Privacy Policy

This policy applies when you visit our website, create an account, connect third-party services, interact with features like analytics or coaching, or contact us for support. It covers personal data we control as a controller under the EU General Data Protection Regulation (GDPR).

If you enable integrations, some providers process personal data as independent controllers or processors. Please review their policies for details about their processing.

The protection of your personal data is of great importance to us. Digital Engineering Herbst handles all personal information confidentially and in accordance with this Privacy Policy and applicable data protection laws.

When using this website or associated services, certain personal data may be collected. Personal data refers to information that can be used to identify you personally. This section explains which data we collect, how we use it, and the purposes involved.

Please note that data transmission on the internet (e.g., communication by email) may have security gaps. Complete protection of data from third-party access cannot be guaranteed.

Data Controller

Digital Engineering Herbst
Tobias Thomas Herbst
64380 Roßdorf, Germany
Phone: +49 (0)151 57 36 96 02
Email: info@proengage-digital.de

The data controller is the individual or entity that determines the purposes and means of processing personal data.

Our website and related backend services are hosted by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany (“IONOS”). When you access DEHcoach.com, IONOS automatically collects server log files, which may include your IP address, browser type, referrer URL, and time of access. For more details, please see the IONOS privacy statement at https://www.ionos.de/terms-gtc/terms-privacy.

Hosting with IONOS is based on our legitimate interest (Article 6(1)(f) GDPR) in ensuring reliable, secure, and efficient provision of our online presence. Where consent is required under applicable law, such as the use of cookies or accessing device information, processing takes place on the basis of Article 6(1)(a) GDPR and §25(1) TDDDG (Germany). You can withdraw your consent at any time with future effect.

We have entered into a Data Processing Agreement (DPA) with IONOS as required by Article 28 GDPR. This contract ensures that IONOS processes personal data of our website visitors only in accordance with our instructions and in compliance with data protection law.

• Identity & contact data such as name and email to create and manage your account.
• Authentication data (e.g., user ID, role claims, login email) to maintain secure sessions.
• Billing & payment metadata (e.g., Stripe customer ID) to handle subscriptions. we do not store full card details on our servers.
• Connected service credentials (e.g., provider name/ID, encrypted tokens) when you link external services you choose to use.
• Profile, training & performance data (e.g., activity metrics, power curves, workout details) if you connect sources that provide these.
• Wellness indicators (e.g., weight, RHR, HRV, sleep, menstrual phase, mood), when enabled by you via an integrated source.
• User-generated content such as feedback, notes, comments, or messages you submit in the app.
• Device & usage information like browser type, pages visited, and approximate location/timezone for security and product analytics.
• Cookies and similar technologies for core functionality (authentication, preferences) and, if configured, analytics.

We may collect the above directly from you, from your device, or from third-party services you authorize.

• You: information you provide during signup, profile edits, feedback, or support requests.
• Your devices: technical, diagnostic, and usage data collected via cookies or similar technologies.
• Third-party integrations you enable: for example, training data platforms or AI providers you choose to connect.

• Provide, maintain, and improve the Service and core features.
• Authenticate users, secure accounts, and prevent misuse or fraud.
• Process payments, manage subscriptions, and send essential service communications.
• Deliver analytics, personalized insights, and coaching features you request.
• Operate integrations you connect and honor your configuration choices.
• Respond to inquiries, provide support, and communicate about updates or changes.
• Comply with legal obligations and enforce our terms.

The legal basis for processing personal data on this website depends on the specific context in which we collect it. In general, we process personal data in accordance with the following provisions of the General Data Protection Regulation (GDPR):

• Article 6(1)(a) GDPR , where you have given your explicit consent, e.g., for analytics, cookies, or certain integrations. For special categories of data (Article 9(1) GDPR), your consent under Article 9(2)(a) applies. If consent also involves data transfer to a third country, Article 49(1)(a) GDPR serves as the basis.
• Article 6(1)(b) GDPR , where processing is required to perform a contract or pre-contractual measures (for example, when you create an account or subscribe to a paid plan).
• Article 6(1)(c) GDPR , where processing is necessary to comply with a legal obligation, such as accounting or tax retention duties.
• Article 6(1)(f) GDPR , where processing is based on our legitimate interest in maintaining, optimizing, and securing the functionality of the website or service.
• Where consent is obtained for the use of cookies or access to device information (e.g., device fingerprinting), processing additionally relies on § 25(1) TDDDG. Consent can be withdrawn at any time.

