Legal
Privacy Policy
Effective June 4, 2026 · Last updated June 4, 2026
Tulua Medical, LLC ("Tulua Medical," "we," "us," or "our") respects your privacy. This Policy explains what we collect when you visit https://tuluamedspa.com, call or text us at (480) 485-4975, book an appointment, interact with our ads on Google, Meta (Facebook/Instagram), TikTok, or other platforms, or receive care at our studio in Gilbert, Arizona.
1. Scope & HIPAA notice
This Policy covers information collected through our website, online booking, contact forms, paid advertising, email, SMS, and phone. It does not replace our separate Notice of Privacy Practices under the Health Insurance Portability and Accountability Act ("HIPAA"), which governs your Protected Health Information ("PHI") — including medical history, treatment notes, photos taken during a visit, lab results, prescriptions, and anything else created or received during clinical care. A printed copy of our HIPAA Notice is provided at your first appointment and is available on request at concierge@tuluamedspa.com.
Marketing data collected on our website (page views, ad clicks, form fills before you become a patient) is generally not PHI and is governed by this Policy.
2. Information we collect
You give us:
- Identifiers: name, email, phone, date of birth, mailing address.
- Booking and intake data: service requested, appointment preferences, referral source, health-history forms, consent forms, before/after photos (with separate written consent).
- Payment data: card details processed by our PCI-compliant payment processor; financing applications submitted directly to Cherry or PatientFi (we never see your full SSN or credit report).
- Communications: SMS, email, voicemail, and chat content you send us.
- Reviews, testimonials, and social media tags that mention us.
We collect automatically:
- Device and browser data (IP address, user agent, screen size, referring URL, language).
- Site activity (pages viewed, time on page, links clicked, scroll depth, form interactions).
- Approximate location derived from IP (city / region only — we do not collect GPS).
- Cookies, pixels, and similar technologies — see Section 7.
We receive from third parties:
- Ad platforms (Google, Meta, TikTok) — reports about which ads you clicked and aggregate conversion data.
- Booking and CRM partners — appointment confirmations and lead data when you contact us through a partner site.
- Public review platforms (Google, Yelp, BBB) — reviews and ratings you post about us.
3. How we use your information
- Schedule, confirm, reschedule, and follow up on appointments.
- Provide medical aesthetic and wellness services.
- Process payments and financing applications.
- Send appointment reminders, post-care instructions, and important account notices.
- Send marketing (only with your consent) — promotions, new services, events.
- Measure ad performance, attribute leads, and improve our website.
- Prevent fraud, enforce our policies, and comply with law.
We do not sell your personal information. We do not use PHI for marketing without your separate, written HIPAA authorization.
4. SMS & text messaging (TCPA / 10DLC disclosure)
Program name: Tulua Medical Patient & Marketing Messaging. Sending number: (480) 485-4975. Operator: Tulua Medical, LLC, Gilbert, AZ.
How you opt in. You opt in to receive text messages from Tulua Medical by (a) checking the SMS consent box on our online booking form, contact form, or VIP card; (b) providing your mobile number on a paper intake form that includes the SMS consent language; or (c) texting us first from your mobile number. At the moment you opt in, we record the exact consent language shown to you, the timestamp, the page URL (for web opt-ins), and the method used. We retain this record for as long as required by the TCPA and carrier rules.
What you agree to. By opting in, you agree that Tulua Medical may send you text messages — including messages sent using an automatic telephone dialing system or other automated technology — at the mobile number you provided. Consent is not a condition of purchase of any goods or services. Message categories include:
- Transactional / care-related: appointment confirmations, reminders, intake links, post-care follow-up, payment receipts, two-way conversations with the front desk.
- Promotional / marketing: specials, events, new services, monthly news. Sent only if you opted in to marketing texts.
Frequency & cost. Message frequency varies based on your appointments and current promotions (typically 2–8 messages per month). Message and data rates may apply depending on your mobile carrier and plan.
How to get help or opt out. Reply HELP at any time for help, or STOP to unsubscribe — you will receive one confirmation message and no further marketing texts. You can also call us at (480) 485-4975 or email concierge@tuluamedspa.com to be removed. Opting out of promotional messages will not stop essential, care-related messages tied to a scheduled appointment; to stop those, cancel the appointment or reply STOP and we will switch you to phone/email only.
