Privacy Policy

Version: 2026.05.29
Effective: May 29, 2026
Last reviewed: May 29, 2026

Miaise is a practice tool for licensed practitioners providing hands-on therapeutic, bodywork, esthetic, or adjacent professional services in the United States — including but not limited to massage therapists, estheticians, athletic trainers, manual therapists, and similar licensed professionals — operated by Deckmint LLC (doing business as Miaise). This policy describes what information Miaise collects, why, and what rights you have over it.

This policy covers four groups of people: visitors and waitlist signups on miaise.com, licensed practitioners who create Miaise accounts (referred to throughout as "therapists" as a familiar umbrella term that encompasses every licensed practitioner eligible to use the Service, not only licensed massage therapists), individuals whose records the practitioner enters into the practice tool ("clients"), and members of the public who book a session with a Miaise practitioner through that practitioner's public booking page ("booking-page visitors"). The section that applies to you depends on how you use Miaise.

1. About Miaise and this policy

Miaise is a mobile and web software service for licensed practitioners providing hands-on therapeutic, bodywork, esthetic, or adjacent professional services in the United States. Eligible practitioners include licensed massage therapists ("LMTs"), estheticians, athletic trainers, manual therapists, and other licensed professionals working in adjacent disciplines. The Service's clinical-documentation features are bodywork-native and can be configured by the practitioner to suit the workflow of their specific practice. The service is available at miaise.com and through iOS and Android apps currently in development. Miaise is operated by Deckmint LLC, a Missouri limited liability company doing business as Miaise.

This Privacy Policy ("Policy") applies to:

  • miaise.com and all subdomains
  • The Miaise iOS and Android applications
  • Any other Miaise-branded interface or API

This Policy does not apply to third-party websites, products, or services that Miaise links to. Those parties have their own privacy practices.

If you have questions about this Policy, see § 15 for contact information.

2. Notice at collection

This section is a plain-language summary required by the California Consumer Privacy Act ("CCPA") and parallel state statutes. It describes, at the point of collection, what personal information Miaise collects and why. The full details appear in § 3 through § 5.

What Miaise collects and why, in plain terms:

  • Waitlist and signup forms: name, email address, US state, optional license number, tools you currently use, approximate monthly visit volume, optional practice context, and technical data (IP address, browser or device type, referring URL). Collected to understand who is interested in Miaise and to send product updates.
  • Therapist accounts: name, email, phone number, state, license credential, professional liability insurance details, multi-factor authentication enrollment metadata, payment-method metadata held by Stripe, app version, and error reports. Collected to verify professional credentials, operate the account, process subscription billing, and maintain service reliability.
  • Client records entered by therapists: health and demographic information for each client, session records, SOAP notes, and related data. This information is protected health information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA"). Miaise stores PHI as a Business Associate (see § 6). Miaise does not collect this information directly from clients.
  • Booking-page visitors: when a member of the public requests a session through a therapist's public Miaise booking page, Miaise collects the name, contact information, session preferences, optional notes, and SMS-consent attestation that visitor enters into the form, along with the technical metadata captured to evidence consent (IP address, user agent string, timestamp). Collected to route the booking request to the therapist and, if the therapist accepts, to process payment through Stripe.
  • Bank account connections (optional, therapist-only): when a therapist optionally links a financial account through Plaid to import business expense transactions, Miaise stores the masked account identifiers, institution name, and the transaction records returned by Plaid. Bank account credentials are never seen, stored, or accessible to Miaise; they are entered directly into Plaid's connection interface. This is business financial data subject to the Gramm-Leach-Bliley Act and is not PHI (see § 6 for why HIPAA does not apply, and § 5 for vendor relationships).

Miaise does not sell personal information. Miaise does not share personal information for cross-context behavioral advertising. Miaise does not use sensitive personal information for purposes beyond what is listed in § 4.

Global Privacy Control ("GPC"): Miaise currently uses no tracking cookies or behavioral advertising. GPC signals are recognized and result in no additional action because there is nothing to opt out of in the current configuration. If that changes, this Policy will be updated before the change takes effect.

Categories of third parties who receive personal information: cloud infrastructure providers, AI inference providers, voice transcription and text-to-speech services, server-side geocoding, image-based optical character recognition, SMS delivery, transactional email delivery, financial-account aggregation, payment and marketplace processing, and professional credential verification. See § 5 for the named subprocessors and their roles.

3. Information we collect

Miaise collects different information depending on your relationship with the service. The subsections below describe each group. Information about clients of therapists (§ 3.3) is PHI subject to HIPAA and is handled under the Business Associate framework described in § 6. Information from booking-page visitors (§ 3.4) is contact and booking-request data, not PHI, until and unless the therapist accepts the booking and converts that visitor into a client record (at which point § 3.3 governs the resulting record). Bank-connection data (§ 3.5) is business financial data governed by § 6.

3.1. From visitors and waitlist signups

When you visit miaise.com or submit a waitlist or interest form, Miaise collects:

Directly submitted information:

  • First and last name
  • Email address
  • US state of practice
  • License number (optional; used to indicate professional credential, not treated as health information)
  • Tools currently in use (multi-select)
  • Approximate monthly client visit volume
  • Optional free-text practice context
  • Source URL (the page where you submitted the form)

Automatically collected technical information:

  • IP address
  • Browser type and version
  • Operating system
  • Referring URL (the site or link that sent you to miaise.com)
  • User agent string
  • Pages visited and time spent

Technical information is collected by Miaise's hosting infrastructure (Google Cloud) and is not sold or shared with advertising networks. It is used to diagnose technical issues and understand aggregate traffic patterns.

