Cookie policy
List of cookies and local storage used by RealHealers with lifetime and legal basis.
Last updated: 2026-05-05
2. Strictly necessary cookies
sb-access-token / sb-refresh-token (Supabase Auth) — signed-in session. HttpOnly, SameSite=Lax, Secure. Lifetime: until sign-out or expiry, whichever comes first: 1 hour (access) / 7 days (refresh).
NEXT_LOCALE — language preference (pl/de/en). Lifetime: 1 year.
realhealers.consent (localStorage) — your choice in the cookie banner ("accepted" or "rejected"). Without this key the banner would appear on every visit. Lifetime: indefinite until cleared via "Cookie settings" in the footer.
rh_referral_code — referrer's code stored when you click a referral link (e.g. realhealers.com/?ref=ANNA-XYZ123). The value comes solely from the URL and contains no personal data. It attributes your sign-up to the person who referred you. Lifetime: 90 days. SameSite=Lax, Secure (in production), not HttpOnly (the referrals dashboard reads it client-side). Legal basis: Art. 6(1)(b) GDPR (contract performance with the referrer — the referral commission for the action you initiated cannot be settled without this cookie).
Legal basis for the remaining cookies in this category: Art. 6(1)(f) GDPR (legitimate interest — running the site you opened).
3. Analytics / marketing cookies (consent-gated)
PostHog (product analytics, EU region eu.posthog.com) — anonymous visit counts, button clicks, navigation paths. Lifetime: 365 days. Session recording disabled — no mouse tracking or input capture.
Sentry (error monitoring) — error session ID and breadcrumbs (navigation just before a crash). No session replay. Lifetime: end of browser session.
These cookies/SDKs load ONLY if you click "Accept all" in the banner. With "Only necessary" or no interaction we don't load them at all.
The "Accept all" and "Only necessary" buttons in the banner are equally prominent (size, colour, position, visual weight) — in line with TTDSG/DDG and current case law (incl. VG Hannover 2025); there are no dark patterns nudging towards acceptance.
Legal basis: Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy Directive (consent); for DE additionally § 25 TTDSG.
4. Third-party processors
Stripe (Stripe Elements iframe on the checkout page) — sets its own cookies for fraud detection and device fingerprinting. Set only on the payment page. Privacy policy: stripe.com/privacy.
YouTube/Vimeo (videos embedded on healer profiles) — if present, activating the player may set platform cookies. We use youtube-nocookie.com where possible.
5. Managing cookies
Footer of every page: "Cookie settings" link — clears stored consent and re-shows the banner.
Browser: the Privacy/Cookies section of your browser settings lets you delete cookies for realhealers.com or block them entirely. Blocking strictly necessary cookies will prevent sign-in.
Withdrawing consent for analytics cookies does not affect site use — it just stops PostHog/Sentry loading on future visits.
