Privacy Policy

Last updated: 5 March 2026

This Privacy Policy explains how Nicholas James Hancock (trading as Maximum Mileage Coaching) (“we”, “us”, “our”) collects, uses, discloses and protects your personal information when you use our websites, applications, coaching portals, community spaces, and related services (together, the “Services”).

We are committed to using your data responsibly and in line with the UK GDPR and the Data Protection Act 2018, and — where relevant — the Privacy and Electronic Communications Regulations (PECR).

At a glance

  • We only collect what we need to deliver coaching and run our business.
  • We never sell your data.
  • We use trusted processors and protect data with technical and organisational measures.
  • You control your marketing preferences and can withdraw consent at any time.
  • You have rights over your data — how to exercise them is set out below.

1. Who we are (Data Controller)

Controller: Nicholas James Hancock, trading as Maximum Mileage Coaching
Registered/Postal address: 2 St Philip St, Corsham, SN13 0FS
Email: nick@maximummileagecoaching.com
Data protection contact: Privacy Lead (same email as above)
ICO Registered Person — Nicholas Hancock t/a Maximum Mileage Coaching


2. The data we collect

We collect and process the following categories of personal data, depending on how you interact with us:

Identity & Contact Data

Name, email, phone number, postal address, country, emergency contact (optional).

Account & Communications Data

Login details, preferences, messages you send us (email, chat, forms, WhatsApp/DM where applicable), call/meeting recordings where you’ve agreed.

Coaching & Athlete Data (may include special category data)

Training history, performance metrics, race results, injury status, goals, scheduling constraints, and health-related information you choose to share (e.g. past injuries, nutrition notes, relevant medical information). This is considered special category data under UK GDPR.

Transaction Data

Purchase history (plans, subscriptions), invoice details. Card data is handled by our payment processor — we do not store full card numbers.

Technical & Usage Data

IP address, device identifiers, browser type, pages viewed, time on site, clicks, referral URLs, approximate location, and cookie identifiers.

Marketing & Engagement Data

Your marketing preferences, email opens/clicks, webinar attendance, lead magnet downloads, community participation.

Third-Party Integration & Wearable Platform Data

Data we receive if you connect third-party services to your account. This includes training platforms, calendar tools, and fitness wearable platforms. When you authorise a connection to a device platform (such as Garmin Connect or Coros), we may receive:

  • Activity data (runs, workouts, session summaries)
  • GPS and route data
  • Heart rate, pace, cadence, and power metrics
  • Performance estimates (e.g. VO2max, training load, recovery status) where provided by the platform
  • Sleep and daily activity data, where you have enabled sharing of this data

We only request the permissions necessary to deliver your coaching service. You can revoke access to any connected platform at any time through that platform’s own settings or through your account on our platform. Examples of platforms we integrate with include: Garmin Connect, Coros, Intervals.icu, TrainingPeaks, Google/Apple calendars, GoHighLevel, Zapier, Stripe, Calendly, and similar tools. We will only connect or ingest what is needed to deliver the Services you request.


3. How we collect data

Directly from you: forms, checkout, email/DM, calls, questionnaires, webinars, coaching portal.

Automatically: through cookies, pixels, and similar technologies when you use our websites/apps.

From third parties (when you authorise it): training platforms, calendars, payment providers, scheduling tools, analytics providers, and social networks.

From connected wearable platforms (when you authorise it): fitness data from Garmin Connect, Coros, and similar platforms, accessed via OAuth 2.0 authorisation. We store access tokens securely using encryption at rest to maintain your connection.


4. Our lawful bases for processing

We use your data under one or more of the following lawful bases:

Contract — to provide and support the Services you’ve asked for (e.g. coaching, subscriptions, training plans, support).

Consent — for:

  • Special category data (health/medical information shared for coaching). We’ll ask for explicit consent (e.g. a clear tick box or written confirmation) and you can withdraw consent at any time.
  • Marketing communications (email/SMS/DMs where consent is required under PECR).
  • Non-essential cookies and similar technologies.
  • Third-party platform connections (e.g. Garmin Connect, Coros) — we will ask for your explicit authorisation before connecting to any wearable or training platform.

Legitimate Interests — to run, improve, and protect our Services (e.g. usage analytics, service improvement, network security, preventing fraud, reasonable personalisation). We balance these interests against your rights and expectations.

Legal Obligation — to meet tax, accounting, and regulatory requirements.

If we rely on consent, you can withdraw it at any time — this won’t affect processing that already happened lawfully.


5. How we use your data

  • Delivering and personalising coaching and training plans.
  • Setting up and managing your account, subscriptions, and payments.
  • Communicating with you (including support, service updates, and feedback requests).
  • Analysing usage to improve content, programming, and the user experience.
  • Running webinars, events, groups, and communities.
  • Preventing misuse, protecting security, and enforcing our terms.
  • Creating aggregated or anonymised insights (e.g. general trends) that don’t identify you.
  • With your permission, using testimonials/case studies (we’ll ask you before publishing anything identifiable).

We do not use your data for automated decision-making that produces legal or similarly significant effects.


6. Special category (health) data

We may process health-related data that you choose to share to enable tailored coaching. Because this is sensitive data, we process it only with your explicit consent (UK GDPR Art. 9(2)(a)).

You can decline to share health data, but it may limit our ability to coach safely and effectively.

You can withdraw consent at any time — if you do, we’ll stop processing going forward and securely delete or anonymise this data unless retention is required by law or to establish/exercise/defend legal claims.


7. Cookies & similar technologies

We use cookies, pixels, and similar technologies to operate our site and understand usage.

