PRIVACY POLICY
Effective Date: April 1, 2026
Last Updated: March 28, 2026
Luxe Digital Collective, LLC (“we,” “us,” “our”) operates multiple software-as-a-service products
for medical spas and aesthetic practices. This Privacy Policy explains how we collect, use, and
protect your personal information across all our products.
Products covered by this Privacy Policy:
● SpotFill – Automated cancellation notification service
● Aesthetic Vault – SEO blog content subscription service
● Future products operated under Luxe Digital Collective
1. Information We Collect
1.1 Information You Provide
When you create an account with any of our products, we collect:
For All Products:
● Contact Information: Name, email address, business name, phone number
● Business Details: Medical spa/practice name, address, website URL
● Account Credentials: Username and password (encrypted)
● Payment Information: Credit card details (processed securely via Stripe)
SpotFill-Specific:
● Business Branding: Logo files, color preferences, aesthetic style selection
● Booking System Details: Integration credentials (Mindbody, Square, Vagaro)
● Appointment Data: Treatment types, time slots, pricing (submitted by you)
● SMS Consent: Mobile phone number (only if you opt in to SMS notifications)
Aesthetic Vault-Specific:
● Treatment Preferences: Categories of blog content you’re interested in
● Blog Selections: Which blogs you choose from the monthly library
● Practice Specialties: Treatment types you offer (for content matching)
1.2 Information Collected Automatically
When you use our services, we automatically collect:
● Usage Data: Pages viewed, features accessed, time spent, clicks
● Device Information: IP address, browser type, device type, operating system
● Log Data: Access times, error logs, API calls
● Cookies: Session tokens, preferences, analytics data
1.3 Information From Third Parties
We may receive information from:
● Payment Processors: Stripe (billing information, transaction history)
● Email Services: SendGrid (email delivery status, open rates)
● SMS Services: Twilio (delivery status, opt-out requests)
● Analytics: Google Analytics (aggregated, anonymized usage data)
● Booking Systems: Mindbody, Square, Vagaro (appointment cancellation webhooks)
2. How We Use Your Information
We use your information to:
Provide Services:
● SpotFill: Generate branded Instagram Story graphics, deliver via SMS/email
● Aesthetic Vault: Match you with relevant blog content, deliver selected blogs
● Process subscription billing and payments
● Manage your account and user preferences
Improve Services:
● Analyze usage patterns to enhance features
● Identify and fix bugs or technical issues
● Develop new products and features
● Conduct A/B testing and product research
Communicate:
● Send service notifications and updates
● Respond to customer support inquiries
● Deliver subscription confirmations and receipts
● Share product updates and new features (you can opt out)
Legal Compliance:
● Meet regulatory requirements (HIPAA, TCPA, GDPR, CCPA)
● Prevent fraud and abuse
● Enforce our Terms of Service
● Respond to legal requests (subpoenas, court orders)
3. SMS Notifications & Consent (SpotFill Only)
3.1 Opt-In Process
SMS notifications are completely optional. SpotFill works with email-only delivery.
If you choose to receive SMS notifications:
1. You must check a clearly labeled opt-in box during registration or in account settings
2. You’ll see this consent language: “I agree to receive SMS notifications from SpotFill
including Story download links and service updates. Message frequency varies.
Message and data rates may apply. Reply STOP to opt out anytime.”
3. You’ll receive a confirmation SMS
3.2 Message Types & Frequency
If you opt in, you’ll receive:
● Story Download Links (SpotFill)
● Submission Confirmations
● Account Alerts (payment failures, security notices)
● Service Updates (new features, maintenance)
Message Frequency: Varies based on your usage (typically 1-20 messages/month)
Carrier Charges: Standard messaging rates apply from your mobile carrier
3.3 How to Opt-Out
You can stop SMS messages anytime by:
● Texting STOP to our number
● Updating settings in your account dashboard
● Emailing us at support@luxe.dezysolutions.com
You’ll receive a confirmation of your opt-out.
3.4 SMS Data Privacy
Text messaging originator opt-in data and consent will not be shared with any third parties.
Your phone number and SMS consent data will NEVER be:
● Sold to third parties
● Shared with marketers or advertisers
● Used for purposes other than delivering our services
● Disclosed without your explicit consent (except as legally required)
4. How We Share Your Information
4.1 We DO NOT Sell Your Data
Your personal information is NEVER:
● Sold to data brokers or third parties
● Shared with advertisers for marketing purposes
● Rented or leased to other companies
● Used for purposes unrelated to our services
4.2 Service Providers We Use
We share limited data with trusted service providers who help us operate:
All Products:
● Stripe: Payment processing (billing information)
● SendGrid: Email delivery (email addresses)
● Google Cloud: Data storage and hosting (all account data)
● Google Analytics: Usage analytics (anonymized)
SpotFill:
● Twilio: SMS delivery (phone numbers for users who opt in)
● Placid: Graphic generation (business branding, logos)
Aesthetic Vault:
● Google Drive: Blog content storage and delivery (email addresses)
All providers are contractually bound to:
● Protect your data with industry-standard security
● Use data only for providing our services
● Not sell or share your data with third parties
● Comply with GDPR, CCPA, and other privacy laws
4.3 Legal Requirements
We may disclose information if required by:
● Court orders or subpoenas
● Legal processes or government requests
● Law enforcement investigations
● Protection of our rights, property, or safety
● Prevention of fraud, abuse, or illegal activity
4.4 Business Transfers
If Luxe Digital Collective is acquired, merged, or sells assets, your information may be
transferred to the new owner. We’ll notify you via email before any transfer.
