FarontoBeta
â–¾

Privacy Policy

How Tairi B.V. handles personal data when you use Faronto.

Effective: May 21, 2026 · Last updated: May 24, 2026

This Privacy Policy describes how Tairi B.V. ("Faronto", "we", "us") processes personal data in connection with the Faronto coaching platform: our marketing websites (faronto.com and our country-specific domains) and the application at app.faronto.com.

Faronto is a business-to-business service for professional coaches. There are two roles you may have when interacting with our platform, and our responsibilities differ in each case:

Coaches: when you are a coach who has signed up for an account with us, Faronto is the data controller for the personal data we collect about you (the data described in Section 4.1).

Coachees (clients of coaches): when a coach uses Faronto to manage their work with you, the coach is the data controller for your personal data and we act as a data processor on the coach's behalf, under the Data Processing Agreement. If you are a coachee with questions about how a specific coach processes your data, contact your coach directly. The information about cookies, security and our sub-processors in this policy still applies to you.

We have written this policy to comply with Regulation (EU) 2016/679 (the GDPR) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).

1. Who we are

The controller of personal data described in this policy (in our role as controller) is:

  • Tairi B.V.
  • Keizersgracht 520h, 1017 EK Amsterdam, the Netherlands
  • Trade register (KvK): 86626264
  • VAT (BTW): NL864027692B01
  • Privacy contact: privacy@faronto.com

1.1 Data Protection Officer

We have not appointed a designated Data Protection Officer because our processing activities do not require one under Article 37 GDPR. All privacy questions are handled by the privacy contact above.

1.2 UK data subjects

For UK-based data subjects, the equivalent rights and obligations apply under the UK GDPR and the UK Data Protection Act 2018. References to the GDPR in this policy should be read as including the UK GDPR where the data subject is located in the United Kingdom. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk); see also Section 11.2.

2. Scope of this policy

This policy covers personal data we process when you:

  • Visit our marketing websites (faronto.com and our country-specific domains)
  • Sign up for, log in to, or use the Faronto application at app.faronto.com
  • Communicate with us by email or other channels
  • Are added as a client (coachee) by a Faronto coach

3. Our approach

We process personal data lawfully, fairly and transparently. We collect only what we need for clearly defined purposes, retain it no longer than necessary, and protect it with appropriate technical and organisational measures.

Where we rely on consent, you can withdraw it at any time; where we rely on legitimate interests, you have the right to object. See Section 11 for details.

4. The personal data we process

We process the following categories of personal data, depending on whether you are a coach (our customer) or a coachee (a client of one of our coaches).

4.1 Data about coaches

When you sign up as a coach, we collect and process:

  • Account data: email address, full name, profile image, locale preference, account status flags. Faronto uses passwordless authentication; we do not store passwords.
  • Business profile: business name, biography, specialties, time zone, booking-page slug, accent colour, availability schedule, invoice footer, default currency.
  • Authentication data: session tokens, magic-link tokens, OAuth identifiers (where you sign in with Google or Microsoft).
  • Billing identifiers: Paddle customer ID, plan tier, subscription status. Card numbers are processed by Paddle directly and never reach our servers.
  • Connected-account identifiers: Stripe Connect account ID (for invoicing your clients), Google or Microsoft calendar OAuth tokens (encrypted at rest), Zoom OAuth tokens.
  • AI preferences: coaching methodology, session-summary style, how many hours before a session a prep briefing is generated, and whether session summaries are automatically prompted.
  • Usage and technical data: IP address, browser/device information, log data, page views, performance metrics, product analytics events, session replay metadata and masked interaction data. See Section 7.
  • Referral and marketing data: referral code, referral attribution, marketing source domain, locale, UTM parameters, referring page, handoff identifier, nurture-email unsubscribe status, and (where you opt in to product updates) a marketing-consent record: the timestamp, the form or setting through which you gave consent, and the version of the consent text shown to you.
  • Support correspondence: emails and other communications you send to us.

4.2 Data about coachees (clients of coaches)

When a coach uses Faronto to manage their work with clients, the coach uploads or generates personal data about those clients. We process this data on the coach's instructions as a processor, under the Data Processing Agreement.

