Privacy Policy

Last Updated: May 8, 2026

This Privacy Policy describes how Lilo AI, Inc. ("Lilo," "we," "us," or "our") collects, uses, and shares information in connection with our website at heylilo.co, our subscriber-branded sites at *.heylilo.me, our mobile applications, and our software-as-a-service platform (collectively, the "Service"). It applies to information about businesses that subscribe to the Service ("Subscribers"), the staff and team members of those Subscribers, and the clients and customers of those Subscribers ("End Clients") who interact with the Service through online booking, client portals, or other features.

Please read this Policy carefully. By using the Service, you acknowledge that you have read and understood it.

1. Who We Are and What This Policy Covers

Lilo AI, Inc. is a Delaware corporation that provides appointment booking, client management, point-of-sale, communications, and business operations software to businesses in the beauty, wellness, and personal care industries. This Policy covers information processed through:

  • The Lilo platform at heylilo.co and our web application
  • Subscriber-branded public booking pages hosted at *.heylilo.me
  • The Lilo mobile applications for iOS and Android
  • Our marketing website and pages
  • Communications we send and receive on a Subscriber's behalf (email, SMS, push notifications)

This Policy does not cover the websites, products, or services of third parties, including the websites of our Subscribers (where they exist independently of the Service). When you click a link to a third-party site, that third party's privacy practices apply.

2. Roles: Controller vs. Processor

Lilo plays two distinct roles depending on whose information is being processed.

2.1 Lilo as Controller — Subscriber and Staff Account Data

For information about Subscribers and their staff or team members — including the account holder, owners, administrators, service providers, and front-desk users — Lilo determines the purposes and means of processing. We act as the controller of that information, and this Policy governs our handling of it directly.

2.2 Lilo as Processor — End Client Data

For information about End Clients — the customers and patients of our Subscriber businesses — the Subscriber determines what information is collected, why, and how it is used. The Subscriber is the controller of End Client information, and Lilo acts as a processor on the Subscriber's behalf, under our Data Processing Addendum and the Subscriber's instructions.

If you are an End Client and you have questions, want to access or correct your information, or want it deleted, you should contact the Subscriber business directly. If you contact Lilo, we will refer your request to the Subscriber and assist them in responding.

3. Information We Collect

We collect information in three broad ways: information you or a Subscriber provides directly, information generated automatically as you use the Service, and information we receive from third parties.

3.1 Information from Subscribers and Staff

When a Subscriber creates an account or invites a team member, we collect:

  • Name, email address, phone number, and job title
  • Business name, business address, business phone, and business website
  • Subscription tier, billing cycle, and payment-method information (handled by our payment processors — see Section 6)
  • Authentication credentials (managed by our identity provider — we do not store passwords)
  • For staff invited to an organization: role, employment type, bio, profile photo, and social-media links the staff member elects to publish on a booking page
  • For Subscribers who use our compensation features: compensation type and related employment data

3.2 Information from End Clients via Booking, Portals, and Intake Forms

When an End Client books an appointment, completes an intake form, or uses a Subscriber's client portal, the Service may collect, on the Subscriber's behalf:

  • Contact and identity information: first name, last name, preferred name, pronouns, email, phone number and phone type, mailing address, date of birth, gender, and preferred language
  • Service preferences: preferred location, preferred provider, preferred days and times, communication-method preference, and notes
  • Household and relationship data: household membership, guardian relationships for minor clients, and emergency contacts
  • Communications consent: separate opt-in choices for transactional and marketing communications by email and SMS, together with the exact disclosure text shown, the time of consent, the IP address, the user-agent string, and the page on which consent was given (this audit information is required by federal communications law)
  • Booking and visit history: appointments scheduled, services received, providers seen, and visit notes recorded by the Subscriber's staff
  • Photographs the Subscriber uploads to a client record, which may include before-and-after photos, progress photos, consultation photos, identification photos, or — for medical-aesthetic services — clinical photographs (each subject to the Subscriber's consent practices and, where applicable, our photo and HIPAA consent records)
  • Health and medical information collected by Subscribers operating in medical-aesthetic, wellness, or healthcare-adjacent contexts, including general health rating, conditions, medications and supplements, allergies and adverse reactions, prior procedures, and answers to health-questionnaire fields. This information is access-controlled in our systems and is visible only to authorized staff of the Subscriber business that collected it
  • Form responses: answers to dynamic intake, consultation, and consent forms, which may include health and other sensitive information depending on the form's design
  • Electronic signatures on consent forms, waivers, and other documents
  • Payment-method display fields (card brand, last four digits, expiration) — full card details are handled by Stripe and never reach Lilo's servers (see Section 6)

