Early access·Early access is open for the first cohort of coaches → Try Grove

Trust

How we protect your clients’ data.

The things your clients share with you should stay private, encrypted, and yours. Here, plainly, is how Grove keeps them safe.

Grove is built so the things your clients share with you stay private, encrypted, and yours. We use the same identity and infrastructure standards as established software companies, and we deliberately keep every coach’s data partitioned so one coach can never see another’s clients.

What we do
  • Sign-in is handled by Auth0.

    We use Auth0, an industry-standard identity provider, to manage logins. Grove never stores or even sees your clients’ passwords, and every protected request is checked.

  • Your practice is isolated from every other coach’s.

    Every piece of data is tied to your Practice and filtered at the database layer on every query. One coach can never read another coach’s clients, notes, or messages, and no one outside the coaching relationship, including an employer who may be sponsoring the coaching, can see an individual client’s information. This is enforced in code, not just by a setting.

  • The AI never sees who your clients are.

    When Sage helps, your clients’ names, email addresses, and phone numbers are swapped for neutral placeholders before anything is sent to the AI, so the AI only ever works with de-identified information. The real details stay in Grove and are restored only in your own view of the result. This happens on every AI request, by design.

  • No one is quietly reading client content.

    Our application logs record activity and IDs, not the contents of messages, check-ins, or notes. We have no internal tools that surface what your clients write, and the production database is not openly accessible. There is no standing way for anyone, including the Grove team, to browse client content.

  • Encrypted in transit.

    All traffic runs over HTTPS (TLS 1.2 or higher), and anything insecure is redirected to a secure connection. Nothing your clients send travels in the clear.

  • Encrypted at rest.

    The production database and uploaded files are encrypted at rest using managed keys. On its own, the raw storage cannot be read.

  • Hosted on AWS, database kept private.

    Grove runs on Amazon Web Services. The database lives on a private network and is not reachable from the public internet. Secrets and credentials live in a managed vault, never in our code.

  • Backed up every day.

    The database is backed up automatically with retention, so data can be recovered.

  • Maintained for security.

    We monitor our software dependencies for security patches automatically, and an extensive automated test suite runs before any change reaches you.

  • You stay in control.

    Clients can delete their account and data. Role-based access means coaches, clients, and admins each see only what they should. Consent is part of the onboarding you and your clients complete.

What Grove is, and is not

Grove is a coaching platform, not a medical records system. It is a good home for the wellness context a client chooses to share with you, their goals, reflections, check-ins, and the notes that help you coach them well, all encrypted and private.

Grove is not intended for storing protected health information (PHI) or formal medical records. If your work involves clinical records such as diagnoses, lab results, or treatment notes, those belong in a system designed for that. A good rule of thumb: collect only the context you need to coach, and keep clinical records elsewhere. For the personal context your clients share in the normal course of coaching, the protections above apply.

If you ever leave

Your practice data is yours, in both directions. Grove imports your existing client list from any CSV, and the exit works the same way: ask us at hello@grove.coach and we will provide a complete export of your practice data, in open formats, usually within a few days. We are exploring a self-serve export as well. You should never need permission to leave your own tools.

And because every coach who lived through a platform shutdown knows to ask the harder question: if Grove ever winds down, we commit to at least 90 days of advance notice, a working export path through the very end, and hands-on help moving your practice somewhere good. We wrote about why this matters in What happened to Nudge Coach?

Questions welcome

Security should be legible, not a black box. If you want more detail on any of this, or you have a specific concern about a client’s information, reach out and I will walk you through it.

hello@grove.coach · Privacy & terms

Beth Richardson, Founder, Grove Coach