Privacy Policy - Bill Shield

Privacy Policy

Last Updated: November 2, 2025

This Privacy Policy describes how Y CORP, Inc. (“Y CORP,” “we,” “us,” or “our”) collects, uses, discloses, and protects information about you when you use the Bill Shield mobile application, website, and related services (collectively, the “Service”).

By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

This Privacy Policy is incorporated into our Terms and Conditions.

1. Who We Are & What We Do

Bill Shield is a consumer service that helps users:

  • Upload medical bills, insurance cards, and related documents;
  • Use AI-assisted tools to analyze those bills and identify potential billing/insurance errors; and
  • Generate and, with your authorization, submit appeals or disputes to insurers and providers on your behalf via fax, mail, or other channels.

To do this, we necessarily process sensitive information, including Protected Health Information (“PHI”) under U.S. law. We take that responsibility seriously and implement safeguards described below.

2. Information We Collect

We collect information in three main ways:

  • Information you provide directly
  • Information collected automatically
  • Information received from third parties

2.1 Information You Provide Directly

When you use Bill Shield, you may provide:

Account & Contact Information
  • Name
  • Email address
  • Phone number
  • Mailing address
  • Authentication information (depending on login method, e.g., email for magic link)
Medical Billing & Insurance Information (PHI)
  • Images/PDFs of medical bills, statements, and itemized charges
  • Images of insurance cards (front/back) and other plan documents
  • Explanation of Benefits (EOBs)
  • Claim numbers, account numbers, and billing reference numbers
  • Dates of service, provider names, facility names, and locations
  • Diagnostic (ICD) codes, procedure (CPT/HCPCS) codes, and other medical billing codes
  • Information about amounts billed, paid, adjusted, and owed
Demographic & Identity Information
  • Date of birth
  • Patient’s name (if different from subscriber)
  • Relationship to patient (self, spouse, child, etc.)
Appeal & Authorization Information
  • Authorized Representative forms (AOR)
  • HIPAA authorization forms
  • ESIGN consent
  • Any additional statements or explanations you provide in connection with a dispute
Payment & Subscription Information
  • Subscription plan and status
  • Limited payment details (handled primarily by third-party payment processors or app stores)
Support & Communication
  • Messages and emails you send to us
  • Feedback, feature requests, or survey responses

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Device information (device model, OS version, app version)
  • Log data (IP address, access times, pages/screens viewed, crash logs)
  • Analytics data (how you interact with features; approximate location based on IP)

We typically collect this using cookies, SDKs, and similar technologies.

2.3 Information from Third Parties

We may receive information about you from:

  • Virtual mailbox providers that receive and scan mail sent to Bill Shield on your behalf (e.g., insurer letters, requests for information (“RFIs”), decisions)
  • Fax or mail APIs that handle inbound/outbound communications for your cases
  • Insurers or providers, when they send responses or records to us as your authorized representative
  • App stores (Apple App Store, Google Play) related to purchases and subscriptions

3. How We Use Your Information

We use information for the following purposes:

3.1 To Provide and Operate the Service

  • Create and manage your account
  • Process and analyze uploaded bills, insurance cards, and EOBs
  • Use AI and OCR tools to extract, structure, and review billing data
  • Identify potential billing/insurance errors and estimate potential savings
  • Generate appeal, grievance, or dispute documents (“Packets”)
  • With your authorization, submit those Packets to insurers or providers and track responses
  • Provide customer support and respond to your requests

3.2 To Communicate with You

  • Send service-related notifications (e.g., claim status updates, requests for information (RFIs) from insurers or providers, appeal decisions)
  • Send security alerts (suspicious login, changes to your account)
  • Respond to support inquiries
  • Provide updates about new features, changes, or promotions (you can opt out of certain marketing communications)

3.3 To Maintain Security and Prevent Abuse

  • Detect and prevent fraud or misuse of the Service
  • Protect the security and integrity of our systems and users’ data
  • Enforce our Terms and Conditions

3.4 To Improve and Develop the Service

  • Analyze usage patterns to understand how users interact with features
  • Debug, troubleshoot, and optimize performance
  • Train internal models and heuristics (using de-identified and/or aggregated data whenever possible so it no longer reasonably identifies an individual)

3.5 To Comply with Legal Obligations

  • Maintain records required under HIPAA and other laws
  • Respond to lawful requests from regulators or law enforcement
  • Satisfy tax, accounting, audit, and corporate compliance requirements

We do not sell your PHI or personal information in the traditional sense of selling consumer data to brokers.

4. Legal Bases (If You Are in a Privacy-Regulated State or Jurisdiction)

Where applicable (e.g., under CCPA/CPRA or similar laws), we may rely on:

  • Your consent (e.g., for certain authorizations and electronic signatures)
  • Performance of a contract (providing the Service you requested)
  • Legitimate interests (improving and securing the Service, preventing fraud)
  • Compliance with legal obligations (HIPAA, breach notification, etc.)

