
Privacy Policy

Facial Salon Skincare by Ellen

Effective date: January 1, 2025
Location: Chicago, Illinois, USA
Contact: Privacy Officer, Facial Salon Skincare by Ellen
Email: info@skincarebyellen.com
Phone: (309) 703-7222
Address: [1754 W Division St. Chicago, IL 60622]

This Privacy Policy explains how Facial Salon Skincare by Ellen (“we,” “us,” “our,” or “the Salon”) collects, uses, stores, shares, and protects personal information about clients, prospective clients, website visitors, contractors, and other individuals (collectively, “you” or “individuals”). It describes your privacy rights and how to exercise them. This Policy is intended to comply with applicable federal law and the laws of Illinois (including the Biometric Information Privacy Act and Illinois breach-notification laws) and will be interpreted consistently with those requirements. Where specific state or federal laws (e.g., HIPAA) apply, we will follow the additional rules described below.

Please read this Policy carefully. By booking services, visiting our salon, using our site, or providing information to us, you accept the practices described in this Policy.

1. Scope & Applicability

This policy covers personal information collected by the Salon:

  • In person at our Chicago location(s);
  • Through our website and online booking systems;
  • By phone, email, SMS/text, social media and other electronic communications; and
  • In written forms (consent forms, intake forms), photographs, and other media.

This Policy does not apply to information that has been de-identified or aggregated so that it cannot reasonably identify an individual.

2. Types of Personal Information We Collect

We collect the following categories of personal information depending on the services and interactions:

A. Identifying information

  • Full name, preferred name, date of birth (when necessary for records), mailing address, email address, phone number, emergency contact.

B. Appointment & service information

  • Service history, appointment dates/times, stylist/esthetician notes, treatment preferences, product usage and purchase history.

C. Health-related / sensitive information

  • Skin conditions, allergies, medical history, medications, pregnancy status, or other health information that you voluntarily disclose during intake and treatment. (Such information is treated as sensitive and is protected accordingly.)

D. Payment & billing information

  • Payment card details or other payment instrument details (collected through third-party payment processors), billing address, transaction history, invoices.

E. Technical & usage information

  • IP addresses, device and browser information, website usage logs, cookies and similar tracking technologies.

F. Images & biometric data

  • Photographs (before/after photos) or images of your face or skin taken during consultations or treatments. In some cases we may collect biometric identifiers or information (for example, facial scans used by certain analysis tools). If we collect biometric identifiers or biometric information, we will comply with Illinois law (see Section 5 on Biometric Information).

G. Communications

  • Messages you send us (by email, chat, SMS/text or social media), marketing preferences and opt-in/opt-out choices.

3. How We Collect Personal Information

We collect information:

  • Directly from you (intake forms, appointment booking, in-person conversations, emails, phone calls, SMS/texts);
  • Automatically when you use our website (cookies and analytics);
  • From third parties (e.g., booking platforms, payment processors, referral partners, public directories) with your consent or as permitted by law;
  • From photographs, images and treatment records you provide or authorize us to take.

4. Purposes For Which We Use Personal Information

We use personal information to:

  • Provide the requested services and treatments (booking, scheduling, consultations, delivering services);
  • Maintain client medical/intake records, treatment histories and safe care (including allergy or contraindication checks);
  • Process payments, invoices, refunds, and communicate about billing;
  • Communicate appointment reminders, confirmations, follow-ups, and any safety notices;
  • Send marketing and promotional materials (with your consent where required) and manage preferences;
  • Maintain security, prevent fraud and abuse, and fulfill legal or regulatory obligations;
  • Comply with legal obligations (e.g., public health reporting, subpoena or court order) and to respond to legal requests;
  • Improve our services, website, and business operations (analytics, product improvement).

Legal basis for processing: we rely on consent (for sensitive data and marketing), contractual necessity (to perform services you request), legitimate interests (for business operations, security, record-keeping), and compliance with legal obligations. For any processing that requires express consent under law (for example, certain biometric processing under Illinois law), we will obtain the required consent before collection.

