Glitzy Medical Spa (Glitzy Lashes LLC) Privacy Policy
Effective Date: May 7, 2025 (or latest update)
Introduction
Glitzy Medical Spa (“Glitzy,” “we,” “us,” or “our”) is committed to protecting your privacy and
ensuring the security of your personal and health information. This Privacy Policy describes how
we collect, use, disclose, and protect information when you visit our website or use our services,
including any information provided through online forms, appointment bookings, and telehealth
sessions. It also serves as our Notice of Privacy Practices for Protected Health Information
(PHI) under the Health Insurance Portability and Accountability Act (HIPAA) and applicable
Colorado laws. Please review this policy carefully, as it explains your rights and our obligations
regarding your information.
Glitzy Medical Spa is a Colorado-based medical spa offering services such as injectables,
testosterone replacement therapy (TRT), weight loss injections, Botox, and laser treatments. As a
provider of medical services, we are a “covered entity” under HIPAA. Certain health and
medical information you provide to us is protected by HIPAA and state law. In this Policy,
“Personal Information” refers to any information that can identify you (such as your name or
email), and “Protected Health Information” (PHI) refers to individually identifiable health
information that is protected by HIPAA. If there is any conflict between this Privacy Policy and
our HIPAA Notice of Privacy Practices with respect to PHI, the terms of the HIPAA Notice will
control.
By using our website or services, you consent to the practices described in this Privacy Policy. If
you do not agree with the terms, please do not use our site or services. We may update this Policy
from time to time as described in the “Changes to This Policy” section below.
Scope of this Privacy Policy
This Policy applies to information we collect from: (1) visitors to our website (including via
cookies and analytics tools); (2) individuals who fill out forms or book appointments online; (3)
patients who engage in telehealth sessions with our providers; and (4) any other individuals who
provide personal information to us in connection with using our site or services. It covers both
health-related information (which may be PHI protected by HIPAA) and other personal data
collected for business or marketing purposes.
Please note that this Policy does not cover information you may provide to third-party websites
that are not operated by Glitzy (for example, if our website links to an external site). We are not
responsible for the privacy practices of third-party sites, and we recommend you review their
policies before submitting any information.

Information We Collect
We collect information from you in several ways, including information you provide directly and
information collected automatically when you use our website or services.
1. Information You Provide Directly
a. Contact and Identity Information: When you fill out forms on our site (such as a
contact form or appointment request) or create an account, we may ask for personal
details like your name, email address, phone number, mailing address, date of birth, or
other identifiers. This is to allow us to contact you and schedule services.
b. Medical and Health Information (PHI): When you inquire about or receive medical
spa services (either in person or via telehealth), you may provide health-related
information. This can include your medical history, health conditions, treatment or
therapy information, photos of treatment areas, and any other health information you
share with us. If you use our telehealth services, any information you communicate
during those sessions (such as symptoms, lab results, or images you share) is considered
part of your medical record and PHI.
c. Appointment and Treatment Information: Through our online booking platform or
patient intake forms, we collect information necessary to schedule and administer your
treatments. This may include the specific services you are interested in (e.g., Botox,
TRT), appointment dates and times, and preferences. We also keep records of the
treatments and services you receive at Glitzy for continuity of care and compliance
purposes.
d. Payment Information: If you purchase services or place a deposit online, we (or our
third-party payment processor) may collect payment details such as credit card
information. We do not store full credit card numbers on our servers; payments are
processed via secure, PCI-compliant services.
e. Telehealth Session Data: If you engage in a telehealth consultation, we may collect
audiovisual data (e.g., video or audio recordings or transcripts of the session) only if
necessary and with your consent. By default, we do not record telehealth video
sessions unless explicitly informed. However, notes taken by our providers during
telehealth (or in-person) visits become part of your health record.
f. Other Communications: If you contact us by email, phone, or text, we may keep a
record of that correspondence, which could include personal and health information you
choose to share. This helps us respond to your inquiries and improve our services.
2. Information Collected Automatically
a. Cookies and Similar Technologies: When you visit our website, we use “cookies” and
similar tracking technologies to enhance your experience. Cookies are small text files
stored on your device that help websites remember your preferences and recognize you
on return visits. For example, we may use cookies to remember that you’ve filled out a
form so you don’t have to re-enter information, or to keep you logged into a patient portal
if applicable. We also utilize cookies and tracking scripts to collect information about
how you use our site, such as which pages you visited and what links you clicked. This
data helps us understand user interests and improve site functionality. (See “Cookies and
Tracking Technologies” below for more details.)
b. Analytics Data: We use third-party analytics tools (such as Google Analytics) that
automatically collect technical data about your browsing. This includes your IP address,
browser type, device type, operating system, referring website, pages viewed, and the
dates/times of your visits. These analytics tools use cookies or other identifiers to
generate aggregate statistics (for instance, to tell us how many users visit a certain page
and how they found our site). This information is generally not used to identify you
individually, but if you are logged into our site or provide info, it may be linked to you.
We use this data to understand website traffic and improve our content and layout.
c. Online Advertising Identifiers: We do not currently sell your data to advertisers.
However, we may use services like Google or Facebook for advertising our services.
Those platforms might use cookies or pixels on our site to track when you visit, in order
to show you Glitzy advertisements on other sites. Any such tracking is subject to your
consent for cookies (where required by law), and you can opt out as described below.
d. Device and Network Information: When you use our telehealth platform or fill forms,
our systems may log information about your device (e.g., whether you’re using a
smartphone or computer, which browser or app version) and network (e.g., IP address
and approximate geolocation, internet provider). We use this to ensure compatibility and
security (for example, to detect suspicious login attempts).
3. Information from Third Parties
In some cases, we may receive information about you from third-party sources that are helping
us provide services to you:
a. If another healthcare provider (like your primary care physician or a specialist) shares
your medical information with us for coordination of care, we will treat that information
as PHI under HIPAA.
b. If a friend or family member purchases a gift card or refers you to us, they might provide
your name and contact details. We will use that information only for the purpose it was
provided (e.g., to deliver the gift card or referral benefit).
c. We use a third-party CRM (Customer Relationship Management) platform for
scheduling appointments and facilitating telehealth sessions. When you book an
appointment online or attend a telehealth visit, the information entered is stored in that
CRM system (see Third-Party Service Providers below). We may receive notifications
or data exports from the CRM to our internal systems. All such data is handled as
described in this Policy.
