Overview
Sydekyck collects only what we need to run your coaching practice. We don't sell your data, we don't sell your clients' data, and we don't show ads. You can export and delete everything at any time.
This Privacy Policy describes how Sydekyck Inc. ("Sydekyck", "we", "us", or "our") collects, uses, and shares information when you use our website (sydekyck.com), our application, and any related services (collectively, the "Service").
It applies to two kinds of people: Coaches who hold a Sydekyck account, and the Clients those coaches manage through Sydekyck. Different rules apply to each — we'll be clear about which.
What we collect
Your account info, the data you put into Sydekyck about your practice, and basic usage logs. We try not to ask for anything we don't actually need.
From coaches (account holders)
- Account information. Name, email address, password (hashed), profile photo, time zone, and (if you tell us) practice name, role, and how you found us.
- Billing information. Payment method and billing address are processed by Stripe, our payment processor. Sydekyck stores only the last four digits of your card and a transaction ID; we never see the full card number.
- Practice content. Anything you put into Sydekyck — client records, session notes, agendas, recap drafts, files, invoices, curricula, goal tracking, internal tags.
- Usage data. Pages visited, features used, click events (aggregated), timestamps, and the IP address of your most recent session.
- Communications. Emails and messages you send to support, plus survey responses you choose to give us.
From clients (managed by a coach on Sydekyck)
- Identity. Name, email, and any contact information your coach has chosen to record.
- Session content. Notes your coach takes about you, agendas, action items, completion of curriculum modules, and any responses you provide to prompts your coach has sent.
- Communications. Messages exchanged with your coach inside Sydekyck, including video session recordings if your coach has enabled recording (recording requires you to consent).
If you are a client managed by a coach, that coach is the data controller for information about you; Sydekyck is the processor. Address rights requests to your coach first; they can route them to us.
How we use it
To run the product, charge you, support you, and (with your consent) improve Sydekyck. We never use your data to train AI models that benefit other customers.
- Provide the Service. Authenticate you, render your roster, send session reminders, generate invoices, build outcome reports.
- Bill you. Process subscription charges via Stripe; manage refunds and dunning.
- Support you. Respond when you write in; debug specific issues with your account; restore data on request.
- Improve the product. Aggregate, anonymized usage data informs roadmap decisions. Individual coach data is never used for product improvement without explicit opt-in.
- Keep things safe. Detect abuse, fraud, brute-force attempts, and unauthorized access.
- Comply with the law. Honor lawful requests, respond to subpoenas, and meet tax/accounting obligations.
Who we share with
A short list of vendors that help us run the product. No advertising, no data brokers, no sale.
We share information with a limited set of service providers under contract, who are bound to use it only on our instructions and only to provide the service we've engaged them for:
- Stripe — payments, billing, 1099 generation.
- Amazon Web Services (US-East) — primary hosting and database.
- Postmark — transactional email (receipts, password resets, session reminders).
- Daily.co — video session infrastructure.
- Cloudflare — DDoS protection, edge caching, DNS.
- Sentry — error tracking (we scrub PII before transmission).
We never sell your information. We never share it with advertising networks or data brokers. We will disclose information when legally compelled by a court order or government request that we cannot reasonably contest — and we'll let you know unless we are gagged from doing so.
How long we keep it
While your account is active, plus a short tail to handle refunds and legal needs. You can hit delete at any time.
- Active accounts. All data is retained as long as the account is active.
- Cancelled accounts. Account and practice content are kept for 30 days, then permanently deleted from production and from backups within an additional 60 days.
- Financial records. Invoice and tax records are retained for 7 years, as required by U.S. tax law.
- Backups. Encrypted, retained for 30 days on a rolling window.
- Server logs. 90 days, then anonymized or deleted.
Your rights
You can see what we have, get a copy, fix it, or delete it. Email us and we'll handle it within 30 days.
Wherever you live, you have the right to:
- Access a copy of the personal data we hold about you.
- Correct any inaccurate or incomplete information.
- Delete your data, subject to the retention requirements above.
- Port your data to another service in a machine-readable format (JSON or CSV).
- Withdraw consent at any time for anything that requires it.
- Object to processing on certain legal grounds.
To exercise any of these, email privacy@sydekyck.com. We'll verify your identity and respond within 30 days. There's no charge for a reasonable request. If you're in the EU/UK, you also have the right to lodge a complaint with your local data protection authority.
Cookies & tracking
A small handful of first-party cookies to keep you logged in and to count page views in aggregate. No third-party advertising tracking.
- Essential cookies. Session, CSRF token, theme preference. Required.
- Analytics cookies. Plausible Analytics — privacy-friendly, no IP storage, no cross-site tracking. You can opt out via the toggle in your account settings.
We do not use Facebook pixels, Google Analytics, retargeting cookies, or any cross-site identifier.
Security
TLS in transit, AES-256 at rest, SOC 2 in progress. We treat your client notes as if they were therapist notes — because for many coaches, they basically are.
- All data encrypted at rest (AES-256) and in transit (TLS 1.3).
- Database access restricted to a small group of engineers, audited monthly.
- Mandatory 2FA for all Sydekyck employees with production access.
- SOC 2 Type II audit scheduled for Q4 2026 (Drata in-flight).
- Quarterly penetration testing by an external firm.
- Bug bounty program — disclosure to security@sydekyck.com within 90 days.
No security regime is perfect. If you find something, please tell us; we'll respond within 48 hours and credit you (if you'd like) in our acknowledgments.
Children
Sydekyck isn't for kids. We don't knowingly collect data from anyone under 16.
The Service is intended for adult business coaches and their adult clients. We do not knowingly collect personal information from anyone under 16. If you believe we have, please contact us and we will delete the data.
International transfers
Data lives in the U.S. by default. EU and UK customers can request EU hosting on the Mastermind plan.
Sydekyck's primary infrastructure is in the United States (AWS us-east-1). For customers in the EU, UK, or other jurisdictions with cross-border transfer rules, we rely on Standard Contractual Clauses and (for the UK) the UK Addendum to ensure lawful transfer. Mastermind customers may request EU-hosted infrastructure (Frankfurt) — please contact hello@sydekyck.com.
Changes to this policy
We may update this policy from time to time. Material changes are announced at least 30 days in advance via email to every active account and a banner on this page. Non-material updates (typos, link fixes) are made silently and noted in the version log.
Contact us
If you have questions, concerns, or just want to talk through any of this, write to privacy@sydekyck.com. We read every message.
Sydekyck Inc.
2120 SE Hawthorne Blvd, Suite 4
Portland, OR 97214 · USA
DPO: Anita Coelho · dpo@sydekyck.com