Privacy Policy

Effective Date: August 2025

Last Updated: November 2025

Introduction

Medical Bill Rescue ("we," "our," or "us") is committed to protecting your privacy with our zero-knowledge architecture. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical bill analysis service at medicalbillrescue.com (the "Service").

Zero-Knowledge Processing

  • No Medical PHI Storage: Your personally identifiable health information is never stored on our servers
  • Immediate PII Redaction: Patient names, SSNs, and other identifiers are automatically removed before processing
  • Memory-Only Analysis: Bill analysis happens in temporary memory and is discarded after completion
  • Encrypted Transit: All data transmission is protected with TLS

By using the Service, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Information You Provide

  • Account Information: Email address, password (encrypted), name (optional)
  • Payment Information: Processed securely by Stripe (we don't store card details)
  • Uploaded Documents: Medical bills you upload for analysis (processed with automatic PII redaction)

Information Automatically Collected

We do not use analytics or tracking services. The only automatic data collection is:

  • Server logs: May temporarily include IP addresses for security purposes (not used for tracking)
  • Session data: Authentication state stored in encrypted cookies on your device

We do not track pages visited, time spent, browser type, device information, or any behavioral data.

Cookies (Essential Only)

We only use strictly necessary cookies:

  • Session cookie: Maintains your authenticated session (expires after 7 days of inactivity)
  • Security cookie: CSRF protection token

We do not use analytics, tracking, advertising, or third-party cookies.

How We Use Your Information

  • Provide and maintain our Service
  • Process your medical bills for anomaly detection
  • Process transactions and send related information
  • Send administrative information and service updates
  • Respond to inquiries and provide customer support
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

Information Sharing and Disclosure

Service Providers

We share data with service providers who help deliver our Service. See our Subprocessors page for the complete list.

Legal Requirements

We may disclose information if required by law, subpoena, or to protect our rights, prevent fraud, or ensure safety.

Business Transfers

In connection with a merger, sale, or acquisition, your information may be transferred as a business asset.

Data Security

We implement security measures including:

  • Encryption of data in transit and at rest
  • Regular security assessments
  • Access controls and authentication
  • Secure development practices

Note: No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Data Retention

  • Account information: As long as your account is active
  • Transaction records: As required for accounting and tax purposes
  • Analysis results: As long as your account is active
  • Server security logs: 30 days maximum

You may request deletion of your account and associated data at any time.

Your Privacy Rights

Depending on your location, you may have rights to:

  • Access your personal information
  • Correct inaccurate data
  • Delete your information
  • Data portability
  • Withdraw consent where applicable

How to Request Your Data

To request a copy of your data, correct inaccuracies, or delete your account, email [email protected]. We will respond within 30 days (or 45 days for California residents).

California Residents (CCPA/CPRA)

If you are a California resident, the CCPA/CPRA provides you with specific rights.

Categories of Personal Information We Collect

  • Identifiers: Email address, name (optional), user ID
  • Commercial Information: Purchase history, credit transactions
  • Sensitive Personal Information: Medical bill information you upload for analysis

Note: We do not collect Internet/Network Activity data (no analytics or behavioral tracking).

We Do Not Sell Your Personal Information. Medical Bill Rescue does NOT sell your personal information and has not sold personal information in the preceding 12 months.

Your CCPA Rights

  • Right to Know: Request disclosure of personal information collected (up to 2 requests per year)
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise your rights, email [email protected] with subject line "CCPA Request".

European Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, the GDPR provides you with specific rights.

Lawful Basis for Processing

  • Contract: Account creation, service delivery, payment processing
  • Explicit Consent: Processing medical bill data (health data)
  • Legitimate Interests: Fraud prevention, security
  • Legal Obligation: Tax compliance, legal record-keeping

Health Data: Medical bills contain health information classified as "special category" data under GDPR Article 9. We process this based on your explicit consent when you upload documents. You may withdraw consent at any time.

International Data Transfers

Your data may be transferred to the United States. We implement appropriate safeguards including Standard Contractual Clauses (SCCs) with our service providers.

Your GDPR Rights

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion ("right to be forgotten")
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in machine-readable format
  • Right to Object: Object to processing based on legitimate interests

We will respond within one month. You also have the right to lodge a complaint with your local Data Protection Authority.