We will not collect personally identifiable information (including health information) unless you
voluntarily provide it to us or it is collected automatically as described. You may choose not to
provide certain information (for example, you can browse our website without revealing who
you are), but then you might not be able to use some services like online booking or telehealth.

How We Use Your Information
We use the information we collect for various purposes related to our operations as a medical spa
and the maintenance of our website. The use of Protected Health Information (PHI) is
specifically governed by HIPAA, which means we only use and disclose your health information
as permitted or required by law. The use of other personal information (such as data collected by
cookies) is governed by this privacy policy and applicable consumer privacy laws.
1. Use of PHI for Treatment, Payment, and Health Care Operations (TPO): Under HIPAA,
we may use and disclose your PHI without your explicit authorization for purposes of treatment,
payment, and health care operations:
a. Treatment: We use your health information to provide and coordinate your care. For
example, our providers and staff review your medical history and treatment records to
decide the best course of treatment for services like TRT or laser therapy. We may also
share relevant PHI with other healthcare professionals for consultation or referral if
needed (e.g., discussing lab results with a collaborating physician or referring you to a
specialist).
b. Payment: We may use and disclose PHI to obtain payment for the services we provide.
For instance, if you use insurance (in the event our services are covered) or health
spending accounts, we might need to share certain information with your health plan to
process claims or get pre-approval for a procedure. We may also use your information to
bill you or send invoices, and to collect outstanding payments.
c. Health Care Operations: We use PHI for our internal operations to ensure we continue
to provide quality care. This includes activities like quality assessment, employee
training, credentialing of practitioners, medical reviews, auditing functions, compliance
monitoring, and customer service. For example, we might review records to evaluate the
performance of our staff or to determine what services are of most interest to patients. We
may anonymize or de-identify your information and aggregate it with others’ data to
analyze trends (e.g., the percentage of patients interested in weight loss treatments).
2. Other Uses and Disclosures of PHI without Authorization: In addition to TPO, HIPAA and
state law allow or require us to use/disclose PHI in certain other circumstances without your
written authorization. Glitzy will only disclose the minimum necessary information and only as
permitted by law. Such situations may include:
- Public Health and Safety: We might disclose PHI to public health authorities for
reasons such as controlling disease outbreaks, reporting adverse reactions to medications,
or notifying people of product recalls. We may also share information as needed to report
communicable diseases or infections as required by law.
- Required by Law: If federal, state, or local law requires us to disclose PHI, we will
comply. For example, we must report certain wounds or injuries, or respond to a court
order or subpoena that meets legal requirements.
- Law Enforcement and Legal Proceedings: We may disclose PHI to law enforcement
officials in specific circumstances, such as to comply with a warrant, court order, or
subpoena, or to report a crime that happened on our premises. We will only do so as
allowed under HIPAA and Colorado law. Similarly, if we are involved in a lawsuit or
legal dispute, we may be required to disclose PHI in response to a court or administrative
order.
- Abuse, Neglect, or Domestic Violence: We are required by law to report suspected cases
of child abuse or neglect, or abuse of vulnerable adults (like elders), to appropriate
authorities. We will provide only the information necessary for the report.
- Health Oversight Activities: Regulatory agencies may require PHI for oversight
activities such as audits, inspections, and licensure actions. For example, the Colorado
Department of Regulatory Agencies or the U.S. Department of Health and Human
Services (HHS) may access records to ensure we comply with health care laws.
- Serious Threats to Health or Safety: If we believe in good faith that disclosing PHI is
necessary to prevent or lessen a serious and imminent threat to a person’s or the public’s
health or safety, we may share information with someone able to prevent the threat (such
as law enforcement or the potential victim). This would be done in accordance with the
law and ethical standards.
- Coroners, Medical Examiners, and Funeral Directors: We may disclose PHI to a
coroner or medical examiner for purposes of identifying a deceased person or
determining a cause of death, or to funeral directors as necessary for them to carry out
their duties, consistent with law.
- Organ or Tissue Donation: If you are an organ donor, we may release PHI to
organizations involved in procuring or transplanting organs and tissues, as permitted by
law.
- Workers’ Compensation: We can release PHI as authorized by and to the extent
necessary to comply with laws relating to workers’ compensation or similar programs,
which provide benefits for work-related injuries or illness.
- Research: We will generally seek your authorization for use of PHI in research.
However, we may use or disclose PHI for research purposes without your explicit
consent in limited cases where approved by an Institutional Review Board or privacy
board under HIPAA’s rules (for example, if the PHI is needed to prepare a research
protocol and will not leave our premises, or if it’s for a retrospective study with minimal
risk and the board grants a waiver). Any such disclosure would be done in accordance
with law.
- Appointments and Services: We may use your contact information to remind you of
upcoming appointments or follow-up on your treatments. For example, we might call,
text, or email you to remind you of an appointment or to tell you about rescheduling or
preparation instructions. We may also contact you with information about treatment
alternatives or other health-related services that may be of interest, such as new
services we offer. You have the right to opt out of receiving certain communications (see
“Your Rights” below).
- Individuals Involved in Your Care: With your verbal permission (or if you do not
object when given the opportunity), we may share relevant PHI with a family member,
close personal friend, or caregiver who is involved in your medical care or payment for
your care. For example, if a spouse or adult child comes with you to a consultation, we
may discuss your treatment in their presence if you agree. In an emergency or if you are
incapacitated, we may share information with a person you have previously identified or,
if none, someone we determine is involved in your care, if we believe it is in your best
interest. We will only share information directly relevant to that person’s involvement.
3. Uses and Disclosures of PHI Requiring Your Authorization: For any use or disclosure of
your PHI that is not described above, we will obtain your written authorization before
proceeding. In particular, unless you give us permission, we will not use or disclose your PHI
for:
- Marketing Purposes: We will not use or share your health information for marketing
communications without your authorization, except in limited cases allowed by law (such
as face-to-face communications or promotional gifts of nominal value). If we ever were
to receive payment for using your PHI in marketing, we would disclose that to you and
obtain your explicit consent. Generally, you may receive marketing communications
from us (e.g., our newsletter or special promotions) only if you have separately opted-in
with your contact information, and you can opt-out at any time. We do not use any PHI in
those communications without consent – for example, we might send a general email
about a Botox special, but we wouldn’t specifically reference that you personally use
Botox unless you gave permission.