5. Biometric Information — Illinois (BIPA) Compliance

If we collect biometric identifiers or biometric information (e.g., facial scans used for automated skin analysis or identity verification), we will comply with the Illinois Biometric Information Privacy Act (BIPA) and any amendments thereto. In particular, we will:

  • Provide written (or electronic where allowed) notice that biometric data will be collected and the purpose and length of time for which the data will be stored, used, and retained. (We note that recent legislative changes permit certain electronic consent mechanisms; we will follow current Illinois law regarding permissible consent formats.)
  • Obtain informed consent from the individual prior to collecting their biometric identifiers or biometric information.
  • Maintain a publicly available written policy describing our retention schedule and destruction guidelines for biometric information, and we will destroy biometric data when the initial purpose has been satisfied or within three (3) years of the individual’s last interaction with us, whichever is earlier, unless otherwise required by law.
  • Not sell, lease, trade or otherwise profit from biometric data and only disclose it as permitted by law (e.g., with your consent or to comply with legal process). If we intend to use biometric data for any new purpose, we will obtain an additional written consent specific to that purpose.

6. Health Information and HIPAA Considerations

  • Medical/health-related information: Some skincare treatments and esthetic services involve collection of medical details (conditions, medications, contraindications). We treat such information as sensitive and apply strong security controls.
  • HIPAA: Generally, HIPAA applies to covered healthcare providers and health plans. If the Salon engages in activities that cause it to be a HIPAA-covered entity (for example, if services are billed to health insurance or medical procedures are supervised by a licensed medical provider and the Salon transmits protected health information electronically to a covered entity), then HIPAA will apply and we will comply with HIPAA’s privacy and security requirements (including patient rights and breach rules). If you believe HIPAA should apply to information we hold, contact our Privacy Officer (contact details above) and we will confirm and respond as required.

Non-HIPAA businesses that collect sensitive health information may also be subject to the FTC’s Health Breach Notification Rule in the event of a breach, and we will comply with federal breach-notification obligations where applicable.

7. Sharing Personal Information — Who We Share With

We may share personal data with third parties only as needed and in limited ways, including:

  • Service providers & subprocessors: payment processors, appointment/booking platforms, email/SMS providers, analytics providers, IT and cloud hosting providers, labs for product testing, and other suppliers who perform services for us. We require vendors to protect data and to use it only for the contracted purposes.
  • Professional advisors: lawyers, accountants, or insurance brokers when necessary to operate and protect the Salon.
  • Regulators and law enforcement: if required by law, or to comply with a subpoena, court order, or governmental investigation.
  • Business transfers: in connection with a merger, sale, change in control, or asset sale — with notice to affected individuals where required by law.
  • With your consent: where you expressly authorize sharing (for example, with your physician, or for marketing collaborations).

We do not sell or rent your personal data for third-party marketing purposes. (If this practice changes, we will provide notice and a means to opt out.)

8. Cookies, Tracking & Website Analytics

Our website may use cookies, web beacons, and similar technologies to operate the site and analyze usage (for performance, improvement, and marketing). You can control cookie preferences through your browser settings and our cookie consent tool (if available). Third-party services (e.g., analytics, advertising networks, social media) may set cookies when you visit our site; their practices are governed by their privacy policies.

9. Data Retention & Deletion

We retain personal information only for as long as necessary for the purposes listed in Section 4 and to comply with legal, accounting, or reporting requirements. Examples of typical retention periods (subject to legal/regulatory requirements) include:

  • Appointment records, treatment notes, and health/intake forms: retained for the duration necessary for care and business recordkeeping — generally at least 3–7 years (or as required by state/federal law for medical records if applicable).
  • Payment and billing records: retained for tax and accounting purposes (commonly 7 years).
  • Marketing preferences and account records: retained while your account is active or until you withdraw consent.
  • Biometric data: retained and destroyed according to our written biometric retention schedule and in accordance with Illinois law (destroy when purpose satisfied or within 3 years of last interaction).