5. How We Share Your Information

We may share your information with:

5.1 Insurers, Providers, and Billing Entities (With Your Authorization)

When you authorize us to act as your representative, we may share PHI and related information with:

  • Health insurance companies and health plans
  • Hospitals, clinics, physicians, and other providers
  • Revenue cycle / billing companies working for providers

We share only what is reasonably necessary to pursue your appeal, dispute, or request (e.g., bill copies, appeal letter, AOR/HIPAA forms, insurance card, relevant medical/billing details).

5.2 Service Providers & Subprocessors

We use trusted third parties to help us operate the Service, such as:

  • Cloud hosting providers (e.g., Microsoft Azure)
  • AI/ML service providers (e.g., Azure OpenAI Service)
  • Fax & mail APIs (e.g., providers that send faxes and letters to insurers and providers)
  • Virtual mailbox providers (that receive, scan, and forward mail sent to us on your behalf)
  • Payment processors and subscription billing platforms
  • Analytics services (for app usage & performance)
  • Customer support tools and communication platforms

These providers are contractually required to protect your information and may only use it to provide services to us. Where PHI is involved, we enter into Business Associate Agreements (BAAs) as required by HIPAA.

5.3 Business Transfers

If Y CORP is involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction, subject to confidentiality obligations and applicable law.

5.4 Legal and Safety

We may disclose information if we believe in good faith that such disclosure is reasonably necessary to:

  • Comply with applicable laws, regulations, or legal process
  • Respond to valid requests by government or law enforcement
  • Protect the rights, property, or safety of Y CORP, our users, or the public
  • Investigate and mitigate fraudulent or malicious activity

6. Cookies, SDKs, and Tracking Technologies

We and our service providers may use cookies, mobile SDKs, and similar technologies to:

  • Remember your preferences
  • Keep you logged in
  • Measure app usage and performance
  • Diagnose technical issues

On mobile, you can often control certain tracking permissions through your device settings. Some features may not function properly without certain cookies or SDKs.

7. Data Retention

We retain your information for as long as reasonably necessary to:

  • Provide the Service and manage your account
  • Maintain accurate records of appeals and communications carried out on your behalf
  • Comply with legal, regulatory, and contractual obligations (including HIPAA record-retention rules)
  • Resolve disputes and enforce our agreements

When information is no longer needed, we may delete it or anonymize it so it can no longer reasonably identify you.

If you request deletion of your account, we will delete or de-identify your information subject to:

  • Our need to retain certain records for legal compliance; and
  • Our obligations under BAAs and HIPAA.

8. Data Security

We implement a combination of administrative, technical, and physical safeguards designed to protect your information, including:

  • Encryption of data in transit using TLS
  • Encryption of data at rest where appropriate
  • Role-based access controls and least-privilege principles
  • Audit logs for administrative access to PHI
  • Employee training on privacy and security practices

Despite our efforts, no system can be completely secure. We cannot guarantee absolute security of information transmitted to or stored by the Service.

If we discover a breach of unsecured PHI, we will notify affected individuals and relevant authorities as required by HIPAA and other applicable laws.

9. Your Choices & Rights

Depending on your location and applicable law, you may have certain rights regarding your information.

9.1 Account-Level Controls

Within the app, you may:

  • Update certain profile details
  • Upload or remove certain documents
  • Adjust notification preferences
  • Cancel your subscription (subject to app store rules)
  • Request account deletion

9.2 HIPAA-Related Rights (Where Applicable)

If Y CORP acts as a Business Associate of a HIPAA-covered entity for your data, your HIPAA rights (access, amendment, etc.) are generally exercised through your healthcare provider or health plan. However, to the extent Y CORP holds PHI directly for you as a consumer, you may:

  • Request access to your PHI processed by the Service
  • Request corrections of inaccurate PHI we maintain
  • Request that we provide an accounting of certain disclosures of your PHI

We may require verification of your identity before responding. Some requests may be directed to or coordinated with your insurer or provider.

9.3 Rights Under State Privacy Laws (e.g., CCPA/CPRA)

If you are a resident of a state with a comprehensive privacy law (such as California), you may have additional rights, such as:

  • The right to know what personal information we collect and how we use it
  • The right to request deletion of your personal information (subject to legal exceptions)
  • The right to correct inaccurate information
  • The right to limit certain uses of sensitive personal information
  • The right to non-discrimination for exercising your privacy rights

To submit a request, contact us at privacy@billshield.app and indicate that your request relates to state privacy rights. We may ask you to verify your identity before processing the request.

We do not sell your personal information as that term is traditionally defined under such laws.

10. Children’s Privacy

The Service is not intended for children under 13 and we do not knowingly collect personal information directly from children under 13. Parents or legal guardians may submit information about a child as part of a medical bill or plan, but the account holder must be an adult.

If you believe we have collected information directly from a child under 13, please contact us at privacy@billshield.app and we will take appropriate steps to delete such information.

11. International Users

Bill Shield is intended for use by individuals located in the United States in connection with U.S. healthcare bills and insurance. If you access the Service from outside the U.S., you understand that your information may be processed and stored in the United States and other countries that may have different data protection laws than your country of residence.

12. Third-Party Links and Services

The Service may contain links to third-party websites, apps, or services that are not operated by Y CORP. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you interact with.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top and, where required, provide additional notice (e.g., in-app or by email).

Your continued use of the Service after any changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Service.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, you may contact us at: