Privacy Policy

Last updated: April 15, 2026

1. Introduction

This Privacy Policy explains how RHEA collects, uses, shares, stores, and protects personal data of customers, website visitors, gift card recipients, business contacts, therapist applicants, partner therapists, and other individuals who interact with us.

This policy applies to https://www.rhea.pt, the booking platform, forms, communications by email, phone and WhatsApp, marketing campaigns, customer support, and other interactions related to RHEA's business activities.

2. Data controller

Unless otherwise stated, the data controller is:

Entity: RHEA
Website: https://www.rhea.pt
General email: [email protected]
Privacy email: [email protected]

If a data protection officer (DPO) or legally designated representative is appointed, the relevant details will be provided here.

3. Categories of personal data processed

3.1. Identification and contact data

We may process:

name;
email address;
phone number;
service address;
billing details;
customer support and communication history.

3.2. Booking and operational data

We may process:

the type of service requested;
the date, time, duration, and location of the session;
booking preferences;
booking status;
history of cancellations, refunds, incidents, and reviews.

3.3. Health and wellness data

Where necessary for the safety and suitability of the service, we may collect health-related data, including:

injuries, pain, pregnancy, allergies, physical restrictions, relevant medication;
declared contraindications;
areas to avoid and therapeutic preferences.

Such data will only be collected where relevant to the safe provision of the service and on an appropriate legal basis, including explicit consent where required.

3.4. Payment and billing data

We may process transaction data, payment status, payment reference information, tax identification details, and information necessary for issuing invoices. Full card details are, as a rule, processed by payment providers rather than by RHEA.

3.5. Technical and usage data

We may process:

IP address;
device identifiers;
browser, operating system, and language;
pages visited, timestamps, referrer data, and interaction with the website;
data collected by cookies and similar technologies, where applicable.

3.6. Marketing data and preferences

We may process contact preferences, subscriptions, campaign responses, promo code usage, and interactions with newsletters or advertisements.

3.7. Incident and fraud prevention data

We may process information relating to complaints, chargebacks, suspected fraud, abusive use of the platform, account blocks, and information needed to defend the rights of RHEA or third parties.

4. Purposes of processing

We process personal data for the following purposes:

to manage requests, bookings, rescheduling, cancellations, and payments;
to assign the service to a Professional and enable operational delivery of the session;
to contact the Customer regarding bookings, support, and incidents;
to collect and manage information necessary for service safety;
to prevent fraud, abuse, inappropriate conduct, and operational risk;
to issue invoices and comply with accounting, tax, and legal obligations;
to manage reviews, quality control, and service improvement;
to send marketing communications where a valid legal basis exists;
to manage disputes, complaints, audits, and the establishment, exercise, or defense of legal claims.

5. Legal bases for processing

Depending on the context, we process personal data on the basis of:

performance of a contract or pre-contractual steps;
compliance with legal obligations;
legitimate interests pursued by RHEA, including safety, fraud prevention, service improvement, incident handling, and legal defense;
consent, where required, including for certain marketing communications and for certain special categories of data such as health data;
the establishment, exercise, or defense of legal claims, where applicable.

6. Processing of health data

Health-related data may constitute special-category personal data under data protection law.

RHEA seeks to limit collection of such data to the minimum necessary to assess whether the service can be delivered safely. Where required, such processing is based on the data subject's explicit consent. Failure to provide relevant health information may make it impossible to provide the service safely.

Health data may be shared with the Professional responsible for the session only to the extent strictly necessary for safe delivery of the service.

RHEA does not use health data for behavioral marketing, sensitive commercial profiling, or sale to third parties.

7. Sharing of personal data

We may share personal data with:

7.1. Independent Professionals

Name, contact details, service address, booking-related operational data, and, where necessary, health information relevant to the safety and suitability of the service.

7.2. Service providers / processors

Including providers of hosting, cloud services, databases, CRM, automation, communications, analytics, customer support, billing, and payments, who process data on our behalf under appropriate contractual safeguards.

7.3. Payment providers

For authentication, payment collection, fraud prevention, processing, and financial reconciliation.

7.4. Marketing and technology partners

Only where an appropriate legal basis exists and within applicable limits, including in connection with pixels, consent management, advertising campaigns, and performance measurement.

7.5. Authorities, insurers, advisors, and courts

Where necessary to comply with law, respond to valid requests, investigate incidents, prevent fraud, manage claims, or establish, exercise, or defend legal rights.

RHEA does not sell personal data to third parties.

8. International transfers

Where personal data is processed outside the European Economic Area, RHEA will implement legally appropriate safeguards, such as adequacy decisions, standard contractual clauses, or equivalent measures, where required.

9. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including:

account and booking data: for the period necessary to manage the contractual relationship and related complaints;
billing data: for the legally required retention period;
marketing data: until objection or withdrawal of consent, where applicable;
incident/fraud data: for as long as necessary for investigation, legal defense, and legal compliance;
health data: only for the period strictly necessary for safety and service-management purposes, subject to minimization and appropriate internal retention standards.

Specific retention periods may vary depending on the type of data, legal obligations, limitation periods, and evidentiary needs.

10. Cookies and similar technologies

The website may use strictly necessary, functional, analytical, and marketing cookies.

Non-essential cookies will only be used in accordance with applicable law and, where required, with the user's consent through the relevant consent management platform.

Users may generally configure their browser to block or delete cookies, although doing so may affect website functionality.

11. Security

RHEA implements reasonable and proportionate technical and organizational measures to protect personal data, including access controls, encryption where appropriate, permission segregation, activity logs, vendor management, and incident response measures.

Despite these efforts, no system is completely infallible. If a personal data breach occurs that is likely to pose a relevant risk, RHEA will act in accordance with applicable legal requirements.

12. Data subject rights

Under applicable law, data subjects may, where applicable, exercise the following rights:

access;
rectification;
erasure;
restriction of processing;
objection;
data portability;
withdrawal of consent at any time, without affecting the lawfulness of prior processing;
the right to lodge a complaint with the competent supervisory authority.

To exercise your rights, contact: [email protected].

RHEA may request reasonable proof of identity before responding to a request.

13. Marketing

RHEA may send marketing communications by electronic means where consent exists or another lawful basis permits it. The data subject may object or withdraw consent at any time through the unsubscribe link, account settings, or direct contact.

14. Children's data

RHEA does not intentionally direct its platform to children. If we become aware that children's personal data has been collected without an appropriate legal basis, we will take reasonable steps to delete such data.

15. Sources of data

Personal data may be obtained:

directly from the data subject;
through use of the website and platform;
through payment providers and technology tools;
through complaints, support interactions, reviews, and communications;
through third parties authorized to make bookings on the Customer's behalf.

16. Automated decision-making

RHEA may use operational automations and anti-fraud mechanisms for triage, risk scoring, abuse prevention, anomaly detection, and booking management. As a rule, such mechanisms are not intended to produce solely automated decisions with legal or similarly significant effects without adequate human involvement; where they do and the law so requires, RHEA will ensure the rights provided by law.

17. Third-party sites and services

The website may contain links to third-party websites, platforms, or services. RHEA does not control their privacy practices, and users should review the privacy policies of those third parties.

18. Complaints and supervisory authority

Without prejudice to any other remedy, data subjects may lodge a complaint with the competent supervisory authority in Portugal, namely the CNPD — Comissão Nacional de Proteção de Dados.

19. Changes to this policy

RHEA may update this Privacy Policy at any time. The current version will be published on the website together with the relevant revision date.

20. Contact details

For privacy questions or to exercise your rights:

Privacy email: [email protected]
General email: [email protected]
Website: https://www.rhea.pt