- Sale of PHI: We will not sell your protected health information. “Sale” of PHI
(exchanging it for remuneration) is prohibited without your authorization under HIPAA,
and we do not engage in such activities.
- Psychotherapy Notes: Although it’s unlikely we maintain psychotherapy notes (written
analyses by a mental health professional separate from the medical record) in our spa
setting, any such notes are given special privacy protections. We would not use or
disclose psychotherapy notes without your written authorization except as allowed by law
(e.g., for certain treatment by the note-taker, or in legal defense of a claim by you).
- Other Uses: Any other uses or disclosures of your health information not covered in this
Policy will be made only with your written authorization. If you do provide us an
authorization for some purpose, you can later revoke it in writing at any time, and we will
stop the future use/disclosure of your PHI for that purpose. (Note that we cannot undo
any actions we took in reliance on your authorization before you revoked it.)
4. Use of Personal Information (Non-PHI): We also use personal information that is not PHI
(for example, information collected via cookies or when you’re browsing our site and not
entering health data) for the following purposes:
- To Provide and Improve Our Website Services: We use usage data and feedback to
troubleshoot technical issues, analyze how users navigate our site, and improve design
and content. This helps us create a better user experience. For instance, knowing which
pages are most visited or if certain online forms are confusing allows us to make
improvements.
- To Respond to Inquiries: If you submit a question through our website or request
information about a service, we use your contact details to respond to you. We will use
the information you provided (such as your email or phone and the content of your
inquiry) to address your request and provide customer support.
- Scheduling and Client Management: Personal information you provide through our
online forms or CRM system is used to schedule appointments, send confirmations and
reminders, and manage your client account. We may also use it to follow up with you
post-treatment for any aftercare or satisfaction reasons.
- Marketing Communications (With Consent): If you sign up for our mailing list or
otherwise consent, we will use your email or phone number to send you newsletters,
promotions, or alerts about new services and specials at Glitzy Medical Spa. We might
also send seasonal offers or event invitations. You can opt out of these communications at
any time by using the unsubscribe link in emails or contacting us (opting out of
marketing will not affect your ability to receive services or administrative
communications, like appointment reminders or billing statements). We do not spam and
we do not share your contact information with unrelated third parties for their own
marketing.
- Compliance and Legal Obligations: We may process personal data as necessary to
comply with applicable laws, regulations, and legal obligations that are not specifically
related to health data. For example, keeping transaction records for accounting and tax
purposes, or using personal information to verify identity if you exercise certain privacy
rights. We also use information to enforce our website’s Terms of Use, to detect and
protect against fraud or security issues, and to assert or defend against legal claims when
necessary.
- Other Business Purposes: We might use de-identified or aggregated information (which
can no longer identify you) for business analytics, research, and strategic development.
For example, calculating the percentage of website visitors from different regions of
Colorado, or determining the effectiveness of an online advertising campaign (without
using any names or individually identifiable info).
We will not use your personal information in a way that is incompatible with the purposes
described in this Policy without first obtaining your consent.
How We Disclose or Share Information
We are very careful to protect your information. We do not sell your personal information to
third parties. However, we do share certain information with others in the following
circumstances, in accordance with applicable law:
1. Disclosures of PHI (Health Information):
We will disclose your PHI only as needed for the uses described above or as otherwise
permitted/required by law. Key instances in which we may share PHI include:
- With You or Your Representatives: We can share your medical information with you,
and (upon your request and authorization) with your personal representative (such as
someone who has legal authority to make healthcare decisions for you). This includes
fulfilling your requests for copies of records or forwarding records to another provider at
your direction.
- With Our Workforce and Facilities: Your PHI will be shared internally with staff
members who need it to perform their job duties (for example, our nurses, doctors,
technicians, billing staff, and administrative personnel may all have appropriate access).
All our staff are trained on privacy and required to keep your information confidential.
- Business Associates: We may share PHI with third-party companies that perform
services for us which involve handling PHI, known as “business associates” under
HIPAA. For example, our third-party CRM and telehealth platform provider, any
cloud storage or electronic medical record system we use, our billing and payment
processing service, or an IT consultant who manages our software—these may all need
access to PHI to perform their functions. We require all business associates to sign a
Business Associate Agreement (BAA), which contractually obligates them to safeguard
your PHI to the same standards we follow and to use it only for the contracted purposes.
In other words, our business associates are not allowed to use or disclose your PHI for
their own unrelated purposes, and must notify us if your data is compromised.
- With Other Healthcare Providers: We may disclose PHI to other healthcare
professionals or facilities involved in your care, as part of treatment coordination. For
example, if we refer you to a specialist or coordinate with your primary care physician or
a lab (for blood tests related to TRT), we will share necessary information with them.
This sharing might be done electronically via a health information exchange or directly
provider-to-provider (fax, secure email, etc.), and always in a manner consistent with
privacy laws.
- Health Plans or Insurance: If applicable, we might share PHI with your health insurer
or plan for payment purposes (e.g., to get pre-authorization or to appeal a denied claim).
We will only share the minimum necessary information. Please note: Many services at a
med spa may not be covered by insurance and are paid out-of-pocket; in such cases, this
may not apply. If you pay in full for a service out-of-pocket and you request that we do
not disclose information about that service to your health plan, we will honor that request
and not share it for payment or operations with your insurer, as long as it’s not otherwise
required by law.
- Family, Friends, or Others Involved: As noted, we may share limited PHI with
individuals you have identified or who are involved in your care, with your agreement or
in situations allowed by HIPAA (e.g., if you are present and do not object, or in an
emergency). You have the right to stop or limit such disclosures—if you do, we will
comply (except if needed in a crisis as allowed).
- Legal and Safety Disclosures: We will disclose PHI to third parties such as law
enforcement, courts, public health authorities, etc., when required by law or permissible
under the special circumstances outlined in the prior section (e.g., to report a disease,
respond to a court order, avert a threat, etc.). We will make a reasonable effort to inform
you of such disclosures when required by law.
