Privacy Policy

Effective Date: 03/01/2024
Last Updated: 06/15/2025

1. Overview and Service Description

Medical Bill Navigator ("we," "us," "our," or "the Service") is an educational technology platform that provides billing guidance and insurance policy information. Our Service uses artificial intelligence to help users understand medical bills, insurance claims, and healthcare billing processes.

Important: This Service is designed for educational purposes only and does not provide medical, legal, or financial advice. We are not a covered entity under HIPAA, but we implement HIPAA-conscious practices to protect any health information that may be inadvertently shared.

2. Information We Collect

2.1 Account Information (Squarespace)

When you create an account through our Squarespace member portal, we collect:

  • Name and email address

  • Account credentials (securely managed by Squarespace)

  • Subscription and billing information

  • Account preferences and settings

2.2 Chat and Conversation Data

During your use of our AI chat service:

  • Messages you send are temporarily processed for response generation

  • Conversation context is maintained during your session only

  • Session tokens are used to track your conversation flow

  • Usage metrics (number of messages, session duration) for service improvement

2.3 Technical Information

  • IP addresses and browser information

  • Device and operating system details

  • Service usage patterns and analytics

  • Error logs and performance data

3. Protected Health Information (PHI) Handling

3.1 PHI Redaction and De-identification

We implement automatic PHI detection and redaction using advanced privacy protection systems:

What Gets Redacted:

  • Names, addresses, phone numbers

  • Social Security Numbers and ID numbers

  • Dates of birth and appointment dates

  • Medical record numbers and claim IDs

  • Provider identifiers and facility names

  • Any other identifiable health information

How It Works:

  1. Real-time scanning of all messages before processing

  2. Automatic replacement with generic placeholders (e.g., "the patient," "the date mentioned")

  3. No original PHI is stored, logged, or transmitted to third parties

  4. Session-consistent mapping ensures conversation continuity without storing identifiable data

3.2 Important User Responsibilities

You should NOT include:

  • Patient names, addresses, or contact information

  • Specific dates of birth or treatment dates

  • Social Security Numbers or insurance member IDs

  • Detailed medical information or diagnoses

  • Provider names or facility identifiers

If PHI is accidentally included: Our automated systems will detect and redact this information before processing, but we strongly encourage users to avoid sharing such details.

4. How We Use Your Information

4.1 Service Provision

  • Provide AI-powered billing and insurance guidance

  • Maintain conversation context during your session

  • Deliver educational content and policy information

  • Process your requests and provide customer support

4.2 Service Improvement

  • Analyze usage patterns to improve our AI responses

  • Identify common billing questions for content development

  • Monitor system performance and reliability

  • Develop new educational features and resources

4.3 Legal and Safety

  • Comply with applicable laws and regulations

  • Protect against fraud, abuse, and security threats

  • Respond to legal requests when required

  • Maintain audit trails for security purposes

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We work with trusted partners who help us provide our Service:

OpenAI (AI Processing):

  • All messages are PHI-redacted before transmission

  • Used solely for generating educational responses

  • Governed by OpenAI's enterprise privacy terms

  • No PHI or identifiable information is shared

Vercel (Hosting and Infrastructure):

  • Provides secure hosting and content delivery

  • All data transmissions are encrypted (HTTPS/TLS)

  • No persistent storage of conversation data

  • Complies with enterprise security standards

Squarespace (Account Management):

  • Manages user accounts and subscriptions

  • Handles billing and payment processing

  • Subject to Squarespace's privacy policy

  • Account data separate from chat conversations

Presidio API (PHI Detection):

  • Used exclusively for identifying and redacting PHI

  • Processes text content only for privacy protection

  • No data retention or secondary use

  • Enhances our privacy protection capabilities

5.2 We Do NOT Share

  • Original conversation content (only redacted versions are processed)

  • PHI or health information in any identifiable form

  • Personal account data for marketing purposes

  • Individual usage patterns with third parties

5.3 Legal Disclosures

We may disclose information when required by law, court order, or to:

