PRIVACY POLICY

This Privacy Policy informs you (or the entity on whose behalf you are using this Service) (“you”
or as the context requires “your”) what personal information Grace Aesthetics and Wellness may collect and how Grace Aesthetics and Wellness uses such information. This Privacy Policy is a part of and incorporated into the Terms of Use (“Terms of Use”) posted to the applicable to the Grace Aesthetics and Wellness website (“Website”) (the Website and related services provided through, and intellectual property contained within, the Website, collectively, the “Service”). Any terms capitalized in this Privacy Policy, but not defined, have the meanings assigned to such terms in the applicable Terms of Use. At Grace Aesthetics and Wellness, we recognize that privacy of your Personal Information, as defined below, is important. Here is information on what types of personal information we receive and collect when you use and visit our Website. We never sell your personal information to third parties.

BY USING OR ACCESSING THE SERVICE IN ANY MANNER, YOU ACKNOWLEDGE THAT
YOU ACCEPT THE PRACTICES AND POLICIES OUTLINED IN THIS PRIVACY POLICY, AND YOU
HEREBY CONSENT THAT WE WILL COLLECT, USE, AND SHARE YOUR INFORMATION IN THE
FOLLOWING WAYS. IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, YOU MAY NOT USE THE
SERVICE. IF YOU USE THE SERVICE ON BEHALF OF SOMEONE ELSE (SUCH AS YOUR CHILD)
OR AN ENTITY (SUCH AS YOUR EMPLOYER), YOU REPRESENT THAT YOU ARE AUTHORIZED BY
SUCH INDIVIDUAL OR ENTITY TO ACCEPT THIS PRIVACY POLICY ON SUCH INDIVIDUAL’S OR
ENTITY’S BEHALF.

1. Personal Information Collected by the Service. Grace Aesthetics and Wellness uses
information collected from users of the Service to personalize and improve your visit and
experience at the Website and for other purposes set out below. Grace Aesthetics and Wellness
gathers information in the following ways:
a. Information You Provide to Grace Aesthetics and Wellness. Through a user’s
interactions with the Service, Grace Aesthetics and Wellness collects “Personal
Information,” which is information that identifies an individual or relates to an identified
individual, as defined under the Maryland Personal Information Protection Act (“PIPA”).
Personal Information includes, but is not limited to, (i) your first and last name in
combination with a social security number, a driver’s license number, an account or credit
card number, personal health information, a health insurance policy number, or biometric
data; (ii) your username or email address in combinations with a password or security
question and answer that permits access to your email account; or (iii) genetic
information that is not encrypted, redacted, or otherwise protected by a method that
renders the information unreadable or unusable. Personal Information is collected when
you establish an online account, book an appointment, place an order, sign up to receive
emails, or when you communicate with Grace Aesthetics and Wellness about the
Website. Grace Aesthetics and Wellness will also collect your PHI through patient intake
documents if you choose to engage in the Services.
b. Web Beacons. Grace Aesthetics and Wellness records data about visits to or
transactions made on the Website through the use of Web Beacons. “Web Beacons” are
web page elements which may employ cookie technology that enable such recording of
data. This information is sometimes known as “clickstream data.” Grace Aesthetics and
Wellness may use this data to analyze trends and statistics to improve your online
experience or our customer service. No Personal Information is collected through the use
of Web Beacons on the Website.

