🏥 A Note on HIPAA
FairMedBill is a consumer-facing analysis tool. Consumer-to-app interactions may not trigger formal HIPAA obligations. However, we apply HIPAA-inspired principles: minimal data collection, strong encryption, strict access controls, and short retention windows. We treat your health information with the same care that your doctor's office would.
1. What Data We Collect
Short version: We only collect what's in the bill you upload or enter. No account, no name required from you.
When you upload a bill:
- The bill file (PDF, JPG, PNG, or WebP) — held in memory for parsing, then stored in an encrypted database temporarily
- Parsed line items extracted by AI: descriptions, CPT codes, charge amounts, and any flagged issues
- Bill summary fields: patient name (if on the bill), provider, date of service, billed amounts
- A random session ID generated in your browser — not tied to your identity
When you enter data manually:
- The line items you type (descriptions, CPT codes, amounts) — same anonymous session handling
Technical data (automatic):
- Standard server logs: IP address, user agent, timestamp, request path
- Used only for security monitoring — not linked to your bill content
- No tracking cookies, no third-party analytics embedded
2. How We Use Your Data
Your bill data is used for one purpose only: to analyze the bill and return results to you.
- Bill content is sent to our AI model for parsing and error detection
- Parsed results are stored temporarily so you can view your analysis
- We may use aggregated, anonymized statistics (e.g., "X% of bills had duplicate charges") to improve our detection models — your bill content is never used as a named training example
- We do not use your data to build profiles or serve ads, and we do not sell it to insurers, employers, or data brokers
3. Data Retention
Bills are automatically deleted within 30 days of analysis.
- Uploaded files: held in memory during processing only — not stored to disk outside the database
- Parsed data (line items, summary fields): stored in an encrypted database, auto-deleted after 30 days
- Server logs: rotated on a 30-day cycle
- Want early deletion? Email privacy@fairmedbill.com with your session ID — we'll delete that session's data within 48 hours
4. Data Security
- In transit: All data is encrypted via TLS 1.2+ (HTTPS)
- At rest: Database records are encrypted with AES-256
- Access controls: Only automated processes access bill content. No employee reads your bill in normal operations.
- AI provider: Your bill content is sent to an AI API under a data processing agreement that prohibits training on customer data. We don't send identifying metadata.
- We maintain security monitoring and will notify users in the event of a breach involving health information
5. Data Sharing
We do not sell, rent, or share your bill data with any third party for commercial purposes — ever.
The only disclosure scenarios:
- Service providers: Cloud hosting and AI API providers process data under strict contracts prohibiting secondary use
- Legal requirement: Valid court order or subpoena — we'll notify you before disclosure unless legally prohibited
- Safety: If required to prevent imminent harm (extremely rare)
We never share with: insurers, employers, data brokers, advertisers, or anyone building consumer health profiles.
6. Your Rights
- Access: Request a copy of the parsed data we hold for your session
- Deletion: Request immediate deletion by emailing us your session ID
- Correction: Use manual entry to correct misread items and re-run the analysis
- Opt-out of aggregated stats: Email us to exclude your session from aggregate analysis
Contact us at privacy@fairmedbill.com to exercise any of these rights.
7. Children's Privacy
FairMedBill is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has submitted information, contact us immediately.
8. Changes to This Policy
We may update this policy as the service evolves. We'll update the "Last updated" date above. Significant changes will be noted on our homepage. Continued use after changes constitutes acceptance.