3.2. From therapist accounts

When you create a Miaise therapist account, Miaise collects:

Identity and professional credential:

  • Legal name
  • Email address
  • Phone number
  • US state of licensure, certification, or registration
  • Practitioner credential — license, certification, or registration type and identifier (e.g., massage therapy license, esthetician license, athletic training certification, manual therapy registration)
  • Professional liability insurance carrier and policy details

Account and security:

  • Password hash (never stored in plaintext)
  • Multi-factor authentication enrollment metadata (TOTP device registration; biometric enrollment occurs on-device only and is not transmitted to Miaise)
  • Custom claims indicating Business Associate Agreement ("BAA") acceptance and credential verification status

Business and financial:

  • Stripe Customer identifier and subscription state (Stripe holds the payment-method record; Miaise does not store full card numbers)
  • Stripe Connect Express account identifier and onboarding status (created on the therapist's behalf when the therapist opts in to accept payments from booking-page clients; Stripe holds the KYC and bank-account records and provides Miaise with status and identifier metadata only)
  • Optional Plaid Item identifier and masked account identifiers for financial accounts the therapist has chosen to link for business-expense import (see § 3.5)
  • Practice photos and brand assets the therapist uploads for display on the public booking page (Google Cloud Storage), including a logo, gallery images, and color palette selections for in-frame theming
  • Receipts the therapist uploads or captures with the in-app camera for supply tracking; the image is stored in Google Cloud Storage and is run through AWS Textract to extract date, vendor, amount, and line items for Schedule C categorization. Receipts are tied to the therapist's business records and are not PHI.

Technical and diagnostic:

  • App version
  • Device type and operating system version (mobile only)
  • Crash reports and error logs
  • IP address and session metadata
  • Push notification token (Expo)

Credential information (license, certification, or registration) is verified at onboarding by manual lookup against the issuing state authority's public registry. Credential data is professional information, not PHI, and is not transmitted to third-party verification services without notice and updated documentation in this policy.

Therapists must sign a Business Associate Agreement before any client record is accessible in the application. This gate is architecturally enforced, not a policy-only control. Where the practitioner is a Covered Entity under HIPAA, the Business Associate Agreement governs the parties' HIPAA relationship; where the practitioner is not strictly a Covered Entity under HIPAA, Miaise voluntarily applies Business Associate-equivalent protections to client records as a matter of contract.

3.3. From or about clients of therapists (PHI)

Therapists enter client records into Miaise as part of managing their practice. Miaise stores this information as a Business Associate under HIPAA (see § 6). Miaise does not collect this information directly from clients and does not have a direct relationship with clients.

Identity:

  • Full name
  • Pronouns
  • Date of birth
  • Sex assigned at birth

Contact:

  • Phone number
  • Email address
  • SMS opt-in consent and reminder preferences
  • Mailing or street addresses (stored with latitude and longitude derived from geocoding)

Health profile:

  • Known health conditions
  • Current medications
  • Allergies
  • Prior surgeries
  • Contraindication notes
  • Pregnancy status
  • Emergency contact name and phone number

Intake and session records:

  • Intake form responses
  • Session records including modality used, duration, and session purpose
  • SOAP notes: subjective observations, objective findings, assessment, plan, palpation findings, pressure tolerance, draping notes, and homecare recommendations
  • Encrypted audio recordings of sessions, stored in Google Cloud Storage and transcribed via AWS Transcribe Medical (see § 7)

Mileage and location:

  • GPS coordinates recorded during mileage tracking entries, classified by trip purpose (client visit, professional development, supply run)
  • Latitude and longitude of client addresses, used to calculate mileage; known client addresses are never sent to third-party geocoding services

Safety:

  • Panic location coordinates captured during safety check-in events

Audit data:

  • A full audit log of every PHI read and write, recording the acting therapist, timestamp, and record identifier

Briefing audio:

  • Short audio files generated server-side by AWS Polly Generative from a text briefing describing client intake context. Audio is generated on demand, played to the therapist, and stored encrypted in Google Cloud Storage with the session record so that the therapist can replay it before the next visit.

All PHI at rest is encrypted. PHI in transit uses TLS 1.3 with no protocol downgrade permitted. See § 13 and /security for the security baseline.

3.4. From booking-page visitors

When a member of the public requests a session through a therapist's public Miaise booking page at miaise.com/book/[therapist-slug], Miaise collects the information that visitor enters into the booking form and the technical metadata necessary to operate the booking workflow and to evidence consent.

Directly submitted by the visitor:

  • First and last name
  • Phone number
  • Email address (optional, depending on the therapist's booking-page configuration)
  • Preferred session type, requested date and time window, and session location preference (in-studio or mobile, where the therapist offers both)
  • Optional free-text notes to the therapist
  • A timestamped attestation that the visitor consents to receive transactional SMS related to the booking (see miaise.com/sms-consent)

Automatically collected:

  • IP address, user agent string, and UTC timestamp of submission, captured at the moment of form submission as the TCPA evidence trail for any SMS consent attested in the form and, where the booking saves a card, as the evidence trail for the card authorization described below
  • Booking-page slug and the therapist account it resolves to

Where a service saves a card. When a therapist's service collects payment up front, takes a deposit, or holds a card on file for a cancellation or no-show fee, the booking form also collects, and Miaise records:

  • A Stripe payment-method reference for the saved card. The card itself is held by Stripe; Miaise does not store the full card number (see § 5).
  • A record of the off-session charge authorization the visitor accepted: the verbatim authorization text shown, whether the visitor accepted it, and the fee and cancellation-notice values in effect at the time. The IP address, user agent, and submission timestamp listed above serve as the evidence trail for this authorization in the same way they do for SMS consent. The authorization is described for visitors on the booking page and in the Terms of Service § 8.

A therapist may also save a client's card at the client level, against the therapist's own client record, rather than against a single booking. This standing arrangement, the categories of charge it covers (including a deposit, a retainer, a balance, a cancellation or no-show fee, and an amount the therapist has invoiced for a service the client received), the way Miaise records and re-snapshots the client's authorization onto each charge, the notice the client receives before each charge, and the way the therapist may send the client a secure card-capture link by SMS or email, are described in § 4 and in the Terms of Service § 8. A standing client-level saved card relates to a client of the therapist; the card reference and authorization record associated with it are held under the therapist's account on the same Business Associate basis as the rest of that client's record (see § 6), while the card data itself remains with Stripe under § 5.

