Privacy policy
Effective date · [Publication date TBD]
Seshman is a session-tracking app for independent fitness providers. This page explains how Seshman handles personal data — what we hold, why we hold it, who we share it with, how long we keep it, and the rights you have over it. We've kept it as plain as we can; if anything is unclear, email privacy@seshman.com.
Who we are
Seshman is operated by Inca Labs Limited, a private limited company registered in England and Wales (company number 14731709, VAT GB438261686). Registered office: 167-169 Great Portland Street, Fifth Floor, London, W1W 5PF, United Kingdom.
For privacy-related questions, including subject access requests, contact privacy@seshman.com.
Roles: trainer, Seshman, client
Seshman is a tool trainers use to manage their clients. That creates a split between who decides what about which data, which is worth being clear about because it affects how rights work.
Trainer as data controller
When a trainer enters data about a client into Seshman — name, contact details, goals, injuries, sessions, packs, invoices, notes — the trainer is the data controller for that data under UK GDPR. They decide what to collect, why, and how it's used within their training relationship with the client. Seshman processes that data on the trainer's instructions, under the Data Processing Agreement embedded in our Terms of Service.
Seshman as data controller in its own right
Seshman is also a controller in its own right for things we decide independently of any individual trainer:
- Email delivery infrastructure — the sending domain, the from-address, bounce and complaint handling.
- Our persistent suppression list, so addresses that have bounced or marked us as spam never receive further mail.
- Audit logging, abuse detection, and infrastructure security.
- Anonymised retention of invoice records to support tax obligations.
This means a single piece of data may be processed by Seshman in two different capacities depending on what's happening with it. The rest of this policy makes the distinction clear where it matters.
Information we hold
Grouped by where the data comes from. Each category notes the purpose and the legal basis under UK GDPR (Article 6) we rely on. Special-category data (health information) is covered separately under Training-related personal information.
About your account
- Account details — your name, email, authentication credentials, business name (if you're a trainer). Used to provide the service. Legal basis: contract performance (Art 6(1)(b)).
- Username and rename history — your chosen public handle, plus a record of previous handles you've used, to keep handles unique across the platform. Legal basis: legitimate interest in handle-uniqueness enforcement (Art 6(1)(f)).
- Avatar, activity types you train, discoverability preference, timezone — captured during onboarding so the app fits your training practice. Legal basis: contract performance (Art 6(1)(b)).
- Email delivery state — whether emails to your address have bounced or been marked spam, when we last sent specific kinds of email, whether your welcome email has been sent. Legal basis: legitimate interest in deliverability and abuse handling (Art 6(1)(f)); legal obligation where required (Art 6(1)(c)).
About your clients (if you're a trainer)
- Names, optional phone, optional email — to identify the client and reach them where appropriate. Legal basis: contract performance for app clients (Art 6(1)(b)); legitimate interest for offline clients (Art 6(1)(f)).
- Goals — what the client wants to achieve, so trainer and client can track progress against them. Legal basis: consent (Art 6(1)(a)) — see Training-related personal information.
- Start date with the trainer. Legal basis: contract performance (Art 6(1)(b)).
- Per-client preferences (e.g. whether session summaries are emailed). Legal basis: contract performance (Art 6(1)(b)).
- Emergency contact name and phone — see Emergency contacts and minors.
About sessions, packs, and payments
- Session schedules, completion records, attendance, cancellations and their reasons. Legal basis: contract performance (Art 6(1)(b)).
- Private notes (visible only to the trainer) and shared notes (visible to both trainer and client). Legal basis: legitimate interest of the trainer in keeping training records, plus contract performance for the shared portion (Art 6(1)(b) / Art 6(1)(f)).
- Token packs, pricing, invoices, payment status, reminders sent. Legal basis: contract performance (Art 6(1)(b)); legal obligation for tax-record retention (Art 6(1)(c)).
About communication
- Coach messages — content of in-app messages between trainer and client, plus timestamps. Legal basis: contract performance (Art 6(1)(b)).
- Email send log — every transactional email Seshman has sent, including timestamp, recipient address, and which template was used. We do not track whether you open emails or click links in them (see Transactional email). Legal basis: legitimate interest in deliverability and abuse handling (Art 6(1)(f)).
