New: Voice AI outbound calls — lead to booked appointment in under 60 seconds — See it live
Book a Demo
Home
Features
Use Cases
Pricing
Resources
Blog Marketing Playbook Revenue Calculator Getting Started Guide
About
Contact
Book a Demo
Legal

Privacy Policy

How NeedleMoved collects, uses, and safeguards information across our marketing website and SaaS platform.

Effective [EFFECTIVE_DATE]. Questions? Contact us at [CONTACT_EMAIL_PRIVACY] (privacy) or [CONTACT_EMAIL_LEGAL] (terms). This Privacy Policy will be updated as our business evolves; we will revise the effective date and, where changes are material, provide additional notice.

1. Introduction

This Privacy Policy ("Policy") describes how [LEGAL_ENTITY_NAME], a [STATE_OF_FORMATION] company doing business as "NeedleMoved" ("NeedleMoved," "we," "us," or "our"), collects, uses, discloses, and protects information in connection with (a) the marketing website located at needlemoved.com and any related web properties (the "Site"), and (b) the NeedleMoved software-as-a-service platform, including Voice AI, Conversation AI, CRM, scheduling, automation, analytics, and related services (collectively, the "Platform," and together with the Site, the "Services").

This Policy applies to prospective customers and website visitors, current customers of the Platform and their authorized users, job applicants, and other individuals who interact with us. If you are an end consumer or patient of a med spa that uses the Platform, please note that our customer (the med spa) is the controller of your personal information, and you should review that practice's privacy notice first. Our handling of information on behalf of our customers is governed by our agreements with them, including any applicable Business Associate Agreement ("BAA").

2. Information We Collect

2.1 Information You Provide Directly

We collect information you submit to us when you:

  • Fill out a form on the Site, request a demo, subscribe to emails, or download a resource (e.g., name, email, phone number, practice name, role, practice size, and any message content you include).
  • Register for or administer a Platform account (e.g., account credentials, billing contact, business and tax identifiers, staff directory data, practice locations, and integration credentials).
  • Contact customer support or communicate with us by email, chat, phone, or social media (we may retain the content of those communications and any related attachments).
  • Submit billing information through our payment processor (we do not store full payment card numbers; see Section 4).
  • Participate in surveys, webinars, user research, or promotional events.

2.2 Information Collected Automatically

When you visit the Site or use the Platform, we and our service providers may automatically collect:

  • Device and browser information such as IP address, device identifiers, operating system, browser type and version, language preferences, and referral URLs.
  • Usage and log data such as pages viewed, links clicked, features used, time spent, search queries within the Platform, session identifiers, timestamps, crash reports, and diagnostic information.
  • Cookies, pixels, local storage, and similar technologies (see Section 6).
  • Approximate location derived from IP address.

2.3 Information From Third Parties

We may receive information about you from:

  • Integration partners you connect to your Platform account (e.g., Google, Meta, calendar providers, practice management or EMR systems, review platforms, and other authorized integrations) — limited to the scopes you grant.
  • Analytics and marketing providers that help us measure campaign performance and improve the Site.
  • Our payment processor, Stripe, which provides transaction metadata, authorization status, and fraud signals.
  • Communications providers (e.g., Twilio and email delivery vendors) that return delivery, engagement, and error signals.
  • Publicly available sources and data enrichment vendors used for sales, marketing, and fraud-prevention purposes.

2.4 What We Do Not Seek From Site Visitors

The Site is not intended to collect Protected Health Information (PHI) or patient-identifiable medical information. Please do not submit PHI through web forms, chat, or email to unencrypted addresses. If you are an existing customer and need to share PHI, use the Platform or a channel covered by your BAA with us.

3. How We Use Information

We use the information we collect for the following purposes:

  • Service delivery. To provide, operate, maintain, secure, and improve the Services, including hosting Customer Content, routing communications, generating AI outputs, and reporting analytics.
  • Account management. To authenticate users, administer billing, enforce usage limits, and provide customer support.
  • Communications. To send transactional messages (receipts, security alerts, service notices) and, where permitted, marketing communications about new features, events, and resources. You can opt out of marketing messages at any time.
  • Product analytics and development. To understand how users interact with the Services, diagnose problems, and build new features. We may create aggregated or de-identified data that no longer identifies an individual; we may use and disclose such data for any lawful purpose.
  • Marketing and advertising. To measure the performance of our marketing, retarget past visitors, and deliver relevant content.
  • Security and fraud prevention. To detect, investigate, and prevent abuse, security incidents, and unlawful activity, and to enforce our Terms of Service.
  • Legal and compliance. To comply with applicable laws, respond to lawful requests, and exercise or defend legal claims.

