Privacy Policy

1. Who I Am

Essence by Shine is a California-based sole proprietorship operated by Shine, providing facial, skincare, and injectable treatments. This website is operated for clients located in the State of California.

This Privacy Policy applies to information collected through this website (essencebyshine.com) and any optional account you create on it. It works together with my Terms of Use and, if you participate in the referral program, my Referral Program Terms. Appointment booking is handled through a separate third-party platform with its own privacy policy (see Section 4).

Contact for privacy matters:
Use my contact form
California, USA (Bay Area — I'd love for you to come to me, travel available upon request)

2. Information I Collect

Information you provide directly

My website includes several places where you can voluntarily submit information:

General inquiry contact form:

• Name
• Email address
• Phone number (optional)
• Preferred contact method — email, phone, or no preference (optional)
• Your message or question

Coming-soon notification sign-up (for services not yet available):

• Name (optional)
• Email address
• Treatment interest (optional)
• Question or note (optional)

Notification sign-up information is used solely to contact you when the requested service becomes available.

Account registration (only if you choose to create an account):

• Name
• Email address
• Password (stored as a one-way hash — I cannot read your password)
• If you sign in with Google or Apple, the unique identifier and email that the provider returns (see "Third-party sign-in providers" below)
• If you register a passkey (WebAuthn), the public key and a device label your browser chooses — never your biometric data and never anything that could sign in to another site

Account security data (created automatically when you use those features):

• If you enable two-factor authentication (2FA): an encrypted shared secret used by your authenticator app, and a small set of one-time recovery codes (stored as hashes)
• If you check "Keep me signed in" at sign-in: a long-lived "remember-me" token along with the IP address, a short device/browser label (User-Agent), the time it was last used, and its expiration date — visible to you on the dashboard so you can revoke it
• Active session information (a session token tied to your account, used to keep you signed in for the current visit)

Review submission form:

• First name (the name shown publicly if I approve and publish the review)
• The service or services you're reviewing (and an optional "other" description)
• An approximate date of service (optional)
• Your review text
• If you submit while signed in, your account email is associated with the review internally so I can verify it; your email is never displayed publicly

Reviews are not published automatically. I review each submission and publish only those I approve. Approved reviews are displayed publicly on the Site under your first name and the service category, as described in the Terms of Use. Email addresses, last names, and phone numbers are not displayed publicly. You can request removal of any approved review at any time by contacting me.

Referral program data (if you receive a referral link or share yours):

• If you follow someone's referral link and choose to "save your info" without creating an account: your name, email (optional), and phone number (optional), stored only to attribute the referral and to follow up about your first visit
• If you have an account, every click of your personal referral link, the resulting sign-up or lead, and the status of any credit earned, so I can show this back to you in your dashboard

I do not collect appointment details, health information, treatment notes, or payment data through this website. All appointment booking is handled through a third-party scheduling platform, which has its own privacy policy (see Section 4).

Third-party sign-in providers

If you choose to sign in with Google or Apple, that provider authenticates you and shares a small profile with me — typically your name, email, and a stable identifier. Your password and any other information held by the provider stay with the provider. I do not receive your contacts, calendar, photos, or anything else outside of basic sign-in information. Use of those buttons is governed by the provider's own terms and privacy policy:

• Google Privacy Policy
• Apple Privacy Policy

Information collected automatically

When you visit my website, the web server automatically logs standard technical information, including:

• Your IP address
• Browser type and version
• Device type (desktop/mobile)
• Pages visited and time spent
• Referring URL (the site you came from)

This server log data is used solely for security and site maintenance purposes. It is not linked to your personal identity and is not shared with third parties.