- Push notification tokens — uniquely identify your device for push delivery. See Push notifications. Legal basis: contract performance (Art 6(1)(b)).
About your use of the service
- Device type, operating system, app version. Legal basis: legitimate interest in service operation and troubleshooting (Art 6(1)(f)).
- IP address and access logs — retained briefly in cloud-infrastructure logs for security and abuse handling. Legal basis: legitimate interest in security (Art 6(1)(f)).
- Activity events — an audit trail of significant actions you take in the app (sessions completed, packs issued, and so on), held so your trainer or you can see history. Legal basis: legitimate interest in providing the history surface, plus contract performance (Art 6(1)(b) / Art 6(1)(f)).
Training-related personal information
Seshman has a category of data we treat with extra care — information that might relate to your health, fitness, or physical condition. Specifically:
- Your goals (which may be health-related — for example, injury recovery or weight management)
- Injuries and health notes recorded by your trainer
- Session notes — both private (trainer-only) and shared — that may include health-related observations
Under UK GDPR Article 9, this is "special category" data and we may only process it with an additional legal basis on top of the usual Article 6 one. We rely on your explicit consent (Article 9(2)(a)).
For clients who use the Seshman app, we ask for that consent in-app the first time the relevant fields are used, and you can withdraw it from settings at any time. Withdrawing consent deletes the data held in those fields.
For offline clients (who don't use the app), the trainer confirms to Seshman that they have obtained explicit consent from the client to record this information. The trainer is responsible for ensuring that consent is real and that the client knows where the data is kept. See Offline clients for more on the split of responsibilities.
Offline clients
A trainer can add a client to Seshman who doesn't use the app themselves — an "offline client". Seshman holds data about that client (name, optional contact details, training records) entirely on the trainer's behalf.
Who tells the client we exist
Under UK GDPR Article 14, where we hold personal data about someone we didn't collect it from directly, that person is entitled to be informed. We split this responsibility:
- Where the offline client has an email address on file, Seshman includes a footer in every transactional email we send to them linking back to this policy. The welcome email we send on first contact explicitly explains that Seshman is now holding their training records.
- Where the offline client has no email address on file, the trainer takes responsibility for informing the client that Seshman is the platform their records live on. We require this of trainers under our Terms of Service and surface it as an attestation in the app when an offline client is added.
Rights of offline clients
Offline clients have the same UK GDPR rights as anyone else — access, correction, deletion, objection, portability. These can be exercised either through the trainer who added them or directly with Seshman by emailing privacy@seshman.com. We will route the request appropriately and respond within one month.
Emergency contacts and minors
Emergency contacts
Seshman can hold the name and phone number of an emergency contact for each client. That contact is a third party — they are not a Seshman user and they did not give us their data directly. Whoever entered the data (the client or their trainer) confirms to Seshman that they have permission from the emergency contact to share their details with us. If you are an emergency contact named in Seshman and would like your details removed, contact privacy@seshman.com.
Minors
Seshman is not intended for direct use by anyone under 13, and we do not knowingly create accounts for under-13s. Trainers can record clients who are under 13 in Seshman, but only where the trainer has obtained parental or guardian consent for that data to be recorded. We require this of trainers under our Terms of Service. If you are a parent or guardian and would like records of your child removed from Seshman, contact privacy@seshman.com.
Transactional email
Seshman sends transactional email to trainers and clients as part of running the service. We do not send marketing email of any kind.
Categories of email we send
- Invoices — when a trainer raises an invoice in the app, we email it to the client on the trainer's behalf, with the invoice attached as a PDF.
- Payment receipts — when a trainer marks an invoice as paid, we email a receipt to the client confirming what was paid and when.
- Payment reminders — when a trainer asks the app to nudge a client about an overdue invoice, we email the reminder to clients with an email address on file. Where the client also uses the app, a push notification goes out in addition.
- Session schedule confirmations — when a trainer schedules a session with a client, we email the client the details so it lands in their inbox.
- Session cancellations — when a scheduled session is cancelled by either side, we email the affected party.
- Session summaries — after a completed session, a trainer can optionally email the client a recap including notes, goals, and remaining sessions.
