Privacy Policy
⚠️ DRAFT — PENDING ATTORNEY REVIEW. This document has not been reviewed by a licensed attorney. CCPA/CPRA, GDPR (if applicable), and state-specific disclosures require attorney verification. Subject to material changes.
Effective Date: [TO BE SET AT GO-LIVE] Version: 0.1-DRAFT
About this Policy
This Privacy Policy describes how BodyEnhance ("we," "our") collects, uses, and shares non-medical information about users of bodyenhance.co and related services (the "Platform").
For information about how we handle protected health information (PHI), including medical intake data, photos, and Consult-related information, please refer to our separate HIPAA Notice of Privacy Practices. PHI is handled under HIPAA rules, not under this general Privacy Policy.
1. Information we collect
1.1 Information you provide
- Account information: Email, first and last name, password (hashed), role (patient, provider), phone number (optional).
- Communications: Support emails, feedback, replies to our messages.
- Provider profile info (if you are a Provider): practice name, license numbers, biography, portfolio images, availability schedule.
1.2 Information collected automatically
- Usage data: Pages viewed, features used, timestamps, session duration
- Device data: IP address, user-agent string, browser type, operating system, screen size
- Cookies and similar technologies: Authentication cookies, session cookies, and first-party analytics cookies. We do not use third-party advertising or tracking cookies at launch.
1.3 Information from third parties
- Payment processors (Stripe): Payment status, last four digits of card number, billing ZIP. We never receive full card details.
- Email deliverability (Resend): Delivery status of our transactional emails (did they deliver, bounce, open).
1.4 Information we do NOT collect
- Full credit card numbers (handled by Stripe)
- Advertising identifiers / cross-site tracking data
- Location data beyond IP-level (we don't track you with GPS or Wi-Fi triangulation)
2. How we use your information
We use your information to:
- Provide and operate the Platform (create accounts, process bookings, deliver consultations)
- Send transactional notifications (confirmations, reminders, summary-ready notices)
- Communicate with you about support requests and policy updates
- Improve the Platform (bug fixes, feature development, performance monitoring)
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations (recordkeeping, tax, subpoenas)
We do not:
- Sell your information to third parties
- Share your information with advertisers
- Use your information to train generic AI models (internal, privacy-scoped AI features described in the HIPAA Notice are distinct and limited)
3. How we share information
We share information only with:
- Service providers who help us run the Platform (Vercel for hosting, Supabase for databases, Stripe for payments, Resend for email, Daily for video, Anthropic for AI summarization if enabled). These providers are contractually limited to using the information only for the services they provide us, and to protect it with reasonable safeguards. PHI-handling providers are under Business Associate Agreements (see HIPAA Notice).
- Providers on the Platform (for your selected Consult) — to the extent necessary to facilitate the Consult. Your account email is shared so the Provider can reply to you; your PHI is shared per the HIPAA Notice.
- Legal and safety: To respond to lawful requests, defend our rights, enforce these terms, investigate fraud, or protect the safety of users or others.
- Business transfers: If BodyEnhance is involved in a merger, acquisition, or asset sale, user information may be transferred as part of that transaction. We will notify users of any such change and, to the extent required by law, offer choices about how information is handled.
4. Cookies and tracking
We use a small number of first-party cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token / sb-refresh-token | Authentication (Supabase Auth) | 1 hour / 30 days |
| theme-preference | Light / dark mode setting | Persistent until cleared |
We do not currently use third-party analytics cookies. If we add analytics in the future, we will update this Policy and (for jurisdictions that require it) add a consent banner.
You can control cookies via your browser settings. Disabling authentication cookies will prevent you from logging in.
5. Data retention
- Account data: Retained while your account is active. Deleted on account closure, with a 30-day grace period for recovery, after which only residual backups remain and are rotated out within 90 days.
- Booking + payment records: Retained for 7 years for tax, dispute, and legal compliance, regardless of account closure.
- Usage logs: Retained for 90 days, unless needed for security investigation.
- PHI: Governed by the HIPAA Notice, not this Policy.
6. Your rights
6.1 California residents (CCPA/CPRA)
Even though BodyEnhance launches in Florida only, the Platform is accessible from other states. If you are a California resident:
- Right to know: You may request a summary of the categories of personal information we have collected, used, and shared about you.
- Right to delete: You may request deletion of your personal information, subject to exceptions (legal retention, ongoing consultations, etc.).
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising.
- Right to limit use of sensitive personal information: Our processing is limited to what's necessary to provide the service; no further limitation is needed.
- Right to non-discrimination: We will not treat you differently for exercising any of these rights.
Submit requests to privacy@bodyenhance.co. We will respond within 45 days (extendable by 45 days with written notice).
6.2 Other state laws
If you are a resident of a state with a comprehensive consumer privacy law (e.g., Virginia, Colorado, Connecticut, Utah), you may have analogous rights. Contact privacy@bodyenhance.co with your state and your request.
6.3 International users
BodyEnhance does not target users outside the United States and is not designed for compliance with foreign data-protection laws (including GDPR). If you are accessing the Platform from outside the U.S., you are doing so at your own initiative and understand that your information will be processed in the United States.
7. Security
We implement reasonable administrative, physical, and technical safeguards to protect your information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 where applicable)
- Access control with least privilege — staff access is audited
- Supabase row-level security on sensitive tables
- Regular security review and dependency updates
- Incident response plan
No system is perfectly secure. We cannot guarantee that unauthorized access will not occur. If a breach affecting your personal information occurs, we will notify you as required by applicable law.
8. Children
The Platform is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you become aware that a child has provided us information, please contact us at privacy@bodyenhance.co and we will promptly delete the information.
9. Third-party links
The Platform may contain links to third-party sites (e.g., Provider websites). This Policy does not apply to those sites. Please review their privacy policies separately.
10. Changes to this Policy
We may update this Policy periodically. Material changes will be notified by email and/or a notice on the Platform at least 30 days before taking effect.
11. Contact
- General privacy: privacy@bodyenhance.co
- HIPAA-specific: privacy@bodyenhance.co (same contact; subject line "HIPAA")
- Security issues / vulnerabilities: security@bodyenhance.co
- Mailing address: [TBD — business mailing address to be added before publishing]
Revision history
| Date | Version | Change |
|---|---|---|
| 2026-04-18 | 0.1-DRAFT | Initial AI-drafted bundle, pending attorney review |