Legal Information

Privacy Policy

Last Updated: June 2, 2026

1. Introduction

Total Beauty Clinic (“we,” “us,” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, share, and protect information when you interact with our website (https://totalbeautyclinic.net), our booking and contact forms (https://totalbeautyclinic.net/book), our SMS and email messaging programs, our appointment scheduling and reminder systems, and any in-person or telephone interactions with our staff.

By using our services or opting into our communications, you agree to this Privacy Policy and our Terms and Conditions. If you do not agree, please do not use our services.

2. Information We Collect

We collect the following categories of information:

  • Contact Information: Your name, email address, phone number, and mailing address — collected when you submit a form, book an appointment, contact us by phone or email, or otherwise interact with our services.
  • Communications Data: Your messaging preferences and records of consent (including timestamp, opt-in method, the specific consent language presented at the time of opt-in, IP address where applicable, and any separate consent provided for clinical or treatment-related communications), and records of opt-out activity related to our SMS and email programs.
  • Appointment and Service Data: Information related to consultations, services requested, services received, dates of visits, and notes maintained as part of your client record.
  • Health and Treatment Information (where applicable): Information relevant to the services you receive, including medical history forms, treatment consents, before-and-after photographs, and clinical notes. This information is treated as Protected Health Information (PHI) and is governed by Section 8 below.
  • Payment Information: Limited transaction details (such as the last four digits of a card, transaction amounts, and dates) for the purpose of processing payments and maintaining business records. We do not store full payment card numbers; payment processing is handled by PCI-DSS-compliant third-party processors.
  • Usage and Device Information: Cookies, pixel data, IP addresses, device type, browser information, referring URLs, and other technical data collected automatically when you visit our websites.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide the services you request, including consultations, treatments, scheduling, and follow-up care.
  • To send appointment confirmations and reminders via SMS or email (transactional communications).
  • To send promotional offers, seasonal specials, and service updates via SMS or email — but only if you have explicitly consented to receive marketing communications.
  • To send provider-initiated clinical follow-up communications via SMS — such as post-visit check-ins, after-care reminders, treatment plan questions, and direct provider-to-patient conversation regarding your care — but only if you have provided explicit consent for clinical communications during your in-person treatment intake (see Section 8).
  • To respond to inquiries, requests, and customer service needs.
  • To maintain compliance records required by federal and state regulations, including A2P 10DLC consent and opt-out documentation.
  • To comply with legal obligations, including HIPAA, CMIA, TCPA, FTC, and California Medical Board requirements.
  • To protect against fraud, abuse, and unauthorized access.
  • To improve our website, services, and customer experience.

4. Cookies and Tracking Technologies

We use cookies and similar technologies to personalize your experience and understand how our websites are used. You can control cookies through your browser settings. Disabling cookies may affect functionality.

We do not use cross-site tracking for behavioral advertising purposes.

5. How We Share Your Information

We do not sell your personal information.

We share information only as described below:

  • A2P 10DLC Mobile Information Non-Sharing Clause: No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted.
  • Service Providers: We may share information with subcontractors and vendors who perform services on our behalf — including but not limited to scheduling software, payment processors, communications platforms, IT and security services, and analytics providers. These providers may only use your information to perform services for us, and we require Business Associate Agreements (BAAs) with any vendor that handles Protected Health Information.
  • Legal and Safety: We may disclose information when required by law, in response to a valid subpoena or legal process, or when necessary to protect the safety, rights, or property of our patients, staff, or business.
  • Business Transfers: In the event of a merger, acquisition, or sale of business assets, your information may be transferred to the successor entity, subject to the same protections described in this Policy.

6. Your Choices

  • SMS Opt-Out: You may opt out of any SMS communications (transactional, marketing, or clinical) at any time by replying STOP, UNSUBSCRIBE, CANCEL, QUIT, END, or any reasonable opt-out request to any message we send. After processing, we will send a one-time confirmation SMS, and you will no longer receive transactional, marketing, or clinical text messages from us unless you opt back in. We process opt-out requests within 10 business days, and typically in real time. You may also opt out of clinical SMS specifically while remaining opted in for transactional or marketing — see Section 8.
  • SMS Help: Reply HELP to any of our messages to receive support information. You may also contact us directly using the information in Section 12.
  • Email Opt-Out: You may unsubscribe from marketing emails by clicking the “unsubscribe” link at the bottom of any email. Transactional emails (appointment confirmations, account notices) will continue as needed to deliver requested services.
  • Update or Correct Information: Contact us at info@totalbeautyclinic.net or +1 909-323-0015 to update, correct, or request access to information we maintain about you.