3.3 Information Collected Automatically

When you use the Service, we and our service providers automatically collect:

  • Device and connection information: IP address, browser type, operating system, device type and identifiers, time zone, and language settings
  • Usage information: pages viewed, features used, links clicked, session timing, error events, and referrer URLs
  • For mobile-app users: app version, OS version, device model, and push-notification tokens issued by Apple Push Notification service or Firebase Cloud Messaging
  • For users who access a Subscriber's client portal: session tokens, session creation and last-active times, IP address, and user-agent
  • Cookies and similar technologies as described in Section 7

3.4 Information from Third Parties

We may receive information about you from third parties, including:

  • Identity provider: authentication, multi-factor, and login-event data from Clerk
  • Payment processors: charge, refund, payout, dispute, and subscription-status events from Stripe; transaction status from Apple In-App Purchases for iOS subscribers
  • Communications providers: delivery, bounce, complaint, and inbound-reply events from Resend (email) and Twilio (SMS)
  • Error and performance monitoring: diagnostic information from Sentry and Vercel Analytics

4. How We Use Information

We use information to:

  • Provide, maintain, and operate the Service, including scheduling appointments, processing payments, sending appointment-related communications, generating invoices, and supporting client portals
  • Authenticate users and protect accounts from unauthorized access
  • Communicate with Subscribers and staff about their account, billing, support requests, product updates, and policy changes
  • Send transactional communications (appointment confirmations, reminders, cancellations, receipts, password resets, account notices) and, where the recipient has opted in, marketing communications
  • Develop, debug, and improve the Service, including diagnosing errors, monitoring performance, and analyzing usage patterns
  • Enforce our Terms of Service, prevent fraud and abuse, and protect the rights, property, and safety of Lilo, our Subscribers, and others
  • Comply with applicable laws, respond to lawful requests, and maintain audit and consent records that federal and state law require us to keep

For End Client information, we use it only as needed to provide the Service to the Subscriber and as the Subscriber instructs.

5. Artificial Intelligence Features

The Service includes features powered by artificial intelligence, including a staff-facing chat assistant, automated content generation, and operational suggestions. These features are built on Amazon Web Services Bedrock, operated by Amazon Web Services in the United States.

We do not send Service data to public model providers. All prompts and responses for our AI features stay inside our AWS environment under our existing AWS contractual relationship. The underlying model provider does not have access to your data through our Bedrock-based architecture, and your data is not used to train any AI model. AWS's data-handling commitments for Bedrock are described at aws.amazon.com/bedrock/security-compliance and aws.amazon.com/service-terms.

We log internal access to End Client information by our AI features so that the Subscriber can audit how the AI used client data on their behalf.

AI-generated outputs are provided as suggestions and require human review. They do not constitute professional, medical, legal, or financial advice.

6. How We Share Information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

We share information in the following circumstances.

6.1 Service Providers (Sub-Processors)

We use the following service providers to operate the Service. Each is contractually required to protect the information they process and to use it only for the purposes we direct.

  • Amazon Web Services — object storage (Amazon S3) and generative-AI inference (Amazon Bedrock); processes photos, signed forms, branding assets, and AI prompts and responses
  • Neon — managed PostgreSQL database hosting; processes all Service data
  • Stripe — payment processing, Stripe Connect for Subscriber payouts, and subscription billing; processes cardholder data, charge and refund records, and customer email and address
  • Apple — In-App Purchases for iOS subscribers; processes subscription transaction identifiers
  • Twilio — SMS delivery and inbound messaging; processes phone numbers, message contents, and delivery events
  • Resend — transactional and marketing email delivery; processes email addresses, message contents, and delivery and bounce events
  • Clerk — user authentication, multi-factor authentication, and session management; processes staff name, email, and authentication factors
  • Upstash (QStash) — asynchronous job queue and scheduled message delivery; processes recipient identifiers and message-template payloads
  • Vercel — hosting and analytics for our marketing website; processes aggregated, non-identifying performance metrics
  • Sentry — application error and performance monitoring; processes error stack traces and request metadata
  • Apple Push Notification service / Firebase Cloud Messaging — mobile push-notification delivery; processes push tokens and notification contents

We may add or change service providers from time to time. The list above reflects our current sub-processors; please contact us at privacy@heylilo.co for the most up-to-date list.

