Privacy Notice

PRIVACY POLICY & DATA PROTECTION AGREEMENT

The Luxurious Massage and Spa, LLC
8620 Spring Cypress Road, Suite C
Spring, Texas 77379
Phone: (832) 652-5988
Email: spa@theluxuriousspa.com

Data Protection & Privacy Standards

INTRODUCTION

The Luxurious Massage and Spa ("we," "us," "our," or the "Spa") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our spa, use our website, or engage with our services. We comply with the Health Insurance Portability and Accountability Act (HIPAA), the Texas Data Privacy and Security Act (TDPSA), the Telephone Consumer Protection Act (TCPA), and other applicable federal and state privacy laws.

By using our services, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use our services.

INFORMATION WE COLLECT

Personal Information

We collect information you provide directly to us, including:

Full name, mailing address, and contact information
Date of birth and age verification
Emergency contact information
Payment and billing information (credit card, debit card)
Appointment preferences and service history
Service preferences, feedback, and reviews
Government-issued identification (when required)

Health Information (Protected Health Information - PHI)

To provide safe and effective treatments, we collect:

Medical conditions, diagnoses, and health history
Current medications, supplements, and dosages
Allergies, sensitivities, and contraindications
Pregnancy status and related health considerations
Recent surgeries, procedures, or injuries
Skin conditions, disorders, or sensitivities
Treatment notes, session outcomes, and therapist observations
Health screening and intake form responses

Sensitive Personal Data (as defined by Texas TDPSA)

We may collect the following sensitive data categories with your explicit consent:

Racial or ethnic origin (for treatment customization only)
Health data and medical information
Precise geolocation data (only when using location-based services)
Biometric data (not currently collected)

Technical and Online Information

When you interact with our website or online booking system, we may collect:

IP address and approximate geographic location
Browser type, version, and operating system
Device identifiers and mobile device information
Pages visited, time spent, and navigation patterns
Referral URLs and search terms used to find us
Cookies, pixels, and similar tracking technologies
Online booking and form submission data
Advertising interaction data (via Meta Pixel)

Third-Party Platform Data

We receive and process information through the following third-party platforms and service providers:

Zenoti - Appointment scheduling, client management, and payment processing
Jotform - Intake forms, health questionnaires, and consent forms
Webflow - Website hosting and content management
Google Analytics (via Google Tag Manager) - Website analytics and user behavior tracking
Meta Pixel (Facebook/Instagram) - Advertising measurement and optimization
Nextiva - Business phone system and call management
Review platforms (Google, Yelp, Facebook)
Social media platforms (when you interact with our pages)

HOW WE USE YOUR INFORMATION

Service Provision

Schedule, confirm, and manage appointments via Zenoti
Provide personalized and safe treatments
Process payments and maintain transaction records
Send appointment reminders and confirmations
Deliver customer service and respond to inquiries
Maintain accurate service and treatment records

Health & Safety Compliance

Assess treatment suitability and contraindications
Modify services based on health conditions
Maintain HIPAA-compliant treatment records
Ensure therapist and guest safety
Comply with health regulations and licensing requirements
Execute emergency contact procedures when necessary

Business Operations

Improve services, facilities, and guest experience
Develop new treatments and service offerings
Conduct quality assessments and satisfaction surveys
Train staff and maintain professional standards
Maintain business records and accounting
Comply with legal and regulatory requirements

Marketing & Communications (With Consent)

Send promotional offers and special discounts
Share spa news, updates, and announcements
Invite you to special events and exclusive experiences
Request feedback, reviews, and testimonials
Send birthday and anniversary messages
Deliver membership communications and rewards
Measure advertising effectiveness via Meta Pixel

SMS/TEXT MESSAGE CONSENT & COMMUNICATIONS

Consent to Receive Text Messages

By providing your mobile phone number and opting in, you consent to receive text messages from The Luxurious Massage and Spa for the following purposes:

Appointment confirmations and reminders
Appointment rescheduling notifications
Service updates and important notices
Promotional offers and special discounts (if opted in separately)