What happens to this data: the booking request is delivered to the therapist for acceptance or decline. If the therapist accepts and the visitor completes payment (where applicable) through the marketplace-processing path described in § 5, Miaise creates a client record under the therapist's account. From that point forward, the data is treated as PHI subject to § 3.3 and the HIPAA Business Associate framework in § 6. If the therapist declines or the booking expires unpaid, the booking request and the data collected in support of it are retained only for the period stated in § 12 and then deleted, unless a state law-specific retention requirement applies.

No tracking of declined or anonymous visitors. Visitors who view a booking page without submitting the form have only the technical information described in § 3.1 collected by hosting infrastructure for operational diagnostics. No advertising or behavioral profile is built.

Soft decline and block list. A therapist may configure a per-business block list of phone numbers or email addresses that should be soft-declined automatically. A submission from a blocked contact is recorded as a declined request and is retained for the period in § 12; the contact is informed that the request was not accepted. The block list is operated by the therapist, not by Miaise, and is part of the therapist's healthcare-operations workflow under HIPAA.

3.5. From bank account connections (Plaid)

Miaise offers therapists an optional integration with Plaid that imports business-expense transactions from a financial account the therapist controls. This integration is therapist-initiated and can be disconnected at any time. Miaise does not require a bank connection to use the practice tool.

What Miaise does and does not see. When the therapist starts a bank connection from inside the Miaise mobile application, Plaid's secure Link interface opens. The therapist enters their financial-institution credentials directly into Plaid; Miaise never sees, stores, or has access to those credentials. Plaid returns to Miaise a connection token ("Item"), institution metadata (name, logo, masked account numbers), and, on an ongoing basis, the transaction records the therapist has consented to share.

What Miaise stores from the connection:

  • Plaid Item identifier
  • Institution name and masked account identifiers
  • Transaction records returned by Plaid for the connected account: posting and authorized dates, amounts, vendor or counterparty name, Plaid's category classification, and Miaise's user-applied classification (business expense category for Schedule C purposes, or "not a business expense")
  • Therapist-applied rules that auto-classify future transactions matching a pattern

Purpose. This data is used solely to populate the therapist's business expense ledger, support category classification for IRS Schedule C, and surface a Schedule C-ready export. It is not used for marketing, advertising, or any purpose unrelated to the practice's tax recordkeeping.

Legal framework. Bank account connection data is financial information governed primarily by the Gramm-Leach-Bliley Act ("GLBA") and applicable state financial-privacy laws, not by HIPAA. The Business Associate framework in § 6 does not apply to bank-connection data because the data does not relate to the past, present, or future provision of healthcare services to an Individual. Therapist accounts and bank-connection data are architecturally separated from any client PHI; the storage paths, security rules, and access controls for the two are independent. The vendor relationships that make this feature work are described in § 5.

Sharing. Miaise does not share bank-connection data with any party other than: (a) Plaid, which operates the connection and returns the data; (b) Google Cloud infrastructure that hosts the Miaise platform; and (c) the therapist who owns the account. Miaise does not sell financial transaction data. Plaid's own privacy practices apply to the data Plaid sees in the course of operating the connection.

Disconnection. The therapist can disconnect a financial account at any time through the in-app banking settings. Disconnection removes the Plaid Item, stops further transaction imports, and retains the historical transactions already imported as part of the therapist's expense ledger so that tax reporting integrity is preserved. The therapist may separately delete imported transactions through the expense-ledger interface.

4. How we use information

Visitors and waitlist signups. Miaise uses information collected from visitors and signups to:

  • Send product updates, launch announcements, and educational content you have opted into
  • Understand the professional makeup and geographic distribution of interested users to guide product development
  • Diagnose technical problems with miaise.com
  • Comply with legal obligations

You may unsubscribe from waitlist emails at any time using the link in any email. Unsubscribing removes you from marketing communications but does not delete your record. To request deletion, see § 9.

Therapist accounts. Miaise uses therapist account information to:

  • Verify professional credentials before granting PHI access
  • Operate, maintain, and improve the Miaise service
  • Process subscription billing through Stripe, including renewals, retries on declined payment, and lapse-state communications
  • Operate the optional Stripe Connect Express account that allows the therapist to accept payments from booking-page clients (see § 5)
  • Send service notices (billing, security alerts, policy updates) through transactional email and SMS providers identified in § 5
  • Respond to support requests
  • Detect and prevent fraud or unauthorized access
  • Comply with legal obligations

Client PHI. Miaise uses client PHI only to:

  • Provide the features of the practice tool to the therapist who entered the records
  • Generate AI-assisted SOAP draft notes and contraindication signals as directed by the therapist (see § 7)
  • Generate spoken pre-session briefing audio (text-to-speech) for the therapist to review before a visit
  • Send transactional SMS to clients whose therapist has captured a TCPA-valid consent record, with content limited to a tokenized link to a secure intake form or to a secure card-capture page, plus the minimum appointment context (such as date and time) needed for the client to recognize the request; the SMS body never carries the studio address, the service or modality, or other clinical detail
  • Where the therapist has saved a client's card and the client has authorized off-session charges, send the client a notice by email before each therapist-initiated charge (identifying the therapist, the amount, and the reason) and an emailed receipt after it, and deliver a secure card-capture link by SMS or email when the therapist asks Miaise to collect a card from the client
  • Maintain audit logs required by HIPAA
  • Respond to verified legal process directed at a specific therapist's records

Miaise does not use client PHI for advertising, product analytics, or model training. See § 7 for AI-specific processing disclosures.

