Back to Billy SavesBeta

Privacy Policy

Last updated: March 1, 2025

Billy Saves ("we," "us," "our") is a personal health data management platform currently in Beta. We are committed to protecting your privacy and handling your health data responsibly. This Privacy Policy explains what data we collect, how we use it, and the choices you have.

1. Information We Collect

Account Information

When you create an account, we collect your email address, password (securely hashed — we never store plaintext passwords), full name, and optionally your date of birth and profile photo.

Health Records

You may upload health records in various formats (FHIR JSON, C-CDA XML, PDFs, images). We parse and normalize this data into structured categories including conditions, medications, allergies, lab results, vitals, immunizations, and procedures. For PDFs and images, we use AI-powered extraction to convert unstructured documents into structured data.

Medical Bills

You may upload medical billing documents. We extract and store billing details including provider information, charges, insurance data, and line items. Our AI analyzes bills for potential issues such as duplicate charges or pricing anomalies.

Chat & AI Interactions

When you use our AI chat feature, your conversations are stored to provide continuity across sessions. Your health data may be included as context in AI requests to provide personalized responses.

Provider Integrations

If you connect external healthcare providers or payers (e.g., through Epic, UnitedHealthcare, or Anthem), we store encrypted access tokens and refresh tokens to maintain your connection. We sync health records and insurance claims from these sources on your behalf.

Usage Data

We collect basic usage information such as share link access counts and timestamps to help you understand how your shared data is being accessed.

2. How We Use Your Information

We use your data to:

  • Provide and operate the Service, including parsing, storing, and displaying your health records and bills
  • Power AI features such as health summaries, chat, and billing analysis
  • Enable you to share selected health data with providers via secure links
  • Sync data from connected healthcare providers and payers
  • Improve the Service and fix issues
  • Communicate with you about your account or changes to the Service

We do not sell your personal data or health information. We do not share your data with third parties for advertising or marketing purposes.

3. Third-Party Services

We use the following third-party services to operate Billy Saves:

  • Supabase — Database hosting, authentication, and file storage. Your data is stored in Supabase's infrastructure with row-level security policies that isolate each user's data.
  • Anthropic (Claude API) — AI-powered features including health record parsing, bill analysis, and chat. When you use AI features, relevant portions of your data are sent to Anthropic for processing. Anthropic's data handling practices are described in their privacy policy.
  • Vercel — Application hosting and deployment.

We carefully select providers with strong security practices, but we encourage you to review their respective privacy policies.

4. Data Security

We take the security of your health data seriously and implement multiple layers of protection:

  • Row-Level Security (RLS) — Database policies ensure that every user can only access their own data. This is enforced at the database level, not just the application level.
  • Encrypted Storage — Integration tokens (such as OAuth access and refresh tokens) are encrypted using AES-256-GCM before being stored.
  • Private File Storage — Uploaded health records and bills are stored in private storage buckets with access-controlled policies.
  • Secure Authentication — Passwords are securely hashed. Session management is handled through industry-standard protocols.
  • HTTPS — All data in transit is encrypted via TLS.

5. HIPAA & Compliance

We want to be transparent: Billy Saves is not currently fully HIPAA compliant. We are a Beta product actively working toward HIPAA compliance, including Business Associate Agreements (BAAs) with our infrastructure providers, comprehensive audit logging, and additional security controls.

That said, we take data security seriously and have implemented meaningful safeguards (as described above) to protect your information. We believe in your right to own and control your health data, as supported by the 21st Century Cures Act and HIPAA Right of Access provisions, and we are building Billy Saves to uphold that right.

By using Billy Saves during the Beta period, you acknowledge that the Service is not yet fully HIPAA compliant and you accept the associated risks.

6. Data Sharing

We only share your data in the following circumstances:

  • When you choose to share — You can create secure share links with granular control over which categories of data to include. Share links can be set to expire and can be revoked at any time.
  • Third-party service providers — As described in Section 3, to operate the Service (e.g., AI processing, database hosting). These providers process data on our behalf and are not permitted to use it for their own purposes.
  • Legal requirements — If required by law, regulation, or legal process.

7. Your Rights & Controls

You have control over your data:

  • Access & Export — You can view all of your stored data through the dashboard. Health records can be exported in FHIR format.
  • Deletion — You can delete individual records, bills, conversations, or your entire account at any time.
  • Sharing Control — You decide what to share, with whom, and for how long. All share links can be revoked instantly.
  • Integration Control — You can connect and disconnect healthcare provider integrations at any time.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal data and health records from our active systems. Some data may persist in backups for a limited period as part of standard infrastructure operations.

9. Children's Privacy

Billy Saves is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

11. Contact Us

If you have questions or concerns about this Privacy Policy or how we handle your data, please contact us at hello@billysaves.com.