Privacy Policy
PRIVACY, HIPAA, AND DATA SECURITY
April 25, 2026
Effective Date: April 25, 2026
1. Introduction and Scope
This Privacy Policy describes how Aevua ("Aevua," "we," "us," or "our"), located at 449 W Mt Pleasant Ave, Livingston, NJ 07039, collects, uses, discloses, and protects your personal information when you visit our website (www.aevua.com), use our services, or communicate with us via any channel including SMS/text messaging, email, phone, or in person.
By using our website or services, you consent to the practices described in this Privacy Policy. Please review this policy carefully to understand:
- What information we collect
- How we use and share information
- Your privacy rights and choices
- Cookie and tracking technology use
- Data security measures
- SMS/text messaging terms
2. Information We Collect
2.1 Personal Information You Provide
We collect personal information that you voluntarily provide to us, including:
- Name, address, phone number, and email address
- Date of birth and demographic information
- Appointment and booking details
- Payment information (processed securely by our payment processor; we do not store full card numbers)
- Communications you send us via forms, email, SMS, or phone
- Account credentials for our Member Portal
2.2 Protected Health Information (PHI)
As a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164, we collect and maintain Protected Health Information (PHI) including medical history, treatment records, and health-related communications. PHI is governed by Section 3 of this Policy and our HIPAA Notice of Privacy Practices.
2.3 Information Collected Automatically
When you visit our website, we automatically collect:
- IP address and approximate location
- Browser type, device type, and operating system
- Pages visited, time on site, and referring URL
- Cookie identifiers and tracking pixel data (see Section 9)
2.4 SMS/Text Messaging Information
If you opt in to receive SMS communications from us, we collect your mobile phone number and your opt-in consent record, including the date, time, and method of consent.
3. HIPAA Compliance
Aevua complies with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. PHI is stored in encrypted systems, transmitted through secure channels, and accessed only by authorized personnel. In the event of a breach of unsecured PHI, Aevua will provide notifications as required under 45 C.F.R. §164.400-414.
Patients have the right to access, inspect, amend, and obtain copies of their PHI as permitted under HIPAA. By providing your mobile number or email, you consent to receive appointment reminders and administrative communications. Clinical information will not be sent via unencrypted email or SMS unless you provide written consent.
3.1 Notice of Privacy Practices
You will receive our HIPAA Notice of Privacy Practices (NPP) at your first appointment, which describes:
- How we may use and disclose your PHI
- Your rights regarding your PHI (access, amendment, accounting of disclosures, restrictions, confidential communications)
- Our duties to protect your PHI
- How to file a complaint if you believe your privacy rights have been violated
You will be asked to sign an acknowledgment that you received the NPP.
3.2 Uses and Disclosures of PHI
We may use and disclose your PHI without your authorization for the following purposes:
- Treatment: Providing, coordinating, or managing your care
- Payment: Billing and collecting payment for services (though most services are elective and self-pay)
- Healthcare Operations: Quality improvement, training, business planning, and other operational activities
Other uses and disclosures require your written authorization, including:
- Marketing uses (e.g., using your before-and-after photos in advertisements)
- Sale of PHI
- Psychotherapy notes (if applicable)
3.3 Your HIPAA Rights
You have the right to:
- Access and copy your medical records (with certain exceptions)
- Request amendment of incorrect or incomplete information
- Request restrictions on uses and disclosures (we are not required to agree, except for disclosures to health plans for services you paid for out-of-pocket)
- Request confidential communications (e.g., contact at an alternative address or phone number)
- Receive an accounting of disclosures (for certain disclosures made in the past 6 years)
- Receive a paper copy of our Notice of Privacy Practices
To exercise these rights, contact our HIPAA Privacy Officer at manager@flawless.center or (201) 540-9549.
4. SMS / Text Messaging Policy
4.1 Opt-In and Consent
By providing your mobile phone number and checking the SMS consent box on our intake forms, booking forms, or website contact forms, you expressly consent to receive text messages (SMS/MMS) from Aevua at the phone number provided. Consent to receive SMS messages is not a condition of purchasing any product or service.
Types of SMS messages we may send include:
- Appointment reminders and confirmations
- Post-treatment follow-up messages
- Membership and account notifications
- Promotional offers and special announcements (only if you opt in to marketing SMS)
- Responses to your inbound inquiries
4.2 Message Frequency and Rates
Message frequency varies based on your interactions with us and your preferences. Message and data rates may apply. Contact your mobile carrier for details about your plan.
