PINCH Club

PRIVACY POLICY

Last updated March 5, 2026

NOTICE: This Privacy Policy (this “Policy”) describes the data processing practices of PINCH CLUB LLC, a Wyoming Limited Liability Company (the “Company,” “we,” “us,” or “our”). This Policy is a component of the Master Terms of Service and is designed to comply with applicable data privacy regulations in the United States, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Washington My Health My Data Act (MHMDA), and the Colorado Privacy Act (CPA).

Effective Date: March 5, 2026

Version: 1.0


ARTICLE I: GOVERNANCE AND SCOPE

1.1. Uniform Privacy Standard. PINCH Club operates a nationwide digital directory. Because state-level privacy laws are increasingly extraterritorial, we do not geofence privacy rights. We apply the most protective privacy standards—specifically those mandated by Washington’s MHMDA and California’s CPRA—to all Users regardless of their state of residence.

1.2. Non-HIPAA Status. User acknowledges that PINCH Club is a Direct-to-Consumer (DTC) technology platform, not a healthcare provider or a “Covered Entity” as defined by the Health Insurance Portability and Accountability Act (HIPAA). While we collect and transmit data that may eventually become a medical record once received by a medical practice, our processing of data prior to that transmission is governed by the Federal Trade Commission (FTC) Act and state-level consumer privacy statutes, rather than HIPAA.

1.3. Governing Law. This Policy is governed by and construed in accordance with the laws of the State of Wyoming. Dispute resolution provisions are set forth in the Master Terms of Service.

1.4. Geographic Scope. The Platform is intended exclusively for users located within the United States. We do not knowingly collect data from individuals outside the United States. If you are accessing the Platform from outside the U.S., you do so at your own risk and are responsible for compliance with local laws.

ARTICLE II: CATEGORIES OF COLLECTED DATA

We collect and process various categories of information based on your interaction with the Platform and your designated role.

2.1. Personal Information (PI) — General. In the preceding 12 months, we have collected the following categories of PI as defined by Cal. Civ. Code § 1798.140:

  • Identifiers: Real name, alias, postal address, unique personal identifier, IP address, email address, and account name.
  • Commercial Information: Records of services purchased, obtained, or considered (e.g., verification fee history).
  • Internet/Electronic Activity: Browsing history, search history, and information regarding a consumer’s interaction with the Platform.

2.2. Sensitive Personal Information (SPI) — CPRA Standard. We collect “Sensitive Personal Information” which requires enhanced protection and “Limit Use” rights for the consumer:

  • Precise Geolocation: Zip codes and city/state data used to facilitate geographic matchmaking.
  • Account Credentials: Logins and passwords for the Platform dashboard.

2.3. Consumer Health Data (CHD) — MHMDA Standard. Consistent with Washington’s MHMDA, we collect “Consumer Health Data” from Patients/Consumers. This is a special category of data that identifies a consumer’s past, present, or future physical health status. This includes:

  • Health-Seeking Behavioral Data: Your search queries for specific aesthetic procedures (e.g., “Botox,” “Fillers,” “IV Therapy”).
  • Clinical Affiliations: Information regarding which practice invited you, which identifies you as a patient of a specific medical facility.
  • Treatment Interests: Explicit procedure selections made via interest forms.

ARTICLE III: ROLE-SPECIFIC DATA COLLECTION

We collect data tailored to your role on the Platform:

3.1. For Practice Owners:

  • Practice Name and physical Zip Code (used for geographic matching and network integrity).
  • Your Role (Owner/Manager).
  • Financial Data: Approximate annual revenue (collected solely for anonymized, aggregated benchmarking; never shared in identifiable form).
  • Operational Status: Existence of a Medical Director (used to determine verification eligibility).

3.2. For Injectors and Providers:

  • License Type (NP, PA, RN, MD/DO, Esthetician).
  • Years in aesthetic practice (used for provider vetting).
  • Employment Status: Current employment and availability (used for the Talent Discovery service).
  • City and State of licensure.

3.3. For Physicians:

  • Specialty and Board Certification status.
  • Total practices currently overseen (used to monitor network integrity).
  • States where you maintain an active license.

3.4. For Patients/Consumers:

  • City/State of residence.
  • Inviting Practice Name (CHD).
  • Aesthetic interests and goals (CHD).