Where required by law, we rely on one of the following lawful bases for processing: performance of a contract, our legitimate interests (balanced against your rights), your consent, or compliance with a legal obligation.

4. How We Share Information

We do not sell personal information for monetary consideration, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, except where you have opted in or where otherwise described in Section 6. We disclose information only as described below.

4.1 Service Providers and Subprocessors

We share information with vendors that perform services on our behalf under written contracts that restrict their use of the information. Categories include:

  • Cloud hosting and infrastructure providers.
  • Payment processing — Stripe, Inc., which processes card and bank transactions on our behalf.
  • Communications delivery — Twilio and similar providers for SMS, MMS, voice calls, and telephony.
  • Email delivery and marketing automation providers.
  • Analytics, product telemetry, and error-monitoring providers.
  • Artificial intelligence and large language model providers that power features such as Voice AI and Conversation AI. Customer inputs processed for AI features are subject to contractual restrictions on use and, where applicable, our BAA with the customer.
  • Customer support, CRM, and ticketing tools.
  • Professional services firms (legal, accounting, auditors).

4.2 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of the transaction, subject to customary confidentiality protections. We will notify affected users where required by law.

4.3 Legal Requirements and Protection of Rights

We may disclose information when we believe in good faith that disclosure is necessary to (a) comply with applicable law, subpoena, court order, or other legal process; (b) enforce our agreements or investigate potential violations; (c) protect the rights, property, safety, or security of NeedleMoved, our users, or the public; or (d) respond to an emergency.

4.4 With Your Consent or At Your Direction

We may share information with third parties when you authorize us to do so, including when you enable an integration or request that we transfer information to another service.

4.5 Aggregated or De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you.

5. HIPAA and Protected Health Information

Many of our customers are "Covered Entities" under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). When NeedleMoved processes Protected Health Information ("PHI") on behalf of a Covered Entity through the Platform, we act as a "Business Associate" as that term is defined under HIPAA.

For Covered Entity customers, we enter into a Business Associate Agreement ("BAA") that governs our permitted uses and disclosures of PHI, our safeguard obligations, breach notification obligations, and our obligations with respect to subcontractors. To the extent any term of this Policy conflicts with the terms of an executed BAA with respect to PHI, the BAA controls.

We implement administrative, physical, and technical safeguards designed to satisfy the HIPAA Security Rule as applicable to the features enabled for a given customer, and we pass through HIPAA-equivalent obligations to our subcontractors that handle PHI. Customers are responsible for configuring and using the Platform in a manner consistent with their own regulatory obligations, including obtaining appropriate patient authorizations before sending marketing communications or recording calls where applicable.

Important for Site visitors: The marketing Site is not a HIPAA-covered channel. Do not submit PHI, patient health records, or protected medical details through web forms, live chat, or unencrypted email. Information submitted through the Site is governed by this Policy, not by a BAA.

6. Cookies and Similar Technologies

We use cookies and similar technologies to operate, analyze, secure, and market the Services. The categories we use include:

  • Strictly necessary. Required for core functionality such as authentication, session management, and load balancing. These cannot be disabled.
  • Functional. Remember your preferences and settings.
  • Analytics and performance. Help us understand how the Services are used so we can improve them.
  • Advertising and measurement. Measure the effectiveness of our marketing campaigns and, where permitted, deliver relevant ads on other sites. We do not use cookies for advertising on pages where PHI is present.