- Incidentals: We make efforts to avoid incidental disclosures, but note that certain minor
sharing might occur as an incident to an otherwise permitted use. For example, other
patients might inadvertently see or hear something during a visit (like overhearing your
name in the lobby). We use safeguards like private treatment rooms and not speaking
loudly about PHI to minimize this. Incidental disclosures are not entirely avoidable but
are permitted under HIPAA as long as reasonable safeguards are in place.
2. Disclosures of Personal Information (Non-PHI):
For personal data that is not related to your medical care (or not identifiable as PHI), we may
share such information in these ways:
- Service Providers: We use third-party companies to assist in operating our website and
business, and we may give them access to personal information as needed. For example,
we may use an email service provider to send out our newsletters, a cloud hosting
provider to store our website data, an analytics provider (like Google) to analyze site
traffic, or a scheduling software company (our CRM) to manage appointments. These
providers might process personal information on our behalf (such as your name and email
for email campaigns, or your IP and browsing info for analytics). We ensure that any
service providers handling personal data are obligated to protect it and use it only for
providing services to Glitzy.
- Analytics and Advertising Partners: As described, we use Google Analytics and
similar tools. These tools set their own cookies to collect usage data. We may share
certain identifiers or segments with advertising platforms (for instance, to create a custom
audience of people who have visited our site, so that we can advertise to them). However,
we do not disclose your identity to these analytics or advertising partners; they generally
collect information under their own policies. You can opt out of many analytics and
advertising cookies as explained in Cookies below.
- Legal Compliance and Protection: If we need to disclose personal information to
comply with a legal obligation (outside of PHI contexts) or to protect our rights, we will
do so. For example, providing information to a tax auditor, or disclosing data to law
enforcement if our website is used for fraudulent activity. We may also share information
as necessary to detect, prevent, or address fraud, security, or technical issues.
- Business Transactions: If Glitzy Medical Spa is involved in a merger, acquisition, asset
sale, financing, or transfer of some or all of our business to another company, personal
information (including PHI if applicable, in accordance with law) may be transferred to
the successor organization as part of that transaction. In such an event, we would ensure
the recipient agrees to protect your information in a manner consistent with this Policy
(and of course PHI would still be protected under HIPAA by the acquiring entity). You
would be notified via a prominent notice on our website or by email of any change in
ownership or uses of your personal information.
- With Your Consent: Apart from the scenarios above, if you request or consent to us
sharing information with a third party (for example, if you ask us to share your
testimonial or to send your information to a family doctor), we will do so with your
authorization.
3. Cookies and Tracking Technologies (Detailed Section)
Our use of cookies and similar technologies may involve sharing some information with third-
party providers (like those who provide analytics or advertising as noted). See the next section
for details on what cookies we use and how data is shared.
Importantly, we do not sell or rent your personal information to outside parties for their
own marketing. We also do not share any PHI with third parties for purposes unrelated to your
care, payment, our operations, or the specific circumstances allowed by law. Any third party that
gets access to PHI is under strict contractual obligations to keep it confidential. Any third party
that gets personal data (not PHI) for processing is similarly bound by confidentiality where
appropriate.
Cookies and Tracking Technologies
As mentioned, our website uses cookies and similar technologies to improve user experience and
analyze usage. This section explains those practices in more detail and how you can manage your
preferences.
1. What Are Cookies?
Cookies are small text files that websites send to your computer or device to store bits of
information about your visit. Cookies can have various functions: they may be necessary for the
website to function (e.g., keeping you logged in or remembering items in a cart), or they may be
used for convenience (remembering your preferences like language or font size). They are also
used for analytics and advertising, to understand user behavior and deliver relevant content.
Cookies do not typically identify you by name, but they assign a unique identifier to your
browser. Each time you return to the site, the browser sends back that cookie, allowing the site to
recognize you.
2. Types of Cookies We Use:
- Essential Cookies: These are necessary for the basic operation of our website. For
example, if our site has a patient login area or an appointment scheduling module, the
session cookie remembers your login so you can navigate securely. Without these
cookies, some site functionalities may not work. Because they are necessary, they are
always active.
- Preference Cookies: These cookies remember choices you have made on our site to
provide a more personalized experience. For instance, if you select a location or fill a
form partially, a cookie might save your inputs so you don’t have to retype information
when you come back.
- Analytics/Performance Cookies: We use these to collect information about how visitors
interact with our site. For example, Google Analytics cookies allow us to see aggregate
data such as how many people visited each page, how long they stayed, and what website
referred them. The information collected is generally anonymous (e.g., we see that “a
user on a Chrome browser in Denver visited the Laser Treatments page at 3pm”), but if
you are logged in or fill a form, it might be associated with you. We use this data to
improve site content and performance.
- Advertising and Social Media Cookies: Currently, we might use advertising pixels (like
Facebook Pixel or Google Ads cookies) that help us with marketing. These cookies
collect information about your browsing habits on our site and potentially elsewhere, to
show you targeted ads. For example, if you visit our TRT service page, you might later
see an ad for our clinic on Facebook (because a cookie told Facebook you visited our
site). We also have social media plugins (like an Instagram feed or Facebook link) that
might set cookies if you interact with them. These cookies are used only with your
consent where required, and you can opt out as described below. We do not share PHI
through these cookies—only general website usage data.
3. Why We Use Cookies:
We use cookies to:
• Understand and save your preferences for future visits (so the site can be tailored to you).
• Keep track of advertisements or campaigns effectiveness (so we know if our Google or
Facebook ads are bringing people to the site).
• Compile aggregate data about site traffic and interactions to improve our site in the future.
For example, cookies tell us which pages are popular or if certain pages have high error
rates. We can then fix problems or enhance content.
• Facilitate scheduling and security. If our scheduling system is embedded on the site,
cookies help maintain your session. Similarly, cookies can help us identify suspicious
activity (like a rapid barrage of page requests) for security purposes.
4. Other Tracking Technologies:
In addition to cookies, we may use web beacons or pixels. These are tiny graphic images or
lines of code placed on pages or emails that track when they are viewed. For instance, we might
include a pixel in an email newsletter to know if you opened it. This helps us gauge engagement.