Booking-page visitor data (pre-acceptance). Miaise uses information collected from booking-page visitors to:

  • Route the booking request to the named therapist for acceptance, decline, or hold
  • Send transactional booking confirmations, decline notices, and (if the therapist accepts and the visitor has consented to SMS at the form) brief appointment reminders
  • Where the therapist has accepted the booking and required prepayment or a hold, process the payment through Stripe Connect under § 5
  • Where a card is saved and the client has authorized it, charge the saved card off-session through Stripe for amounts the client owes the therapist under the therapist's stated terms. Covered reasons are a fixed, closed set: a deposit, a retainer, a balance for a service, a cancellation fee, a no-show fee, or an amount the therapist has invoiced for a service the client received (see Terms of Service § 8). This applies both to a card saved against a single booking and to a card saved at the client level under a standing authorization. Miaise initiates such a charge only when a valid authorization is on record, and sends the client an emailed notice before a therapist-initiated charge and an emailed receipt after it.
  • Maintain the evidence trail for any SMS consent and any off-session card authorization attested in the booking form (the verbatim disclosure text, the visitor's IP address, and the UTC timestamp of submission)

If the booking is accepted and a client record is created from the booking request, the data transitions to client PHI under § 3.3 and the HIPAA Business Associate framework in § 6. If the booking is declined or expires, the data is retained only as described in § 12.

Bank-connection data. Miaise uses bank-connection data (§ 3.5) only to populate the therapist's business expense ledger, support classification for IRS Schedule C, and surface tax-ready exports. This data is not used for marketing, advertising, or any other purpose.

Legal bases (where applicable). For users subject to state privacy laws with explicit legal basis requirements: processing of visitor and therapist account information is based on performance of a contract (account operation), legitimate interests (fraud prevention, service improvement), and legal obligation. Processing of PHI is based on the Business Associate relationship and HIPAA authorization framework described in § 6. Processing of bank-connection data is based on the therapist's affirmative consent at the time of the Plaid connection, withdrawable at any time by disconnecting the account.

5. Sharing and subprocessors

Miaise does not sell personal information. Miaise does not share personal information for cross-context behavioral advertising. Miaise shares information only with the subprocessors and counterparties described below, each engaged for a specific functional purpose. All subprocessors with access to PHI operate under a signed Business Associate Agreement with Miaise. The current named subprocessor list is also published at /security#subprocessors; this Policy and that page are kept consistent and any divergence should be reported to security@miaise.com.

Cloud infrastructure. Miaise's application, database, file storage, authentication, secret management, and logging run on Google Cloud Platform, including Firestore, Cloud Storage, Cloud Run, Cloud Functions, Identity Platform, Secret Manager, and Cloud Logging. Google Cloud is a Business Associate of Miaise under a signed BAA covering the HIPAA-eligible services that handle PHI.

AI inference (primary path). AI-assisted SOAP note drafting and contraindication-signal evaluation run on Google Cloud Vertex AI, accessed inside the same Google Cloud project that hosts the Miaise application. Vertex AI is a HIPAA-eligible service covered by Miaise's BAA with Google Cloud.

AI inference (contingency path). Miaise maintains a contingency configuration on Amazon Web Services Bedrock running Anthropic Claude Sonnet 4.6 inference. This path is used only if the primary Vertex AI path is unavailable, and is covered by Miaise's BAA with Amazon Web Services. Anthropic does not hold a direct relationship with Miaise; Anthropic's model on Bedrock operates under the AWS BAA.

Voice transcription. Session-audio transcripts that feed the SOAP-drafting path are produced by AWS Transcribe Medical, covered by Miaise's BAA with AWS.

Text-to-speech (briefing audio). Pre-session briefing audio is generated by AWS Polly Generative voices from a text briefing about a client's intake context. Polly is covered by Miaise's BAA with AWS.

Receipt and document OCR. When a therapist captures a business expense receipt with the in-app camera or uploads one, the image is processed by AWS Textract to extract date, vendor, amount, and line items for Schedule C categorization. Receipts are not PHI; this path does not handle client records. Textract is covered by Miaise's BAA with AWS regardless.

SMS delivery. Transactional SMS (intake-form links, booking confirmations, appointment reminders, safety-feature check-ins) is delivered by Telnyx, Inc. through a registered United States toll-free number. Telnyx operates as a conduit carrier under the HIPAA conduit exception (45 CFR 164.504(e)): it transmits messages but does not access or retain message contents for substantive use. As the load-bearing customer-side discipline that supports the conduit posture, Miaise applies strict body-redaction: SMS message bodies contain no therapist names, client names, clinical vocabulary, or appointment details, only a tokenized link to a secure intake or confirmation web page on miaise.com. Carrier compliance details, the SMS consent capture flow, and the TCPA evidence model are described at /sms-consent.

Transactional email. Account-related email (email verification, password reset, multi-factor enrollment notifications, welcome and onboarding mail, billing-state notices, booking confirmations, waitlist communications) is delivered by Resend, Inc. Resend also operates as the SMTP relay through which Identity Platform's built-in account-state notifications are sent, so that all account email originates from a miaise.com sender domain with proper SPF/DKIM alignment. Resend handles email message contents in the course of transit; email bodies are limited to the operational subject matter described in this Policy and do not include PHI beyond what is unavoidable for clinical communications the therapist initiates (which, today, do not exist in the product).

Server-side geocoding. Address-to-coordinate conversion for mileage trip endpoints uses Mapbox, server-side, with a PHI-suppression gate: known client addresses are never sent to Mapbox; only the addresses of unknown destinations (a coffee shop, a hardware store) are geocoded. Map-rendering tiles served on the mobile app are also delivered by Mapbox. Mapbox is not a Business Associate; the data shared with Mapbox is not PHI.

Subscription billing. Subscription fees for the Miaise account are processed by Stripe, Inc. under the HIPAA payment-processing exemption. PHI is architecturally fenced out of all Stripe data fields by a typed schema gate applied to every Stripe API call. Stripe holds the payment-method record, not Miaise. Stripe's own privacy practices govern Stripe's processing of payment data.

