Privacy Policy for Maia Labs
PRIVACY POLICY
MAIA LABS s.r.o., ID No. 17461782, with registered seat at Purkynova 649/127, Medlanky, 612 00 Brno, incorporated in the Commercial Register kept by the Regional Court in Brno under file No. C 130208 (hereinafter referred to as “we” or “MAIA LABS”),
hereby provides information on the principles and procedures it follows when processing personal data, which takes place in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).
BASIC INFORMATION
Controller: MAIA LABS s.r.o., ID No. 17461782, with registered seat at Purkynova 649/127, Medlanky, 612 00 Brno, incorporated in the Commercial Register kept by the Regional Court in Brno under file No. C 130208, contact e-mail hello@maia-labs.com.
Data Protection Officer: MAIA LABS has not appointed a Data Protection Officer, as it is not obliged to do so under Article 37 GDPR.
Transfer of personal data to a third country or international organizations: Some of our service providers may be located outside the EU/EEA or may access personal data from outside the EU/EEA (in particular the United States). In such cases, we ensure that any transfer is carried out in accordance with GDPR, in particular by relying on the European Commission’s Standard Contractual Clauses and, where necessary, supplementary measures.
Automated individual decision-making: We do not make decisions producing legal or similarly significant effects solely by automated processing within the meaning of Art. 22 GDPR. Where our services use automated processing to generate outputs, such outputs are intended as decision-support and are subject to human review and decision-making by our clients.
Nature of data provision: Where personal data are processed to comply with a legal obligation or to perform a contract, providing such data is a statutory or contractual requirement. Where personal data is processed based on your consent, providing such data is voluntary. If you do not provide data that is necessary for a contract or for responding to your request, we may not be able to provide the requested service or respond.
MAIA LABS as a Data Processor: If you are a business customer using our services and you upload or otherwise provide personal data of individuals (e.g. your patients or other end users) for processing within our services, you act as the data controller, and we act as your data processor. Such processing is governed by a data processing agreement concluded with you; the relevant contract governing the services may incorporate the substance of Article IV (MAIA LABS AS A DATA PROCESSOR, below) as the data processing agreement.
Supervisory authority: The competent data protection supervisory authority in our jurisdiction is the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, email: posta@uoou.gov.cz, tel.: +420 234 665 111. You have the right to lodge a complaint with this authority.
MAIA LABS AS PERSONAL DATA CONTROLLER
When acting as a data controller, we process personal data only to the extent necessary and for the purposes described below and retain it only for as long as needed for those purposes or as required by law.
Purpose of processing: We only collect and process personal data that is adequate and relevant for the specific purposes described below:
Visiting Our Website. When you visit our website (www.maia-labs.com), we may collect certain information about your device and your use of the site. This includes, for example, your device’s IP address and other technical information automatically logged by our web server, as well as cookies (small text files) that may be stored in your browser. This information is used to ensure the website’s functionality and security, and to analyze traffic so that we can improve the site, in line with our legitimate interests. For details on cookies, please refer to our separate Cookie Policy.
Contact and Communication. If you contact MAIA LABS via email, telephone, or other means (for example, sending us an inquiry or expressing interest in our products or collaboration), we will process the personal data you provide to us in order to respond and communicate with you. This typically includes contact details and related information such as your name, email address, phone number, company/organization, and any other information you choose to share. We use these details solely to correspond with you and to handle your request or business discussion, and we may retain the communication for our records. Processing personal data for queries or business communications is based on our legitimate interest (GDPR Art. 6(1)(f)) in responding to inquiries and developing our business relationships. Providing such data is voluntary, but if you do not provide at least basic contact information, we may not be able to respond to your inquiry.
Business Relationships and Contracts. If you or the organization you represent becomes our client or partner (for example, by engaging MAIA LABS for a project or purchasing our products/services), we will process personal data as needed to negotiate and perform the contract. This may include identification and contact information of the client’s representatives or signatories (such as name, job title, business email, phone) and any other personal data necessary for the contractual relationship (e.g. for billing or legal compliance). We process these data for the purpose of entering into and fulfilling the contract (GDPR Art. 6(1)(b)) and to meet our legal obligations (Art. 6(1)(c), such as accounting and tax requirements). If a contract is not ultimately concluded, we may retain relevant correspondence or proposal information for a limited period.