Our website might also use log files that record events (like errors or page loads) and device
fingerprinting, which is a way of recognizing a device by its settings. These technologies often
work in conjunction with cookies to gather analytics data.
5. Your Choices for Cookies:
When you first visit our site, you may see a cookie banner or pop-up allowing you to consent to
or manage non-essential cookies. You can adjust your preferences there. Additionally, most web
browsers allow you to control cookies through their settings. You can set your browser to notify
you when cookies are being used, to refuse all cookies, or to delete cookies periodically. Please
note that if you disable cookies, some features of our website may not function properly – for
example, you might not be able to book appointments online or the site may not remember your
preferences.

If you want to opt out of Google Analytics, Google provides an opt-out browser add-on. For
interest-based advertising, you can often opt out via industry sites like the Digital Advertising
Alliance (DAA) or Network Advertising Initiative (NAI) websites. Opting out does not mean
you will no longer see ads, but the ads may be less relevant to your interests.
6. Do Not Track Signals:
“Do Not Track” (DNT) is a setting in some browsers that signals a preference not to be tracked
across websites. There is currently no industry standard as to how to interpret DNT signals, and
our site does not respond differently to browsers with DNT enabled. We will still deploy cookies
as described (unless you opt out or block them manually). However, you can always adjust
cookie settings as noted above. We will update our practices if an official standard for DNT is
established in the future.
By using our site without disabling cookies, you consent to our use of cookies and similar
technologies as described here. You can change your cookie settings at any time.
Data Security and Protection
Glitzy Medical Spa takes the security of your personal and health information very seriously. We
have implemented a variety of administrative, physical, and technical safeguards to protect
against unauthorized access, use, alteration, or destruction of the information we hold. Under the
HIPAA Security Rule, we are required to ensure the confidentiality, integrity, and availability of
electronic PHI by using reasonable and appropriate security measures.
1. Technical Safeguards: We use encryption and secure protocols to protect data. For example,
our website and patient portal (if applicable) are secured with HTTPS, meaning data transmitted
between your browser and our site is encrypted. Sensitive information (like medical data or login
credentials) is stored in secure systems that require authentication and are encrypted at rest where
possible. If we maintain electronic medical records or customer data in the cloud, those systems
are protected by firewalls, encryption, and access controls. We regularly update our software and
apply security patches to guard against vulnerabilities. We also utilize anti-malware and
anti-virus tools to prevent malicious attacks.
2. Administrative Safeguards: We have internal policies and training for our staff to ensure
they handle your information properly. Only authorized personnel with a legitimate “need to
know” are permitted to access PHI or sensitive personal data. Our employees and contractors
receive training on patient privacy, HIPAA requirements, and cybersecurity practices. We have a
designated Privacy Officer (and/or Security Officer) responsible for overseeing HIPAA
compliance and data protection efforts. We conduct risk assessments and have procedures for
identifying and managing security incidents.
3. Physical Safeguards: Access to our facilities and systems is controlled. For any physical
records (like paper forms you might fill on-site) or printed medical records, we keep them in
secure areas (locked cabinets or offices) when not in use. Our computers and devices are
password-protected and often encrypted. If we use portable devices (like laptops or tablets for
telehealth), we ensure they have appropriate security and are not left unattended. Our offices
have measures to prevent unauthorized entry into areas where sensitive information is stored.
4. Third-Party Security: When we use third-party service providers (business associates) to
store or process data (such as our CRM, telehealth platform, or cloud host), we vet their security
practices. We enter into Business Associate Agreements requiring them to implement safeguards
to protect PHI. For non-PHI data processors, we also require contractual assurances of data
protection. We strive to choose reputable vendors with strong security certifications or standards
(for example, data centers with SOC 2 or ISO 27001 certification, or software providers who are
HIPAA-compliant).
5. Data Retention and Disposal: We retain your personal information and medical records for
as long as necessary to fulfill the purposes for which it was collected and to comply with legal
requirements. Under Colorado and federal regulations, medical records are generally kept for a
minimum period (often at least 7 years for adult patients, or longer for minors). We follow
applicable guidelines to retain PHI for at least the minimum required period. When records or
data are no longer needed and past any required retention period, we will dispose of them
securely. For electronic data, secure deletion or destruction methods are used (e.g., wiping
drives, deleting database entries in a manner that prevents recovery). Paper records are shredded
or incinerated. We also have policies for secure disposal of devices or media that may contain
PHI.
6. Breach Notification: Despite all safeguards, no system is completely foolproof. In the
unlikely event that a security breach occurs that compromises the privacy or security of your PHI
or sensitive personal data, we will notify you as soon as reasonably possible and as required by
law. HIPAA and Colorado law may require us to send notices to affected individuals (and
regulators) within a certain timeframe if certain criteria are met. We will follow all relevant
breach notification laws, which generally include providing details of what happened, what
information was involved, steps we are taking in response, and recommendations for you to
protect yourself. We will also investigate the incident thoroughly and take appropriate remedial
measures to prevent future occurrences.
While we strive to protect your data, it’s important to remember that no method of transmission
over the Internet or method of electronic storage is 100% secure. We cannot guarantee
absolute security. It is also important for you to play a role: for example, keep your portal login
credentials confidential, be cautious about what information you send via email (we recommend
using our secure messaging or portal for any sensitive info), and alert us if you suspect any
unauthorized activity related to your information.
If you have reason to believe that your interaction with us or your information is no longer
secure (for instance, if you feel your account has been compromised), please immediately
contact us using the information in the Contact section below.
Your Privacy Rights

As a patient or consumer, you have important rights regarding your personal and health
information. We want you to be aware of these rights and how to exercise them. Below, we
outline your rights under HIPAA (for your protected health information) and under Colorado
state law (for personal data that may not be covered by HIPAA). We will honor all applicable
rights to the fullest extent of the law.