ARTICLE IV: SOURCES OF DATA

4.1. Direct Submission. The primary source of data is the User’s voluntary submission of interest forms, account registration, and profile updates.

4.2. Automated Collection (Cookies & Pixels). We utilize cookies, web beacons, and pixels to collect usage data. Healthcare Pixel Disclosure: To prevent the unauthorized sharing of health data with third-party advertisers, PINCH Club restricts its advertising pixels (e.g., Meta Pixel, Google Analytics) so that they do not fire on pages where a Patient/Consumer inputs specific Treatment Interests or clinical affiliation data.

4.3. Cookie Management. You can manage cookie preferences through your browser settings. Most browsers allow you to refuse cookies or delete existing cookies. Note that disabling certain cookies may limit Platform functionality. For more information about the specific cookies we use and how to manage them, please contact privacy@pinchclub.com.

4.4. Third-Party Verification Sources. We may cross-reference your submitted information (e.g., license numbers) with public databases provided by state regulatory boards (e.g., DORA in Colorado) to fulfill our verification obligations.

ARTICLE V: PURPOSE OF DATA PROCESSING

PINCH Club does not collect data for generalized harvesting or the creation of a secondary data marketplace. Our processing is strictly limited to the “Business Purposes” defined by Cal. Civ. Code § 1798.140(e) and the “Necessary” service provisions of the Washington MHMDA.

5.1. Matchmaking and Platform Connectivity. The primary purpose of processing is to facilitate connections between a Consumer (Patient) and a Verified Practice, or between a Provider/Physician and a Practice. Data processing is essential to the Talent Discovery and Practice Discovery features.

5.2. Verification and Network Integrity. We process professional identifiers (license numbers, specialty certifications) to execute the Initial Administrative Verification required to maintain network standards. This includes verifying state-level regulatory status and insurance validity.

5.3. Anonymized Industry Benchmarking. For Practice Owner Users, we process financial data (approximate annual revenue) to generate aggregated peer intelligence. This processing is governed by the following protocols:

  • De-Identification: Revenue data is de-identified and combined with at least ten (10) other data points from a specific metropolitan area before being displayed.
  • Antitrust Compliance: Data is processed to provide historical benchmarks only, preventing real-time wage or price coordination in violation of the Sherman Act.

5.4. Security and Fraud Prevention. We process usage data and identifiers to maintain Platform security, debug software errors, and prevent unauthorized access or misuse of the network directory.

5.5. Automated Decision-Making. The Platform uses automated systems to rank, sort, and route user inquiries based on objective criteria including geographic proximity, chronological registration order, and randomization algorithms. These automated processes do not use sensitive personal information to infer characteristics about you for purposes beyond providing the matchmaking service. No automated decisions are made that would produce legal or similarly significant effects without human review.

ARTICLE VI: CONSUMER HEALTH DATA CONSENT

Because PINCH Club adopts the standards of the Washington My Health My Data Act (MHMDA), we utilize a bifurcated consent approach. We distinguish between “General Personal Information” and “Consumer Health Data” (CHD).

6.1. Separate Consent Requirement. Collection of CHD (e.g., treatment interests, clinical history, inviting practice) is never bundled with general acceptance of the Terms of Service. A User must provide an affirmative opt-in—via an un-pre-checked checkbox—at the point of collection.

6.2. Disclosures at Point of Collection. Pursuant to MHMDA, before a Consumer submits a form containing CHD, PINCH Club provides a just-in-time notice disclosing:

  • The specific categories of CHD being collected.
  • The specific purpose of the collection (e.g., “To transmit your inquiry to [Practice Name]”).
  • How the Consumer can withdraw consent and request deletion of the CHD.

6.3. Revocation of Consent. Users possess the right to revoke consent for the processing of CHD at any time. Upon revocation, PINCH Club will cease processing the data and, subject to the retention requirements in Article XII, will delete the data from its active servers within thirty (30) days.

ARTICLE VII: DATA TRANSMISSION MODEL

A core principle of PINCH Club’s architecture is the “Consumer Direction” model, which ensures that PINCH Club acts as a passive data conduit and does not become a health data broker.