c. Mobile Device Identifiers. Mobile device identifiers help Grace Aesthetics and Wellness
learn more about our users’ demographics and internet behaviors. Mobile device
identifiers are data stored on mobile devices that may track mobile device and data and
activities occurring on and through it, as well as the applications installed on it. Mobile
device identifiers enable collection of Personal Information, such as media access
control, address and location, and tracking data, including without limitation IP address,
domain server, type of device(s) used to access the Service, web browser(s) used to
access the Service, referring webpage or other source through which you accessed the
Service, other statistics and information associated with the interaction between your
browser or device and the Service.
d. Cross Device Matching. To determine if users have interacted with content across
multiple devices and to match such devices, we may work with partners who analyze
device activity data and/or rely on your information (including demographic, geographic
and interest-based data). To supplement this analysis, we may also provide de-identified
data to these partners. Based on this data, we may then display targeted advertisements
across devices that we believe are associated, or use this data to further analyze usage
of Service across devices.
e. Cookies. We may use some or all of the following types of Cookies:
i. Essential Cookies. Essential Cookies are required for providing you with
features or services that you have requested. For example, certain Cookies
enable you to log into the secure areas of our Service. Disabling these Cookies
may make certain features and services unavailable.
ii. Functional Cookies. Functional Cookies are used to record your choices and
settings regarding our Service, maintain your preferences over time and
recognize you when you return to our Service. These Cookies help us to
personalize our content for you, greet you by name, and remember your
preferences (for example, your choice of language or region).
iii. Performance/Analytical Cookies. Performance/Analytical Cookies allow us to
understand how visitors use our Service such as by collecting information about
the number of visitors to the Service, what pages visitors view on our Service,
how long visitors are viewing pages on the Service, mouse clicks, mouse
movements, scrolling activity, and text typed into the Service. Performance/
Analytical Cookies also help us measure the performance of our advertising
campaigns in order to help us improve our campaigns and the content for those
who engage with our advertising. For example, Google Inc. (“Google”) uses
cookies in connection with its Google Analytics services. Google’s ability to use
and share information collected by Google Analytics about your visits to the
Service is subject to the Google Analytics Terms of Use and the Google Privacy
Policy. You have the option to opt-out of Google’s use of cookies by visiting the
Google advertising opt-out page at www.google.com/privacy_ads.html or the
Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/
gaoptout.
iv. Retargeting/Advertising Cookies. Retargeting/Advertising Cookies collect data
about your online activity and identify your interests so that we can provide
advertising that we believe is relevant to you.
v. You can decide whether or not to accept Cookies through your internet browser’s
settings. Most browsers have an option for turning off the Cookie feature, which
will prevent your browser from accepting new Cookies, as well as (depending on
your browser software) allow you to decide on acceptance of each new Cookie in

a variety of ways. You may also be able to reject mobile device identifiers by
activating the appropriate setting on your mobile device. You can also delete all
Cookies that are already on your computer. Although you are not required to
accept Grace Aesthetics and Wellness’s Cookies, if you block, reject, or delete
them, you may have to manually adjust some preferences every time you access
the Service as some functionalities may not work.
vi. To explore what Cookie settings are available to you, look in the “preferences” or
“options” section of your browser’s menu. To find out more information about
Cookies, including information about how to manage and delete Cookies, please
visit http://www.allaboutcookies.org.

f. Meta Pixel. We use the visitor action pixel from Meta Platforms, Inc. (1 Hacker Way,
Menlo Park, CA 94025, USA, or, if you are based in the EU, Meta Platforms Ireland Ltd.,
4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta,” formerly known
as Facebook)) on our Website.
This allows user behavior to be tracked after they have been redirected to the Website
by clicking on a Facebook ad. This enables us to measure the effectiveness of Facebook
ads for statistical and market research purposes. The collected data remains anonymous
and we cannot see any personal data of individual users.
However, this data is stored and processed by Meta, which is why we’re informing you,
based on our knowledge of the situation. Meta may link this information to your Facebook
account and also use it for its own promotional purposes, in accordance with Meta’s
Privacy Policy, which you can visit at https://www.facebook.com/privacy/policy. You can
allow Meta and its partners to place ads on and off Meta. A cookie may also be stored on
your computer for these purposes. To learn more about Meta’s privacy practices and
make use of various privacy controls offered by Meta, you can visit https://
www.facebook.com/privacy/center.

2. Use of Information Collected By Grace Aesthetics and Wellness. Grace Aesthetics and
Wellness uses the Personal Information collected in an effort to improve your experience with the
Service, to provide services to you and to communicate with you about information that you
request. Grace Aesthetics and Wellness may also use Personal Information to help target specific
offers to you and to help Grace Aesthetics and Wellness develop and improve its Service.
Additionally, Grace Aesthetics and Wellness may use your Personal Information to do any of the
following:
a. Respond to user service requests,
b. Administer user accounts,
c. To perform core business functions,
d. Respond to your questions and concerns,
e. To communicate with users about our products, services, and related issues, and/or
f. Conduct research and analysis.
3. Sharing of Information with Third Parties. Grace Aesthetics and Wellness will not rent, sell or
otherwise disclose your Personal Information to unrelated third parties without your consent,
except as stated in this Privacy Policy. Grace Aesthetics and Wellness may disclose Personal
Information to its parent, subsidiary, affiliates, and other related companies without your consent.
Grace Aesthetics and Wellness may disclose Personal Information to service providers for the
purposes of operating our business, delivering, improving, and customizing our products or
services, sending marketing and communications related to our business, payment processing,
and for other legitimate purposes permitted by applicable law. To the extent permitted by law,
Grace Aesthetics and Wellness will disclose Personal Information to government authorities or
third parties pursuant to a legal request, subpoena, or other legal process. Grace Aesthetics and
Wellness may also use or disclose your Personal Information as permitted by law to perform
charge verifications, apply or enforce the Service’s Terms of Use, or protect Grace Aesthetics and
Wellness’s rights, interests, or property as well as those of Grace Aesthetics and Wellness

