Privacy Policy
Last updated: June 23, 2026
This Privacy Policy explains how LaunchSite OS, LLC ("LaunchSite OS," "we," "us," "our"), a Kentucky limited liability company, collects, uses, discloses, and safeguards information when you use our health-coaching platform. We treat the privacy and security of health-related information as foundational to the product, not an afterthought.
At a glance
- We are a software tool, not a clinic. LaunchSite OS is an educational wellness and coaching platform — not a medical service, and not a HIPAA covered entity or business associate.
- Your coach controls your records. For information a client enters or a coach records in a workspace, the Coach is the decision-maker (controller) and we act as their service provider (processor).
- We never sell your data, and we never use client health-related information for advertising or to train AI models.
- Access is locked down by design — encryption in transit and at rest, database row-level security, and server-side role checks on every request.
- You have rights to access, correct, export, and delete your information, and to withdraw consent for consumer health data. See Section 10, "Your privacy rights."
1. Who we are and our role
LaunchSite OS provides software that lets wellness, fitness, and functional-health coaches ("Coaches") manage their clients. It is an educational wellness and coaching tool — not a medical service, and not a HIPAA "covered entity" or "business associate." The platform is not intended for use by HIPAA covered entities, or to create, receive, or process Protected Health Information (PHI) on a covered entity's behalf. The client information handled here is treated as sensitive consumer health-related information and protected accordingly, but it is governed by general consumer-privacy and consumer-health-data laws, not HIPAA. For how we handle "consumer health data" and your related rights under laws like the Washington My Health My Data Act, see our Consumer Health Data Privacy Policy.
Our role depends on the information involved:
- Coach account information — we are the controller (we decide how it is used to operate the service).
- Client information inside a Coach's workspace — the Coach is the controller of that information and we act as a service provider / processor on the Coach's behalf, handling it only to deliver the service and on the Coach's documented instructions. Clients should direct requests about their own information to their Coach; we help Coaches fulfill them.
2. Information we collect
- Account information — name, email, password (stored only as a salted hash), and practice/brand details for Coaches.
- Client health-related information — check-ins, symptoms, system grades, supplement/peptide schedules, meal plans, training programs, lab uploads, body composition, progress photos, goals, messages, and notes entered by Coaches and clients.
- Billing information — subscription status and limited payment metadata. Card details are handled by our payment processor; we do not store full card numbers.
- Usage and device data — log data, IP address, browser type, and actions taken in the app, used for security and reliability.
- Cookies — strictly necessary cookies for authentication and session management.
Sources. We collect this information directly from you, from the Coach who invited you, and automatically from your device as you use the platform. We do not buy personal information from data brokers.
3. How we use information
- To provide, operate, secure, and improve the platform.
- To authenticate users and enforce role-based access (coach vs. client).
- To generate features you request (e.g., grading, PDFs, AI-assisted program drafting acting only on your own workspace data).
- To process subscriptions and send service and account notices.
- To detect, prevent, and respond to security incidents and abuse.
- To comply with our legal obligations.
We do not sell or rent personal information, and we do not use client health-related information for advertising, targeted advertising, or profiling that produces legal or similarly significant effects.
4. AI-assisted features
Some features (for example, draft program suggestions and lab-result summaries) are generated with the help of an AI provider, Microsoft Azure OpenAI Service. When you use these features, the relevant workspace data is sent to that provider solely to produce the output you requested. By contract, your data is not used to train or improve any AI models and is not retained by the provider for its own purposes. AI output is assistive and informational only — it is a drafting aid for the Coach, not medical advice, and the Coach remains responsible for any decisions.
5. How we protect information
- Encryption of data in transit (HTTPS/TLS) and at rest at the database and storage layers.
- Database row-level security so a Coach can reach only their own clients, and a client only their own records.
- Server-side enforcement of coach and client roles on every request.
- Hardened HTTP security headers (HSTS, anti-clickjacking, MIME protection).
- Least-privilege, scoped access for automated/AI tooling.
No method of transmission or storage is perfectly secure, but we work to protect your information using safeguards appropriate to its sensitivity.
6. Service providers (subprocessors)
We use a small set of trusted infrastructure providers to operate the platform. We enter into standard data-processing terms (DPAs) with each that require appropriate safeguards, and none are permitted to use client data to train AI models or for their own purposes:
- Supabase — database, authentication, and file storage.
- Microsoft Azure — application hosting and infrastructure.
- Microsoft Azure OpenAI Service — AI-assisted features (see Section 4).
This list may change as the platform evolves; the current list of subprocessors is available on request at support@launchsite-os.com.
7. Sharing and disclosure
We disclose information only: (a) to the Coach who owns the client relationship; (b) to subprocessors under contract, as described above; (c) to comply with law or valid legal process; (d) to protect the rights, safety, and security of users and the platform; or (e) in connection with a merger, acquisition, or sale of assets, in which case we will require the recipient to honor this policy and will notify you of any material change. We will not otherwise disclose client health-related information without authorization.
8. Breach notification
If we discover a breach of security affecting health-related or other personal information, we will notify affected individuals and any authorities as required by applicable law — including the U.S. FTC Health Breach Notification Rule and applicable state breach-notification laws (including Kentucky's) — within the timeframes those laws require.
9. Data retention
We retain information for as long as an account is active or as needed to provide the service, then delete or de-identify it within a commercially reasonable period (generally within 90 days of account closure), subject to legal, tax, and security retention obligations. Coaches control client records within their workspace and may request export or deletion at any time. Backups are purged on a rolling schedule.
10. Your privacy rights
Depending on where you live, you may have the right to:
- Access and obtain a copy of the personal information we hold about you;
- Correct inaccurate information;
- Delete your information;
- Obtain a portable copy of information you provided;
- Withdraw consent for the processing of consumer health-related data; and
- Not be discriminated against for exercising these rights.
These rights are provided under laws such as the California Consumer Privacy Act (CCPA/CPRA), the Kentucky Consumer Data Protection Act (effective January 1, 2026), the Washington My Health My Data Act, and other state comprehensive privacy laws. Because we do not sell personal information or use it for targeted advertising, there is nothing to opt out of in those categories.
How to exercise your rights. Clients should direct requests about their own information to their Coach, who controls that workspace; we will assist Coaches in fulfilling them. Coaches and other users may contact us at support@launchsite-os.com. We will verify your request and respond within the timeframe required by applicable law. If we decline a request, you may appeal by replying to our decision, and we will reconsider and respond as required by law.
11. Cookies and tracking
We use only strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. Because we do not engage in tracking for advertising, "Do Not Track" and Global Privacy Control signals do not change what we collect.
12. Children
The platform is not directed to children under 13 (or the applicable age in your jurisdiction) without verifiable parental/guardian consent obtained by the Coach. We do not knowingly collect information from children without that consent; if you believe we have, contact us at support@launchsite-os.com and we will delete it.
13. International users
The platform is operated from the United States (Kentucky). If you access it from outside the United States, your information will be processed in the United States, and you consent to that processing in accordance with this policy and applicable law.
14. Changes to this policy
We may update this policy from time to time. Material changes will be posted here with a revised "Last updated" date, and where required by law we will provide additional notice.
15. Contact
Questions about privacy or this policy: support@launchsite-os.com · LaunchSite OS, LLC (Kentucky, USA). Our mailing address is available on request.
This document describes our practices and safeguards. It is not legal advice. LaunchSite OS is a wellness and coaching tool and is not a HIPAA covered entity or business associate; Coaches are responsible for handling their clients' information consistent with the consumer-privacy and consumer-health-data laws that apply to them.