Privacy Policy for Bevelure

Effective Date: June 19, 2026.

This Privacy Policy explains how Bevelure LLC ("Company," "we," "us," or "our") collects, uses, shares, retains, and protects personal information when you use Bevelure, a history-first beauty and wellness treatment tracker and lightweight booking marketplace available as a web application (the "Service"). It applies to the account roles CUSTOMER (clients), CARE_PROVIDER (aestheticians, nail technicians, stylists, salons, and similar wellness professionals), and SALON_ADMIN (salon administrators), and also to certain non-registered individuals whose information is processed through the Service (for example, guests booked by a provider and external providers who fill in appointment details via a link).

Bevelure is a cosmetic and wellness tool only. It is NOT a healthcare provider, and nothing in the Service is medical advice, diagnosis, treatment, or care.

1. Who We Are

Bevelure is operated by Bevelure LLC, based in Miami, Florida, USA. Our business address is 1723 SW 2nd Ave, Unit 902, Miami, FL 33129, USA.

You can reach us about this Privacy Policy or any privacy request at: support@bevelure.com.

  • EU/UK representative (if applicable): If and when we are required under Article 27 of the EU or UK GDPR to designate a representative in the EU or the UK, that representative's contact details will be provided here.

Bevelure is a beauty and wellness treatment-history tracker and a lightweight booking marketplace that connects Customers with Care Providers. We are a cosmetic/wellness platform only. We are not a medical or healthcare provider, and the Service does not provide medical advice or care.

2. The Roles on Bevelure

The Service supports three account roles, and the data we collect depends in part on your role:

  • CUSTOMER — individuals who track their treatment history, book appointments, and choose whether and how to share their history.
  • CARE_PROVIDER — aestheticians, nail technicians, stylists, salons, and similar professionals who list services, manage appointments, and record treatment details.
  • SALON_ADMIN — salon administrators who manage a salon profile, team members, salon-scoped appointments, and related salon records.

In addition, some individuals interact with the Service without holding an account — for example, a guest a provider books by email, phone, or social-media handle; an external (out-of-system) provider who completes appointment details through a one-time link; and anonymous recipients who open a shared history link. We process limited personal information about these individuals as described in Sections 5, 7, and 8. Where the law gives them rights over that information, those rights apply to them too (see Section 11).

Bevelure is for adults only. You must be at least 18 years old to create an account or use the Service. See Section 12 (Children and Minors) below.

3. Categories of Personal Information We Collect

For purposes of the California Consumer Privacy Act, as amended by the CPRA ("CCPA"), the following is a description of the categories of personal information we have collected in the preceding twelve (12) months and that we continue to collect. The specific categories depend on your role and how you use the Service. (Retention for each category is described in Section 10; sources are described in Section 4.)

  • Identifiers and account information (all users): email address, password (stored only as a bcrypt hash — we never store your plain-text password), first and last name, date of birth (collected to confirm you are 18+), sex, city, country, profile photo, preferred language, phone number (in E.164 format), and a social-media link.
  • Customer profile information: an allergies indicator (whether you have allergies) and free-text allergy notes; and your at-home "care routine" content, including care-routine photos and free-text routine notes.
  • Care Provider profile information: service type, years in service, biography, business address (including the precise latitude and longitude captured when you select an address from autocomplete — see Section 9), IANA time zone, languages, uploaded certificates (files, images, or PDFs), the services you offer (name, duration, price) and add-ons, and portfolio images.
  • Appointment information: appointment date and time (stored in UTC, with a snapshot of the provider's time zone), status, and a snapshot of the service, add-ons, and price. Appointment details additionally include: procedure notes, products used, recommendations, provider-only internal notes, customer-only private notes, and three photo collections — result photos, procedure photos (visible to both parties), and customer private photos (visible only to the customer). The Service also supports two-way ratings (1–5) between a Customer and a Care Provider.
  • Messaging: one-to-one chat between a Customer and a Care Provider, including text and photo attachments (see Section 8).
  • Sharing information: read-only "share tokens" (links/QR codes) that a Customer generates to share treatment history, including the procedure type(s) selected, the share scope, an optional recipient email address, expiration time, and basic view metadata (such as view count and last-viewed time). See Section 5.
  • Favorites and notifications: the providers a Customer saves as favorites, and in-app and email notification records.
  • Precise geolocation (sensitive — permission-based): if you permit it, your browser-derived location used to sort providers by distance; and the latitude/longitude associated with a provider's business address. See Sections 6 and 9.
  • Sensitive personal information: as detailed in Section 6 (including allergies and allergy notes, care-routine information, body and face photos, treatment history, and precise geolocation).
  • Internet/network and device information: JWT access and refresh tokens stored in your browser's localStorage (not in cookies; see Section 9), and standard server logs (which may include IP address, browser type, and timestamps).

4. Sources of Personal Information and Information Entered by Others

We collect personal information from the following categories of sources. For CCPA purposes, these are the "sources" from which we collect personal information.

  • Directly from you: information you provide when you sign up, build your profile, enter appointment or care-routine details, upload photos or certificates, chat, rate, book, and share.
  • From the other party to an appointment: because Bevelure is a marketplace, the Customer and the Care Provider each generate information about the appointment. In particular, a Care Provider enters appointment details ABOUT a Customer — including procedure notes, products used, recommendations, provider-only internal notes, and result/procedure photos. This means personal information about you (including sensitive information such as treatment records and provider-only notes) may be entered by the other party, not only by you.
  • From a provider or salon admin who books a guest: a Care Provider or salon administrator can create an appointment for a guest Customer using that guest's email, phone number, or social-media handle. In that case, the guest's contact information and the appointment details are entered by the provider/admin. If that guest later registers, the Service may link ("claim") matching prior guest appointments to the new account based on a matching email address.
  • From an external (out-of-system) provider: where a Customer records an appointment with a provider who is not on Bevelure, that external provider may be invited to fill in appointment details through a one-time link. Information they enter (such as procedure notes, products, recommendations, and photos) is collected through that link.
  • Automatically from your device/browser: server logs and, with your permission, browser geolocation (see Section 9).
  • From service providers: limited operational data from our subprocessors (for example, email delivery status). We do not buy personal information from data brokers.

Lawful bases (where GDPR applies). Where EU/UK data protection law applies, we map each processing purpose to a lawful basis as follows: (a) providing and operating the Service, maintaining your account, calculating available slots, and delivering the sharing feature you request — performance of a contract with you (or steps taken at your request); (b) sending transactional/service notifications, securing the Service, login rate limiting, preventing abuse, debugging, and improving reliability — our legitimate interests in operating a secure and functional service and, where relevant, the other party's legitimate interest in maintaining an accurate treatment record; (c) processing sensitive personal information (allergies, care-routine, body/face photos, treatment history, precise geolocation) and sending any non-transactional email — your consent (Articles 6(1)(a) and 9(2)(a)); and (d) meeting legal obligations and establishing, exercising, or defending legal claims — compliance with a legal obligation and our legitimate interests. You may object to processing based on legitimate interests and withdraw consent at any time (see Sections 6 and 11).

5. How We Use Personal Information

We use the information described above to:

  • Provide and operate the Service — including treatment-history tracking, appointment booking, available-slot calculation, and maintaining your account.
  • Connect Customers with Care Providers through the marketplace, including search and nearest-provider distance sorting.
  • Operate the history-sharing feature (see Section 7), including generating, delivering, displaying, and revoking share links.
  • Send service notifications in-app, by email, and, where SMS is enabled and a phone number is on file, by text message; and maintain outbound delivery/audit records for those messages (see Section 8).
  • Maintain security and prevent abuse — for example, login rate limiting and enforcing access controls.
  • Comply with legal obligations and enforce our terms.

