Privacy Policy

Last updated: April 1, 2026

1. Who We Are

This Privacy Policy describes how Nick Dan Consulting LLC, doing business as MedSpas AI (“MedSpas AI,” “we,” “us,” or “our”), collects, uses, discloses, and otherwise processes your personal information in connection with the website located at medspas.ai (the “Site”) and the services we provide (collectively, the “Services”).

Nick Dan Consulting LLC is a California limited liability company. For purposes of the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), we are the “Business” responsible for your personal information. For purposes of the EU General Data Protection Regulation (“GDPR”), we are the “Data Controller.”

By accessing or using the Site or Services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Site or Services.

2. HIPAA Compliance

MedSpas AI operates as a HIPAA Business Associate when processing Protected Health Information (“PHI”) on behalf of its clients. All managed service infrastructure is HIPAA-compliant and built on SOC 2 Type 2 certified infrastructure. Self-hosted components run on HIPAA-compliant, SOC 2 Type 2 certified AWS infrastructure. We execute a Business Associate Agreement (“BAA”) with each client before processing any PHI.

All infrastructure and sub-processors involved in the handling of PHI are covered by Business Associate Agreements. We maintain BAAs with all applicable vendors, including cloud hosting, database, communication, and payment processing providers.

2.1 PHI Handling Practices

We implement the following safeguards for all Protected Health Information:

  • All PHI is encrypted at rest and in transit.
  • Row Level Security (“RLS”) is enforced on all patient data tables to ensure data isolation between clients.
  • Audit logging is maintained for all access to PHI.
  • No PHI is used for AI model training.

2.2 Encryption

We use TLS 1.2 or higher for all data in transit. Data at rest is protected with AES-256 encryption across our infrastructure, including Supabase and AWS environments.

3. Information We Collect

3.1 Information You Voluntarily Provide

We collect personal information that you voluntarily provide when you use our Site and Services, including:

  • Contact information: first name, last name, email address, phone number.
  • Business information: Med Spa name, city, state, job title, number of locations.
  • Form submissions: messages submitted through our contact form, referral form, data request form, or communication preferences form.
  • Account information: login credentials if you create an account.
  • Payment information: billing details processed through our third-party payment processors. We do not store full credit card numbers on our servers.
  • Communications: any information you provide when you communicate with us by email, phone, or other channels.

3.2 Information Collected Automatically

When you visit the Site, we automatically collect certain information, including:

  • Device and browser information: device type, operating system, browser type and version, screen resolution.
  • Usage data: pages viewed, time spent on pages, links clicked, referring URL, and general navigation patterns.
  • IP address: your Internet Protocol address, which may indicate your approximate geographic location.
  • Log data: access times, server logs, and error data.

4. How We Use Your Information

4.1 Business Purposes

We use the personal information we collect for the following business purposes:

  • To provide, maintain, and improve our Site and Services.
  • To process and fulfill your requests and transactions.
  • To communicate with you about your account, inquiries, and customer support.
  • To send you transactional emails (receipts, security alerts, service updates).
  • To detect, prevent, and address fraud, security issues, and technical problems.
  • To comply with legal obligations and enforce our Terms of Service.
  • To verify your identity when you submit data requests under applicable privacy laws.

We may use anonymized and aggregated data derived from your information and from client engagements to improve, train, and develop our AI models, tools, and internal systems. This data is stripped of personally identifiable information before use. We do not use raw, identifiable personal information to train AI models.

4.2 Commercial Purposes

With your consent or as otherwise permitted by law, we may use your information for commercial purposes, including:

  • To send you marketing and promotional communications about our Services.
  • To personalize your experience and deliver content relevant to your interests.
  • To analyze usage trends and improve our marketing strategies.

5. Cookies, Tracking, and Analytics

We use minimal tracking technologies on our Site:

  • Vercel Analytics: We use Vercel Web Analytics for privacy-friendly, aggregated analytics. Vercel Analytics does not use cookies and does not track individuals across websites.
  • Cloudflare Turnstile: We use Cloudflare Turnstile for bot detection on our forms. Turnstile may set cookies necessary for its security function. See Cloudflare’s Privacy Policy for details.
  • Calendly: We embed Calendly scheduling widgets on certain pages. Calendly may set cookies to enable booking functionality and analytics. See Calendly’s Privacy Policy for details. By using our scheduling features, you consent to Calendly’s use of cookies as described in their policy.
  • Vidalytics: We embed Vidalytics video players on certain pages. Vidalytics may set cookies to enable video playback and collect viewing analytics. See Vidalytics’ Privacy Policy for details.
  • Essential cookies: We may use strictly necessary cookies for site functionality (session management, authentication). These cannot be disabled.

We do not use third-party advertising cookies. We do not engage in cross-site behavioral advertising. We do not sell your data to advertisers.

6. Sharing of Personal Information

We do not sell your personal information. We may share your personal information in the following circumstances:

  • Service providers: We share information with vendors who perform services on our behalf. These vendors are contractually obligated to use your information only to provide services to us. Our key service providers and their compliance certifications include:
    • AWS: SOC 2 Type 2 certified, HIPAA eligible, BAA signed.
    • Supabase: SOC 2 Type 2 certified, HIPAA add-on enabled, BAA executed.
    • Vercel: SOC 2 Type 2 certified, ISO 27001 certified, HIPAA compliant, BAA executed.
    • Twilio: SOC 2 Type 2 certified, HIPAA eligible (Security Edition), BAA executed.
    • Paubox: HITRUST CSF certified, SOC 2 Type 2 certified, HIPAA-compliant encrypted email, BAA executed.
    • Deepgram: SOC 2 Type 2 certified, speech-to-text processing, BAA executed.
    • Stripe: SOC 2 Type 2 certified, PCI DSS Level 1 compliant. No PHI stored.
  • Legal compliance: We may disclose your information if required by law, regulation, legal process, or governmental request.
  • Protection of rights: We may disclose information when we believe it is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud.
  • Business transfers: If MedSpas AI is involved in a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change.
  • With your consent: We may share your information for any other purpose with your explicit consent.

