Privacy Policy

MAIA Medical, Inc.

Last Updated April 4, 2026

This Privacy Policy describes how MAIA Medical, Inc. ("MAIA," "we," "us," or "our") collects, uses, discloses, and protects information when you visit our website at maiamed.ai (the "Website") or use the MAIA platform, including the desktop application and web dashboard (the "Service").

This Privacy Policy does not replace or modify any Business Associate Agreement ("BAA") between MAIA and a healthcare provider. Where a BAA is in effect, the BAA governs our handling of Protected Health Information ("PHI") and takes precedence over this Privacy Policy to the extent of any conflict.

1. Information We Collect

1.1 Information You Provide Directly

Account and Registration Information. When you create an account, join our waitlist, or contact us, we collect information such as your name, email address, phone number, practice name, practice address, specialty, NPI number, and role within the practice.

Billing Information. We collect payment method details and billing address to process subscription fees and credit purchases. Payment card information is processed by our third-party payment processor and is not stored on MAIA's servers.

Communications. When you contact us via email, our website contact form, or other channels, we collect the content of your communications and any information you choose to provide.

Feedback and Survey Responses. If you participate in surveys, beta testing, or provide product feedback, we collect the information you submit.

1.2 Information Collected Automatically

Website Usage Data. When you visit the Website, we automatically collect certain information, including your IP address, browser type and version, operating system, referring URL, pages viewed, time spent on pages, and date and time of your visit.

Cookies and Similar Technologies. We use cookies and similar tracking technologies on the Website. See Section 7 (Cookies) below for details.

Desktop Client Telemetry. When you use the Desktop Client, we collect operational telemetry data to monitor system health, diagnose errors, and improve the Service. This telemetry includes: system health metrics (CPU, memory, disk usage), feature usage frequency and error rates, license validation events, credit consumption data, and application version information. Telemetry data never includes PHI, patient identifiers, clinical content, or the substance of any Service Output. Telemetry can be reviewed by the Subscriber via the web dashboard.

Web Dashboard Usage. When you use the web dashboard, we collect login events, pages accessed, and interaction data to maintain security and improve the user experience.

1.3 Information Processed Through the Service

Practice and Clinical Data. In the course of providing the Service, MAIA processes data from the Subscriber's electronic health record ("EHR") system and other practice systems. This data may include PHI such as patient names, dates of birth, diagnosis codes, procedure codes, insurance information, clinical notes, lab results, medication histories, and prior authorization documentation.

How This Data Is Handled. Practice and clinical data, including PHI, is:

Local vs. Server Processing. Certain Service functions are performed locally on the Subscriber's hardware through the Desktop Client. Data processed locally remains on the Subscriber's systems and is not transmitted to MAIA's servers unless transmission is required to perform a specific AI processing function. When data is transmitted to MAIA's servers, it is processed in memory, used solely for the requested function, and not persisted beyond the duration necessary to complete the task.

2. How We Use Information

2.1 Website Visitor Information

We use information collected from Website visitors to: operate and improve the Website, respond to inquiries and support requests, send communications you have opted into (such as waitlist updates and product announcements), analyze Website traffic and usage trends, detect and prevent fraud or abuse, and comply with legal obligations.

2.2 Subscriber and Service Information

We use Subscriber account information and Service telemetry to: provide, maintain, and improve the Service, process billing and credit transactions, monitor system health and diagnose technical issues, provide customer support, enforce our Terms of Service, communicate product updates and service notifications, and generate aggregate and de-identified analytics about Service usage patterns (which do not contain PHI or identify any individual patient).

2.3 PHI

We use PHI solely as directed by the Subscriber and as permitted under the applicable BAA. We do not use PHI for marketing, advertising, analytics, model training, or any purpose other than performing the specific Service functions requested by the Subscriber.

3. How We Share Information

3.1 We Do Not Sell Personal Information

MAIA does not sell, rent, or trade personal information or PHI to third parties.

3.2 Service Providers

We share information with third-party service providers who perform services on our behalf, such as payment processing, cloud hosting, and email delivery. These providers are contractually obligated to use information only for the purposes of providing services to MAIA and to maintain appropriate security measures. Where a service provider may access PHI, MAIA ensures that a BAA or equivalent agreement is in place.

3.3 Legal Requirements

We may disclose information if required to do so by law, regulation, legal process, or governmental request, including but not limited to a subpoena, court order, or request from a regulatory agency. We will notify the Subscriber of such disclosure to the extent permitted by law.

3.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, information may be transferred as part of that transaction. We will notify affected Subscribers before their information becomes subject to a different privacy policy.

3.5 With Subscriber Consent

We may share information for purposes not described in this Privacy Policy with the Subscriber's prior written consent.

4. Data Security

4.1. We implement administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information in our possession. These measures include:

4.2. The Desktop Client stores data locally on the Subscriber's hardware using encrypted local storage (SQLCipher). The Subscriber is responsible for the physical security of hardware on which the Desktop Client is installed and for maintaining appropriate access controls on its local systems and network.