No automated decision-making or profiling with significant effects. We do NOT engage in automated decision-making that produces legal or similarly significant effects about you, and we do NOT conduct profiling for such purposes within the meaning of GDPR Article 22 or of U.S. state profiling-opt-out provisions (such as those in Colorado, Connecticut, and Virginia). Nearest-provider distance sorting and the display of aggregate ratings are simple, non-evaluative features that do not produce legal or similarly significant effects, and they are not used to make decisions about you.

6. Sensitive Personal Information, Biometrics, and Opt-In Consent

Much of what makes Bevelure useful is sensitive. The following may be considered "sensitive personal information" (or special-category data under GDPR) under applicable privacy laws: allergies and allergy notes; at-home care-routine information; body and face photos (including profile, result, procedure, care-routine, and chat-attached photos); treatment history; and precise geolocation (see Section 9).

Opt-in consent — when and how we obtain it. Where applicable law (including the consumer privacy laws of Virginia, Colorado, Connecticut, Texas, and Oregon, and the GDPR) requires opt-in consent before processing sensitive data, we obtain that consent through affirmative action at the point of collection. In practice this means: (a) at signup, you consent to the processing described in this policy as part of creating your account; and (b) at the point you actually enter sensitive content — for example, when you turn on the allergies indicator and add allergy notes, add care-routine information, upload a face/body photo, or grant browser-location permission — your act of providing that information serves as your affirmative opt-in to its processing for the purposes described here. We do not condition use of unrelated parts of the Service on your providing optional sensitive information.

Withdrawing consent. You can withdraw consent at any time by removing the relevant content (for example, deleting allergy notes, removing photos, or revoking browser-location permission), by adjusting your sharing choices (Section 7), or by contacting us at support@bevelure.com. Withdrawal stops future processing based on that consent but does not affect processing that already occurred. Where a Customer chooses to share history (Section 7), the Customer controls that sharing.

Right to limit. Where a state law (such as the CCPA) provides a right to limit the use of sensitive personal information, you may exercise it as described in Section 11. Because we use sensitive information only to provide the Service you request and not for inferring characteristics or for advertising, our use is already limited to those purposes.

No facial recognition or biometric identifiers. Although face and body photos are central to the Service, we do NOT use them to perform facial recognition, and we do NOT generate, collect, or store biometric identifiers or biometric templates (such as faceprints, scans of face geometry, or other unique biological measurements) from them. We do not use photos for biometric identification of any kind. For clarity, we do not knowingly engage in conduct regulated by biometric-specific statutes such as the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), or Washington's biometric privacy law, because we do not create or use biometric identifiers.

Bevelure is a cosmetic/wellness product and does not provide medical advice or care. Provider-only notes are appointment records kept within the Service and are not a substitute for professional medical advice.

7. The History-Sharing Feature — What a Shared Link Exposes, Keeps Private, and Collects

A core feature of Bevelure lets a Customer share their treatment history with a Care Provider. The Customer is always in control of what is shared, with whom, and for how long.

How sharing is initiated:

  • At booking — when booking an appointment, a Customer can choose to share their relevant history with the booked provider.
  • From "My Care Hub" — a Customer can generate a read-only link (and a QR code), and may optionally have it emailed to a recipient.

What the Customer chooses when sharing:

  • Procedure type(s) — sharing is scoped to one or more selected procedure types.
  • Scope — either the "last 5 visits" or the "full history" of those procedure types.

What the shared read-only page EXPOSES: for the in-scope visits, it shows the appointment name/service, dates, procedure notes, products used, recommendations, result photos, and procedure photos. The shared view also includes the Customer's first and last name and the Customer's allergies indicator and allergy notes (so the provider can treat safely).

What the shared link KEEPS PRIVATE: it does NOT expose the Customer's private notes or private photos. On a public link, it also does NOT reveal which OTHER providers performed past visits (the names of other providers are withheld; an in-system provider viewing shared history will see their own name on their own past records only).