You can control cookies through your browser settings, device controls, and our cookie preference tool (where available). You can also opt out of certain interest-based advertising through industry tools such as the Network Advertising Initiative (thenai.org/opt-out) and the Digital Advertising Alliance (optout.aboutads.info). We honor Global Privacy Control ("GPC") signals as an opt-out of sale/sharing for browsers that transmit them, consistent with applicable law. Disabling certain cookies may affect Site functionality.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specifically:

  • Customer account data is retained for the duration of the subscription and for a reasonable period afterward to support wind-down, dispute resolution, and legal obligations. Customer Content and Patient Data retention is further governed by the Terms of Service and any applicable BAA.
  • Marketing inquiry data (e.g., demo requests, newsletter signups) is retained for a reasonable period unless you ask us to delete it or unsubscribe.
  • Website logs and security data are retained for a limited period sufficient to support troubleshooting, analytics, and incident response.
  • Billing and tax records are retained for the periods required under applicable tax, accounting, and commercial laws.

When personal information is no longer needed, we will delete, anonymize, or de-identify it in accordance with our data retention and disposal procedures.

8. Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These safeguards include encryption of data in transit and, where applicable, at rest; role-based access controls and least-privilege principles; secure software development practices; logging and monitoring; vendor security assessments; and employee training. Despite these efforts, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

9. Your Privacy Rights

9.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights, subject to verification and applicable exceptions:

  • Right to know the categories and specific pieces of personal information we have collected, the sources, purposes, and categories of third parties with whom we share it.
  • Right to delete personal information we have collected from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information. As stated above, we do not sell personal information and do not share it for cross-context behavioral advertising, except as disclosed in Section 6 regarding advertising cookies where applicable; you may opt out at any time using our cookie preference tool or by sending a GPC signal.
  • Right to limit use of sensitive personal information to the purposes necessary to provide the Services.
  • Right to non-discrimination for exercising your rights.

To exercise these rights, email [CONTACT_EMAIL_PRIVACY] or submit a request through our contact page. We will verify your identity before responding. You may designate an authorized agent to make requests on your behalf; we will require written authorization and verification. If we deny your request, you may appeal by emailing [CONTACT_EMAIL_PRIVACY] with the subject line "Privacy Appeal."

Categories of personal information collected in the preceding 12 months and the business purposes for which they are used are described throughout Sections 2 and 3 of this Policy.

9.2 Residents of Other U.S. States

Residents of other U.S. states that have enacted comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others — may have similar rights to access, correct, delete, obtain a portable copy of, and opt out of certain processing (including targeted advertising, "sale" of personal data, and profiling that produces legal or similarly significant effects). To exercise these rights, contact us at [CONTACT_EMAIL_PRIVACY]. Where applicable state law provides an appeal mechanism, you may appeal a denial by replying to our response.

9.3 EU, UK, and Swiss Residents

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the GDPR (and UK GDPR) including the rights of access, rectification, erasure, restriction of processing, data portability, and objection, as well as the right to withdraw consent and the right to lodge a complaint with your local supervisory authority. We identify a lawful basis for each processing activity (typically performance of a contract, legitimate interests, consent, or legal obligation). Where we transfer personal data outside the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum. To exercise these rights, contact [CONTACT_EMAIL_PRIVACY].

10. Children's Privacy

The Services are intended for business use by med spa practices and are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact [CONTACT_EMAIL_PRIVACY] and we will take appropriate steps to delete it.

11. Third-Party Links and Services

The Services may contain links to third-party websites, products, or services that we do not own or control. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of any third-party services you access.

12. International Data Transfers

NeedleMoved is operated from the United States. If you are accessing the Services from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States and in other countries where our service providers operate. Laws in those countries may differ from those in your country of residence. By using the Services, you consent to this transfer where such consent is required by law.

13. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the effective date above. If the changes are material, we will provide additional notice (for example, through the Platform, by email, or through a prominent Site banner). Your continued use of the Services after the revised Policy becomes effective constitutes acceptance of the changes.

14. Contact Us

If you have questions, concerns, or complaints about this Policy or our privacy practices, contact us at:

  • Email: [CONTACT_EMAIL_PRIVACY] (privacy) or [CONTACT_EMAIL_GENERAL] (general)
  • Mail: [LEGAL_ENTITY_NAME], [COMPANY_ADDRESS]

For data protection inquiries from residents of the EU, UK, or Switzerland, please use the email address above and include "Data Protection Inquiry" in the subject line.

See also: Terms of Service.