When we delete data, we will take reasonable measures to remove it from active systems; copies may remain in backups for a limited time for operational or legal reasons.

10. Data Security

We maintain administrative, technical, and physical safeguards designed to reasonably protect personal information from unauthorized access, use, alteration, and disclosure. Examples include access controls, encryption for electronic records where feasible, secure storage for physical records, staff training, and routine monitoring. No system is completely secure; if we discover a breach affecting your personal information, we will follow applicable breach-notification laws and notify affected individuals and regulators as required. Under Illinois law, notification to affected residents must be made without unreasonable delay; a 45-day timeframe applies as a benchmark for certain state agencies, and we will follow all timing requirements that apply to us.

11. Your Rights & Choices

Subject to applicable law, you may have the following rights with respect to your personal information. To exercise these rights, contact our Privacy Officer at info@skincarebyellen.com or the phone number above. We may ask for information to verify your identity before responding.

  • Access / Data Portability: Request a copy of personal information we hold about you.
  • Correction / Update: Request correction of inaccurate or incomplete information.
  • Deletion / Erasure: Request deletion of personal information where we are not required to retain it.
  • Restriction / Objection: Request restriction of processing or object to processing that is based on our legitimate interests.
  • Withdraw Consent: If processing is based on consent (e.g., for marketing or biometric collection), you may withdraw consent at any time; withdrawal will not affect processing performed prior to withdrawal.
  • Opt-out of Marketing: You may opt out of marketing emails/SMS at any time via unsubscribe links or by contacting us directly.

Response time: We will respond to verifiable requests within a reasonable period and in accordance with applicable law (frequently within 30–45 days, though the timeline may vary depending on the request and whether additional verification or legal review is required).

12. Minors & Children

We do not knowingly collect personal information from children under the age of 13. If we learn we have collected such information without parental consent, we will take steps to delete it. For minors (age 13–17), we will collect personal information only with parental or guardian consent when required by law or when necessary for a treatment for which parental consent is required.

13. International Transfers

Our operations are primarily in the United States. If we transfer personal information to service providers or affiliates located outside the U.S., we will take commercially reasonable steps to ensure that such transfers are protected by appropriate safeguards and contractual protections required by law.

14. Third-Party Links & Social Media

Our website and communications may contain links to third-party sites (e.g., booking platforms, social media). We are not responsible for the privacy practices of those third parties. Please consult their privacy policies.

15. How We Respond to Legal Requests

We may disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or to comply with a court order, subpoena, or other legal process.

16. Changes to This Policy

We may update this Privacy Policy when our practices change or in response to legal or regulatory developments. The “Effective Date” at the top will indicate the most recent revision. Where required by law, we will notify you of material changes (for example, via email, website notice, or an in-salon posting).

17. Contact & How to Submit Requests or Complaints

For questions about this Policy, to exercise your rights, to withdraw consent, to request deletion, or to file a complaint about a privacy practice, contact:

Privacy Officer
Skincare by Ellen
Email: info@skincarebyellen.com
Phone: (309) 703-7222
Address: [1754 W Division St. Chicago, IL 60622]

If you are an Illinois resident and believe we have violated your privacy rights under Illinois law (including BIPA or the Illinois Personal Information Protection Act), you may have the right to seek relief under state law and to contact the Illinois Attorney General’s office. We ask that you first contact our Privacy Officer so we may attempt to address your concerns promptly.

18. Additional Legal References (for informational purposes)

  • Illinois Biometric Information Privacy Act (BIPA) — requirements on notice, consent, retention/destruction of biometric identifiers and information.
  • Illinois Personal Information Protection Act and State breach notification requirements — obligations for notifying residents and the Attorney General after a data breach.
  • Federal Health Breach Notification Rule and FTC guidance on health-related data for non-HIPAA entities.
  • HIPAA — federal rules for covered entities and business associates; may apply if the Salon bills health plans or otherwise functions as a covered entity.