Last updated August 10, 2024
This privacy notice for L&P Aesthetics Medical, Inc. (“we,” “us,” or “our”), describes how and why we might collect, store, use, and/or share (“process”) your information when you use our services (“Services”), such as when you:
- Visit our website at https://www.fortheface.com, or any website of ours that links to this privacy notice
- Engage with us in other related ways, including any sales, marketing, or events
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].
Summary Of Key Points
This summary provides key points from our privacy notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.
Data Minimization: We are committed to collecting and processing only the personal information necessary to provide our services and comply with legal obligations. We regularly review our data collection practices to ensure we’re not collecting excessive or unnecessary information. This approach helps us protect your privacy while still delivering high-quality aesthetic medical services.
What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about personal information you disclose to us.
Do we process any sensitive personal information? We may process sensitive personal information when necessary with your consent or as otherwise permitted by applicable law. Learn more about sensitive information we process.
Do we collect any information from third parties? We may collect information from public databases, marketing partners, social media platforms, and other outside sources. Learn more about information collected from other sources.
How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information.
In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties. Learn more about when and with whom we share your personal information.
How do we keep your information safe? We have organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Learn more about how we keep your information safe.
What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. Learn more about your privacy rights.
How do you exercise your rights? The easiest way to exercise your rights is by submitting a data subject access request, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.
Meta Pixel Tracking: We use Meta (Facebook) Pixel on our website for analytics and advertising purposes. This tool may collect and process certain personal information about your online activities.
Want to learn more about what we do with any information we collect? Review the privacy notice in full.
Table Of Contents
1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
4. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
5. HOW LONG DO WE KEEP YOUR INFORMATION?
6. HOW DO WE KEEP YOUR INFORMATION SAFE?
7. DO WE COLLECT INFORMATION FROM MINORS?
8. WHAT ARE YOUR PRIVACY RIGHTS?
9. CONTROLS FOR DO-NOT-TRACK FEATURES
10. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
11. DO WE MAKE UPDATES TO THIS NOTICE?
12. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
13. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
1. What Information Do We Collect?
Personal information you disclose to us
In Short: We collect personal information that you provide to us.
We collect personal information that you voluntarily provide to us when you express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.
Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:
- names
- phone numbers
- email addresses
Sensitive Information. When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information:
- health data
When we collect sensitive personal information, particularly health data, we obtain your explicit consent. This consent is separate from other consents and clearly explains why we need this information and how we’ll use it. You have the right to withdraw this consent at any time, though this may impact our ability to provide certain services.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.
Information automatically collected
In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.
We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.
Like many businesses, we also collect information through cookies and similar technologies.
The information we collect includes:
- Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called “crash dumps”), and hardware settings).
- Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.
Meta Pixel Data Collection
We use Meta (Facebook) Pixel on our website, which collects and processes the following types of data:
- HTTP Headers: Anything present in HTTP headers, including IP address, web browser information, page location, document, referrer and person using the website.
- Pixel-specific Data: Pixel ID and the Facebook Cookie.
- Button Click Data: Any buttons clicked by site visitors, the labels of those buttons and any pages visited as a result of the button clicks.
- Optional Values: Values used for Custom Data events.
- Form Field Names: Website field names like ’email’, ‘address’, ‘quantity’ for when you purchase a product or service.
The Facebook Pixel may also set and read Facebook cookies, which may track your behavior across other websites that also use Facebook Pixel.
Google API
Our use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Information collected from other sources
In Short: We may collect limited data from public databases, marketing partners, and other outside sources.
In order to enhance our ability to provide relevant marketing, offers, and services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, affiliate programs, data providers, and from other third parties. This information includes mailing addresses, job titles, email addresses, phone numbers, intent data (or user behavior data), Internet Protocol (IP) addresses, social media profiles, social media URLs, and custom profiles, for purposes of targeted advertising and event promotion.
2. How Do We Process Your Information?
In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
- To deliver and facilitate delivery of services to the user. We may process your information to provide you with the requested service.
- To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
- To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
- To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.
