Consumer and Website Policy
Effective Date: May 26, 2026
1. INTRODUCTION
This Consumer and Website Privacy Policy (“Privacy Policy”) describes how Maiden Lane Medical, PLLC and its management services organization, KAL Health, LLC, (each or collectively, “Practice,” “MSO”, “we,” “us,” or “our”) collect, use, maintain, protect, and disclose personal data about you when you visit our website, use our digital platform, or interact with our services.
This Privacy Policy applies to all visitors, users, and patients who access our website, mobile applications, patient portal, scheduling tools, or other digital services (collectively, the “Service” or “Services”), whether or not you create an account or become a patient.
This Privacy Policy does not replace or modify our Notice of Privacy Practices which describes how we use and disclose protected health information (PHI) created during clinical care in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If your personal data constitutes protected health information, it is governed by our Notice of Privacy Practices. To the extent this Privacy Policy conflicts with HIPAA or the Notice of Privacy Practices, we comply with HIPAA and the Notice of Privacy Practices to the extent applicable under the circumstance.
By accessing or using the Services, you acknowledge that you have read and understand this Privacy Policy and our Terms of Service. If you do not agree with this Privacy Policy or the Terms of Service you are not authorized to access or use the Services and must promptly discontinue using and exit the Services.
This Privacy Policy may be updated from time to time, and the updated version will be effective as soon as it is accessible unless a later effective date is stated. If we make material changes, we will notify you by prominently posting a notice of such changes, posting the updated Privacy Policy on our website, and updating the effective date. We may also notify you by email if we have your email address on file. Continued use of the Services after changes are posted constitutes acceptance of the updated Privacy Policy.
2. RELATIONSHIP BETWEEN THIS PRIVACY POLICY AND HIPAA
The Practice provides healthcare services through itself and/or affiliated licensed professional entities and providers. In the course of providing clinical care, certain health and medical information you provide may constitute protected health information (PHI) under HIPAA. The use and disclosure of PHI is governed exclusively by our Notice of Privacy Practices, not this Privacy Policy.
However, not all information you provide to us constitutes PHI. Information you provide in order to create an account, browse the website, schedule appointments, make payments, or otherwise interact with the Services outside of clinical care — including your name, email address, shipping address, phone number, payment information, and website browsing activity — may not always be considered PHI under the circumstances and is governed by this Privacy Policy.
Any information that does not constitute PHI or protected health information under applicable law may be used or disclosed in any manner permitted under this Privacy Policy.
3. PERSONAL DATA WE COLLECT
We collect the following categories of personal data from and about users of the Services, which includes personal data you voluntarily provide to us and personal data collected automatically when you express an interest in obtaining information about us or our services, book an appointment, pay a bill, participate in activities on the Services, or contact us:
Contact Information
Name, postal address, billing address, email address, and telephone number.
Account Information
Username, password, and account preferences.
Payment Information
Credit or debit card number, billing address, and payment processing information. Payment information is collected solely for the purpose of processing transactions and is handled by our third-party payment processors, Stax Payments or Global Payments Integrated.
Demographic Data
Date of birth, gender, race or ethnic origin (when voluntarily provided), and other demographic information you provide.
Health-Related Information
Information you provide through intake forms, questionnaires, patient portal messages, uploaded photographs, or other communications related to your health, symptoms, medical history, medications, or treatment. When this information becomes part of your medical record or is used for clinical care, it is governed by our Notice of Privacy Practices and HIPAA, not this Privacy Policy.
Device and Usage Information
Information about your internet connection, IP address, browser type, operating system, device identifiers (such as cookie IDs and mobile advertising IDs), language preferences, referring and exit pages, date and time of visits, pages viewed, clickstream data, and other usage information.
Location Information
General geographic location inferred from your IP address or information you provide regarding your physical location. We do not collect precise GPS-based geolocation data through the Services.
Communications
Records and contents of communications you send to us, including emails, portal messages, chat messages, and telephone communications.
