Privacy Policy

1. Introduction

Riverd ("we," "us," or "our") operates the Riverd platform at www.riverd.app (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

The Service is intended for users located in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to such transfer and processing. If you do not agree, you should not use the Service.

2. Information We Collect

Information You Provide

• Account Information: Name, email address, phone number, and professional credentials when you create an account.
• Profile Information: Professional bio, specializations, certifications, photos, and practice page details for service providers.
• Booking Information: Session details, scheduling preferences, and communication between providers and clients.
• Clinical Data: Patient books, session notes, and body map annotations that providers create within the platform. This data is considered sensitive personal information and is subject to enhanced protections described in Section 4.
• Communications: Messages sent through contact forms, support requests, or waitlist signups.

Information Collected Automatically

• Usage Data: Pages visited, features used, session duration, and interaction patterns.
• Device Information: Browser type, operating system, IP address, and device identifiers.
• Cookies and Tracking: We use essential cookies for authentication and session management. We also use Google Tag Manager (GTM) for analytics purposes and PostHog (hosted in the EU) for product analytics — both may set cookies. PostHog records aggregated product events and a user identifier so we can understand how users navigate Riverd; we do not send health, clinical, or other PHI data to PostHog. You can manage cookie preferences through your browser settings.

3. How We Use Your Information and Legal Basis

We process your personal information for the following purposes, each with a corresponding legal basis:

• To provide the Service (contract performance): Operating your account, processing bookings, and facilitating connections between providers and clients.
• To send transactional communications (contract performance): Booking confirmations, reminders, and account updates.
• To improve the Service (legitimate interest): Analyzing usage patterns, performance monitoring, and feature development.
• To ensure security (legitimate interest): Detecting fraud, preventing abuse, and maintaining platform integrity.
• To send marketing communications (consent): Promotional emails and product updates, only with your explicit opt-in consent, which you may withdraw at any time.
• To comply with legal obligations (legal obligation): Tax records, regulatory requirements, and responding to lawful requests.

4. Clinical Data Protection

Clinical and health-related data, including patient books, session notes, body map annotations, and treatment records, is classified as sensitive personal information under applicable privacy laws. We process this data on the basis of your explicit consent, which you provide when creating clinical records within the platform.

This data receives the highest level of protection:

• Clinical data is encrypted in transit and at rest.
• Only the creating provider can access their clinical records through role-based access controls.
• We do not sell, share, or use clinical data for advertising or marketing purposes.
• Clinical data is permanently deleted when a provider deletes their account.
• You may withdraw your consent to clinical data processing at any time by deleting the relevant records or your account.

5. Artificial Intelligence

Riverd uses AI-powered features to assist with practice management, including practice page generation, service suggestions, and administrative automation. Regarding AI and your data:

• AI processes are used to assist and suggest, they do not make automated decisions that produce legal or similarly significant effects on you.
• AI does not access clinical patient data unless you explicitly invoke an AI feature on that data.
• You always have the right to human review of any AI-assisted output.
• AI-generated content (such as suggested bios or service descriptions) is always presented for your approval before publishing.

6. Information Sharing

We do not sell or share your personal information as defined by the California Consumer Privacy Act (CCPA). We may share information with:

• Service Providers (Sub-processors): Third-party services that help us operate the platform, including:
  • Supabase, database hosting and authentication
  • Vercel, application hosting and deployment
  • Google (GTM/Analytics), usage analytics
  • PostHog Inc. (EU), product analytics — we use PostHog to understand how users navigate the product and improve UX. PostHog stores aggregated event data and user identifiers; no health/PHI data is sent.
  • Sentry, application error monitoring
  • Email delivery services, transactional and notification emails
  Each sub-processor is contractually bound to process data only for the purposes we specify.
• Legal Requirements: When required by law, subpoena, or to protect our rights and safety.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.

7. Google Calendar Integration

Riverd offers an optional two-way integration with Google Calendar so providers can prevent double-booking and have Riverd sessions appear alongside their other commitments. Connecting your Google Calendar is entirely optional, and the integration only activates after you complete the Google OAuth consent flow inside Riverd.