- To send you marketing and promotional communications. We may process the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time. For more information, see “WHAT ARE YOUR PRIVACY RIGHTS?” below.
- To deliver targeted advertising to you. We may process your information to develop and display personalized content and advertising tailored to your interests, location, and more.
- To evaluate and improve our Services, products, marketing, and your experience. We may process your information when we believe it is necessary to identify usage trends, determine the effectiveness of our promotional campaigns, and to evaluate and improve our Services, products, marketing, and your experience.
- To determine the effectiveness of our marketing and promotional campaigns. We may process your information to better understand how to provide marketing and promotional campaigns that are most relevant to you.
- To comply with our legal obligations. We may process your information to comply with our legal obligations, respond to legal requests, and exercise, establish, or defend our legal rights.
- To enhance our advertising efforts: We use Meta Pixel data to measure the effectiveness of our advertising, understand our audience better, and improve our marketing strategies. This includes using your information for custom audience creation and lookalike audience targeting on Meta platforms.
3. When And With Whom Do We Share Your Personal Information?
In Short: We may share information in specific situations described in this section and/or with the following third parties.
Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents (“third parties”) who perform services for us or on our behalf and require access to such information to do that work.
The third parties we may share personal information with are as follows:
- Advertising, Direct Marketing, and Lead Generation
Facebook Audience Network, Bing Ads, Google AdSense, Google Analytics, Constant Contact, CallRail, Google Tag Manager, GA4, Meta Ads, Instagram Ads, Reddit Ads, Youtube Ads, Yelp Ads, TikTok Ads, Linktree and Linkedin Ads
- Communicate and Chat with Users
Constant Contact and Facebook Customer Chat
- Content Optimization
YouTube video embed, JotForm widget, Instagram embed and Google Site Search
- Data Backup and Security
Google Drive Backup
- Retargeting Platforms
Facebook Remarketing, Facebook Custom Audience, Google Ads Remarketing , Google Analytics Remarketing and LinkedIn Website Retargeting
- Social Media Sharing and Advertising
Facebook advertising, Facebook social plugins, Instagram advertising, LinkedIn advertising, Pinterest advertising, Pinterest social plugins and YouTube social plugins
Meta (Facebook): We share data collected by Meta Pixel with Meta platforms. This data is used for analytics, ad targeting, and measuring ad effectiveness. For more information on how Meta processes this data, please refer to Meta’s Data Policy.
Social Media Privacy: When using social media for marketing purposes, particularly for sharing before and after photos:
- We obtain explicit, written consent from patients before sharing any identifiable images.
- We de-identify all patient information associated with shared images.
- We do not tag or identify patients in any social media posts without their explicit consent.
- Patients can request removal of their images from our social media at any time.
- We regularly review and update our social media privacy settings to ensure maximum protection of patient information.
- Web and Mobile Analytics
Amplitude, Facebook Ads conversion tracking, Facebook Analytics, Google Ads, Google Analytics, Google Tag Manager, Hotjar and WordPress Stats
- Website Hosting
WordPress.com and GoDaddy
- Website Testing
Google Play Console, Visual Website Optimizer , Optimizely and Cloudflare
We also may need to share your personal information in the following situations:
- Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- When we use Google Maps Platform APIs. We may share your information with certain Google Maps Platform APIs (e.g., Google Maps API, Places API).
- Affiliates. We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy notice. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.
- Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.
3A. How Do We Handle Health Information?
As a medical practice, we understand the sensitivity of health information. We comply with the Health Insurance Portability and Accountability Act (HIPAA) in our handling of protected health information (PHI). This includes:
- Maintaining the privacy and security of your health information.
- Providing you with notice of our legal duties and privacy practices regarding health information.
- Following the terms of our notice currently in effect.
- Notifying you following a breach of unsecured PHI.
For more detailed information about our HIPAA practices, please refer to our HIPAA Privacy Policy.
