Privacy Policy
Service: AIAM (aiam.care) — Healthcare Management & Marketing Analytics Platform
Effective date: 10 May 2026
Version: 1.0
Data controller: Orto Algorytmics sp. z o.o., Kraków, Poland (European Union)
Contact: hello@aiam.care
1. Who we are
AIAM ("AIAM", "we", "us") is a software-as-a-service platform operated by Orto Algorytmics sp. z o.o., a limited liability company incorporated and registered in Kraków, Poland (European Union) (the "Company"). AIAM provides an AI-powered management and analytics platform for multi-location healthcare organizations, with a primary focus on orthotic and prosthetic (O&P) practices and adjacent specialties. The service is offered globally through the website at https://aiam.care and authorized sub-domains.
This Privacy Policy describes how we collect, use, share, and protect personal data in connection with the Service, including data we receive from third-party platforms such as Google and Meta when you choose to connect them to AIAM.
2. Scope and roles
Our customers are healthcare organizations ("Customer Organizations" or "Tenants") who use AIAM to manage their practice and marketing operations. In relation to data that Customer Organizations process about their patients, staff, or campaigns, AIAM acts as a data processor on behalf of the Customer Organization (the data controller). In relation to data we collect directly from visitors to aiam.care, account holders, and our own operations, AIAM acts as a data controller.
3. Information we collect
3.1 Account and identity data
- Name, work email, role, organization, and password hash for users who register.
- Authentication metadata (sign-in timestamps, IP address, user agent, MFA status).
3.2 Customer Organization (tenant) data
- Practice configuration, location and staff records, scheduling, patient records, device fitting and orthotic/prosthetic case data, and other information our Customer Organizations choose to store in AIAM.
- Such data is processed strictly on the documented instructions of the Customer Organization, in accordance with our Data Processing Addendum.
3.3 Third-party integration data (Google, Meta, and similar)
When an authorized user of a Customer Organization connects a third-party platform to AIAM via OAuth 2.0 user-delegation, we receive and process data the user has explicitly consented to share. This may include:
- Google Ads: account identifiers (customer_id), account metadata (descriptive name, currency, time zone), campaign names and IDs, and aggregated performance metrics (impressions, clicks, cost, conversions, conversion value, time-series by date).
- Google Analytics 4 / Search Console (when connected): property identifiers and aggregated traffic, conversion, and search-performance metrics.
- Google Workspace / Gmail / Calendar / Drive (when connected): metadata and content of messages, events, or files explicitly selected by the user, used solely to power features the user has enabled.
- Meta (Facebook & Instagram): page and ad-account identifiers, campaign and ad-set names, aggregated insights metrics, and lead-form submissions the user has chosen to ingest. Meta data is processed strictly under the Meta Platform Terms and Developer Policies (see Section 6 for full disclosure).
3.4 Usage and technical data
- Product telemetry (feature usage, error events, performance metrics) to operate and improve the Service.
- Cookies and similar technologies used for authentication, security, and (with consent) analytics. See Section 12.
4. How we use information
- Provide, operate, secure, and improve the AIAM platform.
- Display marketing performance dashboards (channel cards, top campaigns, sparkline trends, period-over-period comparisons) populated with data returned by the connected APIs.
- Support our customers, prevent abuse, and meet legal obligations.
- Develop, debug, and improve product features. We do not use third-party API data for personalized advertising, and we do not sell personal data.
5. Google API Services — Limited Use Disclosure
AIAM's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
- We use Google user data only to provide or improve user-facing features that are prominent in AIAM's user interface (e.g., the Marketing Analytics Cockpit).
- We do not transfer Google user data to third parties except (i) as necessary to provide or improve user-facing features, (ii) for security purposes (e.g., investigating abuse), (iii) to comply with applicable law, or (iv) as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
- We do not allow humans to read Google user data, except (i) with the user's affirmative agreement for specific messages, (ii) when necessary for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) where the data has been aggregated and anonymized for internal operations.
