mainto
§ LEGAL

Privacy Policy

Last updated · May 18, 2026

1. Introduction

Mainto (“we,” “us,” or “our”) operates the Mainto platform at mainto.ai and the Mainto iOS application (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, password (hashed), and organization name when you register.
  • Property data: Property names, addresses, building system details, vendor information, service records, work orders, and compliance documents you upload or create.
  • Payment information: When you subscribe to a paid plan, payment is processed by Stripe. We do not store your full credit card number — Stripe handles all payment data under their PCI-DSS compliant infrastructure.
  • Communications: Messages you send through the Maia AI copilot, support requests, and any feedback you provide.
  • CSV uploads: Property data files you import during onboarding, which may contain property names, addresses, system types, and vendor details.
  • Vendor contact information: Names, email addresses, phone numbers, and related operational data for vendors you add to your organization. This data is used solely to coordinate work orders, send quote requests, and track service history.
  • Connected mailbox credentials:When you connect a Gmail or Outlook mailbox via OAuth (Settings → Integrations), we store an encrypted refresh token that lets us send email on your behalf. See Section 2.4 for what we do and don't do with this access.

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used, actions taken, timestamps, and session duration.
  • Device information: Browser type, operating system, device type, and screen resolution.
  • Log data: IP address, referral URLs, and error logs for debugging purposes.

2.3 Cookies and Tracking

We use only essential cookies required for the Service to function — such as session authentication tokens. We do not use advertising cookies or third-party tracking pixels. We do not sell or share your browsing data with advertisers.

2.4 Connected Mailbox Integration (Google / Microsoft)

Mainto offers an optional “send from your mailbox” feature that lets vendor outreach emails be sent from your actual business address (e.g., yourname@yourcompany.com) rather than from a Mainto-owned domain. When you enable this in Settings → Integrations, the following applies:

  • Google (Gmail / Workspace): We request only the gmail.send scope (plus standard OpenID Connect scopes: openid, email, profile). The gmail.send scope allows Mainto to send email on your behalf — nothing else.
  • Microsoft (Outlook / Microsoft 365): We request only the Mail.Send and offline_access scopes plus standard OIDC scopes. Mail.Send allows Mainto to send email on your behalf — nothing else.
  • What we DO NOT do: We do not read your inbox, draft folder, sent folder, contacts, calendar, or any other mailbox content. We do not request gmail.readonly, gmail.modify, mail.read, or any other read-scoped permissions. We do not access your mailbox for any purpose other than the one-time send action you trigger in Mainto.
  • Tokens and revocation:Refresh tokens are stored encrypted at rest. When you disconnect a mailbox in Settings → Integrations, the associated tokens are immediately deleted from our systems. You may also revoke Mainto's access at any time from your provider's security dashboard (Google Account → Security → Third- party apps; Microsoft Account → Privacy → App permissions).
  • Email delivery logs: For each email Mainto sends through your mailbox, we record metadata (recipient, subject, send timestamp, delivery status, provider message ID). We do not store the email body after the send completes. Logs support delivery diagnostics, audit history, and CAN-SPAM compliance verification.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including property tracking, compliance monitoring, vendor management, and AI-powered features.
  • Process payments and manage your subscription through Stripe.
  • Send transactional communications — account verification, password resets, compliance alerts, and deadline notifications.
  • Power AI features including the Maia copilot, automated vendor outreach, response analysis, and scheduling suggestions.
  • Improve and develop the Service based on aggregated, anonymized usage patterns.
  • Respond to support requests and communications.
  • Detect and prevent fraud, abuse, or security incidents.

4. AI and Large Language Model Usage

Mainto uses third-party AI services (Anthropic Claude) to power features like the Maia copilot, automated vendor outreach email generation, and vendor response analysis. When you use these features:

  • Relevant property, system, and vendor data is sent to the AI provider to generate responses.
  • Maia conversation history is stored in our database and associated with your organization.
  • We do not use your data to train third-party AI models. Anthropic does not use API inputs for model training.
  • AI-generated content (such as vendor outreach emails) is reviewed and sent on your behalf only when triggered by Mainto's automation system or your direct interaction.

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Vercel: Web hosting and deployment.
  • Neon: PostgreSQL database hosting.
  • Stripe:Payment processing and subscription management. Stripe's privacy policy governs payment data handling.
  • Resend: Transactional email delivery via Amazon SES (account alerts, password resets, notifications, and outbound from Mainto-owned domain when a user mailbox is not connected).
  • Google (Gmail / Workspace): When you connect a Gmail mailbox in Settings → Integrations, Mainto uses the gmail.send scope to send email on your behalf. See Section 2.4 for full disclosure of what scopes we request and what we do not access.
  • Microsoft (Outlook / Microsoft 365): When you connect an Outlook mailbox in Settings → Integrations, Mainto uses the Mail.Send scope to send email on your behalf. See Section 2.4 for full disclosure.
  • Postmark: Inbound email webhook routing. When a vendor replies to a Mainto-relayed email, Postmark forwards the message to our webhook so we can thread it back to the originating work order. We process only emails sent to the routing address embedded in the original outbound email — we do not see your inbox.
  • Anthropic: AI/LLM services for Maia copilot and vendor outreach generation.
  • Apple Push Notification Service: Push notifications for the iOS app.

Each provider processes data on our behalf under their respective data processing agreements and privacy policies. We only share the minimum data necessary for each service to function.

6. Data Storage and Security

  • All data is stored in encrypted PostgreSQL databases hosted in the United States.
  • All connections use TLS encryption in transit.
  • Passwords are hashed using bcrypt — we never store plaintext passwords.
  • Session tokens are signed and expire after a configurable period.
  • Access to production infrastructure is restricted to authorized personnel.
  • We conduct periodic security reviews of our codebase and infrastructure.

7. Data Retention

  • Active accounts: We retain your data for as long as your account is active and you maintain a subscription.
  • After cancellation: When you cancel your subscription, your data is retained for 30 days in case you reactivate. After 30 days, account data is queued for permanent deletion.
  • Deletion requests: You can request immediate deletion of your data at any time by contacting us. We will process deletion requests within 30 days.
  • Backups: Data may persist in encrypted backups for up to 90 days after deletion, after which backups are rotated and purged.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion:Request deletion of your personal data (“right to be forgotten”).
  • Export: Export your property data, service records, and compliance documents from the Settings page at any time.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Objection: Object to processing of your data for certain purposes.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at info@mainto.ai. We will respond within 30 days.

9. Vendor Email Rights (CAN-SPAM)

Mainto sends outbound emails (work-order requests, quote invitations, follow-up reminders) on behalf of our customer organizations to their selected vendors. If you are a vendor receiving Mainto-relayed email:

  • One-click unsubscribe: Every Mainto-relayed vendor email includes a working unsubscribe link in the footer. Clicking it takes you to a public preferences page (no login required) where you can stop receiving further emails from that customer organization with one click.
  • Per-organization scope:Opt-outs apply only to the specific customer organization that contacted you. Opting out of one customer's emails does not affect emails from any other Mainto customer.
  • Audit trail: When you opt out, we record the timestamp and treat future send attempts to your address from that organization as blocked. We retain this opt-out record permanently so we can prove the unsubscribe was honored if you ever raise a complaint.
  • Re-subscribing: Returning to the same preferences URL lets you re-subscribe at any time.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete it promptly.

11. International Data Transfers

Our Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take appropriate safeguards to ensure your data is treated securely and in accordance with this Privacy Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us at info@mainto.ai.