5. Data Security
We implement industry-standard security measures:
Encryption:
● SSL/TLS encryption for all data transmission
● AES-256 encryption for data at rest
● Encrypted database backups
Access Controls:
● Role-based access permissions for team members
● Two-factor authentication for admin accounts
● Regular access audits and reviews
Infrastructure:
● Secure cloud hosting on Google Cloud Platform
● Regular security patches and updates
● Automated threat detection and monitoring
● Annual penetration testing
Passwords:
● Bcrypt hashing (one-way, not reversible)
● Password strength requirements enforced
● Secure password reset processes
However, no system is 100% secure. While we implement best practices, we cannot
guarantee absolute security. You are responsible for keeping your account credentials
confidential.
5.5 Data Breach Notification
If we experience a data breach:
● We will notify affected users via email within 72 hours of discovering the breach
● We will provide details about what data was compromised
● We will outline steps we’re taking to address the breach
● We will offer guidance on protective measures you should take
If the breach involves potential PHI (Protected Health Information):
● YOU are responsible for notifying your patients if required by HIPAA
● YOU are responsible for reporting the breach to HHS and state authorities if required
● We will provide you with available information to support your notification obligations
● We are NOT responsible for your patient notification costs or legal obligations
Your Responsibilities:
● Report any suspected unauthorized access to your account immediately
● Change your password if you suspect compromise
● Monitor your account for suspicious activity
● Comply with your own breach notification obligations under HIPAA, state laws, or
contracts
6. HIPAA Compliance & Medical Data
6.1 Minimal PHI Collection
Our services are designed to minimize collection of Protected Health Information (PHI).
We strongly recommend you:
● ❌ DO NOT include patient names in any submissions
● ❌ DO NOT include dates of birth, SSNs, or medical record numbers
● ❌ DO NOT include diagnosis codes or medical history
● ❌ DO NOT upload patient photos without proper consent
● ✅ DO use generic treatment names (“Botox appointment” not “Jane Smith’s Botox for
migraines”)
● ✅ DO use time slots and service types only (“2:00 PM Filler appointment available”)
6.2 What We Process
SpotFill processes:
● ✅ Treatment type (Botox, Fillers, Laser, Hydrafacial)
● ✅ Appointment time slot (“Today at 3:00 PM”)
● ✅ Your business name and location
● ✅ Pricing (optional)
● ❌ NOT patient names, medical records, or PHI
Aesthetic Vault processes:
● ✅ Your treatment specialties and preferences
● ✅ Blog content categories you’re interested in
● ❌ NOT patient data or medical records
6.3 Your HIPAA Responsibilities
YOU are solely responsible for:
● Ensuring your use of our services complies with HIPAA
● Obtaining proper patient consent before posting any information
● Not including PHI in submissions or content
● Training your staff on HIPAA-compliant use of our tools
● Maintaining HIPAA compliance in your practice
● Patient breach notification if PHI is compromised
● Reporting breaches to HHS, state authorities, and patients as required by law
● Conducting your own HIPAA Security Risk Assessments
● Determining whether a Business Associate Agreement (BAA) is required
We are NOT:
● A HIPAA Covered Entity or Business Associate (unless a BAA is executed)
● Providing medical services or advice
● Responsible for your HIPAA compliance
● Liable for your HIPAA violations
● Responsible for patient breach notifications
● Monitoring your content for PHI before you submit it
6.4 Business Associate Agreement (BAA)
When a BAA May Be Required:
● If you are a HIPAA Covered Entity
● AND you submit appointment data that could be considered PHI (even if de-identified)
● AND our access to your booking system API involves PHI
When a BAA Is Likely NOT Required:
● You follow our guidelines and do NOT include patient names, DOB, medical records, or
identifiable information
● You only submit treatment types, time slots, and pricing
● Your booking system integration only shares cancellation events, not patient identities
To request a BAA: Contact us at support@luxe.dezysolutions.com
Important:
● BAA requests will be reviewed on a case-by-case basis
● Additional fees may apply for BAA coverage
● You are responsible for determining whether a BAA is required based on your data
practices
● Consult your legal counsel to determine BAA necessity
7. Your Rights
You have the right to:
Access:
● Request a copy of all data we have about you
● Review your account information and usage history
Correct:
● Update inaccurate or outdated information
● Modify your account settings and preferences
Delete:
● Request deletion of your account and all associated data
● Erase specific data upon request
Export:
● Download your data in a portable format (JSON, CSV)
● Transfer data to another service
Opt-Out:
● Stop SMS notifications (SpotFill)
● Unsubscribe from marketing emails
● Disable cookies (some features may not work)
To exercise these rights: Email support@luxe.dezysolutions.com
We’ll respond within 30 days (or 45 days if complex).
