Privacy Policy

Last updated: March 7, 2026

Overview

RecallMD (“we”, “us”, “our”) provides automated client recovery tools for med spas. This policy explains what data we collect, how we use it, and your rights regarding that data. We believe in keeping things simple and transparent.

Information We Collect

We collect the following types of information:

  • Account information — your email address and password when you create an account, and your spa name and timezone during onboarding.
  • Client data — the client names, phone numbers, email addresses, visit history, and treatment records you upload or sync through your booking platform. This is your data and you control it.
  • Integration credentials — API keys for your booking platform (Vagaro, Mindbody, Jane App, or Zenoti) and messaging services (Twilio). These are encrypted at rest using AES-256-GCM encryption.
  • Billing information — payment details are processed and stored by Stripe. We never see or store your full credit card number.
  • Usage data — basic information about how you use the service, such as page views and feature usage, to help us improve the product.

How We Use Your Information

  • To provide the RecallMD service — detecting lapsed clients and sending outreach messages on your behalf.
  • To send SMS and email messages to your clients using your configured messaging credentials.
  • To process your subscription payments through Stripe.
  • To sync client data from your connected booking platform.
  • To improve and maintain the service.
  • To communicate with you about your account, service updates, or support requests.

Third-Party Services

We use the following third-party services to operate RecallMD:

  • Supabase — authentication and database hosting.
  • Twilio — SMS message delivery (using your own Twilio credentials).
  • SendGrid — email delivery.
  • Stripe — payment processing and subscription management.
  • Netlify — application hosting.

Each of these services has its own privacy policy. We encourage you to review them.

Data Security

We take reasonable measures to protect your data. All sensitive credentials (API keys, tokens) are encrypted at rest using AES-256-GCM encryption. Data is transmitted over HTTPS. Access to production systems is restricted.

HIPAA Disclaimer

RecallMD is designed with privacy in mind, but we are not a HIPAA covered entity and do not currently offer a Business Associate Agreement (BAA). The client data you upload (names, phone numbers, visit history) is used solely to power the lapse detection and outreach features. We do not store or process protected health information (PHI) such as diagnoses, medical records, or clinical notes. If HIPAA compliance is a requirement for your practice, please evaluate whether RecallMD is suitable for your use before uploading client data.

Cookies

We use minimal cookies — only what's necessary for authentication sessions. We do not use tracking cookies or third-party advertising cookies.

Data Retention & Deletion

Your data is retained for as long as your account is active. If you cancel your subscription, your data will be deleted within 30 days of account termination. You can request immediate deletion of your data at any time by contacting us.

Your Rights

You have the right to:

  • Access your data — view all client data, visit history, and message logs in your dashboard.
  • Export your data — download your client list and records.
  • Delete your data — request complete deletion of your account and all associated data.
  • Opt out — disable automated messaging at any time from your settings.

Changes to This Policy

We may update this policy from time to time. If we make significant changes, we'll notify you via email. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this privacy policy or how we handle your data, please reach out through our contact page.