Privacy Policy

Riverstone & Willow (“we”, “us”, or “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

The data controller responsible for your personal data is:

EU Representative (Art. 27 GDPR): Riverstone & Willow does not currently designate an EU representative under Article 27 GDPR. The controller relies on the exemption in Article 27(2)(a) on the basis that the processing volume is presently below the “large scale” threshold described in the WP29 Guidelines on the Data Protection Officer (WP243 rev.01). This reliance is reviewed quarterly and an EU representative will be appointed within 90 days of the first paid booking, or sooner if the active EU data subject count exceeds 75, the processing scope expands, or any supervisory authority inquiry is received.

Supervisory Authority (operator-jurisdiction): Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (Serbia). EU/EEA-resident data subjects retain the right to lodge a complaint with the supervisory authority of their country of residence (Art. 77 GDPR).

We collect the following categories of personal data:

4.1 Identity & Contact Data

• Name (first name, last name)
• Email address
• Phone number (optional)
• Preferred language

4.2 Appointment Data

• Booking dates and times
• Service type selected
• Internal scheduling notes maintained by the operator (e.g. rescheduling reasons, no-show records). The booking form does not accept free-text notes from clients; if context for a session is needed, it is captured verbally rather than written to our database.
• Appointment history

4.3 Technical Data

• Application logs do not store raw IP addresses — review submissions store a one-way HMAC hash for abuse prevention only. Edge-network providers (Cloudflare, Vercel) retain raw connection metadata for their own operational windows; see § 7.
• Browser type and version
• Device type
• Pages visited and usage patterns

4.4 Payment Data

• Transaction records
• Payment method (card details are processed by PCI-compliant payment processors and not stored by us)
• Invoices and credit notes. For online payments accepted through the website, a PDF invoice is generated and stored alongside the transaction record. When a refund is issued against such an online payment, a separate credit-note PDF (file name prefixed “CN-”) is generated and stored alongside the original invoice as the formal reversal artefact. Manual-mode activations do not trigger these automated payment documents. Any documents that are created are retained under the bookkeeping rules in § 10.

4.5 Special Category Data

We process your personal data based on the following legal grounds (Art. 6 GDPR):

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide our coaching services
• Consent (Art. 6(1)(a)): For marketing communications and the precautionary Article 9(2)(a) consent described below
• Legitimate Interest (Art. 6(1)(f)): For website analytics and service improvement
• Legal Obligation (Art. 6(1)(c)): For tax and accounting requirements

Riverstone & Willow does not actively collect, request, or store health data, medical history, diagnoses, symptoms, medications, or clinical assessments. Live coaching sessions are not recorded and session content is not stored. The application captures only contract-necessary personal data (name, email, payment, appointment metadata) under Article 6(1)(b) GDPR. As a precaution, the booking and discovery-call flows include an Article 9(2)(a) explicit-consent checkbox covering the possibility that clients may voluntarily disclose health-adjacent information during live video sessions (which are never recorded or stored), or via the three free-text input fields described in § 7 below.

We publish client reviews on our website to help prospective clients make informed decisions. The following describes how we handle data submitted through the review feature.

6.1 What We Collect When You Submit a Review

• Name (as you choose to display it)
• Email address
• IP address (stored only as a one-way hash)
• Review rating and text
• Optional content warning
• Timestamp of consent

6.2 Purpose

• Publishing the review on our website
• Contacting you about your review (e.g., sending removal links)
• Abuse prevention and moderation

6.3 Lawful Basis (GDPR Art. 6/7)

• Consent (Art. 6(1)(a)): for publication of your review on our website
• Legitimate Interest (Art. 6(1)(f)): for storing the IP hash and email to prevent abuse and to honor right-to-erasure follow-up requests

6.4 What Is Shown Publicly

Only the following is visible on the public review card: your name (according to the display preference you chose — full name, first name only, or anonymous), the rating, the review text, the content warning (if any), and the date. Your email address and IP hash are never shown publicly.

6.5 Verified vs Unverified Reviews

Reviews submitted via a personal token sent to enrolled clients after a completed session are marked as verified. Reviews submitted through the public form require email verification but are still marked as unverifiedbecause email verification does not confirm that the author was a client. The label appears on each review card so readers can weigh them appropriately.

6.6 Right to Remove Your Review

You may remove your review at any time. Visit /reviews/remove to request removal. After publication we send a removal link to the email address you provided; if you lose that link, request a new one through the same page.

6.7 Retention of Reviewer Contact Data

The review content itself remains public until you remove it. The associated guest_email and guest_ip_hash fields are automatically nulled 24 months after publication, unless the review has been reported — in which case they are retained for the duration of moderation review.

6.8 DSA Notice-and-Action

We use the following EU-compliant third-party services:

We use providers that offer GDPR-compliant data processing terms, with Standard Contractual Clauses applied to any onward transfers outside the EU/EEA where required.

Current payment mode: The site is in manual payment mode. Payments are coordinated off-site, so the website does not currently send payment data to PayPal. If online payment mode is enabled in the future, PayPal (Europe) S.à r.l. et Cie, S.C.A. will act as an independent data controller for that checkout flow; see § 9.

7.1 Free-text input fields

The application accepts user-supplied free text in three places:

Riverstone & Willow is the data controller for your personal data. Certain vendors process personal data on our behalf, on documented instructions, under their respective Data Processing Agreements (DPAs). Where personal data is transferred outside the European Economic Area, the transfer relies on the European Commission's Standard Contractual Clauses (Commission Decision 2021/914, Module Two) unless the vendor is EEA-based. We have reviewed each vendor's published DPA and consider their technical and organisational measures appropriate for the data categories involved.

