Skip to content
AAesthera
Legal

Privacy Policy

Last updated: 2026-05-04

Aesthera ("we", "us") provides medspa management software to clinics and their authorized staff. This page explains, in plain language, what data we collect, how we use it, and the controls you have over it.

What we collect

  • Marketing site visitors: name, email, phone (if provided), clinic name, and the form-field choices you submit. We log IP and user-agent for abuse prevention. Standard analytics events (page views, anonymized scroll/click counts) are recorded so we can improve the site.
  • Clinic accounts (tenant_owner / tenant_provider / tenant_client): the data you enter and the data your clients provide through booking and consent flows — names, contact info, appointments, services rendered, SOAP notes, photos, and payment metadata. This is treated as protected health information (PHI) under HIPAA when it identifies a patient.
  • Authentication: hashed credentials and 2FA factors via Google Identity Platform. We never see your password in plaintext.

How we use it

  • To operate Aesthera for you (booking, charting, billing, marketing).
  • To send transactional email and SMS — sign-in links, appointment reminders, receipts, security alerts. Marketing emails go out only to contacts who haven't opted out (email_consent / sms_consent).
  • To prevent abuse (rate limits, lockout, audit log).
  • To run aggregated analytics for our own product decisions. We never sell or share your data with third parties for advertising.

Subprocessors

The platform runs on services that may process your data on our behalf:

  • Google Cloud (Firestore, Cloud Run, Identity Platform, Vertex AI): hosting, auth, AI drafts. Covered by the Google Cloud BAA on Growth+ tiers.
  • Stripe: payments + Stripe Connect. PCI-DSS Level 1.
  • Twilio: SMS (per-tenant subaccounts). HIPAA-eligible.
  • Resend: transactional email.

HIPAA

We sign a Business Associate Agreement (BAA) with clinics on Growth and Enterprise tiers. The BAA is a separate document — request it via support@aesthera.io.

Your rights

You can request access to, correction of, or deletion of your personal data by emailing support@aesthera.io. Clinics retain ultimate control over their tenant data — we delete on request within 30 days of a verified deletion request, except where retention is legally required.

Contact

Privacy questions: support@aesthera.io. For DMCA or law-enforcement requests, the same address — we'll route appropriately.

This policy may be updated; material changes will be announced by email to clinic owners. Back to home →