Privacy Policy
Sun Aesthetic Clinic respects the privacy of every patient and visitor. This policy describes what information we collect, how we use it, and the choices you have.
Information we collect
We collect only the information you provide voluntarily — contact details on our forms, scheduling information, and information shared during your consultation.
Analytics
We use first-party Google Analytics 4 to understand visitor behavior at the page level. We do not run behavioral retargeting, ad-platform pixels, or third-party marketing trackers. Visitors may decline analytics via the consent banner.
HIPAA
Patient health information is handled in accordance with HIPAA. Web-form submissions are encrypted in transit and routed to clinic staff for follow-up.
Cookies
Cookies are used for site functionality and, with consent, for analytics. You can clear cookies at any time through your browser.
Contact
For privacy questions, contact us at sunmedspa66@gmail.com.
Effective [date pending publication]
Sun Aesthetic Clinic (“we,” “us,” “our”) respects the privacy of the people who visit our website, request information about treatments, and entrust us with their care. This Privacy Policy explains what information we collect through our website and marketing channels, how we use it, who we share it with, and the choices you have. Where our website interacts with medical-records workflows, this policy explains where website-data privacy ends and where separate health-record protections take over.
Plain-English Summary
The short version: we collect contact information you submit, basic browsing data from your visit to our website, and limited information passed between us and the third-party tools we use to run the practice (analytics, booking software, financing partners, advertising platforms). We do not sell your information. We treat any treatment-related or health-related information you share with the heightened care that the medical-spa context requires under federal and Washington-state law, including the privacy expectations established by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Washington My Health My Data Act (“MHMDA”) to the extent each applies.
If you would prefer to discuss your privacy directly with the practice rather than read the full policy, contact us at sunaestheticbellevue@gmail.com or (206) 556-6478.
1. Who We Are
Sun Aesthetic Clinic is a Washington-state medical spa located at 15600 NE 8th St, Suite A-8, Bellevue, WA 98008. The practice is owned and operated by Dr. Jay Sun, MD, who serves as Owner and Medical Director. This Privacy Policy applies to information collected through sunaestheticbellevue.com (the “website”), our consultation request and online booking forms, the email and SMS channels we use to communicate with prospective and current patients, and the marketing channels we operate (including paid search, Google Business Profile, and Instagram).
The website-data and marketing-data practices described in this policy are distinct from the protected health information (“PHI”) that the practice holds inside its medical-records system. Section 10 explains that distinction in detail.
2. Information We Collect
We collect the categories of information described below.
2.1 Information You Provide Directly
- Identifiers: name, email address, phone number, mailing address, date of birth where required for treatment intake.
- Appointment information: preferred dates and times, treatments you are interested in, the location you’d like to visit, and any context you provide about your goals.
- Health-related information you choose to share through the website: skin concerns, prior treatment history, medical history relevant to a consultation, allergies, medications, and any other information you include in a consultation request form, intake form, or message to us. (Note: detailed clinical history and examination findings are captured separately in our medical-records system, governed by Section 10.)
- Photographs: any images you submit with a consultation request or that you authorize us to capture during a clinical visit.
- Communications content: the content of emails, text messages, voicemails, Instagram direct messages, and form submissions you send to us.
- Payment and financing information: billing details processed through our payment processor; if you apply for patient financing, the application data you provide to our financing partners (see Section 4).
2.2 Information Collected Automatically
When you visit our website, we and our service providers may collect:
- Device and connection data: IP address, browser type and version, operating system, device type, referring URL, the pages you view, the links you click, the time spent on pages, and timestamps.
- Cookies, pixels, and similar technologies: session cookies that keep the website working as you move between pages, persistent cookies that remember preferences, and pixel-based analytics or advertising tags that help us measure how the website performs.
- Approximate location: city or region derived from your IP address; we do not collect precise GPS location through the website.
2.3 Information from Third Parties
We may receive information about you from third parties such as referring physicians (where you have asked them to send a referral), Google (for ads-conversion measurement and reviews left on our Google Business Profile), Meta (for Instagram engagement metrics and message threads), and our booking and financing partners (described in Section 4).
3. How We Use Information
We use the information we collect to:
- Schedule, confirm, reschedule, and follow up on consultations and treatment appointments.
- Respond to questions submitted through the website, by phone, or by message.
- Document patient charts and deliver clinical care, where information flows into our medical-records system.
- Communicate with you about appointment logistics, treatment plans, pre-care and post-care instructions, and the status of any financing application you have submitted.
- Process payments for services rendered.
- Operate, maintain, secure, troubleshoot, and improve the website, booking flows, and internal scheduling systems.
- Measure the performance of our marketing and understand which channels and pages are most useful to prospective patients.