affiliates, customers, or Service users. If Grace Aesthetics and Wellness sells all or part of its
business or makes a sale or transfer of assets or is otherwise involved in a merger or business
transfer, you agree that Grace Aesthetics and Wellness may transfer your Personal Information to
a third party as part of that transaction. Exceptions to these requirements may apply where the
disclosure of Personal Information is necessary for Grace Aesthetics and Wellness to coordinate
with service providers, carry out its employment law obligations, or for other reasons as permitted
by applicable law.
4. Security of Personal Information. Grace Aesthetics and Wellness has reasonable and
appropriate safeguards in place to help protect the Personal Information Grace Aesthetics and
Wellness collects from loss, misuse, and unauthorized access, disclosure, alteration, and
destruction. Although Grace Aesthetics and Wellness attempts to protect the Personal Information
in our possession, no security system is perfect, and Grace Aesthetics and Wellness cannot
promise that your Personal Information will remain absolutely secure in all circumstances.
5. Data Integrity and Purpose Limitation. Grace Aesthetics and Wellness limits the use of
Personal Information to ways that are compatible and relevant to the purposes for which the
Personal Information was collected or subsequently authorized or for which consent was
obtained. Grace Aesthetics and Wellness will take reasonable steps to ensure that Personal
Information is reliable for its intended use, accurate, complete, and current.
6. Retention of Personal Information. Grace Aesthetics and Wellness will retain your Personal
Information as needed to fulfill the purposes for which it was collected. Grace Aesthetics and
Wellness will retain and use your Personal Information as necessary to comply with Grace
Aesthetics and Wellness’s business requirements, legal obligations, resolve disputes, protect our
assets, and enforce our agreements.
7. Aggregated De-Identified Information. Grace Aesthetics and Wellness may provide aggregated
information related to your Personal Information to some of Grace Aesthetics and Wellness’s
business partners. This information is used in a collective manner and does not identify you
individually in any way. In addition, as set forth in the Terms of Use for the Service, Grace
Aesthetics and Wellness may, subject to the limitations set out in the Terms of Use, use certain
de-identified personal health information.
8. Security.
a. The security of your Personal Information is important to us. We seek to protect your
Personal Information from unauthorized access, use and disclosure using appropriate
physical, technical, organizational and administrative security measures based on the
type of Personal Information and how we are processing that data. We endeavor to follow
generally accepted industry standards to protect the Personal Information submitted to
us, both during transmission and in storage. We store and process your information on
our servers in the United States. We maintain what we consider industry standard backup
and archival systems. You should also help protect your data by appropriately selecting
and protecting your password and/or other sign-on mechanism; limiting access to your
computer or device and browser; and signing off after you have finished accessing your
account.
b. Although we work to protect the security of your account and other data that we hold in
our records, for example, by making good faith efforts to store Personal Information in a
secure operating environment that is not open to the public, please be aware that no
method of transmitting data over the Internet or storing data is completely secure. We
cannot and do not guarantee the complete security of any data you share with us, and

except as expressly required by law, we are not responsible for the theft, destruction, loss
or inadvertent disclosure of your information or content.
c. We retain Personal Information about you consistent with all internal policies and
procedures. We may retain Personal Information to comply with our legal obligations,
resolve disputes or collect fees owed, or as is otherwise permitted or required by our data
retention policies and procedures.

