AI Guardrails
MARCo safeguards user well-being through a multi-layered AI approach. First, a dynamic rules system considers client data (demographics, conditions, emotions) and session details (session number, phase) to select the most appropriate AI model for each stage of the interaction. The stages are defined by the Beck Institute’s MODIFIED BRIEF COGNITIVE BEHAVIORAL THERAPY GUIDE and COGNITIVE THERAPY RATING SCALE (CTRS) to ensure that the robot follows an appropriate clinical modality in delivering care. The stages lie on defined paths, and the system switches between them only once certain criteria have been met, either during the session or by the client.
Figure 1: Example rules-based system for care delivery
At each stage of the session delivery, generative AI models are employed, each fine-tuned for a specific conversation aspect such as motivational interviewing or psychoeducation, ensuring focused and relevant responses. Finally, for emergencies, pre-scripted interventions written by our team take over, guaranteeing consistent and safe support during critical moments. This layered approach significantly reduces the risk of inaccurate or harmful responses from MARCo's AI.
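The three layers described above, as an added illustration that is not MARCo Health's own code: a rules layer maps each session stage to a fine-tuned model, stage transitions are gated on explicit criteria, and a pre-scripted emergency intervention overrides any generative model whenever an upstream risk classifier raises a flag. Stage names, criteria, model labels and the `risk_flagged` input are assumptions for illustration.

```python
from dataclasses import dataclass

# Ordered session stages. Names are assumptions for illustration; the real
# stages come from the clinical guide and rating scale named in the text.
STAGES = ["check_in", "agenda", "intervention", "summary"]

# Rules layer: which fine-tuned model answers at each stage (labels assumed).
MODEL_FOR_STAGE = {
    "check_in": "mood-check-model",
    "agenda": "agenda-setting-model",
    "intervention": "motivational-interviewing-model",
    "summary": "psychoeducation-model",
}

# Pre-scripted emergency intervention: fixed text, never generated by a model.
SCRIPTED_EMERGENCY = "SCRIPTED: crisis protocol, hand off to human support"


@dataclass
class Session:
    """Session details the rules layer needs (fields assumed for the example)."""
    stage: str = "check_in"
    mood_rated: bool = False         # criterion to leave check_in
    agenda_agreed: bool = False      # criterion to leave agenda
    intervention_done: bool = False  # criterion to leave intervention


def transition_allowed(s: Session) -> bool:
    """True only if the criteria for leaving the current stage are met."""
    criteria = {
        "check_in": s.mood_rated,
        "agenda": s.agenda_agreed,
        "intervention": s.intervention_done,
        "summary": False,  # terminal stage: no further path
    }
    return criteria[s.stage]


def advance(s: Session) -> str:
    """Move along the defined path only when the gate opens; otherwise stay."""
    if transition_allowed(s):
        s.stage = STAGES[STAGES.index(s.stage) + 1]
    return s.stage


def route(s: Session, risk_flagged: bool) -> str:
    """Emergency script wins over any generative model; else the rules pick."""
    if risk_flagged:
        return SCRIPTED_EMERGENCY
    return MODEL_FOR_STAGE[s.stage]
```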
MARCo collects different kinds of data during its normal course of use for different purposes. Data may be classified into three categories: saved data, shared data, and transient data.
The first is personal saved data. This covers data that is connected to a particular user’s account for use by the device in providing better support, including but not limited to:
Saved data is obscured behind the encrypted user ID managed by your service provider, which, when saved, anonymizes it and makes it impossible to trace to a specific user and specific MARCo. Saved data is stored only on your MARCo wherever possible, but it is also stored in a secure cloud database when necessary to enable functionality of the MARCo Online app. This data is not traceable, does not get reviewed or accessed, and is anonymized, accessible only by a user and authorized providers.
MARCo Health does not review, change, access, or delete saved data unless given express permission, which can only happen in the event of a) a data corruption that requires salvaging an account, b) an upgrade to an account to give you access to either beta features or paid features for free, c) a user asking us to delete their data completely, or d) a user asking us to access saved data that is no longer available to that user for legal or health purposes.
MARCo Health does not share any saved data with any third party with the following exceptions:
The second data type is shared data. This includes any data that may be viewed by a third party directly involved in the implementation of MARCo, including, but not limited to, authorized providers, authorized family members, community partners, school administrators or authorized staff.
There are different levels of access to shared data for each authorized administrator. MARCo Health sets the policy with each administrator to determine the level of data access they are permitted. Both the user and the administrator then need to opt in to sharing that data, and the user may opt out of any or all data sharing capabilities.
Shared data may include any or all of the following, depending on the levels of access granted by MARCo Health and the opt-in by the end user and administrator:
The third type of data is transient data. This includes audio captured from MARCo when a user speaks to it and turns on the microphone, the transcription of what a user says to MARCo, the transcription of what MARCo says back to the user, camera data used only for the purpose of analyzing facial expressions and emotions, and other sensor data.
Transient data is not linked to a user’s account and cannot be traced back to a particular user.
Transient data may be transmitted temporarily to a third party only to serve the purpose of accessing necessary services for essential functions, including AI speech recognition and MARCo’s conversational database, but it is never stored with a third party, nor are any individuals associated with such a third party ever enabled or able to access such data.
Transient data is encrypted using the latest encryption protocols that our service providers use, anonymized, and randomized during transmission to and from the servers that process this data, meaning that it cannot be traced back to a particular MARCo or user.
Transient data may be periodically reviewed by members of MARCo Health for quality control purposes, to ensure that the device delivers accurate and safe responses. All personally identifiable information (PII) is redacted from the transient data before this review, and all transient data is anonymized and randomized to obfuscate any potential traceability to a particular user or MARCo.
A sample informed consent form displaying the privacy policy that an end user would receive is shown in Appendix B.
For users who just wish to access some of MARCo’s features and activities without logging personally identifiable information, MARCo Health can create one or multiple “anonymous” accounts for clients to use with MARCo. These “anonymous” accounts would have a generic name (e.g. “Friend”) and a MARCo Health sponsored email and password that can be provided to users to sign in with.
Anonymous accounts would still use transient data and have some saved data, but shared data would be unusable as it would not reflect a single user, nor could it be traced back. This method is only recommended for situations where collection and review of data is not necessary.
Any user can request some or all of their MARCo data to be deleted. This can be done through the MARCo device, the MARCo app, the MARCo website, or by emailing support@marcohealthtech.com.
As part of liability protection measures, any user registered through the customer’s organization that requests data deletion will see their account immediately deactivated. However, data will be archived for a period of time before total deletion. This is to provide a record for a reasonable period of time in the event of data being subpoenaed or requested by an appropriate legal, governmental, or healthcare entity as part of an appropriate legal process. The customer may notify MARCo Health of the preferred archive policy timeline for this data, but the recommended minimum is 1 year.
If user data is breached, MARCo Health will notify the customer and all MARCo users within 24 hours of the breach and work quickly to resolve the issue and contain the damage. As soon as the data breach is resolved, users will be notified of the resolution, the steps they can take to secure their data, and their options to delete their data to prevent further breaches.
See Appendix C for an excerpt of MARCo’s Terms & Conditions highlighting waiver and indemnification for an end user using MARCo and its services. By using MARCo, all users waive the right to pursue legal action against MARCo Health and the customer arising from use or failure to use the platform and services.
Additional Indemnification
The terms and conditions laid out in Appendix C hold MARCo Health and the customer harmless from any damage, injury, costs, or liabilities that an end user experiences as a result of attempts to use or failure to properly use MARCo’s platform and services.
Furthermore, the customer agrees to indemnify, defend, and hold harmless MARCo Health, its officers, directors, employees, agents and third parties, for any losses, costs, liabilities and expenses (including reasonable attorney’s fees) relating to or arising out of your use of or inability to use the Services, any advice or information given by the Services, your violation of any terms of this Agreement or your violation of any rights of a third party, or your violation of any applicable laws, rules or regulations. MARCo Health reserves the right, at its own cost, to assume the exclusive defense and control of any matter otherwise subject to indemnification by the customer, in which event you will fully cooperate with MARCo Health in asserting any available defenses.