Legal

Privacy Policy

Last updated: May 7, 2026

Arrive ("Arrive," "we," "us") is a clinical operations platform for mobile medspas, operated by Emerson North LLC. This Privacy Policy explains what information we collect, how we use it, and your rights with respect to that information.

1. Who this policy covers

This policy applies to: (a) medspa practices and their staff who use the Arrive platform to manage appointments and clinical records, and (b) clients who book appointments or receive services through a medspa using Arrive.

2. Information we collect

Practice accounts: Practice name, owner name, email address, phone number, business address, timezone, and payment account information (processed via Stripe).

Staff and nurse accounts: Name, email address, and role. Staff accounts created via invite do not require a password — authentication uses one-time sign-in links.

Client information: Name, email address, phone number, appointment history, and health intake information provided prior to services. Health information includes details relevant to the services being performed (such as medical history questions for IV therapy).

Clinical records: SOAP notes, vitals, IV infusion records, Good Faith Exam documentation, before/after photos, and discharge instructions created by licensed nurses during appointments.

Location data: Nurses may share their real-time GPS location during active appointments to provide clients with an "on the way" tracker. This data is not stored after the appointment session ends.

SMS and communications: Phone numbers collected for appointment notifications, reminders, and on-my-way alerts. Message history is retained for recordkeeping purposes.

3. HIPAA and protected health information

Arrive is designed to support HIPAA compliance for the healthcare providers ("Covered Entities") who use our platform. In this context, Arrive acts as a Business Associate and handles Protected Health Information ("PHI") on behalf of healthcare providers under a Business Associate Agreement (BAA).

PHI includes: health intake responses, clinical notes, vitals, treatment records, photos, and any other information that could identify an individual in connection with their healthcare.

How we protect PHI:

• All PHI is encrypted in transit (TLS 1.2+) and at rest.
• Access to PHI is restricted to authenticated staff with appropriate role-based permissions.
• Clinical records are org-scoped — staff can only access records belonging to their practice.
• Audit logging is in place for access to sensitive records.
• PHI is not used for advertising, profiling, or sold to third parties under any circumstances.

If you are a healthcare provider using Arrive and require a Business Associate Agreement, please contact us at hello@emersonnorth.com.

4. Text messaging

Emerson North LLC may send you SMS/MMS messages if you have provided your phone number and consented to receive messages. Messages include appointment confirmations, reminders, and on-my-way notifications. Message frequency varies based on your interactions with us. You may opt out at any time by replying STOP. For help, reply HELP. Message and data rates may apply. We do not share your phone number with third parties for their marketing purposes. SMS delivery is powered by Twilio.

5. How we use your information

We use the information we collect to: deliver the Arrive platform and its features, provide appointment scheduling and clinical documentation tools, send transactional notifications (SMS and email), process payments via Stripe, support nurses with navigation and GPS tracking during active appointments, and improve the platform. We do not sell personal information or use PHI for any purpose outside of providing services to the covered entity.

6. Data sharing

We share information only as necessary to deliver services. Third-party providers include:

• Stripe — payment processing for deposits and service fees
• Twilio — SMS delivery
• Supabase — database and file storage (PHI stored here is encrypted at rest)
• Railway — API hosting
• Vercel — web application hosting

Each of these providers maintains their own security and privacy practices.

7. Data retention

Clinical records are retained for a minimum of 7 years in accordance with standard medical records retention guidelines. Practice and client account data is retained for as long as the account is active. You may request deletion of non-PHI account data by contacting us; PHI deletion requests are handled in accordance with applicable healthcare regulations.

8. Your rights

Depending on your location, you may have rights to access, correct, or request deletion of your personal information. Clients who are patients of a medical practice should contact that practice directly to exercise rights over their PHI. All other requests can be directed to hello@emersonnorth.com.

9. Cookies and tracking

Arrive uses session cookies for authentication only. We do not use third-party advertising trackers or analytics cookies.

10. Changes to this policy

We may update this policy as the platform evolves. Material changes will be communicated via email to active account holders. Continued use after notice constitutes acceptance.

11. Contact

Questions about this policy or to request a Business Associate Agreement: hello@emersonnorth.com