Privacy Policy

Miaise is a mobile and web software service for licensed massage therapists ("LMTs") and adjacent licensed bodywork professionals in the United States. The service is available at miaise.com and through iOS and Android apps currently in development. Miaise is operated by Deckmint LLC, a Missouri limited liability company doing business as Miaise.

This Privacy Policy ("Policy") applies to:

• miaise.com and all subdomains
• The Miaise iOS and Android applications
• Any other Miaise-branded interface or API

This Policy does not apply to third-party websites, products, or services that Miaise links to. Those parties have their own privacy practices.

If you have questions about this Policy, see § 15 for contact information.

This section is a plain-language summary required by the California Consumer Privacy Act ("CCPA") and parallel state statutes. It describes, at the point of collection, what personal information Miaise collects and why. The full details appear in § 3 through § 5.

What Miaise collects and why, in plain terms:

• Waitlist and signup forms: name, email address, US state, optional license number, tools you currently use, approximate monthly visit volume, optional practice context, and technical data (IP address, browser or device type, referring URL). Collected to understand who is interested in Miaise and to send product updates.
• Therapist accounts: name, email, phone number, state, license credential, professional liability insurance details, multi-factor authentication enrollment metadata, app version, and error reports. Collected to verify professional credentials, operate the account, and maintain service reliability.
• Client records entered by therapists: health and demographic information for each client, session records, SOAP notes, and related data. This information is protected health information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA"). Miaise stores PHI as a Business Associate (see § 6). Miaise does not collect this information directly from clients.

Miaise does not sell personal information. Miaise does not share personal information for cross-context behavioral advertising. Miaise does not use sensitive personal information for purposes beyond what is listed in § 4.

Global Privacy Control ("GPC"): Miaise currently uses no tracking cookies or behavioral advertising. GPC signals are recognized and result in no additional action because there is nothing to opt out of in the current configuration. If that changes, this Policy will be updated before the change takes effect.

Categories of third parties who receive personal information: cloud infrastructure providers, payment processors, and professional credential verification services. See § 5 for the full list.

Miaise collects different information depending on your relationship with the service. The subsections below describe each group. Information about clients of therapists (§ 3.3) is PHI subject to HIPAA and is handled under the Business Associate framework described in § 6.

Visitors and waitlist signups. Miaise uses information collected from visitors and signups to:

• Send product updates, launch announcements, and educational content you have opted into
• Understand the professional makeup and geographic distribution of interested users to guide product development
• Diagnose technical problems with miaise.com
• Comply with legal obligations

You may unsubscribe from waitlist emails at any time using the link in any email. Unsubscribing removes you from marketing communications but does not delete your record. To request deletion, see § 9.

Therapist accounts. Miaise uses therapist account information to:

• Verify professional credentials before granting PHI access
• Operate, maintain, and improve the Miaise service
• Send service notices (billing, security alerts, policy updates)
• Respond to support requests
• Detect and prevent fraud or unauthorized access
• Comply with legal obligations

Client PHI. Miaise uses client PHI only to:

• Provide the features of the practice tool to the therapist who entered the records
• Generate AI-assisted SOAP draft notes and contraindication signals as directed by the therapist (see § 7)
• Maintain audit logs required by HIPAA
• Respond to verified legal process directed at a specific therapist's records

Miaise does not use client PHI for advertising, product analytics, or model training. See § 7 for AI-specific processing disclosures.

Legal bases (where applicable). For users subject to state privacy laws with explicit legal basis requirements: processing of visitor and therapist account information is based on performance of a contract (account operation), legitimate interests (fraud prevention, service improvement), and legal obligation. Processing of PHI is based on the Business Associate relationship and HIPAA authorization framework described in § 6.

Miaise does not sell personal information. Miaise does not share personal information for cross-context behavioral advertising. Miaise shares information only as described below.

Infrastructure and core services. Miaise uses cloud subprocessors to store and process data on its behalf. All subprocessors with access to PHI have signed Business Associate Agreements with Miaise. The current named subprocessor list, including the specific services each provides, is published at /security#subprocessors.

