Effective Date: 4/15/2025
Updated as of: 8/29/2025
Who We Are
Welcome to Magical Plastic Surgery (“we,” “us,” “our”). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, www.magicalplasticsurgery.com, and use our services. By accessing or using our website, you agree to the terms of this Privacy Policy. We may update this Policy periodically to reflect changes in our practices or legal requirements. If we make material changes, we will update the “Updated as of” date and, where required, provide additional notice.
This Privacy Policy also covers information we receive through our communication channels (including phone, voicemail, email, web forms, and SMS/text messaging) in connection with your use of our website and patient‑facing services, as described below.
Please review our privacy practices below, and email us or write to us at the address below if you have any questions.
Magical Plastic Surgery LLC
Attention: Privacy Requests
8809 Commodity Cir
Orlando, FL 32819
Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) remains governed by our Notice of Privacy Practices (NPP) provided at or before care. If you submit or discuss health information with us via our website, email, or SMS/text, we will treat it as PHI and handle it in accordance with HIPAA, the HITECH Act, and the HIPAA Omnibus Rule, consistent with (and in addition to) this Privacy Policy.
Information We Collect
When website visitors voluntarily leave comments on the website, we collect the data shown in the comments form, and also the visitor’s IP address, operating system, and browser user agent string for spam detection and mitigation. In addition, voluntary information you disclose, such as your name, address, email address, phone number, billing and/or credit card information, etc. may be collected and used to offer you the services, products, and level of service necessary to deliver the products and services you request.
A hash created from your email address (a fixed-length string derived from the address, rather than the address itself) is sent to the Gravatar service to check whether you have a Gravatar profile. The Gravatar service privacy policy is available from Automattic. We monitor and in some cases moderate comments; once your comment is approved, your profile picture and comment are visible to the public in the context of that comment.
Categories of information we may collect (depending on your interactions) include:
- Identifiers: name, alias, postal address, unique personal identifier, online identifier, IP address, email, phone number, account IDs.
- Sensitive personal information: health information you provide (PHI), precise geolocation (if enabled), government IDs (only if legally required), and payment‑related data handled by our payment processor.
- Commercial information: records of products/services considered or purchased, financing inquiries.
- Internet or device activity: browsing history, search terms on our site, pages viewed, timestamps, referral URLs, and approximate location derived from IP.
- Professional/demographic information: occupation, preferences, language.
- Communications: calls, voicemails, emails, SMS/text messages, and form submissions (including metadata like date/time, sender, recipient, delivery status).
Cookies, Analytics, and Targeted Advertising
We use cookies and similar technologies to operate our site, remember preferences, perform analytics, and, where permitted, deliver targeted advertising. You can adjust cookie preferences in your browser and, where available, via our site controls. Some features may not function without certain cookies.
We may share limited pseudonymous data with analytics and advertising partners. For jurisdictions where “sale” or “share” is defined (e.g., California), see “Opt-Out Process” for opt‑out choices.
Information Collected From Other Sources
We participate in targeted marketing campaigns meant to reach out to people that may have expressed an interest in products and services that we offer. We will on occasion collect limited data from public databases, marketing partners, and other outside sources. This is in order to enhance our ability to provide relevant marketing, promotional offers, and services to you.
To keep our records current, we may also obtain contact and interest information from social media platforms, affiliate programs, data providers, and event partners (e.g., mailing addresses, job titles, email addresses, phone numbers, interests, IP addresses, and social media URLs) for targeted advertising, outreach, and event promotion, consistent with applicable law and your preferences.
Media
If you upload public images to the website, such as a profile picture, avoid uploading images that contain embedded location data (EXIF GPS tags). Visitors to the website can download public images and extract any location data they contain.
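As an added example (not part of this policy and not the website's own software), the Python script below shows what a visitor can do with a public image: read the GPS tags out of a JPEG's Exif segment and turn them into decimal coordinates. The same script strips the Exif segment so an image can be cleaned before it is uploaded. The sample JPEG, its tag layout and the coordinates in it are constructed inline for the demonstration; the parser covers only the Exif APP1 segment and the standard GPS latitude/longitude tags, not MakerNotes or XMP.

```python
"""Detect and strip GPS location data (EXIF) from JPEG files.
Added example; not part of this privacy policy or of the website's own code.
Standard library only; the sample JPEG below is constructed inline."""
import struct

SOS, EOI, APP1 = 0xDA, 0xD9, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825            # IFD0 tag that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types

def iter_segments(data):
    """Yield (marker, start, end) for each length-delimited segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return          # entropy-coded image data follows SOS; stop here
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _read_ifd(tiff, offset, endian):
    """Parse one TIFF IFD into {tag: (type, count, raw value bytes)}."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:       # small values are stored inline in the entry
            value = tiff[e + 8:e + 8 + size]
        else:               # larger values live elsewhere in the TIFF block
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            value = tiff[off:off + size]
        entries[tag] = (typ, n, value)
    return entries

def _dms_to_degrees(raw, endian):
    """Convert three EXIF RATIONALs (deg, min, sec) into decimal degrees."""
    d, m, s = (struct.unpack(endian + "II", raw[i:i + 8]) for i in (0, 8, 16))
    parts = [num / den if den else 0.0 for num, den in (d, m, s)]
    return parts[0] + parts[1] / 60 + parts[2] / 3600

def extract_gps(data):
    """Return (latitude, longitude) in decimal degrees, or None if absent."""
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps_off = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0]
        gps = _read_ifd(tiff, gps_off, endian)
        coords = []
        for ref_tag, val_tag in ((GPS_LAT_REF, GPS_LAT), (GPS_LON_REF, GPS_LON)):
            if ref_tag not in gps or val_tag not in gps:
                return None
            deg = _dms_to_degrees(gps[val_tag][2], endian)
            coords.append(-deg if gps[ref_tag][2][:1] in (b"S", b"W") else deg)
        return tuple(coords)
    return None

def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out = bytearray(data[:2])
    pos = 2
    for marker, start, end in iter_segments(data):
        if not (marker == APP1 and data[start + 4:end].startswith(EXIF_HEADER)):
            out += data[start:end]      # keep everything that is not Exif
        pos = end
    out += data[pos:]                   # SOS and the image data, untouched
    return bytes(out)

def build_sample_jpeg():
    """Constructed sample (not a real photo): an Exif APP1 segment carrying a
    GPS IFD for 28d27'12.34"N, 81d28'30"W, then a COM segment, SOS and EOI."""
    e = "<"                         # little-endian ("II") TIFF block
    # IFD0 at offset 8: a single entry pointing at the GPS IFD at offset 26
    ifd0 = struct.pack(e + "HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + struct.pack(e + "I", 0)
    # GPS IFD at offset 26 (54 bytes): refs inline, rationals at offsets 80 and 104
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
    gps += struct.pack(e + "HHII", GPS_LAT, 5, 3, 80)
    gps += struct.pack(e + "HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
    gps += struct.pack(e + "HHII", GPS_LON, 5, 3, 104) + struct.pack(e + "I", 0)
    rationals = struct.pack(e + "12I", 28, 1, 27, 1, 1234, 100, 81, 1, 28, 1, 30, 1)
    tiff = b"II" + struct.pack(e + "HI", 0x2A, 8) + ifd0 + gps + rationals
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    com = b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello"   # must survive stripping
    return b"\xff\xd8" + app1 + com + b"\xff\xda\x00\x02" + b"\xff\xd9"

if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", extract_gps(sample), "after:", extract_gps(strip_exif(sample)))
```

Run it on a real file with `extract_gps(open("photo.jpg", "rb").read())`; `strip_exif` drops the whole Exif segment (camera model and timestamps included, not just GPS), which is the safer default for anything that will be published, since GPS data can also hide in vendor MakerNotes that a tag-by-tag scrubber would miss.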
Embedded Content from other Websites
Content on this site may include embedded material from other websites (for example videos, images, or articles). Embedded content from another website behaves in exactly the same way as if you had visited that website directly.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
How We Use Your Information
Magical Plastic Surgery does not, and will not in the future, sell, rent, or lease your data, or any of its customer lists or customer names, to third parties. You may opt in to or opt out of receiving content from us at any time. We collect this data so that we can provide you with the services you request. For example, if you request a password reset, your IP address is included in the reset email, and we use it together with other identifying information to verify that the request is genuinely yours. Additional purposes for which we collect your data include:
- General: We use your information to provide, personalize, and improve our services and the information on our website.
- Providing Services: To schedule consultations, manage appointments, deliver pre- and post-operative information, and support recovery communications.
- Financial Reasons: To process payments and respond to financial inquiries in connection with the delivery of services. We use PCI DSS-compliant payment processors and do not store full payment card numbers on our systems beyond what is necessary to deliver the products and services you request.
- Communicate with You: Send administrative messages (e.g., appointment confirmations, policy updates) and, where permitted, marketing communications (see “Email and SMS/Text Communications” below).
- Improving User Experience: To understand how visitors interact with the website and help us enhance its functionality. This is also used to perform analytics, quality assurance, and service improvement.
- Marketing and Promotions: To send newsletters, special offers, and updates about new services, and to contact you about a purchase, request, or inquiry you made for a service or product.
- Compliance with Legal Obligations: To adhere to regulations such as HIPAA and CCPA, deliver safety notices and recalls, and comply with other legal or regulatory obligations.
- Security and Fraud Prevention: To protect against unauthorized access and ensure secure transactions. We use your information to detect, prevent, and investigate security incidents, fraud, spam, or abuse. We also use your information to fulfill your privacy rights requests and maintain records required by law.
- Customer Support: To respond to inquiries, provide assistance, deliver our services and products, and fulfill any other legitimate business purpose.
Why We Collect Information and Our Retention Periods
If you purchase, request services, or leave a comment on our website, you may opt-in to save your name, email address, and other personally identifiable information, and we save those in cookies. These are for your convenience so that you do not have to fill in your details when you visit again, go to place another order, leave another comment, etc. These cookies will last for one year.
If you visit our shopping cart login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you publish or edit a product review or blog post response, an additional cookie will be saved to your browser. This cookie includes no personal data and simply indicates the post ID of the product review, article, or blog post you authored or edited. It expires after 1 day.
How Long We Retain Your Information
We retain information only as long as needed for the purposes described in this Policy, to provide services, for legitimate business needs, and to comply with legal, regulatory, tax, or accounting requirements. PHI is retained per medical records and state law requirements.
If you leave a comment on our website or any of our social media channels, the comment and its metadata are retained indefinitely. This allows us to recognize who posted the comment and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website, social media channels, create an account or profile, purchase from our shopping cart, or subscribe to our newsletter, we also store the personal information they provide in their user profile. All users can see, edit, or delete their own personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
Who We Share Your Information With
We do not sell, lease, rent, or otherwise disclose the personal information collected from our website to third parties unless stated below or with your express consent. No mobile opt-in or text message consent will be shared with third parties or affiliates.
- Healthcare Providers: Our surgeons and clinical staff and healthcare providers may have access to Personal Information for administrative and healthcare services. We may also use Personal Information to respond to and fulfill your orders and requests for information, products, or services.
- Authorized Representatives: If another individual is responsible for your care, managing your affairs on your behalf (for example, a parent managing the affairs for their child), as authorized by you or as a personal or legal representative under applicable law, that person can view all Personal Information about you. This includes your next of kin, spouse, partner, domestic partner, legal guardian, same-sex partner or civil union partner.
- Authorized Third-Party Suppliers: We transfer Personal Information to third-party service providers to perform tasks on our behalf and to assist us in providing our Services. For example, we use Stripe for credit card payment processing and invoicing and other providers such as Alphaeon Credit, CareCredit, and Cherry for financing, billing, and/or payment processing. We make every commercially reasonable effort to only engage or interact with third-party service providers and partners that post a privacy policy governing their processing of Personal Information and require our service providers to maintain confidentiality and comply with applicable laws in the processing of Personal Information. For a list of our current third party service providers, please Contact Us.
- Others: We may disclose Personal Information about you if we have a good faith belief that disclosure of such information is helpful or reasonably necessary to: (i) comply with any applicable law, regulation, legal process or governmental request; (ii) enforce our terms of use, including investigations of potential violations thereof; (iii) detect, prevent, or otherwise address fraud or security issues; or (iv) protect against harm to our business or other parties’ rights, property or safety.
How We Share Your Information
We do not sell personal information for monetary compensation, and we do not knowingly “sell” or “share” the personal information of children. We share information via electronic, written, and/or verbal methods with:
- Healthcare providers such as surgeons, surgeon assistants, physicians, practitioners, and other medical providers involved in your care, as permitted by HIPAA and our Notice of Privacy Practices (NPP).
- Designated family members and personnel you personally consent in writing to have access to your information, such as immediate family members, spouse, partner, parent/legal guardian, or healthcare surrogate.
- Service providers and subcontractors (e.g., hosting, analytics, email/SMS platforms, scheduling, EHR/EMR vendors, and call centers) under contracts restricting use and requiring safeguards; BAAs are executed where PHI is involved.
- Payment processors and financing partners to complete payment and credit transactions and for credit card fraud prevention.
- Advertising/marketing partners with your consent where required; you can opt out of targeted advertising where applicable.
- Law enforcement, regulators, or parties to legal proceedings when required by law or to protect rights, safety, and security.
Email, Social Media, Messenger Apps, and SMS/text communications
This section addresses our compliance with HIPAA, the HITECH Act, the HIPAA Omnibus Rule, the TCPA, CAN‑SPAM, and the Florida Telephone Solicitation Act (FTSA).
Security and PHI Caution
Email, social media, messenger apps, and SMS/text messaging are not fully secure channels for transmitting Protected Health Information (PHI) or other sensitive data. To protect your privacy:
- Avoid sending PHI, financial details, or other confidential information via unencrypted email, messages, or text.
- If you choose to initiate communication through these channels, you authorize us to respond in the same manner and acknowledge the inherent security risks.
- Secure, encrypted alternatives (such as patient portals or secure messaging platforms) are available upon request.
Consent and Scope of Communications
- Administrative / Non-Marketing Messages
- We may send non‑marketing, conversational, informational, and service‑related messages (e.g., appointment reminders, pre‑op/post‑op instructions, care coordination updates) as part of your ongoing care or in response to your request for services.
- Marketing / Promotional Messages
- Promotional email or SMS/text communications are sent only with your prior consent where required by law.
- Consent is not a condition of purchase or care.
- You may withdraw your consent at any time using the opt-out methods below.
- If you consent to receive conversational, informational, promotional, or other types of SMS from us, you agree to receive them for the stated purpose (for example, appointment reminders, care instructions, links to procedural information or to our website, promotional offers, and offers for post-surgical products and services).
SMS Terms of Service
As required by the Telephone Consumer Protection Act (TCPA) and the Florida Telephone Solicitation Act (FTSA), we obtain your prior express written consent before sending autodialed, prerecorded, or artificial-voice marketing calls or texts to mobile numbers.
Message Frequency and Rates
Message frequency may vary depending on the service you request from us, the purpose of the messages, and the contact method you choose. Standard message and data rates may apply.
Opt-In Process
We follow recommended best practices for obtaining and documenting consent before sending marketing or automated communications.
- Clear Disclosure at Point of Collection
- When you provide your mobile number or email, we clearly state the types of messages you may receive (for example, conversational, informational, or promotional).
- We specify whether messages may include PHI and outline the associated risks of unencrypted channels.
- Affirmative Action Required
- You must take a clear, affirmative action to opt in, such as checking a consent box online, replying “YES” to a confirmation text, or signing a written consent form.
- Pre‑checked boxes or implied consent are not used for marketing or automated communications.
- Separate Consent for Marketing
- Consent for marketing messages is separate from consent for administrative or care‑related messages.
- You may receive care‑related communications without marketing consent, as permitted by law.
- Confirmation Message
- After opting in, you will receive a confirmation message stating:
- The organization name
- Message type and frequency
- “Msg & data rates may apply” disclosure
- Instructions to reply “STOP” to opt out and “HELP” for assistance
- Recordkeeping
- We maintain time‑stamped records of your consent, including the method, date, and content of the disclosure you agreed to.
Opt-Out Process
We follow recommended best practices for receiving and documenting requests to stop SMS/text messages, and our electronic systems record them automatically. You can:
- Reply “STOP” to any SMS/text to opt-out of future text messages.
- Reply “HELP” for assistance. You may also call or email us to help manage these preferences for you. We honor opt‑outs promptly.
Do-Not-Call List Compliance
We maintain records of consent and opt‑out requests and do not send marketing communications to numbers listed on applicable federal or state do‑not‑call registries without valid authorization.
CAN‑SPAM Compliance (Email)
Our marketing emails will:
- Include our physical mailing address.
- Clearly identify the message as an advertisement (where applicable).
- Provide a clear, no-cost unsubscribe mechanism.
All unsubscribe requests are processed promptly and within the timeframes required by law. Campaigns that were scheduled before your request may still reach you; if you continue to receive unsolicited emails, please contact us so that we can resolve it.
HIPAA Communications Preferences
You may request that we communicate with you by alternative means (e.g., secure portal, encrypted email) or at alternative locations. We will accommodate reasonable requests consistent with HIPAA privacy regulations.
PHI Handling and Notices (HIPAA, HITECH, Omnibus Rule)
When we receive or create PHI about you (including PHI you provide via our website, forms, email, messenger apps, or SMS/Text), we use and disclose it per HIPAA, HITECH, and the HIPAA Omnibus Rule, and our Notice of Privacy Practices (NPP). This includes minimum necessary use, role‑based access, audit logging, secure transmission/storage, and execution of Business Associate Agreements (BAAs) with vendors that handle PHI on our behalf (if any).
Breach notification: We assess suspected incidents involving PHI and notify affected individuals and regulators as required by HIPAA and applicable state laws. See “Information Security & Data Breaches” section below.
Payment Processing
We use third‑party payment processors (e.g., Stripe) to process payments. Transactions occur over encrypted channels, and our processors maintain PCI DSS compliance. We do not store full payment card numbers on our servers.
Information Security & Data Breaches
At Magical Plastic Surgery, we take information security and privacy concerns very seriously. We implement administrative, technical, and physical safeguards designed to protect information, including encryption in transit, access controls, logging/monitoring, workforce training, vendor risk management, vulnerability management, and incident response procedures. No method of transmission or storage is 100% secure; we continually improve our controls consistent with applicable laws and standards.
While no website can guarantee security, we maintain appropriate technical and organizational measures to protect your Personal Information. For example, we guard against unauthorized access, use, or disclosure through encryption, secure payment processing via Stripe, regular security audits, and strict access controls, and we require third-party service providers and affiliates who access or handle Personal Information on our behalf to maintain comparable safeguards.
Despite these practices, there is no guarantee that information will not be accessed, disclosed, altered, or destroyed through a breach of our physical, technical, or managerial safeguards. When you submit information to us through our website, be aware that it is transmitted across the Internet and that no method of transmission over the Internet is completely secure. In particular, email, live chat messages, and other communications you send to us are not end-to-end encrypted, and we strongly advise you not to send confidential information through these means.
If a breach of our security systems occurs and there is evidence that an unauthorized person has acquired your Personal Information, we will notify you in accordance with applicable law. Notification may be delayed while we determine the scope of the breach and restore the reasonable integrity of the system, or at the request of law enforcement if notification would impede a criminal investigation. From time to time we evaluate new technologies for protecting information and, when appropriate, make reasonable efforts to upgrade our information security systems. If you notice or suspect a security violation, please Contact Us.
Your Privacy Rights
You may have rights to access, inspect, obtain a copy of, amend, or receive an accounting of disclosures of your PHI, and to request restrictions or confidential communications, in accordance with HIPAA as described in our Notice of Privacy Practices (NPP).
California (CCPA/CPRA)
California residents have the right to: (1) know/access categories and specific pieces of personal information collected, used, disclosed, “sold,” or “shared”; (2) delete personal information; (3) correct inaccuracies; (4) opt out of “sale” or “sharing” for cross‑context behavioral advertising; (5) limit use/disclosure of sensitive personal information; and (6) be free from discrimination for exercising rights. You may use an authorized agent, subject to verification.
Notice at collection: We collect the categories described in “Information We Collect” for the purposes in “How We Use Your Information,” retain data as described in “How Long We Retain Your Information” and our data retention policy, and share it with the parties described in “How We Share Your Information.”
Opt‑out: If we “sell” or “share” your personal information as defined by California law, you can opt out by contacting us or using any available “Do Not Sell or Share My Personal Information” link or preference tools.
GDPR/EEA/UK
If you are in the EEA/UK, we process personal data under lawful bases including consent, contract, legal obligation, vital interests, public interest, or legitimate interests (balanced against your rights). You have rights to access, rectify, erase, restrict processing, data portability, and object; you may withdraw consent at any time. You may lodge a complaint with your supervisory authority. Where data is transferred outside the EEA/UK, we rely on appropriate safeguards (e.g., SCCs or other approved mechanisms).
Florida and Other U.S. State Laws
We comply with Florida health records and breach notification requirements, including reasonable security measures and timely notice of certain security incidents. We also comply with the Florida Telephone Solicitation Act for text/call marketing. For states with consumer privacy laws (e.g., CO, CT, VA, UT), we honor applicable rights to access, delete, correct, and opt out of targeted advertising, sale, or profiling where required.
NIS2 Alignment (EU)
We are a U.S. clinic; NIS2 generally applies to certain EU entities. While not an EU “essential” or “important” entity, we align our security and incident management practices with broadly recognized principles consistent with NIS2 where applicable to our operations.
Children’s Privacy
Our services are not directed to children under 13, and we do not knowingly collect personal information from them without verifiable parental consent. If we learn we have collected such information, we will delete it and take appropriate action.
Do Not Track
Some browsers send “Do Not Track” signals. We do not currently respond to such signals. You can manage certain tracking via browser settings, device settings, and available site controls.
International Information Transfers
If you are located outside the United States, your information may be processed in the U.S. or other countries with different data protection laws than in your country. We implement appropriate safeguards for such transfers where required.
What Rights You Have Over Your Data
If you are a patient of our clinic, have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are required to keep for administrative, legal, or security purposes.
How to Exercise Your Rights or Contact Us
To submit a privacy request (access, deletion, correction, opt‑out, or marketing preferences), or to appeal a decision, Email Us or write to us at the mailing address above.
For SMS, reply “STOP” to opt out or “HELP” for help.
For general questions (not related to privacy or security)
Call +1 407.974.4600 or email our general company mailbox at info@magicalplasticsurgery.com.
End of Privacy Policy