Privacy Policy

Last updated: 19 May 2026

Version 3.0

1. Data Controller

Wholeding Ltd, 11 Triq Giovanni Ricasoli, KKR106 Kalkara, Malta is the data controller responsible for your personal data. For any privacy-related enquiries, contact us at privacy@wholeding.eu.

2. Personal Data We Collect

We collect the following categories of personal data:

Account data: full name, email address, date of birth (for age verification), preferred language, and timezone.

Provider professional data: professional biography, specialisations, spoken languages, years of experience, profile photo, session pricing, availability schedule, and professional credentials.

Booking and session data: session date/time, duration, format (e.g. individual or couples), booking status, cancellation reasons, and rescheduling history.

Payment data: payment amounts, currency, and transaction references. We do not store your card details — these are processed directly by Stripe and never reach our servers.

Communication data: contact form submissions and email delivery records for transactional notifications (booking confirmations, session reminders).

Matching quiz data: your answers to our therapist-matching quiz are collected anonymously. We cannot link quiz responses to your identity. This data is used solely for matching you with a suitable therapist and for improving the matching experience.

Technical data: authentication session tokens, IP address (for security monitoring), and browser information (for bot protection).

Analytics and advertising data (with consent): when you accept analytics and advertising cookies, we collect pseudonymous interaction events (pages visited, clicks on key call-to-action elements, language switches, performance metrics such as Core Web Vitals) and conversion data (which Google Ads click led to a booking). For authenticated clients, this data is associated with an opaque internal user ID; administrators and providers are excluded from this tracking. See our Cookie Policy for the full list of cookies and configuration details.

Administrative and security logs: we maintain internal audit logs recording administrator actions (with IP address and timestamp) and security event logs (authentication attempts, rate limit triggers, and suspicious activity). These logs protect the platform and help us investigate incidents.

Prospective provider data: if you are invited to join as a provider, we temporarily retain your name, email address, and professional credentials for up to 24 hours to process the invitation.

3. How and Why We Use Your Data

We process your personal data for the following purposes and legal bases:

Service delivery (legal basis: contract, Art. 6(1)(b)): creating and managing your account, matching you with therapists, scheduling and managing bookings, processing payments, and delivering session links.

Communication (legal basis: contract, Art. 6(1)(b)): sending booking confirmations, session reminders, and account notifications. These are transactional emails necessary for the service.

Age verification (legal basis: legal obligation, Art. 6(1)(c)): verifying you meet the minimum age requirement to use the platform.

Financial record-keeping (legal basis: legal obligation, Art. 6(1)(c)): retaining payment records as required by tax and financial regulations.

Security and fraud prevention (legal basis: legitimate interest, Art. 6(1)(f)): monitoring for suspicious activity, logging administrative actions, recording security events, and using bot protection on forms.

Analytics and conversion measurement (legal basis: consent, Art. 6(1)(a)): measuring how visitors discover and use the platform, assessing the performance of marketing campaigns and the booking funnel, and informing improvements to the user experience. This processing only takes place after you grant consent via the cookie banner; you may withdraw consent at any time with the same ease.

Platform improvement (legal basis: legitimate interest, Art. 6(1)(f)): analysing anonymous quiz data and aggregated usage patterns to improve the matching algorithm and user experience.

4. Third-Party Processors

We share personal data with the following trusted third-party processors, each of which processes data on our behalf under a Data Processing Agreement:

Supabase (database and authentication hosting) — hosts all platform data in the EU (Frankfurt). Receives: all account data, booking data, and authentication credentials.

Stripe (payment processing) — processes payments and provider payouts. Receives: email address, payment amounts, and booking reference IDs. Card details are handled directly by Stripe's secure payment form and never touch our servers. Stripe retains transaction data for a minimum of 7 years as required by financial regulations — this data cannot be deleted upon account closure.

Google (Calendar and Meet) — when a provider connects their Google Calendar, we create calendar events for booked sessions. Receives: session date/time, participant email addresses, and a booking reference. Google Meet links are generated for video sessions. This integration is optional and requires the provider's explicit consent via Google's OAuth consent screen.

Google (Analytics and Ads) — with your consent, we use Google Analytics 4 (G-N8J2V47W6K) and Google Ads (AW-18159589539) to measure site usage, performance, and the effectiveness of paid campaigns. Receives: pseudonymous interaction events, page paths, language, screen size, anonymised IP-derived approximate location, an opaque internal user ID for authenticated clients, and conversion data. Google Signals is disabled, so no cross-device or demographic tracking based on signed-in Google profiles is performed. See our Cookie Policy for full details, including the cookies set and retention periods.

Resend (email delivery) — delivers transactional emails on our behalf. Receives: recipient email address, name, and email content (booking details, session times). Resend does not retain email content after delivery. Delivery logs are retained for approximately 30 days.

Cloudflare (bot protection) — provides CAPTCHA protection on sign-up, sign-in, and contact forms via Cloudflare Turnstile. This is a privacy-focused alternative to traditional CAPTCHAs that does not use tracking cookies. Cloudflare may collect IP address and browser interaction data to verify you are human.