6.2 Subscriber Businesses

End Client information is shared with — and is, in fact, collected on behalf of — the Subscriber business with which the End Client booked services or interacted. The Subscriber's own staff access this information through the Service.

6.3 Legal Obligations and Safety

We may disclose information when we believe in good faith that doing so is necessary to:

  • Comply with a subpoena, court order, or other legal process
  • Respond to a lawful request from a government or law-enforcement authority
  • Enforce our Terms of Service or other agreements
  • Protect the rights, property, or safety of Lilo, our Subscribers, our users, or the public
  • Investigate or prevent fraud, security incidents, or other unlawful activity

6.4 Business Transfers

If Lilo is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its business or assets, information we hold may be transferred as part of that transaction. We will notify affected Subscribers of any change in control of their information.

6.5 With Consent

We may share information for any other purpose with your consent or at your direction.

7. Cookies and Similar Technologies

We use a small number of cookies and similar technologies. We do not use third-party advertising cookies, marketing pixels, retargeting tags, or cross-site tracking.

The technologies we use are:

  • Strictly necessary cookies and tokens that authenticate users, maintain sessions, and enable core platform features such as the client portal
  • Aggregated performance analytics on our marketing website (heylilo.co) provided by Vercel Analytics, which does not collect personally identifying information
  • Error and performance instrumentation that records diagnostic information about errors and slow requests so we can fix them

You can configure your browser to block or delete cookies, but doing so may affect the functionality of the Service.

8. Data Retention

We retain information for as long as we need it to provide the Service and to meet legal and operational requirements. Specifically:

  • Active Subscriber accounts and the data they contain: while the account is active
  • Account-deletion requests: a 30-day grace period during which the request can be canceled, after which the account is processed for deletion
  • Soft-deleted ("tombstoned") account data, after deletion processing: retained in soft-deleted form for legal, audit, and financial-record purposes
  • Communications-consent records (TCPA / CAN-SPAM audit trail): minimum of four (4) years
  • Medical-record access logs and HIPAA-related audit logs: six (6) years
  • Financial records (invoices, payments, refunds): seven (7) years following account deletion
  • AI access and PII-access logs: one (1) year
  • Backups: retained according to our backup-rotation schedule and overwritten on rotation

Some information must be retained even after deletion in order to comply with law (for example, financial-recordkeeping rules and federal communications-consent rules). Where we retain information after deletion, we limit access and use it only for the legal purpose for which it is retained.

9. Your Rights and Choices

9.1 Access, Correction, and Deletion

Subscribers and staff may access and update most of their information directly through their account settings. To request access to, correction of, or deletion of information that is not editable in-product, contact us at privacy@heylilo.co. We will respond within a reasonable time and may verify your identity before acting on your request.

A self-serve data-export feature is not yet available. In the meantime, we will provide an export of your data on request to privacy@heylilo.co.

9.2 Marketing Communications

You may opt out of marketing email at any time by clicking the unsubscribe link in any marketing email or by contacting privacy@heylilo.co. You may opt out of marketing SMS at any time by replying STOP to any marketing message; we record opt-outs in our consent log and suppress further marketing messages to that number.

Transactional messages (appointment confirmations, reminders, receipts, account notices) are part of the Service and are not subject to marketing opt-out, but you may discontinue them by canceling the underlying account or appointment.

9.3 Do Not Sell or Share

We do not sell personal information and we do not share personal information for cross-context behavioral advertising. If you have questions about this commitment or want to make a request related to it, contact privacy@heylilo.co.

9.4 Requests from End Clients

If you are an End Client of a Subscriber business, please direct access, correction, and deletion requests to that business; the Subscriber controls your information. If you contact privacy@heylilo.co, we will refer your request to the Subscriber and assist them in responding.