Sensitive Personal Data
Certain personal data we collect may be considered “sensitive personal information” under applicable state laws and may be used only for purposes permitted by applicable law. Such sensitive personal data includes:
- Government-issued identification (when required for identity verification)
- Account login credentials (username in combination with password)
- Race or ethnic origin (when voluntarily provided)
- Health-related information (to the extent it is not PHI governed by HIPAA)
- Information about reproductive or sexual health (to the extent provided through intake forms or questionnaires and not governed by HIPAA)
4. HOW WE COLLECT YOUR PERSONAL DATA
Directly From You
When you create an account, complete intake forms, schedule appointments, submit information through the patient portal, make payments, contact us by email or telephone, or otherwise provide information to us.
Automatically Through Technology
As you navigate and interact with the Services, we automatically collect device and usage information through cookies, pixels, analytics tools, and similar technologies (see Section 6 below).
From Third Parties
We may receive personal data from payment processors, analytics providers, advertising sources, social networks, or other third parties in connection with the Services.
Information We Generate
We may generate or create information about you from your interactions with the Services, such as inferences about your general geographic location based on your IP address or inferences about services that may be relevant to you based on your browsing activity.
For information about what cookies are and how they are used, please refer to our Cookie Notice.
5. HOW WE USE YOUR PERSONAL DATA
We use your personal data for the following purposes:
- Providing the Services to you, including scheduling, patient communications, care coordination, and facilitating clinical services through affiliated providers.
- Processing payments and fulfilling transactions.
- Verifying your identity and physical location as required for telehealth services.
- Communicating with you about your account, appointments, and Services.
- Responding to your inquiries and requests.
- Improving, personalizing, and optimizing the Services and user experience.
- Sending promotional communications, newsletters, or health-related information with your consent. You may opt out of promotional communications at any time (see Section 10 below).
- Analyzing website traffic and usage patterns to improve the Services.
- Enforcing our Terms and Conditions and other agreements.
- Complying with legal obligations and responding to lawful requests.
- Protecting our rights, safety, and security and those of our users and the public.
- Conducting internal analytics, quality improvement, and business operations.
- Detecting and preventing fraud, unauthorized access, and other harmful activity.
Health Data and Advertising
We do not use protected health information, medical records, clinical data, or health-related information collected during clinical care for advertising, marketing, or promotional purposes. Health-related browsing activity on our website (such as viewing pages about specific treatments or conditions) is not shared with advertising partners or used for targeted advertising.
6. COOKIES AND TRACKING TECHNOLOGIES
See our Cookie Notice.
7. HOW WE SHARE YOUR PERSONAL DATA
We do not sell your personal data for monetary consideration. We do not share protected health information, medical records, or clinical data with advertising or marketing partners.
We may share personal data in the following circumstances:
Service Providers
We share personal data with vendors and service providers who perform services on our behalf, including payment processing, website hosting, analytics, email delivery, customer support, electronic health record hosting, and information technology services. These service providers are contractually obligated to use personal data only for the purposes for which it is disclosed and to maintain appropriate security safeguards.
Payment Processors
Payment transactions are processed by Stax Payments or Global Payments Integrated. When you make a payment, your payment information is transmitted directly to the payment processor. We do not store full credit or debit card numbers. The payment processor’s privacy policy governs its use of your payment information.
Professional Entities and Providers
We share personal data with the affiliated professional entity and its licensed healthcare providers as necessary to deliver clinical services. When personal data is shared for clinical purposes, it becomes subject to our Notice of Privacy Practices and HIPAA.
Laboratories and Pharmacies
We may share personal data with laboratories and pharmacies as necessary to facilitate laboratory testing, prescription fulfillment, and related clinical services on behalf of the affiliated professional entity and providers.
Referral Partners
We may share limited personal data with specialist providers, imaging centers, or other healthcare facilities to facilitate referrals when recommended by your provider.
Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your personal data.
Legal Compliance
We may disclose personal data to comply with applicable law, regulation, court order, subpoena, or governmental request, or to protect our rights, safety, or property and those of our users or the public.
With Your Consent
We may share personal data for other purposes with your express consent, and we will not use consent obtained for one purpose as consent for a materially different purpose unless permitted by applicable law.