The data we may store on the coach's behalf includes:

  • Identity and contact: name, email address, phone number (optional), business title (optional).
  • Coaching content: coach notes about the client, private coach-only notes, session transcripts, AI-generated session summaries and prep briefings, client pre-session input, action items, goals, progress notes, files and articles shared in the client library.
  • Session data: scheduled sessions, meeting links, video meeting IDs, calendar event IDs, time zones, outcome ratings, feedback comments.
  • Communications: coaching nudges and reminders sent on behalf of the coach.
  • Client portal access: when a coach enables portal access for a client, the client signs in through the same login screen as coaches; we store session and authentication data and last-visit timestamps.
  • Billing: for coaches who use Stripe Connect to invoice their clients, we store invoice totals, status, due dates and Stripe invoice IDs. The actual invoice is created on the coach's connected Stripe account.

4.2.1 Special category data (Article 9 GDPR)

Coaching session notes, summaries, goals, action items and similar content can include information about a client's mental or physical health, wellbeing or other special category data. Where this is the case, the coach is responsible for obtaining a valid lawful basis under Article 9(2) GDPR - typically explicit consent from the client.

Faronto processes this content only on the coach's instructions and applies enhanced security measures as set out in Section 12.

4.3 Data about website visitors

When you visit our marketing website without signing up, we collect limited technical data: your IP address, user-agent, request paths and timing data, aggregated performance metrics via Vercel Analytics and Vercel Speed Insights, and product analytics data through PostHog EU when analytics is enabled. If you move from a marketing site to app.faronto.com, we may pass a limited attribution envelope so signup, login and referral flows can be measured correctly. See Section 7 for cookie and similar-technology details.

5. Why we process your data and on what legal basis

We process personal data for the purposes and on the legal bases set out below. The applicable Article 6 GDPR basis is shown in brackets.

PurposeCategories of dataLegal basis
Providing the Faronto service to coaches: account creation, authentication, booking tool, AI features, client management, invoicing, nudges.Account, business profile, authentication, AI preferences, connected-account identifiers, usage data.Performance of a contract: Art. 6(1)(b)
Processing payments and managing subscriptions through Paddle (the merchant of record for Faronto plan fees).Email, name, billing identifiers.Performance of a contract: Art. 6(1)(b)
Keeping invoice and accounting records for the statutory retention period.Billing data, invoices issued by us.Legal obligation: Art. 6(1)(c) (Art. 52 General Tax Act)
Securing the platform: detecting and preventing fraud, abuse, unauthorised access, and operational issues.Authentication data, IP address, log data, audit trails.Legitimate interests: Art. 6(1)(f) (security of the service)
Sending service emails (account confirmations, sign-in links, plan changes, billing receipts, invoice reminders, system notices).Account data, billing data.Performance of a contract: Art. 6(1)(b)
Sending product updates and coaching tips to coaches who have opted in (with one-click unsubscribe).Email, name, locale, marketing-consent record, nurture-email unsubscribe status.Consent: Art. 6(1)(a)
Operating AI features (session prep briefings, session summaries, nudge drafts) on coachees, where the coach has enabled AI features.Coachee profile, coach notes, goals, action items, session transcripts, prior session summaries.Coach is controller and obtains consent under Art. 9(2)(a) where required; we process as processor under the DPA
Improving the product through analytics, activation measurement and session replay so we can understand how Faronto is used and make it better.Page views, product events, performance metrics, device and browser info, IP-derived country, account identifiers, masked interaction data and replay metadata. We do not intentionally record coaching notes, goals, AI prompts or outputs, payment details, authentication secrets or private free-text content in replay.Consent where required for non-essential analytics/replay; otherwise legitimate interests: Art. 6(1)(f) (product improvement)
Attributing signups, logins and referrals across marketing domains and app.faronto.com.Referral code, marketing source domain, locale, UTM parameters, referring page, handoff identifier and, where available, an anonymous analytics identifier. Existing-coach logins may record referral-code presence for analytics, but do not create a new referral reward by default.Legitimate interests: Art. 6(1)(f) (measuring acquisition and preventing referral abuse)
Meeting legal requests, complying with court orders and resolving disputes.Whatever is reasonably required.Legal obligation: Art. 6(1)(c); legitimate interests: Art. 6(1)(f)

6. AI features

Faronto includes AI features that help coaches prepare for sessions, turn session transcripts into structured summaries, and draft personalised between-session nudges to send to their clients. These features are powered by OpenAI. We have a Data Processing Agreement with OpenAI and OpenAI does not train its models on data sent through its API.