  • Protect our legal rights and safety

  • Investigate fraud or security issues

  • Comply with regulatory requirements

  • Respond to valid legal process

6. Data Security and Protection

6.1 Technical Safeguards

  • Encryption in transit: All communications use HTTPS/TLS encryption

  • Automatic PHI redaction: Real-time privacy protection before processing

  • Session-based storage: No persistent conversation history

  • Access controls: Limited employee access to systems

  • Regular security audits: Ongoing monitoring and assessment

6.2 Data Retention

  • Chat conversations: Temporarily processed during session only, automatically purged

  • Session data: Cleared every 2 hours for HIPAA compliance

  • Account information: Retained while your account is active

  • Usage analytics: Aggregated, non-identifiable data for service improvement

  • Security logs: Maintained for audit and security purposes

6.3 Data Breach Response

In the unlikely event of a security incident:

  • Immediate investigation and containment

  • Assessment of affected information

  • Notification to affected users as required by law

  • Cooperation with regulatory authorities

  • Implementation of additional safeguards

7. Your Rights and Choices

7.1 Account Control

  • Access: View your account information through the Squarespace portal

  • Update: Modify your account details and preferences

  • Delete: Request account deletion and data removal

  • Export: Request a copy of your account data

7.2 Communication Preferences

  • Opt out of promotional communications

  • Choose notification settings

  • Update contact preferences

  • Manage subscription details

7.3 Data Portability

Upon request, we can provide:

  • Your account information in a portable format

  • Summary of your service usage

  • Any stored preferences or settings

8. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.

9. International Users and Data Transfers

Our Service is operated from the United States. If you are accessing our Service from outside the United States, please be aware that your information may be processed and stored in the United States, where privacy laws may differ from those in your jurisdiction.

For EU/UK Users: We implement appropriate safeguards for international data transfers and respect applicable privacy rights under GDPR.

10. HIPAA and HITECH Compliance

10.1 Our Commitment

While we are not a covered entity under HIPAA, we implement HIPAA-conscious practices:

  • Automatic PHI redaction to prevent inadvertent health information processing

  • Limited data retention with automatic deletion policies

  • Encryption and security measures that exceed industry standards

  • Employee training on privacy and security best practices

10.2 User Acknowledgment

By using our Service, you acknowledge that:

  • This is an educational tool, not a clinical or medical service

  • You will avoid sharing detailed PHI when possible

  • Any PHI accidentally shared will be automatically redacted

  • This Service is not intended for emergency medical situations

11. State-Specific Privacy Rights

11.1 California Residents (CCPA/CPRA)

California residents have specific rights regarding their personal information:

  • Right to know what personal information we collect and how it's used

  • Right to delete personal information we've collected

  • Right to opt out of the sale of personal information (we do not sell data)

  • Right to non-discrimination for exercising these rights

11.2 Other State Laws

We comply with applicable state privacy laws including Virginia CDPA, Colorado CPA, and other emerging privacy regulations.

12. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will:

  • Post the updated policy on our website

  • Notify users of material changes via email

  • Indicate the effective date of changes

  • Provide a summary of significant updates

Continued use of our Service after policy updates constitutes acceptance of the changes.

13. Contact Information

Questions About This Policy

If you have questions about this Privacy Policy or our privacy practices:

Email: privacy@medcoursepro.com
Address: 5900 Balcones Drive STE 100, Austin, TX 78731 US
Phone: (210) 202-4778

Data Protection Officer

For privacy-related requests or concerns: Email: support@medcoursepro.com

Account Support

For account-related questions: Email: support@medcoursepro.com

14. Effective Date and Acknowledgment

This Privacy Policy is effective as of 03/01/2024. By using the Medical Bill Navigator service, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Version: 1.0

This Privacy Policy is designed to be transparent about our data practices while maintaining the highest standards of privacy protection. We are committed to earning and maintaining your trust through responsible data handling and clear communication about our practices.