Carriers. Supported carriers include AT&T, T-Mobile, Verizon Wireless, Sprint, Boost, U.S. Cellular, MetroPCS, Cricket, Virgin Mobile, and most other U.S. carriers. Carriers are not liable for delayed or undelivered messages.
No sharing of your number or consent. Mobile phone numbers, SMS opt-in data, and the contents of your text messages are never shared, sold, or rented to any third party or affiliate for their own marketing purposes — period. We use OpenPhone / Quo as our business messaging platform under a contract that limits use of your data to delivering messages on our behalf. SMS consent is collected separately from any other agreement and is not bundled with another consent.
Privacy of message content. Two-way text conversations with our team are stored in our business messaging platform and treated as part of your patient communication record. Do not send sensitive medical information by SMS unless you are comfortable doing so; for detailed clinical questions we will move the conversation to phone or the patient portal.
5. Phone calls & voicemail
Calls to and from (480) 485-4975 may be recorded or transcribed for quality, training, scheduling accuracy, and clinical documentation. Arizona is a one-party-consent state; by continuing the call after our greeting notice, you consent to recording. If you do not wish to be recorded, please tell the team member at the start of the call and we will document the call by written note instead.
Voicemails and missed-call data (number, time, duration) are stored in our business phone system and used to return your call.
6. Advertising, retargeting & analytics
We run paid advertising on Google Ads, Meta (Facebook and Instagram), TikTok, and other platforms. To measure performance we use conversion pixels and tags from these providers, plus Google Analytics. These tools may set cookies in your browser and report back:
- That you clicked one of our ads, viewed certain pages, or submitted a form.
- A hashed (one-way encrypted) version of your email or phone — used only to match conversions, never to read your contact info.
- Aggregated audience characteristics so we can show our ads to people similar to our existing visitors.
We do not transmit medical condition, diagnosis, or treatment data to ad networks. Pixels on sensitive pages (e.g., specific health concerns) are configured to send only generic pageview signals, not URL keywords that could reveal health status. We continue to audit this configuration to align with HHS / OCR guidance on online tracking technologies.
You can opt out of personalized ads at: Google Ads Settings, Meta Ad Preferences, TikTok Ad Settings, and optout.aboutads.info. Most browsers also let you send a Global Privacy Control signal, which we honor as an opt-out of sale/sharing.
9. Your rights & choices
Depending on where you live, you may have the right to:
- Request a copy of personal information we hold about you.
- Correct inaccurate information.
- Delete information (subject to legal/medical record retention requirements — Arizona requires us to keep adult medical records for at least 6 years).
- Opt out of marketing email, SMS, and targeted advertising.
- Withdraw a previously given consent (e.g., photo release).
- Appeal a denied request.
California residents (CCPA/CPRA), Colorado, Connecticut, Virginia, and other state-law residents have specific rights, including the right to opt out of "sharing" for cross-context behavioral advertising. To exercise any right, email concierge@tuluamedspa.com or call (480) 485-4975. We will verify your identity before responding and reply within 45 days.
10. Security & retention
We use administrative, technical, and physical safeguards appropriate to the sensitivity of the data — encryption in transit (HTTPS/TLS), encryption at rest in our database and EHR, access controls, audit logging, and staff HIPAA training. No system is perfectly secure; we will notify you of a breach affecting your information as required by law.
We keep marketing data only as long as needed for the purpose described, then delete or de-identify it. Medical records are retained per Arizona law and our HIPAA Notice.
11. Children
Our services are for adults 18 and over. We do not knowingly collect information from anyone under 18 on this website. If you believe a minor has provided information to us, contact concierge@tuluamedspa.com and we will delete it.
12. Changes to this Policy
We may update this Policy as our services, the law, or industry best practices evolve. Material changes will be posted here with a new "Last updated" date, and — when required — communicated by email or SMS to active patients.
13. Contact us
Privacy questions, requests, and complaints:
Tulua Medical, LLCAttn: Privacy Officer
3303 S Lindsay Rd Suite 124
Gilbert, AZ 85297
concierge@tuluamedspa.com · (480) 485-4975
Looking for our HIPAA Notice of Privacy Practices? Request a copy at concierge@tuluamedspa.com or ask the front desk at your next visit. See also our FAQ.