Interplay between HIPAA and CCPA: As a medical practice, we are subject to both HIPAA and CCPA. In general, HIPAA takes precedence over CCPA for protected health information (PHI). This means that for your medical records and other health data, HIPAA rules about privacy, access, and disclosure will apply. For non-medical personal information, such as website usage data or marketing preferences, CCPA rights and protections may apply. If you have questions about which law applies to specific information, please contact us.
To protect sensitive health information, we implement the following measures:
- All health data is encrypted both in transit and at rest using industry-standard encryption protocols.
- Access to health data is strictly limited to authorized personnel on a need-to-know basis.
- We conduct regular security audits and vulnerability assessments of our systems containing sensitive information.
- Our staff undergoes regular HIPAA training to ensure they understand the importance of protecting health information.
3B. International Data Transfers
While we primarily serve clients in the United States, if you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by us and our affiliates in our facilities in the United States and other countries. By using our Services, you consent to any transfer of your information outside of your country. We will ensure that any such international transfers comply with applicable data protection laws and that your information remains protected to the standards described in this privacy policy.
4. Do We Use Cookies And Other Tracking Technologies?
In Short: We may use cookies and other tracking technologies to collect and store your information.
We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.
We also permit third parties and service providers to use online tracking technologies on our Services for analytics and advertising, including to help manage and display advertisements, to tailor advertisements to your interests, or to send abandoned shopping cart reminders (depending on your communication preferences). The third parties and service providers use their technology to provide advertising about products and services tailored to your interests which may appear either on our Services or on other websites.
To the extent these online tracking technologies are deemed to be a “sale”/”sharing” (which includes targeted advertising, as defined under the applicable laws) under applicable US state laws, you can opt out of these online tracking technologies by submitting a request as described below under section “DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?“
Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice.
Google Analytics
We may share your information with Google Analytics to track and analyze the use of the Services. The Google Analytics Advertising Features that we may use include: Remarketing with Google Analytics, Google Analytics Demographics and Interests Reporting and Google Display Network Impressions Reporting. To opt out of being tracked by Google Analytics across the Services, visit https://tools.google.com/dlpage/gaoptout. You can opt out of Google Analytics Advertising Features through Ads Settings and Ad Settings for mobile apps. Other opt out means include http://optout.networkadvertising.org/ and http://www.networkadvertising.org/mobile-choice. For more information on the privacy practices of Google, please visit the Google Privacy & Terms page.
For more detailed information about the cookies we use and your choices regarding cookies, please see our Cookie Policy.
Meta Pixel
We use Meta (Facebook) Pixel, which uses cookies to help us track your activity on our website, understand the effectiveness of our advertising on Meta platforms, and serve targeted advertisements to you on other websites. You can control or opt out of these cookies through your browser settings or through Meta’s ad preferences.
4A. Third-party Links
Our Services may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
4B. Meta Pixel Opt-out
You can opt-out of Meta Pixel tracking by adjusting your browser settings to block third-party cookies or by using Meta’s opt-out tool in your Facebook ad preferences. Please note that opting out of Meta Pixel tracking doesn’t mean you will no longer see ads from us on Meta platforms, but it does mean that the ads you see may be less relevant to your interests.
4C. Telehealth Privacy
If we offer telehealth services:
- We use HIPAA-compliant video conferencing platforms for all telehealth appointments.
- Telehealth sessions are not recorded without your explicit consent.
- Any data transmitted during telehealth sessions is encrypted.
- We advise patients to conduct telehealth sessions in private settings to protect their privacy.
- Telehealth-related data is subject to the same privacy protections as in-person visit data.
5. How Long Do We Keep Your Information?
In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Specific retention periods for different types of data include:
- Health records: Retained for 10 years after last treatment to ensure continuity of care and comply with California’s medical record retention laws.
- Payment information: Retained for 7 years to comply with IRS regulations and to handle any potential billing disputes.
- Website usage data: Retained for 2 years to analyze long-term trends in website usage and improve our online services.
Protection of Financial Information: We take extra precautions to protect financial information:
- All financial transactions are processed through secure, PCI-DSS compliant payment gateways.
- We do not store complete credit card numbers on our servers.