Your Rights Under HIPAA (Health Information Privacy)
Under federal law (the HIPAA Privacy Rule), you have specific rights with respect to your
protected health information:
• Right to Access and Obtain a Copy of Your PHI: You have the right to inspect and get
a copy of the medical and billing records that we maintain about you. This includes
records of your treatments and any other information used to make decisions about your
care. You may request an electronic copy of your records, and if we maintain them
electronically (which we do in many cases), we will provide them in a commonly used
electronic format if you prefer. To exercise this right, you can submit a written request to
us (see Contact section). We will respond within the time frame required by law
(generally 30 days, with one possible 30-day extension under HIPAA). We may charge a
reasonable, cost-based fee for copying and mailing the records, or for an agreed-upon
summary of the records, in accordance with HIPAA and Colorado law. In rare cases, we
may deny your request to inspect or copy in part or in full (for example, if a licensed
health professional determines that seeing the records would endanger you or someone
else). If we deny access, we will provide you a written explanation and let you know if
you have the right to have the denial reviewed by an independent professional.
• Right to Request an Amendment: If you believe that any health information we have
about you is incorrect or incomplete, you have the right to request that we amend (correct
or add to) the information. Your request must be in writing and provide a reason to
support the amendment. We will review your request and usually respond within 60 days.
If we agree, we will amend the information in our records and notify you. If we deny
your request (for example, if we determine the record is accurate and complete, or we did
not create the information), we will give you a written denial explaining the reason. You
have the right to submit a statement of disagreement, which we will keep with your
records. Note that even if we amend, we generally will not erase the original record; we
will mark it as amended.
• Right to an Accounting of Disclosures: You have the right to request a list (an
“accounting”) of certain disclosures of your PHI that we have made to third parties in the
past up to six years, counting from the date of your request. This accounting will not
include disclosures made for treatment, payment, or healthcare operations, and certain
other disclosures (for example, you won’t get an accounting of disclosures you authorized
or disclosures made directly to you, among other exceptions). But it would include, for
instance, a disclosure required by law or a report to a public health agency. If you request
an accounting more than once in a 12-month period, we may charge a reasonable cost-
based fee for additional requests. We will inform you of any fee in advance and give you
a chance to withdraw or modify the request if needed.
• Right to Request Restrictions: You have the right to ask us to limit the use or disclosure
of your PHI for treatment, payment, or healthcare operations. You may also request that
we limit the PHI we disclose to someone involved in your care or payment, like a family
member. While we will consider all requests, in general we are not required to agree to a
restriction, except in one situation described below. If we do agree to a restriction, we
will comply with it unless the information is needed to provide you emergency treatment
or as otherwise required by law.
o Special Restriction – Self-Pay: If you pay for a service in full out-of-pocket (not
billing any insurance) and you request that we do not disclose information about
that specific service to your health insurer, we must honor that request, as long as
the disclosure is not otherwise required by law. This is a right under
HIPAA/HITECH. You must make this request before or at the time of service (so
we know not to bill insurance), and you must pay in full. We will then flag that
information and not share it with your insurer.
To request any restriction, please contact us in writing with details of what
information you want to restrict and to whom the restriction applies.
• Right to Request Confidential Communications: You have the right to request that we
contact you in a certain way or at a certain location to preserve confidentiality. For
example, you might ask us to only contact you via email and not call, or to send mail to a
P.O. box instead of your home address. We will accommodate reasonable requests. You
do not have to give a reason, but your request must specify how or where you wish to be
contacted. If a method is impractical, we might reach out to arrange an alternative. We
aim to honor all reasonable accommodations to protect your privacy.
• Right to a Paper Copy of This Notice: You have the right to obtain a paper (or
electronic) copy of our HIPAA Notice of Privacy Practices at any time, even if you have
agreed to receive the privacy policy electronically. You may request a copy in person at
our location or by contacting us (and we will mail it). This Privacy Policy (which
includes the Notice content) is also available on our website for your reference. If you
would like a separate stand-alone HIPAA Notice document, we can provide that as well.
• Right to Notification of a Breach: Although not usually listed in the standard “rights”
section, we want you to know that you have the right to be informed in case your
unsecured PHI is ever compromised due to a data breach. We are required by law to
notify you without unreasonable delay, and no later than 60 days from discovery, in the
event of a breach of your PHI that compromises its security or privacy. (As noted in the
Data Security section, we would provide you with information and steps to take, etc., per
HIPAA and Colorado requirements.)
We will not retaliate against you for exercising any of these rights. For instance, we will still
treat you and provide services even if you’ve filed a privacy complaint or requested restrictions.
To exercise any HIPAA privacy right, please see “Exercising Your Rights / Contact Us” below
for instructions on how to submit a request.
Your Rights Under Colorado Law (Personal Data)

Colorado’s privacy laws, including the Colorado Privacy Act (CPA), grant Colorado residents
certain rights over their personal data that is not otherwise governed by HIPAA. While much of
the health-related information we handle is exempt from the CPA because it is PHI under HIPAA,
we still strive to extend privacy rights to all personal information we hold. If you are a Colorado
resident, the following rights may apply to personal data we process about you in contexts such
as marketing, website usage, or other consumer interactions (essentially, data not covered as
medical records by HIPAA):
• Right to Access: You have the right to confirm whether we are processing your personal
data and to access that data. In practice, this is similar to the HIPAA access right, but it
can also cover information like what personal details we have in our marketing database
or website logs about you. Upon request, we will provide you with a copy of the personal
data we have collected about you, in a readily usable format (often electronic). This
allows you to understand what information we have. (For PHI, we would provide access
as described under HIPAA; for other personal data, CPA gives a similar access right.)
• Right to Correction: You have the right to request that we correct inaccuracies in your
personal data, taking into account the nature of the data and the purposes of processing.
If you find that, for example, your contact information or other details we have are
incorrect, you can ask us to update them. For PHI, the analogous right is the HIPAA
amendment right discussed above. For non-PHI data, we will correct factual errors upon
verification. Some data (like opinions in a record) may not be subject to objective
correction, but we’ll work with you to make sure data is as accurate as possible.
• Right to Deletion: You have the right to request deletion of personal data that we have
collected from or about you. This is subject to certain exceptions – for instance, we
cannot delete data that we are required to maintain by law or that is necessary for us to
provide you services. Medical records, for example, we generally must retain for a period
of time and cannot simply erase upon request due to legal requirements and patient safety
considerations. However, if you provided personal information through our website (say
you subscribed to a newsletter or made an inquiry) and you want it removed, you can ask
us to delete that information. We will honor deletion requests for any data we are not
obligated to keep. If an exception applies (for example, we need the data to complete a
transaction you requested, or to exercise or defend legal claims, or the data is PHI we
must retain), we will let you know. Otherwise, we will delete the requested personal data
from our active systems and inform you when completed. (Backups and archival copies
may not be immediately deleted but will be purged in the normal course per our retention
policy.)
