What is online coaching and how does it work?

Online coaching is a confidential video session with a holistic facilitator from the comfort of your home. You book a time slot, pay securely via PayPal, and join the session through a private video link sent to your email. No software installation required.

Is this therapy or psychotherapy?

No. Riverstone & Willow offers holistic facilitation and wellness coaching — not psychotherapy, psychological counseling, or medical treatment. For conditions requiring clinical support, please consult a licensed healthcare professional.

What languages are sessions available in?

Sessions are conducted in English. German is also available on request.

How much do sessions cost?

Plans are priced at €250 per 4-week cycle (Monthly, 6-month, and 12-month options), each including up to 4 sessions. Payment is processed securely via PayPal. Services are not covered by statutory or private health insurance.

Can I book a session from anywhere in the world?

Yes, Riverstone & Willow serves clients worldwide. All sessions take place online via secure video call, so you can connect from anywhere.

How do I cancel or reschedule a session?

You can manage your booking through the link sent to your email after booking. Cancellations and rescheduling are available up to a certain time before your session.

Privacy Policy

Last Updated: April 2026
Effective Date: January 1, 2026

1. Introduction

Riverstone & Willow (“we”, “us”, or “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Riverstone & Willow

Online Coaching & Wellness Consulting

Email: contact@riverstonewillow.com

3. Data Residence & Processing Location

Primary Data Storage in the EU

Your account, booking and counselling-record data is stored on EU-based infrastructure (Supabase, Frankfurt — Germany; Vercel, EU region). Provider-level encryption at rest (AES-256) applies on both platforms.

Necessary International Transfers

A small number of operational processors are established in, or may process data in, the United States. These transfers rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework:

Daily.co (Pluot, Inc.): video/audio hosting during live sessions — US.
Resend, Inc.: transactional email delivery — US.
PayPal (Europe) S.à r.l.: payment processing — EU primary, with onward transfers to the US under SCCs.
Sentry (Functional Software, Inc.): error and reliability monitoring — US or EU region.
Upstash, Inc.: Redis-backed rate limiting — EU region. Stores short-lived counters keyed on IP address (not the IP itself in plain form) for abuse protection.
Cloudflare, Inc.: DNS resolution and edge protection for the domain — global. Sees only request metadata (IP, URL, headers); does not see request bodies for HTTPS traffic.

Session content itself (your spoken words during a call) is streamed end-to-end during the session and is not recorded by default. Only connection metadata (timestamps, participant identifiers) is handled by the video provider.

Remote Access by the Counsellor

The counsellor accesses client records from a non-EU location (Serbia) through the web browser only, over authenticated HTTPS / TLS 1.2+ connections to the EU-based infrastructure described above. No client records are downloaded, exported, or stored on local devices outside the EU — all primary storage remains within EU jurisdiction at all times.

4. Data We Collect

We collect the following categories of personal data:

4.1 Identity & Contact Data

Name (first name, last name)
Email address
Phone number (optional)
Preferred language

4.2 Appointment Data

Booking dates and times
Service type selected
Session notes (stored with your consent)
Appointment history

4.3 Technical Data

IP address (anonymized after 7 days)
Browser type and version
Device type
Pages visited and usage patterns

4.4 Payment Data

Transaction records
Payment method (card details are processed by PCI-compliant payment processors and not stored by us)

4.5 Special Category Data

During counseling sessions, you may share information about your mental health, relationships, or personal circumstances. This information is treated with the highest level of confidentiality and is processed only with your explicit consent for the purpose of providing counseling services.

5. Legal Basis for Processing

We process your personal data based on the following legal grounds (Art. 6 GDPR):

Contract Performance (Art. 6(1)(b)): Processing necessary to provide our counseling services
Consent (Art. 6(1)(a)): For special category data and marketing communications
Legitimate Interest (Art. 6(1)(f)): For website analytics and service improvement
Legal Obligation (Art. 6(1)(c)): For tax and accounting requirements

Processing of special category data (health-related information) is based on your explicit consent (Art. 9(2)(a) GDPR).

6. Reviews and Testimonials

We publish client reviews on our website to help prospective clients make informed decisions. The following describes how we handle data submitted through the review feature.

6.1 What We Collect When You Submit a Review

Name (as you choose to display it)
Email address
IP address (stored only as a one-way hash)
Review rating and text
Optional content warning
Timestamp of consent

6.2 Purpose

Publishing the review on our website
Contacting you about your review (e.g., sending removal links)
Abuse prevention and moderation

6.3 Lawful Basis (GDPR Art. 6/7)

Consent (Art. 6(1)(a)): for publication of your review on our website
Legitimate Interest (Art. 6(1)(f)): for storing the IP hash and email to prevent abuse and to honor right-to-erasure follow-up requests

6.4 What Is Shown Publicly

Only the following is visible on the public review card: your name (according to the display preference you chose — full name, first name only, or anonymous), the rating, the review text, the content warning (if any), and the date. Your email address and IP hash are never shown publicly.

