Privacy Policy

Effective date: July 3, 2026

This Privacy Policy applies to TOX DEN's website, patient portal, marketing communications, and other consumer-facing services. The way we use and disclose your protected health information (PHI) for treatment, payment, and healthcare operations is governed by our Notice of Privacy Practices, which controls in the event of any conflict with this Policy with respect to PHI.

1. Who we are

TOX DEN (the “Practice,” “we,” or “us”) is a Texas aesthetic and wellness practice. We are a HIPAA “covered entity” with respect to PHI we maintain about our patients.

2. Information we collect

We collect the following categories of information:

  • Identifiers: legal name, date of birth, address, email, phone number, emergency contact, and government-issued ID where required by law.
  • Health information: intake responses, medical and surgical history, allergies, medications, vital signs, lab results, treatment notes, photographs, consents, and after-visit instructions. This is treated as PHI under HIPAA.
  • Financial information: billing address and the last four digits and expiration of cards on file. Full card numbers are submitted directly to our payment processor (Stripe) and are not stored on our servers.
  • Account & authentication data: email, hashed credentials, multi-factor tokens, login timestamps, and IP address.
  • Device & usage data: browser type, device identifiers, pages viewed, referrer, and approximate location derived from IP. We use this to operate, secure, and improve the Services.
  • Communications: secure messages, emails, SMS messages, and call recordings (where lawful and disclosed).

Sources. We collect information directly from you, automatically through your use of the Services, and from authorized service providers (e.g., labs and pharmacies you instruct us to interact with). We do not buy patient lists.

3. How we use information

We use information for the following purposes:

  • Treatment: scheduling, intake, evaluation, documentation, prescribing, and follow-up.
  • Payment: processing charges, deposits, memberships, and refunds; resolving billing disputes.
  • Healthcare operations: quality review, peer review, credentialing, training, audit, accreditation, and compliance.
  • Service operation & security: authenticating users, preventing fraud and unauthorized access, monitoring uptime, and investigating incidents.
  • Communications: appointment reminders, intake links, balance notices, recall messages, and (with your consent) optional marketing.
  • Legal: responding to lawful requests, enforcing our Terms, and meeting record-retention obligations.

4. Legal bases (where applicable)

Our processing is grounded in (i) the provision of medical care and other contractual obligations, (ii) HIPAA-permitted treatment, payment, and healthcare-operations uses, (iii) our legitimate interests in operating, securing, and improving the Services, (iv) compliance with law, and (v) your consent or authorization where required.

5. How we share information

We do not sell or rent your personal information or PHI, and we do not share PHI for cross-context behavioral advertising. We share information only as follows:

  • Providers and clinical staff involved in your care.
  • Business associates bound by HIPAA-compliant Business Associate Agreements (BAAs), including our backend infrastructure provider (Lovable Cloud / Supabase), email and SMS providers used for transactional communications, and laboratory and pharmacy partners you direct us to use.
  • Payment processor: Stripe, Inc., which receives card data directly from your browser and processes charges on our behalf.
  • Legal & safety: to comply with subpoenas, court orders, public-health reporting, mandated abuse reporting, or to prevent serious harm.
  • Corporate transactions: to a successor in connection with a merger, acquisition, or sale of assets, subject to continued protection consistent with this Policy.
  • With your written authorization: any other disclosure (e.g., to a family member who is not a personal representative, or for marketing testimonials).

6. Cookies and similar technologies

We use only strictly necessary cookies and similar storage to keep you signed in, maintain session state, and protect against cross-site request forgery. We do not use third-party advertising cookies, social-media trackers, session-replay tools, or behavioral-advertising pixels on pages that handle PHI. You can manage cookies through your browser settings; disabling necessary cookies will impair the portal's functionality.

7. Security

We maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of personal information and PHI, including: encryption in transit (TLS) and at rest, role-based access control, row-level security on the database, audit logging, electronic-signature attestations under 21 CFR Part 11 principles, vendor due diligence, and workforce training. No system is impenetrable, and we cannot guarantee absolute security. If we discover a breach of unsecured PHI we will notify you and the U.S. Department of Health and Human Services as required by the HIPAA Breach Notification Rule and applicable Texas law (Tex. Bus. & Com. Code ch. 521).

8. Data retention

We retain medical records for the longer of (a) seven (7) years from the date of last treatment for adult patients, (b) the period for which a minor's records are required to be retained under Texas Medical Board rule 22 TAC §165.1, or (c) any longer period required by applicable law or contract. Non-clinical account data is retained as long as your account is active and for a reasonable period thereafter for legal, audit, and security purposes. Backups are deleted on a rolling schedule consistent with our disaster-recovery plan.

9. Your rights and choices

HIPAA rights. Patients may access, request amendment of, request restrictions on, receive an accounting of disclosures of, and request confidential communications of their PHI as described in our Notice of Privacy Practices.

Texas Data Privacy and Security Act (TDPSA, eff. July 1, 2024). Texas residents who interact with non-PHI consumer features (such as marketing) may request to know, delete, correct, and obtain a portable copy of their personal data, opt out of sale or targeted advertising (we do not engage in either), and appeal a denial. Submit requests by emailing or messaging the clinic; we will verify your identity before acting.

Marketing. You may unsubscribe from marketing emails using the link in any such message and opt out of marketing SMS by replying STOP. Transactional clinical communications may continue.

Do Not Track. Our website does not respond to browser DNT signals because there is no industry consensus on their meaning.

10. Children's privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 outside the context of treatment authorized by a parent or legal guardian. If you believe a child has provided personal information improperly, contact us so we can delete it.

11. International users

We operate in the United States. If you access the Services from outside the U.S., you understand your information will be transferred to and processed in the U.S., which may have different data-protection rules than your jurisdiction.

12. Changes to this Policy

We may update this Privacy Policy from time to time. The “Effective date” above indicates the most recent revision. We will notify you of material changes by email or prominent portal notice and, for changes affecting PHI uses, will update the Notice of Privacy Practices accordingly.

13. Contact

Privacy questions, complaints, or rights requests may be directed to our Privacy Officer through the patient portal or by contacting the clinic during business hours. You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against anyone who files a complaint.

This Policy is provided as a general framework and does not constitute legal advice. Consult Texas-licensed healthcare counsel before relying on it for a specific transaction or compliance program.