We'll run a live look into your clinic's revenue leaks — actual missed calls, actual response times, actual dollar estimates. The report is yours to keep regardless of what you decide.

1. Agreement to Terms

By accessing katalyst-io.com or engaging the services of Katalyst IO LLC ("Katalyst," "we," "our," or "us"), you agree to be bound by these Terms and Conditions. If you do not agree, please do not use our services. These terms apply to all visitors, clients, and anyone who submits an audit request or enters into a service agreement with Katalyst IO LLC. Katalyst IO LLC can be contacted at outreach@getkatalyst-io.com, +1 (332) 279-0008, or 146 The Woodlands, London SE13 6TX.

2. Services

Katalyst provides revenue recovery automation services for independent medical spas, including but not limited to: missed call recovery, lead follow-up sequences, appointment reminder workflows, no-show recovery, and daily operational briefings. The scope of services delivered is defined in your individual service agreement or onboarding confirmation.

3. Free Audit

The mystery shop audit offered by Katalyst is provided free of charge with no obligation to proceed to a paid plan. By requesting an audit, you authorise Katalyst to contact your clinic as a prospective patient would, using publicly available contact details, for the purposes of assessing your operational response times and lead-handling processes. Audit findings are shared with you within 48 hours of completion and remain your property regardless of any subsequent commercial decision.

4. Subscription & Cancellation

Paid plans are billed monthly. There are no long-term contracts. You may cancel your subscription at any time by replying PAUSE to any morning briefing message or by contacting us directly at outreach@getkatalyst-io.com. Cancellation takes effect at the end of the current billing period. One-time installation fees are non-refundable once onboarding has commenced.

5. Data & Privacy

Katalyst handles client and patient-adjacent data in accordance with applicable data protection legislation. We do not sell or share your clinic's data with third parties. Any data collected during the audit or operational workflows is used solely to deliver the agreed services. For full details, refer to our Privacy Policy. If your clinic operates under HIPAA obligations, please contact us to discuss a BAA before engaging services.

6. Revenue and Earnings Claims — Disclaimer

Revenue exposure figures displayed on the Katalyst website (including the "$28,000–$52,000 monthly revenue exposure" range) are modelled estimates derived from named third-party industry data: AmSpa 2024 Medical Spa State of the Industry Report (245 average monthly visits, $504 average per-visit spend); Talkdesk Healthcare Report 2025 (23% medical practice call miss rate); and TrackableMed's published call audit of 7,000 calls across 22 practices (42% miss rate). These figures represent an estimated industry-average revenue exposure range, not a guaranteed outcome for any specific clinic.

KATALYST DOES NOT GUARANTEE ANY SPECIFIC REVENUE RECOVERY OUTCOME. Individual results depend on clinic call volume, staff responsiveness, treatment mix, geographic market, existing conversion rates, and numerous other factors outside Katalyst's control. The figures shown are not a representation that a typical Katalyst client recovers $28,000–$52,000 per month. The testimonials displayed on the website reflect the individual experiences of those specific clients and are not representative of typical outcomes. Results vary materially.

This disclaimer is provided in compliance with the FTC's Endorsement Guides (16 C.F.R. Part 255, as amended 2023) and Florida Deceptive and Unfair Trade Practices Act (Fla. Stat. § 501.201 et seq.). By using Katalyst's services, you acknowledge that you have not relied on any revenue estimate, projection, or testimonial as a guarantee of specific financial results.

7. Intellectual Property

All content, copy, design, workflows, and methodology published on katalyst.io or delivered as part of Katalyst's services are the intellectual property of Katalyst. The audit report delivered to you is yours to keep and use internally. You may not reproduce, resell, or distribute Katalyst's proprietary framework, workflow documentation, or methodology without written permission.

8. Warranties Disclaimer

EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, OR THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE. KATALYST DOES NOT WARRANT THAT THE SERVICE WILL MEET YOUR REQUIREMENTS OR THAT RESULTS OBTAINED THROUGH THE SERVICE WILL BE ACCURATE OR RELIABLE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY KATALYST SHALL CREATE A WARRANTY.

9. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW: (A) IN NO EVENT WILL KATALYST'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE EXCEED THE GREATER OF (I) THE TOTAL FEES PAID BY YOU TO KATALYST IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (II) ONE HUNDRED U.S. DOLLARS ($100.00); AND (B) IN NO EVENT WILL KATALYST BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, PUNITIVE, OR SPECULATIVE DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS, LOST REVENUES, LOST DATA, LOSS OF GOODWILL, BUSINESS INTERRUPTION, OR COST OF SUBSTITUTE SERVICES, EVEN IF KATALYST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF THE THEORY OF LIABILITY.

