Plain-English privacy
BillBusted Privacy Policy
Last updated: May 16, 2026. This explains what data BillBusted collects, how we use it, and how we protect it. Contact: hello@billbusted.com.
The short version
- Free Bill Scan: documents are processed in memory and discarded after the scan returns. No account is required.
- Paid orders ($29, $49, $149, B2B): documents are encrypted at rest in Supabase. Used only to generate your case file and any follow-up the tier covers.
- We do not sell or share your data with third-party advertisers, data brokers, or marketers.
- Email addresses you give us (paid order receipts, optional "email me my results" on the free scan, B2B leads) are used to send your output and the related drip sequence, processed via Brevo. Unsubscribe anytime.
- We are not a HIPAA-covered entity because you send documents directly to us, not through a provider or insurer — but we treat the data with the same care.
1. What data we collect
a. Documents you upload
Medical bills, Explanations of Benefits, Good Faith Estimates, and any other documents you submit to the Bill Scan or paid tiers. We extract line items (CPT codes, charges, dates of service, provider names, amounts) so the AI can audit the bill.
b. Free-text you paste
Anything you type into the bill summary field, insurance status dropdown, care context dropdown, or document checkboxes.
c. Contact information
Email addresses you provide at checkout for paid orders, or optionally on the free scan when you check “Email me my results.” B2B inquiries include the contact name, work email, company, role, and headcount you submit.
d. Payment data
Paid orders are processed by Stripe. We receive a transaction reference and the email you used at checkout. Stripe handles the card details under their own privacy notice.
e. Automatic analytics
Standard web analytics (page views, referrer, approximate location from IP, browser type) for product improvement. We do not run third-party advertising cookies.
2. How we use it
- To run the AI Bill Scan and produce your scan summary.
- To generate the paid case file (Resolution Pack, Full Audit, Done-For-You) you ordered.
- To send your output by email, including welcome and follow-up emails on the optional warm-lead drip.
- For Done-For-You orders: to submit the dispute on your behalf and run automated 14/30/60/90-day follow-ups.
- To answer your support emails.
- To improve the service in aggregate (model performance, error-pattern coverage). We do not train on individual identifiable bills without separate explicit consent.
3. Where the data lives
- Free Bill Scan documents: processed in memory by OpenRouter-hosted language models. Discarded after the scan returns.
- Paid order documents and case files: stored in Supabase Postgres with row-level security, encrypted at rest. Vercel Blob is used as a fallback for large files. Retained for the lifetime of your case (typically up to 12 months after order) so we can support follow-ups, then deleted on request or at the end of the retention window.
- Email logs: stored in Brevo for delivery purposes per their privacy notice.
- B2B leads: stored in Supabase to track outreach.
- Warm-lead drip captures: stored in Supabase. Drip stops after 5 emails or when you unsubscribe.
4. Who we share data with
We share data only with the third-party processors needed to run the service:
- OpenRouter — language-model inference for the AI bill scan and dispute-letter generation.
- Supabase — database and file storage for paid orders.
- Vercel — application hosting and serverless functions.
- Stripe — payment processing.
- Brevo — transactional and drip email delivery.
Each processor has its own privacy notice and security posture. We don't sell, rent, or trade your data to third-party advertisers, data brokers, or marketing networks.
5. Your rights
- Access: email hello@billbusted.com and we'll send you a copy of the data we hold about you.
- Deletion: email us and we'll delete your account data within 30 days, subject to legal retention requirements (e.g., Stripe transaction records).
- Correction: email us if any data we hold is wrong.
- Email opt-out: every email we send has an unsubscribe link. Unsubscribing stops drip emails but does not affect transactional order confirmations.
- Do not sell: we don't sell your data. If you're a California resident and want to confirm, email us.
6. HIPAA status
BillBusted receives documents directly from patients, not from healthcare providers, insurers, or business associates of covered entities. We are therefore not a HIPAA-covered entity or business associate, and HIPAA does not technically apply to the data you send us.
We treat the data with the same care a HIPAA-covered entity would: encryption at rest for paid orders, in-memory processing for free scans, no sale or marketing-sharing of PHI-like content, and breach-notification practices comparable to the HIPAA Breach Notification Rule.
7. Children
BillBusted is not directed at children under 18. If you're a parent or court-appointed agent uploading a child's bill, you may do so as the adult responsible for that bill. We don't knowingly collect data from anyone under 18.
8. Security
Documents are transferred over TLS. Paid-tier data is encrypted at rest. Access to the admin dashboard is limited and token-gated. We follow industry-standard practices but no system is perfect — if a breach occurs, we'll notify affected users by email within a reasonable time, in line with applicable state breach-notification laws.
9. Cookies
We use minimal first-party cookies and localStorage to remember theme preference (light/dark) and to keep your free-scan session state. We do not run third-party advertising or social-media tracking cookies.
10. International users
BillBusted is built for U.S. medical-billing patient-rights frameworks. If you access the service from outside the U.S., the patient-rights triggers we surface (No Surprises Act, IRS 501(r), GFE $400 rule, ERISA, state insurance complaints) may not apply to your bill. Data may be processed in the U.S.
11. Changes to this policy
We'll post material changes here with a new “last updated” date. Continued use after the change means you accept the updated policy.
12. Contact
Questions, deletion requests, or privacy concerns: hello@billbusted.com.