Legal

Privacy Policy

Last updated: June 28, 2026

CLV Media, LLC

1. Introduction and Scope

CLV Media, LLC (“Company,” “we,” “us,” or “our”) operates Med Spa Radar at medsparadar.com (“Platform” or “Service”). This Privacy Policy explains how we collect, process, store, disclose, and protect personal data in connection with your use of the Platform. It is incorporated by reference into our Terms of Service. By using the Platform, you acknowledge that you have read and understood this Policy.

This Platform does not process Protected Health Information (PHI) under HIPAA. No patient-identifiable data of any kind enters the Platform. Med Spa Radar is a professional intelligence tool that monitors government-published regulatory and legislative data relevant to medical-aesthetic practices (med spas, injectors, and their medical directors).

2. Data Controller

The data controller responsible for personal data processed through the Platform is:

CLV Media, LLC
10850 Providence Rd #1325
Charlotte, NC 28277
privacy@medsparadar.com

3. Data We Collect

3.1 Subscription & Email Data. When you sign up for The Med Spa Radar Brief or create an account, we collect your email address (and, for accounts, a hashed password credential managed by our authentication provider, Supabase, never stored in plaintext). Newsletter signups use double opt-in; you may unsubscribe at any time via the link in any email.

3.2 Billing Data. When you subscribe, Stripe, Inc. (“Stripe”) collects and processes your payment card details in its PCI-DSS Level 1 environment. The Company receives only a Stripe Customer ID, subscription status, tier, billing dates, and transaction metadata. The Company never receives, stores, or accesses your full card number, CVV, or bank account information.

3.3 Usage & Interaction Data. We collect interaction data to operate and improve the Service, including pages visited, alerts viewed or filtered, emails opened and links clicked (reported in aggregate by Resend), session duration, and approximate geographic region (country/state level, derived from IP; individual IPs are not persistently stored).

3.4 Technical Metadata. Standard session metadata — browser, operating system, device category, referring URL, and Vercel request identifiers — used solely for performance monitoring, error diagnostics, and abuse detection. Not used for behavioral profiling or advertising.

3.5 Voluntary Communications. If you email us or submit a support request, we retain the content and your email address to respond and improve the Service.

4. AI Data Processing

4.1 What the AI does. The Platform uses large language models operated by OpenAI, L.L.C. via API to classify government-published legislation and regulatory actions by topic/modality, refine an algorithmic signal score, and generate plain-language summaries and “what to do” recommendations.

4.2 What is sent to the AI. API calls to OpenAI contain exclusively the text of public-domain government documents (state bills via LegiScan, Federal Register notices, FDA actions) and system prompts authored by the Company. No personally identifiable User information is included in any AI API call.

4.3 No training use. The Company’s OpenAI API integration is configured pursuant to OpenAI’s API Data Usage Policy, under which API-submitted data is not used to train OpenAI’s foundation models. The Company does not authorize use of any data processed through its API calls for training, fine-tuning, or evaluation of any third-party model.

4.4 No user prompts. The Platform does not currently route any free-form User input to an LLM; all AI processing is internal to the ingestion pipeline and operates on government document content.

5. How We Use Your Data

  • Operating your account/subscription and delivering the feed and alerts;
  • Sending The Med Spa Radar Brief and transactional emails (account, billing) via Resend;
  • Processing payments and managing billing through Stripe;
  • Detecting and preventing fraud, abuse, and Terms violations;
  • Monitoring performance, diagnosing errors, and improving reliability;
  • Complying with legal obligations, including tax record-keeping.

We do not use your data for advertising, build advertising profiles, or sell, rent, or trade personal data to any third party.

6. Third-Party Sub-Processors

| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase, Inc. | Database, authentication, row-level security | Email, hashed password, subscription metadata, usage records |
| Stripe, Inc. | Payment processing & subscriptions | Email, Stripe Customer ID; card details collected directly by Stripe |
| Resend, Inc. | Transactional & digest email delivery | Email address, email content |
| Vercel, Inc. | Hosting, edge network, anonymized analytics | Anonymized request logs; no PII in analytics |
| OpenAI, L.L.C. | AI document analysis (internal pipeline only) | Public-domain government document text only; no User PII |

We do not share personal data with other third parties except (a) as required by valid legal process, or (b) in connection with a merger or sale of substantially all assets, with advance disclosure.

7. Data Security

  • Encryption in transit: TLS 1.2+ for all browser and API connections.
  • Encryption at rest: AES-256 via Supabase’s cloud infrastructure (AWS).
  • Row-Level Security: RLS policies restrict data access; the service-role credential is server-only and never exposed to client code.
  • Authentication: passwords never stored in plaintext.
  • Secrets: production credentials stored only as environment secrets (Vercel/GitHub), never in source control.

No system is impenetrable. In the event of a breach reasonably likely to create risk to your rights, we will notify affected Users and authorities within the timeframes required by law.

8. Data Retention & Deletion

Personal data is retained for the life of your account/subscription and for ninety (90) days after closure to enable reinstatement and resolve billing disputes. You may request permanent deletion by emailing privacy@medsparadar.com; we will delete your email, hashed password, and usage records within thirty (30) days and request removal from Resend, retaining only a Stripe Customer ID and transaction records as required for tax/accounting (up to seven years; no card data).

9. Your Privacy Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or port your data, to opt out of non-transactional email (via any unsubscribe link), and — under GDPR (EEA/UK) or CCPA/CPRA (California) and similar US state laws (VA, CO, CT, UT, TX) — additional rights including restriction, objection, and non-discrimination. To exercise any right, contact privacy@medsparadar.com; we respond within thirty (30) days of a verified request. We do not sell or share personal information for cross-context behavioral advertising.

10. Cookies

The Platform uses a minimal set of first-party cookies for session/authentication and Stripe fraud prevention on checkout. No third-party advertising or cross-site tracking cookies are used. Session cookies are httpOnly and transmitted over HTTPS. See our Cookie Policy for the full list.

11. International Transfers & Children

The Company is based in the United States; data is processed and stored on US servers (Supabase on AWS; Vercel edge). For EEA/UK Users, transfers rely on Standard Contractual Clauses via our sub-processors. The Service is a professional B2B tool not directed at, or intended for, individuals under eighteen (18); we do not knowingly collect data from minors.

12. Changes & Contact

We may update this Policy to reflect changes in our practices or law; the “Last updated” date reflects the latest revision, and material changes will be emailed to registered Users at least fourteen (14) days before taking effect. For all privacy inquiries and data-subject requests: privacy@medsparadar.com.