Health Coach Privacy Policy Template: Keep Client Data Safe
A 2,000+ word privacy policy template for health coaches covering client intake data, HIPAA/ GDPR considerations, marketing, and consent.
Health coaches collect sensitive information: goals, habits, health history, and payment details. A thorough privacy policy shows clients you respect their data, meets GDPR/UK GDPR and CPRA expectations, and prepares you for platform reviews. This guide delivers a full template, consent tips, and compliance checklists tailored to coaching practices.
Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator on your booking pages, portals, and emails to present a consistent legal stack.
What to include in a health coach privacy policy
Data collected
Client intake details (name, contact info, goals, lifestyle notes), session notes, nutrition preferences, scheduling data, payments, website analytics, and marketing preferences.
Purposes and legal bases
Service delivery, scheduling, payment processing, coaching follow-ups, analytics, marketing (with consent), and security. Map GDPR bases: contract for sessions, consent for marketing and sensitive data, legitimate interests for security.
Sharing and vendors
Payment processors, scheduling tools, video platforms, email/SMS providers, analytics, website hosts, and contractors. Link to partner policies and note regions.
Sensitive data handling
If you collect health-related data, be clear about purpose, minimization, retention, and who can access it. Avoid sharing with marketers without explicit consent.
Cookies and tracking
If your site uses analytics or ads, disclose cookies, provide consent for EU/UK, and Do Not Sell/Share for CPRA where applicable.
Rights and controls
Describe access, deletion, correction, objection, and withdrawal of consent. Provide an email/contact and response timeframe.
Data and purpose table
| Data type | Purpose | Legal basis | Retention | Controls |
|---|---|---|---|---|
| Intake info (name, goals) | Plan sessions and track progress | Contract/consent | Program duration + defined period | Delete on request after program |
| Session notes | Continuity of care | Legitimate interests/consent | Program duration + X months | Export or delete on request |
| Payments | Billing and receipts | Contract/legal obligation | Tax period | Contact processor for card removal |
| Marketing preferences | Send tips and offers | Consent | Until opt-out | Unsubscribe link |
| Analytics cookies | Improve site and funnels | Consent in EU/UK | 13 months | Cookie banner choices |
Step-by-step drafting process
1) Map your data flows
List intake forms, scheduling tools, payment providers, video platforms, CRM, and analytics. Note what data each handles and where it is stored.
2) Draft concise clauses
Cover collection, purposes, legal bases, sharing, sensitive data, cookies, retention, rights, security, and contact. Avoid jargon.
3) Implement consent
Use explicit consent checkboxes for intake forms that gather health details. For marketing, use separate opt-in and easy unsubscribe. Add cookie consent for EU/UK visitors.
4) Set retention rules
Define how long you keep intake forms, session notes, and backups. Use short retention for sensitive notes when possible.
5) Publish and link
Add policy links to booking pages, portals, emails, and invoices. Link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now6) Prepare request handling
Create a simple process for access and deletion. Set a 30-day SLA and document verification steps.
Common mistakes to avoid
Collecting too much
Only collect what you need for coaching. Avoid unnecessary medical history unless essential and consented.
No separation of marketing
Do not bundle marketing consent with service agreements. Use separate checkboxes and clear language.
Unlisted vendors
Disclose scheduling, video, and payment tools. Keep a live list and update it when vendors change.
Weak retention
Holding notes indefinitely increases risk. Set timelines and purge schedules for old clients.
Ignoring regional rules
Honor GDPR rights for EU/UK clients and CPRA opt-outs for California visitors if you use advertising identifiers.
Enforcement examples and references
- Sephora (2022): $1.2M CPRA settlement for tracker disclosures and opt-out failures (California AG).
- Meta (2023): about €1.2B GDPR fine for transfer issues (Reuters) highlights transparency and safeguards.
- FTC guidance emphasizes truthful health claims and data transparency (FTC).
Implementation checklist
- Publish a privacy policy with clear categories, purposes, and legal bases.
- Add explicit consent for sensitive intake data and separate marketing opt-in.
- Provide cookie consent for EU/UK; add Do Not Sell/Share if using advertising identifiers.
- List all vendors and link to their policies; keep regions and retention noted.
- Offer access, correction, deletion, and objection with a documented SLA.
- Keep a changelog and review quarterly.
30/60/90 plan
- 30 days: Inventory tools, draft policy, add consent checkboxes, and link policies on booking and intake pages.
- 60 days: Publish vendor list, set retention schedules, and test access/deletion flows.
- 90 days: Re-audit data collection, refresh policy language, and update cookie/consent settings.
Metrics and QA
- Opt-in rates for marketing and intake consent.
- Request handling time for access/deletion.
- Accuracy of vendor list vs. actual tools.
- Cookie banner opt-in rates by region.
- Changelog updates and link uptime.
