
Privacy policy. Plain English.

We run a HIPAA-grade billing platform. Most of the data flowing through us is Protected Health Information (PHI) belonging to your patients, not to us. This page explains what we collect, how we use it, who we share it with, and what you can ask us to do with it.

Last updated: 2026-05-17 · Contact: sriram@getmaxrcm.com · Entity: GetMax Healthcare Solutions Pvt Ltd

Read this first

This is a summary, not a contract. Plain-English description of how we run the platform and handle your data. The authoritative documents — Master Services Agreement, BAA, Data Processing Addendum, security questionnaire responses — are available under NDA. Email sriram@getmaxrcm.com for the long form.

1. Who we are

GetMax Healthcare Solutions Pvt Ltd ("GetMax", "we", "us") operates the platform at app.getmaxglobal.com and related marketing surfaces at getmaxglobal.com. Our headquarters is in India; we serve United States healthcare practices.

For privacy questions, the responsible person is the CEO, Sriram Raghavan, at sriram@getmaxrcm.com.

2. The two kinds of data we handle

It is important to separate these because the rules that apply to each are different.

Customer data (you, the practice)

  • Account profile: name, work email, role, practice name, billing address.
  • Authentication: hashed password, MFA factors, session and audit logs.
  • Payment data: handled by Stripe; we never see full card numbers.
  • Product telemetry: pages visited, features used, errors triggered.
  • Support communications: emails, chats, call transcripts you initiate.

Patient data (PHI, processed on your behalf)

  • Demographics, insurance details, eligibility responses, claim status, denials, appeals, EOBs, and clinical notes only when your workflow requires them (e.g. coding assistance).
  • For PHI we act as a Business Associate under HIPAA. We do not own this data; you do. A signed Business Associate Agreement (BAA) is required before any PHI flows.

3. How we use customer data

  1. To operate the product (eligibility checks, claim work, voice calls, etc.).
  2. To bill you and prevent fraud.
  3. To send transactional email (receipts, security alerts, downtime notices).
  4. To improve the product — aggregate, de-identified usage only.
  5. To meet legal obligations (tax records, lawful requests with proper process).

We do not sell customer data. We do not train third-party AI models on PHI. Internal models, where used, run inside our HIPAA-eligible infrastructure (see Subprocessors below).

4. Subprocessors

We use a small set of vendors to deliver the platform. Each row below is real and in production today. Where the vendor handles PHI, a BAA is signed. Where it does not, a Data Processing Addendum (DPA) is in place. We update this list when we add or remove a vendor.

Vendor | Purpose | Data category | Location | Status
Amazon Web Services | Compute, storage, networking (primary hosting, S3, secrets manager) | Customer data + PHI (encrypted) | US (us-east-1, us-west-2) | BAA signed
MongoDB Atlas | Primary application database (per-tenant document store) | Customer data + PHI | US (AWS-backed) | BAA signed
Vercel | Marketing site + web app edge (static assets, edge functions, logs) | Customer data (no PHI persisted) | US | DPA in place
Twilio | Voice + SMS infrastructure (programmable voice for Echo agents) | Phone numbers, call metadata, recordings | US | BAA signed
ElevenLabs | Text-to-speech for voice agents (synthesises Ava, Niya, Sarah, Roger voices) | Call transcripts, agent prompts | US | BAA / Enterprise
Anthropic (Claude) | LLM inference for AI features (claim classification, drafting, coding hints) | De-identified or BAA-covered PHI only | US | BAA / ZDR
Microsoft Graph | Email + calendar integration (Outlook sync for Flux, Lisa meeting capture) | Mailbox content (customer-authorised) | US (M365 commercial) | M365 DPA
Google Workspace APIs | Gmail + Calendar integration (Gmail sync for Flux when user connects) | Mailbox content (customer-authorised) | US | Workspace DPA
Stripe | Payments (subscription billing, invoices) | Customer billing data (no PHI) | US | DPA in place
Availity, Stedi, pVerify | Clearinghouses (270/271, 276/277, 837 routing) | PHI (eligibility, claim status) | US | BAA per partner

To be notified when this list changes, email sriram@getmaxrcm.com and ask to be added to the subprocessor notification list.

5. PHI handling specifics

  • Encryption. PHI fields are encrypted at the application layer with AES-256-GCM in addition to AWS-managed encryption at rest. TLS 1.2+ in transit.
  • Minimum necessary. Each feature requests only the PHI fields it needs. Eligibility uses payer ID and member ID; coding uses encounter notes; voice uses a redacted summary, not the full chart.
  • Access control. Role-based access, mandatory MFA for all GetMax staff, per-tenant isolation in every read path, and audit logging on every PHI access.
  • No PHI in training. We do not train models on customer PHI. Aggregate, de-identified usage may be used to improve the product.

6. Data retention

We retain customer data for as long as your account is active and for a defined period after termination, then we delete it. PHI retention follows your direction and applicable law (commonly 7 years for medical billing records in the US).

  • Active accounts: retained while the contract is in force.
  • After termination: 30-day grace period for export; then deletion within 90 days unless you direct otherwise (e.g. legal hold).
  • Backups: rolling encrypted backups retained for 35 days; these are purged on a rolling basis and cannot be selectively edited.
  • Audit logs: retained for a minimum of 6 years for HIPAA compliance.

7. Your rights

Depending on where you (or your patients) live, you may have the following rights. Submit any request to sriram@getmaxrcm.com and we will respond within 30 days.

  • Access. Get a copy of the personal data we hold about you.
  • Correction. Ask us to fix data that is wrong.
  • Deletion. Ask us to delete data we hold about you, subject to legal retention duties (e.g. tax records, HIPAA-required audit logs).
  • Portability. Get an export in a common machine-readable format (JSON or CSV).
  • Restriction / objection. Limit how we process your data for marketing or analytics.
  • Patient HIPAA rights. Patient requests should go to the practice (covered entity) first. We assist on request.

8. Children

The product is sold to businesses, not consumers. We do not knowingly collect information from individuals under 13. Patient data we handle on behalf of a covered entity may include minors as a normal part of medical billing; this is governed by HIPAA, not by general children's privacy law.

9. International transfers

GetMax engineering is based in India. Customer and PHI data is stored on US-based AWS regions; engineer access to that data is gated by SSO, MFA, role checks, and full audit logging. We use Standard Contractual Clauses where applicable.

10. Security incidents

We will notify affected customers without undue delay (and within 60 days for any confirmed Breach of Unsecured PHI as defined by HIPAA) and provide what we know, what we are doing, and how to reach us. See the Security page for the broader incident response posture.

11. Changes to this policy

We will post material changes at the top of this page and email registered customers at least 30 days before the change takes effect. Continued use of the product after the effective date constitutes acceptance.

12. Contact

Email sriram@getmaxrcm.com. Postal mail on request.
