The short answer
Online coaches handle sensitive data - health answers, measurements, progress photos, and payments - which makes you a data controller with real obligations under laws like GDPR. In practice that means collecting only what you need with clear consent, keeping it in one secure place instead of scattered across chat apps and camera rolls, limiting who can see it, getting separate permission before anything goes public, and deleting it cleanly when a client asks.
This article is general information, not legal advice. Data-protection law varies by country and region, so treat what follows as a practical starting point and confirm the specifics for your jurisdiction - or with a qualified professional - before you rely on it. Keep the wider scope-of-practice line in mind too: collecting a client's health history to coach safely is fine, but diagnosing or treating a medical condition belongs to a clinician.