Advertising and Marketing Disclosures
We do not share personal data with third parties for their own direct marketing purposes without your consent, but we may provide identifiers, online activity information, or general geolocation data to advertising partners, analytics providers, or social networks in a manner that may be deemed a “sale” or “sharing” under applicable privacy laws. We do not share health-related information, medical data, or clinical information with advertising partners.
Certain uses of cookies and tracking technologies described in Section 6 may result in the collection of identifiers (such as IP addresses and cookie IDs) and usage data (such as pages viewed) by third-party analytics providers. Under some state privacy laws, including the CCPA, this type of data collection may be considered a “sale” or “sharing” of personal information even though no monetary payment is exchanged. You may opt out of this type of data collection using the controls and mechanisms described in our Cookie Notice and in this Privacy Policy, and by contacting us pursuant to Section 15 below.
De-Identified Information
We may disclose aggregated or de-identified information that cannot reasonably be used to identify any individual, provided that we maintain and use de-identified information in de-identified form and do not attempt to re-identify it except as permitted by applicable law. We contractually require recipients of de-identified information to maintain it in de-identified form and not attempt to re-identify it except as permitted by applicable law.
8. DATA SECURITY
We implement administrative, technical, and physical safeguards designed to protect personal data from unauthorized access, use, alteration, and disclosure.
These measures include:
- Encryption of data in transit and at rest
- Access controls and authentication requirements
- Regular security assessments and monitoring
- Employee training on data privacy and security practices
Despite these safeguards, no electronic communication or data storage system can be guaranteed to be completely secure. Transmission of personal data through the Services is at your own risk, but we will maintain safeguards appropriate to the nature of the personal data we process and applicable legal requirements.
You are responsible for maintaining the confidentiality of your account credentials. Do not share your password with anyone. If you have reason to believe that your account or personal data has been compromised, please contact us immediately.
9. DATA RETENTION
We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce agreements.
Medical records and other patient-related information are retained in accordance with applicable state and federal law, payer, insurance-carrier, and professional-liability requirements. In New York, medical records are generally retained for at least six years from the date of the last treatment (or three years after a minor patient reaches the age of 18, whichever is longer).
When personal data is no longer needed for any lawful purpose, we will delete or anonymize it, or, if deletion or anonymization is not reasonably possible because the information is stored in backup archives or must be retained under law, patient-record requirements, or insurance obligations, we will securely store it and limit further processing to those purposes.
10. YOUR RIGHTS AND CHOICES
Communication Preferences
Promotional Emails. If you receive promotional emails from us and wish to stop, you may opt out at any time by clicking the “unsubscribe” link at the bottom of any promotional email. This opt-out does not apply to transactional or service-related communications (such as appointment confirmations, billing notices, or clinical messages).
Text Messages (SMS). If you receive promotional text messages and wish to stop, you may reply STOP to any promotional text message, and we will honor your opt-out request in accordance with applicable law. Standard message and data rates may apply.
Telephone. You may request to be removed from promotional call lists by contacting us at the address provided below.
Opting out of promotional communications will not affect clinical communications from your provider or service-related messages necessary to operate your account.
Privacy Rights
Depending on your state of residence, you may have certain rights regarding your personal data:
Right to Know and Access. You may request information about the categories and specific pieces of personal data we have collected about you, the sources of that data, the purposes for collection, and the categories of third parties with whom it has been shared.
Right to Delete. You may request deletion of your personal data, subject to certain legal exceptions. We may not be able to delete information that is required to be retained under applicable law (for example, medical records subject to state retention requirements) or that is necessary to complete a transaction, detect fraud, or comply with a legal obligation.
Right to Correct. You may request correction of inaccurate personal data we maintain about you.
Right to Opt Out of Sale or Sharing. You may opt out of the sale or sharing of your personal data for targeted advertising purposes. Although we do not intentionally sell personal data for monetary consideration, certain data-sharing practices (such as the use of tracking pixels) may be considered a “sale” or “sharing” under some state laws. You may opt out by enabling the Global Privacy Control in your browser, adjusting your cookie settings, or contacting us directly.
Right to Limit Use of Sensitive Personal Data. You may request that we limit the use of sensitive personal data to purposes necessary to provide the Services you have requested.
