Ubexis Logo
Privacy Icon Privacy Policy

Ubexis Solutions
Privacy Policy

Updated on : July 8th, 2026

Privacy Policy

Effective Date: July 8, 2026

Last Updated: July 8, 2026

This Privacy Policy explains how Ubexis Solutions ("Company," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our AI-powered front desk, patient reactivation, review automation, analytics, and related services (the "Services") provided to multi-location aesthetic, medical spa, and wellness businesses ("Clients").

This Policy applies to two distinct groups, and we describe each separately below:

  • Clients — the businesses that contract with us and their authorized staff/administrators.
  • End Users — the patients, customers, and callers who interact with the Services on a Client's behalf (e.g., someone calling or texting a med spa that uses our AI front desk).

If you are an End User with a question about a specific interaction, please contact the business you called or texted directly — we act on their instructions, and they control that relationship. Contact details are in Section 12.

1. Who We Are and Scope of This Policy

Ubexis Solutions provides a managed, AI-powered operations system to multi-location aesthetic and wellness groups. This Policy covers:

  • The ubexis.com website and any lead-generation tools we operate (e.g., a free "Revenue Leak Calculator").
  • The Services delivered to Clients under a signed Master Service Agreement ("MSA") and Statement of Work ("SOW").

This Policy does not cover the Client's own website, booking/EMR platform, or any tools the Client operates independently of our Services.

2. Information We Collect

2.1 Information About Prospects and Website Visitors

  • Contact details submitted through forms, the Revenue Leak Calculator, or outreach replies (name, email, phone, business name, location count).
  • Standard web analytics (pages visited, referral source, general device/browser information).

2.2 Information About Clients

  • Business and billing information (company name, locations, point-of-contact names, billing address, payment details processed by our payment processor).
  • Credentials and access tokens for the Client's booking/EMR platform (e.g., Boulevard, Zenoti, Mangomint), provided solely to configure and operate the Services.
  • Service configuration data: pricing lists, service menus, staff escalation contacts, and the Client's Brand Voice Guide.

2.3 Information About End Users (Patients/Callers), Processed on the Client's Behalf

When the Services are active for a Client, we process, strictly on that Client's instructions:

  • Call audio, call transcripts, and SMS/chat message content.
  • Caller phone numbers and, where provided, names.
  • Appointment, scheduling, and treatment-cadence information needed to send reminders or reactivation messages (e.g., approximate treatment type and timing, not clinical detail beyond what the Client's own systems already store).
  • Review-request interactions (e.g., whether a review request was sent and whether a review resulted).

We are a data processor / service provider with respect to End User information. The Client is the data controller and is responsible for having its own lawful basis, notices, and consents in place with its patients and customers. We do not use End User information for our own marketing or resell it under any circumstances.

3. How We Use Information

We use the information above to:

  • Operate the AI front desk, reactivation, reminder, review-automation, and analytics Services as scoped in the applicable SOW.
  • Route calls/messages, book appointments into the Client's existing calendar, and escalate anything outside the AI's scope to a human, per the Client's escalation rules.
  • Generate the Monthly Performance Report and other reporting deliverables.
  • Maintain, secure, and improve the Services generally (e.g., identifying recurring AI errors to correct configuration) — using de-identified or aggregated data wherever feasible.
  • Communicate with Clients about their account, invoices, and service updates.
  • Comply with legal obligations and enforce our agreements.

We do not use End User call/message content to train general-purpose AI models outside the scope of delivering the Services to that specific Client, and we do not sell personal information.

4. AI Processing and Subprocessors

Delivering the Services requires sharing data with a limited set of third-party subprocessors, each bound by contract to protect the data and use it only to provide their service to us:

CategoryExample ProvidersPurpose
Voice AI / telephonyTwilio, Vapi, Retell, or equivalentAnswering calls, speech-to-text, text-to-speech
Large language model providersAnthropic, OpenAI, or equivalentGenerating conversational responses from call/message content
SMS / messagingTwilioSending and receiving text messages
Booking / EMR integrationBoulevard, Zenoti, Mangomint, or the Client's specified platformReading/writing appointment data
Cloud hosting & infrastructureAWS, Google Cloud, or equivalentHosting the system and storing data
Payment processingStripeBilling and invoicing

A current list of subprocessors is available on request. We will notify Clients of any material change in subprocessors that handle their data.

