Privacy Policy

Updated March 18, 2026

1. Introduction

Aesthetix CRM LLC (“Aesthetix CRM,” “we,” “us,” “our”) is a customer relationship management and marketing automation platform built for the medical aesthetics industry. We are committed to protecting the privacy of our customers, their patients, and visitors to our website.

This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website (https://aesthetixcrm.com), use our platform, or otherwise interact with us. Please read this policy carefully. By accessing or using our Services, you agree to the practices described in this Privacy Policy.

2. Our Role: Controller vs. Processor

It is important to understand the two distinct contexts in which we handle personal information:

2A. Aesthetix CRM as Data Controller

When you visit our website, create an account, or interact with us directly (e.g., submitting a demo request, contacting support, making a purchase), we are the data controller. This means we decide why and how your personal information is collected and used. Sections 3 through 8 of this Privacy Policy describe our practices as a data controller.

2B. Aesthetix CRM as Data Processor

When our customers (healthcare practices) use the Aesthetix CRM platform to store and manage their patient data, contact lists, communications, and marketing campaigns, we are the data processor (or “service provider” under CCPA). We process this data solely on our customers’ instructions and in accordance with our agreements with them. If you are a patient or contact whose information is stored in our platform by a healthcare practice, that practice — not Aesthetix CRM — is the controller of your data. Please contact the practice directly to exercise your privacy rights. Our obligations as a processor are governed by our Data Processing Addendum (https://aesthetixcrm.com/dpa) and, where applicable, our Business Associate Agreement.

3. Information We Collect as Controller

3A. Information You Provide

When you create an account, request a demo, subscribe to our Services, contact support, or otherwise interact with us, we may collect: your name, email address, phone number, billing address, company/practice name, and job title.

3B. Payment Information

All payment processing is handled by Stripe, Authorize.net, or Nuvei, our third-party payment processors. We do not directly collect, store, or have access to your full credit card numbers, CVV security codes, or complete payment card details. Stripe tokenizes your payment information and provides us only with a confirmation of successful payment, the last four digits of the card, and the card type for display purposes. For Stripe’s privacy practices, visit https://stripe.com/privacy.

3C. Automatically Collected Information

When you visit our website or use the platform, we automatically collect: IP address, device identifiers, browser type and version, operating system, referring URLs, pages viewed, time spent on pages, and interaction data. This information is collected through cookies, pixels, and similar technologies (see Section 7).

4. How We Use Your Information

We use the information we collect as a controller for the following purposes: providing, operating, and maintaining the Services; processing transactions and sending related information (confirmations, invoices); providing customer support and responding to inquiries; sending administrative communications (service updates, security alerts, policy changes); analyzing usage patterns to improve the Services; detecting, preventing, and addressing fraud, security issues, and technical problems; enforcing our Terms of Service and legal rights; complying with legal obligations; and, with your consent, sending marketing communications about our products and services.

5. How We Share Your Information

We do not sell your personal information. We share personal information only in the following circumstances:

Infrastructure Providers. Our platform is built on GoHighLevel (CRM infrastructure), Twilio (telephony and messaging), DigitalOcean (hosting), Vercel (application hosting), and Supabase (database services). These providers process data as necessary to deliver the Services. We maintain BAAs with each. See our sub-processor list at https://aesthetixcrm.com/sub-processors.

Payment Processors. Stripe processes payment transactions on our behalf.

Analytics Providers. We use Google Analytics and similar tools to analyze website traffic and usage. You may opt out of Google Analytics at https://tools.google.com/dlpage/gaoptout/.

Legal Requirements. We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Aesthetix CRM, our customers, or the public.

Business Transfers. In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction.

6. Information We Process on Behalf of Customers (Processor Role)

Our customers use the Aesthetix CRM platform to store and process their own data, which may include patient and contact information such as: names, email addresses, phone numbers, appointment history, communications history (SMS, email, call recordings), marketing engagement data, custom fields, and uploaded files.

We process this data solely on our customers’ instructions and in accordance with our Data Processing Addendum and, where applicable, our Business Associate Agreement. We do not use customer data for our own marketing or advertising purposes. We do not sell, share, or otherwise make available customer data to third parties except as necessary to provide the Services or as required by law.

6A. Protected Health Information (PHI)

Many of our customers are HIPAA Covered Entities. When we process PHI on their behalf, we do so under a signed Business Associate Agreement. HIPAA compliance mode is enabled across all customer sub-accounts. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). For details, visit https://aesthetixcrm.com/hipaa-compliance/.

