
Privacy Policy

Last updated: May 27, 2026

Our Commitment: MedBill is designed with privacy and security as foundational principles. We process medical billing data to identify overcharges and errors — nothing more. Your Protected Health Information (PHI) is encrypted, processed in-memory, and never sold or shared.

1. Who We Are

MedBill ("we," "our," "us") operates the MedBill platform at medbill-auditor.pages.dev. We provide automated medical bill auditing services to consumers and healthcare practices.

Data Controller: MedBill Inc. For privacy inquiries, contact privacy@medbill.ai.

2. Information We Collect

We collect only the information necessary to provide our audit service:

2.1 Information You Provide

  • Medical Bills & EOBs: PDFs, images, or forwarded emails containing medical bills, Explanation of Benefits (EOB) forms, and insurance correspondence. These contain Protected Health Information (PHI) including patient names, dates of service, CPT/ICD-10 codes, provider information, and billed amounts.
  • Contact Information: Your email address (required for report delivery). Optional: phone number for support.
  • Payment Information: When you purchase a Full Audit or B2B plan, payment is processed through Stripe. We do not store credit card numbers. Stripe's privacy policy applies to payment data.
  • Account Information: If you create an account, we store your name, email, and hashed password.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, upload timestamps, referral source, device type, browser type. Used for analytics and service improvement.
  • Cookies: Essential cookies for site functionality. Analytics cookies (GDPR/CCPA opt-in required). See our Cookie Policy.

3. How We Use Your Information

  • Medical bill audit (core service). Legal basis: Performance of contract / Consent. Data used: Full medical bill data (PHI).
  • Report delivery (email). Legal basis: Performance of contract. Data used: Email address.
  • Payment processing. Legal basis: Performance of contract. Data used: Payment data (via Stripe).
  • Service improvement & analytics. Legal basis: Legitimate interest. Data used: Aggregated, de-identified usage data.
  • Legal compliance. Legal basis: Legal obligation. Data used: As required by law.

4. Protected Health Information (PHI) — HIPAA Compliance

Medical bills and EOBs contain Protected Health Information (PHI) as defined by HIPAA (Health Insurance Portability and Accountability Act). We handle PHI with the following safeguards:

HIPAA Business Associate Status

When serving healthcare providers and medical practices (B2B), MedBill acts as a HIPAA Business Associate. We enter into Business Associate Agreements (BAAs) with covered entities upon request.

For direct-to-consumer services, MedBill is not a HIPAA-covered entity. We process PHI solely to perform the billing audit service you request. We comply with applicable state privacy laws and industry best practices for PHI protection.

4.1 Our PHI Safeguards

  • Encryption in Transit: All data uploaded to MedBill is encrypted using TLS 1.3 (HTTPS). Email submissions are encrypted in transit via SMTP TLS.
  • Encryption at Rest: PHI stored in our systems is encrypted using AES-256. Source files are stored in Cloudflare R2 (SOC 2 compliant) with server-side encryption.
  • In-Memory Processing: During audit analysis, PHI is processed in memory only. Temporary files are immediately deleted after processing completes.
  • Access Controls: PHI is accessible only to the automated audit pipeline. No human accesses your bill data except as needed for support (with your explicit consent).
  • Data Minimization: We collect only the minimum PHI necessary to perform the audit. We do not request medical records, treatment history, or genetic information.

5. Data Retention

  • Source bill files (uploaded PDFs/images). Retention period: Deleted within 24 hours of audit completion. Reason: Minimize PHI exposure.
  • Audit report (findings, dispute letter). Retention period: 30 days, available via shareable link. Reason: Allow user access and dispute processing.
  • Email address + job metadata. Retention period: 7 years (pseudonymized). Reason: Legal compliance and service records.
  • Payment records. Retention period: As required by tax law (typically 7 years). Reason: Tax and financial compliance.
  • Analytics data. Retention period: 26 months (aggregated, de-identified). Reason: Service improvement.

You may request earlier deletion of your data at any time by emailing privacy@medbill.ai. We will delete all identifiable data within 14 days of a verified request.

6. Data Sharing & Disclosure

We never sell your personal information or PHI. We share data only in these limited circumstances:

  • Stripe: For payment processing. Stripe is PCI DSS Level 1 compliant.
  • Cloudflare: CDN and R2 object storage (SOC 2 Type II, ISO 27001).
  • AgentMail: For email delivery of reports and notifications.
  • Legal Requirement: If required by law, court order, or regulatory authority.
  • Your Consent: With your explicit, written consent for any other purpose.

7. Your Rights

Depending on your jurisdiction, you have the following rights regarding your data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate or incomplete data.
  • Deletion (Right to be Forgotten): Request deletion of your data (we will delete within 14 days).
  • Restriction: Limit how we process your data.
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Withdraw consent at any time (does not affect prior processing).

To exercise any right, email privacy@medbill.ai. We will respond within 30 days (or as required by applicable law).

8. Cookies

We use essential cookies for site operation and optional analytics cookies. You can manage preferences at any time. See our full Cookie Policy.

9. Data Security

MedBill implements industry-standard security measures:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Cloudflare infrastructure (SOC 2 Type II, ISO 27001 certified)
  • Automated security scanning and penetration testing
  • Strict access controls — no human access to PHI without explicit consent
  • Regular security audits and updates

10. Children's Privacy

MedBill is not directed at individuals under 18. We do not knowingly collect information from children. If we discover a child has provided us with personal data, we will delete it immediately.

11. International Users

MedBill is based in the United States and processes data in US-based and EU-based cloud infrastructure. If you are accessing our service from the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and Data Processing Addenda (DPAs) as appropriate transfer mechanisms.

12. Third-Party Links

Our website may contain links to third-party sites (e.g., Stripe, CMS.gov). We are not responsible for their privacy practices. We encourage you to review their privacy policies.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be notified via email (if you provided one) or a notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

For privacy-related inquiries, data subject requests, or to report a concern:

  • Email: privacy@medbill.ai
  • Response Time: We respond to all privacy inquiries within 7 business days
  • Data Protection Officer: Privacy Team, MedBill Inc.

15. Governing Law

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to its conflict of laws principles. By using MedBill, you consent to the data practices described in this policy.

© 2026 MedBill Inc. All rights reserved.

MedBill is not a healthcare provider, insurance company, or law firm. Our services do not constitute medical or legal advice.