Privacy Policy
Last updated: April 2026
1. Introduction
RHEA ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you visit our website at rhea.pt, use our booking platform at rhea.pt/booking, or engage with our home massage, corporate wellness, and gift card services.
This policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Portuguese data protection framework, including Law No. 58/2019, which implements the GDPR in Portugal.
2. Data Controller
The data controller responsible for your personal data is:
RHEA
Portugal
Email: [email protected]
Website: rhea.pt
For any questions or concerns about your personal data, you can reach our Data Protection contact at [email protected].
3. What Data We Collect
We collect different types of personal data depending on how you interact with RHEA:
3.1 Information You Provide Directly
- Identity data: Full name.
- Contact data: Email address, phone number.
- Service location data: The address where the massage will take place (your home, hotel, or office).
- Health questionnaire data: Information about medical conditions, injuries, allergies, pregnancy status, or other health concerns you disclose before a session. This is classified as special category data under the GDPR and is processed only with your explicit consent to ensure your safety during treatment.
- Booking preferences: Preferred dates, times, service types, and therapist preferences.
- Corporate account data: Company name and contact details for corporate wellness programmes.
- Communication data: Messages you send us via email, WhatsApp, or our website contact forms.
3.2 Information Collected Automatically
- Technical data: IP address, browser type and version, operating system, device type, time zone, and language settings.
- Usage data: Pages visited, time spent on pages, referral source, and navigation paths on our website.
- Cookie data: Information collected through cookies and similar technologies (see Section 8).
3.3 Payment Data
RHEA does not directly collect or store your payment card details. All payments are processed securely through our third-party payment processor via rhea.pt/booking. We receive only confirmation of payment status (successful or failed) and a transaction reference. Please refer to the payment processor's own privacy policy for information on how they handle your payment data.
4. How We Use Your Data
We process your personal data for the following purposes and legal bases:
- To provide our services (contractual necessity) — Processing your bookings, assigning therapists, coordinating session logistics, and delivering massage and wellness services at your location.
- To ensure your safety (explicit consent for health data; legitimate interest) — Reviewing health questionnaire responses so our therapists can adapt or decline treatments when necessary to protect your wellbeing.
- To process payments (contractual necessity) — Managing invoicing, refunds, and gift card redemptions.
- To communicate with you (contractual necessity; legitimate interest) — Sending booking confirmations, reminders, schedule changes, and responding to your enquiries via email or WhatsApp.
- To improve our services (legitimate interest) — Analysing usage patterns on our website, gathering feedback, and refining our offerings.
- To send marketing communications (consent) — Sending promotional emails, special offers, or newsletters. You can opt out at any time by clicking the unsubscribe link in any marketing email or contacting us at [email protected].
- To comply with legal obligations (legal obligation) — Maintaining records required by Portuguese tax, accounting, and consumer protection law.
5. Who We Share Your Data With
We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary:
- RHEA therapists: Your name, service location address, booking details, and relevant health information are shared with the therapist assigned to your session so they can provide the service safely and effectively.
- Supabase: Our backend database provider, used to store booking and account data. Supabase processes data in compliance with the GDPR. For more information, see Supabase's Privacy Policy.
- Vercel: Our website hosting provider. Vercel may process technical data such as IP addresses and request logs. See Vercel's Privacy Policy.
- WhatsApp (Meta): If you choose to contact us or receive communications via WhatsApp, your phone number and message content are processed by Meta Platforms. See WhatsApp's Privacy Policy.
- Trustpilot: If you choose to leave a review, Trustpilot processes your data according to their own policies. We may send your email address to Trustpilot to invite you to leave a review, based on our legitimate interest. See Trustpilot's Privacy Policy.
- Payment processors: Payment data is handled by our third-party payment processor. We do not have access to your full card details.
- Legal and regulatory authorities: We may disclose your data if required by law, court order, or regulatory request, including to the Portuguese tax authority or other competent bodies.
6. International Data Transfers
Some of our service providers (such as Supabase, Vercel, and Meta) may process data outside the European Economic Area (EEA). Where this occurs, we ensure that appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs) or the service provider's adherence to an adequacy decision, to protect your data in accordance with the GDPR.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Booking and service data: Retained for up to 5 years after your last booking, as required for accounting, tax, and legal compliance under Portuguese law.
- Health questionnaire data: Retained for the duration of your active client relationship. Deleted within 12 months of your last session unless a longer retention is required by law.
- Marketing preferences: Retained until you withdraw consent or unsubscribe.
- Technical and cookie data: Retained for up to 13 months from collection, in line with CNPD guidance.
- Communication records: Retained for up to 2 years for quality and dispute resolution purposes.
After the applicable retention period, your data is securely deleted or anonymised.
8. Cookies
Our website uses cookies and similar technologies to enhance your experience and analyse site usage.
8.1 Types of Cookies We Use
- Strictly necessary cookies: Essential for the website to function (e.g., session management, security). These do not require your consent.
- Analytics cookies: Help us understand how visitors interact with our website by collecting information such as pages visited and time on site. These are placed only with your consent.
- Marketing cookies: Used to deliver relevant advertisements and track campaign effectiveness. These are placed only with your consent.
8.2 Managing Cookies
When you first visit our website, you will be presented with a cookie consent banner where you can accept or reject non-essential cookies. You can change your cookie preferences at any time through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.
9. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can ask us to correct any inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): You can request that we delete your personal data, subject to legal retention obligations.
- Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
- Right to data portability: You can request your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
- Right to object: You can object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Where processing is based on your consent (e.g., health data, marketing), you can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: You have the right to file a complaint with the Portuguese National Data Protection Commission (CNPD) at www.cnpd.pt or with another supervisory authority in the EU.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, as required by the GDPR.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit (HTTPS/TLS), access controls limiting data access to authorised personnel, secure hosting infrastructure through Supabase and Vercel, and regular review of our data processing practices.
While we take all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your data.
11. Children's Privacy
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated policy will be posted on this page with a revised "Last updated" date. For significant changes, we will make reasonable efforts to notify you directly (e.g., via email). We encourage you to review this page periodically.
13. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
You may also contact the Portuguese National Data Protection Commission (CNPD):
Comissão Nacional de Protecção de Dados (CNPD)
Website: www.cnpd.pt