Other U.S. State Privacy Laws

Several U.S. states have enacted comprehensive privacy laws. If you are a resident of these states, you may have additional rights.

Virginia (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) provides Virginia residents with the following rights:

  • Right to Access: Confirm whether we process your data and access it
  • Right to Correct: Correct inaccuracies in your personal data
  • Right to Delete: Delete personal data you provided or we collected
  • Right to Portability: Obtain a copy of your data in a portable format
  • Right to Opt-Out: Opt out of targeted advertising and sale of data (we do neither)

To exercise your rights, email [email protected] with subject "VCDPA Request".

Colorado (CPA)

The Colorado Privacy Act (CPA) provides Colorado residents with the following rights:

  • Right to Access: Confirm processing and access your personal data
  • Right to Correct: Correct inaccuracies in your personal data
  • Right to Delete: Delete personal data
  • Right to Portability: Obtain your data in a portable, usable format
  • Right to Opt-Out: Opt out of targeted advertising, sale of data, and profiling (we do none)

To exercise your rights, email [email protected] with subject "CPA Request".

Connecticut (CTDPA)

The Connecticut Data Privacy Act (CTDPA) provides Connecticut residents with the following rights:

  • Right to Access: Confirm processing and access your personal data
  • Right to Correct: Correct inaccuracies
  • Right to Delete: Delete personal data
  • Right to Portability: Obtain a copy in a portable format
  • Right to Opt-Out: Opt out of targeted advertising, sale, and profiling

To exercise your rights, email [email protected] with subject "CTDPA Request".

Utah (UCPA)

The Utah Consumer Privacy Act (UCPA) provides Utah residents with the following rights:

  • Right to Access: Confirm processing and access your personal data
  • Right to Delete: Delete personal data you provided
  • Right to Portability: Obtain a copy of your data
  • Right to Opt-Out: Opt out of targeted advertising and sale of data

To exercise your rights, email [email protected] with subject "UCPA Request".

Texas (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) provides Texas residents with the following rights:

  • Right to Access: Confirm processing and access your personal data
  • Right to Correct: Correct inaccuracies in your personal data
  • Right to Delete: Delete personal data
  • Right to Portability: Obtain your data in a portable format
  • Right to Opt-Out: Opt out of targeted advertising, sale of data, and profiling

To exercise your rights, email [email protected] with subject "TDPSA Request".

Oregon (OCPA)

The Oregon Consumer Privacy Act (OCPA) provides Oregon residents with the following rights:

  • Right to Access: Confirm processing and access your personal data
  • Right to Correct: Correct inaccuracies
  • Right to Delete: Delete personal data
  • Right to Portability: Obtain a copy of your data
  • Right to Opt-Out: Opt out of targeted advertising, sale, and profiling

To exercise your rights, email [email protected] with subject "OCPA Request".

Montana (MCDPA)

The Montana Consumer Data Privacy Act (MCDPA) provides Montana residents with the following rights:

  • Right to Access: Confirm processing and access your personal data
  • Right to Correct: Correct inaccuracies
  • Right to Delete: Delete personal data
  • Right to Portability: Obtain a copy of your data
  • Right to Opt-Out: Opt out of targeted advertising, sale, and profiling

To exercise your rights, email [email protected] with subject "MCDPA Request".

Note: We do not sell personal information, engage in targeted advertising, or profile users for any purpose. We will respond to all requests within the timeframes required by applicable law.

HIPAA and Medical Data

Important Clarification: Medical Bill Rescue is not a HIPAA-covered entity. HIPAA applies to healthcare providers, health plans, and their business associates—not to consumer tools that help you understand your own medical bills.

However, we implement privacy and security controls that meet or exceed healthcare industry standards:

  • Zero-knowledge processing architecture
  • Automatic PHI/PII redaction before analysis
  • Encryption of data in transit (TLS) and at rest
  • Access controls and authentication
  • Security audit logging

For enterprise inquiries requiring HIPAA Business Associate Agreements, contact [email protected].

Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach where the GDPR requires it, and other regulators as required by applicable law
  • Notify affected users without undue delay
  • Provide information about the breach and measures taken
  • Offer guidance on steps you can take to protect yourself

Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for material changes

Contact Us

If you have questions about this Privacy Policy: