
Privacy Policy

XPand MD™ · Effective Date: May 2026

Introduction

XPand MD™ is a men's health and aesthetic medicine practice located in Chicago, Illinois, operating as a sub-brand of XSculpt. This Privacy Policy explains what information we collect when you visit xpandmd.com, how we use it, and your rights regarding that information.

By using this website, you agree to the practices described in this policy. If you do not agree, please do not use the site.

This policy applies to information collected through our website only. It does not govern information collected in person at our practice or through other channels.

Information We Collect

We collect information in two ways: information you provide to us directly, and information collected automatically when you visit the site.

Information you provide:

When you submit a contact form or consultation request, we collect your name, phone number, email address, and any details you include about your interest or goals. We use this information solely to respond to your inquiry and schedule a consultation.

Information collected automatically:

When you visit the site, our analytics and advertising tools collect information about your session, including your IP address, browser type, device type, operating system, pages visited, time on site, and referring URL. This information is collected through cookies and similar tracking technologies.

How We Use Your Information

We use the information we collect for the following purposes:

  • To respond to inquiries and schedule consultations
  • To follow up on consultation requests you have submitted
  • To improve the website experience and understand how visitors use the site
  • To measure the effectiveness of our advertising campaigns
  • To comply with applicable legal obligations

We do not sell your information to third parties. We do not use your information for purposes unrelated to the above without your consent.

HIPAA Notice

XPand MD is a medical practice. You may wonder how HIPAA applies to information submitted through this website.

Information you submit through a website contact or consultation form is not automatically classified as Protected Health Information (PHI) under HIPAA. PHI protections under the Health Insurance Portability and Accountability Act apply once a formal patient-provider relationship has been established, such as when you become a patient of the practice.

Before that relationship exists, website form submissions are general business communications and are handled under the data practices described in this policy.

Once you become a patient of XPand MD, your health information is protected under HIPAA and governed by our Notice of Privacy Practices, which is available at our office and provided to you at the time of your first appointment.

If you have questions about how your health information is handled as a patient, please contact us directly at the phone number or address listed at the end of this policy.

Cookies and Tracking Technologies

Cookies are small files placed on your device by a website. We use cookies and similar technologies for the following purposes:

Analytics cookies (Google Analytics / GA4):

These track how visitors use our website, including pages viewed and time spent on the site. This helps us understand what content is useful and where to improve the experience. GA4 data is anonymized and aggregated.

Advertising pixels (Google Ads, Meta Pixel):

These tools allow us to measure which ads led to visits or consultation requests, and to show relevant advertising to people who have visited our site. These pixels are managed through Google Tag Manager.

Session and functional cookies:

These support basic site functionality, including form submission and page load performance.

How to manage cookies:

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that blocking certain cookies may affect site functionality. You can also opt out of interest-based advertising through the Digital Advertising Alliance at optout.aboutads.info or the Network Advertising Initiative at optout.networkadvertising.org.

Third-Party Services

We use third-party services to operate this website and run our practice. Each service has its own privacy policy that governs how it handles data.

GoHighLevel (GHL)

We use GoHighLevel for consultation forms and customer relationship management. GoHighLevel is a HIPAA-compliant platform and we have a signed Business Associate Agreement (BAA) in place.

GoHighLevel Privacy Policy: www.gohighlevel.com/privacy-policy

Google Analytics (GA4)

We use Google Analytics to understand website traffic and user behavior.

Google Privacy Policy: policies.google.com/privacy

Google Tag Manager

We use Google Tag Manager to manage tracking tags on our site.

Google Privacy Policy: policies.google.com/privacy

Google Ads

We use Google Ads to run search and display advertising.

Google Privacy Policy: policies.google.com/privacy

Meta Pixel

We use the Meta Pixel (Facebook/Instagram) to measure ad performance and run retargeting campaigns.

Meta Privacy Policy: www.facebook.com/privacy/policy

Vercel

Our website is hosted on Vercel, which may collect server logs and performance data as part of standard hosting operations.

Vercel Privacy Policy: vercel.com/legal/privacy-policy

Data Retention

Form submissions:

Information submitted through contact and consultation forms is retained in our CRM (GoHighLevel) for as long as it is necessary to manage your inquiry or until you request deletion, whichever comes first. If you become a patient, your records are subject to applicable medical record retention laws.

Analytics data:

Google Analytics data is retained according to our GA4 settings, typically 14 months for user-level and event-level data, after which it is aggregated and anonymized.

Server logs:

Vercel may retain server access logs for a limited period as part of standard hosting operations.

Your Rights

You have the following rights regarding information you have submitted through our website:

Access:

You may request a copy of the information we hold about you from your website interactions.

Correction:

If information we hold about you is inaccurate, you may request that we correct it.

Deletion:

You may request that we delete information you submitted through the website. We will honor deletion requests where we are not legally required to retain the data.

To make any of these requests, contact us at the phone number or address listed below. We will respond within a reasonable timeframe.

Note: These rights apply to information collected through the website. If you are a patient seeking to exercise rights over your medical records, those requests are handled separately under HIPAA and should be directed to our office.

California residents:

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete it, and the right to opt out of its sale. We do not sell personal information. To submit a CCPA request, contact us at the information below.

Children's Privacy

This website is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has submitted information through our site, please contact us and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the effective date at the top of this page. We encourage you to review this policy periodically. Continued use of the website after any changes constitutes your acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy, or to submit a data access, correction, or deletion request, contact us at:

XPand MD

310 W Superior St, Floor 2, Ste 201

Chicago, IL 60654

Phone: 833-972-8578

Website: xpandmd.com