
Privacy Policy

Effective Date: March 8, 2026 — Last Updated: March 8, 2026

1. Introduction

The Aesthetic Generator LLC ("Company," "we," "us," or "our"), a limited liability company organized under the laws of the Commonwealth of Virginia, is committed to protecting the privacy and security of your personal information. This Privacy Policy ("Policy") describes how we collect, use, disclose, store, and protect information when you visit our website at aestheticgenerator.com (the "Site"), use our services, interact with our tools, submit forms, create an account, make a purchase, or otherwise engage with us (collectively, the "Services").

This Policy applies to all visitors, users, clients, and any other individuals who access the Site or use the Services. By accessing the Site or using the Services, you consent to the collection, use, and disclosure of your information as described in this Policy. If you do not agree with this Policy, please do not access the Site or use the Services.

This Policy is designed to comply with applicable privacy laws, including but not limited to the Virginia Consumer Data Protection Act ("VCDPA"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the General Data Protection Regulation ("GDPR") where applicable, the CAN-SPAM Act, the Telephone Consumer Protection Act ("TCPA"), and other applicable federal and state privacy laws.

2. Information We Collect

We collect information in several ways depending on how you interact with our Site and Services. The categories of information we collect include:

2.1 Information You Provide Directly

  • Contact Information: Name, email address, phone number, business name, business address, and job title when you fill out forms, create an account, schedule a consultation, or contact us.
  • Business Information: Practice type, number of locations, number of providers, monthly revenue, current marketing strategies, business goals, and other practice-related information submitted through our audit forms, intake questionnaires, or consultation processes.
  • Account Information: Username, password (encrypted), profile information, and account preferences when you create an account on our Site.
  • Payment Information: Billing name, billing address, and payment method details when you make a purchase. Note: We use Stripe as our payment processor. Full credit card numbers are processed and stored by Stripe in accordance with PCI DSS standards and are never stored on our servers.
  • Communication Data: The content of emails, messages, chat interactions, form submissions, and other communications you send to us or through our Services.
  • Marketing Preferences: Your preferences regarding marketing communications, newsletter subscriptions, and notification settings.
  • Feedback and Survey Responses: Information you provide in response to surveys, feedback forms, reviews, or testimonials.

2.2 Information Collected Automatically

  • Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and device identifiers.
  • Usage Data: Pages visited, time spent on pages, links clicked, scroll depth, navigation patterns, referring URLs, exit pages, and other interaction data.
  • Cookie and Tracking Data: Information collected through cookies, web beacons, pixels, and similar tracking technologies (see Section 8 for details).
  • Location Data: Approximate geographic location based on IP address. We do not collect precise GPS location data.
  • Log Data: Server logs that record requests made to our Site, including timestamps, URLs, HTTP methods, and response codes.

2.3 Information from Third Parties

  • Authentication Providers: If you sign in using a third-party authentication service, we may receive your name, email address, and profile information from that provider.
  • Advertising Platforms: We may receive aggregated and anonymized data from advertising platforms (Meta, Google, etc.) regarding the performance of campaigns we manage on behalf of clients.
  • Analytics Providers: We receive analytics data from third-party analytics services that help us understand Site usage patterns.
  • Business Partners: We may receive referral information from business partners, including name and contact information of individuals who have expressed interest in our Services.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and improve our Services, including processing transactions, managing accounts, delivering marketing services, and fulfilling contractual obligations.
  • Communication: To communicate with you about your account, Services, appointments, billing, and to respond to your inquiries and requests.
  • Marketing and Promotional Communications: To send you marketing emails, newsletters, promotional offers, and other communications about our Services, subject to your marketing preferences and applicable opt-out rights.
  • AI-Powered Services: To power our AI audit tool, chatbot, lead qualification systems, and other AI-driven features. Information submitted through these tools is processed to generate personalized recommendations, reports, and insights.
  • Analytics and Improvement: To analyze usage patterns, measure the effectiveness of our Site and Services, conduct research, and make improvements to our offerings.
  • Personalization: To personalize your experience on our Site, including displaying relevant content, recommendations, and service offerings.
  • Security and Fraud Prevention: To detect, prevent, and address security incidents, fraud, abuse, and other harmful activities.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
  • Business Operations: To support our internal business operations, including billing, accounting, auditing, and administrative functions.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • Service Providers: We share information with third-party service providers who perform services on our behalf, including payment processing (Stripe), email delivery, hosting, analytics, and customer support. These providers are contractually obligated to use your information only for the purposes of providing services to us.
  • Third-Party Partners (with Consent): If you express interest in or request services from one of our Partners (LegitScript, Project Blue, TrueEval, VeinLife IV, MorphRx, or others), we may share your contact information and relevant business information with that Partner to facilitate the introduction. This sharing occurs only with your knowledge and consent, and the Partner's use of your information is governed by their own privacy policy.
  • Advertising and Analytics Partners: We share aggregated, anonymized, or de-identified data with advertising and analytics partners to measure campaign performance and improve our Services. This data cannot reasonably be used to identify you.
  • Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
  • With Your Consent: We may share your information for any other purpose with your express consent.