Marketplace processing (Stripe Connect Express). When a therapist opts in to accept payments from booking-page clients, Miaise creates a Stripe Connect Express account on the therapist's behalf. Stripe handles know-your-customer verification, bank-account collection, and payout disbursement directly with the therapist. For each accepted booking, the booking-page visitor's payment is processed by Stripe Connect with Miaise as the platform and the therapist as the connected account; the therapist receives the payment net of Stripe's processing fees and the Miaise platform fee disclosed at signup. Where a card is saved for later use, whether against a single booking or at the client level under a standing authorization, Stripe stores the client's payment method and Miaise retains only a Stripe payment-method reference; a later off-session charge is initiated through Stripe against that saved method, only when a valid authorization is on record, and only for one of a fixed, closed set of reasons (a deposit, a retainer, a balance for a service, a cancellation fee, a no-show fee, or an amount the therapist has invoiced for a service the client received) (§ 3.4, § 4, and Terms of Service § 8). Where Miaise sends the client a secure card-capture link to save the card, the link is delivered by Telnyx (SMS) or Resend (email) under the same conduit and transactional-email practices described above and carries only the minimum appointment context, never PHI in the SMS body. PHI is not transmitted to Stripe at any point in the payment flow.

Bank-account aggregation (Plaid). When a therapist optionally links a financial account through Plaid Inc. to import business-expense transactions (§ 3.5), Plaid handles the credential exchange directly with the therapist and the financial institution, and returns to Miaise the masked account metadata and transaction records described in § 3.5. Plaid's relationship with Miaise is governed by Plaid's own privacy notice and the GLBA framework, not by HIPAA.

Push notifications. Mobile push notifications are delivered through Expo Push Notifications (operated by 650 Industries, Inc.) and the operating-system push services of Apple and Google. Notification payloads do not include PHI; bodies are operational ("a new booking request is waiting", "session is starting in 10 minutes") and the in-app destination resolves the rest after the user authenticates.

Professional credential verification. License credentials are verified at onboarding by manual lookup against the issuing state board's public registry. License data is not transmitted to third-party verification services without updated notice in this Policy.

Legal process. Miaise may disclose information when required to do so by valid legal process (subpoena, court order, government demand), to the extent permitted by law. Where the law permits, Miaise will attempt to notify affected therapists before complying with a demand directed at their records.

Business transfers. If Deckmint LLC is acquired, merged, or substantially all of its assets are transferred, personal information held by Miaise may be transferred as part of that transaction. Miaise will provide notice of any material change in data controller identity through the process in § 14.

No other sharing. Miaise does not share personal information with data brokers, advertisers, analytics platforms, or social networks. Miaise does not use third-party analytics scripts (no Google Analytics, no Mixpanel, no Segment, no Meta Pixel).

6. Health information

HIPAA Business Associate status. Miaise operates as a Business Associate ("BA") under HIPAA with respect to PHI that therapists store in the practice tool. Each therapist (a "Covered Entity" under HIPAA) signs a Business Associate Agreement with Miaise at onboarding. PHI access is gated by a custom account claim that is set only after the BAA is accepted and the therapist's license credential is verified. This gate is enforced in Firestore security rules and is not bypassable through the application interface.

What Miaise does as a Business Associate. Under the BAA, Miaise:

  • Stores and processes PHI only for the purposes described in the BAA and this Policy
  • Applies the security safeguards described in § 13 and at /security
  • Maintains audit logs of every PHI read and write (see § 3.3)
  • Reports to the affected therapist any breach of unsecured PHI within the time frames required by the HIPAA Breach Notification Rule and the FTC Health Breach Notification Rule (see below)
  • Does not use PHI for purposes beyond those permitted under the BAA
  • Supports therapists in honoring patient rights requests (access, amendment, accounting of disclosures) as required by HIPAA

Therapist obligations as Covered Entity. Therapists are responsible for:

  • Obtaining all necessary authorizations and consents from clients before entering their PHI into Miaise
  • Providing clients with a Notice of Privacy Practices ("NPP") as required by HIPAA
  • Responding to client requests for access, amendment, or accounting of disclosures using records stored in Miaise (Miaise provides data export to support this)
  • Maintaining any state-law record retention obligations applicable to their practice

Notice of Privacy Practices. A Miaise-perspective NPP describing the Business Associate relationship is presented to therapists in the application at onboarding and is available within the Miaise app at any time from account settings. The therapist's own client-facing NPP is a separate document the therapist posts in their own practice; that responsibility lies with the therapist, not with Miaise.

FTC Health Breach Notification Rule. The FTC's Health Breach Notification Rule (as expanded effective July 2024) applies to personal health record vendors and related entities. In the event of a breach of unsecured individually identifiable health information affecting 500 or more individuals, Miaise will notify affected individuals within 60 days, notify the FTC, and (where required) notify prominent media outlets in affected states. Breaches affecting fewer than 500 individuals will be reported to the FTC on the annual log schedule.

Consumer health data laws. Certain state laws treat health-adjacent data as consumer health data even outside the HIPAA framework (see § 10.2, § 10.3, § 10.4). Miaise's PHI suppression practices and data minimization approach are designed to satisfy those statutes in addition to HIPAA.

7. AI and automated processing

Where AI is used. Miaise uses artificial intelligence in three features of the practice tool:

  1. SOAP draft generation. A therapist may choose to record audio during or after a session. The audio is transcribed using AWS Transcribe Medical. The transcript is then sent to the Claude Sonnet 4.6 large language model to generate a structured draft SOAP note (subjective, objective, assessment, plan). The therapist reviews, edits, and signs the final SOAP note. No SOAP note is filed without the therapist on the record as the responsible author.
  2. Contraindication signaling. When intake responses are entered or updated, Miaise evaluates them against a rules-based contraindication catalog and applies an AI-assisted reading of free-text narrative fields using Claude Sonnet 4.6. The therapist sees any flags surfaced by this evaluation and decides how to act on them. The system does not make clinical decisions or take autonomous action.
  3. Pre-session briefing audio. Miaise composes a short text briefing summarizing the client's intake context and converts that briefing to spoken audio using AWS Polly Generative voices. The therapist plays the briefing back before the visit. The briefing is generated from PHI; the audio file is stored encrypted and is treated as PHI under the Business Associate framework in § 6.

AI provider configuration. Claude Sonnet 4.6 inference is hosted in two places, both BAA-covered:

  • Primary path: Google Cloud Vertex AI inside the same Google Cloud project that hosts the Miaise application. Vertex AI is a HIPAA-eligible Google Cloud service covered by Miaise's BAA with Google.
  • Contingency path: AWS Bedrock, used only when the primary path is unavailable. Bedrock and the model running on it are covered by Miaise's BAA with Amazon Web Services.

