PRIVACY POLICY
Nora Skin Spa LLC
1020 Southhill Drive, Suite 130, Cary, NC 27513
Phone: (919) 244-2787 | Email: wellness@noraskinspa.com
Website: noraskinspa.com
Effective Date: April 29, 2026
Last Updated: April 29, 2026
1. Introduction
Nora Skin Spa LLC (“Nora Skin Spa,” “we,” “us,” or “our”) respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit noraskinspa.com (the “Website”), book a service, complete an intake form, contact us, or otherwise interact with our business.
By using our Website or services, you agree to the practices described in this Privacy Policy. If you do not agree with this Policy, please do not use our Website or services.
2. Scope
This Privacy Policy applies to information collected through:
• Our Website noraskinspa.com
• Our online appointment booking system
• Contact forms, inquiry forms, and email communications
• Newsletter and marketing email subscriptions
• In-person and online client intake forms (including skin assessments)
• Phone calls and text messages with our team
This Policy does not apply to third-party websites or services that may link to or from our Website. We encourage you to review the privacy policies of any third-party sites you visit.
3. Information We Collect
We collect information that you provide directly, information collected automatically when you use our Website, and information we receive from third parties.
3.1 Information You Provide
• Identifiers and contact information: full name, email address, mailing address, phone number, and date of birth.
• Booking and account information: appointment date and time, service requested, service-provider preference, transaction history, and gift card details.
• Health and skin-related information: collected through intake forms and skin assessments, including skin type, skin concerns, allergies, current medications, medical conditions relevant to treatment, prior cosmetic procedures, dermatological history, lifestyle factors, and treatment-planning photos taken with your consent.
• Payment information: credit/debit card details and billing address. Card numbers are processed by our PCI-DSS compliant payment processor and are not stored on our servers.
• Communications: messages, emails, reviews, survey responses, and any other content you submit to us.
• Marketing preferences: subscription status for newsletters and promotional SMS messages.
3.2 Information Collected Automatically
When you visit our Website, we automatically collect:
• IP address, browser type and version, device type, and operating system
• Referring/exit pages, pages visited, time spent on pages, and click data
• Cookies, pixel tags, and similar tracking technologies
• General location information derived from your IP address
3.3 Information from Third Parties
We may receive information from:
• Booking and scheduling platforms used by the spa
• Payment processors (transaction confirmations and fraud signals)
• Analytics and advertising providers
• Social media platforms when you interact with our pages
• Referrals and reviews provided by other clients
4. Sensitive Personal Information
Skin assessments and intake forms may include sensitive information about your health, medications, allergies, and skin conditions. We treat this information with heightened care:
• We collect it only for the purpose of safely and effectively providing services to you.
• We do not sell or share sensitive personal information for cross-context behavioral advertising.
• We limit access to staff who need it to provide your services.
• You may request that we limit our use of sensitive personal information to what is necessary to perform the services you have requested, in accordance with applicable law.
While our services generally are not subject to the federal Health Insurance Portability and Accountability Act (HIPAA) — because we typically are not a HIPAA-covered entity — we voluntarily apply administrative, physical, and technical safeguards consistent with HIPAA principles to protect your health-related information.
5. How We Use Your Information
We use the information we collect to:
• Provide, schedule, deliver, and customize spa services
• Confirm, modify, or cancel appointments and send appointment reminders
• Process payments, deposits, and refunds
• Maintain client records and treatment history for safe service delivery
• Respond to questions, requests, complaints, and reviews
• Send newsletters, promotions, and marketing communications (with your consent where required by law)
• Send service-related text messages (e.g., booking confirmations and reminders)
• Operate, maintain, secure, and improve our Website and services
• Detect, prevent, and respond to fraud, abuse, security incidents, and unlawful activity
• Comply with applicable laws, regulations, and lawful requests
• Establish, exercise, or defend legal claims
6. Legal Bases for Processing
Where required by law, we rely on the following legal bases to process your personal information: (a) your consent; (b) the performance of a contract with you (e.g., providing booked services); (c) compliance with our legal obligations; and (d) our legitimate interests in operating, securing, and improving our business, where those interests are not overridden by your rights.
7. How We Share Information
We do not sell your personal information for money. We share information only as described below:
• Service providers and vendors: hosting, online booking and scheduling platforms, payment processors, email/SMS delivery providers, analytics providers, customer review platforms, and IT/security providers — bound by contracts that limit their use of your information to providing services to us.
• Professional advisors: attorneys, accountants, auditors, and insurers, where reasonably necessary.
• Legal and safety: to comply with subpoenas, court orders, or other legal processes; to enforce our terms; to protect the rights, safety, or property of Nora Skin Spa, our clients, employees, or others.
• Business transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality obligations.
• With your consent: when you direct us to share information (e.g., posting a testimonial).
We do not knowingly share personal information of clients under the age of 16 with third parties for cross-context behavioral advertising or sale, as those terms are defined under applicable law.
8. Online Booking and Appointment Information
If you book through our online scheduling system, the platform collects information needed to manage your appointment. That platform is bound by its own privacy practices and our agreement with it, which require appropriate safeguards. Treatment notes, intake responses, and service history are retained in our client management system and are used only to provide and improve the services you request.
9. Email Communications (CAN-SPAM Act)
We comply with the CAN-SPAM Act of 2003. Promotional emails will:
• Identify the sender clearly
• Include our valid physical postal address
• Provide a clear unsubscribe link in every promotional message
• Honor opt-out requests promptly (within 10 business days, as required by law)
You will continue to receive transactional messages — appointment confirmations, reminders, receipts, and policy updates — even after opting out of marketing emails, because those messages are necessary to provide the services you have requested.