- Access to financial information is strictly limited to authorized personnel.
- Financial data is encrypted both in transit and at rest.
- We regularly conduct security audits of our financial data handling processes.
6. How Do We Keep Your Information Safe?
In Short: We aim to protect your personal information through a system of organizational and technical security measures.
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.
Our security measures include:
- Encryption of data in transit and at rest
- Regular security assessments and penetration testing
- Employee training on data security best practices
- Access controls to limit data access to authorized personnel only
- Regular software updates and patch management
- Use of firewalls and anti-malware software
- Regular employee training on data privacy and security best practices, including HIPAA compliance and handling of sensitive information
Our employees undergo comprehensive privacy training upon hiring and refresher courses at least annually. This training covers HIPAA compliance, proper handling of sensitive medical information, recognition and reporting of potential data breaches, and the specifics of this privacy policy. We maintain records of all employee privacy training completions.
We are committed to continuously improving our privacy and security practices. To this end, we conduct regular privacy impact assessments to identify and mitigate potential risks to personal information. These assessments help us ensure that our practices remain up-to-date with evolving privacy laws and industry best practices.
6A. Data Breach Notification
In the event of a data breach that compromises your personal information:
- For breaches involving Protected Health Information (PHI) under HIPAA:
- We will notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
- If the breach affects 500 or more individuals, we will also notify the Department of Health and Human Services (HHS) and the media.
- For breaches involving personal information under California law:
- We will notify affected California residents in the most expedient time possible and without unreasonable delay.
- If the breach affects more than 500 California residents, we will also notify the California Attorney General.
- For all breaches:
- We will provide notification of what happened, what information was involved, what we are doing to investigate and mitigate the situation, and what you can do to protect yourself.
- We will provide free credit monitoring services if financial or particularly sensitive information was compromised.
We maintain a comprehensive incident response plan that is regularly reviewed and updated. In the event of a data breach, we use a risk assessment framework to determine the potential harm to individuals. This assessment considers factors such as the nature of the compromised data, the likelihood of malicious use, and the potential consequences for affected individuals.
7. Do We Collect Information From Minors?
In Short: We do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly collect, solicit data from, or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. We do not knowingly process data of users under the age of 13. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at [email protected].
In compliance with the Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect personally identifiable information from children under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from children without verification of parental consent, we take steps to remove that information from our servers.
For minors between the ages of 13 and 18, we take additional precautions:
We obtain parental consent before collecting or using personal information from these minors.
Parents have the right to review, delete, or prohibit further collection of their child’s information.
We do not knowingly share personal information of minors with third parties other than those necessary to provide our medical services.
Marketing communications are not sent to minors without parental consent.
Special care is taken to protect the privacy of minors in any before/after photographs or testimonials.
8. What Are Your Privacy Rights?
In Short: You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.
Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section “HOW CAN YOU CONTACT US ABOUT THIS NOTICE?” below.
However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, replying “STOP” or “UNSUBSCRIBE” to the SMS messages that we send, or by contacting us using the details provided in the section “HOW CAN YOU CONTACT US ABOUT THIS NOTICE?” below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.
Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services.
If you have questions or comments about your privacy rights, you may email us at [email protected].
8A. Email Communications And Can-spam Compliance
We are committed to complying with the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM Act) in all our email communications. To that end:
- We never use false or misleading subjects or email addresses.
- We identify the message as an advertisement in some reasonable way.
- We include the physical address of our business headquarters.
- We monitor third-party email marketing services for compliance, if one is used.
- We honor opt-out/unsubscribe requests promptly.
- We allow users to unsubscribe by using the link at the bottom of each email.
If at any time you would like to unsubscribe from receiving future emails, you can email us at [email protected] or follow the instructions at the bottom of each email, and we will promptly remove you from ALL correspondence.
For more information about CAN-SPAM compliance, you can visit the official FTC website: https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business
8B. Fair Information Practices
L&P Aesthetics Medical, Inc. is committed to adhering to the Fair Information Practices Principles. These principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.
