Privacy Policy
Elite Med Spa - Website Privacy Policy
Last Updated: 4/17/26
This Privacy Policy governs Elite Med Spa’s websites and digital platforms. It is separate from, and should be read alongside, our Notice of Privacy Practices (NPP), which governs how we handle Protected Health Information (PHI) under HIPAA in the clinical context. If you are a patient, both documents apply to you.
1. Who We Are
Elite Med Spa (“we,” “us,” or “our”) operates medical spa locations and associated websites in Washington, Texas, and Nebraska. Our principal business address is 412 N Mission St. Suite AB, Wenatchee, WA. For privacy-related inquiries, contact us at contact@amarahealth.us.
This Policy applies to all websites, booking portals, online forms, email communications, and digital marketing platforms operated by Elite Med Spa or on our behalf (“the Site”).
2. Information We Collect
2.1 Information You Provide Directly
We collect information you voluntarily provide, including when you:
Complete a contact, consultation, or booking form (name, email, phone, date of birth, reason for inquiry);
Purchase products or gift cards online (payment details, billing address);
Subscribe to our email or SMS marketing list;
Respond to a survey or promotion; or
Communicate with us by email, text, phone, or social media.
2.2 Information Collected Automatically
When you visit our Site, we and our third-party partners may automatically collect:
Device and browser information (IP address, browser type, operating system);
Usage data (pages visited, time spent, links clicked, referral URLs);
Approximate location data derived from your IP address; and
Cookies, pixels, and similar tracking technologies (see Section 5).
2.3 Information That May Constitute Consumer Health Data (Washington)
Under the Washington My Health My Data Act (MHMDA), certain information we collect may qualify as “consumer health data,” including:
Services or treatments you inquire about or book (e.g., injectables, laser, hormone therapy, weight loss);
Health-related information you voluntarily share in forms or consultations;
Inferences about your health status drawn from your browsing behavior on health-related pages of our Site; and
Precise geolocation that could be used to infer a visit to a healthcare facility.
Washington residents: We treat this information with heightened protections and will not collect, share, or sell your consumer health data without your express consent, except as permitted by the MHMDA or HIPAA.
2.4 Sensitive Personal Data
Across all states, we treat the following categories as sensitive and will only process them with your consent or as required by law:
Health and medical information;
Precise geolocation data;
Financial account information; and
Government-issued ID numbers.
3. How We May Use Your Information
We use the information we collect for the following purposes:
Appointment Scheduling & Service Delivery: to book appointments, process payments, and provide the services you request;
Communications: to respond to your inquiries, send appointment reminders, and provide customer support;
Marketing: to send promotional emails, SMS messages, or targeted digital advertising about our services, with your consent where required;
Analytics & Site Improvement: to understand how visitors use our Site and improve our content and user experience;
Legal Compliance: to comply with applicable federal and state laws, regulations, court orders, or lawful government requests;
Fraud Prevention & Security: to detect, prevent, and respond to fraudulent, illegal, or harmful activity; and
Business Operations: for internal purposes such as auditing, staff training, and financial recordkeeping.
We do not sell your personal data for monetary consideration. We do not use your health information for automated profiling that produces legal or similarly significant decisions about you without human review.
4. How We May Share Your Information
4.1 Service Providers (Processors)
We share your information with trusted third-party vendors who perform services on our behalf, including:
Booking and practice management platforms (e.g., Aesthetic Record, Jane, Vagaro);
Email and SMS marketing platforms (e.g., Klaviyo, Mailchimp, Podium);
Payment processors (e.g., Stripe, Square, CareCredit);
Analytics and advertising platforms (e.g., Google Analytics, Meta Ads); and
Website hosting and IT providers.
All service providers are required by contract to process your data only on our behalf, in accordance with our instructions, and subject to appropriate security measures. Where required, we execute Data Processing Agreements and/or HIPAA Business Associate Agreements with these vendors.
4.2 Business Transfers
If Elite Med Spa is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Site before your information is transferred and becomes subject to a different privacy policy.
