WhiteboardRx — Privacy Policy
Last updated: April 17, 2026 · Version 1.0 (Beta)
Beta template. This document is a working draft intended for beta testing. Professional legal review is recommended before paid launch. This Privacy Policy may be updated prior to general availability, with notice to active coaches.
Introduction
Cascade Software Solutions LLC ("Company," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, store, disclose, and protect personal information when you use WhiteboardRx, our business-to-business coaching platform (the "Service").
This Policy applies to coaches who hold an account with us (our direct customers). Where we process personal data about a coach's clients on that coach's behalf, the coach acts as the "data controller" and we act as the "data processor"; for questions about that processing, please contact the coach directly.
Information We Collect
Information Coaches Provide
When you create and use a WhiteboardRx coaching account, we may collect:
- Account info — full name, email, password (hashed), timezone
- Business info — business name, business type (solo / team / gym), coaching focus, certifications, bio, specialties, years of experience, brand colors, logos
- Billing info (if paid plans are active) — payment method, billing address, tax ID, all tokenized through Stripe
- Content you author — messages, intake forms, check-in templates, training programs, meal plans, notes, annotations, automation sequences
- Legal acceptance records — timestamps when you accepted the Terms of Service, Privacy Policy, Beta Participation Agreement, and Data Processing Addendum
- Support correspondence — emails, chat transcripts, and similar
Client Data Processed on Your Behalf
When your clients use WhiteboardRx-connected apps (such as NutritionRx or GymRx) or complete intake forms and check-ins, data about them may flow into the Service. This includes:
- Client identity (name, email, phone when provided)
- Health-related metrics voluntarily logged (body weight, measurements, activity, nutrition)
- Check-in responses, photos, and narrative content clients share with you
- Messages exchanged between you and the client
- Progress photos and video form-review recordings
- Habits, workouts, and meal plans completed
As the coach, you are the data controller for this Client Data. You are responsible for establishing the lawful basis to collect it and for providing your clients with a privacy notice. We process this data only on your documented instructions — see our Data Processing Addendum for details.
Information We Collect Automatically
- Device and usage data — browser type and version, operating system, IP address (truncated), session timestamps, referring URL, pages viewed, features used
- Performance and error data — diagnostic logs, crash reports, latency telemetry
- Security events — login attempts, password resets, IP address of authentication requests, multi-factor authentication events
Information We Do Not Knowingly Collect
- We do not use advertising trackers, third-party ad cookies, or behavioral advertising pixels in the Service.
- We do not collect precise device location unless you explicitly grant it for a specific feature (none currently require it on the coaching dashboard).
- We do not knowingly collect Protected Health Information (PHI). Please see our Terms of Service regarding the scope of permitted use.
How We Use Information
We use the information we collect to:
- Provide, maintain, and secure the Service
- Authenticate you and prevent unauthorized access
- Process your coaching workflows (messaging, check-ins, sequences, calendar)
- Deliver AI features you opt into (summarization, drafting, insights) — see the "AI Features" section below
- Provide customer support and respond to requests
- Improve reliability, performance, and feature quality
- Send transactional notifications (security alerts, service notices, invoices)
- Comply with legal obligations and enforce our Terms
We do not:
- Sell personal information to third parties
- Rent or trade personal information for marketing purposes
- Use Client Data to train machine-learning models without explicit coach opt-in
- Target advertising based on personal information
Data Sharing and Sub-Processors
We share personal information only with the following categories of recipients:
- Supabase, Inc. — database, authentication, storage, and hosting infrastructure. Data is stored in the United States. Supabase Privacy Policy
- Vercel Inc. — web hosting for the dashboard front-end. Vercel Privacy Policy
- Stripe, Inc. — payment processing and tax calculation (if paid plans active). Stripe Privacy Policy
- OpenAI, L.L.C. — AI features (summarization, drafting, semantic search). When you use AI features, the relevant text context is transmitted to OpenAI's API. Under our API tier, OpenAI states it does not retain inputs for model training. OpenAI API Data Usage Policy
- Terra API, Inc. — wearable-device integrations (if enabled by your clients). Terra Privacy Policy
- Google LLC and Microsoft Corporation — calendar OAuth integrations (only if you connect your Google or Microsoft calendar). These providers process OAuth tokens and calendar events you choose to share.
- Sentry, Inc. — error and performance monitoring. Sentry Privacy Policy
- PostHog Inc. — product analytics (anonymized or pseudonymized usage metrics). PostHog Privacy Policy
- Legal authorities and professional advisors — only when required by law, valid legal process, or to protect rights, safety, or property
- In a business transfer — if we sell or merge the business, personal information may be transferred as part of the transaction, subject to a successor entity's commitment to honor this Policy or provide 30 days' notice of change
A current list of sub-processors is maintained in our Data Processing Addendum.