Legal Basis for Processing: MAIA LABS processes personal data only when there is a valid legal basis under the GDPR. Depending on the context, one or more of the following legal bases may apply:
Performance of a Contract (Art. 6(1)(b) GDPR). We process personal data when necessary to negotiate or perform a contract with you (or your organization), including pre-contractual communications and fulfilling our contractual obligations (for instance, processing data of a business partner to deliver our services).
Legal Obligation (Art. 6(1)(c) GDPR): Some processing is necessary for us to comply with our legal obligations. For example, we must retain certain transaction records for accounting and tax purposes or provide information to authorities if required by law.
Legitimate Interests (Art. 6(1)(f) GDPR). We process personal data as needed for the legitimate interests of our company, provided such interests are not overridden by your rights and freedoms. This includes responding to inquiries and business communications, improving our website and services, ensuring IT security, and defending our legal claims. When relying on legitimate interests, we consider and balance any potential impact on your rights. You have the right to object to processing based on our legitimate interests.
Consent (Art. 6(1)(a) GDPR). As of now, we generally do not rely on consent for processing your data, except in relation to cookies or similar technologies (governed by our Cookie Policy) or specific situations where you are explicitly asked for consent. If we ever ask for and rely on your consent, you have the right to withdraw it at any time, and we will process your data for that purpose only for as long as your consent remains in effect.
Data Retention: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with applicable legal requirements. The retention periods depend on the context and purposes of processing, as outlined below:
Website usage data. Information such as server logs or analytics data is kept for a short period needed for security monitoring and analysis. Typically, raw visit logs are retained for only a few weeks or months, unless a security review requires longer retention. Aggregated data (which does not directly identify individuals) may be kept longer for statistical purposes.
Inquiries and correspondence. If you contact us with a question, request, or potential business opportunity, we will retain your communication and contact details for the time needed to respond and handle the matter, and for an appropriate period thereafter. Generally, we do not keep such communications longer than 4–5 years from the date of our last interaction regarding that matter. This allows us to maintain business continuity and refer to past communications if you contact us again, while also considering relevant statutes of limitation for legal claims. If the nature of the inquiry could have legal significance, we may retain it for a longer period as needed to protect our legitimate interests.
Contracts and business data. For clients or partners with whom we have a contract, we retain personal data that is part of the contract documentation or transaction records for the duration of the contract and a defined period after its termination. Typically, after a contract ends, relevant data is archived for up to 5 years. This retention period covers legal limitation periods and our business record-keeping needs. Data processed to fulfill legal obligations (e.g. accounting records) will be retained for the period required by law (which in some cases, such as tax or accounting legislation, may be 5 to 10 years or more).
Legal requirements and disputes. Notwithstanding the above, if we are required by law to retain certain data for a longer period, or if the data is needed for the establishment, exercise or defense of legal claims, we will retain the data for as long as necessary to fulfill such requirements. In these cases, access to the data will be restricted to the specific purpose (compliance or legal claims).
After the applicable retention period expires, or upon a justified request for deletion, we will either securely delete the personal data or anonymize it so that it can no longer be associated with an identified individual.
Special categories of personal data: Where MAIA LABS acts as a data controller, we do not process special categories of personal data as defined in Article 9(1) GDPR (such as health data, biometric data for identification purposes, genetic data, etc.) unless a condition under Article 9(2) GDPR applies and appropriate safeguards are in place. Where MAIA LABS acts as a data processor (see Article IV, MAIA LABS AS A DATA PROCESSOR, below), the customer (controller) is responsible for determining the applicable legal basis under Article 6 GDPR and the relevant condition under Article 9(2) GDPR (if applicable), and MAIA LABS processes such data solely on the controller's documented instructions under Article 28 GDPR.
DATA SHARING AND RECIPIENTS
MAIA LABS respects the confidentiality of your personal data. We do not sell or rent personal data to any third parties for their own marketing or other independent use. In general, we disclose personal data to third parties only in the following circumstances:
Service Providers (Processors). Your personal data may be shared with third-party service providers that process data strictly on our behalf and under our instructions (known as data processors). These providers help us operate our business and website – for example, companies providing website hosting, email services, cloud storage, or IT support. When we use processors, it is always on the basis of a data processing agreement that ensures your data is protected. Such processors are bound to confidentiality and to protect personal data with appropriate technical and organizational measures, and they cannot use your data for any other purpose than to provide services to MAIA LABS. Examples of processors we may use include our web hosting company and email service provider.
