Privacy Policy
Effective May 30, 2026 · Last updated May 30, 2026
Tulua Medical, LLC ("Tulua Medspa," "we," "us," or "our") respects your privacy. This Policy explains what we collect when you visit https://tuluamedspa.com, call or text us at (480) 485-4975, book an appointment, interact with our ads on Google, Meta (Facebook/Instagram), TikTok, or other platforms, or receive care at our studio in Gilbert, Arizona.
1. Scope & HIPAA notice
This Policy covers information collected through our website, online booking, contact forms, paid advertising, email, SMS, and phone. It does not replace our separate Notice of Privacy Practices under the Health Insurance Portability and Accountability Act ("HIPAA"), which governs your Protected Health Information ("PHI") — including medical history, treatment notes, photos taken during a visit, lab results, prescriptions, and anything else created or received during clinical care. A printed copy of our HIPAA Notice is provided at your first appointment and is available on request at concierge@tuluamedspa.com.
Marketing data collected on our website (page views, ad clicks, form fills before you become a patient) is generally not PHI and is governed by this Policy.
2. Information we collect
You give us:
- Identifiers: name, email, phone, date of birth, mailing address.
- Booking and intake data: service requested, appointment preferences, referral source, health-history forms, consent forms, before/after photos (with separate written consent).
- Payment data: card details processed by our PCI-compliant payment processor; financing applications submitted directly to Cherry or PatientFi (we never see your full SSN or credit report).
- Communications: SMS, email, voicemail, and chat content you send us.
- Reviews, testimonials, and social media tags that mention us.
We collect automatically:
- Device and browser data (IP address, user agent, screen size, referring URL, language).
- Site activity (pages viewed, time on page, links clicked, scroll depth, form interactions).
- Approximate location derived from IP (city / region only — we do not collect GPS).
- Cookies, pixels, and similar technologies — see Section 7.
We receive from third parties:
- Ad platforms (Google, Meta, TikTok) — reports about which ads you clicked and aggregate conversion data.
- Booking and CRM partners — appointment confirmations and lead data when you contact us through a partner site.
- Public review platforms (Google, Yelp, BBB) — reviews and ratings you post about us.
3. How we use your information
- Schedule, confirm, reschedule, and follow up on appointments.
- Provide medical aesthetic and wellness services.
- Process payments and financing applications.
- Send appointment reminders, post-care instructions, and important account notices.
- Send marketing (only with your consent) — promotions, new services, events.
- Measure ad performance, attribute leads, and improve our website.
- Prevent fraud, enforce our policies, and comply with law.
We do not sell your personal information. We do not use PHI for marketing without your separate, written HIPAA authorization.
4. SMS & text messaging (TCPA disclosure)
When you give us your mobile number — by booking, filling out a form, or texting us first — you agree that Tulua Medspa may send you text messages related to your care and our services. Message categories include:
- Transactional: appointment confirmations, reminders, intake links, post-care follow-up, payment receipts. These continue as long as you are an active patient.
- Promotional: specials, events, and new-service announcements. Sent only if you opt in.
Message frequency varies. Message and data rates may apply. Reply HELP for help or STOP to unsubscribe at any time. You can also call us at (480) 485-4975 or email concierge@tuluamedspa.com to be removed. Opting out of promotional texts will not stop essential appointment-related messages while you have a scheduled visit.
We use OpenPhone / Quo as our business messaging platform. We do not share your mobile number or SMS opt-in data with third parties or affiliates for their marketing. SMS consent is collected separately from any other agreement and is not a condition of purchase.
5. Phone calls & voicemail
Calls to and from (480) 485-4975 may be recorded or transcribed for quality, training, scheduling accuracy, and clinical documentation. Arizona is a one-party-consent state; by continuing the call after our greeting notice, you consent to recording. If you do not wish to be recorded, please tell the team member at the start of the call and we will document the call by written note instead.
Voicemails and missed-call data (number, time, duration) are stored in our business phone system and used to return your call.
6. Advertising, retargeting & analytics
We run paid advertising on Google Ads, Meta (Facebook and Instagram), TikTok, and other platforms. To measure performance we use conversion pixels and tags from these providers, plus Google Analytics. These tools may set cookies in your browser and report back:
- That you clicked one of our ads, viewed certain pages, or submitted a form.
- A hashed (one-way encrypted) version of your email or phone — used only to match conversions, never to read your contact info.
- Aggregated audience characteristics so we can show our ads to people similar to our existing visitors.
We do not transmit medical condition, diagnosis, or treatment data to ad networks. Pixels on sensitive pages (e.g., specific health concerns) are configured to send only generic pageview signals, not URL keywords that could reveal health status. We continue to audit this configuration to align with HHS / OCR guidance on online tracking technologies.
You can opt out of personalized ads at: Google Ads Settings, Meta Ad Preferences, TikTok Ad Settings, and optout.aboutads.info. Most browsers also let you send a Global Privacy Control signal, which we honor as an opt-out of sale/sharing.
9. Your rights & choices
Depending on where you live, you may have the right to:
- Request a copy of personal information we hold about you.
- Correct inaccurate information.
- Delete information (subject to legal/medical record retention requirements — Arizona requires us to keep adult medical records for at least 6 years).
- Opt out of marketing email, SMS, and targeted advertising.
- Withdraw a previously given consent (e.g., photo release).
- Appeal a denied request.
California residents (CCPA/CPRA), Colorado, Connecticut, Virginia, and other state-law residents have specific rights, including the right to opt out of "sharing" for cross-context behavioral advertising. To exercise any right, email concierge@tuluamedspa.com or call (480) 485-4975. We will verify your identity before responding and reply within 45 days.
10. Security & retention
We use administrative, technical, and physical safeguards appropriate to the sensitivity of the data — encryption in transit (HTTPS/TLS), encryption at rest in our database and EHR, access controls, audit logging, and staff HIPAA training. No system is perfectly secure; we will notify you of a breach affecting your information as required by law.
We keep marketing data only as long as needed for the purpose described, then delete or de-identify it. Medical records are retained per Arizona law and our HIPAA Notice.
11. Children
Our services are for adults 18 and over. We do not knowingly collect information from anyone under 18 on this website. If you believe a minor has provided information to us, contact concierge@tuluamedspa.com and we will delete it.
12. Changes to this Policy
We may update this Policy as our services, the law, or industry best practices evolve. Material changes will be posted here with a new "Last updated" date, and — when required — communicated by email or SMS to active patients.
13. Contact us
Privacy questions, requests, and complaints:
Tulua Medical, LLC
Attn: Privacy Officer
inside Aesthetic Studios, 3303 S Lindsay Rd Suite 124 Room 6
Gilbert, AZ 85297
concierge@tuluamedspa.com · (480) 485-4975
Looking for our HIPAA Notice of Privacy Practices? Request a copy at concierge@tuluamedspa.com or ask the front desk at your next visit. See also our FAQ.



