WhiteboardRx — Privacy Policy
Last updated: May 14, 2026 · Version 2026-05-14
Introduction
Cascade Software Solutions LLC ("Company," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, store, disclose, and protect personal information when you use WhiteboardRx, our business-to-business coaching platform (the "Service").
This Policy applies to coaches who hold an account with us (our direct customers). Where we process personal data about a coach's clients on that coach's behalf, the coach acts as the "data controller" and we act as the "data processor"; for questions about that processing, please contact the coach directly.
Information We Collect
Information Coaches Provide
When you create and use a WhiteboardRx coaching account, we may collect:
- Account info — full name, email, password (hashed), timezone
- Business info — business name, business type (solo / team / gym), coaching focus, certifications, bio, specialties, years of experience, brand colors, logos
- Billing info (if paid plans are active) — payment method, billing address, tax ID, all tokenized through Stripe
- Content you author — messages, intake forms, check-in templates, training programs, meal plans, notes, annotations, automation sequences
- Legal acceptance records — timestamps when you accepted the Terms of Service, Privacy Policy, Beta Participation Agreement, and Data Processing Addendum
- Support correspondence — emails, chat transcripts, and similar
Client Data Processed on Your Behalf
When your clients use WhiteboardRx-connected apps (such as NutritionRx or GymRx) or complete intake forms and check-ins, data about them may flow into the Service. This includes:
- Client identity (name, email, phone when provided)
- Health-related metrics voluntarily logged (body weight, measurements, activity, nutrition)
- Check-in responses, photos, and narrative content clients share with you
- Messages exchanged between you and the client
- Progress photos and video form-review recordings
- Habits, workouts, and meal plans completed
As the coach, you are the data controller for this Client Data. You are responsible for the lawful basis to collect it and for providing your clients a privacy notice. We process this data only on your documented instructions — see our Data Processing Addendum for details.
Information We Collect Automatically
- Device and usage data — browser type and version, operating system, IP address (truncated), session timestamps, referring URL, pages viewed, features used
- Performance and error data — diagnostic logs, crash reports, latency telemetry
- Security events — login attempts, password resets, IP address of authentication requests, multi-factor authentication events
Information We Do Not Knowingly Collect
- We do not use advertising trackers, third-party ad cookies, or behavioral advertising pixels in the Service.
- We do not collect precise device location unless you explicitly grant it for a specific feature (none currently require it on the coaching dashboard).
- We do not knowingly collect Protected Health Information (PHI). Please see our Terms of Service regarding the scope of permitted use.
How We Use Information
We use the information we collect to:
- Provide, maintain, and secure the Service
- Authenticate you and prevent unauthorized access
- Process your coaching workflows (messaging, check-ins, sequences, calendar)
- Deliver AI features you opt into (summarization, drafting, insights) — see the "AI Features" section below
- Provide customer support and respond to requests
- Improve reliability, performance, and feature quality
- Send transactional notifications (security alerts, service notices, invoices)
- Comply with legal obligations and enforce our Terms
We do not:
- Sell personal information to third parties
- Rent or trade personal information for marketing purposes
- Use Client Data to train machine-learning models without explicit coach opt-in
- Target advertising based on personal information
Data Sharing and Sub-Processors
We share personal information only with the following categories of recipients:
- Supabase, Inc. — database, authentication, storage, and hosting infrastructure. Data is stored in the United States. See the Supabase Privacy Policy.
- Vercel Inc. — web hosting for the dashboard front-end. See the Vercel Privacy Policy.
- Stripe, Inc. — payment processing and tax calculation (if paid plans active). See the Stripe Privacy Policy.
- OpenAI, L.L.C. — AI features (summarization, drafting, semantic search). When you use AI features, the relevant text context is transmitted to OpenAI's API. Under our API tier, OpenAI states it does not retain inputs for model training. See the OpenAI API Data Usage Policy.
- Terra API, Inc. — wearable-device integrations (if enabled by your clients). See the Terra Privacy Policy.
- Google LLC and Microsoft Corporation — calendar OAuth integrations (only if you connect your Google or Microsoft calendar). These providers process OAuth tokens and calendar events you choose to share.
- Sentry, Inc. — error and performance monitoring. See the Sentry Privacy Policy.
- PostHog Inc. — product analytics (anonymized or pseudonymized usage metrics). See the PostHog Privacy Policy.
