Privacy Policy

Last updated: March 12, 2026

GlowScript (“we,” “our,” “the platform”) is a practice management platform for med spas and aesthetic clinics, operated by Distinctly Developed LLC. This Privacy Policy explains what data we collect, how we use and protect it, and the rights you have regarding your information, including Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act (“HIPAA”).

Our Role Under HIPAA

GlowScript acts as a Business Associate under HIPAA. Your practice (the “Covered Entity”) owns and controls all client and patient data entered into the platform. We process PHI only as directed by your practice and in accordance with our Business Associate Agreement (“BAA”), which is executed with each practice during onboarding. A copy of our standard BAA is available at glowscript.ai/baa.

Information We Collect

Account & Practice Information

When you create an account, we collect identifiers such as your name, email address, phone number, and practice details (business name, address, license information) to provision your workspace and support your team.

Protected Health Information (PHI)

GlowScript stores data entered by your practice, which may include client profiles, appointment history, consent forms, treatment notes, clinical photographs, medical history, and communications. This information may constitute PHI under HIPAA and is treated with the highest level of protection. We do not access, use, or disclose PHI except as permitted by your BAA and applicable law.

Usage & Device Data

We collect usage analytics (pages viewed, features used, timestamps) and technical data (browser type, device information, IP address) to monitor system performance, detect security threats, and improve the platform. This data does not include PHI.

How We Use Data

  • Provide core scheduling, charting, consent, photo management, and communication features
  • Authenticate users with multi-factor authentication and enforce role-based access controls
  • Deliver operational notifications, appointment reminders, and system alerts
  • Monitor system performance, detect unauthorized access, and maintain audit logs
  • Support integrations (e.g., Stripe for payments) configured by your practice
  • Comply with legal obligations, including HIPAA requirements

Data Storage & Security

We implement administrative, technical, and physical safeguards to protect your data in accordance with the HIPAA Security Rule. Our security measures include:

  • Encryption in transit: All data is transmitted over TLS 1.2 or higher (HTTPS)
  • Encryption at rest: All data is encrypted using AES-256 with AWS Key Management Service (KMS) customer-managed keys
  • Multi-factor authentication: Required for all user accounts using time-based one-time passwords (TOTP)
  • Role-based access controls: Users can only access data appropriate for their role within the practice
  • Audit logging: All access to PHI is logged and retained for a minimum of six years in accordance with HIPAA requirements
  • Network isolation: Application infrastructure runs within a private virtual network with no direct public access to databases or internal services

All data is stored in the United States on Amazon Web Services (AWS) infrastructure covered by an AWS Business Associate Addendum. We do not transfer data outside the United States.

Sharing & Third Parties

We do not sell, rent, or trade your data. We share data only in the following circumstances:

  • Infrastructure providers: AWS provides our hosting, database, and storage services under a BAA. No PHI is shared with AWS beyond what is necessary for data storage and processing.
  • Payment processing: Stripe processes payments on your behalf. We do not share PHI with Stripe — only billing identifiers and transaction amounts necessary to process payments.
  • Practice-enabled integrations: If your practice enables third-party integrations, data may be exchanged according to your configuration. You are responsible for ensuring those services meet your compliance requirements.
  • Legal requirements: We may disclose information if required by law, regulation, subpoena, or court order.

Breach Notification

In the event of a breach of unsecured PHI, we will notify affected practices without unreasonable delay and no later than 60 days after discovery of the breach, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Our notification will include the nature of the breach, the types of information involved, steps we are taking to investigate and mitigate harm, and recommendations for affected individuals to protect themselves.

Data Retention

We retain your data for as long as your account is active. Audit logs related to PHI access are retained for a minimum of six years as required by HIPAA. Upon account termination, you may request a full export of your data. After the export period (90 days), we will securely delete your data from our systems, except where retention is required by law or for legitimate compliance purposes.

Your Rights

As a practice using GlowScript, you retain full control over your client data. Your clients may exercise rights under HIPAA through your practice directly. These rights include:

  • Right to access: Patients may request copies of their health records
  • Right to amendment: Patients may request corrections to their health records
  • Right to an accounting of disclosures: Patients may request a record of when and to whom their PHI was disclosed
  • Right to restrict disclosures: Patients may request restrictions on certain uses of their information

GlowScript will cooperate with your practice to fulfill these requests in accordance with our BAA.

Practice Controls

  • Update practice and account information in Settings
  • Manage team member access, roles, and permissions
  • Export client data at any time
  • Request account deletion by contacting support

Children's Privacy

GlowScript is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. Client records for minor patients are entered and managed by the practice, which is responsible for obtaining appropriate parental or guardian consent.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active account holders of material changes via email at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Contact

For questions about this Privacy Policy, data protection, or to exercise your rights, contact our Privacy Officer at privacy@glowscript.ai.