This Limited Use commitment applies to all Google API scopes used by AIAM, including the https://www.googleapis.com/auth/adwords scope used by the Google Ads integration.
6. Meta (Facebook & Instagram) Platform Terms
When you connect a Meta account to AIAM, we process Meta Platform Data strictly in accordance with the Meta Platform Terms, the Meta Developer Policies, and applicable Meta Product Terms (including the Meta Business Tools Terms and Lead Ads Terms).
6.1 Scopes (permissions) we request
AIAM requests the minimum permissions required to deliver the features you enable. Each permission below is requested only when the corresponding feature is activated:
- public_profile, email — to identify the connecting user.
- pages_show_list, pages_read_engagement — to list the Facebook Pages you manage and read aggregated post engagement metrics shown in the Marketing Analytics Cockpit.
- instagram_basic, instagram_manage_insights — to list connected Instagram business accounts and read aggregated insights metrics.
- ads_read — to read Ad Account, campaign, ad set, and ad metadata, plus aggregated insights metrics (impressions, reach, clicks, spend, conversions, conversion value).
- business_management — to list Business Manager assets the user has access to during the connection step.
- ads_management (only when explicitly enabled) — to allow authorized users to act on campaigns from within AIAM (e.g., pause/resume) under user-initiated control. AIAM does not autonomously change campaign budgets, targeting, or creative.
- leads_retrieval (only when explicitly enabled) — to ingest Lead Ads form submissions that the user wishes to flow into AIAM's CRM. Leads are processed solely for the connected Customer Organization and are never sold, shared with third parties, or used for cross-context advertising.
6.2 How we use Meta Platform Data
- We use Meta Platform Data only to provide and improve user-facing features explicitly enabled within AIAM (e.g., the Marketing Analytics Cockpit, lead inflow into CRM).
- We do not sell, license, or otherwise transfer Meta Platform Data to data brokers, advertising networks, or any third party for advertising purposes.
- We do not use Meta Platform Data to build user profiles for advertising outside the Meta platforms.
- We do not combine Meta Platform Data with data from other sources for purposes incompatible with the user's expectations or these disclosures.
- Aggregated and de-identified metrics may be used internally to operate, secure, and improve the Service.
6.3 Data Deletion Instructions (required by Meta)
You can request deletion of your Meta Platform Data held by AIAM at any time using any of the following paths:
- In-app: open Marketing Hub → Settings → Integrations, find the Meta connection, and click Disconnect & delete data. Within 30 days we permanently delete all Meta Platform Data associated with that connection (back-ups overwritten on the standard rotation schedule, up to 30 additional days).
- Email: send a request to hello@aiam.care with the subject "Meta Data Deletion" from the email address tied to your AIAM account.
- From Facebook: go to Settings & Privacy → Settings → Apps and Websites, select AIAM, and choose Remove. Facebook will send AIAM a deauthorization signal, after which we delete Meta Platform Data associated with your account within 30 days.
If you submit a deletion request through Meta's flow that includes a confirmation code, we will provide a status URL where you can verify completion. Contact us at hello@aiam.care if you need that URL.
6.4 Deauthorization callback
AIAM implements Meta's deauthorization callback. When Meta notifies us that you have removed AIAM from your Facebook account, we automatically:
- Revoke the stored access token.
- Halt all background syncs for that connection.
- Schedule deletion of Meta Platform Data associated with that user within 30 days, except where retention is required by law or the Customer Organization's documented instructions.
6.5 Lead Ads specific commitments
Where AIAM ingests Lead Ads submissions:
- Leads are delivered solely to the Customer Organization that owns the corresponding Ad Account and Page.
- Leads are never resold or shared with third parties for advertising or marketing purposes.
- AIAM follows the user's lawful basis for outreach (consent, performance of contract, or legitimate interest) and provides unsubscribe handling.
