Privacy Policy

PRIVACY POLICY

Last updated: May 21, 2026

This Privacy Notice for Elevate Medical Aesthetics PLLC (“we,” “us,” or “our”) describes how and why we might access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you:

Visit our website at https://www.elevatemedaesthetic.com or any website of ours that links to this Privacy Notice.
Engage with us in other related ways, including booking workflows, email newsletters, automated marketing communications, SMS Text Blasts, or clinical events.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at amandola@elevatemedaesthetic.com.

SUMMARY OF KEY POINTS

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us, the choices you make, and the features you use (e.g., website contact forms or our online booking portal).
Do we process any sensitive personal information? Yes. Because we operate a medical aesthetics practice, we process health data, clinical history, and financial billing information with your consent and in compliance with state medical retention laws.
Do we collect any information from third parties? We do not collect information about you from public third-party databases.
How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you for booking, dispatch automated marketing campaigns and SMS blasts, maintain safety, and comply with state and federal laws.
In what situations and with which parties do we share personal information? We share information with core infrastructure partners—specifically our electronic medical record (EMR) and practice management software (Boulevard) and its integrated payment processors—to safely fulfill your services and execute communications.
How do we keep your information safe? We utilize industry-standard technical and organizational processes via our HIPAA-compliant, SOC 2 certified cloud vendor. However, no transmission over the internet can be guaranteed 100% secure.
What are your rights? Depending on your state of residence (such as Texas), you have specific statutory rights to access, correct, delete, or obtain a copy of your personal data.

WHAT INFORMATION DO WE COLLECT?
HOW DO WE PROCESS YOUR INFORMATION?
WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
HOW LONG DO WE KEEP YOUR INFORMATION?
HOW DO WE KEEP YOUR INFORMATION SAFE?
DO WE COLLECT INFORMATION FROM MINORS?
WHAT ARE YOUR PRIVACY RIGHTS? (INCLUDING SMS/EMAIL MARKETING DISCLOSURES)
CONTROLS FOR DO-NOT-TRACK FEATURES
DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
LINKS TO OTHER WEBSITES
DO WE MAKE UPDATES TO THIS NOTICE?
HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

We collect personal information that you voluntarily provide to us when you register an account on our booking system, express interest in obtaining information about our treatments, fill out medical intake paperwork, sign up for promotions, or contact us directly.

The personal information we collect may include:

Names, phone numbers, and email addresses.
Mailing and billing addresses.
Usernames and passwords created for our patient portals.
Marketing, communication, and notification channel preferences.
Debit/credit card numbers (processed securely via encrypted tokenization).

Sensitive Information

When necessary, with your explicit consent or as permitted by law, we process the following categories of sensitive data:

Health Data: Medical history, skin conditions, aesthetic goals, treatment records, allergies, and before/after clinical photographs.
Financial Data: Stored credit card tokens used to secure appointments, protect against cancellation/no-shows, or process recurring membership plans.
Demographic Data: Age, date of birth, and biological sex required for safe clinical evaluations and prescriptions.

Payment Data

All payment data is handled securely by our integrated practice management and point-of-sale provider, Boulevard (BMS). Boulevard is a certified Level 1 PCI-Compliant provider that tokenizes your financial information. We do not store raw credit card numbers on our local business servers. You may view their data handling protections directly via the Boulevard Customer Privacy Policy at https://www.joinblvd.com/legal/customer-privacy-policy.

Information automatically collected

We automatically collect certain information when you visit, use, or navigate our website. This usage data does not reveal your specific identity (like your name) but includes device and usage characteristics, such as your IP address, browser type, browser version, operating system, language preferences, referring URLs, unique device identifiers, time and date logs, and generalized location data.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your personal information for a variety of legitimate business and clinical reasons, including:

Account Management: To facilitate secure account creation, user authentication, and maintenance of your patient profile.
Service Delivery: To administer, execute, and track clinical medical aesthetic treatments.
Customer Support: To respond to your online inquiries, coordinate appointment scheduling, and resolve technical booking errors.
Administrative Messages: To distribute operational alerts, transactional booking confirmations, form requests, receipts, and scheduling updates.
Marketing, Promotions, & Automations: To distribute customized newsletters, birthday wishes, win-back alerts, or promotional text messages via Boulevard’s marketing blast suites matching your designated opt-in permissions.
Legal Compliance: To comply with regulatory obligations, respond to valid legal requests, or defend our legal rights under Texas medical board frameworks.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We only share personal information in limited, essential business situations:

With Our Practice Management Platform (Boulevard): Your clinical records, intake questionnaires, contact entries, and transaction histories are securely processed through Boulevard, which acts as our Business Associate under HIPAA guidelines and hosts our communication routing infrastructure.
Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Google Maps Platform APIs: Our booking features may use Google Maps APIs to facilitate address autofill tools. Google Maps utilizes device network signals to estimate location features according to its own privacy rules.

4. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We use cookies, web beacons (clear gifs, pixel tags), and tracking scripts to track activity on our Service and store preference metrics. You can instruct your browser to refuse all cookies, though some portions of our booking workflows may rely on them to function. We use both Session Cookies (deleted when you close your browser) and Persistent Cookies (remain on your device until they expire) for the following purposes:

Necessary / Essential Cookies: Session cookies administered by us to authenticate users, protect account integrity, and prevent fraudulent use of booking profiles.
Cookies Policy / Notice Acceptance Cookies: Persistent cookies that record whether you have acknowledged or accepted our on-site cookie tracking banner.
Functionality Cookies: Persistent cookies that allow our website to remember choices you make (such as saving login details or language settings) to provide a streamlined experience.

Google Analytics

We share anonymized site traffic metrics with Google Analytics to monitor user behaviors. To opt out of tracking by Google Analytics across the web, you can install the official browser opt-out extension at https://tools.google.com/dlpage/gaoptout. You can also adjust your tracking visibility settings directly through Google Ads Settings or via the Network Advertising Initiative opt-out portal.

5. HOW LONG DO WE KEEP YOUR INFORMATION?

We retain your information only as long as necessary to fulfill the purposes outlined in this notice, unless a longer retention period is explicitly mandated by law.

Medical Record Notice (Texas Law): In the State of Texas, medical aesthetic practices must retain adult patient medical records for a minimum of seven (7) years from the date of the last recorded treatment. For minor patients, records must be kept until the patient reaches the age of 21, or for seven (7) years from the last treatment, whichever period is longer.

When we no longer have an ongoing regulatory or clinical need to retain your data, we will delete or anonymize it in accordance with standard data security practices.

6. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have deployed rigorous technical and organizational security controls designed to safeguard all handled personal data. Boulevard securely stores practice data centrally utilizing Amazon Web Services (AWS) and undergoes independent third-party SOC 2 Type 2 audits annually to ensure data integrity. However, despite these safeguards, no transmission over the open internet can be guaranteed 100% secure. Transmission of personal data to and from our Services remains at your own risk.

7. DO WE COLLECT INFORMATION FROM MINORS?

Our clinical Services are targeted exclusively toward adults. We do not knowingly market to or solicit data from children under 18 years of age. By utilizing these Services, you represent that you are at least 18 years old, or that you are the parent or legal guardian of a minor dependent consenting to their treatment. If we discover that personal records from a minor under 18 have been improperly harvested without explicit legal guardian verification, we will deactivate the account and clear the matching records from our systems immediately.

8. WHAT ARE YOUR PRIVACY RIGHTS?

You have the right to review, update, modify, or deactivate your booking account profile at any time.

Withdrawing Consent

If we process your data based on explicit consent, you have the right to withdraw that consent at any time by contacting us directly. Doing so will not impact the lawfulness of any processing handled prior to the withdrawal.

Email and Text (SMS) Marketing Tools

We use Boulevard’s automated and manual marketing frameworks to build and send promotional communications to clients who have given proper authorization.

