Privacy Policy
Effective Date: May 12, 2026
What this covers
1. Who we are
This policy applies to information collected by Smart Practice Systems Inc., a California corporation doing business as Gro Technologies (also "GroTech," "GroTech AI," "we," "us," or "our"), and the brand Uberhair. Our business address is 1014 Broadway #1159, Santa Monica, CA 90401, USA.
We operate an AI workforce platform for aesthetic medical practices and consumer-facing services for hair restoration and adjacent wellness categories.
2. Information we collect
Information you give us directly
- Account & contact information: name, business name, email address, phone number, mailing address, professional credentials (for providers), date of birth where required for age-restricted services.
- Payment information: processed by our payment processor (Stripe). We do not store full card numbers on our systems.
- Provider information: for medical and non-medical providers, we collect business licensing, NPI (where applicable), state of practice, and clinical specialty information for verification.
- Consumer information: for consumer-facing services (e.g., Uberhair), we collect treatment preferences, photographs you upload (with separate consent), and lifestyle information you choose to share.
- Communications: messages, calls, and emails you send to us, including replies to texts and calls placed to or from our phone numbers.
Information we collect automatically
- Usage data: pages visited, features used, time spent, and referring source.
- Device data: browser type, operating system, IP address, device identifiers.
- Cookies and similar technologies: for authentication, preference storage, analytics, and (where you consent) marketing.
Information from third parties
- Enrichment partners: we may receive verified contact information from business-data providers (such as Apollo, Hunter, SignalHire) when we engage in B2B outreach to medical and non-medical practices.
- Authentication providers: if you sign in using Google or another OAuth provider, we receive the basic profile information you authorize.
- Provider partners: when a provider in our network refers a consumer to us (or vice versa), we may share necessary patient/consumer information with explicit consent.
3. How we use information
We use personal information to:
- Provide, maintain, and improve our services;
- Process bookings, payments, and provider relationships;
- Send transactional communications (booking confirmations, reminders, system alerts);
- Send marketing communications you have opted in to receive;
- Personalize content and recommendations using AI-driven systems;
- Detect, prevent, and respond to fraud, security incidents, and abuse;
- Comply with legal obligations, including healthcare and securities-law requirements; and
- Develop and train AI models that improve service quality. We do not sell personal information for training third-party AI models.
4. How we share information
We share personal information only as follows:
- Providers in our network: when you book a treatment or consultation through us, we share the information necessary for the provider to deliver care.
- Service providers: companies that help us operate (e.g., Supabase for data storage, Vercel for hosting, Postmark for transactional email, Twilio for SMS, Stripe for payments, Anthropic and Google for AI processing). Each is bound by written agreements limiting their use of your data to providing services to us.
- Legal compliance: when required by law, subpoena, court order, or to protect rights, property, or safety.
- Business transfers: in connection with a merger, acquisition, financing, or asset sale, subject to the protections of this policy.
- With your consent: any other sharing with your explicit permission.
We do not sell personal information. We do not share personal information with third parties for their own marketing purposes.
5. SMS / text messaging
If you provide your mobile number and opt in (by submitting a form, replying YES to a confirmation message, or otherwise affirmatively consenting), we may send you SMS messages including booking confirmations, appointment reminders, follow-up messages, customer service replies, marketing offers (only if separately opted in), and provider communications.
Message and data rates may apply. Message frequency varies. Reply HELP for assistance at any time. Reply STOP to unsubscribe. Carriers are not liable for delayed or undelivered messages. We share your number only with our SMS service provider (Twilio) for the purpose of delivering the message; we do not share your mobile number with affiliates or third parties for their marketing.
For details, see our SMS terms in our Terms of Service.
6. Health information & HIPAA
When we process protected health information (PHI) on behalf of a covered entity (such as a medical provider), we act as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We enter into Business Associate Agreements (BAAs) with covered entities and apply administrative, technical, and physical safeguards consistent with the HIPAA Security Rule.
For Canadian residents, equivalent protections apply under PHIPA (Ontario) and other applicable provincial privacy legislation.
Consumers using our direct-to-consumer services (e.g., Uberhair) provide information directly to us; in those cases we are the data controller and apply equivalent safeguards even where HIPAA does not strictly apply.
7. Your choices
- Email: click "unsubscribe" in any marketing email, or contact privacy@grotech.ai.
- SMS: reply STOP to any text message.
- Cookies: most browsers let you decline or delete cookies. Some features may not function if you do.
- Access & correction: you can request a copy of the personal information we hold about you and correct inaccuracies.
- Deletion: you can request deletion of your personal information, subject to legal and contractual retention requirements.
8. California, Canada, and EU residents
California (CCPA/CPRA): you have the right to know, delete, correct, and limit use of sensitive personal information. We do not sell personal information. To exercise rights, contact privacy@grotech.ai.
Canada: under PIPEDA and applicable provincial laws (including Ontario's PHIPA where health information is involved), you have rights of access and correction. Contact privacy@grotech.ai.
EU/EEA/UK: if you reside in the EU, EEA, or UK, you have rights under GDPR/UK GDPR including access, rectification, erasure, restriction, portability, and objection. Our lawful bases include contract, legitimate interest, consent, and legal obligation. We do not currently target services to EU/EEA/UK residents.
9. Security
We apply industry-standard administrative, technical, and physical safeguards including encryption in transit (TLS), encryption at rest, role-based access control, audit logging, multi-factor authentication for administrative access, and routine vulnerability scanning. No system is perfectly secure; we cannot guarantee absolute security but we work to minimize risk.
10. Data retention
We retain personal information as long as needed to provide services, comply with legal obligations, resolve disputes, and enforce agreements. Health information retention follows HIPAA and applicable state law (typically 6 years from creation or longer for minor patients). Marketing data is retained until you opt out plus a reasonable suppression period.
11. Children
Our services are not directed to children under 13 (or under 16 in jurisdictions where required). We do not knowingly collect personal information from children. If we learn that we have collected such information, we will delete it.
12. Changes to this policy
We may update this policy from time to time. We will post the updated policy here with a new effective date. Material changes will be communicated by email or in-app notice.
13. Contact us
Smart Practice Systems Inc., d/b/a Gro Technologies
1014 Broadway #1159
Santa Monica, CA 90401, USA
Email: privacy@grotech.ai