Right to Appeal. If we decline your request, you may appeal that decision by contacting us. We will respond to your appeal in accordance with applicable law.
Right to Nondiscrimination. We will not discriminate against you for exercising any of your privacy rights. We will not deny services, charge different prices, or provide a different level of service because you exercised a privacy right.
To exercise any of these rights, please contact us at the address provided in Section 15, email us at legal@maidenlanemedical.com or, for opt-out requests, email legal@maidenlanemedical.com with “Opt-Out Rights” in the subject line. We may need to verify your identity before processing your request. Verification may require you to provide your name, email address, and other identifying information associated with your account.
You may designate an authorized agent to submit a request on your behalf. We may require the authorized agent to provide written proof of authorization and may require you to verify your identity directly.
11. CALIFORNIA RESIDENTS
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email address, IP address, account name); personal information as defined in California Civil Code Section 1798.80(e) (name, address, telephone number, financial information); characteristics of protected classifications (age, gender, race or ethnic origin when voluntarily provided); commercial information (transaction history, services purchased); internet or electronic network activity information (browsing history, search history, interaction with the website); geolocation data (general location inferred from IP address); audio, electronic, or visual information (photographs submitted through the Services); inferences (preferences or characteristics derived from collected data); and sensitive personal information (government ID when required for verification, account credentials, health-related information, demographic data).
Sources of Personal Information
We collect personal information directly from you, automatically through your use of the Services, and from third-party sources such as payment processors and analytics providers.
Business or Commercial Purpose for Collection
We collect personal information for the purposes described in Section 5 of this Privacy Policy, including providing the Services, processing payments, communicating with you, improving the Services, and complying with legal obligations.
Categories of Personal Information Sold or Shared
While we do not intentionally sell personal information for monetary consideration, certain uses of tracking technologies (such as cookies and pixels) may constitute a “sale” or “sharing” under the CCPA. Categories potentially affected include identifiers (IP addresses, cookie IDs) and internet or electronic network activity information (pages viewed, clickstream data). We do not sell or share health-related information, medical data, or sensitive personal information for advertising purposes.
Categories of Personal Information Disclosed for a Business Purpose
In the preceding 12 months, we have disclosed identifiers, personal information, commercial information, and internet or electronic network activity information to service providers for business purposes including payment processing, analytics, website hosting, and email delivery.
Your CCPA Rights
You have the right to know, access, delete, correct, opt out of sale or sharing, and limit use of sensitive personal information as described in Section 10 above. You may make a CCPA-related data access or portability request up to twice in a 12-month period.
California residents or their authorized agents may submit verifiable requests by email, telephone, or mail using the contact methods listed in Section 15.
To exercise your rights, contact us at the address provided below.
We do not knowingly sell or share the personal information of individuals under 13 years of age, knowingly solicit personal data from or market to children, or knowingly collect personal information from children under 13 without verifiable parental consent depending on the circumstances.
By using the Services, you represent that you are at least eighteen (18) years old or that you are the parent or guardian of a minor at least thirteen (13) years old and consent to that minor dependent’s use of the Services. Children under 13 must not use and must promptly exit the Services. If we learn that we have collected or received personal information from a child under the legal age without verification of parental consent, we will delete that information as required by law. You may notify us at legal@maidenlanemedical.com with “Minor Data Collected Notification” in the subject line.
California Shine the Light
Under California Civil Code Section 1798.83, California residents may request information about personal data disclosed to third parties for direct marketing purposes. We do not disclose personal data to third parties for their own direct marketing purposes.
12. WASHINGTON AND NEVADA RESIDENTS
If you are a resident of Washington State or Nevada, you may have additional rights under the Washington My Health My Data Act (MHMDA) or the Nevada Health Data Privacy Act (NHDPA) with respect to consumer health data.
Consumer health data may include information about health conditions, symptoms, diagnoses, treatments, medications, bodily measurements, or information that could identify an attempt to seek health care services or supplies.
We collect consumer health data directly from you, from your interactions with the Services, and from third parties. We use consumer health data primarily to provide the Services you have requested or authorized.
We may share consumer health data with service providers, affiliated professional entities, payment processors, laboratories, pharmacies, and as otherwise described in Section 7 above.
