
    Where Your Coaching Data Actually Lives

    Laura Foltina, 20 March 2026, 7 min read

    Most AI tools cannot tell you where your client's data is stored, who can access it, or what happens to it after you stop paying. Here is what to ask before you sign up for anything.

    You record a coaching session. You upload notes. You store session summaries somewhere - maybe in a shared doc, maybe in a platform you signed up for last year. Have you ever checked where that data actually goes? Most coaches have not. And the answer matters more than you think.

    The question most coaches skip

    When I work with organisations on data governance, the first thing I ask is: "Do you know where your data lives?" The most common answer is a pause, followed by something like "the cloud." That is not an answer. That is a marketing term.

    "The cloud" is not a placeless abstraction. It is somebody else's data centre. That data centre is in a country. That country has laws. Those laws determine who can access your clients' most sensitive professional conversations - and under what circumstances.

    If you are a European coach working with European clients, this is not an abstract concern. It is the core of your professional responsibility. And if you use providers that store personal data in the United States, be aware that the US has no overarching federal privacy law comparable to the EU's General Data Protection Regulation ("GDPR"), and that data held there can be accessed by US intelligence services under US law, albeit subject to conditions. GDPR, by contrast, provides strict protection and limits legal access to justified, defined grounds.

    What happens when session data crosses a border

    GDPR is clear on this point. Personal data can only leave the European Economic Area if the destination country provides an adequate level of protection, if specific safeguards are in place, or if one of the narrow derogations in Article 49 applies.

    For US-based services, the current mechanisms are Standard Contractual Clauses ("SCCs") or the EU-US Data Privacy Framework. The Framework is functional for now - but it has already faced legal challenges, and privacy advocates argue it does not resolve the underlying conflict between EU privacy rights and US surveillance law. Two practical checks follow from this. The Framework only covers companies that have actually self-certified under it, so check the provider is on the official Data Privacy Framework list rather than taking "GDPR compliant" on trust. And SCCs on their own do not settle the question either: since the Schrems II ruling, the exporter is expected to assess whether the destination country's law undermines the clauses and to add supplementary measures where it does.

    What does this mean for coaching data? It means that if you use a US-based platform to store session recordings, transcripts, or notes, your clients' data is subject to US jurisdiction. Even if the platform promises encryption: encryption protects you against a foreign access request only when the provider itself cannot decrypt your data, and a provider that holds the keys can be compelled to use them. Even if they say they are "GDPR compliant". Compliance is not the same as immunity from foreign access requests.

    This is not about being alarmist. It is about understanding what you are consenting to when you click "agree" on a terms of service page.

    The tools coaches actually use

    Let me walk through the most common setup I see.

    Video calls. Most coaches use Zoom, Google Meet, or Microsoft Teams. All three are operated by US companies. Zoom processes data through US servers by default, and while EU data routing is available on certain paid plans, most coaches have never configured it. Google Meet and Teams route through global data centres, with limited control over which region handles your specific call.

    Session notes. Google Docs, Notion, Evernote - all built on US infrastructure. If you write session notes in any of these tools, that data is stored on US infrastructure and subject to US law. Ownership and hosting do change (Evernote, for instance, is now owned by an Italian company), so check each vendor's current data location rather than relying on what you remember from when you signed up.

    AI transcription. Otter.ai, Rev, Whisper-based tools - these are increasingly popular for automating session notes. Most hosted services process audio through US-based servers. One distinction matters here: Whisper is an open model that can be run entirely on your own machine, in which case the audio never leaves it, but a hosted "Whisper-based" service sends your recordings to that service's servers like any other. Some providers also use the data to train their models unless you opt out. This means your client's words become training data for a product they never consented to contribute to.

    CRM and scheduling. HubSpot, Calendly, Acuity - the entire backbone of most coaching practices is US-hosted. Client names, email addresses, session histories, billing details - all sitting on American servers.

    None of this is illegal. But it does create a specific set of risks that most coaches have never thought about, and that most clients have never been informed about.