The foregoing limitations do not apply to: (i) your obligation to pay fees; (ii) either party's indemnification obligations; (iii) damages arising from breach of confidentiality; (iv) damages arising from a party's fraud, gross negligence, or wilful misconduct; or (v) Katalyst's liability for a HIPAA breach to the extent the applicable BAA provides for a separate cap.

We will notify you promptly of any material service interruption and will not charge fees for periods of verified service unavailability exceeding 24 consecutive hours.

10. Dispute Resolution & Arbitration

Any dispute, claim, or controversy arising out of or relating to these Terms or the breach, termination, enforcement, interpretation, or validity thereof shall be resolved through binding arbitration administered under the rules of a recognised arbitration body, before a single arbitrator. Judgment on the award may be entered in any court having jurisdiction. YOU AGREE THAT YOU MAY BRING CLAIMS AGAINST KATALYST IO LLC ONLY IN YOUR INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS ACTION OR REPRESENTATIVE PROCEEDING. The parties waive their right to a trial by jury where applicable.

11. Governing Law

These terms are governed by the laws of England and Wales. Any disputes arising from these terms or the services provided by Katalyst shall be subject to the exclusive jurisdiction of the courts of England and Wales.

12. Changes to These Terms

We may update these terms from time to time. Material changes will be communicated to active clients by email. Continued use of our services after notification constitutes acceptance of the revised terms.

13. Contact

For any questions regarding these terms, please contact us at outreach@getkatalyst-io.com · Phone: +1 (332) 279-0008

1. Who We Are

Katalyst IO LLC ("Katalyst," "we," "our," or "us") is a revenue recovery automation company. We provide automated workflow services to independent medical spas, including missed-call recovery, lead follow-up, appointment reminders, no-show recovery, and daily operational reporting. Contact: outreach@getkatalyst-io.com · +1 (332) 279-0008 · 146 The Woodlands, London SE13 6TX · United States.

2. Information We Collect

Information you provide directly: When you submit an audit request or contact us, we collect your name, business name, email address, phone number, and any information you include in your message. When you become a client, we also collect onboarding details about your clinic (operating hours, booking links, service menu, staff details).

Call recordings and transcripts: As part of our service, we record and transcribe inbound and outbound calls routed through our platform on behalf of client clinics. These recordings may incidentally contain information about clinic patients (caller names, appointment inquiries, treatment interests). This data is processed under a Business Associate Agreement (BAA) where the client clinic is a HIPAA-covered entity. See Section 9.

Usage data: We collect technical information when you visit our website — your IP address, browser type, pages visited, and referral URL. We use Microsoft Clarity (session analytics and heatmaps) and RB2B (business visitor identification) to understand website usage and improve our service. These third-party tools may set cookies and collect usage data in accordance with their own privacy policies. We do not use this data for advertising and we do not sell it.

Cookies: This website uses essential first-party cookies necessary for it to function (session management, security), as well as analytics cookies set by Microsoft Clarity and RB2B to measure and improve website usage. We do not set advertising cookies. You may disable cookies in your browser settings; disabling analytics cookies will not materially affect your ability to use this website.

3. How We Use Your Information

We use the information we collect to: (a) respond to audit requests and deliver the mystery shop report; (b) provide and operate our automation services for client clinics; (c) process call recordings and generate transcripts and daily briefings; (d) communicate with you about your account, service updates, and support; (e) maintain security and prevent fraud; (f) comply with applicable legal obligations; and (g) generate aggregated, de-identified industry benchmarks (no individual is identifiable in these).

We do not use your information for targeted advertising, behavioral profiling, or sale to third parties.

4. Legal Basis for Processing

For business contacts and audit requesters: processing is necessary for the performance of a contract or to take steps at your request before entering a contract, and in pursuit of our legitimate business interest in operating and improving our services. For call recordings and transcripts processed on behalf of a covered-entity client: processing is authorized by the Business Associate Agreement and governed by HIPAA.

5. Call Recording Disclosure — Florida Law

Florida Statutes § 934.03 requires all parties to a phone call to consent to recording. Every call processed through Katalyst's platform includes an automated pre-call disclosure: "This call is being recorded by [clinic name] and its service provider for quality, training, and business-record purposes. By continuing this call, you consent to being recorded. If you do not wish to be recorded, you may hang up now." This disclosure plays before any substantive conversation begins on both inbound and outbound calls. Timestamped logs of each disclosure are retained.

6. Sharing and Disclosure

We share your information only as follows: (a) Sub-processors: We use third-party vendors to operate our platform (cloud hosting, telephony, AI transcription) and to analyse website usage (Microsoft Clarity, RB2B). Each sub-processor is bound by a written data processing agreement. A current list of sub-processors is available on request at outreach@getkatalyst-io.com. (b) Client clinics: Call recordings, transcripts, and briefing reports are shared with the client clinic on whose behalf they were created. (c) Legal compliance: We may disclose information if required by law, subpoena, or court order, or to protect the rights, property, or safety of Katalyst, our clients, or others. (d) Business transfer: In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy.

We do not sell, rent, or share your personal information with third parties for their own marketing or advertising purposes.

6a. SMS & Mobile Messaging — Special Notice

When you opt in to receive SMS messages from Katalyst IO LLC, your mobile number and consent record are used solely to send you the messages you have agreed to receive (audit updates, appointment reminders, service notifications, and promotional offers where consented). To opt out at any time, reply STOP to any message. To request assistance, reply HELP. Message and data rates may apply. Message frequency varies. Opt-in consent records are retained for a minimum of 4 years.

Call recordings and transcripts are retained for 6 years from the date of creation (aligned with HIPAA documentation requirements under 45 C.F.R. § 164.530(j)) or shorter if the applicable BAA specifies otherwise. Web form contact data (audit request submissions) is retained for 24 months from collection or the duration of the client relationship, whichever is longer. Briefing reports and operational data are retained for 12 months. You may request earlier deletion (see Section 8).

8. Your Rights

You may request access to, correction of, or deletion of personal information we hold about you by emailing outreach@getkatalyst-io.com. We will respond within 30 days. Note: for call recordings or transcripts that contain a patient's information, those rights must be directed to the client clinic (the HIPAA-covered entity) under its Notice of Privacy Practices, not to Katalyst. We cannot independently fulfil patient rights requests over PHI held on behalf of a covered entity. Rights of access, amendment, and accounting of disclosures over PHI are governed by 45 C.F.R. §§ 164.524–164.528.

9. HIPAA and Protected Health Information

Many of Katalyst's med-spa clients qualify as HIPAA Covered Entities. In those relationships, Katalyst acts as a Business Associate as defined at 45 C.F.R. § 160.103. Call recordings and transcripts processed on behalf of a covered entity are Protected Health Information (PHI) under HIPAA. Katalyst's handling of that PHI is governed by the executed Business Associate Agreement, which includes: permitted uses and disclosures; Security Rule safeguards (encryption at rest and in transit, access controls, audit logs); Breach Notification Rule obligations; subcontractor BAA requirements; and PHI return or destruction upon termination. Katalyst's Security Rule program includes administrative, physical, and technical safeguards required under 45 C.F.R. Part 164, Subpart C.

10. Security

We implement technical and organizational measures appropriate to the risk, including: AES-256 encryption at rest for call recordings and transcripts; TLS 1.2+ encryption in transit; multi-factor authentication on all administrative accounts; role-based access controls; immutable audit logs; regular security assessments; and an incident response plan. No security measure is perfect. In the event of a data breach affecting your information, we will notify you and the applicable regulators as required by law.

11. Children's Privacy

Our services are directed exclusively to business operators aged 18 and over. We do not knowingly collect personal information from anyone under 13 years of age. If you believe we have inadvertently collected information from a minor, please contact us immediately at outreach@getkatalyst-io.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active clients by email at least 14 days before they take effect. The "Last reviewed" date at the top of this page indicates when the policy was last updated. Continued use of our services after a material change constitutes acceptance of the updated policy.

13. Contact

Privacy questions, data subject requests, and BAA inquiries: outreach@getkatalyst-io.com · Phone: +1 (332) 279-0008 · Katalyst IO LLC · United States.

Who this applies to

This Data Processing Agreement ("DPA") applies to all Katalyst clients ("Controller") whose use of the Katalyst platform involves the processing of personal data on their behalf. By executing a service agreement or submitting an audit request that proceeds to onboarding, you agree to this DPA. If you require a custom-executed DPA for enterprise procurement purposes, contact outreach@getkatalyst-io.com.

1. Definitions

"Controller" means the Katalyst IO LLC client (the med spa or its operating entity) that determines the purposes and means of processing personal data. "Processor" means Katalyst IO LLC, which processes personal data on the Controller's behalf. "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Katalyst IO LLC service. "Processing" has the meaning given in applicable privacy law. "Sub-processor" means any third party engaged by Katalyst IO LLC to process Personal Data on the Controller's behalf. "PHI" means Protected Health Information as defined under HIPAA, 45 C.F.R. § 160.103.

2. Subject Matter and Duration

Katalyst processes Personal Data for the duration of the service agreement (including any renewal or extension) and for such further period as is necessary to comply with legal obligations or as specified in the retention terms of the executed BAA. Upon termination, Katalyst will return or securely destroy all Personal Data within 30 days, unless a longer retention period is required by law.