6B. Patient and Contact Rights

If you are a patient or contact whose information is stored in Aesthetix CRM by a healthcare practice, please contact that practice directly to exercise your privacy rights (access, correction, deletion, etc.). We will cooperate with our customers to fulfill data subject requests as described in our DPA.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to analyze website traffic, identify logged-in users, store preferences, test content, and recognize returning visitors. You can control cookies through your browser settings. Disabling cookies may limit some functionality.

7A. Global Privacy Control (GPC)

We recognize and honor Global Privacy Control (GPC) signals as a valid opt-out mechanism for the sale or sharing of personal information under applicable state privacy laws, including the California Consumer Privacy Act.

8. Your Privacy Rights

Depending on where you reside, you may have rights under applicable privacy laws. The following is a summary of rights available under major frameworks:

8A. California Residents (CCPA/CPRA)

If you are a California resident, you have the right to: know what personal information we collect and how we use it; request deletion of your personal information; opt out of the sale or sharing of personal information (we do not sell personal information); correct inaccurate personal information; limit use of sensitive personal information; and not be discriminated against for exercising your rights.

8B. Virginia, Colorado, Connecticut, and Other US State Residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws may have rights including: access, correction, deletion, data portability, and the right to opt out of targeted advertising, profiling, and sale of personal data. We honor these rights as applicable.

8C. European Economic Area and UK Residents (GDPR/UK GDPR)

If you are located in the EEA or UK, you have the right to: access your personal data; rectify inaccurate data; erase your data; restrict processing; request data portability; object to processing; and not be subject to automated decision-making. Our legal basis for processing is typically contractual necessity or legitimate interest. International transfers are governed by Standard Contractual Clauses as described in our DPA.

8D. Canadian Residents (PIPEDA)

Canadian residents have the right to access, correct, and withdraw consent for the processing of personal information. You may lodge complaints with the Office of the Privacy Commissioner of Canada.

8E. Exercising Your Rights

To exercise any privacy right, contact us at privacy@aesthetixcrm.com. We will verify your identity and respond within the timeframe required by applicable law (typically 30-45 days). If we deny your request, we will provide the reasons for such denial.

9. Data Retention

We retain personal information we collect as a controller for as long as your account is active or as needed to provide Services, comply with legal obligations, resolve disputes, and enforce agreements. When we no longer need personal information, we securely delete or anonymize it.

For customer data we process as a processor: we retain data for the duration of the customer’s subscription. Upon cancellation, we provide a 90-day export window, after which data is permanently deleted from active systems within 30 days and from backups within 90 days. See our Terms of Service for details.

10. International Data Transfers

The Services are primarily hosted in the United States through our Infrastructure Providers. Data may also be processed in locations where our Infrastructure Providers and sub-processors operate. For transfers from the EEA, UK, or Switzerland, we rely on the Standard Contractual Clauses as described in our Data Processing Addendum. By using the Services, you consent to the transfer and processing of your data in these locations.

11. Data Security

We implement administrative, technical, and organizational measures to protect personal information, including: encryption at rest (AES-256) and in transit (TLS 1.2+) provided through our Infrastructure Providers (primarily through HighLevel’s Google Cloud infrastructure); role-based access controls; employee confidentiality obligations and security training; regular security assessments; incident response procedures; and physical security measures. No method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

12. Children’s Privacy

The Services are intended for use by a general audience of business professionals and are not directed to children under 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will promptly delete it.

13. Third-Party Websites and Services

The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of third-party websites. We encourage you to read their privacy policies before providing personal information.

14. Do Not Track / Global Privacy Control

We honor Global Privacy Control (GPC) signals as a valid opt-out mechanism under applicable state privacy laws. We do not currently respond to “Do Not Track” browser signals, as there is no industry-standard technology for recognizing DNT signals.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will indicate changes by updating the effective date at the top of this page and, for material changes, will also post a notice on our website or send an email notification. Your continued use of the Services after any changes constitutes acceptance of the updated Privacy Policy.

16. Contact Us

Privacy Officer
Eric Dunn
Aesthetix CRM LLC
2541 N Pleasantburg Dr, Ste 338
Greenville, SC 29609
Email: privacy@aesthetixcrm.com
Phone: (833) 479-1777