Privacy Policy

Last updated: April 21, 2026

Blue Sage (“we,” “our,” or “us”) operates the Blue Sage platform, including the website at bluesage.app and related services (collectively, the “Service”). This Privacy Policy describes how we collect, use, store, and protect information when you use our Service.

1. Information We Collect

Account Information: When you create an account, we collect your name, email address, phone number, business name, and business address. This information is necessary to provide the Service and communicate with you.

Patient Data: When you connect your booking system (such as Vagaro, Boulevard, or Mangomint), we sync patient information including names, phone numbers, email addresses, visit history, and services received. This data is stored securely and used solely to power the messaging workflows you configure.

Message Content: We store the content of messages drafted by our AI, messages you approve and send, and replies received from your patients. This data is necessary to provide the conversation management features of the Service.

Website Visitor Data: When visitors interact with the Blue Sage chatbot widget on your website, we collect information they voluntarily provide, such as their name, phone number, email address, and service interests. We also collect technical data such as IP address (stored in hashed form only) and browser user agent for rate limiting and bot detection.

Usage Data: We collect information about how you use the Service, including pages viewed, features used, approval actions taken, and login timestamps. This helps us improve the product.

Payment Information: Payment processing is handled by Stripe. We do not store credit card numbers or banking details on our servers. Stripe's privacy policy governs the handling of payment data.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Draft personalized patient messages using AI based on treatment history and patient context
• Send approved messages via SMS (Twilio) and email (Resend) on your behalf
• Capture and manage leads from your website chatbot
• Generate analytics and reports about your practice's patient engagement
• Send you account notifications, daily digest emails, and product updates
• Provide customer support
• Detect, prevent, and address technical issues and abuse

3. How We Share Your Information

We do not sell your personal information or your patients' personal information to third parties. We share information only in the following circumstances:

• Service Providers: We use third-party services to operate the platform, including Twilio (SMS delivery), Resend (email delivery), Anthropic (AI message drafting), Supabase (database hosting), Vercel (website hosting), Inngest (job scheduling), and Stripe (payment processing). These providers process data on our behalf and are bound by their own privacy policies and data processing agreements.
• Booking System Integrations: We access your booking system data through authorized API connections that you initiate and can revoke at any time.
• Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
• Business Transfers: If Blue Sage is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

4. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Row-level security policies ensuring strict tenant data isolation — your data is never accessible to other Blue Sage customers
• Secure authentication via Supabase Auth with JWT-based session management
• IP addresses from chatbot interactions are stored only in hashed form — we never store raw IP addresses
• API keys for chatbot integrations are generated with cryptographic randomness and stored securely

5. Data Retention

We retain your account and patient data for as long as your account is active. If you cancel your subscription, we retain your data for 90 days to allow for reactivation, after which it is permanently deleted. You may request immediate deletion of your data at any time by contacting us.

Patient opt-out records are retained indefinitely to ensure compliance — we must remember that a patient opted out so we never message them again, even if other data is deleted.

6. Patient Privacy and Consent

As a Blue Sage customer, you are responsible for ensuring that you have appropriate consent to contact your patients via SMS and email. Blue Sage provides tools to support compliance:

• Automatic opt-out processing — patients who text STOP are immediately and permanently removed from all messaging
• Send window enforcement — messages are only sent between 9 AM and 7 PM in your local timezone
• Message frequency limits — maximum one message per patient per day across all workflows
• Opt-out status is checked at both draft time and send time as a double safeguard

7. SMS and Messaging Disclosure

Blue Sage sends SMS messages on behalf of med spas and other businesses to their existing patients and leads. Messages include appointment follow-ups, reactivation outreach, review requests, and service recommendations. Message frequency varies based on workflow configuration. Message and data rates may apply. Patients can opt out at any time by replying STOP to any message.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data
• Data Portability: Request a machine-readable copy of your data
• Opt-Out: Opt out of marketing communications at any time

To exercise any of these rights, contact us at privacy@bluesage.app.

9. Cookies and Tracking

The Blue Sage dashboard uses essential cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. The chatbot widget on your website does not set cookies on your visitors' browsers.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a notice in the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Blue Sage
Fairfield, Connecticut
Email: privacy@bluesage.app