Privacy Policy
Last updated: November 11, 2026
1. Introduction
This Privacy Policy describes how Aveleno ("we," "us," or "our") collects, uses, and protects information when you use our structured treatment program platform (the "Service"). Aveleno is built for independent nurse practitioner-owned medical aesthetic practices. We take privacy seriously and have designed our platform to be HIPAA-conscious from the ground up.
2. Information We Collect
We collect several types of information:
Information from practitioners
When a clinician signs up for Aveleno, we collect: name, email address, business name, business address, phone number, and authentication credentials.
Patient information
When a clinician uses Aveleno to communicate with their patients, we process patient information that the clinician enters or imports into the platform. This includes: patient name, contact information (phone number, email), treatment history, appointment information, and program-related milestones. This information is provided to us by the clinician under a Business Associate Agreement and is treated as Protected Health Information (PHI) under HIPAA.
Phone numbers for SMS communication
If a clinician uses our SMS messaging features, we collect and store patient phone numbers. These phone numbers are only used to deliver messages that the clinician has scheduled or approved as part of their patient's treatment program. We do not share, sell, or use phone numbers for any other purpose.
Technical information
We collect standard technical information when you use our Service, including IP address, browser type, device information, and usage patterns. This is used to operate, secure, and improve the Service.
3. How We Use Information
We use information to:
- Provide the structured treatment program platform to clinicians
- Send patient communications on behalf of clinicians (when authorized)
- Protect the security and integrity of the Service
- Comply with legal obligations
- Improve and develop new features
We do not use patient information or phone numbers for advertising or marketing purposes.
4. How We Share Information
With service providers
We share information with vetted service providers who help us operate the platform, including Supabase (our database provider), Twilio (our SMS delivery partner), SendGrid (our email delivery partner), and Anthropic (our AI provider for content generation). All service providers have signed Business Associate Agreements where required and meet our security standards.
With clinicians who use our service
Patient information is shared with the specific clinician or practice that entered or imported the information. We do not share patient information across practices.
When required by law
We may disclose information if required by law, court order, or to protect our rights or the safety of others.
5. SMS Messaging and A2P 10DLC
Aveleno operates a Twilio A2P 10DLC registered messaging program. This means:
- Phone numbers are used solely to send messages directly related to the patient's treatment program with their clinician.
- We do not share phone numbers with third parties for marketing.
- Patients can opt out of SMS messages at any time by replying STOP to any message.
- Patients can request help by replying HELP to any message.
- Message and data rates may apply.
- Message frequency varies based on the patient's treatment program and clinician's settings.
For complete SMS program details, see our SMS Terms.
6. Data Security
We use industry-standard security measures including encryption in transit (TLS) and at rest, access controls, audit logging, and regular security reviews. We have signed Business Associate Agreements with our infrastructure providers where applicable.
7. Data Retention
We retain practitioner account information for as long as the account is active. Patient information is retained as directed by the clinician's practice, which is the data controller for its patients' information. Phone numbers used for SMS messaging are retained as long as the patient is enrolled in a program with the clinician.
When a practitioner closes their account, we delete or anonymize practitioner data within 90 days unless retention is required by law.
8. Your Rights
If you are a practitioner: you can access, update, or delete your account information by contacting us at the email below.
If you are a patient who has received messages from a clinician using Aveleno: please contact your clinician directly to update or remove your information. Your clinician is the data controller for your information.
9. Children's Privacy
Aveleno is not intended for use by individuals under 18. Clinicians who use Aveleno must comply with applicable laws regarding the treatment of minors.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify clinicians via email of material changes.
11. Contact Us
Questions about this Privacy Policy or your information?
Email: privacy@aveleno.com
Address: Aveleno, Parker, Colorado