Is AestheticMatch HIPAA-Compliant? How We Protect Your Privacy
Updated November 2025
When you’re talking about cosmetic or plastic surgery, you’re not just sharing “preferences.” You’re sharing photos of your body, medical history, medications, and sometimes very personal concerns. It’s normal to ask:
- Is AestheticMatch HIPAA-compliant?
- Who can see my information?
- Is my data being sold or used for advertising?
Our philosophy is simple: collect only what we need, protect it as if it were our own, and never treat your information as a product.
This guide explains what HIPAA actually covers, how AestheticMatch fits into that landscape, what we collect (and don’t), how we protect it, and what privacy rights you have when you use our service.
What HIPAA Actually Covers (And What It Doesn't)
When HIPAA Applies to Healthcare Services
HIPAA (the Health Insurance Portability and Accountability Act) is a U.S. law that sets standards for protected health information (PHI).
In plain language, HIPAA typically applies to:
- Covered entities – like healthcare providers, health plans, and healthcare clearinghouses when they transmit health information in certain standard electronic transactions.
- Their business associates – third parties that handle PHI on behalf of those covered entities.
HIPAA is designed to regulate how PHI is used, disclosed, stored, and secured. It does not turn every website or wellness app into a “covered entity” automatically. Many consumer health tools, beauty apps, or generic directories fall outside HIPAA but may still hold very sensitive data.
Where AestheticMatch Fits in the Privacy Landscape
AestheticMatch is a concierge and matching service, not a medical practice. We don’t treat patients or bill insurance. Instead, we:
- Help you clarify your goals
- Match you with vetted surgeons
- Coordinate consults and logistics
Because we handle health-related details to prepare your consults, we treat your information as if it were PHI, whether or not a specific data element technically falls under HIPAA in every context.
In practice, that means:
- We use HIPAA-aligned security safeguards (like encryption and access controls).
- We limit access to your data to a small, need-to-know team.
- We only share information with surgeons you choose to engage with.
Our Privacy Standards Go Beyond Legal Minimums
Legal minimums are just that—minimums. Our internal privacy standards are built around three principles:
- Minimum necessary: We only ask for the information we truly need to help you, nothing more.
- Purpose-bound: We use your information to match, coordinate, and support your care journey—not for unrelated marketing or resale.
- Control: You can ask what we have, how it’s used, and request deletion or closure of your profile where legally and operationally possible.
Whether a specific piece of data is or is not technically PHI under HIPAA, we treat everything about your case as sensitive and confidential.
What Information We Collect (And What We Don't)
Data We Need to Match You With the Right Surgeon
To do our job well, we typically ask for:
- Basic contact details
  - Name
  - Preferred contact method (phone, email, text)
  - City or general location
- Procedure goals and preferences
  - Areas you’re considering (for example, abdomen, nose, breasts, face)
  - Whether you’re open to surgical, non-surgical, or both
  - Timeline and budget range
- Relevant medical background
  - Prior surgeries or major procedures
  - Known medical conditions that affect candidacy or safety
  - Medications, allergies, nicotine use, and similar factors
  - Optional photos to help the surgeon understand your anatomy and goals
We collect this information so we can:
- Avoid matching you with surgeons or treatment types that are clearly inappropriate for your situation
- Help practices prepare for a productive, efficient consult
- Give you more accurate and realistic responses about cost ranges and options
Information We Never Ask For
There are certain data points we do not need and do not ask for as part of our normal intake:
- Full Social Security numbers
- Full banking login details
- Unnecessary employer or insurance account logins
- Passwords to any of your other accounts
- Personal details that are unrelated to your care or logistics
If payment is needed for a consult or deposit, those details are handled through the surgeon’s office or a payment processor, not via unsecured messages with your concierge.
What Gets Shared With Providers (And When)
We only share information with surgeons or practices you agree to be matched with.
Typically, that includes:
- Your name and contact details
- Your stated goals and areas of concern
- Relevant medical history you’ve chosen to share
- Photos you’ve consented to send for the purpose of planning the consult or quote
We do not:
- Blast your information to dozens of practices as “leads”
- Share unrelated personal details that aren’t needed for your case
- Share your information with providers you haven’t opted into
Our role is to ensure your chosen surgeon has enough context to give you a meaningful consultation—not to circulate your data widely.
How We Protect Your Personal Information
Minimal Data Collection Philosophy
The safest data is the data that never exists in the first place.
That’s why we continually review our intake questions and workflows to make sure we:
- Ask only for what actually helps us match and support you
- Avoid collecting sensitive details that are unnecessary
- Let you decline to answer certain questions if you’re not comfortable, while explaining how that might affect matching or safety
Less information collected means less information to protect and less risk in the unlikely event of any issue.
Secure Storage and Transmission
Internally, we use technical and organizational safeguards consistent with HIPAA-style security practices, including:
- Encryption in transit for data sent between your device and our systems
- Secure storage with restricted access, logging, and monitoring
- Role-based access controls, so only the team members who need your information to help you can view it
- Staff training on privacy, confidentiality, and proper handling of sensitive information
We treat your photos, messages, and case details as sensitive by default.
No Selling or Sharing Data With Third Parties
We do not:
- Sell your information to advertisers
- Monetize your data via data brokers
- Allow third parties to use your case details to build advertising profiles on you
Any third-party services we use (for example, secure communications or storage tools) are selected with privacy and security in mind and are used solely to deliver our service to you.