10. Account Deletion

Subscribers may request deletion of their organization's account from within the Service. The deletion process is:

  • Submission. You initiate the request from your account. We send confirmation to the email address on file.
  • Grace period. Your request enters a thirty (30) day pending state. During this period you can cancel the request from your account and resume normal use.
  • Processing. After the grace period, we cancel your subscription, cancel your future appointments and notify affected clients on your behalf, disable online booking, mark your organization as deleted in our systems, and remove your authenticated user account where you do not also belong to other Subscribers.
  • Retention after deletion. Certain records — financial records, communications-consent audit logs, account-deletion audit logs, and medical-record access logs — are retained after deletion as described in Section 8 in order to comply with legal, accounting, and audit obligations.

Each step is recorded in an immutable internal audit trail.

End Clients of a Subscriber business should contact that business to request deletion of their information. When a Subscriber's account is deleted, End Client information collected on the Subscriber's behalf is treated according to this process.

11. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. The Service is intended for use by adult business owners and their adult staff.

We recognize that Subscribers in some industries (for example, salons that cut children's hair) may book minors as End Clients. When a Subscriber records information about a minor in the Service, the Subscriber is responsible for obtaining any required parental or guardian consent and for complying with applicable laws regarding minors. The Service supports recording guardian consents for minors as part of its consent-management features.

If you believe we have inadvertently collected information from a child under 13, please contact us at privacy@heylilo.co and we will take appropriate steps to delete it.

12. Security

We use a combination of technical, organizational, and physical safeguards to protect information processed through the Service, including:

  • TLS encryption in transit
  • Encryption at rest in our database, object storage, and AI-inference environments
  • Multi-tenant isolation enforced at the database layer (row-level security keyed on organization)
  • Heightened access controls and audit logging for medical-record fields
  • Role-based access control within Subscriber accounts
  • Authentication and session management through a dedicated identity provider, with multi-factor authentication available
  • Tokenized payment processing (full card details never reach our servers)
  • Vendor-management controls and contractual data-protection commitments with our service providers

No system is perfectly secure. We work continuously to harden the Service and respond promptly to any security event we discover.

13. Photographs and Biometric Information

Photographs of clients — including face, body, and clinical photographs uploaded by Subscribers — may, depending on jurisdiction, be considered biometric or sensitive personal information under laws such as the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act, and the Washington Biometric Privacy Act.

Lilo does not use photographs to train biometric algorithms, perform face recognition, or identify individuals. Photographs are stored in private encrypted storage and are visible only to authorized staff of the Subscriber that uploaded them, except when the Subscriber and the End Client have both consented to broader use (for example, marketing).

Subscribers are responsible for obtaining consent from clients before capturing or storing photographs, and for honoring consent revocations. The Service supports recording, versioning, and revoking photo consents.

14. HIPAA and Protected Health Information

In its standard configuration, the Service is not intended to be used as a "Business Associate" for purposes of the Health Insurance Portability and Accountability Act ("HIPAA"), and Subscribers should not submit Protected Health Information ("PHI") to the Service unless they are operating under our HIPAA tier and have executed a Business Associate Agreement ("BAA") with Lilo.

A HIPAA-compliant tier — including a BAA, heightened controls, and the technical foundations described above (Bedrock-based AI with BAA coverage, RLS-isolated medical fields, medical-access audit logging) — is available for Subscribers operating in regulated medical or healthcare-adjacent contexts. To request access, contact privacy@heylilo.co.

15. Geographic Scope

The Service is offered in and intended for the United States only. Information is processed and stored in the United States by us and our service providers. We do not offer the Service to residents of the European Economic Area, the United Kingdom, or other jurisdictions outside the United States, and this Policy does not provide for the rights granted under the European Union's General Data Protection Regulation, the United Kingdom General Data Protection Regulation, or comparable laws of jurisdictions outside the United States.

16. Data Breach Notification

If we become aware of a security incident that compromises the confidentiality, integrity, or availability of personal information processed through the Service, we will notify affected Subscribers without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the incident. Subscribers are responsible for notifying their own End Clients and any regulators where the law of their jurisdiction requires it; we will provide reasonable assistance.

17. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify Subscribers by email or by posting a notice in the Service before the changes take effect. The "Last Updated" date at the top of this Policy reflects the date of the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

18. Contact Us

For questions about this Policy or to exercise any of the rights or choices it describes, contact us at:

Privacy inquiries: privacy@heylilo.co
General support: contact@heylilo.co

The plain-text source of this Policy lives at /legal/privacy.md in our repository and is the canonical version.