Privacy Policy

Effective Date

Last Updated: 2026-01-21

Overview

This Privacy Policy explains how Candela Corporation and our subsidiaries and affiliates (collectively, 'Candela', 'we', 'us', or 'our') collect, use, disclose, and protect personal information when you use our websites, customer portals, attend our events, interact with us offline, or otherwise engage with our products and services (collectively, the 'Services'). It also describes your privacy rights and choices and how to exercise them.

Scope

This Policy applies to personal information we process about consumers, prospects, healthcare professionals, business contacts, and visitors in the jurisdictions described below. Country- or state-specific sections supplement (and, where required, supersede) the general provisions.

Information We Collect

We may collect the following categories of personal information, depending on how you interact with us: identifiers and contact details; commercial information (such as transaction history and preferences); internet or electronic network activity; geolocation data; audio/visual recordings (e.g., event or premises security); professional or employment-related information; and in limited cases sensitive information (such as precise geolocation, financial account numbers, health or insurance information) where permitted by law and with appropriate notices and choices.

Sources of Personal Information

We collect personal information directly from you, automatically through your devices (e.g., via cookies and similar technologies), from our service providers and partners, and from public sources, consistent with applicable law.  We may also obtain personal information from third-party applications, integrations, and service providers that support our e-commerce operations, including those integrated into our storefront through the Shopify platform. These may include providers of payment processing, analytics, marketing, customer engagement, shipping, and related services. Such information may be collected directly by these providers or shared with us in accordance with their respective privacy policies.

How We Use Personal Information

We use personal information to operate, provide, and improve the Services; fulfill transactions and provide customer support; personalize content and communications; conduct analytics and product development; secure, detect, and prevent fraud and other unlawful activity; comply with legal obligations; and with your consent or as otherwise permitted by law.

Sensitive Personal Information

Where required by law, we limit the use and disclosure of sensitive personal information to the purposes permitted by applicable law (for example, providing requested Services, ensuring security and integrity, short‑term transient use, and other CPRA‑permitted purposes) and offer mechanisms to limit such use where required.

Cookies, Analytics, and Tracking Technologies

We and our partners use cookies, SDKs, pixels, and similar technologies to enable site functionality, measure engagement, and deliver advertising. You can manage cookies via your browser settings and, where required by law, through our consent banner. We honor user-enabled opt‑out preference signals (such as Global Privacy Control) and other recognized universal opt‑out mechanisms in jurisdictions that require them. 

In addition to our own use of cookies and similar technologies, third-party applications and integrations used on our website may deploy cookies, pixels, tags, SDKs, and other tracking technologies to collect information about your device, browsing behavior, and interactions with the site.

These technologies may be used by third parties for purposes such as analytics, advertising, retargeting, personalization, and performance monitoring. The data collected through these technologies may be transmitted to and processed by the applicable third-party providers in accordance with their own privacy policies.

Your Privacy Rights and Choices (General)

Depending on your location, you may have rights to access, correct, delete, and obtain a copy of your personal information, and to opt out of targeted advertising, sale or sharing of personal information, and certain profiling. You can exercise these rights by contacting us as described in the Contact Us section or via the links provided in the region‑specific sections below. We will not discriminate against you for exercising these rights.

Third-Party Applications and Integrations

Our website is powered by Shopify Inc. and may incorporate various third-party applications, plugins, and services (collectively, “Third-Party Applications”) to enhance functionality and user experience.

These Third-Party Applications may independently collect, use, disclose, and process personal information. Candela does not control and is not responsible for the privacy practices, data handling, or security measures of these third parties.

We encourage you to review the privacy policies of any Third-Party Applications you interact with before providing personal information or using such services.

This disclosure is intended to supplement your rights under applicable privacy laws, including the California Consumer Privacy Act and the General Data Protection Regulation, and analogous state and international regulations.

Notice at Collection for California Residents

We collect the categories of personal information listed above for the purposes described in this Policy. We may sell or share personal information (as those terms are defined by California law) for cross‑context behavioral advertising. We retain personal information for as long as reasonably necessary for the disclosed purposes, taking into account applicable legal, tax, and operational requirements; where feasible, we apply category‑specific retention periods in our records schedule. California residents can exercise the right to opt out of sale/sharing and to limit the use of sensitive personal information via our links: 'Do Not Sell or Share My Personal Information' and 'Limit the Use of My Sensitive Personal Information,' and via recognized opt‑out preference signals such as Global Privacy Control.

State-Specific Disclosures (U.S.)