- Legal authorities and professional advisors — only when required by law, valid legal process, or to protect rights, safety, or property
- In a business transfer — if we sell or merge the business, personal information may be transferred as part of the transaction, subject to a successor entity's commitment to honor this Policy or provide 30 days' notice of change
A current and updated list of sub-processors is maintained in our Data Processing Addendum.
AI Features
WhiteboardRx offers AI-assisted features (summarization of client activity, draft message composition, insight generation, and similar). When you invoke an AI feature:
- The relevant text context (e.g., recent check-ins or messages you selected) is transmitted to our AI sub-processor over TLS
- AI inputs and outputs are not retained for model training by Cascade or by the AI sub-processor under the API tier we currently use (OpenAI's "no-training" API tier, as documented in OpenAI's API Data Usage Policy). We will give the 30 days' notice described in our DPA before changing AI sub-processors or moving to an API tier with different retention behavior.
- AI output is probabilistic; you are responsible for reviewing it before relying on or sending it to a client (see Section 10 of the Terms of Service for the coach-review obligation)
- We do not make solely automated decisions that produce legal or similarly significant effects regarding you or your clients. The engagement scores and insights we generate are presented for your review and are not used to suspend accounts, deny services, or take any other consequential action without human intervention
- You can opt out of AI features on a per-coach basis in Settings
Data Retention
- Active accounts: we retain your coach data and the Client Data you process while your account is active and as needed to provide the Service
- After termination: you have access to data export tools for 30 days after account termination, after which we begin deletion from active systems
- Backups: residual copies may persist in encrypted backups for up to 90 days after deletion from active systems, after which they are overwritten per our backup rotation policy
- Legal holds: we may retain data longer where required by law or to resolve a dispute
- Anonymized / aggregate analytics: may be retained indefinitely because it is no longer personal information
Your Rights
Depending on your jurisdiction, you have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — ask us to correct inaccurate data
- Deletion — request deletion of your account data (subject to legal-retention requirements)
- Portability — receive your data in a structured, machine-readable format
- Restriction and objection — restrict certain processing or object to it
- Withdraw consent — where processing is based on consent, withdraw at any time
To exercise any of these rights, email privacy@whiteboardrx.com. We will respond within 30 days (45 days for complex requests, with notice).
If you are a client whose data is processed through WhiteboardRx on a coach's behalf, please contact your coach first — the coach is the data controller. If the coach is unresponsive, you may contact us for assistance.
Children's Data
The Service is not intended for use by individuals under 13 years of age, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has registered or had data collected, contact us and we will delete it promptly.
Coaches must not invite clients under 13 without verifiable parental consent, and must comply with any applicable children's privacy laws (COPPA in the U.S., GDPR-K in the EU, etc.).
International Data Transfers
The Service is operated from the United States and data is stored primarily in the United States (Supabase US region). If you access the Service from outside the U.S., your information will be transferred to, and processed in, the United States. Where required, we rely on Standard Contractual Clauses ("SCCs") or equivalent safeguards for international transfers.
Security
We implement technical and organizational measures designed to protect personal information, including:
- Encryption in transit (TLS 1.2+) for all data transfers
- Encryption at rest for database and storage
- Row-level security ("RLS") policies on our database to enforce tenant isolation
- Password hashing using industry-standard algorithms
- Access controls limiting employee access to production data on a need-to-know basis
- Security monitoring, error logging, and periodic review of access
- Backups with limited retention and secure destruction procedures
No security program is perfect. You should maintain independent backups of any data you cannot afford to lose.
Data Breach Notification
If we become aware of a personal data breach affecting your account or the Client Data you process through the Service, we will notify you without undue delay and in any event consistent with legal requirements, and will assist you in assessing and responding to the incident. Details of notification timelines and roles are set out in the Data Processing Addendum.
Cookies and Local Storage
The dashboard uses minimal cookies and browser local storage for:
- Session authentication (essential — cannot be disabled without breaking login)
- Theme preference (light / dark)
- UI preferences (sidebar width, table column visibility)
- CSRF protection tokens
We do not use third-party advertising cookies or cross-site tracking pixels.
California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know what personal information we collect and how we use it
- Right to delete your personal information (subject to legal exceptions)
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information (we do not sell, and do not share for cross-context behavioral advertising; see the "Do Not Sell or Share" section below)
- Right to limit the use and disclosure of Sensitive Personal Information (see below)
- Right to non-discrimination for exercising these rights
- Right to designate an authorized agent to make requests on your behalf
Categories of Personal Information We Collect
In the past 12 months we collected the following categories of personal information, mapped to the CCPA statutory categories. We do not sell any of these categories and do not share them for cross-context behavioral advertising.