8. Data Retention
Active Accounts:
● Data retained while your subscription is active
● Regular backups for disaster recovery
Canceled Accounts:
● Account data deleted within 90 days of cancellation
● You can request immediate deletion by emailing us
Billing Records:
● Retained for 7 years (tax and legal compliance requirements)
● Includes invoices, payment history, subscription records
Backups:
● May exist in backup systems for up to 90 days after deletion
● Backups are encrypted and securely stored
Legal Holds:
● Data subject to legal disputes or investigations may be retained longer
9. Children's Privacy
Our services are NOT intended for users under 18 years old.
We do not knowingly collect data from minors. If we discover we’ve collected data from a minor,
we’ll delete it immediately.
If you believe a minor has created an account, contact us at support@luxe.dezysolutions.com
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights:
Right to Know:
● What categories of personal information we collect
● What sources we collect from
● How we use your information
● Who we share it with
Right to Delete:
● Request deletion of your personal information (subject to legal exceptions)
Right to Opt-Out:
● Stop sale of your personal information (we don’t sell data, but you can opt out
preventatively)
Right to Non-Discrimination:
● Equal service regardless of whether you exercise privacy rights
● No price discrimination for privacy choices
To exercise your CCPA rights: Email support@luxe.dezysolutions.com with “CCPA Request” in
the subject line.
We’ll verify your identity and respond within 45 days.
11. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, you have rights under GDPR:
Legal Basis for Processing:
● Consent: You’ve agreed to our terms and opted in to services
● Contract: Processing necessary to provide our services
● Legitimate Interest: Improving our products and preventing fraud
Your GDPR Rights:
● Right to access, rectify, erase, restrict, and port your data
● Right to object to processing
● Right to withdraw consent anytime
● Right to lodge a complaint with your local data protection authority
Data Transfers:
● Our servers are located in the United States
● We use Standard Contractual Clauses (SCCs) for international transfers
● Your data is protected with the same safeguards regardless of location
To exercise your GDPR rights: Email support@luxe.dezysolutions.com
12. International Users
Luxe Digital Collective is based in the United States. If you access our services from outside
the US:
● Your data will be transferred to and processed on US servers
● US privacy laws will apply
● Your data may be subject to US government access (e.g., lawful requests)
● By using our services, you consent to this transfer and processing
We comply with applicable international privacy frameworks and regulations.
13. Cookies & Tracking Technologies
We use cookies and similar technologies:
Essential Cookies (Required):
● Session management and login authentication
● Security and fraud prevention
● Core functionality
Analytics Cookies (Optional):
● Google Analytics (anonymized usage data)
● Performance monitoring
● User behavior analysis
Preference Cookies (Optional):
● Remember your settings and choices
● Personalize your experience
You can control cookies:
● Most browsers allow you to block or delete cookies
● Disabling cookies may affect functionality
● You can opt out of Google Analytics:
https://tools.google.com/dlpage/gaoptout
14. Third-Party Links
Our services may link to third-party websites or services:
● Instagram, Facebook, TikTok (SpotFill)
● Google Docs (Aesthetic Vault)
● Booking systems (Mindbody, Square, Vagaro)
● Payment processors (Stripe)
We are NOT responsible for:
● Third-party privacy practices
● Third-party data collection
● Third-party security breaches
● Content on external websites
Review their privacy policies before providing any information.
15. Changes to This Policy
We may update this Privacy Policy from time to time.
How we notify you:
● Changes posted at luxedigitalcollective.co/privacy
● New “Last Updated” date at the top
● Email notification for material changes
● In-app notice in your dashboard
Material changes (e.g., new data uses, new third parties) will be communicated 30 days in
advance.
Continued use after changes = acceptance. If you disagree with changes, cancel your
account before they take effect.
16. Contact Us
Questions about this Privacy Policy or data practices?
Email: support@luxe.dezysolutions.com
Mail:
Luxe Digital Collective, LLC
Attn: Privacy Team
9100 Wilshire Blvd., East Tower
Suite 333 PMB 1119
Beverly Hills, CA 90212
Websites:
● luxedigitalcollective.co
● spotfill.co
● aestheticvault.co
Response Time: We aim to respond to all privacy inquiries within 30 days.
By using any Luxe Digital Collective product or service, you acknowledge that you have
read, understood, and agree to this Privacy Policy.