We collaborate with selected external service providers to support our operations. Personal data is shared only when necessary for contract fulfillment, when required by law, when based on our legitimate interest, or when consent has been granted. Each processing activity is governed by a valid Data Processing Agreement (DPA) as required under Article 28 GDPR.

Our website uses only strictly necessary cookies required for basic functionality and secure operation of the Service. These cookies enable core features such as session management, language preferences, and account login persistence.

Such cookies are stored on the basis of Article 6(1)(f) GDPR, representing our legitimate interest in providing a technically stable, secure, and optimized user experience. Under the EU ePrivacy Directive and the German TDDDG, these essential cookies do not require your prior consent.

We do not use analytics, advertising, tracking, or profiling cookies. No third-party marketing pixels, social media embeds, or external tracking tools are loaded when you visit our website.

You may configure your browser to notify you before cookies are stored, allow cookies only in specific cases, block them entirely, or delete cookies automatically when closing your browser. However, disabling essential cookies may affect the functionality of certain site features.

Summary of Cookies Used

Cookie Name	Purpose	Type	Duration
.AspNetCore.Identity.Application	Maintains the authenticated user session.	Security cookie (essential)	Deleted when the browser session ends.
.AspNetCore.Antiforgery	Prevents cross-site request forgery (CSRF) attacks.	Security cookie (essential)	Deleted when the browser session ends.
DXCurrentTheme	Stores the selected user interface theme to ensure the layout is displayed correctly.	Essential (layout functionality)	Deleted after one year.

If in the future we introduce any non-essential cookies or tracking technologies, we will update this notice and provide a consent mechanism before such cookies are set.

We share personal data only as needed to run the Service or when you ask us to. Typical recipients include:

• Service providers who support infrastructure, payments, analytics, or communications under appropriate contracts.
• Third-party integrations you enable (e.g., training data platforms or AI/LLM providers) to deliver features you request.
• Legal and compliance recipients when required by law, to protect rights, safety, or prevent fraud.
• Business transfers in the event of a reorganization, merger, or similar transaction, subject to applicable law.

We do not sell personal data. Where required, we offer opt-outs for targeted advertising or sale/sharing under applicable laws.

Some processors or integrations may be located outside your country. Where applicable, we rely on lawful transfer mechanisms, such as the EU-U.S. Data Privacy Framework participation of a provider or standard contractual clauses, as appropriate for the specific service. Details depend on the providers you choose to enable.

We retain personal data only as long as necessary for the purposes described in this policy, including providing the Service, complying with legal obligations, resolving disputes, and enforcing agreements. You can request deletion of your account and associated data, subject to legal or operational retention requirements.

Under the GDPR, you have several rights regarding your personal data. You can exercise these at any time by contacting us using the details in the “Controller Details” section.

• Right to withdraw consent . You may withdraw any consent previously given at any time. The legality of processing prior to withdrawal remains unaffected.
• Right to object (Article 21 GDPR) . You have the right to object to processing of your personal data based on Article 6(1)(e) or (f) GDPR for reasons arising from your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests or rights, or where processing is necessary for the establishment, exercise, or defense of legal claims.
• Objection to direct marketing . If your data is processed for direct marketing, you may object at any time. Once you do, your data will no longer be used for such purposes.
• Right to lodge a complaint . You may file a complaint with a supervisory authority, particularly in your place of residence, work, or the location of the alleged infringement, without prejudice to other legal remedies.
• Right of access . You may request information about the data we hold about you, its origin, recipients, and processing purpose.
• Right to rectification and erasure . You may request correction of inaccurate data or deletion where permissible by law.
• Right to restriction of processing . You may request temporary restriction of data processing in specific situations, e.g., while verifying accuracy, contesting lawfulness, or pending legal claims.
• Right to data portability . You may request transfer of your data in a structured, machine-readable format or direct transfer to another controller where technically feasible.