4.3 Legal Requirements
We may disclose your information when required by law or in good-faith belief that such disclosure is necessary to comply with a legal obligation, protect our rights or property, prevent fraud, or protect the safety of our users or the public.
4.4 With Your Consent
We may share your information for any other purpose with your prior written consent.
4.5 What We Do Not Do
We do not:
Sell your personal data to data brokers or third parties for their own marketing purposes;
Share your consumer health data (WA) for targeted advertising without your express consent; or
Disclose your PHI except as described in our Notice of Privacy Practices.
5. Cookies and Tracking Technologies
5.1 What We Use
Our Site uses the following categories of cookies and tracking tools:
Essential Cookies: required for the Site to function (e.g., session management, booking portal authentication). Cannot be disabled.
Analytics Cookies: help us understand how visitors interact with the Site (e.g., Google Analytics, Hotjar).
Marketing/Advertising Pixels: used to deliver targeted ads and measure campaign effectiveness (e.g., Meta Pixel, Google Ads tag, TikTok Pixel).
Functionality Cookies: remember your preferences (e.g., language, location).
5.2 Washington — Health Data & Tracking
Under the Washington My Health My Data Act, placing a tracking pixel on a health-related webpage may constitute collection of consumer health data if it captures information that could be used to infer a health condition or healthcare visit. We have taken the following steps for our Washington Site:
We do not pass health-related URL parameters or page content to third-party advertising platforms without your consent;
We have reviewed our Meta Pixel and Google Analytics configurations to limit transmission of sensitive health data; and
We provide a consent mechanism for non-essential tracking on health-related pages.
Washington residents may have a private right of action under the Consumer Protection Act (CPA) for MHMDA violations. If you have concerns about our tracking practices, contact us at contact@amarahealth.us.
5.3 Managing Cookies
You can control cookies through:
Your browser settings (disabling or deleting cookies);
Our cookie consent banner, which allows you to accept or reject non-essential cookies;
The Global Privacy Control (GPC) browser signal, which we honor as an opt-out of sale/sharing of personal data (required in WA and NE); and
Opt-out tools provided by third parties, including Google Analytics Opt-Out (tools.google.com/dlpage/gaoptout) and the NAI opt-out (optout.networkadvertising.org).
6. Your Privacy Rights
6.1 Rights Available to All Users
Regardless of your state, you have the right to:
Opt out of marketing emails by clicking “Unsubscribe” in any email we send;
Opt out of SMS marketing by replying STOP to any text message; and
Request information about the personal data we hold about you.
6.2 Washington Residents
Under the My Health My Data Act and Washington Consumer Protection Act, Washington residents have the right to:
Know whether we are collecting, sharing, or selling your consumer health data;
Withdraw consent to the collection or sharing of your consumer health data at any time;
Request deletion of your consumer health data;
Obtain a list of all third parties with whom we have shared your consumer health data; and
Not be retaliated against for exercising these rights.
Washington residents also have rights under the Washington Foundational Data Privacy Act (if applicable), including the right to access, correct, delete, and port personal data, and to opt out of targeted advertising, sale of data, and certain profiling.
6.3 Texas Residents
Under the Texas Data Privacy and Security Act (TDPSA), Texas residents have the right to:
Confirm whether we process your personal data and access it;
Correct inaccuracies in your personal data;
Delete personal data you have provided to us or that we have obtained about you;
Obtain a portable copy of your personal data in a machine-readable format;
Opt out of the processing of your personal data for targeted advertising, sale, or certain profiling; and
Appeal our denial of any of the above rights (see Section 6.5 below).
6.4 Nebraska Residents
Under the Nebraska Data Privacy Act (NDPA), Nebraska residents have the right to:
Confirm whether we process your personal data and access it;
Correct inaccuracies in your personal data;
Delete personal data you have provided to us;
Obtain a portable copy of your personal data;
Opt out of targeted advertising, sale of personal data, or profiling with significant legal effects; and
Appeal our denial of any of the above rights (see Section 6.5 below).