Cookies and local storage

This website does not use advertising cookies, tracking pixels, or analytics services. A small number of cookies and browser storage items are used solely for essential functionality:

Cookies (stored in your browser, sent to the server)

• Session cookie — set when you sign in to your account. Keeps you signed in during your visit and is cleared when you sign out or the session expires.
• "Remember-me" cookie — set only if you check "Keep me signed in" at sign-in. Keeps you signed in across browser sessions on that device, on a sliding window (currently up to about 60 days). You can see and revoke every active "remember-me" device from the dashboard.
• CSRF token cookie — a random value used to confirm that sensitive form submissions came from the page you're actually viewing. Strictly defensive; not used for tracking.
• Referral cookie (ebs_ref) — set when you follow a referral link shared by another client. Used only to attribute your visit so the person who referred you can receive credit if you complete a service. Expires after 90 days. Never used for advertising or behavioral tracking.
• Signup-source cookie (ebs_signup_source) — set if you click a sign-up prompt the Site offers (for example, the referral-program prompt). Records which on-site prompt led to your sign-up so I can tell whether those prompts are useful. Stored for up to one year. Not shared with anyone and not used for advertising.

Local storage (stored on your device only, never sent to the server)

• Cookie notice acknowledgment — remembers that you have dismissed the cookie notice.
• Display theme preference — remembers your chosen color scheme (system default, light, or dark) if you have changed it via the display settings page.
• Booking tip preference — remembers if you have chosen not to see the booking tip reminder again.
• One-shot prompt history — a small list of which one-time prompts (e.g., the referral-program nudge) you have already dismissed, so you don't see them again.

No cookies are set for marketing, retargeting, or behavioral tracking purposes. If this changes in the future, this policy will be updated and you will be notified through an updated cookie notice before any new tracking begins.

Global Privacy Control (GPC)

I honor the Global Privacy Control browser signal as an opt-out preference under the CCPA/CPRA. Because I do not sell or share your personal information for cross-context behavioral advertising in the first place, no further action is required when GPC is detected — but I treat the signal as a clear instruction to keep things that way.

3. How I Use Your Information

I use the information I collect only for these purposes:

• To respond to you — replying to contact-form messages, coming-soon notification sign-ups, and referral-program lead submissions.
• To run your account — letting you sign in, reset your password, verify your email, set up two-factor authentication, manage signed-in devices, change your password, and use a passkey if you choose.
• To run the referral program — attributing referral clicks to the person who shared the link, tracking the status of each referral, calculating credits, and showing your dashboard the activity on your link.
• To moderate and publish reviews — reviewing what you submit and, where I approve it, displaying it publicly under your first name as described in Section 2 and the Terms of Use.
• To keep the Site safe and working — using server logs, security tokens, the CSRF cookie, and the IP/device label on remember-me sessions to detect abuse, prevent fraud (including referral fraud), and recover from incidents.
• To send transactional email — for example: a verification link when you register, a password-reset link when you ask for one, recovery codes for 2FA, and (occasionally) a notice about a change to these policies.
• To comply with the law — when I'm legally required to retain or disclose information.

Marketing communications

I do not currently send marketing email. If I add an opt-in for promotional messages in the future, the opt-in toggle will appear on your dashboard and will default to off — you'll receive promotional email only after you actively turn it on. Every promotional email I do send will include a clear way to unsubscribe, and unsubscribing will not affect your ability to receive transactional or account-related email (password resets, verification, security alerts) or the services I provide.

What I will never do with your information

I will not sell or rent your information. I will not use your information for cross-context behavioral advertising. I will not run automated decision-making against your information that produces legal or similarly significant effects. I will not use information you submit on this Site to train any third-party machine-learning model.

I retain contact-form submissions, coming-soon sign-ups, and referral leads only as long as necessary to follow up with you, and I retain account information for the life of your account (see Section 9). You can ask me to delete information sooner — see Section 6 for how.

4. Appointment Booking & Third-Party Platform

I encourage you to review the privacy policy of the booking platform before submitting your appointment information. I select platforms that maintain appropriate security standards for the data they handle.

5. How I Share Your Information

I do not sell, rent, or trade your personal information to any third party.