Categories of subprocessors include:

• Cloud infrastructure providers (application hosting, database, file storage, authentication, secret management, logging)
• AI inference providers (SOAP note drafting, contraindication evaluation)
• Voice transcription and text-to-speech services
• SMS and email delivery services
• Server-side geocoding (address-to-coordinate conversion; PHI suppression is applied before any address is sent)
• Professional credential verification (license validation at onboarding)

Payment processing. Miaise uses Stripe for subscription billing and, in the future, marketplace payment processing. Stripe operates under HIPAA's payment-processing exemption. PHI is architecturally fenced out of all Stripe data fields by a typed schema gate applied to every Stripe API call. Stripe's own privacy policy governs its processing of payment data.

Legal process. Miaise may disclose information when required to do so by valid legal process (subpoena, court order, government demand), to the extent permitted by law. Where the law permits, Miaise will attempt to notify affected therapists before complying with a demand directed at their records.

Business transfers. If Deckmint LLC is acquired, merged, or substantially all of its assets are transferred, personal information held by Miaise may be transferred as part of that transaction. Miaise will provide notice of any material change in data controller identity through the process in § 14.

No other sharing. Miaise does not share personal information with data brokers, advertisers, analytics platforms, or social networks.

HIPAA Business Associate status. Miaise operates as a Business Associate ("BA") under HIPAA with respect to PHI that therapists store in the practice tool. Each therapist (a "Covered Entity" under HIPAA) signs a Business Associate Agreement with Miaise at onboarding. PHI access is gated by a custom account claim that is set only after the BAA is accepted and the therapist's license credential is verified. This gate is enforced in Firestore security rules and is not bypassable through the application interface.

What Miaise does as a Business Associate. Under the BAA, Miaise:

• Stores and processes PHI only for the purposes described in the BAA and this Policy
• Applies the security safeguards described in § 13 and at /security
• Maintains audit logs of every PHI read and write (see § 3.3)
• Reports to the affected therapist any breach of unsecured PHI within the time frames required by the HIPAA Breach Notification Rule and the FTC Health Breach Notification Rule (see below)
• Does not use PHI for purposes beyond those permitted under the BAA
• Supports therapists in honoring patient rights requests (access, amendment, accounting of disclosures) as required by HIPAA

Therapist obligations as Covered Entity. Therapists are responsible for:

• Obtaining all necessary authorizations and consents from clients before entering their PHI into Miaise
• Providing clients with a Notice of Privacy Practices ("NPP") as required by HIPAA
• Responding to client requests for access, amendment, or accounting of disclosures using records stored in Miaise (Miaise provides data export to support this)
• Maintaining any state-law record retention obligations applicable to their practice

Notice of Privacy Practices. A Miaise-perspective NPP describing the Business Associate relationship is presented to therapists in the application at onboarding and is available within the Miaise app at any time from account settings. The therapist's own client-facing NPP is a separate document the therapist posts in their own practice; that responsibility lies with the therapist, not with Miaise.

FTC Health Breach Notification Rule. The FTC's Health Breach Notification Rule (as expanded effective July 2024) applies to personal health record vendors and related entities. In the event of a breach of unsecured individually identifiable health information affecting 500 or more individuals, Miaise will notify affected individuals within 60 days, notify the FTC, and (where required) notify prominent media outlets in affected states. Breaches affecting fewer than 500 individuals will be reported to the FTC on the annual log schedule.

Consumer health data laws. Certain state laws treat health-adjacent data as consumer health data even outside the HIPAA framework (see § 10.2, § 10.3, § 10.4). Miaise's PHI suppression practices and data minimization approach are designed to satisfy those statutes in addition to HIPAA.

Where AI is used. Miaise uses artificial intelligence in two features of the practice tool:

1. SOAP draft generation: A therapist may choose to record audio during or after a session. The audio is transcribed using AWS Transcribe Medical. The transcript is then sent to the Claude Sonnet 4.6 large language model, operated by Anthropic via AWS Bedrock, to generate a structured draft SOAP note (subjective, objective, assessment, plan). The therapist reviews, edits, and signs the final SOAP note. No SOAP note is filed without the therapist on the record as the responsible author.

1. Contraindication signaling: When intake responses are entered or updated, Miaise evaluates them against a rules-based contraindication catalog and applies an AI-assisted reading of free-text narrative fields. The therapist sees any flags surfaced by this evaluation and decides how to act on them. The system does not make clinical decisions or take autonomous action.