In order to be in line with Fair Information Practices, we will take the following responsive actions, should a data breach occur:
- Notice: We will notify you via email within 7 business days of discovering the breach.
- Access: We will provide you access to any of your personal data that we have collected upon request.
- Choice: We will provide you with choices about how we use and share your data.
- Security: We take reasonable precautions to protect personal information from loss, misuse, and unauthorized access.
- Correction: We allow you to correct or update your personal information if it is inaccurate.
The Fair Information Practice Principles are:
- Collection Limitation: We collect only the personal information necessary for the purposes identified.
- Data Quality: We make reasonable efforts to ensure that the personal information we collect is accurate, complete, and up-to-date.
- Purpose Specification: We specify the purposes for which personal information is collected at or before the time of collection.
- Use Limitation: We do not use or disclose personal information for purposes other than those specified, except with the consent of the individual or as required by law.
- Security Safeguards: We protect personal information with appropriate security safeguards against risks such as loss, unauthorized access, destruction, use, modification or disclosure.
- Openness: We maintain a policy of openness about our practices and policies with respect to the management of personal information.
- Individual Participation: We allow individuals to access their personal information and challenge the accuracy and completeness of the information.
- Accountability: We are accountable for complying with these principles.
By adhering to these principles, we demonstrate our commitment to protecting your privacy and handling your personal information responsibly.
For more information about the Fair Information Practice Principles, you can visit the FTC website: https://www.ftc.gov/news-events/news/speeches/fair-information-practice-principles-united-states-historical-context-future-role
9. Controls For Do-not-track Features
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.
California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.
10. Do United States Residents Have Specific Privacy Rights?
In Short: If you are a resident of California, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. More information is provided below.
L&P Aesthetics Medical, Inc. complies with the California Online Privacy Protection Act (CalOPPA). We will not distribute your personal information to outside parties without your consent except as necessary to provide our services or as required by law.
Given our annual revenue and the number of consumers whose personal information we process, L&P Aesthetics Medical, Inc. may not be required to comply with all provisions of the California Consumer Privacy Act (CCPA). However, we voluntarily choose to offer many of the rights provided by the CCPA to all our patients and website visitors as a demonstration of our commitment to privacy. Specifically, we voluntarily offer rights related to data access, deletion, and opt-out of certain data uses.
Categories of Personal Information We Collect
We have collected the following categories of personal information in the past twelve (12) months:
| Category | Examples | Collected |
| A. Identifiers | Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name | YES |
| B. Personal information as defined in the California Customer Records statute | Name, contact information, education, employment, employment history, and financial information | YES |
| C. Protected classification characteristics under state or federal law | Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data | YES |
| D. Commercial information | Transaction information, purchase history, financial details, and payment information | YES |
| E. Biometric information | Fingerprints and voiceprints | NO |
| F. Internet or other similar network activity | Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements | YES |
| G. Geolocation data | Device location | NO |
| H. Audio, electronic, sensory, or similar information | Images and audio, video or call recordings created in connection with our business activities | YES |
| I. Professional or employment-related information | Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us | NO |
| J. Education Information | Student records and directory information | NO |
| K. Inferences drawn from collected personal information | Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics | NO |
| L. Sensitive personal Information | Contents of email or text messages and health data | YES |
We only collect sensitive personal information, as defined by applicable privacy laws or the purposes allowed by law or with your consent. Sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. You may have the right to limit the use or disclosure of your sensitive personal information. We do not collect or process sensitive personal information for the purpose of inferring characteristics about you.
We collect the following additional categories of personal information via Meta Pixel:
- Online identifiers
- Internet or other electronic network activity information
- Inferences drawn from other personal information to create a profile about a consumer
We may also collect other personal information outside of these categories through instances where you interact with us in person, online, or by phone or mail in the context of:
- Receiving help through our customer support channels;
- Participation in customer surveys or contests; and
- Facilitation in the delivery of our Services and to respond to your inquiries.
We will use and retain the collected personal information as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. The duration of retention for specific categories is as follows:
- Category A (Identifiers): We will retain this information for 7 years from the last point of contact or service provision, whichever is later.
