Privacy Policy

Last Updated: March 13, 2026

Introduction

MAON Intelligence ("MAON," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI Therapist application and related services (collectively, the "Service").

By using MAON, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

Information We Collect

1. Biometric and Biosignal Data

When you connect a wearable device to MAON, we may collect the following types of biometric data:

  • Heart rate and heart rate variability (HRV)
  • Sleep patterns and sleep stages
  • Activity and movement data
  • Stress indicators and physiological signals
  • Body temperature variations
  • Respiratory rate
  • Other sensor data from supported devices (Apple Watch, Galaxy Watch, Fitbit, Bangle.js 2)

2. App Usage and Screen Time Data

With your permission, we collect information about your digital habits through screen time APIs:

  • App usage patterns and frequency
  • Screen time duration and schedules
  • App categories you interact with
  • Device pickup frequency
  • Notification patterns (aggregate, not content)

3. Information You Provide

  • Account information (email address, name, phone number)
  • Device preferences and settings
  • Mood check-ins and self-reported data
  • Responses to prompts and interventions
  • Feedback and communications with us

4. Phone Number and Communications Data

If you opt in to receive SMS or voice communications from MAON, we collect:

  • Your phone number
  • SMS and voice communication logs (timestamps, delivery status)
  • Your communication preferences and opt-in/opt-out status

5. Automatically Collected Information

  • Device type, operating system, and version
  • IP address and general location (country/region)
  • App performance and crash data
  • Usage analytics (features used, session duration)

6. Google Calendar Data

If you choose to connect your Google Calendar account to MAON, we access and may modify your calendar data through the Google Calendar API. The scope of access includes the ability to see, edit, share, and permanently delete all calendars you can access using Google Calendar. Specifically, we may read and interact with:

  • Calendar event titles, dates, times, and durations
  • Event frequency and scheduling patterns
  • Free/busy status across all your calendars
  • Calendar metadata (names, sharing settings) necessary to place wellness events in the right calendar

We use this access to correlate your calendar data with biometric signals from your wearable (such as stress levels, heart rate variability, and sleep quality) in order to identify patterns — for example, how meeting density or schedule gaps relate to physiological stress markers. This analysis powers personalized wellness recommendations to help you optimize your daily routines.

With your explicit consent, MAON may also create, modify, or delete calendar events on your behalf — for example, adding a recovery block after a high-stress period or removing a suggested event you no longer need. You will always be asked before any calendar write or delete action is taken. You can revoke calendar access at any time through your account settings.

How We Use Your Information

We use the information we collect to:

  • Provide personalized insights: Analyze your biometric and behavioral data to identify emotional patterns and provide relevant support
  • Deliver interventions: Offer timely, supportive suggestions based on detected patterns in your data
  • Improve our Service: Understand how users interact with MAON to enhance features and user experience
  • Communicate with you: Send service-related notifications, updates, reminders, and wellness check-ins via SMS, voice, or push notifications
  • Verify your identity: Send one-time verification codes (OTP) via SMS during account registration and login to confirm your identity
  • Ensure security: Detect and prevent fraud, abuse, and security incidents
  • Research and development: Develop new features and improve our AI models using aggregated, de-identified data
  • Calendar-based insights: Correlate your Google Calendar data with biometric signals from your wearable to identify how scheduling patterns (meeting density, schedule gaps) relate to physiological stress markers, and — with your explicit consent — suggest or create calendar adjustments such as recovery blocks to help you optimize your wellbeing

How We Share Your Information

We do not sell your personal data. We may share your information only in the following circumstances:

  • Service providers: We work with trusted third parties who help us operate our Service (cloud hosting, analytics, customer support, and communications platforms such as Twilio for SMS and voice services). These providers are bound by confidentiality obligations and process your data only on our behalf. Google Calendar data is not shared with any third-party service providers except as necessary to provide the core functionality described in this policy.
  • With your consent: We may share data when you explicitly authorize us to do so.
  • Legal requirements: We may disclose information if required by law, court order, or government request.
  • Safety: We may share information if we believe it's necessary to prevent harm to you or others.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256
  • Secure authentication and access controls
  • Regular security audits and monitoring
  • Employee access limited on a need-to-know basis

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our Service. You may request deletion of your data at any time. Upon account deletion, we will remove or anonymize your personal data within 30 days, except where retention is required by law.

Google Calendar data is retained only for as long as necessary to provide you with calendar-based wellness insights. If you disconnect your Google Calendar account or revoke access, we will delete all stored Google Calendar data within 30 days.

Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data
  • Portability: Request your data in a portable format
  • Opt-out: Opt out of certain data processing activities
  • Withdraw consent: Withdraw previously given consent at any time

To exercise these rights, please contact us at lks@maonhealth.com or daniel.lee@maonhealth.com.

