Med Spa

Privacy Policy

Last updated: April 11, 2026

This Privacy Policy explains how Med Spa ("we", "us") collects, uses, and protects information about you when you use our Service. We take privacy seriously — especially when it comes to photos and any data that could relate to your appearance or health.

1. What We Collect

  • Account data: name, email, password hash, optional phone number, user role.
  • Photos: selfies you upload to generate AI visualizations.
  • Generation data: the treatment you selected, the generated image, metadata about the generation (status, timestamps).
  • Booking data: contact info, preferred date and time slot, notes.
  • Usage data: pages visited, device type, browser, approximate location (from IP). We do not use third-party ad tracking.

2. How We Use Your Data

  • Generate the AI visualization you request.
  • Show you your generation history in your dashboard.
  • Send booking requests to the spa you select, and status updates to you.
  • Operate and secure the Service.
  • Comply with legal obligations.

We do not sell your data. We do not use your photos to train AI models. We do not share your photos with anyone except the AI processor needed to generate your visualization.

3. How Photos Are Processed

When you upload a selfie, it is stored on secure servers and sent to our AI processing partner (OpenAI) solely to generate your requested visualization. OpenAI's API terms prohibit using API inputs to train their models. Uploaded and generated images are stored with server-side encryption. EXIF metadata is stripped on upload so location and device data are not retained.

4. Photo Retention

  • Guest users: uploaded and generated images are deleted automatically within 30 days.
  • Registered users: images are retained until you delete them, either individually or by deleting your account.
  • You can delete any generation or your entire account at any time from your dashboard.

5. Third-Party Processors

We use the following third parties to operate the Service:

  • OpenAI — AI image generation and image face-validation. Receives uploaded photo and treatment prompt.
  • Amazon Web Services (AWS) — hosting, storage (S3), email (SES), SMS (SNS).
  • LocationIQ — geocoding spa addresses (no user data sent).
  • Google Places — business directory data for the initial spa directory (no user data sent).

6. Your Rights

You have the right to:

  • Access the data we hold about you — available via the data export feature in your dashboard.
  • Delete your data — available via the delete-account feature in your dashboard.
  • Correct inaccurate information by editing your profile.
  • Object to certain processing (for example, by not uploading a photo).

7. Children

The Service is restricted to users 18 years of age and older. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, contact us and we will delete it promptly.

8. Health Data & HIPAA

Med Spa is not a covered entity under HIPAA — we are not a healthcare provider. However, we recognize that photos of your face and selections of cosmetic treatments are sensitive. We apply industry-standard security practices, including encryption at rest and in transit, access controls, and the retention limits described above.

9. AI Disclosure

Consistent with emerging state AI transparency laws (including California SB 942 and similar statutes), we clearly label AI-generated content throughout the Service. Every generated image is marked as an "AI Simulation" and accompanied by a disclaimer explaining that the image is not a real photo and not a guaranteed outcome.

10. Cookies

We use essential cookies for session management and CSRF protection. We do not use advertising cookies or third-party tracking pixels.

11. Directory Data

Unclaimed spa listings in our directory are built from publicly available business information sourced from Google Places. Listing owners may claim their profile or request removal at any time; we respond to legitimate removal requests within 24 hours.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service.

13. Contact

Questions about this policy or your data? Contact us through the support link on our site.

We use essential cookies for login and security. No ad tracking. See our privacy policy.