Optional recipient email. If you choose to have a share link emailed, the recipient's email address is sent to and processed by our email/SMTP subprocessor (see Section 8) solely to deliver that email, and the address is retained with the share record as described in Section 10. Do not enter a recipient email you are not authorized to use.

Information collected from anonymous viewers. Anyone who opens a share link does so without logging in and without separately accepting this policy. When a link is viewed, the Service records basic view metadata associated with the link, such as view count and last-viewed time, and our servers generate standard logs that may include the viewer's IP address, browser type, and timestamps (see Section 9). We use this limited information to operate and secure the sharing feature. This Privacy Policy serves as notice to anonymous viewers of that collection; if you receive a share link and do not wish your view to be recorded, do not open the link.

Revocation does not retract what was already seen. Share links are time-limited (each has an expiration time) and a Customer can revoke a link at any time, after which it stops working. However, revoking or expiring a link CANNOT retract, delete, or recall information that a recipient already viewed, downloaded, screenshotted, or copied while the link was active. Until a link expires or is revoked, ANYONE who has the link can view the shared page without logging in. Share links only with people you trust, and revoke links you no longer need.

8. Messaging, Notifications, Email, and SMS Choices

Messaging / chat. The Service includes one-to-one chat between a Customer and a Care Provider, which may include text and photo attachments (and attachments can be sensitive, such as body/face photos). Chat content is visible to the two participants in that conversation. We do not routinely monitor the content of private chats, but authorized personnel may access chat content where necessary to operate, secure, troubleshoot, or provide the Service, to enforce our terms, to respond to a lawful request, or to investigate abuse or safety concerns. Chat content is retained as described in Section 10 and is handled as part of your account on deletion (see Sections 10 and 11).

Public vs. private profile information. Some information is, by design, visible to others. A Care Provider's public profile and any shared view may display fields such as the provider's first and last name, profile photo, service type, city/country, business address, languages, services, portfolio images, and aggregate ratings. Two-way ratings and related user-generated content are visible to the relevant counterpart and, for providers, may appear on the public provider profile. A shared history view displays the Customer's first/last name and allergy information to the recipient (see Section 7). Information that is made publicly available may be viewed, indexed, cached, or copied by third parties (including search engines) in ways we cannot control or fully reverse. Provider-only internal notes remain provider-only, and Customer private notes and private photos remain Customer-only.

Transactional email and SMS. The messages we currently send are transactional/service messages — for example, booking and appointment updates, share-link emails you initiate, appointment reminders, and account or security notices. We may send them in-app, by email, and, where SMS is enabled and a phone number is on file, by text message. Because these are necessary to operate the Service, you generally cannot opt out of them while you maintain an account and use the relevant features; to stop receiving them you would deactivate the related feature, remove the relevant contact method where available, or close your account. We do not currently send marketing or promotional email or SMS. If we introduce any non-transactional/promotional messages in the future, we will obtain any required consent and provide a clear unsubscribe mechanism.

Outbound message logs. To operate and troubleshoot transactional messages, we keep an audit record of send attempts, including channel (email/SMS/future push), event type, recipient email address or phone number, related appointment where applicable, provider message ID where available, delivery status such as sent or failed, failure reason, and timestamps.

9. localStorage, Browser Geolocation, Precise Location, and Server Logs

JWT tokens in localStorage (not cookies): To keep you signed in, the Service stores JWT access and refresh tokens in your browser's localStorage. These are not cookies, and we do not use cookies for cross-site tracking. They are used for authentication and session management and are removed from your browser when you log out.

Precise geolocation (permission-based, sensitive). If you grant permission, the Service uses your browser's Geolocation API to obtain your location for the sole purpose of sorting providers by distance. Depending on your device and browser, this location may be precise (i.e., capable of identifying your location within a radius of approximately 1,850 feet) and is therefore treated as "precise geolocation" — a category of sensitive personal information under the CCPA and similar laws. We request it only with your permission, do not use it for any purpose other than distance sorting, and you can decline or revoke this permission in your browser at any time without losing access to the rest of the Service. Separately, when a Care Provider selects a business address from autocomplete, the Service stores the precise latitude and longitude of that business address to enable distance sorting; that business location is also displayed on the provider's public profile. Your rights regarding sensitive personal information, including any right to limit, are described in Sections 6 and 11.