Your information exists to serve your care journey, not to fuel unrelated marketing ecosystems.
The Privacy Problem With Most Surgeon Directories
Lead Generation Platforms That Sell Your Information
Many traditional directories and “matching” sites operate as lead-generation businesses. Their incentives can include:
- Capturing your contact details and procedure interest
- Selling those “leads” to multiple practices
- Charging clinics per lead, regardless of your consent expectations
That can result in:
- Unexpected calls, emails, or texts from offices you’ve never heard of
- Your information being passed along internally or externally in ways you didn’t fully understand when you signed up
AestheticMatch is built around patient-first matching, not wholesale lead resale.
Retargeting Ads and Data Brokers
Another common practice is retargeting:
- You browse a site, share your email or phone, or fill out a quiz
- That data is used to follow you around the internet with ads
- In some cases, your information is packaged with other datasets and sold to third-party brokers
We do not operate as a data broker and do not use your surgical or aesthetic interests as fodder for unrelated advertising campaigns.
Hidden Marketing Consent in Terms of Service
Some sites bury broad “marketing consent” inside long terms and privacy policies. You may accidentally agree to things like:
- Sharing your data with “trusted partners” without clear limits
- Allowing use of your information for “service improvement,” which can include advertising models
- Receiving ongoing promotional outreach, even unrelated to your original query
Our approach is to explain, in plain language, why we’re asking for something and how we’ll use it, and to keep your data tied tightly to your care journey.
Your Privacy Rights With AestheticMatch
What You Can Request or Delete
You have rights over your information. Within the limits of applicable law and operational needs, you can:
- Ask what personal and case information we hold about you
- Request corrections to inaccurate details
- Request that we delete or anonymize certain data, especially once your journey is complete and retention is no longer necessary
Some data may need to be retained for legal, security, fraud-prevention, or operational reasons, but we aim to give you as much control as possible.
How Long We Retain Your Information
We retain your information for as long as it is reasonably needed to:
- Match and coordinate your care
- Support post-op follow-up or subsequent consultations
- Maintain basic records for compliance, audit, or security purposes
After that period, we work to minimize or anonymize retained data whenever feasible so that it can no longer be tied back to you personally.
Who to Contact About Privacy Concerns
If you have questions or concerns about how your information is handled, you can:
- Reach out to your concierge directly and ask for clarification
- Request to speak with someone responsible for privacy or data protection
- Ask for a plain-language explanation of what’s stored, why, and how it’s used
You should never feel like your questions about privacy are an inconvenience. If something is unclear, you have every right to ask.
How We Share Information With Your Chosen Surgeon
When you decide to move forward with consultations, we:
- Share only the necessary details with your chosen surgeons and practices
- Focus on information that helps them assess candidacy and prepare for your visit, such as goals, medical history, and relevant photos
- Avoid sharing extraneous personal details that are not required for clinical or logistical reasons
Once your information is in the hands of a surgeon’s practice, it is also protected by their own privacy and confidentiality obligations. They may collect additional details directly from you as part of their medical intake, and their own privacy notices will govern how they handle that information.
Questions to Ask Any Surgeon-Matching Service About Privacy
Whether you use AestheticMatch or any other service, you should feel confident asking questions like:
- How do you store and protect the information I share with you?
- Who inside your organization can see my data?
- Do you sell or share my information with advertisers, data brokers, or unrelated third parties?
- How many clinics receive my information, and do I control which ones?
- How long do you keep my information, and can I request deletion?
- What happens to my photos if I decide not to move forward?
A trustworthy platform should be able to answer these clearly, in plain language, without hiding behind jargon.
FAQs
Is AestheticMatch legally required to be HIPAA-compliant?
AestheticMatch is a concierge and matching service, not a medical practice or health plan. Depending on the scenario and relationships with providers, different aspects of HIPAA may or may not apply in a strict legal sense.
Regardless of classification, we treat your information with HIPAA-level care: limited access, secure storage and transmission, and a minimum-necessary approach. Our internal standards are built to align with the spirit of HIPAA even where the law might not strictly require it.
What personal information does AestheticMatch collect during intake?
During intake we typically collect:
- Your name and contact information
- Your city or general location
- The procedures or areas you’re interested in
- Your timeline and budget range
- Relevant medical history, medications, and prior surgeries
- Optional photos to help surgeons understand your anatomy and goals
We focus on the information needed to safely and effectively match you with appropriate surgeons and to coordinate meaningful consultations.
Will my information be sold to advertisers or other companies?
No. We do not sell your information to advertisers or data brokers. Your details are used only to:
- Understand your goals and needs
- Match you with vetted surgeons and providers
- Coordinate consults, quotes, and logistics
- Support you throughout your decision and recovery process
We do not treat your personal or medical information as a product.
How do I know my data is secure when I share it with AestheticMatch?
We protect your information by:
- Collecting only what is necessary
- Using secure channels for communication
- Encrypting data in transit and in storage
- Limiting access internally to team members who genuinely need it
- Training staff on privacy and confidentiality best practices
No system can promise zero risk, but our policies and technical safeguards are designed to keep your information as secure and private as reasonably possible.
Can I delete my information after using your service?
In many cases, yes. You can request:
- That we remove or anonymize your profile and case details once your journey is complete
- A summary of what information we still retain and why
Some information may need to be kept for legal, compliance, or security reasons, but we aim to respect your preferences and minimize retention where we can.