• Right to Data Portability: Colorado law gives you the right to obtain your personal data
in a portable and, to the extent technically feasible, readily usable format that allows you
to transmit the data to another entity if desired. For example, if you wanted to take
information you provided to us and provide it to another service, you can request it in a
common format (like CSV or JSON file). For your medical records, HIPAA also supports
getting electronic copies which you could then give to another provider. For other data,
we will work with you to provide an appropriate export of information.
• Right to Opt Out of Certain Processing: You have the right to opt out of specific types
of data processing, namely: (a) the sale of personal data, (b) use of personal data for
targeted advertising, and (c) profiling in furtherance of decisions that produce legal or
similarly significant effects.
o Sale of Personal Data: As noted, we do not sell your data in exchange for
money. The Colorado Privacy Act defines “sale” broadly to include some sharing
of data for valuable consideration. We do not share your personal data with third
parties for their own independent marketing or commercial purposes.
Nevertheless, you have the right to direct us to not sell your personal data. We
honor that by default – we don’t engage in selling. If you have any concerns about
particular data transfers, please let us know.
o Targeted Advertising: If we participate in targeted advertising (for example,
using cookies to show you ads on other sites), you can opt out of this. Practically,
you can do so by rejecting advertising cookies on our site (through the cookie
banner or your browser settings). You can also send us an opt-out request and we
will ensure your data is not used for targeted advertising. Note that you might still
see generic ads from us, but they wouldn’t be tailored using your personal data
from our site.
o Profiling: We do not engage in any profiling that produces legal or similarly
significant effects (such as credit worthiness, employment decisions, etc.) with
your data. Med spas do not typically do that. So this is likely not applicable.
Regardless, if it were, you could opt out.
• Right to Non-Discrimination: Though not explicitly called out in Colorado’s CPA in the
same way as California’s law, we will not discriminate against you for exercising any
of these privacy rights. That means we won’t deny you our services or charge you
different prices just because you made a privacy request or opted out of something. Your
quality of care and access to our services will remain the same.
Please note: If an exclusion or exemption under Colorado law or other law applies to your
request, we will explain that to you. For example, as mentioned, if the data is PHI under HIPAA,
HIPAA’s rules (not the CPA) govern our handling of that data. In many cases, that means your
request might be handled under the HIPAA framework. We will, however, attempt to honor the
spirit of all requests to the extent feasible and allowed.
Exercising Your Rights and Submitting Requests
To exercise any of your rights described above, or to inquire about your information, you
may contact us using the information provided in the “Contact Us” section at the end of
this Policy. For rights like access, correction, deletion, or an accounting, we may require you to
submit a written request for our records. We will respond within the timeframe required by
applicable law (for Colorado CPA requests, generally within 45 days of receiving a valid
request, with the possibility of a 45-day extension; for HIPAA, generally 30 days with a possible
30-day extension, depending on the right). If we need an extension, we will inform you of the
reason and the length of the extension in writing.

When you submit a request, for your security, we will need to verify your identity before
processing it. This may involve checking information we have on file (for example, verifying
your name, email, phone number, or asking for a piece of identification) to ensure that the person
making the request is indeed you or your authorized representative. Authorized representatives
(like someone holding power of attorney or a legal guardian) must provide proof of authority.
For Colorado residents: If you make a request under CPA and are dissatisfied with our decision
(for example, if we deny it based on an exemption), you may have the right to appeal our
decision. We will provide instructions in our response on how to submit an appeal. Typically, you
can contact us again expressing that you are appealing our decision, and we will have a
designated person review the issue. If after appeal you are still not satisfied, you can contact the
Colorado Attorney General’s office. We will inform you of that process if it occurs.
We do not usually charge a fee for handling a request. However, if requests become excessive or
manifestly unfounded (as defined by law), we may charge a reasonable fee or refuse to act on the
request. But our aim is to be transparent and helpful, so we will work with you to fulfill your
requests whenever possible.
Third-Party Service Providers and Business Associates
Glitzy Medical Spa utilizes certain third-party platforms and service providers to support our
operations, including the management of appointments, telehealth sessions, communications, and
other services. We want to be transparent about these relationships because they involve sharing
and storing your information on external systems.
1. Appointment Scheduling and CRM Platform: We use a third-party Customer
Relationship Management (CRM) system to handle online appointment bookings, patient
scheduling, and record-keeping for our spa services. When you book an appointment through our
website or patient portal, the information you provide (contact details, appointment date/time,
selected service, etc.) is entered into this platform. This platform may also facilitate telehealth
sessions (for example, it might have a video conferencing feature for remote consultations). The
CRM platform is a cloud-based service provided by a reputable vendor. As a Business Associate
under HIPAA, this vendor is contractually obligated to protect your PHI with appropriate
security measures and to use it only for purposes of providing services to Glitzy. We have a
Business Associate Agreement in place, and the platform employs industry-standard security
(such as encryption and access controls). Your data in the CRM is accessible to our staff through
secure logins. The benefit of using this system is that it streamlines your experience (allowing
online booking and telehealth) while keeping your data organized and secure. If you have any
questions about the specific platform we use, we can provide more information upon request.
2. Telehealth Services: For remote consultations or follow-ups, we may use a telehealth video
conferencing tool that could be integrated with our CRM or separate. This could be a service like
Zoom for Healthcare, Doxy.me, JaneApp, or other HIPAA-compliant telemedicine solution.
These services ensure that video and audio communications are encrypted end-to-end, meaning
nobody can eavesdrop on the call. They also typically do not store the content of your sessions
(unless we were to record with permission, which we normally do not do). The telehealth
provider is also a Business Associate and is required to safeguard any PHI that passes through
their system. We will give you instructions on how to use the telehealth platform before your
session. Important: To maintain privacy on telehealth, we advise you to join the session from a
private location (e.g., your home or an office with the door closed) and use a secure internet
connection. We also verify your identity at the start of each telehealth session to ensure we are
speaking with the correct patient.