7.1. Explicit Transmission Instruction. When a Consumer selects a Practice and clicks “Introduce Yourself” or “Submit,” the Consumer is issuing an affirmative instruction to PINCH Club to transmit their CHD to the selected third-party medical provider.

7.2. Data Custody Hand-Off. The moment data is transmitted to the Practice’s designated intake system (email, CRM, or EMR), the Practice becomes the primary custodian of that data. The Practice’s use of that data is governed by the Practice’s own Notice of Privacy Practices (NPP) and its specific HIPAA obligations. PINCH Club’s role as a processor for that specific transaction is terminated upon successful delivery.

7.3. No Sale of Health Data. PINCH CLUB DOES NOT SELL CONSUMER HEALTH DATA. We do not trade, rent, or lease CHD to third-party data brokers, pharmaceutical companies, or advertisers. The transmission of data to a Practice at the Consumer’s direction is a service provision, not a “Sale” as defined by the CCPA/CPRA.

7.4. Interstate Data Transfers. As a nationwide platform, your data may be transmitted across state lines when connecting you with practices or providers in different states. All such transfers occur via encrypted channels and are governed by the same privacy protections regardless of the destination state.

ARTICLE VIII: THIRD-PARTY DATA DISCLOSURE

We disclose PI and CHD to third parties only under the following defined conditions:

8.1. Disclosures to Verified Practices. As described in Article VII, we disclose Consumer data to Practices specifically selected by the Consumer.

8.2. Disclosures to the MSO Partner. The MSO Partner does not have general access to the PINCH Club database. The MSO Partner only receives data if:

  1. The Consumer specifically selects an MSO Partner practice for an inquiry; or
  2. The MSO Partner is a party to a specific business transaction (e.g., licensing a Branded Experience).

8.3. Disclosures to Service Providers. We utilize third-party vendors to perform essential Platform functions. These vendors are “Service Providers” under the CCPA and are contractually prohibited from using User data for any purpose other than providing the specific service to PINCH Club. Current service providers include:

  • Amazon Web Services (AWS) — Cloud hosting and data storage
  • SendGrid — Email delivery and notifications
  • SignWell — Electronic signature services
  • Google Analytics — Website analytics (with healthcare pixel restrictions)

A complete and current list of all service providers with access to user data is available upon request to privacy@pinchclub.com.

8.4. Disclosures for Legal Protection. We may disclose PI if required by a valid subpoena, court order, or government request, or if we believe in good faith that disclosure is necessary to protect the safety of our Users or the integrity of the Platform.

ARTICLE IX: DATA SECURITY

While PINCH Club is not a HIPAA-covered entity, we maintain strong security practices to mitigate the risk of breach.

9.1. Encryption. All PI and CHD are encrypted in transit via TLS 1.3 and at rest via AES-256 encryption. Our database architecture utilizes row-level security to ensure that data from one Practice cannot be accessed by another.

9.2. Access Controls. Access to the PINCH Club backend is restricted to authorized personnel and essential technical contractors. All access requires Multi-Factor Authentication (MFA). No employee or contractor of the MSO Partner has administrative access to PINCH Club’s consumer data.

9.3. Data Breach Response. In the event of a data breach involving Personal Information or Consumer Health Data, PINCH Club will:

  1. Investigate and contain the breach within 24 hours of discovery;
  2. Notify affected users via email within seventy-two (72) hours of confirmed breach;
  3. Provide specific information about: (i) the nature of the breach, (ii) types of data compromised, (iii) steps taken to mitigate harm, and (iv) resources for affected individuals;
  4. Notify applicable regulatory authorities as required by state law (California Attorney General if 500+ California residents affected, Washington Attorney General for MHMDA violations); and
  5. Offer identity protection services if Social Security numbers or financial account information was compromised.

ARTICLE X: CONSUMER DATA RIGHTS

Regardless of your geographic location, PINCH Club grants all Users the following rights, which reflect the most robust protections found in the CCPA/CPRA, MHMDA, and the Colorado Privacy Act (CPA).

10.1. Right to Access and Portability. You have the right to request that we disclose the categories and specific pieces of Personal Information (PI) and Consumer Health Data (CHD) we have collected about you. Upon a verifiable consumer request, we will provide this data in a portable, readily usable format (typically JSON or CSV) that allows you to transmit the information to another entity without hindrance.

