
Privacy Policy

Last updated: 17 April 2026

In plain English: We collect only what we need to care for you and respond to you. Medical information is protected under HIPAA. We don't sell your data. We don't use your health information for advertising. You can request access to or deletion of your records at any time.

1. About this policy

Bravo MedSpa ("we", "us", "our") operates two medical aesthetics practices in Connecticut — 61 South Main Street, Suite 309, West Hartford and 825 Cromwell Avenue, Rocky Hill. This policy explains how we collect, use, and protect personal and health information when you visit bravomedspa.com, contact us, or receive treatment. It is governed by the Health Insurance Portability and Accountability Act (HIPAA), the Connecticut General Statutes governing medical privacy, and applicable federal and state consumer-protection law.

2. Information we collect

We collect three categories of information. Information you provide directly: name, email, phone number, location preference, service interests, and consultation notes you supply via our contact form, phone calls, or in-person intake. Protected Health Information (PHI): medical history, medication lists, allergies, photographs, treatment records, consent forms, and aftercare notes collected during consultations and appointments. Technical information: IP address, browser type, device information, referring URLs, pages viewed, time on site, and cookies via analytics tools. Website forms do not collect PHI; medical information is collected only in-clinic or through secure, HIPAA-compliant channels.

3. How we use your information

We use your information to respond to enquiries, schedule appointments, provide aesthetic medical treatment, maintain accurate medical records as required by Connecticut law, send appointment reminders and post-treatment aftercare communications, process payments, improve the website and our services, and comply with legal obligations. We do not sell personal information or PHI to third parties, and we do not use PHI for advertising. Non-PHI website analytics may inform marketing in aggregate, de-identified form only.

4. HIPAA & your health information

Protected Health Information at Bravo MedSpa is handled under a full HIPAA compliance framework. PHI is stored in encrypted practice-management systems with role-based access, backed up regularly, and retained for the period required by Connecticut law (typically seven years from date of last treatment). PHI is disclosed only to you, to providers directly involved in your care, to third parties you specifically authorise in writing, or when required by law. You have the right to request access to your records, request amendments, request an accounting of disclosures, and request restrictions on how we use and share your PHI. To exercise these rights, email privacy@bravomedspa.com or ask any front-desk team member for our full Notice of Privacy Practices.

5. Cookies & tracking

We use first-party and third-party cookies for essential site functions, analytics (to understand how visitors use the site), and occasionally for advertising attribution on non-PHI marketing. You can disable cookies through your browser settings; doing so may affect site functionality such as form submissions. We use Vercel Analytics and, where enabled, Google Analytics with IP anonymisation. We do not run pixels that collect health-related events or PHI.

6. Third-party service providers

We share limited information with vetted service providers strictly as needed: our hosting and analytics platforms (Vercel), our form-processing and email service (Resend), our practice-management and scheduling software (HIPAA Business Associate Agreement in place), our payment processor (PCI-compliant), and our appointment-reminder SMS provider. Every provider that touches PHI operates under a signed Business Associate Agreement as required by HIPAA.

7. Data security

We protect your information with industry-standard technical, administrative, and physical safeguards: HTTPS/TLS encryption in transit, encrypted storage at rest, multi-factor authentication on staff accounts, background checks on team members with PHI access, locked physical storage for any paper records, and annual staff HIPAA training. No transmission over the internet is 100% secure, so while we work hard to protect your data, we cannot guarantee absolute security.

8. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict use of your personal data. Connecticut residents have specific rights under the Connecticut Data Privacy Act (CTDPA). You may also opt out of marketing emails at any time via the unsubscribe link in any communication, or by emailing privacy@bravomedspa.com. For medical records (PHI), your rights are governed by HIPAA and described in Section 4.

9. Children

Our services are intended for adults (18+). We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will post the updated policy here with a new "last updated" date and, for material changes affecting PHI, will notify existing patients directly.

11. Contact us

Questions, requests, or complaints about privacy can be directed to our Privacy Officer at privacy@bravomedspa.com or by mail to Bravo MedSpa, 61 South Main Street, Suite 309, West Hartford, CT 06107. You may also call either location — West Hartford on (860) 478-8877 or Rocky Hill on (860) 257-0470. Under HIPAA, you also have the right to file a complaint with the U.S. Department of Health & Human Services Office for Civil Rights if you believe your privacy rights have been violated.