7. Email Communications and Marketing

If you provide your email address, we may send you marketing and promotional emails. You may opt out of marketing emails at any time by:

Even if you opt out of marketing emails, we may still send you transactional or service-related emails that are necessary to provide the Services (for example, receipts, security alerts, policy changes, and legal notices).

8. Your Privacy Rights: California Residents

If you are a California resident, the CCPA and CPRA provide you with the following rights:

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request that we delete your personal information, subject to certain exceptions.
  • Right to Correct: You have the right to request that we correct inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: You have the right to opt out of the “sale” or “sharing” of your personal information. We do not sell or share your personal information as defined by the CCPA/CPRA.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information. Under California law, sensitive personal information includes social security numbers, financial account details combined with access codes, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail or text messages, genetic data, biometric data, health information, and information about sex life or sexual orientation. We do not intentionally collect sensitive personal information beyond payment-related details necessary to process transactions through our third-party payment processors.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your rights.
  • Right to Appeal: If we deny your verifiable consumer request in whole or in part, you have the right to appeal our decision. We will provide instructions for submitting an appeal in our response to your request.

To submit a request, please visit our Do Not Sell My Info page, use our Contact page, or email legal@medspas.ai. We will verify your identity before processing your request and respond within 45 calendar days.

You may designate an authorized agent to submit a request on your behalf by providing a signed written authorization or a power of attorney. We may require verification of both the agent’s identity and the consumer’s identity before processing the request.

We do not offer financial incentives, price differences, or service differences in exchange for the retention, sale, or sharing of your personal information.

9. Your Privacy Rights: Other U.S. States

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, or other states with comprehensive privacy laws, you may have similar rights to access, delete, correct, and opt out of certain processing of your personal information. To exercise these rights, please contact us. We will process your request in accordance with applicable law.

10. Your Privacy Rights: International Users

If you are located in the European Economic Area (EEA), United Kingdom (UK), or other jurisdictions with data protection laws, you may have the following rights under the GDPR or UK-GDPR:

  • Right of access to your personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure (“right to be forgotten”).
  • Right to restrict processing.
  • Right to data portability.
  • Right to object to processing.
  • Right to withdraw consent at any time (where processing is based on consent).
  • Right to lodge a complaint with a supervisory authority.

Our legal bases include: contract performance (providing Services you requested), legitimate interests (improving our Site, communicating with you), legal compliance (tax and regulatory obligations), and consent (marketing communications). If you wish to exercise your rights, please email legal@medspas.ai.

If we transfer personal data outside the EEA/UK, we implement appropriate safeguards in accordance with applicable data protection law.

11. Children’s Privacy

Our Site and Services are intended for individuals 18 years of age and older. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from an individual under 18, we will promptly delete that information. If you believe someone under 18 has provided us with personal information, please contact us immediately.

12. Data Security

We implement reasonable administrative, technical, and physical security measures to protect your personal information from unauthorized access, use, alteration, and destruction. These measures include encryption in transit (TLS 1.2 or higher over HTTPS), encryption at rest (AES-256, as described in Section 2.2), access controls, rate limiting, bot protection (Cloudflare Turnstile), and secure hosting infrastructure (Vercel, Supabase).

However, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your personal information.

In the event of a security breach involving your unencrypted personal information, we will notify you in accordance with applicable law, including California Civil Code § 1798.82. Notification may be provided by email, postal mail, or by posting a notice on our Site, depending on the circumstances and as permitted by law.

13. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. When we no longer need your information, we will securely delete or anonymize it. Factors we consider in determining retention periods include the nature of the data, the purposes for processing, legal obligations, and business needs. As a general practice, we retain contact information for up to 3 years after your last interaction with us, transactional records for up to 7 years for tax and legal compliance, and aggregated analytics data for up to 24 months.

14. Do Not Track Signals

Some browsers transmit “Do Not Track” (DNT) signals. Because there is no industry standard for DNT, we do not currently respond to DNT signals specifically. However, we do honor the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we will treat it as a valid opt-out request under the CCPA/CPRA.

15. International Users

Our Site and Services are operated from the United States. If you access the Site from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Site, you consent to the transfer of your information to the United States.

16. AI and Automated Systems

MedSpas AI may use artificial intelligence systems, machine learning models, and automation tools (including our proprietary AI Employees, which are systems of AI agents and automations built for Med Spas) to analyze information, generate insights, and improve our services.

These systems may process anonymized or aggregated data for system improvement and operational optimization.

MedSpas AI does not use identifiable personal information or protected health information for AI model training unless explicitly authorized by the client and governed by a separate written agreement such as a Business Associate Agreement.

AI-generated outputs may contain inaccuracies and should not be relied upon as the sole basis for business, operational, or patient-facing decisions. Human oversight and review are required.

MedSpas AI does not provide HIPAA compliance advisory services, regulatory compliance auditing, or legal guidance regarding healthcare privacy laws.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where required by law, provide additional notice (such as by email or a prominent notice on our Site). Your continued use of the Site after any changes indicates your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

18. Contact Us

If you have any questions about this Privacy Policy, your personal information, or wish to exercise your privacy rights, please contact us:

MedSpas AI
2205 Hilltop Dr #1014, Redding, California 96002