Both providers operate the same Anthropic-published model under their own service terms. Miaise does not hold a direct relationship with Anthropic for production inference.

Therapist on the record. For every AI-assisted artifact, Miaise records the model identifier, the provider that served the inference, the generation timestamp, and the therapist's acceptance or sign-off. This record is part of the permanent session record.

Training-data posture. Miaise does not contribute PHI or any Miaise user data to AI model training. AWS Bedrock and Google Cloud Vertex AI are configured under their HIPAA and enterprise terms in a mode where customer prompts and completions are not used for base model training, consistent with the BAAs and service terms governing each path. California AB 2013, effective January 1, 2026, requires transparency about training data for generative AI systems deployed to consumers. Miaise's AI features use third-party foundation models; training-data disclosures for those models are published by their respective developers (Anthropic for Claude, Google for Vertex-native models).

Colorado automated decision-making technology framework (effective January 1, 2027). In May 2026, Colorado enacted SB 26-189, which repealed and replaced the prior Colorado Artificial Intelligence Act with a new framework focused on automated decision-making technology ("ADMT") used to materially influence consequential decisions affecting Colorado residents. The new framework takes effect January 1, 2027, and the Colorado Attorney General is conducting rulemaking that must conclude by that date. The Colorado Attorney General has stated it will not enforce the new framework before the rulemaking concludes and the statute takes effect.

Miaise's contraindication evaluation, SOAP-draft, and pre-session briefing audio features involve automated processing that informs, but does not replace, a licensed professional's judgment. As the Colorado Attorney General's rulemaking progresses, Miaise will assess whether these features fall within the new framework's definition of ADMT that "materially influences" a consequential decision, and will publish a Colorado consumer notice before the January 1, 2027 effective date describing: (a) the purpose of each AI feature; (b) the nature and source of the inputs; (c) the human-in-the-loop control points that prevent fully automated decisions; (d) how a Colorado resident can obtain additional information about the use of automated processing in their care record; and (e) the contact path for questions. Miaise will update that notice as the rulemaking finalizes and as AI features change.

Utah AI Policy Act. Amendments effective May 2024 (and as further amended in 2025) require disclosure when generative AI is used in interactions with a person who could reasonably be expected to not realize the interaction is with AI, and when generative AI is used in a regulated professional context. Miaise discloses generative AI use in the SOAP draft, briefing audio, and contraindication signaling features both within this Policy and inline at the relevant in-app surface with an "AI-assisted" label.

No fully automated decisions. No Miaise AI feature makes a final decision that significantly affects a client without a therapist reviewing and acting on the output. Therapists may disable AI features in account settings; the SOAP-draft feature in particular can be turned off, in which case session documentation falls back to manual entry.

8. Cookies and similar technologies

Current state: essential cookies only. Miaise currently uses cookies only for session authentication on miaise.com. No analytics cookies, advertising cookies, or behavioral tracking pixels are deployed.

What "essential" means here. Essential cookies maintain your logged-in state during a browser session. Without them, the application cannot function. These cookies are not used to track you across other websites.

No analytics platforms. Miaise does not load Google Analytics, Mixpanel, Segment, Meta Pixel, or similar third-party analytics or advertising scripts on miaise.com or in the mobile apps.

Global Privacy Control. Because we do not engage in the sale or sharing of personal information through cookies or tracking technologies, GPC signals received by miaise.com are honored trivially: there is no cross-site tracking to opt out of. If we add any such technology in the future, we will update this section, provide advance notice per § 14, and make sure GPC signals trigger the appropriate opt-out before any new technology goes live.

Local storage on mobile. The Miaise mobile apps use device local storage and the secure on-device keychain for session tokens and offline cache. This data stays on your device and is not shared with third parties.

9. Your rights

You have the following rights over personal information Miaise holds about you. These rights apply to visitors, waitlist signups, and therapist account holders. Rights over client PHI are governed by HIPAA and must be directed to the therapist who holds that record (see § 6).

Access. You may request a copy of the personal information Miaise holds about you.

Correction. You may request that Miaise correct inaccurate personal information.

Deletion. You may request that Miaise delete your personal information. Deletion of a therapist account is subject to HIPAA record retention requirements (§ 12) and any state-law retention period applicable to the therapist's practice.

Portability. You may request your personal information in a structured, commonly used, machine-readable format.

Restriction. You may request that Miaise restrict processing of your personal information in certain circumstances (for example, while a correction request is pending).

Opt-out of marketing. You may opt out of marketing emails at any time using the unsubscribe link in any Miaise email. Transactional and security notices are not subject to opt-out while your account is active.

Account deletion endpoint. Consistent with Apple App Store Guideline 5.1.1(v), therapists may delete their Miaise account directly from within the mobile application. The deletion flow is accessible from account settings. A web-based deletion landing page is also available at /account/delete.

How to submit a request. Send privacy and data requests to security@miaise.com (see § 15). Include your name, the email address associated with your Miaise record, and a description of what you are requesting. Miaise will verify your identity before acting on any access, correction, deletion, or portability request. Verification may involve confirming information you provided when you signed up.

Response time. Miaise will respond to verifiable requests within 45 days. Where additional time is reasonably necessary (up to an additional 45 days), Miaise will notify you of the extension within the initial 45-day period. No fee is charged for a first request in any 12-month period.

Appeals. If Miaise declines to act on your request, you will receive a written explanation. You may appeal the decision by replying to that explanation. If your appeal is denied, you will receive instructions for escalating to the relevant state attorney general or data protection authority.

Non-discrimination. Miaise will not discriminate against you for exercising any right described in this section.

10. State-specific rights

Federal and state privacy laws grant additional rights depending on your state of residence. The subsections below address the most significant state frameworks. If your state is not listed by name, see § 10.5.

10.1. California (CCPA/CPRA)

California residents have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), including January 2026 amendments.