The only personal information collected through this website is what you voluntarily submit via my general inquiry form (name, email, message). I may share this only in these limited circumstances:

• Legal obligations: If required by California law, a court order, or to protect the safety of any person.
• Business transfer: In the unlikely event of a sale or transfer of the business, personal data may be transferred to a successor — subject to the same privacy protections.

6. Your California Privacy Rights

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the following rights regarding their personal information held by me:

Right to Know

You have the right to request that I disclose what personal information I have collected about you, the categories of sources, the business purpose for collecting it, and any third parties with whom it was shared.

Right to Delete

You have the right to request deletion of your personal information that I have collected, subject to certain exceptions (e.g., if needed to complete a transaction you requested or comply with a legal obligation).

Right to Correct

You have the right to request that I correct inaccurate personal information I hold about you.

Right to Opt Out of Sale or Sharing

I do not sell or share your personal information with third parties for cross-context behavioral advertising. You do not need to take any action to opt out of a sale that does not occur.

Right to Non-Discrimination

I will not discriminate against you for exercising any of these rights. Exercising your privacy rights will not affect your ability to receive services from me.

How to exercise your rights

To submit a privacy rights request, use my contact form. I will respond to verifiable requests within 45 days as required by California law. I may need to verify your identity before processing your request.

7. California Online Privacy Protection Act (CalOPPA)

In compliance with the California Online Privacy Protection Act (CalOPPA), I commit to the following:

• Users can visit my site anonymously.
• This Privacy Policy is linked clearly from my website and is accessible from every page via the footer.
• I will notify users of any material changes to this policy by updating the Effective Date and, where appropriate, posting a notice on the homepage.
• Users can update their personal information by contacting me directly.

8. Data Security

I take reasonable and appropriate technical measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These include:

• HTTPS encryption for all website traffic
• Limited access to client records (myself only)
• Use of reputable, security-audited third-party platforms where applicable

No method of transmission over the internet is 100% secure. While I strive to protect your information, I cannot guarantee absolute security.

9. Data Retention

I retain your personal information for as long as necessary to provide services to you and comply with my legal obligations. Specifically:

• Contact form inquiries and coming-soon sign-ups: Retained until the inquiry is resolved, or for up to 1 year for reference purposes.
• Account information: Retained for as long as your account is open. When you close your account or ask me to delete it, I remove your profile, sessions, remember-me devices, 2FA secrets, recovery codes, and registered passkeys, subject to limited exceptions for fraud prevention and legal obligations.
• Reviews: Approved reviews are retained as long as they remain published. You can request removal at any time and I'll take the review down within a reasonable period.
• Referral records: Retained for as long as your account is open and for a limited period afterward to honor any earned-but-unpaid credit and to detect fraud.
• Email-verification and password-reset tokens: Expire automatically (typically within 24 hours) and are deleted shortly after.
• Server logs: Automatically purged after 90 days.

You may request deletion of your personal information at any time (subject to the exceptions described in Section 6), and I will honor those requests promptly.

10. Children's Privacy

Account-based features of the Site are intended for adults (see the Terms of Use, Section 2). My website and services are not directed to children under the age of 16, and I do not knowingly collect personal information from anyone under 16. If you believe I have inadvertently collected information from a minor, please contact me immediately and I will delete it promptly.

11. Third-Party Links

My website may contain links to third-party websites (for example, social media profiles or review platforms). These sites have their own privacy policies, and I am not responsible for their content or practices. I encourage you to review the privacy policy of any third-party site you visit.

12. Changes to This Policy

I may update this Privacy Policy from time to time to reflect changes in my practices or applicable law. I will update the Effective Date at the top of this page and, for material changes, post a notice on my homepage.

Continued use of my website after any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact me directly:

This Privacy Policy was prepared for Essence by Shine, a California-based aesthetics studio. It is provided for informational purposes and does not constitute legal advice. For complex compliance questions, consult a California-licensed attorney.