Types of cookies:

  • Strictly necessary (essential for login, security, load balancing).
  • Analytics/performance (to help us improve content and features).
  • Functionality (remember preferences).
  • Advertising/retargeting (where used).

Under PECR, we seek your consent for non-essential cookies. You can change your preferences at any time via our Cookie Settings link (where available) or your browser settings.


8. Disclosures & sharing

We share personal data with trusted processors that help us deliver the Services, under contracts that require them to protect your data and only act on our instructions. Typical categories include:

  • Hosting, storage, and infrastructure (e.g. cloud providers).
  • Coaching platforms and integrations (e.g. Garmin Connect, Coros, Intervals.icu, TrainingPeaks, calendars, webinar tools).
  • Communications and CRM (e.g. email service, support/chat, community).
  • Payments and billing (e.g. Stripe).
  • Analytics and tag management.
  • Forms, surveys, e-signatures, and automations (e.g. Calendly, Zapier, Notion, form tools).

We also share data where required by law, to protect rights and safety, to respond to lawful requests, or in connection with a business reorganisation. We never sell your personal data.


9. International transfers

Some processors are located outside the UK/EEA (e.g. in the United States). When we transfer your data internationally, we use lawful safeguards such as:

  • UK adequacy regulations (where available), and/or
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), plus supplementary measures where appropriate.

You can request more information about international transfer safeguards by contacting us.


10. Data security

We use a combination of technical and organisational measures to protect personal data, including encryption in transit, access controls, least-privilege permissions, audit logging where supported, and staff confidentiality obligations. No method is 100% secure, but we work to prevent unauthorised access, alteration, disclosure, or loss.

Access tokens for connected third-party platforms (such as Garmin Connect and Coros) are stored using field-level encryption and are never exposed in logs or to unauthorised parties.


11. Data retention

We keep personal data only as long as needed for the purposes described, including to meet legal/accounting obligations, resolve disputes, and enforce agreements. Typical retention periods are:

  • Account & coaching records: for the duration of your engagement and up to 2 years after it ends (unless you ask us to delete sooner and we have no legal reason to keep them).
  • Special category (health) data: for the duration of your engagement and up to 2 years after, or earlier on withdrawal of consent (unless required to retain for legal claims).
  • Wearable/activity data from connected platforms: retained for the duration of your coaching engagement and deleted or anonymised within 90 days of you disconnecting the integration or closing your account, unless you request earlier deletion.
  • Financial/transaction records: 6 years to meet UK tax requirements.
  • Marketing data: until you unsubscribe or after 24 months of inactivity.
  • Technical/analytics logs: typically 12–24 months, depending on the provider.

We may retain anonymised data (which no longer identifies you) for research and business insights.


12. Your rights

Under UK GDPR, you have rights to:

  • Access your personal data.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”).
  • Restrict or object to processing (including profiling based on legitimate interests).
  • Data portability (where technically feasible).
  • Withdraw consent at any time (for consent-based processing), including revoking access to connected platforms such as Garmin Connect or Coros.
  • Lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.

To exercise any right, email nick@maximummileagecoaching.com. We may need to verify your identity. There’s no fee unless your request is excessive or unfounded.


13. Marketing

You’ll only receive marketing from us if you:

  • opted in, or
  • are an existing customer and we’re contacting you about similar products/services (“soft opt-in” under PECR).

You can unsubscribe at any time via the link in any marketing email or by contacting us. We don’t send third-party marketing without your permission.


14. Children

Our Services aren’t directed to children. We don’t knowingly collect data from anyone under 13 without parental/guardian consent. If you believe a child has provided us with personal data, please contact us and we’ll delete it.


15. Third-party links

Our Services may include links to third-party sites, apps, or platforms. We’re not responsible for their privacy practices. Please review their policies before you share data with them.


16. Changes to this policy

We may update this Privacy Policy to reflect changes to our practices or for legal/regulatory reasons. We’ll post the updated version with a new “Last updated” date and, if changes are significant, we’ll notify you.


17. Contact us

Questions about this policy or your data?
Email: nick@maximummileagecoaching.com
Postal: 2 St Philip St, Corsham, SN13 0FS


Appendix A — Common processors we use (illustrative)

Exact providers may change from time to time. We keep contracts in place with each provider to ensure UK GDPR-level protections.

  • Hosting & storage: reputable UK/EU/US cloud providers (e.g. AWS, Google Cloud, Microsoft Azure, Railway).
  • Analytics & tags: Google Analytics/Tag Manager (IP anonymisation where configured), privacy-respecting analytics where used.
  • Coaching platform: Intervals.icu (activity normalisation, performance analytics, training plan delivery); TrainingPeaks (plans, workouts, performance tracking).
  • Fitness wearable platforms: Garmin (Garmin Connect API — activity, GPS, and health metrics where authorised); Coros (Coros API — activity and performance data where authorised). Data is received via OAuth-authorised API connections and used solely to deliver your coaching service.
  • Error monitoring & performance: Sentry (error tracking, performance monitoring — may receive user email addresses to associate errors with affected users).
  • Product analytics & feature flags: PostHog (usage analytics, feature flag management — receives behavioural/interaction data).
  • Scheduling & video: Calendly; Zoom/Google Meet.
  • CRM & communications: GoHighLevel (or equivalent), email service provider, webinar tools.
  • Automation: Zapier (data routing between systems).
  • Docs & notes: Notion/Google Workspace (internal operations).
  • Payments: Stripe (PCI-DSS compliant).
  • Surveys/forms & e-sign: secure form tools for questionnaires and agreements.

If you’d like the current, detailed list of processors and sub-processors, contact us at the email above.

Legal note: This policy is provided for information and transparency. It does not create any contractual or legal rights for third parties. For tailored legal advice, please consult a solicitor.