Camas, WA
Your privacy is deeply important to us. This Privacy Policy (together with any notices or additional policies linked herein) explains how Skin by Lovely (“we,” “us,” or “our”) collects, uses, discloses, and protects your personal information when you interact with our website, mobile applications, or in connection with our services. It also describes your privacy rights under California, Oregon, and Washington law, and how you may exercise them.
Personal Information means information that identifies, relates to, describes, or is capable of being associated with a particular individual (e.g. name, contact, email, location).
Sensitive Personal Information (SPI) includes certain data that is more protected, such as health, biometric, genetic, precise geolocation, or racial/ethnic origin.
Healthcare / Medical / Health Data / CHD (Consumer Health Data) means data that is linked or reasonably linkable to an individual’s past, present, or future physical or mental health or condition, treatments, or seeking health care services. This includes data that may not otherwise be considered PHI under HIPAA but is regulated under Washington’s MHMD.
Protected Health Information (PHI) is data covered by HIPAA when handled by a HIPAA-covered entity or business associate.
Ordinary Personal Information refers to non-sensitive personal data not involving health or other protected categories.
This Policy applies to information collected by Skin by Lovely from or about individuals in California, Oregon, and Washington. It applies when you visit our website, book appointments, provide contact or health details, or otherwise interact with us online or in-clinic.
We collect personal information in the following ways:
Forms / Booking / Contact: name, phone, email, ZIP or city (general location), and any optional information you provide (e.g. skin goals, medical history) to facilitate communication or scheduling.
Health / Medical Information: collected during consultations or visits to support diagnosis, treatment planning, or follow-up care (this may include medical conditions, medications, allergies, past treatment history).
Usage & Analytics: cookies, pixels (Google Analytics, Facebook Pixel), server logs, device identifiers.
Marketing & Communications: preferences for communications (e.g. newsletters, promotions) if you opt in.
Other Data: any additional details you choose to share with us (e.g. photographs, feedback).
We identify the purpose before or at collection. We only collect what is reasonably needed to serve those purposes, or as required by law.
We rely on various legal bases to use your information:
Consent: For health or sensitive data (especially in Washington under MHMD, Oregon under OCPA, and under California’s CPRA), we require your explicit, informed, opt-in consent for collection, use, or sharing beyond what is necessary for treatment, payment, or healthcare operations.
Necessary for Treatment / Services: We process health, medical, or personal data to deliver care, provide follow-up, manage your account, and coordinate with other providers, insurance, or labs.
Legal / Regulatory Compliance: When required by law or court order.
Legitimate Interests (for non-sensitive data): Running our business, improving services, fraud prevention, marketing (with your consent where required).
You have the right to withdraw consent for certain uses, subject to legal and operational constraints.
We may use or disclose your information for:
Treatment, Payment & Healthcare Operations: coordinating care, billing, scheduling, record-keeping, contacting you.
Third-party Providers / Business Associates / Vendors: e.g. scheduling software, lab, marketing platforms — under contractual safeguards.
Legal Obligations / Safety: responding to subpoenas, protecting against fraud, emergencies.
Aggregate / De-identified Data: we may anonymize data and use it for research or internal analysis.
With Your Consent: marketing, promotional communications, or health data sharing beyond direct care.
We do not sell your personal health data or medical information to third parties without your explicit consent.
Washington Geofencing / Targeting: In compliance with Washington’s MHMD, we do not use geofencing or other location-based targeting tied to health care services or data in Washington.
Right to know (categories and sources of personal data)
Right to delete personal data (with exceptions)
Right to correct inaccurate data
Right to opt out of sale or sharing of personal data
Right to limit use of sensitive personal data
Additional protections for medical information under CMIA
Right to access (confirm if data is processed and categories)
Right to correct, delete, or export your non-PHI data
Right to opt out of targeted advertising, profiling, or sale
For sensitive data (including health), opt-in consent before processing
Right to confirm whether your CHD is processed
Right to access, delete, and withdraw consent for CHD
Right to appeal denials
Requirement that consent be clear, specific, and opt-in
Strict restrictions on geofencing and health data sharing
To exercise a right, contact us at legal@skinbylovely.com or call 877-568-3594. We may require you to verify your identity. We will respond to valid requests within 30 days, with one possible 30-day extension.
We retain your personal and health data only as long as necessary:
Clinical / medical records: per state and federal regulations
Booking / business records: up to 7 years
Marketing or promotional data: until you unsubscribe or request deletion
When practical or required, we de-identify or anonymize data so it is no longer linked to an individual.
We maintain administrative, technical, and physical safeguards to protect your data (e.g. encryption, access controls, secure backups). We continuously review security practices to keep them up to date.
However, no system is perfect. In the event of a data breach, we will follow applicable breach notification laws in the states of operation, inform affected individuals, and cooperate with authorities.
Our website or booking platform may use third-party services (e.g. scheduling software, email platforms, analytics). These services may collect or process data on our behalf — we require them to comply with privacy and security standards.
When you click on third-party links, you are subject to their privacy policies.
Our services are intended for adults (18+) unless parental consent is given for facials. We do not knowingly collect personal data from minors under 18.
We may update this Policy to reflect changes in our practices or legal obligations. Material changes will be posted with a revised “Last Revised” date and, where required, we’ll notify you (e.g. via email, site banner).
If you have questions or complaints, contact us at:
Skin by Lovely
Email: legal@skinbylovely.com
Phone: 877-568-3594
If you believe we failed to address your request or violated applicable privacy law, you also have the right to complain to the California, Oregon, or Washington data protection authorities or health oversight agencies.
Last Revised: 10-15-2025