9. Children’s Privacy.
a. The Service is not directed to or intended for use by children under 18 years of age. If
you are a child under the age of 18, please do not attempt to register for or otherwise use
the Service or send us any Personal Information. By accessing, using and/or submitting
information to or through the Service, you represent that you are not under the age of 18.
As noted in the Terms of Use, we do not knowingly collect or solicit Personal Information
from children under the age of 18. If we learn that we have received any Personal
Information directly from a child under age 18 without first receiving his or her parent’s
verified consent, we will use that Personal Information only to respond directly to that
child (or his or her parent or legal guardian) to inform the child that he or she cannot use
the Service. We will then subsequently delete that child’s Personal Information. If you
believe that a child under 18 may have provided us with Personal Information, please
contact us at info@gracemedspas.com.
b. If you are between age 18 and the age of majority in your place of residence, you may
use the Service only with the consent of or under the supervision of your parent or legal
guardian. If you are a parent or legal guardian of a minor child, you may, in compliance
with the Terms of Use, use the Service on behalf of such minor child. Any information that
you provide us while using the Service on behalf of your minor child will be treated as
Personal Information as otherwise provided in this Privacy Policy. If you use the Service
on behalf of another person, regardless of age, you agree that Grace Aesthetics and
Wellness may contact you for any communication made in connection with providing the
Service or any legally required communications. You further agree to forward or share
any such communication with any person for whom you are using the Service on behalf.
10. Controlling Your Personal Information and Notifications. If you are a registered user of the
Service, you can modify certain Personal Information or account information by logging in and
accessing your account. If you wish to close your account, please email us at
info@gracemedspas.com. Grace Aesthetics and Wellness will use reasonable efforts to delete
your account as soon as reasonably possible. Please note, however, that Grace Aesthetics and
Wellness reserves the right to retain information from closed accounts consistent with our internal
data retention policies and procedures. You must promptly notify us if any of your account data is
lost, stolen, or used without permission.
11. Links to Third Party Websites from our Website. To the extent that our Website contains links
to sites operated by third parties and not related to our products or services (“Linked Websites”),
the Linked Websites are not controlled by us and we are not responsible for the privacy practices
of those companies. Before disclosing your Personal Information to Linked Websites, we advise
you to examine their privacy policies. Disclaimer: Facebook, Twitter, LinkedIn, YouTube,
Instagram, nor any other brand mentioned on our Website endorses or sponsor this Website and
are in no way affiliated with Grace Aesthetics and Wellness.
12. Maryland’s Notice Requirement.
a. PIPA. The Maryland Personal Information Protection Act (“PIPA”) provides Maryland
residents with the right to be notified of a security breach regarding their Personal
Information. This section describes your PIPA rights and explains how to exercise those

rights. If you have any questions about this section or whether any of the following
applies to you, please contact us at info@ gracemedspas.com and indicate “Maryland
Notification Requirement” in the subject line of your communication.
b. Notice. If at any time during or after our relationship we believe that the security of your
Personal Information may have been compromised, you will receive a notice from us as
soon as reasonably practicable, but not later than 45 days, unless we reasonably
determine that a breach does not create a likelihood that Personal Information has been
or will be misused. If a notification is appropriate, we will endeavor to notify you as
promptly as possible under the circumstances. If we have your email address, we may
notify you by email to the most recent email address you have provided us in your
account profile. Please keep your email address in your account up to date. You can
update that email address anytime in your account profile. If you receive a notice from us,
you can print it to retain a copy of it. To receive these notices, you must check your email
account using your computer or mobile device and email application software. You
consent to our use of email as a means of such notification. If you prefer for us to use the
U.S. Postal Service to notify you in this situation, please email us at
info@gracemedspas.com. Please include your address when you submit your request.
You can make this election any time, and it will apply to notifications we make after a
reasonable time thereafter for us to process your request. You may also use this email
address to request a print copy, at no charge, of an electronic notice we have sent to you
regarding a compromise of your Personal Information.

13. Changes to this Privacy Policy. We reserve the right to amend our Privacy Policy at our
discretion and at any time. When we make changes to the Privacy Policy, we will notify you by
email or through a notice on our website homepage. Use of the information we collect is subject
to the Privacy Policy in effect at the time such information is collected. You should review this
Privacy Policy periodically so that you keep up to date on our most current policies and practices.
The effective of the latest version of our Privacy Policy is located at the beginning of this Privacy
Policy.
14. Contact Information. If you have any questions or comments about this Privacy Policy, the ways
in which we collect and use your Personal Information, your choices and rights regarding such
use, please do not hesitate to contact us at:
Email: info@gracemedspas.com
Address: 1030 Liberty Rd. Suite 100 Eldersburg, MD 21784
Phone: 443-398-8425