Sample clauses to adapt
Collection and use
“We collect your name, contact details, goals, and session notes to deliver coaching services. We collect payment information through our processor and do not store full card numbers. Analytics cookies help us improve the site after consent.”
Sharing
“We share data with scheduling, payment, email, hosting, and analytics providers as needed to deliver services. A current list is available at [link]. We do not sell personal data.”
Sensitive data
“If you share health information, we use it only to personalize coaching. We minimize and retain it only as long as necessary for your program.”
Rights
“You may request access, correction, or deletion. Contact us at [email]; we respond within 30 days.”
Resources
Testing and QA checklist
- Test intake forms to confirm consent checkboxes appear for sensitive data and marketing.
- Verify cookie banner behavior for EU/UK visitors and that analytics do not fire before consent.
- Check that policy links are present on booking pages, portals, and email footers.
- Run a mock access or deletion request and confirm retention and backups follow the timeline.
- Ensure contractor access is limited and logged for session notes and client files.
Audit workbook
- List of tools (scheduling, payments, video, CRM, email, analytics) with data categories and regions.
- Consent records for intake and marketing with timestamps.
- Retention schedules for intake forms, session notes, and backups.
- Subprocessor/vendor list with links and safeguards.
- Policy version history and dates of client notifications.
- SLA tracking for rights requests.
Case example
- Situation: A coach collected detailed health history via an online form without separate consent or retention rules.
- Impact: Clients questioned data use, and some abandoned onboarding.
- Fix: Simplified intake to essentials, added explicit consent for sensitive questions, set 12-month retention after program end, and updated the privacy policy and portal links. Completion rates improved.
Key takeaways
- Collect only what you need, and separate consent for sensitive data and marketing.
- Keep vendor and retention details accurate and visible to clients.
- Honor regional rules for cookies and opt-outs, and practice deletion workflows regularly.
- Maintain changelogs and SLAs to prove your privacy program is active, not static.
Team roles and responsibilities
- Coach/Operator: Limit intake questions to essentials, manage client communications, and trigger deletion when programs end.
- Legal/Privacy: Maintain the privacy and cookie policies, vendor list, and consent language for sensitive data.
- Engineering/Website: Keep forms, banners, and links working; ensure analytics and pixels respect consent.
- Support/Admin: Handle access and deletion requests, verify identity, and log SLA performance.
Operational playbook
- Intake update: When adding new questions, review necessity, update the policy, and adjust consent text.
- Vendor change: Update the vendor list and policy, and notify clients if the change is material.
- Consent review: Check that marketing and sensitive data checkboxes remain separate and required as appropriate.
- Rights handling: Use a simple ticketing flow to track requests and deadlines.
- Security hygiene: Rotate access to notes and CRMs, and review sharing settings quarterly.
Metrics to monitor
| Metric | Target/owner | Cadence |
|---|---|---|
| Intake completion rate post-consent changes | Coach/Marketing | Monthly |
| Access/deletion SLA compliance | Support | Monthly |
| Policy link uptime on booking/intake pages | Website/QA | Quarterly |
| Vendor list accuracy vs. actual tools | Privacy | Quarterly |
| Cookie banner opt-in rate (EU/UK) | Website/Privacy | Monthly |
Change management checklist
- Update privacy and cookie policies when adding new questions, tools, or pixels.
- Re-test banners and forms after site edits or new landing pages.
- Keep archived policy versions with dates and change summaries.
- Notify clients of material changes, especially if vendors or data uses change.
Sample policy outline
- Scope and audience (clients, leads, site visitors).
- Data collected (intake details, session notes, payments, analytics).
- Purposes and legal bases.
- Sharing and vendors with links.
- Sensitive data handling and consent.
- Cookies and consent, including CPRA opt-outs if ad identifiers are used.
- Security and retention timelines.
- Rights and request process with contact.
- Changes and version history.
Glossary
- Sensitive data: Health-related information that should only be collected with clear purpose and consent.
- Suppression list: Emails retained only to honor unsubscribe requests.
- Non-essential cookies: Analytics or advertising cookies needing consent in EU/UK.
- GPC: Global Privacy Control signal indicating an opt-out preference for certain tracking; honor it when applicable.
Quarterly review checklist
- Reconfirm that intake questions remain minimal and necessary.
- Review vendor list and access controls for session notes and files.
- Test cookie banner and consent checkboxes on booking and intake pages.
- Verify deletion/export workflows and SLA logs for rights requests.
- Update the changelog and note any client notifications.
Quick recap
- Collect only essential data, with separate consent for sensitive info and marketing.
- Disclose vendors, retention, and rights clearly, and keep consent tools working.
- Maintain changelogs and SLAs to show ongoing privacy governance.
- Re-check consent and cookie behavior whenever you launch a new program or landing page.
Conclusion
A health coach privacy policy should be clear, consent-driven, and transparent about vendors and retention. By collecting only what you need, separating marketing consent, and honoring regional rights, you protect clients and your business. Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator to keep every touchpoint aligned.