Therapist on the record. For every AI-assisted artifact, Miaise records the model identifier, the generation timestamp, and the therapist's acceptance or sign-off. This record is part of the permanent session record.

Training data posture. Miaise does not contribute PHI or any Miaise user data to AI model training. AWS Bedrock and Google Cloud Vertex AI are configured with customer data not used for base model training, consistent with their respective BAA and service terms. California AB 2013, effective January 1, 2026, requires transparency about training data for generative AI systems deployed to consumers. Miaise's AI features use third-party foundation models; training data disclosures for those models are published by their respective developers (Anthropic for Claude, Google for Vertex AI models).

Colorado AI Act (effective June 30, 2026). The Colorado AI Act requires developers and deployers of high-risk AI systems to disclose certain information and take steps to minimize the risk of algorithmic discrimination. Miaise's contraindication evaluation feature involves automated processing that informs (but does not replace) a licensed professional's judgment. Miaise will publish its Colorado AI Act disclosure before the June 30, 2026 enforcement date and will update it as features evolve.

Utah AI Disclosure Act. Amendments effective May 2025 require disclosure when generative AI is used in customer-facing interactions. Where a Miaise interface surface uses generative AI to produce text that a user sees, that surface is labeled with a disclosure identifying it as AI-assisted. The SOAP draft interface carries this label.

No fully automated decisions. No Miaise AI feature makes a final decision that significantly affects a client without a therapist reviewing and acting on the output. Therapists may disable AI features in account settings.

Current state: essential cookies only. Miaise currently uses cookies only for session authentication on miaise.com. No analytics cookies, advertising cookies, or behavioral tracking pixels are deployed.

What "essential" means here. Essential cookies maintain your logged-in state during a browser session. Without them, the application cannot function. These cookies are not used to track you across other websites.

No analytics platforms. Miaise does not load Google Analytics, Mixpanel, Segment, Meta Pixel, or similar third-party analytics or advertising scripts on miaise.com or in the mobile apps.

Global Privacy Control. Because we do not engage in the sale or sharing of personal information through cookies or tracking technologies, GPC signals received by miaise.com are honored trivially: there is no cross-site tracking to opt out of. If we add any such technology in the future, we will update this section, provide advance notice per § 14, and make sure GPC signals trigger the appropriate opt-out before any new technology goes live.

Local storage on mobile. The Miaise mobile apps use device local storage and secure on-device keychain for session tokens and offline cache. This data stays on your device and is not shared with third parties.

You have the following rights over personal information Miaise holds about you. These rights apply to visitors, waitlist signups, and therapist account holders. Rights over client PHI are governed by HIPAA and must be directed to the therapist who holds that record (see § 6).

Access. You may request a copy of the personal information Miaise holds about you.

Correction. You may request that Miaise correct inaccurate personal information.

Deletion. You may request that Miaise delete your personal information. Deletion of a therapist account is subject to HIPAA record retention requirements (§ 12) and any state-law retention period applicable to the therapist's practice.

Portability. You may request your personal information in a structured, commonly used, machine-readable format.

Restriction. You may request that Miaise restrict processing of your personal information in certain circumstances (for example, while a correction request is pending).

Opt-out of marketing. You may opt out of marketing emails at any time using the unsubscribe link in any Miaise email. Transactional and security notices are not subject to opt-out while your account is active.

Account deletion endpoint. Consistent with Apple App Store Guideline 5.1.1(v), therapists may delete their Miaise account directly from within the mobile application. The deletion flow is accessible from account settings. A web-based deletion landing page is also available at /account/delete.

How to submit a request. Send privacy and data requests to security@miaise.com (see § 15). Include your name, the email address associated with your Miaise record, and a description of what you are requesting. Miaise will verify your identity before acting on any access, correction, deletion, or portability request. Verification may involve confirming information you provided when you signed up.

Response time. Miaise will respond to verifiable requests within 45 days. Where additional time is reasonably necessary (up to an additional 45 days), Miaise will notify you of the extension within the initial 45-day period. No fee is charged for a first request in any 12-month period.

Appeals. If Miaise declines to act on your request, you will receive a written explanation. You may appeal the decision by replying to that explanation. If your appeal is denied, you will receive instructions for escalating to the relevant state attorney general or data protection authority.