Categories of personal information collected. In the preceding 12 months, Miaise has collected the following CCPA categories: identifiers (name, email, IP address), professional information (license number, insurance details), health information (client PHI, managed as a Business Associate under § 6), internet or other electronic network activity (pages visited, browser data), geolocation data (mileage GPS, client address coordinates), and inferences drawn from intake and session data to flag potential contraindications.

No sale or sharing. Miaise does not sell personal information. Miaise does not share personal information for cross-context behavioral advertising. California residents have the right to opt out of sale or sharing; because Miaise does not engage in either, there is nothing to opt out of. An "Opt-Out Request Honored" confirmation is available upon request.

Sensitive personal information. Miaise collects certain categories of sensitive personal information under CCPA/CPRA: precise geolocation (mileage and client address coordinates), health information (client PHI), and account login credentials. Miaise uses sensitive personal information only to provide the services described in § 4 and does not use it to infer characteristics about individuals beyond what is necessary for the practice tool to function. You may direct Miaise to limit use of sensitive personal information to what is necessary by contacting security@miaise.com.

Automated decision-making technology ("ADMT") disclosure. California regulations adopted in 2025 (effective January 1, 2026, with ADMT-specific compliance from January 1, 2027) define ADMT as technology that processes personal information and uses computation to "replace or substantially replace" human decision-making for "significant decisions" — including decisions affecting health care.

Miaise's AI-assisted features — SOAP draft generation, contraindication signaling, and pre-session briefing audio — are designed so that a licensed therapist makes every significant decision about a client's care. The AI features provide drafting assistance, advisory flagging, and informational audio summaries; they do not replace or substantially replace the therapist's clinical judgment. No SOAP note is filed without therapist review and signature; every contraindication signal is advisory and labeled as such; the briefing audio is informational only. Each AI-assisted artifact carries an AI-provenance marker identifying the model and provider.

For these reasons, Miaise's AI-assisted features do not constitute ADMT used to make significant decisions under the California regulations. California residents who would like more information about how Miaise's AI features work, or who would like to disable AI features on their therapist's account workflow, may contact security@miaise.com. Therapists may also disable AI features at any time from in-app account settings.

Notice at collection. See § 2 for the CCPA-required plain-language notice at collection.

Right to know, correct, delete, and portability. See § 9 for the exercise process.

Shine the Light. Miaise does not share personal information with third parties for their own direct marketing purposes. California Civil Code § 1798.83 requests may be directed to security@miaise.com.

10.2. Washington (My Health My Data Act)

The Washington My Health My Data Act ("MHMD Act") is in private-right-of-action enforcement as of 2024. It applies to consumer health data collected from Washington residents.

Consumer health data Miaise collects from Washington residents. Miaise collects consumer health data as defined by the MHMD Act, including health conditions, session records, SOAP notes, and location data that may be associated with healthcare-related visits. For therapist account holders who are Washington residents, professional credential and insurance data may also meet the MHMD Act's definition in context.

Consent. Miaise does not collect consumer health data from Washington residents beyond what is necessary to provide the services described in this Policy without separate, explicit consent. Therapists enter client PHI as part of their professional practice; that data is governed by the HIPAA Business Associate framework (§ 6) and the therapist's own HIPAA obligations as a Covered Entity.

No geofencing. Miaise does not use geofencing around healthcare facilities to identify or track individuals.

No sale of consumer health data. Miaise does not sell consumer health data as defined by the MHMD Act.

Your rights under the MHMD Act. Washington residents may request access to, correction of, and deletion of consumer health data. Requests may be submitted to security@miaise.com (§ 15). Miaise will respond within 45 days.

Right to appeal. If Miaise denies a request, Washington residents may appeal and, if the appeal is denied, may escalate to the Washington Attorney General.

10.3. Nevada (SB370 and consumer health amendments)

Nevada Senate Bill 370 ("NV SB370") and Nevada's consumer health data amendments impose requirements on the processing of consumer health data for Nevada residents.

No sale of covered information. Miaise does not sell covered information as defined by NRS 603A.340. Nevada residents may submit an opt-out of sale request to security@miaise.com; because Miaise does not sell covered information, no further action is required after confirmation.

Consumer health data. Health information collected by Miaise that relates to Nevada residents is subject to Nevada's consumer health data provisions. Miaise applies the same consent and data minimization practices described in § 10.2 to Nevada residents. Miaise does not sell consumer health data and does not share it with third parties for purposes not described in this Policy.

Contact. Nevada residents may direct rights requests to security@miaise.com (§ 15).

10.4. Connecticut (CTDPA and consumer health amendments)

The Connecticut Data Privacy Act ("CTDPA") and Connecticut's consumer health data amendments apply to Connecticut residents whose personal data is processed by Miaise.

Rights under the CTDPA. Connecticut residents have the right to access, correct, delete, and obtain a portable copy of their personal data. They also have the right to opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. Miaise does not make solely automated decisions with legal or similarly significant effects; AI-assisted features are reviewed by the therapist (see § 7). Opt-out of profiling requests may be directed to security@miaise.com.

Consumer health data. Connecticut's consumer health data provisions apply to health-related personal data collected from Connecticut residents. Miaise does not sell consumer health data and does not process it for purposes beyond those described in § 4 without explicit consent.

Sensitive data. Miaise processes health information, precise geolocation, and professional credential data from Connecticut residents. Miaise obtains consent or relies on the HIPAA Business Associate framework before processing sensitive data categories, consistent with CTDPA requirements.

Right to appeal. Connecticut residents may appeal a denied rights request by replying to the denial notice. If the appeal is denied, Connecticut residents may escalate to the Connecticut Attorney General.

10.5. Other state laws

As of April 2026, comprehensive consumer privacy laws are in effect in Colorado, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Kentucky, New Jersey, New Hampshire, Rhode Island, Delaware, Maryland, and Tennessee, among others. The New York SHIELD Act (amended December 2024, effective March 2025) imposes security and breach notification requirements on entities handling New York residents' private information. New York's Health Information Privacy Act (S929/A2141) is pending as of this Policy's effective date.