- Lead records are retained per the Customer Organization's retention policy and are deleted on request.
6.6 Meta Pixel and Conversion API on aiam.care
Currently, aiam.care does not deploy the Meta Pixel or the Conversions API. If we add them in the future for marketing measurement on our own website, we will update this Policy, add the relevant cookie-consent controls, and disclose the data flow before activation.
7. Legal bases for processing (GDPR)
- Performance of a contract (Art. 6(1)(b) GDPR) — to deliver the Service to account holders and Customer Organizations.
- Legitimate interests (Art. 6(1)(f)) — to secure, support, and improve the Service, prevent fraud, and operate our business, balanced against the rights of data subjects.
- Consent (Art. 6(1)(a)) — for optional cookies, marketing emails, and specific third-party integrations connected via OAuth.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other applicable laws.
8. How we share information
We share personal data only as described below:
- Sub-processors we use to host and operate AIAM (e.g., cloud infrastructure, email delivery, error monitoring, customer support). A current list is available on request and incorporated into our Data Processing Addendum.
- Customer Organization — data entered or generated by users of a Customer Organization is accessible to administrators of that organization.
- Law enforcement and authorities when required by valid legal process and to the extent permitted by applicable law.
- Corporate transactions — successor entities in a merger, acquisition, or asset sale, with notice and continued protection consistent with this Policy.
We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.
9. International data transfers
AIAM is operated from the European Union. Where we transfer personal data outside the European Economic Area (EEA) or the UK to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum where relevant, together with supplementary technical and organizational measures.
10. Data retention
- Account data is retained for the duration of the account and for a reasonable period thereafter (typically up to 90 days), unless a longer period is required by law.
- Tenant content is retained per the Customer Organization's instructions and the subscription agreement. Upon termination, tenant content is deleted or returned within 30 days unless retention is legally required.
- Marketing-analytics snapshots derived from Google Ads API are cached for a maximum of 15 minutes and may be retained in aggregate form for historical comparison for up to 25 months from collection, unless the user requests earlier deletion.
- Backups are rotated and overwritten on a defined schedule (currently 30 days).
11. Security
- Encryption in transit using TLS 1.2 or higher.
- Encryption at rest using AES-GCM for OAuth tokens, credentials, and sensitive personal data.
- Tenant isolation enforced at database query level using a mandatory tenant_id filter.
- Principle of least privilege; access to production systems is restricted, logged, and reviewed.
- Vulnerability management, secure development practices, and routine backup testing.
12. Cookies and similar technologies
We use strictly necessary cookies for authentication and security, and (subject to consent where required) limited analytics cookies to understand product usage. We do not use third-party advertising cookies on aiam.care.
13. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, or port your personal data, to object to processing, and to withdraw consent at any time. EU/EEA and UK residents may lodge a complaint with their supervisory authority. To exercise rights, contact hello@aiam.care. We respond within 30 days.
Revoking third-party access. You can disconnect any integration at any time from Marketing Hub → Settings → Integrations in AIAM. You can also revoke AIAM's access externally:
- Google: myaccount.google.com/permissions
- Meta (Facebook): Settings & Privacy → Settings → Apps and Websites → AIAM → Remove
- Meta (Business): Meta Business Suite → Settings → Business Assets → Apps
Data Deletion Request URL: https://aiam.care/data-deletion (also see Section 6.3 for Meta-specific deletion paths).
14. Children
AIAM is intended for use by healthcare professionals and is not directed to children under 16. We do not knowingly collect personal data directly from children. Customer Organizations that process patient records of minors do so as data controllers under their own legal basis.
15. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect. The "Effective date" at the top reflects the latest version.
16. Contact us
Orto Algorytmics sp. z o.o., Kraków, Poland (European Union).
Email: hello@aiam.care.
Postal address available on request.
For data-protection matters, please put "Privacy" in the subject line.