sections.
9. Special-category (sensitive) personal data
Coaching often involves sensitive information. Client wellbeing and mental-health intake answers, free-form client notes and session notes, and (in the future) recordings and transcripts can reveal health or other sensitive details. Under the GDPR, these are special-category data (Art. 9) and need stronger protection.
For this data the coach is the controller, and the coach is responsible for having a valid basis to collect it, which in most cases means the client's explicit consent that is unbundled from other consents and can be withdrawn. Hubabble's role is to provide the tools and to process this data only on the coach's instructions.
We do not use special-category data for any purpose other than providing the service to the coach, and we never use it for advertising or sell it.
10. How long we keep data (retention)
We keep personal data for as long as your account is active and for as long as we need it for the purposes in this policy, then we work to delete or anonymize it. Billing and tax records are kept for the period the law requires.
Retention criteria by category (CPRA). California law asks us to state, for each category of personal information, the criteria we use to decide how long to keep it. Rather than fixed periods that we cannot yet enforce automatically across the board, we use these criteria:
| Category | Criteria for how long we keep it |
|---|---|
| Identity and account data (name, email, practice name, login records) | Kept while your account is active and for a short wind-down period after closure; then deleted or anonymized once it is no longer needed to operate or close your account. |
| Billing and subscription records (plan, status, card brand and last four, invoices) | Kept for the period tax, accounting, and financial-recordkeeping law requires, which is typically several years, then deleted. |
| Support and correspondence | Kept for as long as needed to resolve and keep a record of the matter, and to handle related follow-up or disputes, then deleted or anonymized. |
| Usage, performance, and security telemetry | Kept for the shorter period needed to operate, secure, and troubleshoot the service, then deleted or aggregated so it no longer identifies you. |
| Documents and signed agreements | Document files are retained until the coach-stamped "purge after" date, when set, removes them; executed signed agreements are retained in append-only form for legal-defense and integrity reasons (see below). |
| Append-only integrity records (audit events, financial ledger, legal-acceptance records) | Retained for integrity, audit, and legal-defense reasons; on erasure, identifying references are anonymized rather than the row deleted (see below). |
We want to be honest rather than aspirational about deletion:
As noted in section 7, certain append-only records (the events audit log, the financial ledger, legal-acceptance records, and executed signed agreements) are retained in anonymized form even after a deletion request, for integrity, audit, and legal-defense reasons.
11. How Hubabble uses Google user data (Limited Use)
If you connect your Google Calendar to Hubabble, we access a limited set of Google user data to provide calendar and scheduling features. This section describes that use and our compliance with Google's Limited Use requirements.
Scopes we access:
- https://www.googleapis.com/auth/calendar.events (to read and write calendar events so scheduling, availability, and session bookings work). This is a sensitive Google API scope.
- https://www.googleapis.com/auth/calendar.readonly (to read your calendars and existing events so we can show your availability and avoid double-booking). This is a sensitive Google API scope.
- userinfo.email (to identify your connected Google account by email).
- userinfo.profile (to identify your connected Google account by basic profile).
How we use this data:
- We use Google user data only to provide and improve the user-facing calendar and scheduling features you connect it for.
- We do not transfer this data to others except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice (the narrow Limited Use exceptions).
- We do not use this data for serving advertisements of any kind.
- We do not allow humans to read this data, except with your affirmative consent for specific messages, when necessary for security purposes such as investigating abuse, to comply with applicable law, or for internal operations where the data has been aggregated and anonymized.
- We do not sell this data.
Disconnecting the integration. You can disconnect your Google Calendar from Hubabble at any time in your settings. When you disconnect, we revoke the access token so Hubabble can no longer access your Google account, and we stop accessing your Google Calendar data. We delete the stored connection credentials, and we delete or anonymize Google-derived calendar data we no longer need to keep, except where an append-only or legal-defense record (such as a session that was already booked) must persist as described in the retention section. You can also revoke Hubabble's access directly from your Google Account permissions page at any time.
Consent screen. Google's OAuth consent screen, which you see when you connect your calendar, links to this published Privacy Policy so you can review how we handle Google user data before you grant access.
Hubabble's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
12. Future features (not yet live)
For transparency, some capabilities are planned but not in use today, and we list them so it is clear they are future, not current. We will update this policy and our Subprocessor List before any of these process your personal data:
- Video session recordings.
- Transcription of sessions (a transcription provider that, like our video provider, would not be named in coach- or client-facing surfaces).
- Alternative or bring-your-own video providers.
- Product analytics.
These are described here for honesty. None of them is active, and none is a current recipient of personal data.
13. If you are a client of a coach
If a coach invited you to Hubabble to book a session, sign an agreement, pay, or view a receipt, your coach is the controller of your information. The coach decides what to collect, why, and for how long. Hubabble processes that information on the coach's behalf as a processor.
That means:
- To exercise your rights over your data (access, correction, deletion, and so on), contact your coach first. They control your data.
- Hubabble will support a coach in responding to your request, consistent with our agreement with them.
- The links your coach sends you are single-purpose, time-limited tokenized links. We design them so they reveal only what they need to for the task at hand.
- Your use of those tokenized pages is governed by the Hubabble Client Terms of Use, which sets the rules for the client-facing surfaces (booking, signing, paying, and viewing receipts).
If you cannot reach your coach, or you believe your data is being handled improperly, you can contact us at privacy@hubabble.com and we will help route your request to the right controller.
14. Security
We take reasonable technical and organizational measures to protect personal data, including encryption in transit, hashed credentials, tenant isolation so one coach's data is not exposed to another, scoped tokenized links for client-facing actions, and access controls on our systems.
On encryption at rest: our database provider (Neon) provides encryption at rest for the database that holds your data. Per-coach calendar OAuth tokens (the credentials that let Hubabble connect to your Google Calendar) are additionally application-encrypted with AES-256-GCM before they are stored, so they are protected by a second layer beyond the database's own encryption.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a personal-data breach that affects you, we will notify you and the relevant authorities as the law requires.
15. Children
Hubabble is sold to and intended for adult coaches, and clients are presumed to be adults. The platform is not designed for and is not directed to children. We exclude under-16 users (the GDPR Art. 8 threshold) and under-13 users (the COPPA threshold) by contract through our Terms of Service and Data Processing Agreement, and we provide a path to delete data that should not have been collected. We do not knowingly collect personal data from children. If you believe a child's data has been provided to us, contact privacy@hubabble.com and we will delete it.
16. Changes to this policy
We may update this policy as the platform and the law change. When we do, we will revise the Effective Date and Version at the top and, for material changes, give you reasonable notice through the platform or by email before the change takes effect. Continued use after a change takes effect means the updated policy applies to you.
17. Governing law and contact
This policy and any dispute relating to it are governed by the laws of the State of Oregon, without regard to its conflict-of-laws rules. The forum for disputes is Hood River County, Oregon.
Questions, requests, or complaints about this policy or your data:
Hubabble, LLC
403 Portway Avenue, Suite 300
Hood River, Oregon 97031
United States
privacy@hubabble.com