Consumer Health Data Privacy Policy

Last updated: April 26, 2026

About This Policy

This Consumer Health Data Privacy Policy is published by LootCastPuff LLC (“MediBill Saver,” “we,” “us”) under the Washington My Health My Data Act (RCW 19.373) and similar consumer health data laws (Nevada SB 370, Connecticut SB 3). It is intended to be read together with our general Privacy Policy. If anything in this Consumer Health Data Privacy Policy conflicts with our general Privacy Policy with respect to consumer health data, this policy controls.

1. Categories of Consumer Health Data We Collect

The Service may collect the following categories of consumer health data:

  • Medical bill content you upload. Bills may contain provider names, dates of service, line-item charges, CPT or HCPCS codes, descriptions of services rendered, and amounts billed, adjusted, or paid by insurance. Bills may incidentally reveal information about a patient’s diagnoses, procedures, prescriptions, or treatments.
  • Optional patient label. A short free-text label you may attach to an analysis (e.g., “Mom’s hospital bill”).
  • Inferences about health status. The structured analysis our system returns may identify procedures, codes, and conditions referenced on the bill.

2. Sources of Consumer Health Data

We collect consumer health data only from the consumer who chooses to upload a bill to the Service. We do not purchase health data, do not receive it from hospitals, insurers, or other healthcare providers, and do not derive it from cookies, advertising networks, or third-party data brokers.

3. How We Use Consumer Health Data

We use consumer health data only to deliver the bill-audit service the consumer has requested:

  • Forwarding the bill to our AI processor (Google Gemini, paid tier) for analysis
  • Generating the analysis output and dispute-letter form templates
  • Returning the encrypted result to the consumer’s browser and releasing the decryption key after payment
  • Detecting and preventing abuse (rate limiting on our infrastructure)

We do not use consumer health data for advertising, profiling, training AI models, building data products, or any purpose beyond the requested service.

4. Categories of Consumer Health Data We Share

We share consumer health data only as strictly necessary to deliver the requested service, with the processors listed in the next section. We do not sell consumer health data, do not share it with affiliates for cross-context advertising, and do not combine it with data from other sources.

5. Third Parties and Affiliates That Receive Consumer Health Data

  • Google LLC (Gemini paid tier). Receives the bill content for AI analysis. Contractually prohibited from using paid-tier inputs to train models. Brief retention for abuse monitoring per Google’s service terms.
  • Vercel, Inc. Hosts the application and proxies the request from the consumer’s browser to our server-side analysis route. No long-term storage of bill content.
  • Cloudflare, Inc. Provides bot protection (Turnstile) on upload requests. Receives request metadata, not bill content.

We have no corporate affiliates. The LootCastPuff LLC group has no parent, subsidiary, or sister entities.

6. Retention

Bill content is processed in memory only and is not written to our databases or long-term storage. The encrypted analysis blob is held briefly so paid consumers can retrieve and decrypt it; the decryption key is released only after payment and is not persistently stored. Numeric subscription counters (no health content) are retained while a subscription is active and are cleared when canceled.

7. Your Rights Under MHMDA

If you are a Washington consumer, you have the following rights with respect to your consumer health data:

  • Right to access. Confirm whether we are processing your consumer health data and obtain a copy.
  • Right to know recipients. Request a list of third parties and affiliates with whom we have shared your consumer health data.
  • Right to deletion. Request that we delete your consumer health data. Because we do not retain bill content, there is usually nothing left to delete; we will confirm the outcome of your request in writing.
  • Right to withdraw consent. Withdraw any consent you previously gave to processing.
  • Right to non-discrimination. We will not discriminate against you for exercising these rights.

To exercise any right, email privacy@medibillsaver.com with the subject line “MHMDA Request.” We will respond within 45 days. We may require reasonable verification of your identity (such as a match against the email on file with your purchase) before processing the request.

If we deny a request, you may appeal by replying to our denial. If your appeal is denied, you may file a complaint with the Washington Attorney General’s Office at atg.wa.gov/file-complaint.

8. Consent

We collect and process consumer health data only to deliver the service the consumer has requested by uploading a bill. By uploading a bill, you consent to the collection and processing described in this policy. You may withdraw consent at any time by emailing privacy@medibillsaver.com.

9. Security

We use TLS encryption for all data in transit. Encrypted analysis blobs use AES-256-GCM with per-analysis keys derived from a server-side secret. We do not maintain server-side copies of bill content or readable analysis content after delivery.

10. Breach Notification

If we discover unauthorized acquisition or disclosure of consumer health data, we will notify affected consumers without unreasonable delay and within the timeframes required by the FTC Health Breach Notification Rule (16 CFR Part 318), the Washington Data Breach Notification Law (RCW 19.255), and any other applicable state breach-notification laws.

11. Contact

Questions, requests, or complaints under this policy:

privacy@medibillsaver.com
LootCastPuff LLC
980 Broadway, #550
Thornwood, NY 10594