- Comply with applicable legal obligations, including medical-records retention requirements under Washington law.
- With your consent where required, send educational communications about treatments, new service offerings, and practice updates; you may opt out at any time using the unsubscribe link in any email or by contacting us directly.
We do not use website-collected information to make automated decisions that produce legal or similarly significant effects about you.
4. Third-Party Partners and How They Touch Your Information
Running a medical-spa website involves a handful of third-party tools. We describe the most important ones below so you understand where your information may flow when you interact with the website.
4.1 Google Analytics
We use Google Analytics to understand aggregate website traffic — for example, how many people visited a service page, how long they stayed, and which marketing channels they came from. Google Analytics sets cookies in your browser and receives event data such as page views, clicks, and approximate geographic region. We have IP-anonymization enabled where the configuration supports it, and we do not pass identifying information (such as your name or email) into Google Analytics. Google’s use of this data is governed by Google’s own privacy policy. You can opt out of Google Analytics tracking site-wide by installing the Google Analytics Opt-out Browser Add-on.
4.2 Booking and Scheduling Widget
Our website embeds a third-party booking widget that lets you request or schedule an appointment without leaving the page. When you interact with the widget, information you enter (name, contact details, requested treatment, requested time) is transmitted directly to our booking and practice-management vendor, where it is stored to manage your appointment. Information you enter into the booking widget is governed by both this Privacy Policy and the booking vendor’s own privacy terms. We have a business-associate or service-provider relationship with the vendor that contractually limits how they may use your information.
4.3 Care Credit (Patient Financing)
For patients who prefer to pay over time, we link out to Care Credit, an independent third-party patient-financing provider. If you apply for Care Credit, you complete the application on Care Credit’s own platform and provide your information directly to Care Credit, not to us. Care Credit determines its own credit terms and underwriting. We may receive limited confirmation (for example, that an application has been approved and that a specific charge has been authorized) so we can process your treatment payment. Care Credit’s collection, use, and sharing of your application data is governed by Care Credit’s own privacy policy, available on their website.
4.4 Cherry (Patient Financing)
For patients who prefer an alternative financing path, we also link out to Cherry, an independent third-party patient-financing provider. As with Care Credit, you complete any Cherry application on Cherry’s own platform and provide your application information directly to Cherry. We may receive limited confirmation of approval and authorized charge amounts so we can complete your treatment payment. Cherry’s handling of your application data is governed by Cherry’s own privacy policy.
4.5 Advertising and Conversion Measurement
We run paid advertising on Google and on Meta (Instagram and Facebook) and use the conversion-measurement pixels these platforms provide. Those pixels report aggregate events — for example, that a consultation request form was submitted — back to the advertising platform so we can understand which campaigns are effective. We do not pass identifying patient information (such as your name, email, or treatment selection) through advertising pixels.
4.6 Email and SMS Delivery
We use email-delivery and SMS-delivery vendors to send appointment confirmations, reminders, intake forms, and (with consent) marketing communications. These vendors process delivery metadata (your email address or phone number and message status) on our behalf under contract.
4.7 Other Service Providers
The other service providers we rely on — including our electronic medical records system, payment processor, website host, and content-delivery network — each receive only the information needed to perform their service, under contracts that require them to handle information consistent with this policy and applicable law.
5. How We Share Information
Sun Aesthetic Clinic does not sell personal information. We share information only as follows:
- Service providers and third-party partners, as described in Section 4, each under contract to handle information consistent with this policy and applicable law.
- Treatment partners, if your care includes coordination with an outside dermatologist, primary-care physician, or referring surgical practice, where you have asked us or consented for us to share clinically relevant information.
- Legal, regulatory, and safety disclosures, when required by law, valid legal process, subpoena, or governmental request, or when we reasonably believe disclosure is necessary to protect the rights, safety, or property of patients, staff, or the practice.
- Business transfers, in the unlikely event of a merger, acquisition, financing transaction, or sale of substantially all of the practice’s assets, information may transfer to the successor entity, subject to this policy.
6. Cookies and Tracking
Our website uses cookies and similar technologies to operate features, remember preferences, measure performance, and — where you have consented — support advertising-conversion measurement. You can control cookies through your browser settings, including clearing cookies and blocking new ones. Many browsers also offer “Do Not Track” signals; because there is no broadly agreed standard for honoring these signals, we do not currently respond to them, but we honor opt-out requests submitted directly to us. Disabling cookies may affect site functionality, particularly the booking widget and forms.
7. Data Retention
We retain information for as long as needed to fulfill the purposes described in this policy and to meet our legal, accounting, and reporting obligations. Specifically:
- Website analytics data is retained for the default retention window configured in our analytics tools (typically 14 to 26 months) and is then automatically aggregated or deleted.