4.3. No method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security.

5. Data Retention

5.1 Website Visitor Data

We retain Website visitor data (such as analytics and contact form submissions) for up to twenty-four (24) months from the date of collection, unless a longer retention period is required by law or necessary for a legitimate business purpose.

5.2 Account Information

We retain Subscriber account information for the duration of the subscription and for a period of three (3) years after termination, to comply with legal and regulatory obligations and to resolve disputes.

5.3 Billing Records

We retain billing and transaction records for a period of seven (7) years to comply with tax and financial reporting requirements.

5.4 PHI

PHI is retained and disposed of in accordance with the terms of the applicable BAA. Upon termination of the BAA, MAIA will return or destroy PHI as specified in the BAA, subject to any legal obligation to retain specific records.

5.5 Telemetry Data

Operational telemetry data is retained for up to twelve (12) months for system monitoring and improvement purposes.

6. Your Rights and Choices

6.1 Access and Correction

You may request access to the personal information we hold about you and request correction of any inaccurate information by contacting us at privacy@maiamed.ai.

6.2 Deletion

You may request deletion of your personal information, subject to our legal obligations to retain certain records. We will respond to deletion requests within thirty (30) days.

6.3 Marketing Communications

You may opt out of marketing communications at any time by using the unsubscribe link in any marketing email or by contacting us at privacy@maiamed.ai. Opting out of marketing communications does not affect transactional or service-related communications.

6.4 PHI Rights

Rights related to PHI (including access, amendment, restriction, and accounting of disclosures) are governed by HIPAA and the applicable BAA. Requests related to PHI should be directed to the healthcare provider (the Subscriber), who is the covered entity responsible for responding to patient rights requests under HIPAA. MAIA will assist the Subscriber in fulfilling such requests as required by the BAA.

6.5 State Privacy Rights

Residents of certain states, including California (under the CCPA/CPRA), Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws, may have additional rights regarding their personal information. These rights may include the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising privacy rights. To exercise any state-specific privacy rights, please contact us at privacy@maiamed.ai. We will respond within the timeframe required by applicable law.

Note: PHI that is subject to HIPAA is exempt from the CCPA and similar state privacy laws. The rights described in this section apply to non-PHI personal information.

7. Cookies and Tracking Technologies

7.1 What We Use

We use the following types of cookies and similar technologies on the Website:

Strictly Necessary Cookies. These are required for the Website to function and cannot be disabled. They include session management and security cookies.

Analytics Cookies. These help us understand how visitors interact with the Website by collecting information about pages visited, time on site, and navigation paths. We use this information to improve the Website.

Functional Cookies. These remember your preferences (such as language or region) to provide a more personalized experience.

7.2 What We Do Not Use

We do not use advertising or retargeting cookies. We do not serve third-party advertisements on the Website. We do not sell cookie data or Website usage data to advertisers.

7.3 Managing Cookies

You can control cookies through your browser settings. Disabling certain cookies may affect Website functionality. For more information on managing cookies, consult your browser's help documentation.

8. Children's Privacy

The Website and Service are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. Note: The Service may process PHI of minor patients as part of the Subscriber's medical records, which is governed by the BAA and applicable law (including HIPAA and state minor consent laws), not by this provision.

The Website and Service may contain links to third-party websites or integrate with third-party services that are not operated by MAIA. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party site you visit.

10. HIPAA Compliance

10.1. MAIA recognizes its obligations under HIPAA when acting as a Business Associate of a covered entity. Our HIPAA compliance program includes: designation of a Privacy Officer and Security Officer, implementation of administrative, physical, and technical safeguards as required by the HIPAA Security Rule, workforce training on HIPAA policies and procedures, BAAs with all subcontractors who may access PHI, breach notification procedures in compliance with the HIPAA Breach Notification Rule, and regular risk assessments.

10.2. In the event of a breach of unsecured PHI, MAIA will notify the affected Subscriber without unreasonable delay, and in no event later than sixty (60) calendar days after discovery of the breach, as required by HIPAA (45 CFR 164.410) and the applicable BAA. MAIA will use commercially reasonable efforts to notify within thirty (30) days where feasible, subject to any delay permitted under 45 CFR 164.412.

10.3. To report a potential HIPAA concern or security incident, contact us at security@maiamed.ai.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the revised policy on the Website with an updated "Last Updated" date and notify active Subscribers via email. Your continued use of the Website or Service after the effective date of any changes constitutes acceptance of the revised Privacy Policy.

12. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us at:

MAIA Medical, Inc.
Email: privacy@maiamed.ai
Security Concerns: security@maiamed.ai
Website: https://maiamed.ai

For HIPAA-related inquiries or to request a copy of our Business Associate Agreement, please contact privacy@maiamed.ai.