5. Data Security

We implement commercially reasonable administrative, technical, and physical security measures to protect your personal information from unauthorized access, use, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL protocols;
  • Encryption of sensitive data at rest;
  • Access controls limiting employee access to personal information on a need-to-know basis;
  • Regular security assessments and vulnerability testing;
  • Secure payment processing through PCI DSS-compliant providers (Stripe);
  • Incident response procedures for addressing security breaches.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activities that occur under your account.

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. The retention period may vary depending on the context and our obligations:

  • Account Information: Retained for the duration of your account and for up to three (3) years after account closure or last activity.
  • Transaction Records: Retained for a minimum of seven (7) years to comply with tax and accounting obligations.
  • Marketing Communications: Retained until you opt out, after which we retain only the minimum information necessary to honor your opt-out preference.
  • Audit and Consultation Data: Retained for up to three (3) years after the last engagement.
  • Log and Analytics Data: Retained for up to two (2) years for analytics purposes.

When personal information is no longer needed, we will securely delete or anonymize it in accordance with our data retention policies.

7. Your Privacy Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information. We respect and honor these rights in accordance with applicable law.

7.1 Virginia Consumer Data Protection Act (VCDPA)

If you are a Virginia resident, you have the following rights under the VCDPA:

  • Right to Know: The right to confirm whether we are processing your personal data and to access such data.
  • Right to Correct: The right to correct inaccuracies in your personal data.
  • Right to Delete: The right to delete personal data that you have provided to us or that we have obtained about you.
  • Right to Data Portability: The right to obtain a copy of your personal data in a portable and readily usable format.
  • Right to Opt Out: The right to opt out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Right to Appeal: If we decline to take action on your request, you have the right to appeal our decision. We will respond to your appeal within sixty (60) days.

7.2 California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA/CPRA:

  • Right to Know: The right to know what personal information we collect, use, disclose, and sell about you.
  • Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: The right to request correction of inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: The right to opt out of the sale or sharing of your personal information. We do not sell personal information. If we share personal information for cross-context behavioral advertising, you may opt out.
  • Right to Limit Use of Sensitive Personal Information: The right to limit the use and disclosure of sensitive personal information.
  • Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising your privacy rights.

California "Shine the Light" Law: California residents may request information regarding the disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

7.3 General Data Protection Regulation (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you may have additional rights under the GDPR, including:

  • Right of Access: The right to obtain confirmation of whether we process your personal data and to access such data.
  • Right to Rectification: The right to have inaccurate personal data corrected.
  • Right to Erasure: The right to have your personal data erased under certain circumstances.
  • Right to Restriction: The right to restrict the processing of your personal data under certain circumstances.
  • Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to Object: The right to object to the processing of your personal data for certain purposes, including direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, the right to withdraw consent at any time.
  • Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority.

The legal bases for our processing of personal data under the GDPR include: performance of a contract, legitimate interests, consent, and compliance with legal obligations.

7.4 Exercising Your Rights

To exercise any of the above rights, please contact us at [email protected] with the subject line "Privacy Rights Request." We will verify your identity before processing your request and will respond within the timeframes required by applicable law (generally within 45 days for CCPA/CPRA, 30 days for VCDPA, and one month for GDPR). We may extend the response period as permitted by law, with notice to you.

You may also designate an authorized agent to make a request on your behalf. We may require verification of the agent's authority before processing the request.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities and to personalize your experience on our Site. The types of cookies we use include:

  • Essential Cookies: Necessary for the Site to function properly, including authentication, security, and session management. These cookies cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with our Site by collecting and reporting information anonymously. We use these to improve our Site and Services.
  • Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences and settings.
  • Marketing Cookies: Used to track visitors across websites to display relevant advertisements. These cookies may be set by third-party advertising partners.

You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or alert you when a cookie is being set. Please note that disabling certain cookies may affect the functionality of our Site.

We may also use web beacons (clear GIFs/pixel tags) in our emails to track open rates and click-through rates for the purpose of improving our email communications.

Do Not Track Signals: Some browsers transmit "Do Not Track" (DNT) signals. We currently do not respond to DNT signals, as there is no industry-standard interpretation of DNT signals. We will update this Policy if a standard for responding to DNT signals is established.

9. Third-Party Links and Services

Our Site may contain links to third-party websites, services, and applications, including but not limited to our Partners' websites (LegitScript.com, tryprojectblue.com, TrueEval.com, VeinLifeIV.com, MorphRX.co), social media platforms, payment processors, and other external services. These third-party services have their own privacy policies and practices, which are not governed by this Policy.

We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party services before providing your personal information. Your interactions with third-party services are governed solely by those third parties' terms and privacy policies.

10. Children's Privacy

Our Site and Services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that we may have collected information from a child under 18, please contact us immediately at [email protected].

11. Artificial Intelligence and Automated Processing

Our Services include AI-powered tools, including but not limited to our practice audit tool, chatbot, lead qualification systems, and content recommendation engines. When you interact with these tools:

  • Information you submit (business details, practice information, marketing data) is processed by AI systems to generate personalized recommendations, reports, and insights.
  • AI-generated outputs are based on the information you provide and general industry data. They do not constitute professional advice.
  • We may use aggregated and anonymized data from AI interactions to improve our models and Services.
  • You have the right to request human review of any significant decisions made solely through automated processing, where required by applicable law.
  • AI-processed data is subject to the same security measures and retention policies described in this Policy.

12. Email and Communication Preferences

We may send you marketing and promotional communications via email, SMS, or other channels. You can manage your communication preferences as follows:

  • Email Opt-Out: You may unsubscribe from marketing emails by clicking the "unsubscribe" link at the bottom of any marketing email. Please note that you may continue to receive transactional and service-related emails even after opting out of marketing communications.
  • SMS Opt-Out: You may opt out of SMS communications by replying "STOP" to any SMS message. Standard message and data rates may apply.
  • Account Notifications: Certain communications are necessary for the operation of your account and cannot be opted out of, including billing notifications, security alerts, and service updates.

We comply with the CAN-SPAM Act and will honor opt-out requests within ten (10) business days. We comply with the TCPA and will not send SMS communications without proper consent.

13. International Data Transfers

The Aesthetic Generator LLC is based in the United States. If you access our Site or Services from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

By using our Site or Services, you consent to the transfer of your information to the United States. Where required by applicable law (such as the GDPR), we will implement appropriate safeguards for international data transfers, including Standard Contractual Clauses or other approved transfer mechanisms.

14. Data Breach Notification

In the event of a data breach that compromises the security of your personal information, we will notify affected individuals and relevant authorities in accordance with applicable law. Notification will be provided without unreasonable delay and will include:

  • A description of the nature of the breach;
  • The categories of personal information affected;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach;
  • Contact information for further inquiries.

15. HIPAA and Health Information Disclaimer

The Aesthetic Generator LLC is a marketing services company and is not a covered entity or business associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Our Site and Services are not designed to collect, store, or process Protected Health Information ("PHI") as defined under HIPAA.

If you are a healthcare provider or practice, you are solely responsible for ensuring that no PHI is transmitted to us through our Site, forms, or Services. Any information you provide to us should be de-identified in accordance with HIPAA de-identification standards. If your engagement with us requires the processing of PHI, a separate Business Associate Agreement must be executed prior to any such processing.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Policy;
  • Post the updated Policy on our Site;
  • For material changes, provide notice through email or a prominent notice on our Site.

Your continued use of the Site or Services after the posting of changes constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

The Aesthetic Generator LLC

A Virginia Limited Liability Company

Email: [email protected]

Website: aestheticgenerator.com

For privacy-specific inquiries, please use the subject line "Privacy Inquiry" to ensure prompt routing to our privacy team.

18. California Notice at Collection

Pursuant to the CCPA/CPRA, the following table summarizes the categories of personal information we collect, the purposes for collection, and whether we sell or share such information:

| Category | Purpose | Sold/Shared |
|---|---|---|
| Identifiers (name, email, phone) | Service delivery, communication | No |
| Commercial information (purchases, transactions) | Billing, service fulfillment | No |
| Internet activity (browsing, usage data) | Analytics, improvement | No |
| Professional information (business details) | Service customization | No |
| Geolocation data (approximate) | Analytics, localization | No |
| Inferences (preferences, characteristics) | Personalization | No |

We retain each category of personal information for the periods described in Section 6 of this Policy. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.