Nebraska residents: We honor Global Privacy Control (GPC) signals as a valid opt-out of sale and targeted advertising, as required by the NDPA.
6.5 How to Submit a Privacy Rights Request
To exercise any of the rights described above, please contact us using one of the following methods:
Email: contact@amarahealth.us
We will respond to verified requests within 45 days of receipt. We may extend this period by an additional 45 days if reasonably necessary and will notify you of any extension. We will not discriminate against you for exercising your privacy rights.
To protect your information, we may need to verify your identity before processing your request. We will not process requests we cannot verify.
6.6 Appeal Process
If we deny your privacy rights request, we will explain the reason in writing. You may appeal our decision by submitting a written appeal to contact@amarahealth.us within 30 days of receiving our denial. We will respond to your appeal within 45 days. If your appeal is denied, you may contact your state’s Attorney General:
Washington: www.atg.wa.gov
Texas: www.texasattorneygeneral.gov
Nebraska: ago.nebraska.gov
7. Data Retention
We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
Patient/client records: as required by applicable state medical records laws (Washington: 10 years; Texas: 10 years for adults; Nebraska: 10 years);
Marketing contact data: until you unsubscribe or request deletion;
Website analytics data: as configured in the applicable platform (typically 14–26 months); and
Transaction and billing records: 7 years for tax and accounting purposes.
Deletion of your data from active systems does not guarantee removal from all backup systems immediately. Backup data is purged on a rolling schedule.
8. Data Security
We implement reasonable and appropriate technical, physical, and administrative safeguards to protect your personal data from unauthorized access, use, disclosure, alteration, or destruction. These include:
SSL/TLS encryption for data in transit;
Access controls limiting data access to authorized personnel only;
HIPAA-compliant platforms for handling Protected Health Information;
Regular security assessments; and
Staff training on data privacy and security practices.
No method of transmission over the internet is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. If you have reason to believe your interaction with us is no longer secure, please notify us immediately at contact@amarahealth.us.
9. Children’s Privacy
Our Site and services are not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will delete it promptly. If you believe we have collected information from a child under 13, please contact us at contact@amarahealth.us.
10. Third-Party Links
Our Site may contain links to third-party websites, social media platforms, or services. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party sites you visit. We are not responsible for the privacy practices of third parties.
11. Marketing Communications
Email Marketing
We may send you promotional emails about our services, events, and offers if you have opted in or have an existing relationship with us. You may unsubscribe at any time by clicking the “Unsubscribe” link in any email or contacting us directly. We comply with the federal CAN-SPAM Act.
SMS / Text Marketing
If you opt in to SMS communications, you may receive appointment reminders and promotional messages. Message and data rates may apply. Reply STOP to opt out at any time. Reply HELP for help. We comply with the Telephone Consumer Protection Act (TCPA) and applicable carrier guidelines.
Before-and-After Photography
We may request your written consent to use photographs or videos of your treatment results in our marketing materials, website, or social media. This consent is entirely voluntary, separate from your treatment consent, and may be revoked in writing at any time.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Update the “Last Updated” date at the top of this page;
Post the revised Policy on our website; and
Where required by law, notify you directly by email or prominent notice on our Site.
Your continued use of our Site after we post changes constitutes your acceptance of the revised Policy. If you do not agree with the updated Policy, please stop using our Site and contact us to request deletion of your data.
13. Contact Us
For questions, concerns, or to exercise your privacy rights, please contact our Privacy Officer at contact@amarahealth.us.
This Policy is designed for compliance with: HIPAA (45 C.F.R. Parts 160 & 164) · Washington My Health My Data Act (RCW Ch. 70.372) · Washington Consumer Protection Act (RCW 19.86) · Texas Data Privacy and Security Act (Bus. & Com. Code Ch. 541) · Nebraska Data Privacy Act (LB 1074) · CAN-SPAM Act · TCPA