Miaise's data practices are designed to meet or exceed the requirements of each applicable state privacy statute. The rights described in § 9 (access, correction, deletion, portability, restriction, opt-out of sale, right to appeal) are available to all United States residents regardless of state. Where a specific state law grants an additional right not described in § 9, Miaise will honor that right upon a verifiable request directed to security@miaise.com (§ 15).

Miaise monitors enacted and pending state privacy legislation and updates this Policy when material changes in legal obligations require it. See § 14 for the update process.

11. Children's information

Miaise is not directed to children. The Miaise service is designed for licensed professionals. Miaise does not knowingly collect personal information from individuals under the age of 13. If Miaise becomes aware that it has collected personal information from a child under 13 without verifiable parental consent, it will delete that information promptly.

Public booking pages. A therapist's public booking page is not directed to children. The booking form requires the visitor to be 18 or older to submit a request on their own behalf. If a parent or legal guardian is booking on behalf of a minor client, the booking is submitted by the adult, and any further information about the minor is captured by the therapist directly in the course of treatment and is governed by the next paragraph.

Minor clients in therapist records. Therapists may enter records for minor clients as part of their professional practice. These records are entered by the therapist in their capacity as a licensed professional, and the therapist is responsible for obtaining all required consents from the parent or legal guardian of the minor client before entering that information into Miaise. Miaise stores these records as PHI under the Business Associate framework (§ 6) and applies the same safeguards as it does to all PHI.

If you have reason to believe that Miaise has collected personal information from a child under 13 without parental consent, please contact Miaise at security@miaise.com (§ 15).

12. Retention

Waitlist and visitor records. Information collected from visitors and waitlist signups is retained for 90 days from collection, after which it is deleted, unless you have created a therapist account or have requested earlier deletion under § 9. If you unsubscribe from waitlist emails, your record is removed from the marketing list but the underlying contact record is retained for the 90-day period to maintain suppression (so you are not re-added by a duplicate submission) and then deleted.

Therapist account records. Therapist account records are retained for the duration of the active account. After account closure, Miaise retains the minimum account metadata necessary to comply with applicable law and resolve disputes for a period of no more than three years, unless a longer period is required by law. Professional liability insurance records may be retained longer to document the credential verification that occurred during the account relationship.

Client PHI. Client PHI is retained for the period required by the HIPAA medical record retention standard and any applicable state medical record retention law. Many states require retention of adult patient records for a minimum of 7 years from the date of last service, and minor patient records for a minimum of 7 years from the date of last service or until the patient reaches the age of majority plus the applicable adult retention period, whichever is longer. Miaise applies the most conservative applicable retention period as a default. Therapists may request export of PHI records before account closure and are responsible for their own retention obligations as Covered Entities.

Booking-page request records. A booking request submitted through a therapist's public booking page is retained for the lifetime of the resulting client relationship if the booking is accepted. If the booking is declined or expires unpaid, the request and its associated TCPA evidence trail are retained for 24 months from the date of the request to support audit of consent practices and to honor any later subject-rights request under § 9, then deleted.

Business and tax records. Receipts, supply records, bank-connection transaction records, and other business financial records the therapist creates in Miaise for tax purposes are retained for 7 years from the date of the underlying transaction or session, consistent with IRS recommended retention for Schedule C records. Therapists may request export of these records at any time and may delete individual records inside the in-app expense ledger, subject to any applicable tax-record retention obligation that is the therapist's own responsibility to honor.

Plaid bank-connection metadata. Disconnecting a financial account in the in-app banking settings removes the Plaid Item and stops further transaction imports. Historical transactions that were imported before disconnection are retained on the business-and-tax-records schedule above so that prior-year tax reporting is not disrupted.

Audit logs. PHI audit logs (recording every PHI read and write with actor, timestamp, and record identifier) are retained for a minimum of 6 years from the date of creation, consistent with the HIPAA Security Rule's documentation retention standard.

Deletion requests. Deletion requests under § 9 are processed within 45 days subject to applicable legal hold and retention obligations. Where Miaise is required to retain certain information by law, it will inform you of the reason and the applicable retention period.

13. Security

We apply a layered security program to the information Miaise stores and processes. Every therapist account requires multi-factor authentication (TOTP plus device biometric on mobile). All PHI at rest is encrypted using Firestore and Cloud Storage encryption. Data in transit uses TLS 1.3 with no protocol downgrade allowed. Access controls follow a least-privilege model, and Firestore security rules enforce row-level access so that each therapist can access only their own client records. Every PHI read and write is written to an audit log. Subprocessors with access to PHI have signed Business Associate Agreements and are listed at /security#subprocessors.

The security page at /security describes our security program in more detail. If you discover a potential security vulnerability, please report it to security@miaise.com.

14. Changes to this policy

The version number and effective date at the top of this Policy reflect when it was last updated. The version string follows the format YYYY.MM.DD.

Non-material changes. Corrections, clarifications, and updates that do not affect your rights or Miaise's data practices may be made without advance notice. The effective date will be updated.

Material changes. A material change is one that meaningfully affects how Miaise collects, uses, or shares your personal information, or that reduces your rights under this Policy. For material changes, Miaise will:

  • Send an email notice to the email address on file for each affected therapist account, at least 30 days before the change takes effect
  • Post a notice on miaise.com
  • Require therapist accounts to re-accept the updated Policy in the application before continuing to use PHI-related features

Your choices. If you disagree with a material change, you may close your account and request deletion of your data (§ 9) before the change takes effect.

15. Contact

For privacy questions, data access requests, deletion requests, and security concerns:

Email: security@miaise.com

For general inquiries:

Email: hello@miaise.com

Postal address (required by CCPA and parallel state statutes):

Deckmint LLC, doing business as Miaise
Attention: Privacy
Saint Peters, MO 63376
United States

Miaise responds to privacy and data requests submitted to security@miaise.com within 45 days. See § 9 for the full rights request process.

Version 2026.05.29. Effective May 29, 2026. Last reviewed May 29, 2026.