7. California Consumer Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for which we use it, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions (such as information we are required to retain for legal, accounting, or healthcare recordkeeping purposes).
  • Right to Correct: Request correction of inaccurate personal information we maintain about you.
  • Right to Opt Out of Sale or Sharing: We do not sell personal information and we do not share personal information for cross-context behavioral advertising. If our practices change, you have the right to opt out at any time.
  • Right to Limit Use of Sensitive Personal Information: Request that we limit our use of sensitive personal information to purposes necessary for providing requested services.
  • Right to Non-Discrimination: We will not deny services, charge different prices, or provide a different level of service based on your exercise of these rights.

To exercise any of these rights, contact us at info@totalbeautyclinic.net or +1 909-323-0015. We will verify your identity before responding to ensure the security of your information.

Note on medical information: Personal information governed by California's Confidentiality of Medical Information Act (CMIA) and HIPAA is subject to those laws' protections in addition to CCPA. See Section 8.

8. Medical Information Protections (HIPAA + CMIA)

To the extent that we collect, maintain, or transmit Protected Health Information (PHI) in the course of providing aesthetic and medical services, we comply with:

  • The federal Health Insurance Portability and Accountability Act (HIPAA), including the Privacy, Security, and Breach Notification Rules.
  • California's Confidentiality of Medical Information Act (CMIA), Civil Code § 56 et seq.

PHI is handled separately from marketing data, and we do not use PHI for SMS or email marketing purposes.

Clinical SMS Communications

With your explicit consent, captured during your in-person treatment intake as part of our HIPAA-compliant authorization process, we may send you provider-initiated clinical communications via SMS, including post-visit follow-up, after-care reminders, treatment plan questions, and direct provider-to-patient conversation regarding your care. These communications are transmitted through messaging platforms that operate under active Business Associate Agreements (BAAs) at both the agency and sub-account level. Clinical communications are never used for marketing or promotional purposes, and prescription medications are never advertised or promoted through our SMS program.

Alternative Clinical Channel

If you prefer to keep clinical conversations on a separate, dedicated HIPAA-compliant communications channel, we offer Spruce Health as an alternative. You may request this option at any visit, by replying to any of our messages, or by contacting us using the information in Section 12. Using Spruce Health does not affect your ability to receive non-clinical messages (appointment reminders) through our standard SMS program if you have separately consented to those.

Withdrawal of Clinical SMS Consent

You may withdraw your consent to clinical SMS communications at any time by replying STOP to any of our messages, by notifying our office in writing, or by calling +1 909-323-0015. Withdrawing clinical SMS consent does not affect your underlying medical care, your ability to schedule appointments, or your ability to receive other categories of messages for which you have separately consented.

Business Associate Agreements: We maintain active Business Associate Agreements with all vendors and service providers that may handle PHI on our behalf, including at both the agency-level platform and the sub-account messaging provider. These agreements obligate our vendors to safeguard PHI consistent with HIPAA, CMIA, and our internal policies.

We do not disclose medical information for marketing, advertising, or any unauthorized purpose.

If you have questions about how your medical information is handled, or wish to exercise rights under HIPAA or CMIA (including the right to access, amend, or receive an accounting of disclosures of your medical records), contact us using the information in Section 12.

9. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Medical records: retained for at least seven years from the date of last service, or as otherwise required under California Medical Board recordkeeping rules.
  • SMS consent records: retained for at least four years from opt-in, per A2P 10DLC and TCPA recordkeeping recommendations.
  • Marketing data: retained until you opt out or request deletion, subject to applicable legal exceptions.
  • Financial records: retained as required under federal and California tax law.

10. Data Security

We use reasonable administrative, technical, and physical safeguards to protect your information, including access controls, encryption where appropriate, secure storage of paper records, and staff training on confidentiality. While we strive to protect your information, no method of transmission over the internet or storage is 100% secure, and we cannot guarantee absolute security.

In the event of a data breach, we will notify affected individuals and regulatory authorities as required under HIPAA, CMIA, the California Customer Records Act, and other applicable laws.

11. Children's Privacy

Our services are not intended for children under 13, and we do not knowingly collect personal information from children. Additionally, by opting into our SMS messaging program, you represent that you are at least 18 years of age. If you believe we have inadvertently collected information from a child, contact us immediately using the information in Section 12.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact:

Total Beauty Clinic

18611 Gale Ave, City of Industry, CA 91748, United States

Phone: +1 909-323-0015

Email: info@totalbeautyclinic.net

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, regulatory requirements, or carrier requirements. The updated version will be posted at https://totalbeautyclinic.net/privacy-policy with a new “Last Updated” date. Material changes will be communicated through reasonable means.