- Welcome messages — when a client first appears in Seshman (added by a trainer or signing up themselves), we send a welcome email that explains what Seshman is and how to use it.
- Security and account alerts — we may email you about meaningful events on your own account, such as a password reset or a sign-in from a new device.
Every transactional email carries a footer with a link back to this policy and to privacy@seshman.com so recipients can see who is sending the mail and why.
Why we can email clients added by their trainer
A trainer can add a client to their Seshman account list using the email address the client previously gave them as part of their existing service relationship. By adding the client, the trainer authorises Seshman to send transactional email — the categories listed above — to that address on their behalf. We rely on the established trainer-client relationship as the lawful basis for sending these messages. We do not use these addresses for any other purpose, and we never use them for marketing.
How to stop receiving email
You can stop receiving email from Seshman in any of the following ways:
- Reply to any email and ask to be removed. A real person reads replies.
- Ask the trainer who added you to clear or update your email address in their app.
- If you have your own Seshman account, deleting it from inside the app terminates all further contact.
Open and click tracking
We do not include open-tracking pixels in our transactional email, and we do not rewrite links to track clicks. Whether you open a Seshman email, and whether you click links inside it, is not recorded.
Bounces and complaints
Push notifications
If you use the Seshman app on iOS or Android, the app may send you push notifications about events on your account — a session being scheduled or completed, a pack being issued, an approval needed, and similar.
To deliver these notifications, the app registers a push token with the operating system's push service:
- On iOS, this is Apple Push Notification Service (APNs).
- On Android, this is Google Firebase Cloud Messaging (FCM).
- We use Expo Push (operated by 650 Industries, Inc.) as the intermediary that hands notifications off to APNs and FCM.
The push token uniquely identifies your device. The notification payload contains the minimum needed to give the notification context (event type, a short message, a deep link). Sensitive content is not included in the payload.
You can disable push notifications at the operating system level from your phone's settings. Disabling push does not stop you receiving transactional email or in-app notifications.
Analytics and search-engine tools
The Seshman marketing website uses Plausible Analytics, a privacy-respecting analytics product. Plausible does not use cookies, does not collect personal data, and does not track you across sites. Because of this, no cookie consent banner is required.
We also use Google Search Console to understand how Seshman appears in Google search results. Search Console shows us aggregate data Google already holds about searches on our site; it does not process personal data of visitors to the Seshman website.
The Seshman mobile app does not contain third-party analytics SDKs.
Sub-processors and international transfers
Seshman uses third-party processors to run parts of the service. Our current sub-processor list is published at seshman.com/sub-processors, with vendor name, purpose, location, and the transfer mechanism we rely on where the vendor is outside the UK.
Most of our infrastructure is hosted in the UK / EU (AWS eu-west-2, London). Some sub-processors are located in the United States — specifically Apple, Google, Expo Push (650 Industries, Inc.), and the App Store / Google Play distribution platforms. For these transfers we rely on:
- The UK Extension to the EU-U.S. Data Privacy Framework where the recipient is self-certified, and
- The UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum, as a fallback or in addition.
We notify trainers in advance of material additions to our sub-processor list, so they can object if they need to.
How long we keep your data
We hold data for as long as it's needed for the purpose we collected it for, then delete or anonymise it. The headline retention periods are:
| Category | While your account is active | After account deletion |
|---|---|---|
| Account, sessions, packs, notes, coach messages, audit log, push tokens, training-related data (goals, injuries) | Held while your account is active | Deleted within 30 days |
| Invoices and receipts | Held while your account is active | Retained 6 years in anonymised form (UK tax-record obligation); then hard-deleted |
| Email send log | Rolling 12 months | Deleted within 30 days or end of the 12-month window, whichever is sooner |
| IP and access logs | Rolling 90 days | Already aged out |
| Bounce / complaint suppression list | Persistent | Persistent — see Bounce and complaint suppression |
| Encrypted backups | Continuous | Aged out within 35 days |
Deleting accounts and removing clients
Closing your account
You can close your account at any time from inside the app. When you do:
- Your personal data is removed within 30 days, with the exceptions noted in the retention table above.