Affiliates. At present, MAIA LABS does not have any parent or subsidiary companies to which personal data is regularly disclosed. If this changes (e.g. internal group sharing), we will update this Policy accordingly.
Legal Compliance. We may disclose personal data to government authorities, regulatory bodies, law enforcement or courts if required to do so by law or a binding order. For example, we might have to provide information to the data protection authority or respond to lawful requests during an investigation. We may also disclose data as necessary to meet our reporting obligations or to enforce our legal rights or protect our operations (for instance, to external advisors or courts in the context of a legal dispute).
International data transfers: We generally prefer that personal data is stored and processed within the EU/EEA. Where personal data is transferred outside the European Union or the European Economic Area, MAIA LABS ensures that such transfers are subject to appropriate safeguards in accordance with applicable data protection laws, in particular through standard contractual clauses approved by the European Commission or other lawful transfer mechanisms.
MAIA LABS AS A DATA PROCESSOR
In certain cases, MAIA LABS processes personal data on behalf of its business customers, in particular healthcare providers or other professional users of MAIA LABS’ services. In such cases, MAIA LABS acts as a data processor, while the customer acts as the data controller within the meaning of the GDPR. This section provides a description of our processing activities as a data processor. As a standard practice, where we process patient identifiers or other personal data on behalf of a customer, such data is processed only for the duration necessary to deliver the agreed services and is deleted or anonymized after completion of the relevant processing task (typically within 24–48 hours), unless a different period is agreed with the customer or required by law.
MAIA LABS processes such personal data solely for the purpose of providing the agreed services and strictly in accordance with the documented instructions of the customer. Processing is limited to the scope and duration necessary to deliver the services. MAIA LABS ensures that:
personal data is processed only on documented instructions from the controller;
persons authorized to process personal data are bound by confidentiality obligations;
appropriate technical and organizational measures are implemented to ensure a level of security appropriate to the risk;
personal data breaches affecting processed data are notified to the controller without undue delay;
personal data is deleted or returned to the controller upon completion or termination of the services, unless retention is required by applicable law;
sub-processors, if engaged, are subject to data protection obligations no less protective than those applicable to MAIA LABS.
Where required by applicable data protection laws, the processing of personal data on behalf of customers is governed by a data processing agreement (DPA) concluded between MAIA LABS and the respective customer in accordance with Article 28 GDPR. The relevant contract governing the provision of the services may incorporate the substance of this Article as the data processing agreement, instead of a separate standalone DPA.
The customer (as data controller) is responsible for determining the legal basis for processing, including any conditions under Articles 6 and 9 GDPR, and for providing the required information to data subjects under Articles 13/14 GDPR.
DATA SECURITY
MAIA LABS takes appropriate technical and organizational measures to ensure a level of security appropriate to the risk of our processing activities. We protect personal data against unauthorized or unlawful access, alteration, disclosure, or destruction. Technical safeguards include, for example, secure network architectures, encryption of data (where applicable), and up-to-date security software to prevent unauthorized access. Organizational safeguards include internal policies and training for employees on data protection, and access to personal data is restricted to personnel who need it for their job (need-to-know basis). These internal rules and measures are confidential for security reasons.
If we use third-party data centers or cloud services, we take steps to ensure they also implement appropriate security measures. We prefer to keep personal data on servers located in the European Union or in countries with equivalent data protection standards. If we ever need to transfer or store data outside of such areas, we will ensure it is protected in compliance with GDPR (for example, by using approved contractual clauses).
While we strive to protect your data, no system is 100% secure. In the unlikely event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by Article 34 GDPR. We also maintain a procedure for notifying the competent supervisory authority of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, in line with Article 33 GDPR.
YOUR RIGHTS
As a data subject, you have certain rights regarding your personal data under the GDPR. Below is an overview of these rights. Please note that their applicability may depend on the circumstances and certain legal exceptions. If you wish to exercise any of these rights, you can contact us at hello@maia-labs.com. We will respond to your request without undue delay and at the latest within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests, and we will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Exercising your rights is free of charge. However, if requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request, as permitted by Article 12(5) GDPR.