AI Features
WhiteboardRx offers AI-assisted features (summarization of client activity, draft message composition, insight generation, and similar). When you invoke an AI feature:
- The relevant text context (e.g., recent check-ins or messages you selected) is transmitted to our AI provider over TLS
- AI inputs and outputs are not retained for model training under our current OpenAI API tier
- AI output is probabilistic; you are responsible for reviewing it before relying on or sending it to a client
- You can opt out of AI features on a per-coach basis in Settings
Data Retention
- Active accounts: we retain your coach data and the Client Data you process while your account is active and as needed to provide the Service
- After termination: you have access to data export tools for 30 days after account termination, after which we begin deletion from active systems
- Backups: residual copies may persist in encrypted backups for up to 90 days after deletion from active systems, after which they are overwritten per our backup rotation policy
- Legal holds: we may retain data longer where required by law or to resolve a dispute
- Anonymized / aggregate analytics: may be retained indefinitely because it is no longer personal information
Your Rights
Depending on your jurisdiction, you have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — ask us to correct inaccurate data
- Deletion — request deletion of your account data (subject to legal-retention requirements)
- Portability — receive your data in a structured, machine-readable format
- Restriction and objection — restrict certain processing or object to it
- Withdraw consent — where processing is based on consent, withdraw at any time
To exercise any of these rights, email garrett@cascademobile.dev. We will respond within 30 days (45 days for complex requests, with notice).
If you are a client whose data is processed through WhiteboardRx on a coach's behalf, please contact your coach first — the coach is the data controller. If the coach is unresponsive, you may contact us for assistance.
Children's Data
The Service is not intended for use by individuals under 13 years of age, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has registered or had data collected, contact us and we will delete it promptly.
Coaches must not invite clients under 13 without verifiable parental consent, and must comply with any applicable children's privacy laws (COPPA in the U.S., GDPR-K in the EU, etc.).
International Data Transfers
The Service is operated from the United States and data is stored primarily in the United States (Supabase US region). If you access the Service from outside the U.S., your information will be transferred to, and processed in, the United States. Where required, we rely on Standard Contractual Clauses ("SCCs") or equivalent safeguards for international transfers.
Security
We implement technical and organizational measures designed to protect personal information, including:
- Encryption in transit (TLS 1.2+) for all data transfers
- Encryption at rest for database and storage
- Row-level security ("RLS") policies on our database to enforce tenant isolation
- Password hashing using industry-standard algorithms
- Access controls limiting employee access to production data on a need-to-know basis
- Security monitoring, error logging, and periodic review of access
- Backups with limited retention and secure destruction procedures
No security program is perfect. You should maintain independent backups of any data you cannot afford to lose.
Data Breach Notification
If we become aware of a personal data breach affecting your account or the Client Data you process through the Service, we will notify you without undue delay and in any event consistent with legal requirements, and will assist you in assessing and responding to the incident. Details of notification timelines and roles are set out in the Data Processing Addendum.
Cookies and Local Storage
The dashboard uses minimal cookies and browser local storage for:
- Session authentication (essential — cannot be disabled without breaking login)
- Theme preference (light / dark)
- UI preferences (sidebar width, table column visibility)
- CSRF protection tokens
We do not use third-party advertising cookies or cross-site tracking pixels.
California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know what personal information we collect and how we use it
- Right to delete your personal information (subject to legal exceptions)
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising)
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising these rights
Categories of personal information collected in the past 12 months: identifiers (name, email), commercial information (billing history), internet and device activity (log data), professional information (business details, certifications), and inferences drawn from the above (engagement scores for your own clients). We do not sell this information.
European Privacy Rights (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland:
- Data Controller for the coach's own account data: Cascade Software Solutions LLC, 5441 S Macadam Ave, Ste N, Portland, OR 97239, USA
- Data Processor for Client Data: Cascade Software Solutions LLC, per the Data Processing Addendum signed with the coach
- Legal bases for processing: performance of contract (providing the Service), legitimate interests (securing and improving the Service), consent (optional features), and legal obligations (tax, accounting)
- Right to lodge a complaint with your local supervisory authority
Changes to This Policy
We may update this Privacy Policy from time to time. We will announce material changes in the dashboard and/or by email to active coaches at least 14 days before the change takes effect. The "Last updated" date at the top of this Policy reflects the most recent revision.
Contact
For privacy questions or to exercise any of the rights described above:
Cascade Software Solutions LLC
Website: https://www.cascademobile.dev/
Email: garrett@cascademobile.dev
Address: 5441 S Macadam Ave, Ste N, Portland, OR 97239, USA