- Invoices and receipts you have raised are anonymised — your name and email are replaced with a placeholder, and the amounts, dates, and items are retained for the UK tax-record retention period of 6 years.
- Backup copies age out within 35 days.
Trainer removing a client
When a trainer removes a client from their roster:
- For app clients, the client's own Seshman account is not affected. The trainer-client relationship is closed and the trainer no longer sees that client's data; the client may still use Seshman with other trainers, or alone.
- For offline clients, the client's profile data (phone, email, goals, injuries, emergency contact) is deleted. Historical session and invoice records are kept in anonymised form so the trainer's training and tax records survive intact.
Bounce and complaint suppression
If an email to your address bounces (the address doesn't exist or has been retired) or you mark one of our emails as spam, we automatically and persistently suppress your address — no further mail will be sent to it.
The suppression list is kept indefinitely to honour the signal you gave us, and persists even if the trainer who originally added you closes their account. An address comes off suppression only when an affirmative correction is made — usually by the trainer updating to a corrected address, or by you (if you have a Seshman account) contacting us.
Your rights
Under UK GDPR you have the following rights over your personal data:
- Right of access — ask us for a copy of the data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your data ("right to be forgotten"), subject to the legal-obligation retention items above.
- Right to restrict processing — ask us to pause processing in specific circumstances.
- Right to data portability — ask for your data in a structured, machine-readable format.
- Right to object — object to processing we carry out under the "legitimate interest" basis. This applies in particular to transactional email sent on a trainer's behalf to an offline client, our use of audit logs for security, and our bounce / complaint suppression handling. We will stop unless we have compelling legitimate grounds that override your objection.
- Right to withdraw consent — where we rely on consent (specifically for training-related personal information), you can withdraw consent at any time. Withdrawal does not affect processing that already happened before withdrawal.
- Right to lodge a complaint — with the UK Information Commissioner's Office (ico.org.uk) if you believe we have mishandled your data.
How to exercise your rights
Email privacy@seshman.com. We will respond within one month, may ask for additional information to verify your identity, and will not charge a fee unless your request is manifestly unfounded or excessive. We are building in-app self-service tools for some rights (notably access and portability); until those are live, the email route is the way in.
If you are an offline client and want to exercise rights over data your trainer has entered into Seshman, you can ask either Seshman or your trainer. We will route the request as needed and respond together.
Children and under-18s
Seshman is not directed at children. We don't knowingly let anyone under 13 create their own Seshman account. Trainers can record younger clients in Seshman where they have obtained parental or guardian consent; the trainer is responsible for confirming and maintaining that consent. If you are a parent or guardian and would like data about your child removed from Seshman, contact privacy@seshman.com.
Security and breach notification
We use industry-standard security measures (encryption at rest and in transit, hardened cloud infrastructure, scoped access controls, audit logging) to protect personal data. No system is perfectly secure, however, so we also commit to:
- Notifying the UK Information Commissioner's Office within 72 hours of becoming aware of a personal data breach that poses a risk to your rights.
- Notifying you and other affected users without undue delay where the risk to your rights is high.
Automated decision-making
We do not make decisions about you using only automated processing.
Marketing
Seshman does not send marketing email. If that ever changes, we will update this policy in advance and any marketing email will be opt-in, with a one-click unsubscribe.
Cookies
The Seshman website does not set non-essential cookies. Plausible Analytics, our website analytics product, is cookieless by design. The Seshman app uses local storage on your device for authentication state and similar essential session data; this is not cookie-based and is not shared with third parties.
Changes to this policy
We keep this policy current as Seshman evolves. Material changes — new processing purposes, new categories of data, new sub-processors, changes to retention, or changes to legal basis — trigger an in-app banner and an email to all users at least 30 days before the change takes effect, so you can object or close your account first.
Minor changes (wording, structure, clarifications) are made silently and noted on our change log. The effective date at the top of this policy is bumped on material changes.
Contact us
Privacy questions: privacy@seshman.com.
General contact: seshman.com/contact.
Postal address: Inca Labs Limited, 167-169 Great Portland Street, Fifth Floor, London, W1W 5PF, United Kingdom.
Language
This policy is provided in English. If we provide translations, the English version is the authoritative one for legal purposes.