Privacy Policy
Last updated: March 6, 2026
Last reviewed: March 6, 2026 — v1.1
Privacy at a Glance
- We never sell your data. Your personal information is not sold or shared for advertising.
- Clinical data is yours. Session notes and patient records are encrypted and only accessible by the creating provider.
- AI is transparent. Our AI assists with practice management but never makes automated decisions about you.
- You control your data. You can access, correct, export (JSON), or delete your data at any time.
- US-focused service. Riverd is designed for users in the United States.
1. Introduction
Riverd ("we," "us," or "our") operates the Riverd platform at www.riverd.app (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
The Service is intended for users located in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to such transfer and processing. If you do not agree, you should not use the Service.
2. Information We Collect
Information You Provide
- Account Information: Name, email address, phone number, and professional credentials when you create an account.
- Profile Information: Professional bio, specializations, certifications, photos, and storefront details for service providers.
- Booking Information: Session details, scheduling preferences, and communication between providers and clients.
- Clinical Data: Patient books, session notes, and body map annotations that providers create within the platform. This data is considered sensitive personal information and is subject to enhanced protections described in Section 4.
- Communications: Messages sent through contact forms, support requests, or waitlist signups.
Information Collected Automatically
- Usage Data: Pages visited, features used, session duration, and interaction patterns.
- Device Information: Browser type, operating system, IP address, and device identifiers.
- Cookies and Tracking: We use essential cookies for authentication and session management. We also use Google Tag Manager (GTM) for analytics purposes, which may set additional cookies. You can manage cookie preferences through your browser settings.
3. How We Use Your Information and Legal Basis
We process your personal information for the following purposes, each with a corresponding legal basis:
- To provide the Service (contract performance): Operating your account, processing bookings, and facilitating connections between providers and clients.
- To send transactional communications (contract performance): Booking confirmations, reminders, and account updates.
- To improve the Service (legitimate interest): Analyzing usage patterns, performance monitoring, and feature development.
- To ensure security (legitimate interest): Detecting fraud, preventing abuse, and maintaining platform integrity.
- To send marketing communications (consent): Promotional emails and product updates — only with your explicit opt-in consent, which you may withdraw at any time.
- To comply with legal obligations (legal obligation): Tax records, regulatory requirements, and responding to lawful requests.
4. Clinical Data Protection
Clinical and health-related data — including patient books, session notes, body map annotations, and treatment records — is classified as sensitive personal information under applicable privacy laws. We process this data on the basis of your explicit consent, which you provide when creating clinical records within the platform.
This data receives the highest level of protection:
- Clinical data is encrypted in transit and at rest.
- Only the creating provider can access their clinical records through role-based access controls.
- We do not sell, share, or use clinical data for advertising or marketing purposes.
- Clinical data is permanently deleted when a provider deletes their account.
- You may withdraw your consent to clinical data processing at any time by deleting the relevant records or your account.
5. Artificial Intelligence
Riverd uses AI-powered features to assist with practice management, including storefront generation, service suggestions, and administrative automation. Regarding AI and your data:
- AI processes are used to assist and suggest — they do not make automated decisions that produce legal or similarly significant effects on you.
- AI does not access clinical patient data unless you explicitly invoke an AI feature on that data.
- You always have the right to human review of any AI-assisted output.
- AI-generated content (such as suggested bios or service descriptions) is always presented for your approval before publishing.
6. Information Sharing
We do not sell or share your personal information as defined by the California Consumer Privacy Act (CCPA). We may share information with:
- Service Providers (Sub-processors): Third-party services that help us operate the platform, including:
  - Supabase — database hosting and authentication
  - Vercel — application hosting and deployment
  - Google (GTM/Analytics) — usage analytics
  - Email delivery services — transactional and notification emails
- Legal Requirements: When required by law, subpoena, or to protect our rights and safety.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.
7. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. When you delete your account, we delete your personal data without undue delay, typically within 30 days, except where retention is required by law (e.g., tax or accounting records).
8. Your Rights
You have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of your personal information.
- Data Portability: Receive your data in a structured, machine-readable format (JSON).
- Object/Restrict: Object to or restrict certain processing of your data.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Non-Discrimination: We will not discriminate against you for exercising any of these rights.
To exercise these rights, contact us through our contact page. We will respond without undue delay, typically within 30 days.
9. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities within 72 hours of discovering the breach, or as otherwise required by applicable law. Notification will include the nature of the breach, the data affected, and steps we are taking to address it.
10. Security
We implement industry-standard security measures including encryption in transit and at rest, role-based access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure.
11. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we will provide notice through the Service or via email.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us.
Riverd — www.riverd.app