Security & Privacy
Trust & Security
Last updated: April 29, 2026
The Short Version
- Bills are processed in memory, never written to disk or database on our servers.
- Reports are AES-256-GCM encrypted with a per-analysis key before they leave our server. The key is released only after verified payment or active subscription auth.
- Our AI provider (Google Gemini, paid tier) is contractually prohibited from using your inputs to train models.
- We never see or store credit card numbers — Stripe handles every payment.
- Vulnerability reports go to security@medibillsaver.com. See /.well-known/security.txt for the full RFC 9116 disclosure record.
Encryption
In transit: TLS 1.2+ everywhere. HSTS is preload-eligible (max-age 2 years, includeSubDomains, preload). Browsers will refuse to connect over plain HTTP after the first visit.
At rest (analysis blobs): Each completed analysis is encrypted with AES-256-GCM using a unique per-analysis key derived server-side. The encrypted payload is sent to your browser; the decryption key is held separately and only released to your browser after Stripe confirms payment (one-time tier) or after subscription cookie verification (Family/Pro). We never persist the readable analysis on our servers.
At rest (subscription state): A small numeric counter (remaining bills this cycle) is stored in Upstash Redis keyed to your Stripe customer ID. The counter resets each billing cycle and clears on cancellation. Subscription cookies are HMAC-SHA-256 signed with a server-only secret — they can't be forged.
No-Storage Architecture
Your uploaded bill is read into memory, sent to Google Gemini for analysis, and discarded. The bytes never touch our disk or database. The only artifact we keep server-side is a SHA-256 fingerprint of the bill (no PHI, just a hash) used to detect refund-cycle abuse — that's it.
The full report your browser displays comes from the encrypted blob plus the decryption key, both delivered fresh from the analyze endpoint. If you close the tab without saving the report, it's gone — neither we nor an attacker breaching our infrastructure can reconstruct it.
AI Processor Disclosure
We use Google Gemini 2.5 Flash (paid tier) for bill analysis. The paid tier is contractually no-train: per Google's Generative AI terms, paid-tier inputs are not used to improve, train, or fine-tune Google's models, and are retained only briefly for abuse-monitoring purposes.
We do not use Gemini's free tier (which has different terms), and we do not send bill content to any other third-party AI service.
Subprocessors
Every external service we use, what it receives, and why:
| Processor | Receives | Purpose |
|---|---|---|
| Google Gemini | Bill image / PDF | AI analysis, paid tier no-train |
| Stripe | Email, payment method (card data goes directly to Stripe, not us) | Payments, subscriptions, affiliate payouts |
| Vercel | Request metadata, IP | App hosting and edge delivery |
| Upstash Redis | Hashed IP, Stripe customer ID, numeric counters | Rate limiting, subscription state |
| Neon Postgres | Affiliate emails, ref codes, conversion ledger, bill SHA-256 hashes | Affiliate program, refund-abuse detection |
| Resend | Recipient email, message body | Receipts, recovery links, letter delivery |
| Cloudflare Turnstile | Bot-detection challenge | CAPTCHA on free upload |
| Sentry | Error class names, stack metadata | Error monitoring (no bill content captured) |
| Plausible & Vercel Analytics | Page path, country (no cookies, no fingerprint) | Privacy-preserving traffic analytics |
Bot & Abuse Protection
- Cloudflare Turnstile on free uploads — invisible CAPTCHA that catches automated submissions without disrupting humans.
- Per-IP rate limiting on every paid endpoint via Upstash Redis.
- SHA-256 bill dedup pauses checkout when the same bill is processed 3+ times in 30 days, preventing refund-cycle abuse.
- Stripe Radar rules block suspicious card and email patterns at the payment processor.
Compliance Posture
- HIPAA: not a covered entity, business associate, or subcontractor. The patient is the data subject and consents to the processing they request. See Terms §8.
- CCPA / CPRA: Sensitive Personal Information handled per Cal. Civ. Code §1798.140(ae).
- Washington MHMDA: Consumer health data policy at /consumer-health-privacy. GPC signal honored on every page.
- FTC Health Breach Notification Rule: 16 CFR Part 318 acknowledged in Privacy Policy.
- CARL / California auto-renewal: Bus. & Prof. Code §17602 compliant — express affirmative consent captured at checkout, one-click cancel via Stripe Customer Portal.
Vulnerability Disclosure
If you find a security issue, please email security@medibillsaver.com. The full disclosure record is at /.well-known/security.txt (RFC 9116 format).
We aim to acknowledge reports within 48 hours and have a fix deployed within 7 days for critical issues. We don't run a paid bug-bounty program at this time, but we'll credit researchers who follow responsible-disclosure practice.
Most Recent External Review
External read-only security audit completed April 28, 2026 — covering HTTP headers, static-bundle scanning, API endpoint behavior, robots/sitemap hygiene, common-path probing, and full review of all legal documents. No exposed credentials, source-map leaks, or open admin paths found. All identified findings (legal copy errors, marketing-claim hedging, hygiene items) shipped within 24 hours.
Related Pages
- Privacy Policy — what data we collect, how long we keep it, your rights.
- Consumer Health Data Privacy — Washington MHMDA-specific disclosures.
- Cookies — every cookie we set and why.
- Methodology — the four federal data sources we audit bills against.
- Terms of Service — refund policy, limitation of liability, dispute resolution.