4.3 How to Opt Out
You may opt out of SMS messages at any time by replying STOP to any text message you receive from us. After opting out, you will receive a single confirmation message and no further SMS messages, except as required by law. To re-subscribe, reply START.
4.4 Help
For help with SMS communications, reply HELP to any text message or contact us at contact@aevua.com or (201) 540-9549.
4.5 No Sharing of SMS Opt-In Data
We do not sell, rent, share, or otherwise disclose your mobile phone number or SMS opt-in consent data to any third party for their own marketing or promotional purposes. Your phone number may be shared only with our SMS/communications service providers (such as Twilio) acting as our service providers solely to deliver messages on our behalf, and with parties as required by law.
4.6 Supported Carriers
SMS services are available on most major U.S. carriers including AT&T, T-Mobile, Verizon, Sprint, Boost Mobile, MetroPCS, U.S. Cellular, and others. Carrier liability is not assumed.
5. How We Use Your Information
We use the personal information we collect to:
- Schedule and manage appointments
- Provide medical aesthetic treatments and related services
- Process payments and manage memberships
- Send appointment reminders, follow-up messages, and service notifications
- Respond to inquiries and support requests
- Send marketing communications (with your consent)
- Comply with legal and regulatory obligations, including HIPAA
- Improve our website and services through analytics
- Enforce our Terms and Conditions
Legal Bases for Processing (GDPR — for EU/UK Visitors)
If you are located in the European Union or United Kingdom, our legal bases for processing your personal data are:
- Consent: Where you have given clear consent (e.g., marketing emails, SMS opt-in)
- Contract: Where processing is necessary to provide services you have requested
- Legal Obligation: Where processing is required to comply with applicable law (including HIPAA)
- Legitimate Interests: Where processing is in our legitimate business interests and does not override your fundamental rights (e.g., fraud prevention, website analytics)
6. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
6.1 Service Providers (Business Associates)
We share personal data with third-party vendors who perform services on our behalf, including:
- Electronic health records and practice management platforms
- Appointment scheduling and booking platforms
- SMS/text messaging providers (including Twilio)
- Email marketing platforms
- Payment processors
- Website hosting and analytics providers (including Wix, Google Analytics)
- IT support and cybersecurity providers
All service providers who handle PHI are required to execute Business Associate Agreements (BAAs) with us in accordance with HIPAA. All service providers are contractually required to protect your data and use it only for the purposes we specify.
6.2 Legal Requirements
We may disclose your information if required to do so by law, court order, subpoena, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website prior to any such transfer.
6.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so (e.g., before-and-after photos used in marketing).
7. Data Security
Aevua implements administrative, physical, and technical safeguards to protect your personal information and PHI from unauthorized access, use, or disclosure, including:
- Encryption of data in transit (SSL/TLS) and at rest
- Secure, password-protected Member Portal with multi-factor authentication
- Role-based access controls limiting staff access to PHI on a "need-to-know" basis
- Regular security risk assessments and audits
- Staff training on privacy and security practices
- Business Associate Agreements (BAAs) with third-party vendors who handle PHI
8. Data Breach Notification
In the unlikely event of a breach of unsecured PHI, we will notify affected individuals in accordance with HIPAA Breach Notification Rule (45 C.F.R. § 164.404) requirements:
- Individual notification within 60 days of discovery of the breach (by first-class mail, email, or substitute notice if contact information is insufficient)
- Media notification (if breach affects 500+ individuals in a state or jurisdiction)
- Notification to the U.S. Department of Health and Human Services (HHS)
For non-PHI personal data breaches affecting New Jersey residents, we will also comply with the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163 et seq.) notification requirements.
9. Data Retention
Medical Records: In accordance with New Jersey medical records retention laws (N.J.A.C. 13:35-6.9), we retain medical records for a minimum of seven (7) years from the date of the last treatment or, in the case of minors, until the patient reaches age 23 (whichever is longer).