AI features only run when:

  • The coach has enabled AI features for their Faronto account.
  • The coach manually triggers a generation, the system runs a scheduled prep briefing for an upcoming session, or the system drafts a nudge for the coach to review.

6.1 What is sent to OpenAI

We send only the minimum context required to produce the requested output:

  • Prep briefing: client first name and bio, the coach's notes about the client, active goals and recent goal-progress notes, open action items, summaries of the most recent past sessions, and the coach's custom instructions (if any).
  • Session summary: the session transcript text the coach has added to the session, the client's active goals, and the coach's coaching-methodology preference.
  • Nudge draft: client first name, active goals and recent progress, open action items, summaries of recent sessions, the coach's chosen tone and custom instructions (if any).

6.2 What is not sent to OpenAI

Important clarification: the free-text fields the coach edits (the client's bio and goals, individual action-item descriptions, session prep notes, session summary notes, and uploaded session transcripts) are sent to OpenAI as written when the corresponding feature is used. We do not parse or scrub those fields before sending. If a coach types a phone number, an email address, or a billing amount inside one of those free-text fields, that information will be included in the request to OpenAI even though we would not have sent the equivalent structured field. Coaches should treat AI features as if everything they type into a client record could be read by OpenAI.

  • Email addresses, phone numbers, billing data and invoices as structured fields.
  • Audio or video recordings; we do not record sessions.
  • Files, images or attachments stored in the client library.

6.3 No automated decision-making

AI output is shown to the coach as suggestions to review. Faronto does not make decisions that produce legal or similarly significant effects on coachees solely through automated processing. Article 22 GDPR is therefore not triggered.

7. Cookies and similar technologies

We use a limited set of cookies and similar technologies. Strictly necessary cookies do not require consent. Product analytics, session replay and similar non-essential technologies are used only where we have the required consent or another lawyer-reviewed lawful basis. We do not use marketing or advertising cookies.

NamePurposeTypeLifetime
authjs.session-tokenAuthenticates a signed-in user (coach or coachee).Strictly necessarySession / up to 30 days
NEXT_LOCALERemembers your interface language.Strictly necessary (preference)1 year
faronto_consentRemembers whether you accepted or refused non-essential cookies, so we do not ask again.Strictly necessary (preference)12 months
faronto_refRemembers a referral code so the right coach gets credit if you sign up.Strictly necessary (functional)7 days
faronto_handoff / attribution handoff storageCarries a limited attribution envelope from a marketing domain to app.faronto.com for signup, login and referral attribution.Functional / attributionShort-lived, normally 24 hours or less
authjs.csrf-tokenProtects sign-in and other authentication requests against cross-site request forgery.Strictly necessarySession
authjs.callback-urlRemembers where to return you after a successful sign-in.Strictly necessarySession
oauth_intent, legal_accepted_intent, marketing_consent_intent, pending_coach_signupShort-lived signup-flow cookies that carry your signup intent, your acceptance of the legal documents and your marketing-consent choice through the OAuth sign-in round-trip (Google or Microsoft) so they are not lost. pending_coach_signup holds a signed token with the in-progress signup details.Strictly necessary (functional)Up to 10 minutes
PostHog EU analytics and session replay storageHelps us understand how coaches use Faronto so we can improve the product. Session replay is configured to mask sensitive fields and exclude coaching content, goals, notes, AI prompts/outputs, payment details and authentication secrets.Analytics / session replaySession-scoped to the configured PostHog retention period
Vercel Analytics / Speed InsightsAggregated, anonymised performance and usage analytics. No advertising profiles are built.AnalyticsSession-scoped

7.1 How to control cookies

When you first visit our marketing site or sign in to the application, you are shown a cookie banner that lets you accept or refuse non-essential cookies and trackers (including PostHog product analytics, session replay, and Vercel Speed Insights). Strictly necessary cookies (authentication, session, locale, referral attribution) load without consent because the service cannot work without them. You can change your choices at any time using the "Manage Preferences" link in the footer of our websites and the application. You can also clear cookies in your browser at any time; disabling strictly necessary cookies will prevent you from logging in. If your browser sends a Global Privacy Control or Do-Not-Track signal, we treat it as a refusal of non-essential cookies and trackers.

8. Sub-processors and other recipients

We rely on a small number of carefully selected service providers to operate Faronto. Each provider is bound by a written agreement that meets the requirements of Article 28 GDPR, and may process personal data only on our documented instructions.