Do Not Track. Some browsers offer a "Do Not Track" (DNT) signal. There is no common industry standard for how to interpret DNT, and because we do not track users across third-party websites or services over time and do not serve behavioral advertising, the Service does not currently respond differently to DNT signals.

Server logs. Like most web services, our servers generate standard logs that may include technical information such as IP address, browser type, and timestamps, used for security, debugging, and operating the Service (including logs generated when anonymous recipients view share links — see Section 7).

10. Data Retention and Deletion

We keep personal information only for as long as needed for the purposes described in this policy, then delete or de-identify it. We use the following retention criteria and periods by category.

  • Active accounts: retained while your account is active and you are using the Service.
  • Account deactivation (soft delete): When an account is deleted in the ordinary course, the Service uses a "soft delete" — the account is marked deleted (a deleted_at marker) and excluded from the Service's queries, so it no longer appears in or functions within the Service. This deactivation is NOT, by itself, a legally compelled erasure; see "Verified erasure requests" below for what happens to your underlying data when you exercise a deletion right.
  • Soft-deleted records: retained in deactivated form for no longer than 90 days before the underlying records are permanently deleted or de-identified, unless a longer period is required for the legal/business reasons below.
  • Appointment and treatment records (including procedure notes, products, recommendations, provider-only internal notes, and photos): retained for as long as your account is active to preserve the treatment history that is the core function of the Service; note that a record may relate to both a Customer and a Provider, which can affect deletion (see below).
  • Chat messages and attachments: retained for as long as your account is active and then deleted or de-identified.
  • Share tokens and share view metadata (including any optional recipient email, view count, and last-viewed time): retained for up to 12 months after the link expires or is revoked.
  • Outbound message logs: retained as needed for support, security, delivery troubleshooting, dispute resolution, and legal compliance, then deleted or de-identified.
  • Server logs: retained for up to 90 days for security and debugging, then deleted or aggregated.
  • Backups: encrypted backups exist for disaster recovery and are retained on a rolling 35-day cycle. When we delete data from the live system, residual copies may persist in backups until those backups are overwritten or purged on the normal cycle; we do not restore deleted data from backups except for disaster recovery.

Verified erasure requests. When you exercise a verified right to delete/erasure (Section 11), we do not merely deactivate (soft-delete) your data. Subject to the exceptions below, we permanently delete or de-identify the personal information we hold about you — including sensitive items such as allergy notes, care-routine content, and your photos (profile, result, procedure, care-routine, and chat attachments) — from our live systems, with residual copies removed from backups on the cycle described above. Where information is shared between a Customer and a Provider (for example, an appointment both participated in), we will delete or de-identify your personal information to the extent we can do so without erasing the other party's lawful record of the same event; we may instead de-identify your portion. We may retain limited information after deletion where permitted or required by law or for legitimate purposes (such as security, fraud prevention, dispute resolution, tax/record-keeping obligations, or completing a transaction you requested), for only as long as necessary for those purposes.

11. Your Privacy Rights, Response Times, and Appeals

Depending on where you live and which laws apply, you may have rights regarding your personal information, and these rights extend to non-registered individuals (such as booked guests and external providers) where the law provides.

U.S. state privacy laws. Residents of states with comprehensive privacy laws — including California (CCPA/CPRA) and states such as Virginia, Colorado, Connecticut, Texas, and Oregon, among others — may have rights to access/know, correct, delete, and obtain a portable copy of personal information, and to opt out of certain processing, where applicable. Where sensitive personal information is processed, you may have the right to limit or to decline its processing (see Section 6).