3. Electronic Communications and Records: We may use third-party email or text messaging
services to communicate with you (for appointment reminders, for example). We try to use
secure messaging when sending any sensitive information. However, standard email and texts
are not fully secure. By providing us with your email or phone and requesting us to communicate
with you in that way, you acknowledge the risk. We will limit sensitive details in unencrypted
messages (for instance, an email reminder might say “You have an appointment tomorrow at
3pm” but not include detailed medical info). If you prefer not to be contacted by email or text,
you can request confidential communications by alternative means (as described in your rights).
4. Payment Processing: If you pay for services via credit card on our website or in the office,
payments may be processed by a third-party payment gateway (such as Stripe, Square, etc.).
Those payment processors specialize in secure transactions and may collect payment data
directly to process the payment. We do not store full payment card details on our site. The
payment processors are PCI-DSS compliant and use encryption. They will only use your
payment information to process transactions you’ve authorized and for compliance/audit
purposes.
5. Other Vendors: We might also use other vendors for things like sending out newsletters (e.g.,
MailChimp or Constant Contact for email distribution), running promotional campaigns,
maintaining our IT infrastructure, or consulting services. Whenever these vendors might come
into contact with personal data or PHI, we ensure they are under appropriate contractual
obligations. For instance, an IT support firm that might occasionally need to access our systems
to troubleshoot would sign a Business Associate Agreement if PHI is involved, or a
confidentiality agreement for any personal data.
In all cases, we do not allow our third-party providers to use your information for their own
purposes. They act on our instructions. If any provider has terms of use or a privacy policy of
their own that is relevant (for example, if you interact directly with our scheduling widget that is
powered by a third party, that third party’s privacy statement might be applicable in addition to
ours), we will make that available or you can find it via links on the scheduling page.
We want you to feel confident that the tools and platforms we use are chosen with privacy and
security in mind. If you have questions about any particular third-party service we use, please
reach out to us.
Children’s Privacy

Our services and website are not primarily directed to children under the age of 13. Glitzy
Medical Spa does treat adolescent patients in some cases (for example, certain treatments for
teens may be offered with parental consent), but we do not seek to collect personal information
online from anyone under 13 without parental or guardian consent. If you are a minor (under 18),
you should only use our website and provide personal information with involvement of a parent
or guardian. If we become aware that we have inadvertently received personal information from
a child under 13 through our website without proper consent, we will delete that information.
Parents or guardians who believe we might have any information from or about a child under 13
may contact us to request removal.
For minors who are patients: There are specific privacy protections under HIPAA and Colorado
law regarding minors’ health information (especially for certain types of sensitive services). We
adhere to those laws and obtain appropriate permissions from parents or as allowed by law for
minors’ treatments. Any information collected about minors in the course of providing services
is handled with the same care as adult information, and with additional attention to parental
rights or minor consent rights as applicable.
Changes to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices,
technology, legal requirements, or for other reasons. We reserve the right to change the terms of
this Policy at any time. If we make material changes, we will notify users by posting a prominent
notice on our website (for example, via a banner or pop-up) and updating the effective date at the
top of the Policy. In some cases, especially if changes significantly affect how we handle PHI,
we may also provide notice through other means, such as email or a notice in our office.
Any changes will become effective when we post the revised Policy on our website. The new
terms will apply to all current and past data we have, as well as future information, except as
may be limited by applicable law. However, we will not use your personal information or PHI in
a materially new way without first providing you an opportunity to consent if required by law.
For example, if we ever decided to participate in a new data sharing program not covered by this
Policy, we would update the Policy and obtain any necessary authorizations.
We encourage you to review this Privacy Policy periodically to stay informed about how we are
protecting your information. Your continued use of our website or services after any update
constitutes your acknowledgment of the changes and agreement to the updated policy.
If you would like a copy of this Policy or any past version, you may contact us at any time. We
can provide a PDF or printed copy for your records.
Contact Us (Questions, Concerns, or Requests)

If you have any questions about this Privacy Policy or our privacy practices, or if you need to
contact us for any reason related to your information (to exercise your rights, file a complaint,
etc.), please reach out to us:
Glitzy Medical Spa – Privacy Officer
Address: 2871 N Speer Blvd, Denver, CO 80211 (USA)
Phone: (303) 981-4485
Email: brandi@glitzymedspa.com
(This contact information is for privacy inquiries only. For general inquiries or appointments,
please use our main contact information as listed on our website.)
You may contact our Privacy Officer with questions or to request access/amendment/deletion of
your data, etc. We will respond as promptly as possible.
Complaints: If you believe your privacy rights have been violated, you have the right to file a
complaint. You can file a complaint with us by contacting our Privacy Officer at the
address/phone/email above. Please provide details of your concern so we can investigate
thoroughly. We take all privacy complaints seriously and will not retaliate against you for filing a
complaint.
Additionally, you can file a complaint with the U.S. Department of Health and Human Services,
Office for Civil Rights (OCR). You can find information on how to do so on the HHS website or
by contacting:
Office for Civil Rights, U.S. Department of Health & Human Services
999 18th Street, Suite 417, Denver, CO 80202 (for example, the regional office)
Phone: (800) 368-1019 | TDD: (800) 537-7697
Website: hhs.gov/ocr – Online Complaint Portal.

If your concern pertains to your rights under Colorado law (such as a Colorado Privacy Act
issue), and you are not satisfied after contacting us, you may reach out to the Colorado Attorney
General’s Office. They oversee consumer privacy rights under the CPA. The Colorado
Department of Law (Attorney General) can be contacted at:
Colorado Department of Law, Consumer Protection Section
1300 Broadway, 10th Floor, Denver, CO 80203
Website: coag.gov (see Privacy or Consumer Complaint sections).

We welcome the opportunity to address any concerns directly and ask that you first reach out to
us so we can assist you. Your privacy is extremely important to us, and we want to ensure you
feel safe and respected in all your interactions with Glitzy Medical Spa.
Thank you for trusting Glitzy Medical Spa with your care and your information. We are
dedicated to safeguarding your privacy while providing you with high-quality medical spa
services.