10. Text Message Communications (TCPA)
If you provide your mobile number and opt in, we may send you text messages for appointment reminders, confirmations, follow-up care, and promotional offers, in accordance with the Telephone Consumer Protection Act (TCPA) and applicable Federal Communications Commission rules.
• Message and data rates may apply.
• Frequency varies based on your activity and preferences.
• Reply STOP to any message to unsubscribe; reply HELP for assistance.
• Your consent to receive marketing texts is not a condition of any purchase.
We do not share your mobile number with third parties for their own marketing purposes.
11. Cookies and Tracking Technologies
Our Website uses cookies and similar technologies to:
• Operate basic site functionality
• Remember your preferences
• Analyze traffic and usage
• Support advertising and remarketing efforts
Categories we may use:
• Strictly necessary cookies — required for site operation.
• Performance/analytics cookies — such as Google Analytics.
• Functional cookies — remember your preferences.
• Advertising cookies — measure ad effectiveness and support remarketing.
You can control cookies through your browser settings. Disabling some cookies may limit Website functionality. Where required by law, we will display a cookie banner allowing you to consent to or reject non-essential cookies.
12. Do Not Track and Global Privacy Control
Some browsers send “Do Not Track” (DNT) signals. Because there is no industry standard for responding to DNT, we do not respond to DNT signals at this time. Where required by law (e.g., California), we treat the Global Privacy Control (GPC) signal as a valid request to opt out of the sale or sharing of personal information.
13. Third-Party Services
We may use third-party services such as Google Analytics, Meta (Facebook/Instagram) advertising tools, online review platforms (e.g., Google, Yelp), email marketing services, payment processors, and online booking platforms. These services have their own privacy policies, and we encourage you to review them.
14. Data Security
We implement reasonable administrative, physical, and technical safeguards designed to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. These include:
• Encryption of data in transit (TLS) and, where appropriate, at rest
• Restricted access on a need-to-know basis
• Secure password policies and access controls
• Use of PCI-DSS compliant payment processors
• Regular review of our security practices
No system is completely secure. We cannot guarantee absolute security, but we work continuously to safeguard your information.
15. Data Breach Notification (North Carolina Identity Theft Protection Act)
In the event of a security breach involving North Carolina residents’ personal information, we will provide notice in accordance with the North Carolina Identity Theft Protection Act (N.C. Gen. Stat. §§ 75-60 through 75-66), including N.C. Gen. Stat. § 75-65, and any other applicable state and federal breach notification laws. Notification will be made without unreasonable delay and will include the information required by law.
16. Data Retention
We retain personal information for as long as needed to:
• Provide the services you have requested
• Maintain client treatment records, in accordance with industry standards and applicable law
• Comply with legal, tax, accounting, and recordkeeping obligations
• Resolve disputes and enforce our agreements
When personal information is no longer required, we securely delete or anonymize it.
17. Your Privacy Rights
Depending on your state of residence, you may have the right to:
• Know what personal information we collect, use, disclose, and (if applicable) sell or share
• Access a copy of your personal information
• Request correction of inaccurate personal information
• Request deletion of your personal information
• Opt out of the sale or sharing of personal information for cross-context behavioral advertising
• Limit the use and disclosure of sensitive personal information
• Withdraw consent where processing is based on consent
• Not be subject to retaliation for exercising your privacy rights
To exercise these rights, contact us at wellness@noraskinspa.com or (919) 244-2787. We will verify your identity before responding and will respond within the time required by law (generally 45 days, with possible extensions). You may designate an authorized agent to make a request on your behalf, subject to verification.
18. California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the right to:
• Know categories and specific pieces of personal information collected
• Request deletion or correction of personal information
• Opt out of the sale or sharing of personal information
• Limit the use and disclosure of sensitive personal information
• Non-discrimination for exercising your rights
We do not knowingly sell personal information of consumers under 16 without affirmative authorization. To exercise your rights, contact us using the methods listed above.
19. Other State Privacy Laws
Residents of states with comprehensive privacy laws — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and others as applicable — may have similar rights to access, correct, delete, and obtain a portable copy of personal information, and to opt out of targeted advertising and certain processing. To exercise these rights, please use the contact methods at the end of this Policy.
20. North Carolina Residents
In addition to the rights described above, North Carolina residents are protected by the North Carolina Identity Theft Protection Act and related consumer protection laws. We do not require your Social Security number for any purpose other than as permitted or required by law (e.g., tax reporting). When we collect, use, or share Social Security numbers, we do so only as permitted under N.C. Gen. Stat. § 75-62 and related statutes, and we apply enhanced safeguards to that information.
21. Children’s Privacy (COPPA)
Our Website and services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us, and we will promptly delete it. We do not knowingly market to or solicit information from minors.
22. International Visitors
Our Website and services are intended for users in the United States. If you access our Website from outside the United States, you understand that your information will be processed and stored in the United States, which may have different data protection laws than your country.
23. Links to Other Websites
Our Website may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to read the privacy policies of any websites you visit.
24. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will revise the “Last Updated” date and, where appropriate, provide additional notice (such as posting a notice on our Website or sending an email). Your continued use of our Website or services after the effective date constitutes acceptance of the revised Policy.
25. How to Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:
Nora Skin Spa LLC
1020 Southhill Drive, Suite 130
Cary, NC 27513
Phone: (919) 244-2787
Email: wellness@noraskinspa.com
Website: noraskinspa.com
We will respond to your inquiry within a reasonable timeframe and as required by applicable law.