- Identifiers (Cal. Civ. Code §1798.140(o)(1)(A)) — name, email address, account ID, IP address (truncated), device identifiers. Source: directly from you, automatically from your device.
- Personal information categories listed in the California Customer Records statute (§1798.80(e)) — name, address (billing), telephone number, payment-method identifier (tokenized by Stripe). Source: directly from you.
- Commercial information — billing history, plan tier, transaction records. Source: directly from you, from Stripe.
- Internet or other electronic network activity information — feature-use logs, session timestamps, error traces. Source: automatically from your interactions with the Service.
- Professional or employment-related information — coaching business name, business type, coaching focus, certifications, years of experience, bio. Source: directly from you.
- Inferences — engagement scores and insights we derive about your own clients for your dashboard. Source: derived from data you and your clients provide.
We do not knowingly collect the other CCPA statutory categories (characteristics of protected classifications, biometric information about you as a coach, geolocation data beyond truncated IP, audio/electronic/visual information beyond what you upload, education records).
Sensitive Personal Information (SPI) and Right to Limit
The CCPA defines certain categories as Sensitive Personal Information. We collect SPI from coaches only to the limited extent inherent in operating a secure SaaS product:
- Account log-in / password combination — used solely to authenticate you. Passwords are stored hashed, never in plaintext.
- Precise geolocation — we do not collect this.
- Health information — we do not collect health information about you as a coach. Health-related data your clients log through the connected apps is Client Data, processed on your behalf as the data controller (see "Client Data Processed on Your Behalf" above).
We use SPI only for the purposes the CCPA permits without a separate use-limitation right (authentication, fraud prevention, service security). You may still exercise the right to limit by emailing us; we will confirm in writing the limits we are applying.
Do Not Sell or Share My Personal Information
We do not sell personal information and we do not share it for cross-context behavioral advertising as those terms are defined under the CCPA, the Virginia CDPA, the Colorado CPA, or analogous laws.
We do use a small number of analytics and error-monitoring sub-processors (PostHog and Sentry) to operate and improve the platform. Some U.S. state privacy laws treat that as "sharing." If you would like to opt out of these uses, you can do so in your coach dashboard at Settings → Legal & Compliance → Do Not Sell or Share My Personal Information, via the footer link of the same name, or by emailing privacy@whiteboardrx.com. Opting out stops product-analytics and session-replay events for your account immediately. Essential cookies (sign-in, theme, CSRF) continue to operate.
Global Privacy Control (GPC)
We honor the Global Privacy Control signal sent by your browser as a request to opt out of the sale or sharing of personal information for the device or browser sending the signal. Where you are signed in to a coach account, we extend the GPC opt-out to that account as well.
Other U.S. State Privacy Rights
Depending on where you reside, you may have additional rights under the privacy laws of your state, including:
- Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (CPA), and similar U.S. state consumer privacy laws — rights to access, correct, delete, port, and (where applicable) appeal denials of these requests, and rights to opt out of targeted advertising, sale, and certain profiling.
We do not engage in targeted advertising, do not sell personal information, and do not use solely automated decision-making for legal or similarly significant decisions about you. You may exercise applicable state rights by emailing privacy@whiteboardrx.com. We will verify the request as required by law and respond within the statutory timeframe (typically 45 days, extendable as permitted).
If we deny your request, you have a right to appeal. Submit appeals to the same email address with subject line "Privacy Request Appeal."
European Privacy Rights (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland:
- Data Controller for the coach's own account data: Cascade Software Solutions LLC, 5441 S Macadam Ave, Ste N, Portland, OR 97239, USA
- Data Processor for Client Data: Cascade Software Solutions LLC, per the Data Processing Addendum signed with the coach
- Legal bases for processing: performance of contract (providing the Service), legitimate interests (securing and improving the Service), consent (optional features), and legal obligations (tax, accounting)
- Right to lodge a complaint with your local supervisory authority
Changes to This Policy
We may update this Privacy Policy from time to time. We will announce material changes in the dashboard and/or by email to active coaches at least 14 days before the change takes effect. The "Last updated" date at the top of this Policy reflects the most recent revision.
Contact
For privacy questions or to exercise any of the rights described above:
Cascade Software Solutions LLC
Website: https://www.cascademobile.dev/
Email: privacy@whiteboardrx.com
Address: 5441 S Macadam Ave, Ste N, Portland, OR 97239, USA