In&Out Digital

Privacy Policy

Effective Date: May 21, 2026 · Last Updated: May 21, 2026 · Entity: In&Out Digital Ltd.

In&Out Digital Ltd. ("we," "us," or "our") operates as a patient-acquisition agency for US medical spas. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. By engaging our services or visiting our website, you agree to the practices described here.

1. Who This Policy Covers

This policy applies to two groups: (a) prospective and current clients — med spa owners and operators who contact us or purchase our services; and (b) website visitors who browse our site. It does not govern the data practices of our clients' own patient relationships, which are addressed under a separate Business Associate Agreement (BAA).

2. Information We Collect

Information you give us directly

  • Name, email address, phone number, and practice name when you fill out a contact form or book a strategy call
  • Billing and payment information processed securely through our payment processor
  • Communications you send us via email, WhatsApp, or phone
  • Practice details you share during onboarding (services, pricing, schedules, providers)

Information collected automatically

  • IP address, browser type, device type, and pages visited on our website
  • Analytics data via cookies and similar technologies (see Section 8)
  • Google Ads performance data tied to your account (click-through rates, conversions, call tracking)

Information collected through our services

  • Call recordings and transcripts processed by our AI receptionist (Synthflow) on your practice's behalf
  • Appointment booking data routed through your scheduler integration
  • Lead contact information captured for your practice during AI-handled calls

Important: Call recordings involving your patients are processed exclusively within Synthflow's HIPAA-certified infrastructure. We do not store patient health information (PHI) on our own servers. See Section 5 for full details.

3. How We Use Your Information

  • Service delivery: to build, configure, and manage your AI receptionist and Google Ads campaigns
  • Account management: to communicate about your account, deliver performance reports, and process payments
  • Optimization: to improve campaign performance and AI agent behavior based on call outcomes
  • Legal compliance: to meet our obligations under HIPAA, applicable state laws, and our contractual agreements with you
  • Security: to detect fraud, abuse, or unauthorized access to our systems
  • Communications: to send service updates, invoices, and — with your consent — educational content relevant to your practice

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

4. Third-Party Services We Use

We engage trusted third-party providers to deliver our services. Each processes data only as necessary for the described purpose:

  • Synthflow: AI voice receptionist platform. SOC 2 Type II, HIPAA, PCI DSS Level 1, ISO 27001, and GDPR certified. Handles call recordings and patient interactions under a BAA.
  • Google LLC: Google Ads platform for campaign management and conversion tracking. Subject to Google's Privacy Policy and Healthcare Advertising Policies.
  • Calendly: Strategy call scheduling. Data is subject to Calendly's Privacy Policy.
  • WhatsApp / Meta: Used for lead delivery notifications to your team. Subject to Meta's Data Policy.
  • Payment Processor: We use a PCI-compliant payment processor. We do not store raw card numbers.

All third-party providers are vetted for compliance with applicable US data protection laws. Where required, we execute data processing agreements before sharing any client or patient data.

5. HIPAA and Protected Health Information

Medical spas that collect or process individually identifiable health information may qualify as HIPAA Covered Entities. Where this applies, In&Out Digital acts as a Business Associate as defined under 45 CFR § 160.103.

  • We execute a signed Business Associate Agreement (BAA) with every client whose practice involves PHI
  • All patient call recordings and related data are processed and stored exclusively within Synthflow's HIPAA-certified infrastructure
  • We apply the minimum necessary standard — we access PHI only to the extent required to perform agreed services
  • We maintain reasonable administrative, physical, and technical safeguards consistent with the HIPAA Security Rule
  • In the event of a suspected breach involving PHI, we will notify you within 60 days of discovery in accordance with 45 CFR § 164.410

If your practice does not handle PHI (e.g., purely cosmetic services with no medical records), standard data protection terms apply instead of HIPAA-specific provisions.

6. Data Retention

  • Client account data: retained for the duration of your engagement plus 3 years to satisfy tax and legal record-keeping requirements
  • Call recordings: retained per Synthflow's data retention settings, which you control within your account configuration
  • Google Ads data: retained in your Google Ads account, which you own and control at all times
  • Website analytics: retained for up to 26 months in aggregate, anonymized form

On termination of our engagement, all assets — including your Google Ads account, Synthflow build, call recordings, and any other materials created for you — are transferred to you in full within 14 days.

7. Your Rights

Depending on your state of residence, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information (subject to legal retention obligations)
  • Opt out of any marketing communications at any time
  • Receive a copy of your data in a portable format

California residents (CCPA/CPRA): You have the right to know what personal information is collected, to delete it, to opt out of its sale (we do not sell personal information), and to non-discrimination for exercising your rights.

To exercise any of these rights, contact us using the details in Section 10.

8. Cookies and Analytics

Our website uses cookies and similar tracking technologies to understand how visitors use the site and to improve performance. These include:

  • Essential cookies: required for the site to function; cannot be disabled
  • Analytics cookies: help us understand traffic patterns and page performance
  • Advertising cookies: used by Google Ads to track conversions from our campaigns

You can manage cookie preferences through your browser settings. Disabling analytics or advertising cookies will not affect your ability to use our site.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. If changes are material, we will notify active clients by email at least 14 days before the changes take effect. Continued use of our services after that date constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related requests, questions, or to exercise your rights:

In&Out Digital Ltd.

Email: Hello@InAndOutDigital.com

Phone: +1 (210) 618-9158

For HIPAA-specific matters, please mark your communication "HIPAA Privacy Request."

© 2026 In&Out Digital Ltd. All rights reserved.