OAuth Scopes We Request

When you connect your Google Calendar, Riverd requests the narrowest set of scopes that supports the feature. We do not request, and cannot use, broader calendar access:

• https://www.googleapis.com/auth/calendar.events.owned, used to write Riverd bookings into the calendar you choose as the write target. This is the narrowest write scope Google offers and only permits Riverd to insert, update, or delete events that Riverd itself created. Events created outside Riverd cannot be modified or deleted by Riverd under this scope.
• https://www.googleapis.com/auth/calendar.events.readonly, used to read events from the calendars you select so Riverd can mark those times as "busy" and prevent double-booking. This scope is also required for Google's push notification channels (events.watch), which is how Riverd stays in sync without constantly polling. Google does not expose a free/busy-only OAuth scope, so events.readonly is the closest available option. At ingest, Riverd projects every event down to four fields, start time, end time, source calendar id, and source event id, and never stores titles, descriptions, attendees, locations, conference links, or attachments.
• https://www.googleapis.com/auth/calendar.calendarlist.readonly, used once at connect time so we can show you a list of your calendars and let you pick which ones to read as busy and which single calendar to write Riverd bookings to. This scope is not used after the initial setup.

What We Do With Google User Data

• Read events from the calendars you select so Riverd can mark those times as busy and prevent double-booking on the platform.
• Write Riverd bookings into the single target calendar you select, so they appear alongside your other commitments.
• Riverd never reads, stores, or displays event titles, descriptions, attendees, locations, or conference links from your Google Calendar. Only generic "Busy" blocks are surfaced inside Riverd.

What We Never Do With Google User Data

• We do not sell Google user data.
• We do not transfer Google user data to third parties, other than Supabase as our infrastructure provider, who is bound by the same restrictions described in this policy.
• We do not use Google user data to train AI or machine learning models.
• We do not use Google user data for advertising of any kind.

How Google Data Is Stored

• Refresh tokens are stored in Supabase Vault, an encrypted secret store. They are never returned to the browser and can only be decrypted server-side through a service-role-gated view used by Riverd's sync workers.
• Busy-block records contain only four fields per event: start time, end time, source calendar id, and source event id. No titles, descriptions, attendees, locations, or links are persisted.

Data Retention for Google Calendar Data

We retain busy-block data only as long as your Google Calendar is connected to Riverd. When you disconnect, all imported busy-block records are deleted and our stored tokens are revoked within 24 hours.

How to Revoke Access

You can disconnect Riverd from your Google Calendar at any time:

• Inside Riverd: open your integrations settings page and click "Disconnect Google Calendar." When you disconnect, Riverd revokes the stored refresh token with Google, closes all active webhook channels (events.watch) so Google stops sending us notifications, deletes the refresh token secret from Supabase Vault, and purges all imported busy-block records. This is completed within 24 hours.
• From your Google account: visit https://myaccount.google.com/permissions and remove Riverd from the list of apps with access to your Google account. This invalidates our tokens immediately on Google's side; the corresponding cleanup on Riverd's side runs on next sync attempt.

Limited Use Compliance

Riverd's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. When you delete your account, we delete your personal data without undue delay, typically within 30 days, except where retention is required by law (e.g., tax or accounting records).

9. Your Rights

You have the right to:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate personal information.
• Deletion: Request deletion of your personal information.
• Data Portability: Receive your data in a structured, machine-readable format (JSON).
• Object/Restrict: Object to or restrict certain processing of your data.
• Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise these rights, contact us at our contact page. We will respond without undue delay, typically within 30 days.

10. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities within 72 hours of discovering the breach, or as otherwise required by applicable law. Notification will include the nature of the breach, the data affected, and steps we are taking to address it.

11. Security

We implement industry-standard security measures including encryption in transit and at rest, role-based access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure.

12. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we will provide notice through the Service or via email.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us.

Riverd, www.riverd.app