We do not sell consumer health data. We do not use consumer health data for advertising or marketing purposes.
You may have the right to access, delete, or withdraw consent relating to consumer health data. To exercise these rights, contact us at the address provided below.
If your request is denied, you may appeal by contacting us. If your appeal is unsuccessful, you may file a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint or the Nevada Attorney General at ag.nv.gov/complaints/file-complaint.
13. RESIDENTS OF OTHER STATES; INTERNATIONAL USERS
You may have rights under other state consumer privacy laws depending on whether we meet the qualification requirements under the law, including but not limited to Colorado, Connecticut, Delaware, Indiana, Iowa, Massachusetts, Montana, New Hampshire, New York (e.g., the SHIELD Act, with respect to certain non-PHI; protected health information (PHI) is covered under HIPAA), New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia. These laws may provide rights to access, delete, correct, or opt out of certain data processing activities.
If you have questions about your rights under these laws or wish to exercise a right, please contact us at the address provided below or by email at legal@maidenlanemedical.com. We will respond to your request in accordance with applicable law.
If you access, use, or interact with the Services from outside the United States, including the European Economic Area, this Privacy Policy applies together with any mandatory privacy disclosures required by the laws of your jurisdiction, and, to the extent those laws apply, we may rely on legal bases such as your consent, performance of a contract, compliance with legal obligations, protection of vital interests, or our legitimate interests in operating, securing, and improving the Services. To the extent there is any conflict between this section and the other sections of the Privacy Policy, this section shall govern.
More specifically, the laws of some jurisdictions, such as the European Union, require companies to tell you about the legal basis for using, sharing, or disclosing your information. To the extent those laws apply, we may rely on the following legal bases:
- performance of a contract: where use of your information is necessary to provide you with the Services under a contract; for example, the Terms and Conditions.
- legitimate interest: where use of your information is necessary for our or others’ legitimate interests and where the use is not outweighed by your rights and interests. Below are some examples of such interests:
  - providing the Services;
  - improving the Services and developing new ones;
  - recognizing and better understanding our users, including across platforms;
  - conducting security and fraud prevention activities;
  - marketing and promoting our content and services;
  - building and managing business relationships;
  - conducting compliance and risk management activities; and
  - providing and managing access to our systems.
- legal obligation: where use of your information is necessary to comply with laws and regulations such as those relating to anti-bribery and corruption and anti-money-laundering, complying with requests from government bodies or courts, or responding to litigation.
- with consent: we may ask for your consent to process your information in a certain way. Where we rely on this basis, you have the right to withdraw your consent at any time.
If you are located in Canada, this section applies to you: We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time. In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:
- If collection is clearly in the interests of an individual and consent cannot be timely obtained.
- For investigations and fraud detection and prevention.
- For business transactions provided certain conditions are met.
- If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim.
- For identifying injured, ill, or deceased persons and communicating with next of kin.
- If we have reasonable grounds to believe an individual has been, is, or may be a victim of financial abuse.
- If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.
- If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records.
- If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced.
- If the collection is solely for journalistic, artistic, or literary purposes.
- If the information is publicly available and is specified by the regulations.
14. THIRD-PARTY LINKS AND SERVICES
The Services may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party services you access.
Examples of third-party services you may be directed to through the Services include laboratory ordering portals, pharmacy websites, specialist referral platforms, payment processing pages, advertising networks, analytics platforms, and social networks. Each of these services is governed by its own privacy policy.
15. CONTACT INFORMATION
If you have questions, concerns, complaints, or requests regarding this Privacy Policy, your personal data, or your privacy rights, please contact us at:
Maiden Lane Medical – Privacy Inquiries
90 Maiden Lane, Third Floor, New York, NY 10038
legal@maidenlanemedical.com
646-290-9560
You may also submit privacy-related requests by sending a written request to the mailing address above. Please include your full name, email address associated with your account, a description of your request, and your state of residence.
We will respond to verified requests within the timeframes required by applicable law (generally within 45 days for CCPA requests, with the possibility of a 45-day extension if reasonably necessary) and will maintain and, when required, publish records of requests received, complied with, denied, and average response times to the extent required by applicable law.