Vercel (planned: web performance monitoring) — Not currently active. We have integrated the infrastructure for Vercel Analytics and Speed Insights, but no data is currently being sent to Vercel. When enabled in the future, this service will be opt-in via our cookie consent banner, and we will update this Privacy Policy before activation.

We do not sell your personal data to any third party. Data is shared only as described above and only to the extent necessary to deliver our services.

5. International Data Transfers

Your data is primarily stored in the EU (Frankfurt) via Supabase. Some of our processors are based in the United States:

  • Stripe — protected by EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework
  • Google (Calendar, Meet, Analytics, Ads) — protected by EU SCCs and the EU-US Data Privacy Framework
  • Resend — protected by EU SCCs
  • Cloudflare — protected by EU SCCs and the EU-US Data Privacy Framework

These mechanisms ensure your data receives an adequate level of protection as required by GDPR Chapter V.

6. Data Retention

We retain your personal data for the following periods:

  • Account and profile data: retained for the lifetime of your account. Deleted when you request account deletion.
  • Booking and session data: retained for the lifetime of your account. Deleted when either party's account is removed.
  • Payment references: retained for up to 10 years after the transaction, as required by tax and financial regulations. This applies even after account deletion.
  • Email delivery records: automatically purged after 7 days.
  • Security and audit logs: retained for 1 year in our operational systems, then archived for a further 2 years before deletion (3 years total).
  • Webhook event data: stripped of detailed content after processing and automatically purged after 30 days.
  • Provider invitations: valid for 24 hours, then automatically purged.
  • Anonymous quiz data: retained indefinitely for improving the matching experience. Since this data is anonymous, it cannot be linked to you and is not affected by account deletion.
  • Google Analytics event data: retained for 14 months by Google, after which event-level data is automatically deleted. Aggregated reports remain available beyond that period.
  • Google Ads attribution data: the _gcl_* cookies expire after 90 days, after which they can no longer be used to attribute a conversion to a click.

When you delete your account, all personal data linked to your account is permanently removed from our systems, except where we have a legal obligation to retain it (e.g. financial records) or where a third-party processor retains data independently (e.g. Stripe transaction records).

7. Cookies and Tracking

We use the following cookies and tracking technologies:

Strictly necessary (no consent required):

  • Authentication session cookies — managed by Supabase to keep you signed in
  • Cookie consent preference — records whether you have accepted or rejected optional cookies

Bot protection (legitimate interest):

  • Cloudflare Turnstile — a privacy-focused CAPTCHA that does not set tracking cookies. Used on sign-up, sign-in, and contact forms to prevent automated abuse.

Analytics and advertising (with consent):

  • Google Analytics 4 — measures site usage and performance. Sets the _ga, _ga_N8J2V47W6K and (in some configurations) _gid cookies.
  • Google Ads — measures the effectiveness of paid campaigns. Sets the _gcl_au, _gcl_aw and _gcl_dc cookies.

A single consent toggle in the cookie banner covers both analytics and advertising. We use Google Consent Mode v2, so before consent these tags load in a restricted, cookieless mode and transmit no measurement or advertising data. You can withdraw consent at any time. Full details — including expiry periods and how data is configured — are in our Cookie Policy.

8. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights under GDPR:

  • Right of access (Art. 15): request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): correct inaccurate personal data. You can update your profile information directly in your account settings.
  • Right to erasure (Art. 17): request deletion of your personal data. Note that some data may be retained where we have a legal obligation (e.g. financial records).
  • Right to restriction (Art. 18): request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): receive your personal data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest. We will stop processing unless we have compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): where processing is based on consent (such as analytics and advertising cookies), you may withdraw your consent at any time, with the same ease with which it was given, via the cookie preferences control.

How to exercise your rights: send your request to privacy@wholeding.eu. We will respond within 30 days. We may ask you to verify your identity before processing your request.

Right to lodge a complaint: if you are unsatisfied with how we handle your data, you have the right to lodge a complaint with your local data protection authority. For Malta, this is the Office of the Information and Data Protection Commissioner (IDPC) at idpc.org.mt.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • All data is encrypted in transit (HTTPS/TLS) and at rest
  • Sensitive tokens (e.g. Google OAuth refresh tokens) are encrypted at the application level before storage
  • Row-level security policies restrict database access to authorised users only
  • Administrative actions are logged in an audit trail with timestamps and IP addresses
  • Authentication uses PKCE OAuth flow and bcrypt password hashing
  • Bot protection prevents automated abuse of forms and authentication

10. Automated Decision-Making

Our therapist-matching quiz uses your answers to suggest suitable providers. This matching is performed on anonymous data and produces a non-binding recommendation — you are free to choose any available provider. No automated decisions with legal or similarly significant effect are made about you.

11. Children's Privacy

Wholeding is not intended for individuals under the age of 18. We collect date of birth to verify age eligibility. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the date at the top of this page and, where appropriate, by email. We encourage you to review this page periodically.

13. Contact

For any questions about this Privacy Policy or to exercise your data protection rights, contact us at:

Wholeding Ltd
11 Triq Giovanni Ricasoli
KKR106 Kalkara, Malta

Email: privacy@wholeding.eu

We use cookies to ensure our platform works properly. You can choose which optional cookies to allow. Privacy Policy and Cookie Policy.