No sale, no targeted advertising, no relevant profiling. We do NOT sell personal information and do NOT "share" it for cross-context behavioral advertising or process it for targeted advertising, so there is no such activity to opt out of; we will still honor applicable access, correction, deletion, portability, and limit rights. We do not conduct profiling that produces legal or similarly significant effects (see Section 5), so there is no profiling opt-out to exercise. We do not offer financial incentives or loyalty programs in exchange for personal information.

GDPR (EU/UK), where applicable. To the extent we serve users in the EU/UK, those users have rights including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent, as well as the right to lodge a complaint with their supervisory authority. Where we rely on consent (including for sensitive data), you may withdraw it at any time without affecting prior processing (see Section 6). Our lawful bases are described in Section 4.

How to submit a request. You may submit a request by emailing us at support@bevelure.com. Because Bevelure operates exclusively online, we may, to the extent the law allows for online-only businesses, designate email as our primary contact method for requests. We will take reasonable steps to verify your identity (and, for sensitive or deletion requests, may require additional verification) before acting, so that we do not disclose or delete data based on an unverified request. An authorized agent may submit a request on your behalf where the law permits; we may require proof of the agent's authorization (such as written permission or a power of attorney) and may verify your identity directly. We will not discriminate against you for exercising your rights.

Response timelines. CCPA (California): we will confirm receipt within 10 business days and respond within 45 calendar days, extendable by an additional 45 days (up to 90 days total) when reasonably necessary, with notice to you. Virginia, Colorado, Connecticut, Texas, Oregon, and similar state laws: we will respond within 45 days, extendable by an additional 45 days when reasonably necessary, with notice. GDPR (EU/UK): we will respond within one month, extendable by up to two further months for complex or numerous requests, with notice.

Right to appeal. If we decline to act on your request, we will tell you why. Where state law provides an appeal right (including Virginia, Colorado, Connecticut, Texas, and Oregon), you may appeal our decision within a reasonable time by replying to our decision email or by writing to support@bevelure.com with the subject line "Privacy Appeal." We will review the appeal and respond within the period required by the applicable law (for many states, within 60 days). If your appeal is denied, we will provide a method to contact the relevant state Attorney General or regulator to submit a complaint, and (for GDPR) you may also complain to your supervisory authority.

Request metrics. Where we are legally required to disclose annual metrics about consumer requests received, complied with, denied, and our average response time, we will publish those metrics in this Privacy Policy as required.

12. Children and Minors

Bevelure is intended only for adults aged 18 and older. We collect date of birth at signup to confirm eligibility. Age eligibility is based on the self-reported date of birth you provide; we do not perform separate age verification beyond this self-attestation, and date of birth is treated as part of your account information and protected accordingly.

The Service is not directed to children or minors, and we do not knowingly collect personal information from anyone under 18 (including children under 13). If we learn that an account belongs to, or that we have otherwise collected information from, a person under 18, we will promptly delete that person's information (rather than merely deactivating it) and terminate the account. Consistent with Florida's online protections for minors (including HB 3) and other applicable laws, we do not knowingly allow minors to register or maintain accounts. If you believe a minor has provided us information, please contact us at support@bevelure.com.

13. Security and Data-Breach Notification

Security measures. We use reasonable administrative and technical measures designed to protect personal information, including:

  • HTTPS/TLS encryption in production.
  • Password protection using bcrypt hashing (we never store plain-text passwords).
  • JWT-based authentication and login rate limiting to deter abuse.
  • Access controls that enforce the privacy boundaries described in this policy — for example, provider-only internal notes are visible only to the provider, and a Customer's private notes and private photos are visible only to that Customer.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. Please use a strong, unique password and keep your login credentials confidential.

