Privacy Policy
Your privacy matters to us. This policy explains how MedSpa Oversight collects, uses, and protects your information.
Last updated: May 13, 2026
Introduction
MedSpa Oversight, Inc. ("MedSpa Oversight," "we," "us," or "our") operates the MedSpa Oversight platform, which facilitates medical clearance video consultations between healthcare clinics and licensed nurse practitioners. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our website and services.
MedSpa Oversight does not make diagnostic decisions. Clinical clearance determinations are made solely by the licensed Nurse Practitioner conducting the consultation.
By accessing or using MedSpa Oversight, you agree to the terms of this Privacy Policy. If you do not agree with these terms, please do not use our services.
Information We Collect
Account Information
When you create an account, we collect information such as your name, email address, phone number, business name, and professional credentials (for nurse practitioners). This information is necessary to provide our services and verify your identity.
Patient Information
When clinics initiate clearance consultations, we collect patient information required for the medical clearance process, including patient name, date of birth, medical history relevant to the clearance, and the services being requested. This information constitutes Protected Health Information (PHI) and is handled in accordance with HIPAA regulations.
Usage Information
We automatically collect certain information when you use our platform, including IP address, browser type, operating system, referring URLs, pages viewed, and the dates and times of your visits. This information helps us improve our services and maintain security.
Payment Information
When you make payments through MedSpa Oversight, your payment card information is processed by our third-party payment processor. We do not store complete credit card numbers on our servers.
Mobile App Permissions
Our iOS application requests the following device permissions. Each permission is requested only for the purpose described below.
- Camera and Microphone: Used solely to conduct WebRTC video consultations between clinics and nurse practitioners. Video and audio are streamed live; calls are never recorded and are never transmitted outside of the active consultation session.
- Push Notifications: Delivered via Amazon SNS and the Apple Push Notification service (APNs) to alert users to incoming calls and consultation reminders. You may disable notifications at any time in iOS Settings. Delivery of push notifications is provided on a best-effort basis by Apple and is not guaranteed.
- Biometric Authentication: Face ID and Touch ID, when enabled, are processed entirely on-device by Apple's Secure Enclave. Biometric data is never transmitted to or stored on MedSpa Oversight servers.
- Local Storage: Session tokens and the passcode token are stored in the encrypted iOS Keychain via expo-secure-store. No Protected Health Information is cached on-device beyond what is required to render the current screen.
How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain our medical clearance platform
- Facilitate video consultations between clinics and nurse practitioners
- Generate and deliver signed medical clearance letters
- Process payments and maintain billing records
- Verify provider credentials and licensure
- Maintain audit trails for compliance purposes
- Send transactional communications related to your account and services
- Improve our platform, monitor performance, and detect security threats
Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
- Between Clinics and Providers: Patient information is shared between the clinic initiating a clearance request and the NP conducting the consultation, as necessary to perform the clearance service.
- Service Providers: We engage third-party service providers who assist in operating our platform. These providers are bound by contractual obligations and, where applicable, Business Associate Agreements. The current list of sub-processors is:
  - Amazon Web Services — hosting and storage; BAA in place
  - Stripe, Inc. — payment processing (stripe.com/privacy)
  - SendGrid / Twilio — transactional email delivery
  - Amazon SNS / APNs — push notification delivery via Apple PushKit and the Apple Push Notification service
  - Coturn / TURN relay on AWS — WebRTC media relay
  - Sentry — crash and error reporting; Protected Health Information is scrubbed on both the client and the server before any event is sent
  - Expo / EAS — over-the-air mobile app bundle delivery
- Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
Security
We implement administrative, technical, and physical safeguards designed to protect your information. These include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and secure authentication
- Regular security assessments and vulnerability monitoring
- Employee training on data privacy and security practices
While we strive to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.
Cookies and Tracking Technologies
MedSpa Oversight uses cookies and similar technologies to operate our platform, remember your preferences, and understand how you use our services. We use the following types of cookies:
- Essential Cookies: Required for the platform to function, including authentication and security cookies.
- Functional Cookies: Used to remember your preferences and settings.
- Analytics Cookies: Help us understand usage patterns and improve our services. These do not contain PHI.
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.
App Tracking Transparency
MedSpa Oversight does not use IDFA (Identifier for Advertisers) or any third-party advertising or cross-app tracking. We do not display third-party advertising. We do not share any data with data brokers.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Portability: Request a portable copy of your data in a commonly used format.
- Opt-Out: Opt out of non-essential communications at any time.
For requests related to Protected Health Information, please note that HIPAA provides specific rights regarding your health records, including the right to access, amend, and receive an accounting of disclosures. Contact us to exercise any of these rights.
Data Retention
We retain your information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements.
Medical records and clearance documentation are retained for a minimum of six years per applicable healthcare record retention law; during that retention period these records may not be deleted on request. Other personal data may be deleted by contacting privacy@medspaoversight.com.
Children's Privacy
MedSpa Oversight's services are intended for use by healthcare professionals and clinics. We do not knowingly collect personal information from individuals under the age of 18 for account registration purposes. Patient information for minors may be collected as part of the medical clearance process as directed by the clinic.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on our website and updating the "Last updated" date. We encourage you to review this policy periodically.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
MedSpa Oversight, Inc.
Email: privacy@medspaoversight.com
For HIPAA-related inquiries: compliance@medspaoversight.com