Health Information Disclaimer

MAON is a consumer wellness application, not a healthcare provider. We are not a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act (HIPAA). This means HIPAA regulations do not apply to the data we collect.

However, we treat your health-related data with the highest level of care and apply robust security measures that meet or exceed industry standards for protecting sensitive health information.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect and how it's used
  • Right to delete your personal information
  • Right to opt out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your privacy rights
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information

International Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the General Data Protection Regulation (GDPR). Our legal bases for processing include:

  • Consent: For biometric data and sensitive health information
  • Contract: To provide the Service you requested
  • Legitimate interests: To improve our Service and ensure security

You may also lodge a complaint with your local data protection authority.

SMS and Voice Communications

Phone Verification (OTP)

During account registration and login, we send one-time verification codes (OTP) via SMS to the phone number you provide. These messages are sent through Auth0's phone verification flow, which uses Twilio as the underlying delivery provider. The sole purpose of these messages is to verify your identity, and no marketing content is included. By providing your phone number during sign-up, you consent to receiving these verification messages. Standard message and data rates may apply.

Optional Wellness Communications

If you separately opt in to receive additional SMS or voice communications from MAON, you may also receive:

  • Wellness check-ins and reminders
  • Service notifications and account alerts
  • AI-generated supportive interventions

Message frequency varies. Message and data rates may apply. You can opt out of wellness communications at any time by replying STOP to any SMS message or by adjusting your communication preferences in the app. Reply HELP for assistance. Opting out of wellness communications does not affect verification messages required for account security.

When we send you SMS or voice communications, your phone number and message data are processed by Twilio in accordance with Twilio's Privacy Policy. We do not share your phone number with third parties for marketing purposes.

Your consent to receive optional wellness communications is not a condition of using the Service. However, phone number verification via OTP is required to create and access your account.

Google API Services User Data Policy

MAON's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

How We Access Google Calendar Data

When you connect your Google Calendar account to MAON, we request access through Google's OAuth 2.0 authorization flow. You will be prompted by Google to explicitly grant MAON permission before any data is accessed or modified. We request the scope necessary to read your calendar events for biometric-correlation analysis and, with your separate in-app consent, to create or modify events (such as wellness blocks) on your behalf. This broader access is required because schedule adjustments — adding recovery time, rescheduling suggested events — involve write and delete operations across your calendars.

How We Use Google Calendar Data

We use your Google Calendar data exclusively to:

  • Correlate calendar events (meeting density, schedule gaps, recurring commitments) with biometric signals from your wearable — such as stress levels, heart rate variability, and sleep quality — to identify patterns that affect your wellbeing
  • Provide personalized wellness recommendations based on how your schedule relates to your physiological state (e.g., flagging high-stress meeting blocks, identifying recovery opportunities)
  • Analyze scheduling patterns to detect signs of overwork, burnout, or insufficient rest
  • With your explicit in-app consent, suggest or create calendar adjustments — such as adding recovery blocks after high-stress periods or rescheduling conflicting commitments — to help you optimize your daily routines
  • Remove or modify calendar events that MAON previously created on your behalf, when you request it

We do not use Google Calendar data for:

  • Serving advertisements or targeting ads
  • Selling or sharing data with third parties for their own purposes
  • Training generalized AI or machine learning models unrelated to your personal wellness insights
  • Reading event descriptions, attendee details, or private notes unless explicitly displayed to you within the app
  • Any purpose other than providing and improving the MAON wellness features described in this policy

How We Store and Protect Google Calendar Data

All Google Calendar data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to this data is strictly limited to the systems and personnel necessary to provide the Service. We do not store raw calendar data longer than necessary to generate your wellness insights.

How We Share Google Calendar Data

We do not sell, rent, or share your Google Calendar data with any third parties, except:

  • With your explicit consent
  • As necessary to comply with applicable law, regulation, or legal process
  • To protect the safety, rights, or property of MAON, our users, or the public

Limited Use Disclosure

Notwithstanding anything else in this Privacy Policy, MAON's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google Calendar data to provide and improve user-facing features that are prominent in the MAON application's user interface
  • We do not transfer Google Calendar data to third parties unless necessary to provide or improve user-facing features, as required by law, or with the user's affirmative consent
  • We do not use Google Calendar data for serving advertisements
  • Humans do not read Google Calendar data unless we have your affirmative consent, it is necessary for security purposes, to comply with applicable law, or our use is limited to internal operations with data that has been aggregated and anonymized

Revoking Access

You can disconnect your Google Calendar from MAON at any time through your account settings in the app or by visiting your Google Account permissions page. Upon revocation, we will stop accessing your Google Calendar data and delete all stored Google Calendar data within 30 days.

Children's Privacy

MAON is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. We encourage you to review this policy periodically.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: