Privacy Policy
Last updated: June 19, 2026
Last reviewed: June 19, 2026, v1.8
Privacy at a Glance
- We never sell your data. Your personal information is not sold or shared for advertising.
- Clinical data is yours. Session notes and patient records are encrypted and only accessible by the creating provider.
- AI is transparent. Our AI assists with practice management but never makes automated decisions about you.
- You control your data. You can access, correct, request an export (JSON) of, or delete your data by contacting us.
- US-focused service. Riverd is designed for users in the United States.
1. Introduction
Riverd LLC, a Wyoming limited liability company ("we," "us," or "our"), operates the Riverd platform at www.riverd.app (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
The Service is intended for users located in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to such transfer and processing. If you do not agree, you should not use the Service.
2. Information We Collect
Information You Provide
- Account Information: Name, email address, phone number, and professional credentials when you create an account.
- Profile Information: Professional bio, specializations, certifications, photos, and practice page details for service providers.
- Booking Information: Session details, scheduling preferences, and communication between providers and clients.
- Clinical Data: Patient books, session notes, and body map annotations that providers create within the platform. This data is considered sensitive personal information and is subject to enhanced protections described in Section 4.
- Payment Information: When a Provider you book with uses card payments, you enter your card into payment fields hosted by our payment processor. We do not receive or store your full card number. We store a secure payment token and your card's type, last four digits, and expiration date so the Provider can charge it under its stated policy and so you can manage your saved cards.
- Communications: Messages sent through contact forms, support requests, or waitlist signups.
Information Collected Automatically
- Usage Data: Pages visited, features used, session duration, and interaction patterns.
- Device Information: Browser type, operating system, IP address, and device identifiers.
- Cookies and Tracking: We use essential cookies for authentication and session management. We also use Google Tag Manager (GTM) for analytics purposes and PostHog (hosted in the EU) for product analytics — both may set cookies. PostHog records aggregated product events and a user identifier so we can understand how users navigate Riverd; we do not send health, clinical, or other PHI data to PostHog. Essential cookies are required to use the Service. You can block or delete non-essential analytics cookies (Google Tag Manager and PostHog) through your browser settings.
3. How We Use Your Information and Legal Basis
We process your personal information for the following purposes, each with a corresponding legal basis:
- To provide the Service (contract performance): Operating your account, processing bookings, and facilitating connections between providers and clients.
- To connect clients with their providers (contract performance): When a provider adds a client to their practice, we check the email address or phone number the provider entered against existing Riverd accounts solely to offer that client the option to connect their account to the provider's records. A connection is only created when the account holder confirms it from their own logged-in account using a contact detail they have verified as their own. We do not reveal to the provider whether the person they entered has a Riverd account; the provider only ever sees whether a connection is pending or completed, never the underlying account status.
- To send transactional communications (contract performance): Booking confirmations, reminders, and account updates.
- To improve the Service (legitimate interest): Analyzing usage patterns, performance monitoring, and feature development.
- To ensure security (legitimate interest): Detecting fraud, preventing abuse, and maintaining platform integrity.
- To send marketing communications (consent): Promotional emails and product updates, only with your explicit opt-in consent, which you may withdraw at any time.
- To comply with legal obligations (legal obligation): Tax records, regulatory requirements, and responding to lawful requests.
4. Clinical Data Protection
Clinical and health-related data, including patient books, session notes, body map annotations, and treatment records, is classified as sensitive personal information under applicable privacy laws. We process this data on the basis of your explicit consent, which you provide when creating clinical records within the platform.
This data receives the highest level of protection:
- Clinical data is encrypted in transit and at rest.
- Only the creating provider can access their clinical records through role-based access controls.
- We do not sell, share, or use clinical data for advertising or marketing purposes.
- Clinical data is permanently deleted when a provider deletes their account.
- You may withdraw your consent to clinical data processing at any time by deleting the relevant records or your account.
5. Artificial Intelligence
Riverd uses AI-powered features to assist with practice management, including practice page generation, service suggestions, and administrative automation. Regarding AI and your data:
- AI processes are used to assist and suggest, they do not make automated decisions that produce legal or similarly significant effects on you.
- AI does not access clinical patient data unless you explicitly invoke an AI feature on that data.
- You always have the right to human review of any AI-assisted output.
- AI-generated content (such as suggested bios or service descriptions) is always presented for your approval before publishing.
- Our in-product assistant may proactively send you email to help you set up and run your practice. Every such message identifies itself as AI and includes a way to stop the emails.
Connecting Clients and Providers
Providers may invite the clients in their own records to connect a Riverd account so the client can see and manage their sessions. To make this offer, Riverd matches the email address or phone number a provider enters against existing accounts. This matching is used only to present a connection offer to the matched account holder, who must affirmatively accept it from within their own account using a verified contact detail. It is never used to tell a provider, or anyone else, whether a given email address or phone number belongs to a Riverd member. If the matched person declines or does not respond, the provider receives no information about why, and no account data is disclosed. Health and clinical information (patient books, session notes, and body-map annotations) is never shared with a client through this feature and remains governed by Section 4.
6. Information Sharing
We do not sell or share your personal information as defined by the California Consumer Privacy Act (CCPA). We may share information with:
- Service Providers (Sub-processors): Third-party services that help us operate the platform, including:
- Supabase, database hosting and authentication
- Vercel, application hosting and deployment
- Google (GTM/Analytics), usage analytics
- PostHog Inc. (EU), product analytics — we use PostHog to understand how users navigate the product and improve UX. PostHog stores aggregated event data and user identifiers; no health/PHI data is sent.