Non-PHI Personal Data: We retain non-PHI personal data (such as website contact form submissions, marketing email addresses, and SMS opt-in records) for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specifically:
- Marketing contact data: retained until you opt out or request deletion, plus 3 years
- SMS opt-in records: retained for a minimum of 4 years to comply with telecommunications regulations
- Website analytics data: retained for up to 26 months (per Google Analytics default settings)
- Booking and transaction records: retained for 7 years for tax and legal compliance purposes
Upon closure of the practice or upon your request, we will provide:
- Copies of Records: Available upon written request (processing fee may apply as permitted by law)
- Transfer to New Provider: Records can be sent directly to another healthcare provider with your written authorization
10. Email and Electronic Communication Security
10.1 Unencrypted Email Risks
Standard email is not a secure method of communication for PHI. By providing your email address and communicating with us via email, you acknowledge and accept the risks, including:
- Interception by unauthorized third parties
- Misdirection to incorrect recipients
- Unlimited forwarding without your knowledge
10.2 Secure Communication Options
For sensitive communications, we offer:
- Member Portal Secure Messaging: HIPAA-compliant, encrypted platform
- Encrypted Email: Available upon request for high-sensitivity communications
- Phone or In-Person: Always available for confidential discussions
11. Cookies and Tracking Technologies
11.1 Types of Cookies We Use
Our website uses cookies, web beacons, and similar tracking technologies. We use the following categories of cookies:
- Strictly Necessary Cookies: Essential for the website to function (e.g., login sessions, booking functionality). These cannot be disabled.
- Functional Cookies: Remember your preferences and settings (e.g., language, login state for Member Portal).
- Analytics Cookies: Help us understand how visitors use our site (e.g., Google Analytics, which collects anonymized data about pages visited and time on site).
- Marketing/Advertising Cookies: Used to deliver relevant advertisements and track campaign effectiveness (e.g., Google Ads, Meta/Facebook Pixel, if applicable).
11.2 Managing Cookie Preferences
You may manage cookie preferences through your browser settings or through our cookie consent banner. Disabling certain cookies may affect website functionality, including your ability to:
- Stay logged into the Member Portal
- Receive member-specific pricing
- Complete the Treatment Quiz
You can also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout.
For more details, see our Cookie Policy at www.aevua.com/cookies.
11.3 Do Not Track
Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not wish to be tracked. Our website does not currently respond to DNT signals, as there is no universal standard for how DNT signals should be interpreted. You may use the opt-out methods described in Section 11.2 to limit tracking.
12. Your Privacy Rights
12.1 New Jersey Data Privacy Act (NJDPA) — New Jersey Residents
Effective January 15, 2025, New Jersey residents have the following rights under the New Jersey Data Privacy Act (N.J.S.A. 56:8-166.1 et seq.):
- Right to Know: The right to confirm whether we are processing your personal data and to access that data
- Right to Correction: The right to correct inaccurate personal data we hold about you
- Right to Deletion: The right to request deletion of your personal data (subject to certain exceptions)
- Right to Data Portability: The right to obtain a copy of your personal data in a portable format
- Right to Opt Out: The right to opt out of the processing of your personal data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects
To exercise your NJDPA rights, submit a request to contact@aevua.com or (201) 540-9549. We will respond within 45 days of receiving a verifiable request (extendable by an additional 45 days when reasonably necessary with prior notice).
12.2 California Consumer Privacy Act (CCPA/CPRA) — California Residents
If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.):
- Right to Know: The right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it
- Right to Delete: The right to request deletion of your personal information (subject to certain exceptions)
- Right to Correct: The right to request correction of inaccurate personal information
- Right to Opt Out of Sale/Sharing: We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To submit a CCPA request, contact us at contact@aevua.com or (201) 540-9549. We will respond within 45 days.
12.3 EU/UK Residents — GDPR/UK GDPR Rights
If you are located in the European Union or United Kingdom, you have the following rights under GDPR/UK GDPR:
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to withdraw consent at any time (without affecting the lawfulness of prior processing)
- Right to lodge a complaint with your local supervisory authority
To exercise any of these rights, contact us at contact@aevua.com.
13. Children's Privacy
Our website and services are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at contact@aevua.com and we will take steps to delete such information. For patients who are minors, parental or guardian consent is obtained prior to treatment, and PHI for minor patients is handled in accordance with applicable HIPAA and New Jersey law.
14. Third-Party Links
Our website may contain links to third-party websites (e.g., social media platforms, partner providers). We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal information.
15. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or by prominent notice on our website. Your continued use of our website or services after any changes constitutes your acceptance of the updated policy.
16. Contact Us / Privacy Rights Requests
For questions about this Privacy Policy, to exercise your privacy rights, or to submit a complaint, contact us:
Aevua
449 W Mt Pleasant Ave
Livingston, NJ 07039
Phone: (201) 540-9549
Email: contact@aevua.com
HIPAA Privacy Officer: manager@flawless.center
We will respond to all verifiable privacy requests within 45 days. If we require additional time, we will notify you within the initial 45-day period.