- Consultation request and inquiry data that does not result in an appointment is retained for a reasonable inquiry-follow-up period and then deleted or archived.
- Patient medical records are retained for the period required under Washington medical-records law and applicable federal regulations, which is significantly longer than website-data retention.
- Financial and payment records are retained for the periods required by tax and accounting rules.
- Marketing-list data is retained until you unsubscribe or until we determine the data is no longer useful for the purpose collected.
8. Your Rights
Depending on the laws that apply to you, you may have the following rights regarding the information we hold about you:
- Access: request a copy of the information we hold about you.
- Correction: ask us to correct information that is inaccurate or out of date.
- Deletion: ask us to delete information, subject to medical-records retention obligations and other legal exceptions that may require us to keep certain records.
- Portability: request a portable copy of certain information you have provided to us.
- Opt out of marketing: unsubscribe from marketing emails using the link in any marketing message, reply STOP to any marketing SMS, or contact us directly.
- Withdraw consent: where we rely on your consent (for example, to send marketing communications or to share information with an outside provider), withdraw that consent at any time.
8.1 Washington Residents (My Health My Data Act)
For Washington residents, the Washington My Health My Data Act (“MHMDA”) provides specific rights with respect to “consumer health data,” which is broadly defined under that statute. These rights include the right to access consumer health data we have collected about you, the right to withdraw consent from the collection and sharing of that data, and the right to request deletion. To exercise any MHMDA right, contact us using the information at the bottom of this page. We will respond within the timeframes required by the statute.
8.2 How to Exercise a Right
To exercise any of the rights above, contact us by email, phone, or mail using the information in Section 14. We may need to verify your identity before responding, particularly for access and deletion requests; this is to protect your information from being disclosed to or altered by someone else.
9. How We Protect Information
The practice maintains administrative, technical, and physical safeguards designed to protect personal and health-related information. These include access-controlled charting and scheduling systems, encrypted communication channels for sensitive content where supported, staff confidentiality training, limited disclosure to staff with a clinical or operational need to know, and contractual safeguards with the third-party providers described in Section 4. No system is perfectly secure, and we cannot guarantee absolute security of any information transmitted over the internet or stored electronically; if you become aware of a security concern, please contact us promptly.
10. Website Privacy vs. Medical Records (HIPAA Framing)
This Privacy Policy governs information collected through the website and marketing channels described above. Once you become a patient and information about you flows into the practice’s medical-records system, that information — your chart, your clinical photographs, your treatment plan, your billing for clinical services, and related communications — is governed by a separate framework, including the Health Insurance Portability and Accountability Act (“HIPAA”) and Washington-state medical-records law.
In practice, that means:
- Information you submit through a consultation request form, the booking widget, an email, or an SMS to the practice is treated as website / marketing data under this policy until and unless it is transferred into the medical-records system.
- Once transferred into the medical-records system as part of intake or treatment, that information is treated as protected health information (“PHI”) and is governed by the standards applicable to PHI, including stricter access controls, audit logging, disclosure restrictions, and breach-notification requirements.
- Requests for access to, correction of, or release of your medical records are handled under medical-records procedures, not under this Privacy Policy. To request medical records, contact the practice directly using the information in Section 14.
- Where the practice provides patients with a separate Notice of Privacy Practices (“NPP”) covering PHI handling, that notice controls over this policy for PHI questions.
If you are unsure which category your information falls into — website or medical records — contact us and we will help you identify the right path.
11. Children’s Privacy
Sun Aesthetic Clinic provides certain teen-appropriate aesthetic protocols (see our Teen Corner page for detail). For all patients under 18, we collect information only with parental or legal-guardian consent and do not knowingly market services directly to children. If you believe we have collected information from a child without appropriate consent, contact us and we will delete it.
12. Third-Party Links
The website may contain links to third-party sites, including Care Credit and Cherry (for patient financing), our Google Business Profile, our Instagram account, and other resources that may be added over time. This Privacy Policy does not apply to those external sites. Review their privacy policies separately before submitting information to them.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The effective date at the top of the page reflects the most recent revision. Material changes will be communicated through the website and, where appropriate, by direct notice to patients on file. Your continued use of the website after a revised policy takes effect indicates your acceptance of the updated terms.
14. Contact Us
If you have questions about this Privacy Policy, would like to exercise any of the rights described above, or need to file a privacy-related concern, contact us at:
Sun Aesthetic Clinic
15600 NE 8th St, Suite A-8
Bellevue, WA 98008
(206) 556-6478
sunaestheticbellevue@gmail.com
See also our Terms of Service and Accessibility Statement.