Data-breach notification. Given the sensitive nature of the data on Bevelure (such as allergies, treatment history, and body/face photos), we maintain procedures to detect, investigate, and respond to security incidents. If we determine that a breach of security has compromised, or is reasonably likely to have compromised, your personal information, we will notify affected individuals and, where required, the relevant authorities, as follows:

  • Florida residents (Fla. Stat. § 501.171 / FIPA): we will notify affected individuals without unreasonable delay and no later than 30 days after determining a breach has occurred (subject to lawful delay for law-enforcement needs), and we will notify the Florida Department of Legal Affairs and consumer reporting agencies where the law's thresholds are met.
  • Other U.S. states: we will notify affected individuals and any required regulators in accordance with the applicable state breach-notification statute.
  • GDPR (EU/UK), where applicable: we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach that is required to be reported (Article 33), and we will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).

Our breach notices will describe, to the extent required by law, what happened, the categories of information involved, the steps we are taking, and what you can do to protect yourself.

14. Third Parties and Subprocessors; No Sale of Data

We share personal information with service providers (subprocessors) only as needed to operate the Service. The categories of personal information disclosed to each recipient (for a business purpose, not for sale) are:

  • Geocoding — Photon (OpenStreetMap-based), used for city/address autocomplete. Categories disclosed: only a search query string (for example, partial address or city text). These requests are proxied through our servers; we do NOT send your account information, identifiers, or other personal information to the geocoder.
  • Email delivery / SMTP provider — used to send transactional and notification emails, including share-link emails. Categories disclosed: recipient email address and the contents of the message (for a share-link email, this includes the optional recipient email address you provided — see Section 7).
  • Cloud hosting — Amazon Web Services (AWS), where Service data and uploaded files are stored and processed. Categories disclosed: all categories of personal information described in Section 3, as necessary to host the Service (including photos, certificates, portfolio images, appointment details, and chat content).
  • SMS delivery — Twilio (Twilio Inc.), used to send transactional SMS notifications (such as booking requests, confirmations, cancellations, and appointment reminders) to users and to external recipients who have a phone number on file. SMS is being rolled out and may not be active for all users yet; where it is used, the categories disclosed are the recipient's phone number and the message content. We use SMS only to deliver Service notifications, never for marketing.

Sharing inherent in the marketplace. We also share information between Customers and Care Providers as inherent in the Service — for example, an appointment's shared details, chat messages, ratings, public provider-profile fields, and any history a Customer chooses to share (Sections 7 and 8).

What we do NOT do: We do NOT sell your personal information, and we do not share it for cross-context behavioral advertising or targeted advertising. We do not currently process payments, so we do not share data with payment processors at this time. We may also disclose information if required by law, in response to lawful requests, or to protect our rights, our users, or the public.

15. International Users and Data Transfers

We are based in Miami, Florida, USA, and the Service is hosted in the United States (on AWS). If you access the Service from outside the United States, your personal information will be transferred to, processed, and stored in the United States, which may have data-protection laws that differ from those of your country.

Transfer mechanism (EU/UK). To the extent the GDPR applies to a transfer of personal data from the EEA, the UK, or Switzerland to the United States, we will rely on a valid transfer mechanism, namely the European Commission's Standard Contractual Clauses (and, for the UK, the UK International Data Transfer Addendum/IDTA), and/or another lawful basis or adequacy mechanism where available. You may request a copy of the relevant safeguards by contacting us at support@bevelure.com; we may redact commercial terms.

If you have questions about the legal basis for transferring your information, please contact us at support@bevelure.com.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version with a new Effective Date.

If changes are material, we may provide additional notice as required by applicable law. Your continued use of the Service after an update takes effect indicates your acceptance of the revised policy, to the extent permitted by law.

17. Governing Law and Contact

This Privacy Policy is governed by the laws of the State of Florida, USA, without regard to its conflict-of-laws principles, except where applicable mandatory privacy laws provide otherwise.

Questions, requests, or complaints about this policy or our privacy practices can be sent to:

  • Bevelure LLC
  • 1723 SW 2nd Ave, Unit 902, Miami, FL 33129, USA
  • Email: support@bevelure.com