ProviderPurposeLocationTransfer mechanism
Vercel Inc.Application hosting and edge delivery.EU region (with edge cache)EU SCCs / EU-US Data Privacy Framework
Neon Inc.Managed PostgreSQL database (primary data store).Frankfurt, EUEU SCCs
Cloudflare, Inc. (R2)Object storage for avatars, library files and attachments.EU jurisdictionEU SCCs
Resend (Resend.com Inc.)Sending transactional and product emails.United StatesEU SCCs / EU-US Data Privacy Framework
OpenAI Ireland Ltd / OpenAI L.L.C.AI prep briefings, session summaries and nudge drafts.United StatesEU SCCs; OpenAI does not train on API data
Stripe Payments Europe Ltd / Stripe, Inc.Stripe Connect: coaches use this to invoice their own clients. Faronto only stores connected-account identifiers and invoice metadata.Ireland / United StatesEU SCCs / EU-US Data Privacy Framework
PostHog EUProduct analytics, activation measurement, session replay and attribution analysis.European Union (Frankfurt instance)EU processing under PostHog data processing terms
Upstash, Inc.Background job queue (QStash) and rate-limiting store (Redis). QStash carries session, client and export identifiers in transit; Redis stores IP addresses and hashed-email request counters used to limit abuse.European Union (AWS eu-central-1, Frankfurt)EU SCCs / EU-US Data Privacy Framework
Functional Software, Inc. (Sentry)Application error and performance monitoring. Receives error stack traces, request metadata and diagnostic context when a request fails. Configured with personal-data capture disabled - coaching content, request bodies and user identifiers are not attached to error reports.United StatesEU SCCs / EU-US Data Privacy Framework
Paddle.com Market LtdMerchant of record for Faronto plan subscriptions: payment processing, tax handling, invoicing.United Kingdom (adequacy decision)UK adequacy
Google LLC (Google Sign-In, Google Calendar)Sign-in for coaches and coachees who choose Google; calendar synchronisation when a coach connects a Google calendar.United StatesEU SCCs / EU-US Data Privacy Framework
Microsoft Corporation (Microsoft Entra ID, Microsoft Graph)Sign-in for coaches and coachees who choose Microsoft (work, school or personal accounts); calendar synchronisation when a coach connects a Microsoft 365 calendar.United States / EUEU SCCs / EU-US Data Privacy Framework
Zoom Communications, Inc.Optional video meeting integration when a coach connects a Zoom account.United StatesEU SCCs / EU-US Data Privacy Framework

8.1 Changes to sub-processors

We may add or replace sub-processors over time. The list above is the authoritative current list. Coaches will be notified of material changes by email at least 30 days in advance, with a right to object on reasonable grounds, as set out in the Data Processing Agreement.

8.2 Other recipients

We may also share personal data with our professional advisors (lawyers, accountants), and with public authorities where required by law. We do not sell personal data and we do not share it for advertising purposes.

9. International data transfers

Most personal data we process is stored in the European Union. Some of our sub-processors are based in the United States or process data outside the EU. Where this is the case, we rely on:

  • The European Commission's Standard Contractual Clauses (Module 2 or 3, as applicable);
  • The EU-US Data Privacy Framework, where the recipient is certified;
  • Adequacy decisions where one applies (currently the United Kingdom).

9.1 Non-EEA Controllers

For Controllers established outside the EEA, additional or alternative transfer mechanisms apply: the UK Addendum to the EU SCCs for UK Controllers; the FDPIC-amended SCCs for Swiss Controllers; service-provider obligations under applicable US state privacy laws (CCPA / CPRA, VCDPA, CPA, CTDPA, UCPA and successor or equivalent laws) for US Controllers; and other jurisdiction-specific mechanisms agreed in good faith, as set out in §§11.3–11.6 of the Data Processing Agreement.

10. How long we keep your data

We retain personal data only as long as necessary for the purposes for which we collected it.

