Privacy Policy
Last updated: 2026-04-14T00:00:00.000Z
eobee - Privacy Policy
Draft pending legal review. This policy accurately describes our current data handling, but has not yet been reviewed by a qualified privacy attorney. Accuracy is our priority; a lawyer review is tracked in issue #9 and any material changes will appear in the revision log below.
Last updated: April 14, 2026
What we collect
- Account metadata: email address, display name (optional), auth provider identifier.
- Health insurance documents you upload: insurance card images (deleted after extraction), policy PDFs, explanation-of-benefit (EOB) images or PDFs.
- Audio recordings of visits and phone calls you make inside the app (deleted after transcription).
- Structured data we extract from your uploads: plan deductibles, copays, EOB line items, claim audit reports, fight-case steps.
- Conversation history with the policy and claim chat features.
Why we collect it
All collection is to deliver features you initiated: summarize your plan, audit a specific claim, draft a fight message. eobee never sells your health data and does not share it with third parties except the service providers listed below.
Third-party processors
- Google Cloud Platform (Firestore, Cloud Storage, Cloud Functions, Firebase Auth) - hosts the application.
- Google Gemini Developer API - large-language-model inference. Requests are transmitted for processing; per Google’s Gemini API terms, prompts and responses are not used to train models when delivered via the paid Developer API tier.
We do not run advertising, do not share data with marketers, and do not sell any data derived from your records.
Your rights
- Request a copy of your data (Settings → “Download my data” - not yet implemented).
- Delete your account (Settings → Delete account). This purges your Firestore data, Storage uploads, and Firebase Auth user.
- California residents: CCPA / CPRA rights apply. Contact us to exercise them.
- Washington residents: My Health My Data Act rights apply, including a private right of action.
Retention
- Insurance card images: deleted after extraction (minutes).
- Raw audio: deleted after transcription (minutes).
- Policy PDFs: retained while your account is active; cleared on account deletion.
- EOB PDFs / images: retained for 30 days by default; per-user retention controls are planned.
- Extracted structured data and audit logs: retained while your account is active.
Security
See docs/COMPLIANCE.md in the source repo for the full technical
controls. In short:
- TLS 1.2+ in transit
- Provider-side encryption at rest (Google Cloud)
- Per-user isolation in Firestore security rules and Cloud Storage rules - you can only read / write your own documents
- No PHI written to application logs
- Audit-event trail on every sensitive-data write
Contact
- General questions: marcus.salinas@jippylong12.xyz
- Security issues (responsible disclosure): marcus.salinas@jippylong12.xyz
Revision log
- v0 - 2026-04-14 - Initial draft. Substantively accurate, pending qualified-attorney review (issue #9). Ships with a visible banner noting the review status.