- Category B (Personal information as defined in the California Customer Records statute): We will retain this information for 7 years from the last point of contact or service provision, whichever is later.
- Category C (Protected classification characteristics under state or federal law): We will retain this information for 7 years from the last point of contact or service provision, whichever is later.
- Category D (Commercial information): We will retain this information for 10 years to comply with tax and financial record-keeping requirements and to handle any potential disputes or claims.
- Category F (Internet or other similar network activity): We will retain this information for 5 years from the date of collection.
- Category H (Audio, electronic, visual, and similar information): We will retain this information for 7 years from the date of collection or last service provision, whichever is later.
- Category L (Sensitive personal Information): We will retain health data in accordance with HIPAA requirements and state laws, which is typically 10 years from the last date of service or 3 years after a minor patient reaches the age of majority, whichever is later. Other sensitive personal information will be retained for 7 years from the last point of contact or service provision, whichever is later.
For all categories, we may retain the information for a longer period if:
- Retention is required or allowed by law;
- The information is necessary for the establishment, exercise, or defense of legal claims;
- Retention is necessary for legitimate business purposes, such as long-term patient care, analysis of long-term trends, or historical record-keeping;
- You have given consent for extended retention.
These retention periods apply whether you become a patient or simply submit a form or make an inquiry. We retain information from all interactions to handle inquiries, improve our services, maintain comprehensive records for returning patients, and comply with legal obligations.
You may request that we delete your personal information at any time, subject to certain exceptions provided by law. Upon receiving a verified request for deletion, we will delete your personal information from our records unless an exception applies.
We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfill our statutory obligations. We will securely delete or anonymize your personal data when we no longer need it for the purposes we collected it for, or for legal, accounting, or reporting requirements.
Sources of Personal Information
Learn more about the sources of personal information we collect in “WHAT INFORMATION DO WE COLLECT?“
How We Use and Share Personal Information
Learn about how we use your personal information in the section, “HOW DO WE PROCESS YOUR INFORMATION?“
We collect and share your personal information through:
- Targeting cookies/Marketing cookies
- Beacons/Pixels/Tags
- Social media plugins: Instagram Feed by Unlimited Elements. We use social media features, such as a “Like” button, and widgets, such as a “Share” button, in our Services. Such features may process your Internet Protocol (IP) address and track which page you are visiting on our website. We may place a cookie to enable the feature to work correctly. If you are logged in on a certain social media platform and you interact with a widget or button belonging to that social media platform, this information may be recorded to your profile of such social media platform. To avoid this, you should log out from that social media platform before accessing or using the Services. Social media features and widgets may be hosted by a third party or hosted directly on our Services. Your interactions with these features are governed by the privacy notices of the companies that provide them. By clicking on one of these buttons, you agree to the use of this plugin and consequently the transfer of personal information to the corresponding social media service. We have no control over the essence and extent of these transmitted data or their additional processing.
- We use Meta Pixel for analytics and advertising purposes, which involves sharing certain personal information with Meta platforms.
Will your information be shared with anyone else?
We may disclose your personal information with our service providers pursuant to a written contract between us and each service provider. Learn more about how we disclose personal information to in the section, “WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?“
We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be “selling” of your personal information.