10.2. Right to Correction. You have the right to request that we correct inaccurate PI or CHD that we maintain about you. Given the professional nature of the Platform (e.g., physician specialties, injector licenses), PINCH Club may require supporting documentation (such as a copy of a renewed state license) to verify the accuracy of the requested correction.

10.3. Right to Delete. Pursuant to the Washington MHMDA, you have an expansive right to delete your CHD. Upon receipt of a verifiable consumer request, we will delete your CHD from our records and notify all service providers and affiliates (including the MSO Partner, if applicable) to delete the data from their records.

  • Exceptions: We reserve the right to deny a deletion request, in whole or in part, if retaining the information is required by law or necessary to: (a) complete a transaction for which the data was collected; (b) detect or prevent security incidents or fraud; or (c) comply with a legal obligation, such as the retention requirements for financial records.

10.4. Right to Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights. Unless permitted by law, we will not: (a) deny you services; (b) charge different prices; or (c) provide a different level of service based on your exercise of these rights.

10.5. Verifiable Consumer Request Process. To protect your privacy and security, we employ a multi-step verification process for data requests:

  1. Initial Submission: Submit your request via email to privacy@pinchclub.com or through the Platform’s data request portal.
  2. Email Verification: We will send a verification link to the email address associated with your account. You must click this link within 48 hours.
  3. Account Authentication: For access or deletion requests involving Consumer Health Data, you must log into your account to confirm the request.
  4. Additional Verification: For high-risk requests or if we cannot verify your identity through the above steps, we may require: (i) government-issued ID, (ii) answers to security questions, or (iii) notarized documentation.
  5. Authorized Agent: If submitting a request through an authorized agent, you must provide the agent with written permission and we must verify both your identity and the agent’s authority.

ARTICLE XI: CALIFORNIA-SPECIFIC RIGHTS (CPRA COMPLIANCE)

In addition to the rights listed in Article X, California residents possess specific protections regarding “Sensitive Personal Information” (SPI).

11.1. Right to Limit Use of Sensitive Personal Information. PINCH Club collects SPI (Precise Geolocation and Account Credentials) solely for the purpose of providing the matchmaking service. You have the right to limit our use of this SPI to only that which is necessary to perform the services reasonably expected by an average consumer. Because we do not use SPI to infer characteristics about you for advertising purposes, this right is built into our data practices by default.

11.2. “Shine the Light” Law. California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of PI to third parties for their direct marketing purposes. Consistent with our no-sale policy, we do not disclose PI to third parties for their own direct marketing.

11.3. CCPA Registration. PINCH Club, LLC is registered with the California Attorney General as a data broker under the California Consumer Privacy Act. Our registration number and compliance filings are available upon request.

ARTICLE XII: DATA RETENTION

PINCH Club does not retain data indefinitely. Our retention policy is governed by consumer privacy rights and applicable statutes of limitation in the aesthetic medical industry.

12.1. Standard Retention Period. Because aesthetic medical procedures may result in claims years after the initial match, we retain record-of-match data (Consumer Name, Practice Selected, Date of Inquiry) for a period of seven (7) years from the date of the last interaction. This period aligns with the longest state statutes of limitation for medical malpractice and breach of contract in the United States and constitutes a documented business necessity.

12.2. De-Identification. Data not subject to the 7-year retention requirement (e.g., browsing behavior, abandoned search queries) is automatically de-identified or purged after twenty-four (24) months. De-identified data is stripped of all identifiers and precise geolocation data and is retained solely for historical benchmarking.

12.3. Account Closure. Upon the voluntary closure of a User account, we will move all associated PI and CHD into a secure archive, inaccessible to the active Platform, for the remainder of the 7-year retention window before permanent erasure.

12.4. Children’s Data. In the event we discover that we have inadvertently collected data from a child under 13 years of age, we will delete such data within forty-eight (48) hours of discovery. Parents or guardians who believe their child’s data has been collected should immediately contact privacy@pinchclub.com with the subject line “COPPA Deletion Request.”

