Consumer Health Data Privacy Policy

Effective Date: January 29, 2026

Last Updated: January 29, 2026

This Consumer Health Data Privacy Policy supplements our Privacy Policy and describes how Apex Digital LLC ("we," "us," or "our") collects, uses, and shares consumer health data through HSA Advantage at hsaadvantage.com (the "Service").

This policy is provided in accordance with the Washington My Health My Data Act (RCW 19.373) and other applicable state health data privacy laws.

1. What Is Consumer Health Data

Consumer health data is personal information that identifies or could reasonably be used to identify a consumer and that relates to their physical or mental health. In the context of HSA Advantage, this includes information extracted from your medical, dental, vision, prescription, and mental health receipts and Explanations of Benefits (EOBs).

Important: HSA Advantage is not a healthcare provider, health plan, or other entity covered by the Health Insurance Portability and Accountability Act (HIPAA). We are a consumer financial tool that helps you track healthcare expenses for tax and reimbursement purposes.

2. Health Data We Collect

Through the Service, we collect the following categories of consumer health data:

Category Examples
Healthcare provider information Provider name, facility name
Service descriptions Description of medical, dental, vision, prescription, or mental health services received
Service dates Date healthcare services were provided
Financial amounts Total billed amount, insurance-covered amount, out-of-pocket (HSA-eligible) amount
Service category Medical, Dental, Vision, Prescription, Mental Health, Equipment
Patient name Name of the person who received healthcare services (may include dependents)

This data is extracted from receipt images and documents that you choose to upload to the Service. We do not collect consumer health data from data brokers, advertisers, healthcare providers, insurers, or other third-party sources. The primary source of consumer health data is the documents you choose to upload to the Service. We do not collect precise geolocation data or health data derived from location tracking technologies.

3. Sources of Health Data

All consumer health data comes from a single source:

  • Directly from you: When you upload a medical receipt or EOB document to the Service, our AI-powered OCR system extracts structured data from the document. You control which documents to upload and can review, edit, or delete the extracted data at any time.

We do not collect health data from healthcare providers, insurers, pharmacies, data brokers, or any other third-party source.

4. Purposes for Collecting Health Data

We collect and process consumer health data solely for the following purposes:

  • Receipt tracking: Storing and organizing your healthcare expense metadata so you can track unreimbursed HSA-eligible expenses.
  • Tax reporting: Calculating tax-year totals for HSA-eligible expenses and providing export tools for tax preparation.
  • Reimbursement management: Tracking which expenses have been reimbursed from your HSA and which remain eligible for future reimbursement.
  • Data extraction: Using AI-powered OCR to extract text and structured data from receipt images, reducing manual data entry.
  • Service improvement: Improving OCR accuracy and the user experience (using aggregated, de-identified data only).

We do not use your health data for advertising, marketing profiling, or any purpose unrelated to the Service.

5. How We Share Health Data

We share consumer health data only with the following third parties, and only as necessary to provide the Service:

Third Party Data Shared Purpose
Anthropic (Claude Vision API) Receipt image/PDF file content (no user identity) AI-powered text extraction (OCR). Anthropic retains API inputs and outputs for a limited period (currently up to 7 days) for trust and safety purposes, after which the data is deleted. API data is not used to train AI models.
Google (Drive API) Receipt files (uploaded to your own Google Drive) File storage on your personal Drive. Your files remain under your Google account's access controls.
Cloud hosting provider Receipt metadata in the database Application and database hosting.

All third parties that process personal information or consumer health data on our behalf act as service providers or processors. They are contractually restricted from using the data for advertising, profiling, or other commercial purposes unrelated to providing, securing, and supporting the Service.

We do not share consumer health data with:

  • Advertisers or ad networks
  • Data brokers
  • Employers
  • Insurance companies
  • Any other third party for their own purposes

6. Sale of Health Data

We do not sell consumer health data. We have never sold consumer health data and have no plans to do so. This includes any exchange of health data for monetary or other valuable consideration.

8. Your Rights Over Your Health Data

You have the following rights regarding your consumer health data:

  • Right to Confirm: You may ask us to confirm whether we are collecting or sharing your consumer health data.
  • Right to Access: You may request a copy of the consumer health data we hold about you. You can also access this data directly in the Service (receipt detail pages, export features).
  • Right to Delete: You may request that we delete your consumer health data. You can delete individual receipts through the Service, or request full account deletion.
  • Right to Withdraw Consent: You may withdraw consent for the collection and sharing of your consumer health data at any time.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

How to Exercise Your Rights

You can exercise most of these rights directly within the Service (viewing, editing, deleting receipts; exporting data; disconnecting Google Drive). For formal requests or account deletion, contact us at [email protected].

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

Appeal Process

If we deny your request, we will provide a written explanation. You may appeal by responding to that explanation within 30 days. If your appeal is denied, we will provide information about how to file a complaint with your state's attorney general.

9. How We Protect Your Health Data

We implement the following safeguards to protect consumer health data:

  • Privacy-first architecture: Your actual receipt files are stored on your personal Google Drive, not on our servers. We store only extracted metadata.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted via HTTPS/TLS.
  • Access controls: Receipt data is isolated per user. Each database query is scoped to the authenticated user's ID, preventing cross-user data access.
  • Audit logging: All access to receipt data is logged with timestamps, user identity, and action type for compliance monitoring.
  • Minimal AI data exposure: When processing receipts through AI, we send only the file content — no user identity, account information, or other metadata.
  • Session security: HTTP-only, Secure, SameSite cookies; idle timeout; session regeneration on login.

10. Retention of Health Data

Data Retention Period
Receipt metadata (extracted health data) Until you delete the receipt or your account
Receipt files on Google Drive Controlled by you; we delete our reference when you delete a receipt
Audit logs (anonymized after account deletion) 6 years for compliance purposes
AI processing (Anthropic retention) Up to 7 days, then automatically deleted by Anthropic

11. Contact Us

If you have questions about this Consumer Health Data Privacy Policy or wish to exercise your rights, contact us at:

Apex Digital LLC
Email: [email protected]