We have disclosed the following categories of personal information to third parties for a business or commercial purpose in the preceding twelve (12) months:
- Category A. Identifiers
- Category B. Personal information as defined in the California Customer Records law
- Category C. Characteristics of protected classifications under state or federal law
- Category D. Commercial information
- Category F. Internet or other electronic network activity information
- Category H. Audio, electronic, visual, and similar information
The categories of third parties to whom we disclosed personal information for a business or commercial purpose can be found under “WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?“
We have sold or shared the following categories of personal information to third parties in the preceding twelve (12) months:
The categories of third parties to whom we sold personal information are:
The categories of third parties to whom we shared personal information with are:
- Advertising, Direct Marketing, and Lead Generation
Facebook Audience Network, Bing Ads, Google AdSense, Google Analytics, Constant Contact, CallRail, Google Tag Manager, GA4, Meta Ads, Instagram Ads, Reddit Ads, Youtube Ads, Yelp Ads, TikTok Ads, Linktree and Linkedin Ads
- Retargeting Platforms
Facebook Remarketing, Facebook Custom Audience, Google Ads Remarketing , Google Analytics Remarketing and LinkedIn Website Retargeting
- Social Media Sharing and Advertising
Facebook advertising, Facebook social plugins, Instagram advertising, LinkedIn advertising, Pinterest advertising, Pinterest social plugins and YouTube social plugins
- Web and Mobile Analytics
Amplitude, Facebook Ads conversion tracking, Facebook Analytics, Google Ads, Google Analytics, Google Tag Manager, Hotjar and WordPress Stats
Your Rights
You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:
- Right to know whether or not we are processing your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to request the deletion of your personal data
- Right to obtain a copy of the personal data you previously shared with us
- Right to non-discrimination for exercising your rights
- Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California’s privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects (“profiling”)
Depending upon the state where you live, you may also have the following rights:
- Right to obtain a list of the categories of third parties to which we have disclosed personal data (as permitted by applicable law, including California’s privacy law)
- Right to limit use and disclosure of sensitive personal data (as permitted by applicable law, including California’s privacy law)
How to Exercise Your Rights
To exercise these rights, you can contact us by submitting a data subject access request, by emailing us at [email protected], or by referring to the contact details at the bottom of this document.
You can opt out from the selling of your personal information, targeted advertising, or profiling by disabling cookies in Cookie Preference Settings.
Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.
Request Verification
Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes.
If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request and the agent will need to provide a written and signed permission from you to submit such request on your behalf.
California “Shine The Light” Law
California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section “HOW CAN YOU CONTACT US ABOUT THIS NOTICE?“
Role of the California Privacy Protection Agency (CPPA): The CPPA is responsible for implementing and enforcing the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). While we may not be directly subject to all CCPA/CPRA requirements due to our size, we respect the CPPA’s role in protecting California residents’ privacy rights. The CPPA provides guidelines that inform our privacy practices, and California residents have the right to file complaints with the CPPA if they believe their privacy rights have been violated.
11. Do We Make Updates To This Notice?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this privacy notice from time to time. The updated version will be indicated by an updated “Revised” date at the top of this privacy notice. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.
If we make material changes to this privacy notice, we will notify you either through the email address you have provided us, or by placing a prominent notice on our website at least 7 days prior to the changes taking effect.
We review this privacy policy at least semi-annually to ensure it remains current with our practices, new technologies, and legal requirements. Even if no significant changes are made, we update the “Last updated” date at the top of this policy to reflect our recent review.
12. How Can You Contact Us About This Notice?
If you have questions or comments about this notice, you may email us at [email protected] or contact us by post at:
L&P Aesthetics Medical, Inc.
105 Addison Ave
Palo Alto, CA 94301
United States
12A. Dispute Resolution
If you have any complaints regarding our privacy practices, please contact us at [email protected]. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with this privacy notice and applicable laws. Before initiating arbitration, we are open to participating in non-binding mediation to attempt to resolve any disputes. This can often lead to faster, more cost-effective resolution for all parties involved.
For any unresolved complaints:
- We offer an internal appeal process where a different member of our team will review the complaint.
- If the issue remains unresolved, we agree to participate in the dispute resolution procedures of the American Arbitration Association pursuant to the AAA Healthcare Dispute Resolution Rules.
- You also have the right to contact your local data protection authority or to pursue litigation.
This dispute resolution process is without prejudice to your right to file a complaint with the relevant data protection authority.
13. How Can You Review, Update, Or Delete The Data We Collect From You?
Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please fill out and submit a data subject access request.
ACCESSIBILITY
We are committed to ensuring this privacy policy is accessible to individuals with disabilities. If you wish to access this policy in an alternative format, please contact us at [email protected]. We can provide this policy in large print, Braille, or audio format upon request.
