Privacy Policy
Effective date: April 30, 2026
Spa Ledger ("we," "our," or "us") operates spaledger.co and provides AI-native CFO services to medical spa owners. This policy explains what information we collect, how we use it, and your rights.
Information we collect from website visitors
When you visit spaledger.co, we automatically collect standard server and analytics data, including:
- IP address and approximate location (city/region)
- Browser type, operating system, and device type
- Pages visited, time spent, and traffic source
This data is collected through Cloudflare (our website host) and two analytics tools: Google Analytics and Ahrefs Analytics. Neither tool receives your name, email, or any information that directly identifies you as an individual. See the Cookies section for details on opting out.
When you submit the contact form, we collect:
- Your name and business name
- Your email address
- The accounting software you use (QuickBooks Online or Xero)
- Any additional information you include in your message
When you book a discovery call through Calendly, Calendly collects your name, email address, and scheduling preferences directly. See Calendly's privacy policy at calendly.com/privacy.
Information we collect from clients
When you become a client, we collect access to your financial data across several systems in order to perform CFO-level analysis and reporting.
Accounting software (QuickBooks Online or Xero)
We receive accountant-level access to your account. This gives us read and write access to your chart of accounts, transactions, P&L, and balance sheet. Access is granted through the software's built-in user permission system. You can revoke it at any time from your account settings. We do not store your login credentials.
Point-of-sale and scheduling data
Depending on the practice management system you use (Boulevard, Zenoti, Aesthetic Record, Jane App, Mindbody, or other), we may receive exported or integrated revenue, appointment, and service-line data. This data is used to reconcile your actual revenue by service line against your accounting records.
Injectable vendor data
With your authorization, we access purchasing history and rebate statements from Allergan/Allē, AbbVie, Galderma, Merz, and other injectable vendors you use. This data is used to calculate your actual injectable COGS after vendor rebate offsets and to reconcile those figures against your accounting records.
Payroll data
If provider profitability analysis is part of your service, we receive provider compensation and staffing cost data. This is used to calculate revenue per room hour and provider-level gross margin.
How we use your information
- To respond to your inquiry and determine whether Spa Ledger is a fit for your business
- To provide bookkeeping, COGS reconciliation, and financial analysis
- To deliver your weekly P&L, service-line profitability report, and dashboard
- To send service-related communications: report delivery, billing, onboarding updates
- To improve how we deliver and structure our services
We do not sell, rent, or share your personal or financial information with third parties for marketing purposes.
We do not train AI models on your data. Your financial records, revenue figures, provider compensation, and business information are never used to train machine learning or AI models, whether our own or a third party's. Your data is used only to produce your deliverables.
Cookies and tracking
Our website uses cookies and similar tracking technologies to understand how visitors use the site. No cookies are set for advertising or retargeting.
| Cookie | Purpose | Provider | Duration |
|---|---|---|---|
| _ga, _ga_* | Tracks sessions and pages visited to produce aggregate analytics | Google Analytics | 2 years |
| ahrefs_* | Tracks traffic sources and visitor behavior for analytics | Ahrefs Analytics | Session / 1 year |
To opt out of Google Analytics tracking, use the browser add-on at tools.google.com/dlpage/gaoptout. You can also disable cookies in your browser settings; this will not affect your ability to use the site.
Third-party services
| Service | Purpose | Privacy policy |
|---|---|---|
| Cloudflare | Website hosting, CDN, and security. Processes IP addresses and server logs. | cloudflare.com/privacypolicy |
| Google Analytics | Website analytics. Collects anonymized visitor behavior data. | policies.google.com/privacy |
| Ahrefs Analytics | Website analytics. Collects anonymized traffic data. | ahrefs.com/privacy |
| Formspree | Processes contact form submissions. Stores submissions on Formspree servers. | formspree.io/legal/privacy-policy |
| Calendly | Discovery call scheduling. Collects name, email, and scheduling preferences. | calendly.com/privacy |
| Booke AI | Assists with transaction categorization for client accounts. Client financial data may be processed through Booke AI. | booke.ai/privacy |
| Intuit QuickBooks Online | Client accounting software. We access client accounts with accountant-level permissions. | intuit.com/privacy |
| Xero | Client accounting software. We access client accounts with accountant-level permissions. | xero.com/us/legal/privacy |
Security
We take the following measures to protect client financial data:
- Accounting access: We use accountant-level permissions in QuickBooks Online and Xero — not owner credentials. You can revoke our access at any time without contacting us.
- No credential storage: We do not store your login credentials for any financial system, including accounting software, POS platforms, or injectable vendor portals.
- Dashboard access controls: Your dashboard is protected by email verification. Only the email addresses you authorize can view your data.
- Encrypted transmission: All data transmitted between your systems and ours uses HTTPS. All communications with clients use encrypted email.
- No shared storage: Client financial data is never stored in shared documents, public cloud folders, or unencrypted email attachments.
No method of data transmission or storage is completely secure. We cannot guarantee absolute security, and you acknowledge that you provide your information at your own risk.
Data retention
We retain client financial data and communications for a minimum of three years, consistent with standard bookkeeping practice. If you end your service, we will provide you with a full export of your records upon request and delete our copies within 90 days, unless we are required to retain them by law.
Your rights
You have the right to:
- Request a copy of any personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your information, subject to any legal retention obligations
- Revoke access to your accounting software, POS systems, or vendor portals at any time through those platforms' permission settings
To submit any of these requests, email ridge@spaledger.co.
California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: You can request a list of the categories and specific pieces of personal information we have collected about you.
- Right to delete: You can request deletion of personal information we have collected, subject to certain exceptions.
- Right to correct: You can request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell or share personal information with third parties for cross-context behavioral advertising.
- Right to non-discrimination: We will not discriminate against you for exercising any of these rights.
To submit a California privacy rights request, email ridge@spaledger.co with the subject line "California Privacy Request." We will respond within 45 days.
Changes to this policy
We may update this policy as our service evolves. We will notify active clients of material changes by email at least 14 days before they take effect. The effective date at the top of this page reflects the most recent update.
Questions about this policy? Email ridge@spaledger.co and we will respond within two business days.