- Sentry, application error monitoring
- Resend (with Brevo as a backup provider), transactional and notification emails
- Telnyx, SMS delivery for phone verification and notifications
- Square, card payment processing and card-on-file storage for Providers who enable card payments. Square hosts the card-entry fields and stores card data; Riverd never receives your full card number.
- OpenAI, AI features (practice page generation, service suggestions, and clinical note drafting only when you explicitly invoke an AI feature)
- Anthropic, AI model processing for our in-product assistant and practice-management AI features. Where this assistant is used, we send operational account information about your practice (such as counts, dates, and status indicators) to Anthropic's models to generate guidance and replies. We do not send your clients' clinical notes or other free-text patient records to this assistant.
- Vercel AI Gateway, the routing layer that forwards AI requests to model providers (such as Anthropic) and helps us manage usage and reliability. This is provided by Vercel, also our application hosting provider listed above.
- Legal Requirements: When required by law, subpoena, or to protect our rights and safety.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.
7. Google Calendar Integration
Riverd offers an optional two-way integration with Google Calendar so providers can prevent double-booking and have Riverd sessions appear alongside their other commitments. Connecting your Google Calendar is entirely optional, and the integration only activates after you complete the Google OAuth consent flow inside Riverd.
OAuth Scopes We Request
When you connect your Google Calendar, Riverd requests the narrowest set of scopes that supports the feature. We do not request, and cannot use, broader calendar access:
- https://www.googleapis.com/auth/calendar.events.owned, used to write Riverd bookings into the calendar you choose as the write target. This is the narrowest write scope Google offers and only permits Riverd to insert, update, or delete events that Riverd itself created. Events created outside Riverd cannot be modified or deleted by Riverd under this scope.
- https://www.googleapis.com/auth/calendar.events.readonly, used to read events from the calendars you select so Riverd can mark those times as "busy" and prevent double-booking. This scope is also required for Google's push notification channels (events.watch), which is how Riverd stays in sync without constantly polling. Google does not expose a free/busy-only OAuth scope, so events.readonly is the closest available option. At ingest, Riverd projects every event down to four fields, start time, end time, source calendar id, and source event id, and never stores titles, descriptions, attendees, locations, conference links, or attachments.
- https://www.googleapis.com/auth/calendar.calendarlist.readonly, used once at connect time so we can show you a list of your calendars and let you pick which ones to read as busy and which single calendar to write Riverd bookings to. This scope is not used after the initial setup.
What We Do With Google User Data
- Read events from the calendars you select so Riverd can mark those times as busy and prevent double-booking on the platform.
- Write Riverd bookings into the single target calendar you select, so they appear alongside your other commitments.
- Riverd never reads, stores, or displays event titles, descriptions, attendees, locations, or conference links from your Google Calendar. Only generic "Busy" blocks are surfaced inside Riverd.
What We Never Do With Google User Data
- We do not sell Google user data.
- We do not transfer Google user data to third parties, other than Supabase as our infrastructure provider, who is bound by the same restrictions described in this policy.
- We do not use Google user data to train AI or machine learning models.
- We do not use Google user data for advertising of any kind.
How Google Data Is Stored
- Refresh tokens are stored in Supabase Vault, an encrypted secret store. They are never returned to the browser and can only be decrypted server-side through a service-role-gated view used by Riverd's sync workers.
- Busy-block records contain only four fields per event: start time, end time, source calendar id, and source event id. No titles, descriptions, attendees, locations, or links are persisted.
Data Retention for Google Calendar Data
We retain busy-block data only as long as your Google Calendar is connected to Riverd. When you disconnect, all imported busy-block records are deleted and our stored tokens are revoked within 24 hours.
How to Revoke Access
You can disconnect Riverd from your Google Calendar at any time:
- Inside Riverd: open your integrations settings page and click "Disconnect Google Calendar." When you disconnect, Riverd revokes the stored refresh token with Google, closes all active webhook channels (events.watch) so Google stops sending us notifications, deletes the refresh token secret from Supabase Vault, and purges all imported busy-block records. This is completed within 24 hours.
- From your Google account: visit https://myaccount.google.com/permissions and remove Riverd from the list of apps with access to your Google account. This invalidates our tokens immediately on Google's side; the corresponding cleanup on Riverd's side runs on next sync attempt.
Limited Use Compliance
Riverd's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
8. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. When you delete your account, we delete your personal data without undue delay, typically within 30 days, except where retention is required by law or for legitimate business records (e.g., tax, accounting, and transaction history such as bookings and invoices, which are retained as part of our financial audit trail).
9. Your Rights
You have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of your personal information.
- Data Portability: Receive your data in a structured, machine-readable format (JSON).
- Object/Restrict: Object to or restrict certain processing of your data.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Non-Discrimination: We will not discriminate against you for exercising any of these rights.
To exercise these rights, contact us at our contact page. We will respond without undue delay, typically within 30 days.
10. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities within 72 hours of discovering the breach, or as otherwise required by applicable law. Notification will include the nature of the breach, the data affected, and steps we are taking to address it.
11. Security
We implement industry-standard security measures including encryption in transit and at rest, role-based access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure.
12. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we will provide notice through the Service or via email.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us.
Riverd LLC, www.riverd.app