5. Protected Health Information (PHI) and HIPAA

Where the Services involve information that qualifies as Protected Health Information under HIPAA (U.S. Clients only), we will execute a Business Associate Agreement (BAA) with the Client before that data is processed. Our obligations, permitted uses, breach notification timelines, and subcontractor requirements are governed by that BAA, which supplements and, where inconsistent, controls over this Policy for PHI. Clients outside the U.S. should refer to Section 8 for the applicable regional framework.

We configure the AI so that it never provides clinical or medical advice; any interaction resembling a clinical question is escalated immediately to the Client's designated human staff.

6. How We Share Information

We share information only as follows:

  • With the Client — all data collected through the Services for that Client's End Users belongs to, and is shared back with, that Client.
  • With subprocessors — as described in Section 4, under contractual confidentiality and security obligations.
  • For legal reasons — if required by law, subpoena, or governmental request, or to protect the rights, safety, or property of Company, our Clients, or others.
  • In a business transfer — if we are involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to this Policy or a comparably protective successor policy.

We do not share End User information with data brokers or for third-party advertising.

7. Data Retention

  • Call/message content and transcripts: retained for 12 months to support QA, dispute resolution, and reporting, then deleted or anonymized, unless the Client instructs otherwise or a longer period is required by law or the applicable BAA.
  • Client account and billing data: retained for the duration of the contract plus 7 years for tax and legal purposes.
  • Upon termination, data is handled per the Offboarding / Cancellation Policy referenced in the Client's MSA — including return or deletion of End User data within the agreed notice period.

8. Regional Privacy Rights

United States (CCPA/CPRA and other state laws)

California and other U.S. residents may have the right to know what personal information is collected, request deletion, and opt out of the sale or sharing of personal information. We do not sell personal information. Requests can be submitted to team@ubexis.com.

Canada (PIPEDA)

We process personal information in accordance with Canadian federal privacy law where applicable, including providing individuals reasonable access to their information on request.

United Kingdom / European Union (UK GDPR / GDPR)

Where applicable, individuals have the right to access, correct, delete, restrict, or port their personal data, and to object to certain processing. Our legal basis for processing is generally performance of a contract with the Client or the Client's own legitimate interests/consent as data controller. International transfers outside the UK/EEA are made using appropriate safeguards (e.g., Standard Contractual Clauses).

United Arab Emirates and Other Jurisdictions

We comply with applicable local data protection requirements for Clients operating in other covered geographies; contact us for jurisdiction-specific detail.

9. Data Security

We use administrative, technical, and physical safeguards appropriate to the sensitivity of the data involved, including access controls, encryption in transit and at rest where supported by our subprocessors, and role-based access limiting internal staff access to only what each role requires. No system is completely secure; we will notify affected Clients of any confirmed data breach affecting their data without undue delay and in accordance with applicable law and any signed BAA.

10. Cookies and Website Analytics

Our website may use cookies or similar technologies for basic analytics and functionality. You can control cookies through your browser settings. We do not use cookies for third-party behavioral advertising.

11. Children's Privacy

The Services are intended for business use and are not directed to children. We do not knowingly collect personal information from individuals under 18 through our website's lead-generation tools.

12. Contact Us

Questions about this Privacy Policy, or requests regarding your personal information, can be directed to:

Ubexis Solutions
team@ubexis.com
Johar Town, Lahore
Punjab, Pakistan
+92 327 0715342

13. Changes to This Policy

We may update this Policy from time to time. Material changes affecting Clients will be communicated per the notice provisions in the applicable MSA. The "Last Updated" date above reflects the most recent revision.