Hone Privacy Policy
Effective date: May 22, 2026 · Last updated: May 22, 2026
1. Who we are
Hone is a software service for electrolysis and skincare practitioners to manage client records, appointments, treatment notes, and related practice operations.
Hone is operated by Sam Vemuri (an individual operating as Hone, pending incorporation), located in Ontario, Canada.
For privacy-related questions, contact us at privacy@hone.care.
A formal mailing address will be provided here once our registered business address is established. In the interim, written correspondence may be sent to privacy@hone.care and we will provide a mailing address for service of legal documents upon request.
2. Scope
This policy describes how we collect, use, store, share, and protect personal information when you use Hone at hone.care or any subdomain. It applies to:
- Practitioners who sign up to use Hone to run their practice (“Studio Owners” and “Practitioners”)
- Clients of those practitioners whose information is entered into Hone by the practitioner
We process data on behalf of practitioners. Practitioners are the data controllers of their clients’ information. Hone is the data processor.
3. Personal information we collect
From practitioners directly
- Name, email address, phone number
- Login credentials (passwords are hashed, never stored in plaintext)
- Studio name, business address, business contact info
- Billing information (processed by our payment processor, not stored by Hone)
From practitioners about their clients
- Client name, contact information (email, phone, address)
- Date of birth, gender, pronouns
- Skin type, Fitzpatrick classification, allergies, contraindications
- Treatment notes, session records, photos (if uploaded)
- Appointment history, treatment plans, treatment goals
- Emergency contact information
- Health intake responses
Automatically when you use Hone
- IP address, browser type, device information
- Pages visited, actions taken, timestamps
- Cookies and similar technologies for authentication and session management
From third parties
- Authentication providers (Google) if you sign in with them
- Payment processors for billing confirmation
Sensitive health information
Some of the information that practitioners enter about their clients is sensitive health information, including:
- Allergies and contraindications
- Skin conditions and Fitzpatrick skin type
- Treatment notes and clinical observations
- Health intake responses (medical history, medications, conditions)
- Photographs of skin or treatment areas
Sensitive health information receives enhanced protection under Canadian privacy law and our practices:
- Practitioners must obtain explicit, informed consent from clients before entering sensitive health information into Hone
- We apply strict access controls so this information is only visible to authorized practitioners within the client’s studio
- Practitioners are responsible for handling this information in accordance with applicable health information privacy laws in their jurisdiction
- Clients have the right to know what sensitive health information their practitioner has stored about them and to request access through their practitioner
If you are a client and have concerns about sensitive health information stored about you in Hone, contact your practitioner directly. If your practitioner does not respond, you may also contact us at privacy@hone.care.
4. How we use personal information
We use personal information to:
- Provide the Hone service to practitioners
- Authenticate users and secure accounts
- Send appointment reminders and confirmations on behalf of practitioners (only when the practitioner has enabled this)
- Process payments and billing
- Respond to support requests
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Improve the service through aggregate, anonymized analysis
We do not:
- Sell personal information to third parties
- Use client health information for advertising
- Train machine learning models on practitioner or client data
- Access practitioner data except as needed for support (with permission) or required by law
5. Where we store data
Personal information is stored on infrastructure provided by Supabase, hosted in AWS US-East-1 (Northern Virginia, United States).
This means data may be transferred to and stored outside of Canada. The United States has different privacy laws than Canada, and US authorities may have legal access to data stored in the US under US law.
We selected this provider because it offers strong security, reliability, and the technical features needed to operate Hone. We are evaluating Canadian data residency options for future deployments.
Practitioners and clients in Canada should be aware that by using Hone, their information is transferred to and processed in the United States.
6. How we share personal information
We share personal information only as follows:
With service providers who help us operate Hone, under contract:
- Supabase (database and authentication)
- Vercel (web hosting)
- Resend (transactional email delivery)
- Twilio (SMS delivery, when enabled by practitioner)
- Stripe (payment processing, when enabled by practitioner)
- Anthropic (AI-assisted features, when enabled, with data minimization)
When required by law, such as in response to a valid court order, subpoena, or government request, after legal review.
With clients of practitioners, at the practitioner’s direction (e.g., appointment confirmation emails sent to a client).
In connection with a business transfer, such as a merger or sale of assets, with notice to affected users.
We do not share personal information for marketing purposes.
7. Cookies and tracking
We use cookies for:
- Authentication (keeping you signed in)
- Session management
- Security (preventing cross-site request forgery)
We do not use third-party advertising cookies, behavioral tracking cookies, or analytics cookies that share data with advertising networks.
8. Your rights under PIPEDA
If you are in Canada, you have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- Right to access the personal information we hold about you
- Right to correct inaccurate or incomplete information
- Right to withdraw consent to certain uses (subject to legal or contractual restrictions)
- Right to file a complaint with the Office of the Privacy Commissioner of Canada
To exercise any of these rights, contact us at privacy@hone.care. We will respond within 30 days.
If you are a client of a practitioner using Hone, please contact your practitioner first for access or correction requests, as they are the data controller of your information. We will assist your practitioner in fulfilling your request.
9. Data retention
We retain personal information for as long as:
- The practitioner’s account is active
- Necessary to provide the service
- Required by legal or regulatory obligations (typically up to 7 years for billing records)
When a practitioner closes their account, we retain data for 30 days to allow account recovery, then delete it. Practitioners may request immediate deletion in writing.
When a client is deleted by their practitioner in Hone, their record is soft-deleted (marked as deleted but retained for audit purposes) for 30 days, then hard-deleted from active systems. Backups are purged within 90 days.
10. Security
We protect personal information with:
- TLS encryption for data in transit
- Row-level security so practitioners only access their own studio’s data
- Authentication via Supabase Auth using Google OAuth and email magic links. Hone does not collect or store account passwords directly.
- Review of security-sensitive changes before deployment
No system is completely secure. If we become aware of a security breach affecting your personal information, we will notify you and applicable regulators as required by law.
11. Children’s privacy
Hone is intended for use by adult practitioners. Practitioners may store information about minor clients, but only as authorized by the minor’s parent or guardian as part of their professional services.
We do not knowingly collect personal information directly from children under 16. If you believe we have, contact privacy@hone.care.
12. International users
Hone is operated from Canada with infrastructure in the United States. If you access Hone from outside Canada or the US, you consent to the transfer of your information to these jurisdictions.
We do not currently target users in the European Economic Area, United Kingdom, or other jurisdictions with specific data residency requirements. If you are in one of these regions and have concerns, contact us before signing up.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email to account holders at least 30 days before taking effect. The current version is always available at hone.care/privacy.
14. Contact
Privacy questions: privacy@hone.care
Operator: Sam Vemuri (operating as Hone, pending incorporation), Ontario, Canada
Filing a complaint: Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau QC K1A 1H3, https://www.priv.gc.ca