Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 10, 2026

1. Introduction

PioneerQ LLC ("BillRazor," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the BillRazor platform and related services. This policy applies to all users of BillRazor, including consumers who upload medical bills for analysis and dispute assistance.

2. Information We Collect

2.1 Account Information

  • Email address (encrypted at rest using AES-256)
  • Phone number (encrypted at rest using AES-256, optional)
  • Password (hashed with Argon2id, never stored in plaintext)
  • ZIP code (for regional pricing comparisons)

2.2 Billing Information

  • Bill images and PDFs (temporarily stored during processing, encrypted at rest)
  • Extracted billing codes (CPT/HCPCS codes) and amounts (structured data)
  • Provider names, NPI numbers, and dates of service
  • Insurance Explanation of Benefits data, if provided

2.3 Payment Information

  • Payment method details are processed by a PCI-DSS Level 1 compliant payment processor and are never stored on BillRazor servers. We retain only a customer ID and payment method token.

2.4 What We Do NOT Collect

  • Patient names are processed transiently during OCR but are not permanently stored in structured form
  • Date of birth
  • Social Security numbers
  • Full medical records, clinical notes, or diagnosis information (beyond what appears on billing documents)

3. How We Use Your Information

  • Bill scanning and error detection: Analyzing your bill against federal pricing benchmarks, national billing rules, drug pricing databases, and hospital price transparency data
  • Dispute filing and communication: Generating dispute letters and sending correspondence to healthcare providers on your behalf
  • Payment processing: Charging fees upon confirmed bill reductions
  • De-identified analytics: Creating aggregate, de-identified datasets for research, benchmarking, product improvement, and commercial data products
  • Account management: Authenticating your identity, communicating about your cases, and providing customer support

4. De-Identified Data

BillRazor creates de-identified datasets from billing information in strict compliance with the HIPAA Safe Harbor method as defined in 45 CFR §164.514(b). Under the Safe Harbor method, all 18 categories of identifiers specified by HIPAA are removed, including names, geographic subdivisions smaller than a state, dates (except year), phone numbers, email addresses, Social Security numbers, medical record numbers, and all other unique identifying numbers.

De-identified data cannot reasonably be used to identify any individual. BillRazor does not attempt to re-identify de-identified data and contractually prohibits downstream recipients from doing so. De-identified data may be retained indefinitely and used for research, analytics, benchmarking, and commercial purposes.

5. Data Retention

  • Active case data: Retained during the active dispute period. Upon case closure, personally identifiable billing data is purged in accordance with our data deletion procedures.
  • Authorization records: Signed HIPAA authorizations, service agreements, and related legal documents are retained for 6 years from the date of last activity, as required for regulatory compliance.
  • De-identified analytics data: Retained indefinitely. This data contains no personal identifiers.
  • Account data: Retained while your account is active. Upon account deletion, personal data is removed within 30 days, except as required by law.

6. Your Rights

You have the right to:

  • Access a copy of the personal information we hold about you
  • Request deletion of your personal information
  • Request correction of inaccurate information
  • Withdraw consent for data processing (where consent is the legal basis)
  • Receive your data in a portable format

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

7. Third-Party Service Providers

We share information with the following categories of service providers, all of which are covered by Business Associate Agreements (BAAs) where required by HIPAA:

  • Cloud infrastructure: Encrypted storage, document processing, and database hosting. Covered by BAA.
  • Communication services: Dispute letter delivery and provider correspondence. HIPAA-eligible services with BAA.
  • Payment processing: PCI-DSS Level 1 compliant. No protected health information (PHI) is stored with our payment processor.

We do not sell your personal information to third parties. We do not share your identifiable information with third parties for their marketing purposes.

8. Cookies and Tracking

BillRazor uses only essential cookies necessary for the functioning of the Service:

  • Session cookies to maintain your authenticated session
  • Authentication tokens stored in local storage for API access

We do not use advertising cookies, third-party tracking pixels, or analytics services that track individual users across websites.

9. Children's Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will promptly delete such information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at the address associated with your account or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Security

We implement industry-standard security measures to protect your information, including:

  • AES-256 encryption at rest for all sensitive data
  • TLS 1.2+ encryption for all data in transit
  • Role-based access controls with minimum necessary access
  • Immutable audit logs for all access to protected health information
  • Automatic session timeouts after 15 minutes of inactivity

For more information about our HIPAA compliance practices, see our HIPAA Notice.

12. Contact Information

If you have questions or concerns about this Privacy Policy, please contact us:

PioneerQ LLC

Email: [email protected]

Website: billrazor.com