SPASYNC PRIVACY POLICY

Effective Date: April 16, 2026

Published at: https://spasync.ai/spasync-privacy

Last Updated: April 16, 2026

This Privacy Policy describes how Newly Booked Co., doing business as Mirrored Aesthetics ("Newly Booked," "we," "us," or "our"), collects, uses, stores, and protects information in connection with the SpaSync mobile application (the "App").

This policy is specific to the SpaSync app. For information about data practices on our marketing website and other services, see our general Privacy Policy at https://newlybooked.com/privacy-policy.

If you have questions about this policy or our data practices, contact Ivan Merlo-Iglikov at [email protected].

1. WHO USES SPASYNC

SpaSync is a professional tool licensed to medical spa businesses ("Clinics") for use by their providers and staff ("Users"). Patients do not directly use the App. SpaSync is not intended for, and should not be used by, individuals under 18 years of age.

2. OUR ROLE

Clinics use SpaSync to record consultations, capture media, and manage appointment workflows as part of their services to their patients. Newly Booked acts as a service provider to each Clinic. Each Clinic is responsible for its own relationship with its patients, including obtaining any necessary consents prior to media capture.

3. INFORMATION WE COLLECT

Information Users provide:

(a) Account information: name, email address, clinic affiliation, and role.

(b) Authentication data: login credentials (handled through Google Firebase Authentication; we do not store raw passwords).

(c) On-device biometric credential cache: if Face ID or a similar biometric unlock is enabled, the User's login credentials are saved to the device's secure storage (iOS Keychain / Android encrypted preferences) so the App can sign in without re-entry. This cache never leaves the device. The biometric data itself (face or fingerprint template) is held by the operating system and is never accessible to the App.

Information captured through App features:

When Users perform Clinic workflows in the App, the following data may be created and transmitted to our systems on behalf of the Clinic:

(a) Audio recordings of consultations.

(b) Photos and videos ("before" and "after" media) captured via the in-app camera.

(c) Patient reference data (name, date of birth, contact information, appointment details) pulled from the Clinic's point-of-sale or electronic medical record system through authorized API connections, used to label and organize captured media.

(d) Consultation notes checklist status retrieved from Clinic systems.

All such information is handled on the Clinic's behalf. The Clinic determines what is collected, for which patients, and for what purpose.

Information collected automatically:

(a) Device information: device model, operating system version, App version, and a device identifier used for audit logging.

(b) Usage and audit data: login timestamps, screens viewed, actions taken (e.g., recording started, media uploaded), and outcomes (success/failure). These events are logged for security and accountability.

(c) Diagnostic data: crash reports and error information used to improve stability. Diagnostic data is scrubbed of identifying fields before transmission.

We do not use third-party analytics SDKs, advertising SDKs, or behavioral tracking.

4. HOW WE USE INFORMATION

We use the information described above to:

(a) Provide the App's core features (recording, media capture, calendar sync, patient-linked media organization).

(b) Authenticate Users and secure access to Clinic data.

(c) Maintain audit logs of access and activity for security and accountability.

(d) Troubleshoot errors, diagnose crashes, and improve the App.

(e) Communicate important service updates, security notices, and policy changes.

We do not sell personal information. We do not use personal information for advertising or third-party marketing.

5. DEVICE PERMISSIONS

SpaSync requests the following permissions on iOS:

(a) Camera — to capture photos and videos during consultations.

(b) Microphone — to record consultation audio.

(c) Photo Library — to allow Users to select existing media from the device when appropriate. No unsolicited access to the Photo Library is performed.

(d) Face ID / Biometrics — to unlock the App using the device's built-in authentication. The biometric data never leaves the device.

(e) Background modes — to complete uploads of captured media after the App is backgrounded, so Users can continue their workflow without waiting.

Permissions may be revoked at any time in the device's Settings. Some features will not function without the associated permission.

6. HOW WE STORE AND PROTECT INFORMATION

Security measures include:

(a) Encryption in transit: TLS 1.3 for all network traffic between the App and our servers.

(b) Encryption at rest: AES-256-GCM encryption for sensitive fields in our databases. Captured media files are stored in cloud storage with server-side encryption enabled. Files persisted on the device are protected using iOS file protection, rendering them unreadable while the device is locked.

(c) Access controls: role-based authentication, session timeouts, and automatic logout after inactivity.

(d) Audit logging: every access to patient-related data is recorded.

(e) Integrity checks: the App detects jailbroken or compromised devices and prevents use in release builds.

(f) Screen-capture awareness: the App detects and logs screen recording and screenshot events.

(g) Secure key management: encryption keys are managed server-side and rotated as needed.

No system is perfectly secure. We work to maintain industry-standard safeguards, and we promptly investigate any suspected security incident.

7. SUBPROCESSORS

We use the following service providers to operate the App. Each is bound by a data-processing agreement:

(a) Amazon Web Services (AWS) — cloud storage for captured media and infrastructure logs.

(b) Google (Firebase Authentication) — user authentication.

(c) Fly.io — application and database hosting (United States region).

We do not share information with other third parties except as described in Section 8.

8. SHARING AND DISCLOSURE

We share information only:

(a) With the Clinic — the Clinic owns the patient records and captured media associated with its users. Clinic administrators can access and manage data their providers created.

(b) With our subprocessors — as described in Section 7, strictly to operate the App.

(c) When required by law — in response to valid legal process or to protect against fraud, abuse, or harm.

(d) With the User's consent — for any purpose not described in this policy.

We do not sell or rent information to any third party. We do not share information for advertising or cross-context behavioral profiling.

9. DATA RETENTION

(a) Captured media and patient-linked records are retained until the Clinic deletes them or terminates its account. Deletion is performed as a soft delete followed by a hard delete within 30 days.

(b) Audit logs are retained as required by applicable law and industry norms.

(c) Account information is retained while the account is active, and for a reasonable period after closure for security and legal purposes.

Users may request the deletion of their account by contacting [email protected].

10. YOUR RIGHTS

Depending on where the User resides, applicable privacy laws (including the California Consumer Privacy Act and the European Union General Data Protection Regulation) provide the following rights:

(a) Access — request a copy of the personal information we hold about you.

(b) Correction — request correction of inaccurate information.

(c) Deletion — request deletion of personal information, subject to legal or contractual retention requirements.

(d) Portability — request a machine-readable copy of your data.

(e) Objection / restriction — object to or restrict certain processing.

(f) Non-discrimination — we will not retaliate against a User who exercises these rights.

To exercise any of these rights, contact [email protected]. Because patient records are owned by the Clinic, requests related to patient information must be routed through the Clinic.

11. CHILDREN

SpaSync is not intended for, and does not knowingly collect information from, individuals under 18. If we learn we have collected information from a user under 18, we will delete it promptly.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated through an in-app notice and, where we have email contact information for the User, by email. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

Continued use of the App after the effective date of a change constitutes acceptance of the updated policy.

13. CONTACT

Privacy questions, data requests, or security reports:

Newly Booked Co. DBA Mirrored Aesthetics

Attn: Ivan Merlo-Iglikov

Email: [email protected]

For postal correspondence, please use the mailing address listed on our general Privacy Policy at https://newlybooked.com/privacy-policy.