Email Marketing: You can opt out of marketing distributions or seasonal newsletters at any time by clicking the “Unsubscribe” link embedded in the footer of any promotional email we send, or by modifying your preferences inside your client portal profile.
Text Message (SMS) Marketing Compliance: In compliance with TCPA and mobile carrier requirements, text marketing blasts are strictly limited to users who have explicitly opted in (such as checking a communication authorization box during online self-booking).
Granular SMS Opt-Out: You can control or rescind text message delivery using standard mobile keyword replies:
- Texting “NO PROMOS” in response to any message will unsubscribe you from marketing and promotional text blasts only. You will continue to receive critical operational text alerts (e.g., appointment confirmations, intake form links, and clinical reminders).
- Texting “STOP”, “UNSUBSCRIBE”, “CANCEL”, or “QUIT” will immediately opt you out of ALL automated text communications from our practice, including both promotional and operational/transactional updates.
SMS Privacy Safeguards: Mobile telephone numbers collected for SMS enrollment and individual opt-in consent logs are kept strictly confidential. No mobile information, telephone numbers, or text consent data will be shared with, sold to, or distributed to external third parties or corporate affiliates for marketing or advertising purposes.

9. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers provide a Do-Not-Track (“DNT”) signal mechanism to express your online tracking preferences. Because no industry or legal standard has been established to interpret these signals, our systems do not currently alter data gathering routines upon receiving standard browser DNT alerts.

We do, however, recognize Global Privacy Control (GPC) signals. If your browser broadcasts an active GPC signal, we interpret that signal as a valid directive to opt out of the commercial sharing of your information for targeted ad placement under prevailing US state frameworks.

10. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

Texas Residents Notice

If you are a resident of Texas, the Texas Data Privacy and Security Act (TDPSA) grants you specific controls over your personal data. These rights include the right to confirm if we process your data, the right to access the data we maintain, the right to correct clinical or personal profile inaccuracies, and the right to delete data (subject to the overriding 7-year medical retention mandates enforced by the Texas Medical Board).

Summary of Personal Data Disclosures (Past 12 Months)

The following table reflects categories of information we handle and whether they have been collected or shared for commercial profit:

Data Category	Specific Examples Collected	Collected?	Sold or Shared for Profit?
A. Identifiers	Real name, postal address, mobile number, IP address, email address, account login credentials.	YES	NO
B. Protected Demographics	Biological sex, age, date of birth.	YES	NO
C. Commercial History	Treatment purchase history, transaction records, billing details, membership selections.	YES	NO
D. Biometric Fields	Fingerprints, voiceprints, or retinal scans.	NO	NO
E. Network Activity	Browsing history, search behavior, and site clicks.	YES	NO
F. Geolocation Data	Device coordinates or generalized IP locations.	YES	NO
G. Audio / Visual Data	Clinical photographs of treatment zones (before & after imagery).	YES	NO
H. Professional History	Job application details or resume elements.	NO	NO
K. Sensitive Information	Health profiles, medical history intake responses, encrypted debit/credit tokens.	YES	NO

11. LINKS TO OTHER WEBSITES

Our Service contains digital redirections and links to third-party portals not owned or controlled by us (including our online scheduling application hosted by Boulevard). If you click an external link, you will be directed to that third party’s domain. We heavily advise you to evaluate the privacy notice of every outside portal you interface with, as we assume no responsibility for the data architecture or processing frameworks of outside operations.

12. DO WE MAKE UPDATES TO THIS NOTICE?

Yes. We will update this Privacy Notice periodically to maintain compliance with evolving privacy laws, platform updates, and clinical state requirements. The modified timeline will be noted via an adjusted “Revised” date positioned at the top of the document. We recommend checking this page periodically to remain informed about how your data is protected.

13. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions, comments, or legal inquiries concerning this document, please contact us by mail or email at:

Elevate Medical Aesthetics PLLC 3322 E Walnut St, Ste 112

Pearland, TX 77581

United States

Email: amandola@elevatemedaesthetic.com

Phone: 281-305-3234

14. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT?

To submit a formal request to inspect, update, correct, or request deletion of personal information collected by our practice, you may email us directly at amandola@elevatemedaesthetic.com or use the contact forms provided at https://elevatemedaesthetic.com/contact-us/. We will review and fulfill your request within the designated response timelines required by your state’s privacy framework, subject to overriding medical record retention laws.