Message Frequency & Charges

Message frequency varies based on your appointment schedule
Typically 2-4 messages per appointment (confirmation, reminder, follow-up)
Promotional messages limited to 4 per month maximum
Message and data rates may apply based on your mobile carrier plan
We do not charge for SMS messages; carrier rates apply

Opting Out of Text Messages

You may opt out of text messages at any time by:

Replying STOP to any text message from us
Calling us at (832) 652-5988
Emailing spa@theluxuriousspa.com with "Unsubscribe SMS" in subject line
Requesting removal in person at our spa

After opting out, you will receive one final confirmation message. Opting out of promotional texts does not opt you out of transactional appointment messages unless specifically requested.

TCPA Compliance

We comply with the Telephone Consumer Protection Act (TCPA). We will never send text messages without your prior express consent. Your consent is not a condition of purchasing any services from us.

PHOTOGRAPHY, VIDEO & SOCIAL MEDIA CONSENT

Before/After Treatment Photography

We may request permission to photograph treatment results for the following purposes:

Documenting treatment progress for your personal records
Internal training and quality improvement
Marketing materials (only with separate written consent)

Consent Requirements

All photography requires separate, explicit written consent
You may decline photography without affecting your service
Consent for treatment documentation does not equal consent for marketing use
Marketing use requires a separate Photo/Video Release Form
You may withdraw consent at any time for future use

Social Media & Testimonials

We will never post your image or testimonial without written consent
Testimonials may be edited for length but not meaning
You may request removal of your content at any time
Tagged photos on our social media require your approval before posting
We do not share your personal information on social media platforms

Guest Photography Policy

Photography and recording by guests is prohibited in treatment areas
Photography in common areas requires staff permission
Photographing other guests without their consent is strictly prohibited
Violations may result in service termination

INFORMATION SHARING & DISCLOSURE

We Do NOT Sell Your Personal Information

The Luxurious Massage and Spa does not sell, rent, lease, or trade your personal information to third parties for their marketing purposes. This includes all categories of personal and sensitive data.

We Do NOT Share Your Information With:

Third-party marketers or advertisers (we only share anonymized/aggregated data)
Data brokers or data aggregators
Unauthorized personnel or businesses
Competitors or other spa businesses
Family members or friends (without your authorization)

Limited Sharing Occurs Only When:

Required by law, court order, or legal process
Necessary for your health and safety or others' safety
You provide explicit written consent
Required for emergency medical care
Necessary for authorized service providers to perform services
Required to protect our legal rights or defend against claims

Authorized Service Providers & Data Processors

We share information with these specific service providers under contractual data protection agreements:

Zenoti - Scheduling, CRM, and payment processing (processes appointment, contact, payment, and service history data)
Jotform - Form hosting and data collection (processes intake form and health questionnaire responses)
Webflow - Website hosting (processes website interaction data)
Google LLC - Analytics via Google Tag Manager (processes anonymized website behavior data)
Meta Platforms, Inc. - Advertising measurement via Meta Pixel (processes anonymized conversion and website interaction data)
Nextiva - VoIP phone system (processes call logs and voicemail)
Cloud storage and backup providers
Legal, accounting, and professional services

DATA HOSTING & SECURITY INFRASTRUCTURE

Our Data Infrastructure

To maximize data security and control, we employ a hybrid infrastructure approach:

Self-Hosted Systems: Critical automation workflows and internal applications are hosted on our own secure infrastructure, giving us complete control over data access and processing
SOC 2 Compliance Path: Our self-hosted infrastructure is designed to meet SOC 2 Type II compliance standards, supporting our commitment to HIPAA compliance for protected health information
Third-Party Services: We carefully select vendors who maintain appropriate security certifications and sign Business Associate Agreements (BAAs) where required for HIPAA compliance

Physical Security

Locked file cabinets for all paper records containing PHI
Restricted access to sensitive areas and records storage
Secure shredding and disposal of documents containing personal information
Visitor access controls and sign-in requirements
Security cameras in common areas (not treatment rooms)
Background checks for all employees with data access