Our website uses SSL/TLS encryption to protect the transmission of confidential data. You can recognize an encrypted connection by the padlock symbol in your browser and “https://” in the address bar. When SSL/TLS is active, transmitted data cannot be read by third parties.

Use of contact data published under the legal notice obligation for sending unsolicited advertising material is prohibited. We reserve the right to take legal action in the event of unsolicited marketing (e.g., spam emails).

We apply technical and organizational measures designed to protect personal data. No system is perfectly secure, and we encourage you to use strong passwords, enable available security settings, and notify us promptly of any suspected unauthorized activity.

Our Service is not directed to children under the age required by local law to consent to online services without parental authorization. We do not knowingly collect such data. If you believe a child has provided us with personal data, please contact us so we can take appropriate steps.

You can choose to connect certain providers to enrich your experience (for example, a training data platform or an AI/LLM service). If you enable an integration, we will exchange only the data needed to operate that feature per your configuration.

• Payment processing: e.g., Stripe, used to handle subscription billing and related notices.
• Email delivery: e.g., SMTP infrastructure (such as a MailKit-based sender) to send service emails.
• Training data platforms: e.g., Intervals.icu, if you connect it, we may retrieve activity metrics and athlete history that you request.
• AI/LLM providers: e.g., OpenAI or a configured model, if you use AI features, relevant prompts and context you supply may be processed to generate outputs.

Each provider has its own privacy practices. Please review their policies to understand how they handle your data.

Data Processing Agreement (DPA): A DPA has been executed with OpenAI to ensure that any personal data processed via AI-powered features is handled in compliance with Article 28 GDPR.

Categories of Personal Information	Business Purpose	Legal Basis for Processing	Categories of Service Providers
Identity, contact & billing identifiers (first name, last name, nickname, mailing address, Stripe customer ID, email) stored on the application user profile.	Provision accounts, synchronize billing profiles, honor email preferences, and send account communications.	Performance of contract (account setup and billing) and legitimate interest (service notifications).	Payment processor (Stripe) and SMTP email delivery infrastructure (MailKit-based sender).
Authentication identifiers (user ID, login email, role claims persisted to the client).	Maintain authenticated sessions between server and WebAssembly client for secure access.	Performance of contract (provide secure account access).	None, managed within the server and client authentication components.
Connected service credentials (provider name, provider ID, provider username, encrypted API keys, stored OpenAI key associations).	Enable user-requested integrations such as Intervals.icu data retrieval and AI-powered coaching prompts.	Performance of contract / user-requested integrations (connect external services needed for coaching flows).	Training data platform (Intervals.icu) and AI/LLM provider (OpenAI or configured) receive these credentials when invoked.
Athlete profile & training performance data (activity metrics, power curves, athlete IDs, names, location/timezone, sex, email, workout details).	Generate analytics, personalize workouts, and populate AI prompts with athlete history and profile context.	Performance of contract (deliver individualized coaching insights).	Training data platform (Intervals.icu) supplies and AI/LLM provider consumes this data via request payloads when composing advice.
Wellness & biometric indicators (weight, resting heart rate, HRV, menstrual phase, sleep, mood, readiness, hydration, blood markers).	Assess recovery/readiness and feed health context into athlete advice flows.	Performance of contract (provide personalized readiness insights for coaching). Where required, we will obtain consent.	Intervals.icu sources these wellness metrics and the AI/LLM provider processes them when building readiness prompts (if you enable these features).
Coaching feedback & user-generated content (daily feedback sections, athlete IDs/dates, workout feedback text, stored comments).	Record athlete interactions and provide tailored coaching recommendations through AI prompts and stored feedback history.	Performance of contract (deliver personalized coaching based on user input).	AI/LLM provider processes this content when generating advice and summaries for the athlete.

• You can update profile details and integration settings in your account.
• You can disconnect integrations at any time. this stops new data flows from that provider.
• You can request account deletion. some data may be retained as required by law or for legitimate business needs (e.g., billing records).

We may update this policy to reflect operational, legal, or regulatory changes. If changes are material, we will provide appropriate notice in the Service or by other reasonable means. The “Effective date” above shows when the latest version took effect.