Non-discrimination. Miaise will not discriminate against you for exercising any right described in this section.

Federal and state privacy laws grant additional rights depending on your state of residence. The subsections below address the most significant state frameworks. If your state is not listed by name, see § 10.5.

Miaise is not directed to children. The Miaise service is designed for licensed professionals. Miaise does not knowingly collect personal information from individuals under the age of 13. If Miaise becomes aware that it has collected personal information from a child under 13 without verifiable parental consent, it will delete that information promptly.

Minor clients in therapist records. Therapists may enter records for minor clients as part of their professional practice. These records are entered by the therapist in their capacity as a licensed professional, and the therapist is responsible for obtaining all required consents from the parent or legal guardian of the minor client before entering that information into Miaise. Miaise stores these records as PHI under the Business Associate framework (§ 6) and applies the same safeguards as it does to all PHI.

If you have reason to believe that Miaise has collected personal information from a child under 13 without parental consent, please contact Miaise at security@miaise.com (§ 15).

Waitlist and visitor records. Information collected from visitors and waitlist signups is retained for 90 days from collection, after which it is deleted, unless you have created a therapist account or have requested earlier deletion under § 9. If you unsubscribe from waitlist emails, your record is removed from the marketing list but the underlying contact record is retained for the 90-day period to maintain suppression (so you are not re-added by a duplicate submission) and then deleted.

Therapist account records. Therapist account records are retained for the duration of the active account. After account closure, Miaise retains the minimum account metadata necessary to comply with applicable law and resolve disputes for a period of no more than three years, unless a longer period is required by law. Professional liability insurance records may be retained longer to document the credential verification that occurred during the account relationship.

Client PHI. Client PHI is retained for the period required by the HIPAA medical record retention standard and any applicable state medical record retention law. Many states require retention of adult patient records for a minimum of 7 years from the date of last service, and minor patient records for a minimum of 7 years from the date of last service or until the patient reaches the age of majority plus the applicable adult retention period, whichever is longer. Miaise applies the most conservative applicable retention period as a default. Therapists may request export of PHI records before account closure and are responsible for their own retention obligations as Covered Entities.

Audit logs. PHI audit logs (recording every PHI read and write with actor, timestamp, and record identifier) are retained for a minimum of 6 years from the date of creation, consistent with the HIPAA Security Rule's documentation retention standard.

Deletion requests. Deletion requests under § 9 are processed within 45 days subject to applicable legal hold and retention obligations. Where Miaise is required to retain certain information by law, it will inform you of the reason and the applicable retention period.

We apply a layered security program to the information Miaise stores and processes. Every therapist account requires multi-factor authentication (TOTP plus device biometric on mobile). All PHI at rest is encrypted using Firestore and Cloud Storage encryption. Data in transit uses TLS 1.3 with no protocol downgrade allowed. Access controls follow a least-privilege model, and Firestore security rules enforce row-level access so that each therapist can access only their own client records. Every PHI read and write is written to an audit log. Subprocessors with access to PHI have signed Business Associate Agreements and are listed at /security#subprocessors.

The security page at /security describes our security program in more detail. If you discover a potential security vulnerability, please report it to security@miaise.com.

The version number and effective date at the top of this Policy reflect when it was last updated. The version string follows the format YYYY.MM.DD.

Non-material changes. Corrections, clarifications, and updates that do not affect your rights or Miaise's data practices may be made without advance notice. The effective date will be updated.

Material changes. A material change is one that meaningfully affects how Miaise collects, uses, or shares your personal information, or that reduces your rights under this Policy. For material changes, Miaise will:

• Send an email notice to the email address on file for each affected therapist account, at least 30 days before the change takes effect
• Post a notice on miaise.com
• Require therapist accounts to re-accept the updated Policy in the application before continuing to use PHI-related features

Your choices. If you disagree with a material change, you may close your account and request deletion of your data (§ 9) before the change takes effect.

For privacy questions, data access requests, deletion requests, and security concerns:

Email: security@miaise.com

For general inquiries:

Email: hello@miaise.com

Postal address (required by CCPA and parallel state statutes):

Deckmint LLC, doing business as Miaise Attention: Privacy Saint Peters, MO 63376 United States

Miaise responds to privacy and data requests submitted to security@miaise.com within 45 days. See § 9 for the full rights request process.