Data categoryRetention period
Coach account dataFor the lifetime of your account, plus 30 days after deletion (soft-delete buffer), then permanent erasure - except data we must keep for legal reasons.
Coachee data (processed on coach's behalf)Controlled by the coach. We delete it when the coach deletes the client, or 30 days after the coach's account is deleted.
Invoices and accounting recordsSeven (7) years from the end of the relevant tax year, in line with Article 52 of the Dutch General Tax Act (AWR).
Authentication tokensMagic link: 15 minutes, single-use. Sessions: 30-day rolling JWT, revocable at any time.
Application logsUp to 90 days, then deleted by our hosting provider.
BackupsRolling 30-day window.
Nurture email recordsWe keep a log of the nurture emails sent to your account, and a record of your unsubscribe choice, for as long as your account exists.
Email bounce/complaint suppression listWhen an email to an address hard-bounces or is reported as spam, we record that address on a suppression list so our marketing and nurture emails stop being sent to it. The entry is minimal, the email address and the reason (bounce or complaint), and is not linked to any account. Because its purpose is to prevent further sending, it is retained independently of, and may outlive, any related account, for as long as needed to protect deliverability. To ask us to review or remove an entry, contact privacy@faronto.com.
Application error reportsError stack traces and diagnostic context sent to our error-monitoring sub-processor are retained for that tool's configured window (up to 90 days), then deleted.
Cookies and similar technologiesAs listed in Section 7, subject to the applicable tool configuration and consent/preference settings.
Product analytics and session replayRetained according to the configured PostHog EU retention period, then deleted or aggregated. Sensitive coaching content is not intentionally captured in replay.
Goal revision historyRetained for the life of the client record; deleted on client deletion or account closure.
Attribution and referral handoff recordsShort-lived pending handoff records are normally retained for 24 hours or less. Bound signup/referral attribution is retained with the account or referral record while needed for analytics, fraud prevention and referral administration.

11. Your rights

Under the GDPR you have the following rights in relation to your personal data:

  • Access (Art. 15) - obtain confirmation of processing and a copy of your data.
  • Rectification (Art. 16) - have inaccurate data corrected.
  • Erasure (Art. 17) - have your data deleted, subject to limits (e.g., we cannot delete invoices we are required by law to keep).
  • Restriction (Art. 18) - have processing restricted in specified circumstances.
  • Portability (Art. 20) - receive your data in a structured, commonly used, machine-readable format.
  • Objection (Art. 21) - object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent (Art. 7) - at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Not be subject to automated decision-making (Art. 22) - see Section 6.3.

11.1 How to exercise your rights

If you are a coach, you can exercise most of these rights from inside your account, or by contacting privacy@faronto.com. We respond within one month and may extend by two further months for complex requests, with notice.

If you are a coachee, the coach is the controller for your data. Please address your request to your coach directly. If you are unable to reach your coach, contact us and we will help relay the request.

11.2 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. The Dutch authority is the Autoriteit Persoonsgegevens (AP), autoriteitpersoonsgegevens.nl. You may also contact the supervisory authority of the EU member state where you live or work. For UK-based data subjects, the competent authority is the Information Commissioner's Office (ico.org.uk).

12. Security

We apply appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:

  • Encryption of data in transit (TLS 1.2+);
  • Encryption at rest for the database, file storage, and high-sensitivity fields such as third-party OAuth tokens (AES-256-GCM);
  • Passwordless authentication via magic links and Google or Microsoft OAuth; no passwords are stored. Magic-link tokens are short-lived (15 minutes) and one-time use;
  • Role-based access control and the principle of least privilege for our personnel;
  • Audit logging of administrative actions;
  • Regular dependency updates and security reviews;
  • Confidentiality obligations for all personnel with access to production data;
  • An incident response process for personal data breaches, including notification to the supervisory authority within 72 hours where required by Article 33 GDPR.

12.1 Breach notification: who notifies whom

The 72-hour figure above refers to the controller's onward notification obligation to the supervisory authority under Article 33 GDPR. Where Faronto acts as a processor on a coach's behalf (for example, in relation to coachee data), we notify the controlling coach of a personal data breach within the period set out in Section 9 of the Data Processing Agreement so the coach can in turn discharge their own Article 33 obligation in time.

13. Children

Faronto is a business-to-business service for professional coaches. It is not directed to children under 16, and we do not knowingly collect personal data from children. If a coach or coachee under 16 has been onboarded by mistake, please contact us so we can delete the data.

14. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the latest version. If we make material changes, we will notify coaches by email at least 30 days before the change takes effect. Non-material clarifications and corrections take effect on the date the updated policy is published. Continued use of the service after the effective date constitutes acceptance of the updated policy.

15. Contact

Questions, requests or complaints relating to this Privacy Policy or to your personal data:

  • Email: privacy@faronto.com
  • Postal: Tairi B.V., Keizersgracht 520h, 1017 EK Amsterdam, the Netherlands
↑ Back to top