Privacy Policy
Last updated: March 3, 2026
Information about how we ensure compliance with applicable privacy and PHI laws can be found in:
- Section 4 — Protected Health Information (PHI) and HIPAA
- Section 5 — How We Ensure Compliance With Privacy and PHI Laws
- Section 6 — Data Security
- Section 12 — Contact Us
1. Who We Are
Cevlara (“we,” “us,” “our”) provides AI-powered revenue recovery software for medical spas and aesthetic clinics. This policy describes how we collect, use, and protect information when you visit our website at cevlara.com or use our platform at app.cevlara.com.
2. Information We Collect
Information you provide directly:
- Name, email address, phone number, and clinic name (via forms)
- Revenue range and business details (via the Revenue Audit form)
- Account credentials when you create a Cevlara account
- Patient data that you or your staff enter into the platform (names, contact information, appointment history, treatment records)
Information collected automatically:
- Device type, browser type, and operating system
- IP address and approximate geographic location
- Pages visited, time spent, and referral source
- Cookies and similar tracking technologies
3. How We Use Your Information
- To provide, maintain, and improve our services
- To respond to your inquiries and schedule consultations
- To send service-related communications (appointment reminders, rebooking sequences, system updates)
- To facilitate AI-powered voice and messaging interactions on behalf of your clinic
- To analyze usage patterns and improve our website and platform
- To comply with legal obligations, including HIPAA
We do not sell your personal information or your patients' information to third parties. We do not use patient data for advertising purposes. We use data only to deliver and improve the services you have contracted for.
4. Protected Health Information (PHI) and HIPAA
Cevlara processes Protected Health Information (PHI) on behalf of medical spa clinics that are covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA). PHI includes any individually identifiable health information related to a patient's past, present, or future physical or mental health condition, treatment, or payment for healthcare.
Types of PHI we may process:
- Patient names and contact information
- Appointment dates, times, and service types
- Treatment history and rebooking schedules
- Voice call recordings and transcripts (AI Receptionist)
- Consent form records and signatures
- Before-and-after clinical photographs
Business Associate Agreement (BAA):
Before processing PHI on behalf of any covered entity, we enter into a Business Associate Agreement (BAA) that governs our obligations for the use, disclosure, and protection of PHI. The BAA defines the permitted uses of PHI, breach notification procedures, and termination conditions. We will not process PHI for any clinic without an executed BAA in place.
5. How We Ensure Compliance With Privacy and PHI Laws
We maintain an active compliance program that includes the following administrative, technical, and physical safeguards:
Administrative safeguards:
- Designated privacy and security responsibilities
- Workforce access management — access to PHI is limited to roles that require it
- Business Associate Agreements with all downstream service providers that handle PHI
- Incident response procedures for potential data breaches
Technical safeguards:
- AES-256 encryption for data at rest and TLS encryption for data in transit
- Role-based access controls and row-level security at the database level
- Immutable audit logs for all PHI access and modifications
- PHI sanitization in application logs and external service calls
- Automatic session management and authentication enforcement
Physical safeguards:
- Infrastructure hosted in SOC 2 compliant data centers with physical access controls
- No PHI is stored on local devices or portable media
We regularly review and update our safeguards to reflect changes in technology, regulations, and best practices. Our full security controls documentation is available to covered entities upon request as part of the BAA process.
6. Data Security
We implement industry-standard security measures to protect your information and your patients' information from unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of all data in transit (TLS 1.2+) and at rest (AES-256)
- API credentials and integration keys encrypted at the application layer before database storage
- Multi-tenant data isolation — each clinic's data is logically separated and access-controlled
- Continuous monitoring and logging of system access
- Regular security assessments of our infrastructure and application code
In the event of a data breach affecting PHI, we will notify affected covered entities within the timeframe required by HIPAA (no later than 60 days from discovery) and assist with their breach notification obligations.
7. Cookies & Tracking
We use essential cookies to operate our platform (authentication, session management). We may use analytics cookies to understand how visitors interact with our marketing site. You can disable non-essential cookies in your browser settings. Analytics data collected from our marketing site does not contain PHI.
8. Third-Party Services
We use the following categories of third-party services to operate Cevlara:
- Hosting & Infrastructure: Cloud hosting providers with SOC 2 compliance
- Email: Transactional email delivery for notifications and communications
- Voice AI: AI voice services for receptionist functionality
- CRM Integration: Syncing with your existing practice management software
- SMS: Text message delivery for appointment reminders and patient communications
All third-party services that process PHI are vetted for HIPAA compliance and bound by Business Associate Agreements or equivalent data processing agreements. We do not share PHI with any third party for marketing or advertising purposes.
9. Data Retention
We retain your information for as long as your account is active or as needed to provide services. Patient data (including PHI) is retained in accordance with the terms of the applicable BAA and relevant state and federal record retention requirements. Marketing form submissions are retained to fulfill your inquiry.
Upon account cancellation, your data is retained for 30 days to allow for export, after which it is securely deleted. You may request deletion of your data at any time by contacting us. We will respond within 30 days.
10. Your Rights
As a Cevlara user, you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Opt out of marketing communications at any time
- Request an accounting of disclosures of your PHI (for patients, via your clinic)
Patient rights regarding PHI (access, amendment, restriction of use) are exercised through the covered entity (your clinic). We will assist covered entities in fulfilling these requests in accordance with our BAA obligations.
To exercise your rights as a Cevlara user, contact us at [email protected].
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify users of material changes via email or a prominent notice on our website at least 30 days before they take effect. Your continued use of Cevlara after changes constitutes acceptance.
12. Contact Us
If you have questions about this privacy policy, our HIPAA compliance practices, or how we handle Protected Health Information, contact us at:
Cevlara
Email: [email protected]
For HIPAA-related inquiries, BAA requests, or to report a potential security concern, please email us directly and include “HIPAA” or “Security” in the subject line.