ARTICLE XIII: OPT-OUT MECHANISMS AND “DO NOT SELL/SHARE”

13.1. “Do Not Sell or Share My Personal Information.” While PINCH Club does not “sell” data for monetary value, the CPRA defines “sharing” broadly to include certain types of digital advertising. Because we restrict advertising pixels from firing on pages where Consumer Health Data is collected, we do not “share” CHD for cross-context behavioral advertising. The Platform is also engineered to recognize Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will automatically treat it as a request to opt out of any sharing of PI for advertising purposes.

13.2. Marketing Communications. You may opt out of our marketing emails at any time by clicking the “Unsubscribe” link in the footer. Administrative emails (e.g., verification updates, billing receipts) are exempt from opt-out as they are necessary for the performance of our services.

ARTICLE XIV: POLICY GOVERNANCE AND UPDATES

14.1. Annual Review. PINCH Club conducts an annual audit of our data processing practices to ensure continued compliance with emerging state privacy laws.

14.2. Notice of Material Changes. We reserve the right to modify this Policy at any time. If we make material changes (e.g., a change in how we collect CHD), we will:

  1. Update the “Effective Date” at the top of the Policy;
  2. Post a prominent notice on the Platform; and
  3. Seek a new affirmative opt-in from Consumers if the change affects the processing of previously collected CHD.

14.3. Merger or Acquisition. In the event that PINCH Club, LLC is involved in a merger, acquisition, or sale of assets, your PI and CHD may be transferred as part of that transaction. The privacy commitments made in this Policy will remain binding on any successor entity. We will notify affected users at least thirty (30) days prior to any such transfer.

ARTICLE XVI: SMS COMMUNICATIONS

PINCH Club may send text messages (SMS/MMS) to users who have provided their mobile phone number and consented to receive such communications. All SMS programs are governed by Twilio’s messaging policies, the Telephone Consumer Protection Act (TCPA), and CTIA messaging guidelines.

16.1. No Sharing of Mobile Information. Mobile phone numbers and SMS opt-in data collected by PINCH Club will never be shared, sold, or disclosed to third parties or lead generators for marketing or promotional purposes. This prohibition applies regardless of the message program type.

16.2. SMS Program Types. PINCH Club operates the following SMS message programs:

  • Customer Support: Responses to inbound support inquiries submitted via SMS. Message frequency varies based on your interactions with our support team.
  • Transactional: Account notifications, verification codes, match confirmations, and other messages necessary to deliver the Platform’s services. Message frequency varies based on your activity on the Platform.
  • Marketing & Promotional: Promotional offers, platform announcements, and other marketing communications. Message frequency will be disclosed at the time of opt-in.

16.3. Consent and Opt-In. Consent to receive SMS messages is never a condition of using the Platform or purchasing any service. Consent is obtained as follows:

  • Customer Support and Transactional SMS: By providing your mobile number and agreeing to the Terms of Service, you consent to receive customer support and transactional SMS messages necessary to operate your account.
  • Marketing & Promotional SMS: Written opt-in consent is required and is obtained separately from general Terms of Service acceptance. You must affirmatively check an unchecked box at the point of enrollment to opt in to marketing SMS. Verbal consent is not accepted for marketing messages.

16.4. Opt-Out Instructions. You may opt out of any SMS program at any time:

  • To stop all messages: Reply STOP to any message. You will receive a one-time confirmation that you have been unsubscribed and will receive no further messages from that program.
  • To re-subscribe: Text START to the same number.
  • For help: Reply HELP to any message, or contact us at privacy@pinchclub.com.

16.5. Rates and Delivery. Message and data rates may apply. PINCH Club is not responsible for delayed or undelivered messages. Carriers are not liable for delayed or undelivered messages. For questions about your text plan or data plan, contact your wireless provider.

ARTICLE XV: CONTACT INFORMATION

To exercise your rights or submit a question regarding our privacy practices, please contact us:

Email: privacy@pinchclub.com
Postal Address:
PINCH CLUB LLC
30 N Gould St, Ste R
Sheridan, WY 82801
Attn: Privacy Compliance Officer

Response Timeline: We will acknowledge receipt of your request within ten (10) business days and provide a substantive response within forty-five (45) days. If additional time is required, we will notify you of the extension and the reason, with a maximum total response time of ninety (90) days from the initial request.

California Residents: You may also contact the California Attorney General’s Office regarding complaints:
California Attorney General’s Office
Privacy Enforcement Section
1300 I Street, Suite 1740
Sacramento, CA 95814
