Privacy Policy

Last updated: February 11, 2026. These policies are subject to change.

1. Introduction

This Privacy Policy describes how MedSpa CRM ("we," "us," or "our"), a cloud-based practice management platform operated by CodeCanvas Collective, collects, uses, discloses, and protects your personal information when you use our services.

MedSpa CRM is a multi-tenant medical software-as-a-service (SaaS) platform. Our customers are tattoo removal clinics, medical spas, and aesthetic practices ("Clinic Customers"). Their patients, staff, and end-users ("End Users") may interact with our platform through their clinic's use of our services.

By using our services, you agree to the collection and use of information in accordance with this policy. Please also review our Terms of Service and Cookie Policy.

Notice to Patients

If you are a patient at a clinic that uses MedSpa CRM, your clinic or healthcare provider controls your patient information, including your contact details, medical history, treatment records, and photos. Please contact your clinic directly for questions about how your health information is used or to exercise your patient privacy rights. Your clinic's own Notice of Privacy Practices (NPP) governs the use and disclosure of your protected health information. We process patient data on behalf of clinics as a service provider under a Business Associate Agreement.

2. Who We Are

MedSpa CRM is developed and operated by CodeCanvas Collective. We provide cloud-based practice management software for tattoo removal and aesthetic clinics, including appointment scheduling, patient management, treatment tracking, payment processing, and communications.

3. Information We Collect

We collect the following categories of information:

3.1 Account Information

When Clinic Customers register, we collect names, email addresses, phone numbers, business information, and login credentials.

3.2 Clinic & Patient Data

Clinic Customers enter patient information into our platform, which may include names, contact information, medical history, treatment records, consent forms, and payment information. Clinics are the data controllers for their patient data — we process this data on their behalf as a data processor/service provider.

3.3 Photos & Biometric-Adjacent Data

Our platform allows Clinic Customers to upload and store clinical photographs (such as before-and-after treatment photos) as part of patient treatment records. These images may contain identifiable facial or body features. This data is stored using HIPAA-compliant encrypted storage, accessible only to the Clinic Customer who uploaded it, and is governed by the Business Associate Agreement between us and the clinic. We do not use patient photos for any purpose other than providing the platform service to the clinic. We do not perform facial recognition, biometric analysis, or any automated processing of these images.

3.4 Usage Data

We automatically collect information about how you interact with our platform, including IP addresses, browser type, pages visited, access times, and referring URLs.

3.5 Cookies & Similar Technologies

We use cookies and similar technologies for authentication, preferences, and platform functionality. See our Cookie Policy for details.

4. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve our platform
  • Process transactions and send related information
  • Send appointment reminders, notifications, and service updates via SMS, email, or in-app messaging
  • Respond to support requests and customer service inquiries
  • Monitor and analyze usage patterns and trends
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations, including HIPAA

5. SMS/Text Messaging

Our platform enables Clinic Customers to send SMS/text messages to their patients for appointment reminders, notifications, and other service-related communications.

Mobile phone numbers are collected by Clinic Customers and stored in our platform for the purpose of delivering these communications via our SMS service provider (Twilio).

Mobile information will NOT be shared with or sold to third parties for marketing or promotional purposes. Mobile phone numbers are used solely for service-related communications initiated by your healthcare provider.

Patients may opt out of SMS communications at any time by replying STOP to any message. For help, reply HELP or contact [email protected]. Message frequency varies based on appointment schedule and account activity. Message and data rates may apply.

6. HIPAA & Protected Health Information

As a platform that processes health-related data on behalf of healthcare providers, we recognize our obligations under the Health Insurance Portability and Accountability Act (HIPAA).

  • Business Associate Agreements (BAAs): We enter into BAAs with our Clinic Customers as required by HIPAA. BAAs are available upon request.
  • Protected Health Information (PHI): Any PHI stored on our platform is governed by the BAA between us and the Clinic Customer, and the clinic's own Notice of Privacy Practices (NPP) governs how patient data is used.
  • Shared Responsibility: We are responsible for safeguarding PHI on our platform. Clinic Customers are responsible for ensuring they have proper patient authorizations and comply with their own HIPAA obligations.

7. Third-Party Service Providers

We use the following third-party services to operate our platform:

  • Twilio — SMS/text message delivery
  • Square — Payment processing
  • MinIO/S3-compatible storage — File and document storage
  • Email service provider — Transactional email delivery

These providers only process data as necessary to perform their services and are bound by their own privacy policies and, where applicable, data processing agreements.

8. Data Sharing & Disclosure

We do not sell your personal information. We may share information only in the following circumstances:

  • With Clinic Customers: Patient data is accessible to the Clinic Customer who entered it
  • Service Providers: As described in Section 7, to operate our platform
  • Legal Requirements: When required by law, subpoena, court order, or government request
  • Safety: To protect the rights, safety, or property of our users or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice)

9. Do Not Sell or Share My Personal Information

We do not sell or share your personal information for cross-context behavioral advertising as defined by the California Consumer Privacy Act (CCPA/CPRA) or any other applicable state privacy law.

If you are a California resident and wish to exercise your rights under the CCPA/CPRA, please contact us at [email protected].

10. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption at rest using AES-256-GCM for sensitive data
  • Encryption in transit using TLS (HTTPS) for all communications
  • Multi-factor authentication (MFA) support for user accounts
  • Audit logging of access to sensitive data and administrative actions
  • Row-level security (RLS) in PostgreSQL ensuring strict tenant data isolation
  • Regular security reviews and updates

No method of electronic storage or transmission is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

11. Data Retention

We retain personal information for as long as your account is active or as needed to provide services. Clinic Customer data is retained for the duration of the service agreement. Upon account termination, data may be retained for a reasonable period to comply with legal obligations, resolve disputes, and enforce agreements. Under HIPAA, records containing protected health information must be retained for a minimum of six (6) years from the date of creation or the date when they were last in effect, whichever is later.

Clinic Customers may request data export or deletion in accordance with their service agreement and applicable law.

12. Your Privacy Rights

12.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of your personal information
  • Opt out of the sale or sharing of personal information (we do not sell or share)
  • Non-discrimination for exercising your privacy rights
  • Correct inaccurate personal information
  • Limit use of sensitive personal information

12.2 Other U.S. State Privacy Laws

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have similar rights to access, correct, delete, and port their data. Contact us to exercise these rights.

12.3 European Economic Area (GDPR)

If you are located in the EEA, you may have additional rights under the General Data Protection Regulation, including the right to access, rectification, erasure, data portability, restriction of processing, and objection to processing. Our platform is primarily directed at U.S.-based clinics, but we will honor GDPR requests where applicable.

12.4 Exercising Your Rights

To exercise any privacy rights, contact us at [email protected]. We will respond within the timeframes required by applicable law. Note that for patient data entered by Clinic Customers, you may need to contact your healthcare provider directly, as they are the data controller.

13. Children's Privacy

Our services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or in-app notification. The "Last updated" date at the top indicates when this policy was last revised.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

CodeCanvas Collective
MedSpa CRM Platform