6.5 Verified vs Unverified Reviews

Reviews submitted via a personal token sent to enrolled clients after a completed session are marked as verified. Reviews submitted through the public form (without a token) are marked as unverified. The label appears on each review card so readers can weigh them appropriately.

6.6 Right to Remove Your Review

You may remove your review at any time. Visit /reviews/remove to request removal. After publication we send a removal link to the email address you provided; if you lose that link, request a new one through the same page.

6.7 Retention of Reviewer Contact Data

The review content itself remains public until you remove it. The associated guest_email and guest_ip_hash fields are automatically nulled 24 months after publication, unless the review has been reported — in which case they are retained for the duration of moderation review.

6.8 DSA Notice-and-Action

Anyone may report a review using the “Report” link on each review card. Reports are reviewed within 48 hours in accordance with the EU Digital Services Act notice-and-action requirements.

7. Third-Party Services

We use the following EU-compliant third-party services:

Service	Purpose	Data Location
Supabase	Database & Authentication	EU (Frankfurt)
Vercel	Website Hosting	EU (Frankfurt)
PayPal (Europe) S.à r.l.	Payment Processing	EU (Luxembourg); US onward transfers under SCCs
Daily.co (Pluot, Inc.)	Video / audio session hosting	US; transfers under GDPR Standard Contractual Clauses
Resend, Inc.	Transactional email delivery	US; transfers under GDPR Standard Contractual Clauses
Functional Software, Inc. (Sentry)	Error monitoring & reliability	US or EU (depending on region); transfers under GDPR Standard Contractual Clauses
Upstash, Inc.	Rate limiting (abuse protection)	EU
Cloudflare, Inc.	DNS resolution & edge protection	Global; transfers under GDPR Standard Contractual Clauses

We use providers that offer GDPR-compliant data processing terms, with Standard Contractual Clauses applied to any onward transfers outside the EU/EEA where required.

8. Data Retention

We keep personal data only as long as is necessary for the purposes for which it was collected, or as long as is required by applicable law. Retention is governed by the principle of data minimisation (GDPR Art. 5(1)(c)).

Active vs. Archived: If a client has not booked a session for 12 consecutive months, their records are moved to a secure archived state — removed from day-to-day systems and held in a restricted-access vault until the applicable retention period ends.

Account & Session Data: up to 3 years after last session (archived after 12 months of inactivity). This aligns with the general civil-law limitation period and is not a clinical-record retention; our services are non-medical and non-therapeutic.
Invoices & Payment Records: 10 years, to comply with commercial bookkeeping and tax obligations (e.g. § 147 AO in Germany; equivalent rules apply in other EU jurisdictions).
Technical Logs: anonymised or deleted after 7 days.
Marketing Data: until consent is withdrawn.
Support & Contact-Form Correspondence: up to 2 years after the last exchange, unless tied to an ongoing matter.

You may request earlier deletion under Art. 17 GDPR; records subject to legal retention (e.g. tax and bookkeeping) will remain in a minimised form until their statutory period ends.

9. Your Rights

Under GDPR, you have the following rights:

Right of Access (Art. 15)

Request a copy of your personal data

Right to Rectification (Art. 16)

Correct inaccurate data

Right to Erasure (Art. 17)

Request deletion of your data

Right to Restrict Processing (Art. 18)

Limit how we use your data

Right to Data Portability (Art. 20)

Receive your data in a portable format

Right to Object (Art. 21)

Object to certain processing activities

To exercise these rights, contact us at: contact@riverstonewillow.com

Right to Lodge a Complaint: You have the right to lodge a complaint with the data protection supervisory authority of your country of residence (or place of work, or place of the alleged infringement) if you consider that the processing of your personal data infringes the GDPR.

10. Cookies & Tracking

Our website uses the following types of cookies:

Essential Cookies: Required for website functionality (no consent needed)
Analytics Cookies: Help us understand how visitors use our site (consent required)

We use Vercel Analytics for privacy-focused website analytics. This tool is designed to be GDPR-compliant and does not use cookies for tracking visitors across websites.

11. Security Measures

We implement the following security measures to protect your data:

TLS/SSL encryption for all data in transit (HTTPS)
AES-256 encryption for data at rest
Authenticated HTTPS access only for remote counsellor work — no client records stored on local devices outside the EU
Regular security audits and vulnerability assessments
Access controls and authentication requirements
Staff training on data protection

12. Children's Privacy

Our services are intended for individuals 18 years of age or older. We do not knowingly collect personal data from children under 16. For minors between 16-18, parental consent is required for counseling services.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or website notice. The “Last Updated” date at the top of this policy indicates when it was last revised.

14. Contact Us

For privacy-related inquiries:

Data Protection Contact

Riverstone & Willow

Email: contact@riverstonewillow.com