Privacy Policy
Last updated: April 21, 2026
The Short Version
- We don't store your medical bills. They're sent to our AI provider for analysis and then discarded.
- Our AI provider (Google Gemini, paid tier) is contractually prohibited from using your inputs to train models.
- Your full report is returned encrypted to your browser. We release the decryption key only after your payment is confirmed, and we don't keep a readable copy on our servers.
- All traffic is encrypted in transit (TLS).
- We don't sell your data. Ever.
1. What We Collect
Bill files you upload. Forwarded to Google Gemini (paid API tier) over a TLS-encrypted connection for analysis. We process your bill in memory only — we don't write it to disk, to a database, or to long-term storage, and we don't forward it anywhere else.
Analysis results. The structured AI output (summary, itemized charges, dispute letter, and so on) is returned to your browser. The free preliminary audit (summary and totals) is in plaintext; the full report is encrypted with a per-analysis key that we derive from a server-side secret. We release that key to your browser only after confirming your payment (or that you hold an active subscription). We do not persist a readable copy of your report on our servers.
Subscription access state. If you purchase a Family Plan or Pro Plan, we keep a numeric remaining-uses counter in our Upstash Redis store, keyed to your Stripe customer ID. The counter resets each billing cycle and is cleared when the subscription is canceled. This counter contains no bill or report content — just a number.
Email-a-letter (subscribers only). If you click “Email this letter” on your results, the letter text passes through our server once (to our email provider, Resend, and on to the recipient inbox you specify). We do not save a copy of the letter on our servers. Logs record only the fact that a send happened, plus error class names if one fails — never the letter contents.
Payment data. Payments are handled by Stripe. We do not receive or store your card number. We receive a confirmation that a session was paid, plus a reference ID tied to your analysis.
Basic usage data. Standard web-server logs (IP, user agent, timestamps, route paths) and aggregate analytics. We do not log bill contents, AI prompts, or AI responses.
2. How We Use It
- To deliver the analysis and dispute letter back to you.
- To process your payment and unlock the full report.
- To detect and prevent abuse or fraud.
- To improve the product (in aggregate, never using bill contents).
3. Third Parties We Use
- Google Gemini (paid API) — AI analysis. Input is not used to train models (per Google's paid-tier terms). Google retains request data only briefly for abuse monitoring as described in their service terms.
- Stripe — payment processing. Governed by Stripe's privacy policy.
- Upstash (managed Redis) — stores rate-limit counters and, for active subscribers, a numeric remaining-uses counter keyed to a Stripe customer ID. No bill or report content.
- Vercel — hosting and edge network for this website.
4. HIPAA
MediBill Saver operates as a consumer self-help tool. When you upload your own bill as an individual, you are not acting as a HIPAA-covered entity and the upload is not a HIPAA-regulated disclosure from your perspective. We are not a covered entity and do not represent ourselves as one. We implement strong privacy practices (TLS-encrypted transit, no server-side storage of bill contents, no-training contractual terms with our AI provider) regardless of HIPAA applicability.
5. Your Rights
Your analyses live in your browser's local storage — you can delete them at any time by clearing site data for this domain. Your Stripe customer record and payment history are retained per our payment processor's requirements. Subscription remaining-uses counters are cleared when the subscription is canceled or ends. You may contact us to request account deletion, data export, or to ask what we have on file:
6. Children
The Service is not intended for users under 18. Do not upload bills on behalf of minors without parental consent, and do not use the Service if you are under 18.
7. Changes
We may update this policy. Material changes will be reflected on this page with a new "Last updated" date.
8. Contact
Privacy questions? Email privacy@medibillsaver.com.