SECURITY CAPABILITIES

Med Spas

Transmission of Payment & Personal Data

Last Updated: 03.11.2026.

[email protected]  | Med Spas

At Med Spas, the security of your personal, health, and payment information is a top priority. This Security Capabilities & Policy document explains the technical and organizational measures we have in place to protect your data when you interact with our website, book appointments, complete intake forms, or make payments.

We are committed to handling your information — especially sensitive health and payment data — with the highest standard of care, in line with applicable privacy laws, including HIPAA, and with PCI-DSS requirements.

1. Information We Collect & Why

When you interact with our website or book a service, we may collect the following types of information:

  • Contact details — your name, email address, phone number, and mailing address, used to confirm appointments and communicate with you about your care
  • Payment information — credit or debit card details collected at the time of booking or payment. This information is transmitted securely and is never stored on our servers (see Section 3)
  • Health and medical information — provided through our online intake forms, consultation questionnaires, or consent documents. This information is collected solely to deliver safe, personalized aesthetic treatments
  • Booking and account information — appointment history, service preferences, and any notes recorded during your care
  • Technical data — IP address, browser type, and device information collected automatically to maintain website security and performance

We collect only the information necessary to provide our services safely and effectively. We do not collect unnecessary or excessive personal data.

2. How We Protect Your Information

We implement multiple layers of technical and organizational security controls to protect your data from unauthorized access, loss, misuse, or disclosure.

Security Feature | Description | Status
SSL / TLS Encryption | All data transmitted between your browser and our website is encrypted using TLS 1.2 or higher. | Active
PCI-DSS Compliant Payments | Payment processing is handled by a PCI-DSS Level 1 compliant payment gateway. Card data is never stored on our servers. | Active
No Storage of Card Data | We do not store, log, or retain full credit/debit card numbers, CVV codes, or PINs at any point. | Active
Tokenization | Payment credentials are replaced with a secure token by our payment processor. Only the token is stored for recurring billing purposes. | Active
HTTPS Protocol | Our website runs exclusively over HTTPS, ensuring encrypted connections for all visitors at all times. | Active
Access Controls | Access to client data and administrative systems is restricted to authorized personnel only, using role-based access controls. | Active
Health Data Encryption | Medical intake forms, consent documents, and health records are stored with additional encryption layers consistent with HIPAA security standards. | Active
Regular Security Assessments | We conduct periodic reviews of our security posture and update our practices in line with industry standards. | Ongoing

3. Payment Security

We take the security of your payment information extremely seriously. The following measures are in place for all payment transactions:

SSL / TLS Encryption

All pages on our website — including our booking and payment pages — are served over HTTPS using SSL/TLS encryption. This means that all data you enter, including payment card details, is encrypted in transit between your browser and our systems and cannot be read by anyone intercepting the connection.

PCI-DSS Compliant Payment Processing

Payments made through our website are processed by a third-party payment gateway that is certified to Payment Card Industry Data Security Standard (PCI-DSS) Level 1 — the highest level of certification available. Our payment processor handles the full transaction flow in a secure, isolated environment.

No Card Data Stored on Our Systems

Med Spas does not store, log, or retain your full credit card number, card verification value (CVV), expiration date, or PIN on our servers or databases at any time. Once your payment is authorized, only a secure token and the last four digits of your card are retained for reference purposes.

Tokenization

Where recurring billing or saved payment methods are used (e.g., for package payments or membership plans), your card details are replaced with a unique token issued by our payment processor. The token is a substitute value that carries no card data itself and cannot be reversed to expose your actual card information.

Your full payment card details are never visible to Med Spas staff, stored in our systems, or transmitted in unencrypted form.

4. Health Data Security

Because we are a medical aesthetic practice, we collect sensitive health and medical information as part of our client intake and treatment process. We treat this information with additional layers of protection beyond standard data security practices.

  • Health information collected through our online intake forms and consultation questionnaires is transmitted over encrypted connections (HTTPS/TLS)
  • Stored health records are encrypted at rest using industry-standard encryption methods
  • Access to health records is restricted to licensed practitioners and authorized staff directly involved in your care
  • We do not use your health information for advertising, profiling, or any purpose other than providing and improving your care
  • Where applicable, our data handling practices comply with the Health Insurance Portability and Accountability Act (HIPAA). Please refer to our HIPAA Notice of Privacy Practices for full details

5. Access Controls & Internal Security

Access to client data and our internal systems is governed by strict access controls designed to prevent unauthorized access by both external threats and internal personnel:

  • Role-based access controls (RBAC) ensure that staff members can only access the information necessary to perform their specific job functions
  • Administrative access to sensitive systems requires multi-factor authentication (MFA)
  • All staff members with access to client data receive training on data privacy, security best practices, and HIPAA obligations
  • System activity and access logs are maintained and reviewed regularly to detect any unusual or unauthorized activity
  • Former employees are promptly removed from all systems upon departure

6. Third-Party Service Providers

We work with carefully selected third-party service providers to support our website, booking, and payment systems. We require all third-party providers who handle personal or payment data on our behalf to:

  • Maintain security standards equal to or greater than our own
  • Comply with applicable data protection laws, including HIPAA where relevant
  • Enter into data processing agreements or business associate agreements (BAAs) as required by law
  • Refrain from using client data for any purpose other than providing the agreed service

We do not authorize third-party providers to sell, share, or otherwise exploit your personal information for their own commercial purposes.

7. Data Breach Response

Despite our best efforts, no security system is impenetrable. In the unlikely event of a data breach that may compromise your personal information, we will:

  • Promptly investigate and contain the breach
  • Notify affected individuals as required by applicable law (typically within 72 hours under certain regulations, or as required by state breach notification laws)
  • Report the breach to relevant regulatory authorities where legally required
  • Take corrective steps to prevent recurrence

If you believe your account or personal information may have been compromised, please contact us immediately at [email protected].

8. Your Responsibility

While we take every reasonable precaution to protect your data, security is a shared responsibility. We encourage you to take the following steps to protect your own information:

  • Use strong, unique passwords for any online accounts, including our client portal
  • Do not share your login credentials with others
  • Avoid accessing your account or submitting personal information over unsecured public Wi-Fi networks
  • Log out of your account when using a shared or public computer
  • Contact us immediately at [email protected] if you suspect any unauthorized access to your account

9. Contact Us

If you have any questions or concerns about our security practices, data handling, or this policy, please do not hesitate to contact us:

Med Spas

Email: [email protected]

Website: Med Spas
