RealHealers

Privacy policy

How we collect, store and use personal data from RealHealers users.

Last updated: 2026-05-18

1. Data controller

The controller of your personal data is the entity operating the RealHealers platform (see Impressum for company details). Send privacy enquiries to kontakt@realhealers.com.

We have not formally appointed a Data Protection Officer (DPO). GDPR requires one only where special-category data is systematically processed at scale, a threshold our current operations do not yet reach; we monitor it.

2. What we collect

Account data: email, password (hashed via Supabase), full name, country, language, role (client / healer), optionally tax ID.

Healer data (when applicable): bio, service categories, base city, languages, profile photo, website / YouTube links, phone, in-person address.

Booking data: scheduled time, service, price, session type (online / in-person), optionally reason for visit (treated as Article 9 sensitive health data).

Payment data: we do NOT process card numbers. Card details go directly to Stripe; we keep only the transaction (PaymentIntent) ID and amount.

Technical data: IP address (hashed for rate-limiting), user-agent, Supabase session cookie (httpOnly).

Contact form submissions and AI Concierge dialogue (forwarded to Anthropic — see section 5).

3. Purposes and legal bases

Providing the platform service (registration, profile, booking, payment) — Art. 6(1)(b) GDPR (contract).

Invoicing and bookkeeping — Art. 6(1)(c) GDPR (legal obligation — PL Accounting Act art. 74, KSeF from Feb 2026).

Platform security, fraud prevention — Art. 6(1)(f) GDPR (legitimate interest).

Marketing of our own services to registered users — Art. 6(1)(f); consent for non-customers — Art. 6(1)(a).

Reason for visit (health category) — Art. 9(2)(a) GDPR (explicit consent); the field is optional.

4. Third-party data processors

Supabase (Frankfurt, EU) — database, auth, storage. Standard DPA.

Vercel (Frankfurt + global edge) — application hosting.

Stripe (Ireland + USA, SCC) — payment processing and Stripe Connect Express payouts.

Resend (USA, SCC) — transactional email (confirmations, reminders).

Daily.co (Pluot Inc., USA, SCC) — video room provider for online sessions. Connections are end-to-end encrypted (DTLS-SRTP); we do not record or transcribe sessions. Daily receives only short-lived technical metadata (participant IP, room identifier in the form rh-<uuid>, session duration) needed for transmission quality. Geo-routing is forced to eu-central-1 (Frankfurt). Rooms are deleted 24h after the scheduled session end. DPA: https://www.daily.co/legal/dpa.

Cloudflare (Frankfurt + global) — CDN, DDoS protection, Email Routing for @realhealers.com.

Anthropic (USA, SCC) — AI model (Claude) powering Concierge. We send only your prompts (no other users' data). Anthropic does not train models on API customer data; API data is automatically deleted after 7 days (since 14 Sep 2025). The DPA is auto-accepted with the Commercial Terms — no separate signing required.

Mapbox (USA, SCC) — map tiles on the practitioners search page. Mapbox receives your IP and browser headers when tiles load.

PostHog (EU region, eu.posthog.com) — product analytics, loaded only after consent in the cookie banner.

Sentry (Functional Software Inc., EU region — Frankfurt) — application error monitoring to maintain service quality. Sentry receives technical error data: the URL where the error occurred, browser type and operating system, user identifier (UUID if signed in — no name or email), the error code and stack trace. Server-side Sentry always runs (we strip cookies, auth headers, and request bodies on /api/auth, /api/stripe, /api/concierge, /api/contact paths before they leave the server); the browser SDK initialises ONLY after consent in the cookie banner. Data is retained for 90 days, then automatically deleted. DPA: https://sentry.io/legal/dpa/. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining service quality).

All processors are bound by DPAs. US transfers rely on Standard Contractual Clauses (SCC) per EU Decision 2021/914.

5. Retention

Account data: until you delete the account.

Paid bookings: 5 years from end of fiscal year (PL Accounting Act art. 74). Anonymized after that.

Technical logs: up to 90 days.

AI Concierge transcripts: 30 days for debugging / guardrail tuning, then deleted.

On erasure request (Art. 17) data is anonymized immediately — booking ledger entries stay in anonymized form for tax retention.