The website is currently operating in manual payment mode. Payments are coordinated off-site, so the site does not initiate on-site payment processing through PayPal at this time.

If online payment mode is enabled and you make a payment through the on-site checkout, we share the necessary personal data (name, email address, transaction amount, billing details) with PayPal (Europe) S.à r.l. et Cie, S.C.A.(22–24 Boulevard Royal, L-2449 Luxembourg). PayPal processes that data as an independent data controller, not as a processor acting on our instructions. PayPal independently determines the purposes and means of processing for payment execution, fraud detection, anti-money laundering compliance, and dispute handling.

PayPal's own Privacy Statement governs how PayPal handles personal data it collects and processes. You may exercise your GDPR rights in respect of PayPal's processing directly with PayPal.

The legal basis for our sharing payment data with PayPal, when that online payment flow is used, is Art. 6(1)(b) GDPR (processing necessary to perform our contract with you — executing the payment you requested).

We keep personal data only as long as is necessary for the purposes for which it was collected, or as long as is required by applicable law. Retention is governed by the principle of data minimisation (GDPR Art. 5(1)(c)).

Active vs. Archived: If a client has not booked a session for 12 consecutive months, their records are moved to a secure archived state — removed from day-to-day systems and held in a restricted-access vault until the applicable retention period ends.

• Booking metadata (appointments, payment IDs): up to 3 years after last session (archived after 12 months of inactivity). This aligns with the general civil-law limitation period and is not a clinical-record retention; our services are non-medical and non-therapeutic.
• Session content (audio/video): not stored — sessions are not recorded; see § 5.
• Invoices & Payment Records: where such records are created, 10 years, to comply with commercial bookkeeping and tax obligations (e.g. § 147 AO in Germany; equivalent rules apply in other EU jurisdictions).
• Credit notes (refunds): where a formal credit note is generated, 10 years, matching the invoice retention period. The credit note is stored alongside the original invoice as the formal reversal artefact.
• Administrative audit log records: retained alongside the booking and payment records they refer to (typically 3 to 10 years depending on the underlying record), so the forensic trail and the records it audits expire together. Audit rows are non-PII aggregates plus the actor account identifier; they are not surfaced to clients and are accessible to administrators only.
• IP-hash forensic records (anonymous attempts): retained alongside the audit log they belong to. The stored value is a salted SHA-256 truncation, not a reversible address, and is used only for abuse-pattern detection.
• Technical Logs: application logs do not store raw IP addresses; edge-network providers (Cloudflare, Vercel) retain raw connection metadata for their own operational windows.
• Marketing Data: until consent is withdrawn.
• Support & Contact-Form Correspondence: up to 2 years after the last exchange, unless tied to an ongoing matter.

You may request earlier deletion under Art. 17 GDPR; records subject to legal retention (e.g. tax and bookkeeping) will remain in a minimised form until their statutory period ends.

Under GDPR, you have the following rights:

To exercise these rights, contact us at: [email protected]

Right to Lodge a Complaint: You have the right to lodge a complaint with the data protection supervisory authority of your country of residence (or place of work, or place of the alleged infringement) if you consider that the processing of your personal data infringes the GDPR.

If you believe that we have handled your personal data in a way that infringes data protection law, you have the right to complain. You can raise your concern with us first, and you may also escalate to your supervisory authority at any time — you are not required to come to us first.

12.1 Complain to Us

Send your complaint by email to [email protected] with the subject line “Data complaint”. Please include:

• Your name and the email address associated with your account (if any)
• A description of what happened and which personal data is involved
• What outcome you are seeking (for example: correction, deletion, an explanation, or a change to how we process your data)

If sending email is not workable for you, contact us through the channels listed at /legal-notice and we will arrange an alternative intake route.

12.2 How We Will Handle Your Complaint

• Acknowledgement within 30 days. We will confirm receipt of your complaint within 30 days of it reaching us.
• Investigation without undue delay. We will look into the subject matter of your complaint, keep you informed of progress, and tell you the outcome and any steps we have taken or will take.
• Free of charge. Raising a complaint with us is free and you will not be disadvantaged for doing so.
• Records. We log the complaint, our response, and the resolution in a restricted-access register held under the retention rules in § 10.

12.3 Complain to a Supervisory Authority

Independently of complaining to us, you have the right to complain to your local data protection supervisory authority. If you are not satisfied with our response, you should escalate within one month of receiving it.

• United Kingdom residents: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint.
• EU / EEA residents: The data protection authority of your country of residence, place of work, or place of the alleged infringement. A current list of national authorities is published by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en.

Our website uses the following types of cookies:

• Essential Cookies: Required for website functionality (no consent needed)
• Analytics Cookies: Help us understand how visitors use our site (consent required)

We use Vercel Analytics for privacy-focused website analytics. This tool is designed to be GDPR-compliant and does not use cookies for tracking visitors across websites.

We implement the following security measures to protect your data:

• TLS/SSL encryption for all data in transit (HTTPS)
• AES-256 encryption for data at rest
• Authenticated HTTPS access only for remote coach access — no client records stored on local devices outside the EU
• Regular security audits and vulnerability assessments
• Access controls and authentication requirements
• Staff training on data protection

Our services are intended for individuals 18 years of age or older. We do not knowingly collect personal data from individuals under 18. If you are a parent or guardian and believe a minor has provided personal data, please contact us at [email protected] and we will delete it.

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or website notice. The “Last Updated” date at the top of this policy indicates when it was last revised.