
HIPAA Compliance

Last updated: March 10, 2026

HIPAA Compliant Design · AES-256 Encrypted · No PHI Stored · Audit Logging

Our HIPAA Approach

AestheticIQ is a business analytics platform, not a clinical records system. Our platform is architecturally designed to avoid handling Protected Health Information (PHI) altogether. We retrieve aggregated business metrics — revenue, appointment counts, practitioner performance — not individual patient records, clinical notes, diagnoses, or treatment histories.

This approach means you get powerful business intelligence without exposing patient data to additional third-party systems. It also simplifies your HIPAA compliance posture as a practice.

What Data We Do and Do Not Retrieve

✓ Data We Retrieve

  • Aggregate daily revenue totals
  • Appointment counts by date and status
  • Revenue attributed to each practitioner (by name only)
  • Service and product category sales totals
  • Location-level business metrics
  • Invoice totals (amounts, not patient identities)

✗ Data We Never Retrieve

  • Patient names, DOBs, or contact information
  • Medical record numbers or patient IDs
  • Clinical notes or treatment records
  • Diagnoses or procedure codes
  • Before/after photos
  • Insurance information
  • Any individually identifiable health information

Technical Safeguards

We implement the technical safeguards required under the HIPAA Security Rule:

🔐 Encryption at Rest

Aesthetic Record credentials are encrypted using AES-256-GCM with scrypt key derivation. Keys are managed via environment-level secrets and are never stored in the database. All other sensitive configuration is encrypted at rest on Render's SOC 2 certified infrastructure.

🔒 Encryption in Transit

All communications between your browser and our servers use TLS 1.2+. We enforce HTTPS with HSTS headers. Our sync workers also communicate over encrypted connections to both Aesthetic Record and our database.

👤 Access Controls

Role-based access control with four tiers: SUPER_ADMIN (platform operations only), OWNER, ADMIN, and MEMBER. Each role has defined read/write permissions. Authentication is handled by Clerk with secure session management. All admin operations are gated behind separate authorization checks.

📋 Audit Logging

Administrative operations are logged with timestamp, user ID, action type, and affected resource. Sync operations are logged in our sync_logs table for operational monitoring and troubleshooting.

💾 Data Backup and Recovery

Automated weekly database backups are retained for 90 days. Our database is hosted on Render's managed PostgreSQL service with point-in-time recovery capabilities.

Business Associate Agreement (BAA)

Because AestheticIQ does not retrieve or store PHI, a Business Associate Agreement (BAA) is typically not required for our service. However, if your legal or compliance team requires a BAA as a precautionary measure, please contact us at hello@aestheticiq.ai and we will work with you to determine the appropriate documentation.

Your Responsibilities

As a covered entity operating a medical spa, you are responsible for:

  • Ensuring your use of AestheticIQ complies with your own HIPAA obligations
  • Managing who on your team has access to AestheticIQ and at what permission level
  • Promptly notifying us if you believe your AestheticIQ account has been compromised
  • Maintaining compliance with Aesthetic Record's terms of service regarding third-party access

Questions

For HIPAA-related questions or to discuss your specific compliance requirements, contact us at hello@aestheticiq.ai.

This page describes our current security and compliance posture. It is informational and does not constitute legal advice. Consult your own legal counsel for compliance guidance specific to your practice.