    What "GDPR compliant" actually means

    "GDPR compliant" means more than having a privacy policy in place, and it does not mean data is stored in the EU. Real compliance is structural. It means:

    • Data minimisation. Only collecting data that is necessary for the stated purpose.
    • Purpose limitation. Collecting data only for specific, explicit and legitimate purposes - meaning data collected for coaching is not used for other, undisclosed purposes such as training AI models, serving ads, or building user profiles.
    • Storage limitation. Keeping personal data only for as long as it is required for the stated purpose - deleting data when it is no longer needed, not keeping it indefinitely "just in case."
    • Data subject rights. Giving clients access to their data, the ability to export it, and the ability to request deletion.
    • Data processing agreements. Formal contracts with every processor and sub-processor that touches your data, specifying exactly what they can and cannot do. Where processing involves partners outside the EU/EEA/UK, an approved transfer mechanism under GDPR is used, such as Standard Contractual Clauses or the EU-US Data Privacy Framework.

    When you evaluate a coaching platform, in addition to asking "Are you GDPR compliant?", ask: "Where is my data stored? Who are your sub-processors? What happens to session recordings after transcription? How is my data used?"

    Why this matters for the coaching relationship

    Coaches build their practice on trust. Clients share things in coaching sessions that they would not say to their manager, their partner, or their best friend. The vulnerability is the point: it is what makes coaching work.

    I am not arguing that every coach needs to become a data protection expert. But I am arguing that every coach should be able to answer one simple question: where does my client data live, and who can access it?

    See how CoachNova handles your session data in its Trust Centre - EU-hosted, never used for model training.

    What good infrastructure looks like

    The alternative is not complicated. It just requires choosing tools that were built with European data protection as a starting point, not as an afterthought. Given a choice, choose providers that host their infrastructure in the EU/UK, where robust data protection law applies. GDPR (and UK GDPR) is among the world's most comprehensive data protection frameworks, and it has influenced legislation across jurisdictions from California to Japan.

    At CoachNova, I advised on exactly this question during the platform's development. The architecture is EU-hosted. Data is never used for AI model training. Client data is isolated per coach - meaning no other coach can access your sessions. Only authorised CoachNova personnel with a need to know (such as technical support) can access data; when you assess any provider, that is the kind of access you should expect to see documented, including on what grounds it happens. Data is stored only as long as it is needed and deleted after the client relationship has ended. That is what GDPR-native looks like. Not a checkbox on a compliance page. A set of architectural decisions that protect the coaching relationship at the infrastructure level.

    Four things you can do this week

    You do not need to overhaul your entire practice. Start with four steps:

    1. Audit your tools. Make a list of every platform that touches client data - video calls, notes, scheduling, billing, AI tools. For each one, find out where it stores data and whether it offers a Data Processing Agreement that details where your data is transferred to and how it is used.
    2. Read the fine print. Especially in the era of AI, read the fine print to find out whether your data and your clients' data are used to train the provider's models. Many providers enable this by default when you sign up, so you must actively opt out if you do not agree.
    3. Update your client consent forms. If you use tools to record client conversations - transcription, session summaries, anything automated - your clients need to know. Transparency is not optional under the GDPR: clients must be told what is recorded, by which tools, and for what purpose, and where you rely on consent for recording or automated processing it must be informed, specific and freely given.
    4. Ask questions that cut to the core. The next time a platform tells you they are "GDPR compliant," ask them: "Where is my data stored? Who are your sub-processors? What happens to session recordings after transcription? How is my data used?" If they cannot answer clearly, that tells you everything you need to know.

    Try it free with your first client.

    Full access, no credit card. EU-hosted. Never used for model training.

    About the author
    Laura Foltina is a certified AI Governance Professional (AIGP) and certified Information Privacy Professional (CIPP/E). She guides companies on AI governance frameworks, EU AI Act compliance, AI vendor governance and privacy. She serves as a Founding AI Governance Advisor to CoachNova.