Digital Security

SSL/TLS encryption for all data transmission
Encrypted storage for sensitive data at rest
Strong password requirements and multi-factor authentication
Regular security updates and patch management
Firewall protection and intrusion detection
Antivirus and anti-malware protection
Regular automated and manual backups
Access controls and role-based permissions

Staff Training & Compliance

Annual privacy and HIPAA training for all staff
Signed confidentiality agreements from all employees
Clear data handling procedures and protocols
Regular security awareness updates
Incident reporting protocols and accountability
Ongoing compliance monitoring and audits

DATA BREACH NOTIFICATION

Our Commitment

In the event of a data breach involving your personal information, we are committed to prompt notification and transparent communication in compliance with Texas law and HIPAA requirements.

Notification Timeline

We will notify affected individuals within 60 days of discovering a breach
For breaches affecting 250+ Texas residents, we will also notify the Texas Attorney General
HIPAA-covered breaches affecting 500+ individuals will be reported to HHS
We may delay notification only if law enforcement determines it would impede a criminal investigation

Notification Contents

Our breach notification will include:

Description of the incident and date(s) of occurrence
Types of personal information involved
Steps we are taking to investigate and remediate
Steps you can take to protect yourself
Contact information for questions and assistance
Information about credit monitoring services (if applicable)

Notification Methods

Written notice sent to your last known mailing address
Email notification (if you have provided and verified an email address)
Phone call for urgent situations
Website posting for breaches affecting large numbers of individuals
Media notification when required by law

YOUR PRIVACY RIGHTS

General Rights (All Guests)

Request copies of your personal records
Review information we hold about you
Verify and correct inaccurate data
Understand how your data is used and shared
Request data portability in a usable format
Withdraw consent for optional data processing
Opt out of marketing communications

HIPAA Rights (Health Information)

Access and obtain copies of your health records
Request amendments to your health information
Request restrictions on certain uses and disclosures
Request confidential communications
Receive an accounting of disclosures
File a complaint if you believe your rights have been violated

TEXAS RESIDENTS' RIGHTS (TDPSA)

If you are a Texas resident, the Texas Data Privacy and Security Act (TDPSA) provides you with specific rights regarding your personal data, effective July 1, 2024.

Your TDPSA Rights Include:

Right to Know: Confirm whether we are processing your personal data and access that data
Right to Correction: Correct inaccuracies in your personal data
Right to Deletion: Delete personal data you have provided or we have obtained
Right to Data Portability: Obtain a copy of your data in a portable, readily usable format
Right to Opt Out: Opt out of processing for targeted advertising, sale of personal data, or profiling
Right to Appeal: Appeal our decision regarding your privacy request

Exercising Your Rights

To exercise any of these rights, please contact us using the information below. We will respond to your request within 45 days. If we need additional time (up to 45 more days), we will notify you of the extension and the reason.

Appeal Process

If we decline your request, you may appeal by:

Submitting a written appeal to spa@theluxuriousspa.com within 30 days
Including "Privacy Appeal" in the subject line
Explaining why you believe the decision was incorrect

We will respond to your appeal within 60 days. If we deny your appeal, you may file a complaint with the Texas Attorney General at https://www.texasattorneygeneral.gov/.

Non-Discrimination

We will not discriminate against you for exercising your privacy rights. You will not receive different prices, quality of services, or denial of services for exercising these rights.

ADVERTISING & TRACKING TECHNOLOGIES

Meta Pixel (Facebook/Instagram)

We use Meta Pixel on our website to:

Measure the effectiveness of our advertising campaigns
Understand how visitors interact with our website after viewing our ads
Create custom audiences for advertising (using anonymized data)
Optimize ad delivery to reach interested audiences

Meta Pixel collects information about your device, browser, and website interactions. This data is shared with Meta Platforms, Inc. in accordance with their Data Policy. We do not share your name, email, phone number, or health information with Meta for advertising purposes.

Google Analytics & Google Tag Manager

We use Google Analytics to:

Understand website traffic and user behavior patterns
Measure website performance and identify improvements
Analyze which pages and content are most valuable to visitors
Track conversion goals (appointment bookings, form submissions)

Google Analytics uses cookies to collect anonymized data about your website visits. We have enabled IP anonymization to protect your privacy.