Your rights include:
Right of Access (Article 15 GDPR). You have the right to obtain confirmation as to whether or not we are processing personal data concerning you, and if so, to request access to that data. This means you can ask us to provide a copy of the personal data we hold about you, as well as information on how we use it, who we share it with, how long we store it, and the purposes of processing. If you require additional copies, we may charge a reasonable fee based on administrative costs.
Right to Rectification (Article 16 GDPR). If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it without undue delay. We encourage you to keep us informed of any changes to your personal data so we can ensure it remains accurate.
Right to Erasure (Article 17 GDPR). You have the right to request the deletion of your personal data without undue delay in certain circumstances. This right applies, for example, if the data is no longer necessary for the purposes for which it was collected, if you withdraw consent (and no other legal basis applies), or if you object to processing and we have no overriding legitimate grounds to continue. Please note that this right is not absolute – we may not delete your data to the extent processing remains necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims, among other exceptions provided by law.
Right to Restriction of Processing (Article 18 GDPR). You have the right to request that we restrict (temporarily halt) the processing of your personal data under certain conditions. This might apply if you contest the accuracy of your data (for a period allowing us to verify it), if the processing is unlawful but you prefer restriction over erasure, if we no longer need the data but you need it for legal claims, or if you have objected to processing and verification of our legitimate grounds is pending. While processing is restricted, the data will only be stored and not further processed (except to the extent allowed by you or as necessary for legal reasons).
Right to Data Portability (Article 20 GDPR). In cases where we process your personal data by automated means based on your consent or on a contract with you, you have the right to obtain the data you provided to us in a structured, commonly used, machine-readable format and to have that data transmitted to another controller (if technically feasible). In practice, this right mainly applies to data you actively provided and that is processed by automated systems.
Right to Object to Processing (Article 21 GDPR). You have the right to object, on grounds relating to your particular situation, to any processing of your personal data that we carry out based on our legitimate interests (Art. 6(1)(f)). If you raise such an objection, we will reconsider the processing and will no longer process your personal data for that purpose unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or unless the processing is for the establishment, exercise or defense of legal claims.
Right to Object to Direct Marketing (Article 21(2) GDPR). If your personal data is processed for direct marketing purposes (such as receiving promotional emails), you have the right to object at any time to such processing. If you exercise this right, we will stop using your personal data for direct marketing immediately and without any conditions. (Note: Currently, MAIA LABS does not send out broad marketing communications; if you are receiving any newsletters or updates from us, it is on the basis of either our legitimate interest in B2B relationships or your consent, and you can opt out at any time.)
Right not to be Subject to Automated Decision-Making (Article 22 GDPR). You have the right to not be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. As noted above, MAIA LABS does not engage in such automated decision-making in its processing of personal data.
Right to Withdraw Consent. In cases where we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted based on your consent before its withdrawal. If you withdraw consent, we will stop the processing that was based on it (unless another legal basis applies).
Right to Lodge a Complaint. If you believe we have processed your personal data unlawfully or violated your rights, you have the right to file a complaint with the supervisory authority. In the Czech Republic, this is Úřad pro ochranu osobních údajů (ÚOOÚ). We would, however, appreciate the chance to address your concerns directly before you approach the authority – you can contact us at any time to discuss any issues, and we will do our best to resolve them.
MAIA LABS will not discriminate against or penalize you for exercising any of these rights. We are committed to upholding your rights and complying with our obligations under data protection laws.
COOKIE POLICY
MAIA LABS uses cookies and similar technologies on its website. The rules for the use of cookies, including information about the types of cookies used, their purpose, and options to manage or withdraw consent, are set out in a separate document available at https://maia-labs.com/cookie-policy.
FINAL PROVISIONS
This Policy aims to provide you with transparent information about our processing of your personal data. However, it does not contain an exhaustive list of all details. We will be happy to provide you with any additional information if you are interested in anything specific - just contact us.
The current version of this Policy is available on our website at www.maia-labs.com. This Policy may be updated from time to time to reflect changes in our processes or legislative developments. We will inform you about significant changes by posting a notice on the website (and, where feasible, also by email).
Validity: This version of the Privacy Policy is effective from January 1, 2026.