3. Nature and Purpose of Processing

Katalyst processes Personal Data to: (a) receive, record, and transcribe inbound and outbound telephone calls on behalf of the Controller; (b) generate automated follow-up SMS and email communications to callers and leads; (c) compile and deliver daily operational briefings to the Controller; (d) identify missed appointments, no-shows, and unfollowed leads for recovery workflows; and (e) operate and maintain the platform infrastructure. Processing occurs only on documented instructions from the Controller and for no other purpose.

4. Types of Personal Data Processed

Categories of Personal Data processed include: caller identification (phone number, name where provided); appointment details; treatment inquiries; call timestamps and durations; SMS message content; email addresses; and any other information contained in the oral content of recorded calls. Where the Controller is a HIPAA-covered entity, this data includes PHI and is governed by the separately-executed Business Associate Agreement.

5. Categories of Data Subjects

Data subjects include: (a) callers and prospective patients contacting the Controller's clinic; (b) the Controller's staff whose calls are recorded; and (c) the Controller's own authorized users of the Katalyst platform. Katalyst does not intentionally collect data from individuals under 18 years of age in connection with the service.

6. Controller Obligations

The Controller represents and warrants that: (a) it has a lawful basis to collect and process the Personal Data it directs Katalyst to process; (b) it has complied with all applicable call recording consent requirements, including Florida Statutes § 934.03 and any other applicable all-party consent law, and authorizes Katalyst to deploy the required pre-call recording disclosure on its behalf; (c) it has published, or will publish before go-live, a privacy notice or policy that discloses the use of recording services; (d) it will promptly notify Katalyst of any changes to its instructions; and (e) it will indemnify and hold harmless Katalyst for any claims arising from the Controller's failure to comply with (a)–(d).

7. Processor Obligations — Katalyst

Katalyst will: (a) process Personal Data only on documented instructions from the Controller and not for any other purpose; (b) ensure that authorized personnel are bound by appropriate confidentiality obligations; (c) implement and maintain the technical and organizational security measures described in Section 8; (d) assist the Controller in responding to data subject rights requests to the extent feasible given the nature of the processing; (e) notify the Controller without undue delay (and in any event within 48 hours of discovery) of any confirmed or reasonably suspected Personal Data breach affecting the Controller's data; (f) maintain records of processing activities as required by applicable law; and (g) upon Controller request and at Controller's expense, make available information necessary to demonstrate compliance with this DPA and allow for reasonable audits not more than once per calendar year with 30 days' prior written notice.

8. Security Measures

Katalyst implements appropriate technical and organizational measures, including: AES-256 encryption of Personal Data at rest; TLS 1.2+ encryption of data in transit; multi-factor authentication for all administrative access; role-based access controls limiting access to authorized personnel only; immutable audit logs of access to Personal Data; regular penetration testing and vulnerability assessments; an incident response and business continuity plan; and annual workforce training on data protection and security. Katalyst will update these measures as the state of the art evolves and as new risks are identified.

9. Sub-processors

The Controller grants Katalyst general authorization to engage sub-processors as necessary to deliver the service, provided that: (a) sub-processors are bound by written data processing terms providing at least equivalent protection to this DPA; (b) Katalyst remains fully liable to the Controller for the sub-processor's performance; and (c) Katalyst maintains a current list of sub-processors available on request at outreach@getkatalyst-io.com and will notify the Controller of any material change to its sub-processor list with reasonable notice (not less than 10 business days) to allow the Controller to object. Current categories of sub-processors: cloud infrastructure (AWS or equivalent HIPAA-eligible provider); telephony (Twilio or equivalent); AI transcription service (HIPAA-eligible tier with executed BAA); payment processor.

10. HIPAA Business Associate Agreement

Where the Controller is a HIPAA Covered Entity (as defined at 45 C.F.R. § 160.103), the parties must execute a Business Associate Agreement (BAA) before Katalyst processes any PHI. The BAA governs the handling of PHI and takes precedence over this DPA to the extent of any conflict with respect to PHI. If you have not yet executed a BAA with Katalyst and require one, contact outreach@getkatalyst-io.com before activating the service. Katalyst will not process PHI without a signed BAA in place.

11. International Transfers

All Personal Data is processed and stored within the United States. Katalyst does not transfer Personal Data outside the United States at this time. If this changes, Katalyst will update this DPA and notify affected Controllers with reasonable advance notice.

12. Governing Law

This DPA is governed by the laws of the State of Florida, without regard to its conflict of law provisions. Disputes arising under this DPA are subject to the dispute resolution provisions in the Katalyst Terms of Service.

13. Contact

DPA enquiries, sub-processor list requests, and BAA execution: outreach@getkatalyst-io.com