Opting Out of Tracking

Meta Pixel: Adjust your ad preferences at facebook.com/adpreferences or use the "Off-Facebook Activity" tool
Google Analytics: Install the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout
Browser Settings: Enable "Do Not Track" in your browser settings (we honor DNT signals)
Cookie Settings: Adjust cookie preferences in your browser or use our cookie consent banner

Types of Cookies We Use

Essential Cookies: Required for website functionality (Webflow, form submissions) - cannot be disabled
Analytics Cookies: Google Analytics for website improvement
Advertising Cookies: Meta Pixel for advertising measurement
Preference Cookies: Remember your settings and preferences

DATA RETENTION

Retention Periods

Appointment and service records (Zenoti): 7 years
Health and treatment information: 7 years (as required by Texas law)
Intake forms (Jotform): 7 years
Payment and financial records: 7 years
Marketing consent records: Until consent is withdrawn
Communication logs (Nextiva): 3 years
Legal documents and contracts: As required by applicable law
Website analytics data (Google Analytics): 26 months
Meta Pixel data: Per Meta's data retention policies

Secure Disposal

Paper documents: Cross-cut shredding
Digital data: Secure deletion with verification
Storage media: Physical destruction or secure wiping
Documentation of disposal maintained
Regular disposal schedule enforced

CHILDREN'S PRIVACY

Age Restrictions

Our services are generally intended for adults 18 and older
Guests ages 14-17 may receive services with parental/guardian consent
We do not knowingly collect personal information from children under 14
Parents/guardians may review, correct, or delete their child's information

Parental Rights

Parents/guardians must provide consent for minors' services
Parents/guardians have access to their minor child's records
Parents/guardians may request deletion of minor's data
Special protections apply to all minor guest data

CHANGES TO THIS POLICY

Policy Updates

We review and update this policy periodically
Material changes will be communicated via email to active clients
Updated policy will be posted on our website with new effective date
Continued use of services after changes constitutes acceptance
Previous versions available upon request

CONTACT INFORMATION

Privacy Officer

The Luxurious Massage and Spa, LLC
8620 Spring Cypress Road, Suite C
Spring, Texas 77379

Phone: (832) 652-5988
Email: spa@theluxuriousspa.com
Website: www.theluxuriousspa.com

Privacy Inquiries

Privacy questions and concerns
Data access, correction, or deletion requests
Consent withdrawal
SMS opt-out requests
Advertising opt-out assistance
Complaint submissions
Policy clarification
TDPSA rights requests
Appeals of privacy decisions

Response Times

General inquiries: 48 business hours
Data access requests: 45 days (TDPSA)
HIPAA requests: 30 days
Urgent matters: 24 hours
Complaints: 14 days initial response
Appeals: 60 days

LEGAL BASIS FOR PROCESSING

Processing Justification

Consent: Marketing communications, photography, advertising tracking, optional data collection
Contract Performance: Providing requested spa services via Zenoti
Legal Obligation: Health records, tax records, regulatory compliance
Legitimate Interest: Business operations, fraud prevention, security, website analytics
Vital Interests: Emergency health and safety situations

Regulatory Compliance

HIPAA (Health Insurance Portability and Accountability Act)
Texas Data Privacy and Security Act (TDPSA)
Telephone Consumer Protection Act (TCPA)
Texas Identity Theft Enforcement and Protection Act
Texas Medical Records Privacy Act
FTC Act and consumer protection regulations
PCI-DSS for payment card data
SOC 2 Type II (infrastructure compliance pathway)

ACKNOWLEDGMENT

By using our services, you acknowledge that you have read, understood, and agree to this Privacy Policy. This policy is effective as of the date listed below and applies to all information collected by The Luxurious Massage and Spa.

If you have any questions about this Privacy Policy or our data practices, please contact us using the information provided above.

Document Version: 2025.3
Effective Date: December 1, 2025
Last Updated: November 30, 2025