6. Your rights

Right of access (Art. 15) — email kontakt@realhealers.com, response within 30 days.

Right to rectification (Art. 16) — most fields editable in /dashboard.

Right to erasure (Art. 17) — button in account or POST /api/account/delete.

Right to restrict processing (Art. 18) — email kontakt@realhealers.com.

Right to data portability (Art. 20) — GET /api/data/export returns a complete JSON.

Right to object to direct marketing (Art. 21) — unsubscribe link in every marketing email.

Right to lodge a complaint with the supervisory authority — the operator (Profit Vector AG) is established in Switzerland, so the lead authority is the Federal Data Protection and Information Commissioner (EDÖB / FDPIC, edoeb.admin.ch). EU residents may also file with their national authority — PL: UODO, DE: BfDI, AT: DSB.

7. Cookies and local storage

Strictly necessary cookies (Supabase session, locale preference, cookie banner state) — Art. 6(1)(f).

Analytics and marketing cookies (PostHog, Sentry session replay) — load ONLY after explicit consent in the banner. Withdraw any time via the footer's "Cookie settings".

8. International data transfers

Some processors (Stripe, Resend, Anthropic) operate US infrastructure. Transfers rely on Standard Contractual Clauses (SCC) per EU Decision 2021/914 plus supplementary measures (encryption at rest, SOC-2 audits).

Stripe Ireland Ltd. is the EU controller; intra-group DPAs regulate transfers to Stripe USA Inc.

9. Security

Data at rest encrypted (Postgres TDE in Supabase). Transport via HTTPS only (TLS 1.2+).

Passwords hashed with bcrypt by Supabase Auth — we never see plaintext passwords.

Row Level Security (RLS) on all public tables — healers see only their bookings, clients only theirs.

Security disclosures: security@realhealers.com.

10. Minors

The platform is not directed at people under 16. We do not knowingly create accounts for minors. If a parent / guardian discovers such an account, contact us — we'll delete it immediately.

11. Data processing by AI and SMS providers

Some platform features are delivered through external AI and SMS providers. They all act as our data processors under signed DPAs and process data only on our instructions.

Anthropic (Claude) — text generation and editing (AI text-assist, AI audio-assist). Location: USA / EU. Legal basis: Art. 6(1)(b) GDPR (contract performance for the chosen feature) and (f) (legitimate interest — practitioner workflow). Data sent: client first name, service title, note / transcript content. Zero retention on Anthropic's side (zero-retention API).

OpenAI (Whisper) — transcription of session audio to text. Location: USA / EU. Legal basis: Art. 6(1)(a) GDPR (client's consent to audio recording). Data sent: session audio file and language preference. OpenAI does not use API data to train models.

Twilio — SMS delivery (T-2h reminders, phone number verification). Location: USA / EU. Legal basis: Art. 6(1)(a) GDPR (consent after opt-in). Data sent: client phone number, SMS body.

The session audio file is deleted promptly after transcription — it is not retained on the operator's infrastructure or by the AI provider. Prompts to Anthropic / OpenAI never include the client's email, phone number or other identifiers beyond the first name and service title.

Voice Intake — recordings made by the client before the first session with a given practitioner (4 short answers, up to 60s each). Audio is stored in a private Supabase Storage bucket with RLS scoped to the client and assigned practitioner only, and auto-deleted 30 days after recording. Transcripts and the AI summary remain in the client record. The client may delete the entire recording at any time in /panel/privacy.

Bonus Audio Messages (post-session) — optional questions from the client and answers from the practitioner after the session (2 questions, up to 2 min each; answer up to 5 min). Audio is auto-deleted 90 days after recording; transcripts remain. Either party may delete their own recording at any time.

The client may withdraw consent for audio recording (per booking or in account settings) and for SMS reminders (account panel or STOP reply) at any time. Withdrawal does not affect the lawfulness of processing carried out beforehand.

The full list of processors appears in section 4 (Third-party data processors). DPAs are available on request at kontakt@realhealers.com.

12. Changes

We notify registered users by email at least 14 days before any material change. The current version is always at this URL with the "Last updated" date in the header.
