Privacy Policy
Introduction
This Privacy Policy explains how ZAPS Hair Removal, LLC collects, uses, stores, discloses, and protects personal information of customers and clients in the United States and the State of Maryland, including electronic communications (SMS), use of third‑party applications, and storage of personally identifying information and medical records. This policy describes individual rights and business practices required by applicable federal law, including HIPAA where applicable, and Maryland law.
Definitions
Personal Information (PI): any information that identifies or can reasonably identify an individual, including name, address, email, phone number, date of birth, government identifiers, and payment information.
Protected Health Information (PHI): individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate as defined under HIPAA.
Third‑Party Services: software, cloud storage, analytics, messaging, or other providers we use to support business operations.
SMS: text messages sent to or received from customers’ mobile devices.
Scope and Applicability
This policy applies to all personal information we collect in the course of providing services, including information collected in person, by phone, via SMS, through third‑party apps, on our website, and in physical or electronic records. Where PHI is created or maintained in connection with health care operations and we are a HIPAA‑covered entity or business associate, PHI is handled in accordance with HIPAA rules.
Categories of Information Collected
Contact and identifiers: name, postal address, email, phone number.
Health and medical information: medical history, diagnoses, treatment notes, test results, medication information, clinical records, and other PHI collected as part of service delivery.
Account and payment: billing, insurance, payment card information.
Communications records: SMS content and metadata, call logs, email messages.
Technical data: IP address, device identifiers, logs, cookies when using our website or apps.
Lawful Bases and Purposes for Processing
To provide services, treatment, and related health care operations, including scheduling, billing, clinical documentation, and care coordination.
To communicate with clients by SMS for appointment reminders, treatment notices, billing reminders, and essential service updates. SMS messages will be limited to necessary content and, where possible, will avoid including sensitive medical details.
To comply with legal obligations under federal and Maryland law, including mandatory disclosures required by statute, court order, or public health reporting.
To maintain business operations, quality assurance, security, and record retention obligations under Maryland law and professional standards.
To engage third‑party processors and business associates who assist in storage, processing, and communications.
SMS/Text Messaging Practices
Where required, we obtain express consent from customers to receive SMS messages, and individuals may opt out of non‑essential messages at any time using the procedures described below.
SMS will be used for time‑sensitive communications such as appointment reminders, customer inquiries, and billing notices. We will not include unnecessary clinical details in SMS messages unless the client explicitly authorizes such communications and we have implemented appropriate safeguards.
SMS is inherently less secure than encrypted channels; when SMS is used to convey PHI, we will document patient/provider communications preferences and provide an advisement of SMS risks where required under HIPAA guidance and best practices.
Third Parties that Help Provide the Messaging Service: We will not share your opt-in to an SMS short code campaign with a third party for purposes unrelated to supporting you in connection with that campaign. We may share your Personal Data with third parties that help us provide the messaging service, including, but not limited to, platform providers, phone companies, and other vendors who assist us in the delivery of text messages.
Additional Disclosures: Affiliates: We may disclose the Personal Data to our affiliates or subsidiaries; however, if we do so, their use and disclosure of your Personal Data will be subject to this Policy. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
Use of Third‑Party Applications and Business Associates
We use third‑party services to store, process, and transmit personal information and PHI. We evaluate vendors for appropriate security and enter written agreements (e.g., Business Associate Agreements) where the vendor will have access to PHI, requiring compliance with HIPAA obligations and reasonable security measures.
Third‑party vendors may include cloud storage providers, electronic health record systems, appointment and billing platforms, SMS gateways, analytics providers, and practice management tools.
We require encryption in transit and at rest from vendors where technical and contractual controls are reasonable and available, and we require vendors to implement access controls, audit logging, and breach notification obligations consistent with law.
Storage, Retention, and Recordkeeping
Medical records and related documentation are retained in accordance with Maryland statutory retention requirements and professional standards; medical records will be stored for no less than the minimum period required by Maryland law and professional boards.
We maintain administrative, technical, and physical safeguards to protect records from unauthorized access, alteration, loss, or disclosure, including role‑based access controls, encryption where practical, secure backups, and secure disposal procedures when retention periods expire.
Disclosure and Mandatory Reporting
Disclosures of PHI and other information occur only as permitted by HIPAA, Maryland law, or other applicable legal requirements, including disclosures for treatment, payment, health care operations, public health reporting, and mandatory disclosures such as subpoenas or court orders.
We will disclose only the minimum necessary information to satisfy a legitimate legal or business need unless the client provides an authorization permitting broader disclosure.
Individual Rights and Choices
Individuals have rights to access and obtain copies of their health records, request corrections, obtain an accounting of disclosures, and request restrictions or confidential communications as provided under HIPAA and Maryland law; we will process such requests in accordance with applicable timelines and procedures.
Individuals may opt out of promotional or non‑essential SMS messages by replying with an opt‑out keyword, following instructions in the message, or contacting us directly. Opt‑out requests will be honored promptly.
Requests to access, amend, or restrict use of records may be submitted using the contact details below and will be handled in compliance with federal and Maryland legal requirements.
Minimization, De‑Identification, and Research Use
We limit collection and disclosure of PHI and PI to what is necessary for the stated purposes. When feasible and appropriate, data will be de‑identified in accordance with HIPAA standards before use for analytics, quality improvement, or research.
Any use of de‑identified data for research or analytics will comply with applicable legal and ethical requirements.
Children’s Information
We do not knowingly collect medical information from individuals under the age required by applicable law without appropriate parental or guardian consent. For patients who are minors, parental or guardian rights and applicable Maryland statutes regarding access and consent apply.
Changes to This Policy
We will update this policy from time to time to reflect legal, technical, and operational changes. Material changes that affect rights or uses of PHI will be posted and provided to clients in the manner required by law.
Contact, Requests, and Complaints
For access requests, to opt out of SMS, to request corrections or restrictions, or to raise privacy concerns, contact:
Attn: Privacy Officer
ZAPS Hair Removal, LLC
110 Thomas Johnson Drive
Suite 340
Frederick, MD 21702
240-608-6300
info@zapshair.com
Individuals retain the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights for HIPAA‑related concerns and with relevant Maryland authorities for state law issues.