In addition to California, several states provide consumers with rights and impose obligations on businesses. Where we are subject to these laws, we honor universal opt‑out mechanisms (where required), provide appeal processes, and conduct data protection assessments for high‑risk processing as applicable. The following supplements apply:

Colorado: We recognize and process Universal Opt‑Out Mechanisms (UOOM) including Global Privacy Control. Beginning July 1, 2024, covered controllers must honor UOOM signals for opt‑outs of sales and targeted advertising. Our privacy notice explains how we process such signals and how consumers may appeal denials.

Connecticut: We honor opt‑out preference signals and provide an appeals process. For teens ages 13–16, we obtain consent before selling personal data or using it for targeted advertising.

Delaware: Effective January 1, 2025, Delaware residents have rights to access, correct, delete, data portability, and to opt out of sales, targeted advertising, and certain profiling. We will recognize universal opt‑out signals as required (including beginning January 1, 2026).

New Jersey: Effective January 15, 2025, New Jersey residents have rights similar to other states and covered businesses must honor universal opt‑out signals for sales and targeted advertising. An appeals process is available and responses will be provided within statutory timelines.

Oregon: Effective July 1, 2024, we provide the rights enumerated under OCPA and honor universal opt‑out signals. Nonprofits become subject on July 1, 2025.

Texas: Effective July 1, 2024 (with universal opt‑out effective January 1, 2025), Texas residents can exercise access, correction, deletion, portability, and opt‑out rights. We recognize Global Privacy Control as required by the TDPSA.

Minnesota: Effective July 31, 2025, Minnesota residents have rights similar to other state laws, including the right to question certain profiling decisions. Small businesses have specific obligations; we will respond within statutory timeframes.

New Hampshire: Effective January 1, 2025, New Hampshire residents have comprehensive privacy rights and businesses must recognize global opt‑out signals. We provide mechanisms to revoke consent that are as easy as granting it.

European Economic Area (EEA), United Kingdom, and Switzerland

Where GDPR/UK GDPR/Swiss law applies, the controller is the Candela entity that provides the relevant Service or determines the processing purposes. Our lawful bases include performance of a contract, legitimate interests (such as improving Services and ensuring security), legal obligations, vital interests, and consent where required. Individuals have rights to access, rectify, erase, restrict, object (including to processing based on legitimate interests and to direct marketing), and data portability, and not to be subject to decisions based solely on automated processing with legal or similarly significant effects. You also have the right to lodge a complaint with your supervisory authority. We provide additional disclosures about international transfers below.

International Data Transfers

We transfer personal information to countries outside the EEA, UK, and Switzerland, including the United States. Where applicable, we rely on the EU–U.S. Data Privacy Framework (and its UK Extension and Swiss–U.S. DPF) for transfers to certified U.S. affiliates/providers, and otherwise use European Commission‑approved Standard Contractual Clauses and conduct transfer impact assessments.

China (People’s Republic of China) – PIPL Disclosures

For residents of the PRC, we process personal information in accordance with the Personal Information Protection Law (PIPL). Where we export personal information outside China, we use legally permitted mechanisms such as the CAC Security Assessment (where thresholds are met), execution of the standard contract for cross‑border transfers, or certification, and provide required notices and obtain separate consent where required. We store PRC‑collected personal information in China unless lawful transfer conditions are satisfied.

Security

We implement appropriate technical and organizational measures designed to protect personal information, taking into account the nature of the information and the risks of processing. No method of transmission or storage is completely secure; if we become aware of a data incident affecting your information, we will notify you and regulators as required by applicable law.

Data Retention

We retain personal information for as long as reasonably necessary to achieve the purposes described in this Policy or as required by law (for example, tax, accounting, or compliance obligations). We maintain category‑specific retention periods in our records schedule and delete or de‑identify data when it is no longer needed.

Children’s Privacy

Our Services are not directed to children. We do not knowingly collect personal information online from children under 13 (or under 14 in China). Where required by law, we will not sell or share personal information of consumers under 16 without appropriate opt‑in consent.

Updates to This Policy

We may update this Policy from time to time. We will post the updated Policy and change the effective date. If we make material changes, we will provide additional notice as required by law.

Contact Us

If you have questions or wish to exercise your rights, contact: Candela Corporation, 251 Locke Drive, Marlborough, MA 01752 USA; +1-800-733-8550; info@candelamedical.com. For EEA/UK residents, you may also contact your local supervisory authority. For China, contact Syneron/Candela (Beijing) Medical Technologies Co., Ltd., Unit 2801-2808, 28th Floor, Building 9, No. 91 Courtyard, Jianguo Road, Chaoyang District, Beijing; info.chinahr@candelamedical.com.