Privacy Policy
Effective Date: January 29, 2026
Last Updated: February 4, 2026
Apex Digital LLC ("we," "us," or "our") operates HSA Advantage at hsaadvantage.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
We also maintain a separate Consumer Health Data Privacy Policy that describes how we handle health-related data, as required by applicable state laws.
HSA Advantage is not a healthcare provider, health plan, or other entity covered by the Health Insurance Portability and Accountability Act (HIPAA). We provide consumer financial and record-keeping tools for tracking healthcare expenses and do not provide medical care or insurance services.
- Information We Collect
- How We Use Your Information
- Third-Party Services
- Google API Services Disclosure
- AI-Powered Receipt Processing
- Cookies and Session Data
- Data Storage and Security
- Data Retention
- Your Rights
- California Privacy Rights (CCPA/CPRA)
- Do Not Sell or Share My Personal Information
- Children's Privacy
- Changes to This Policy
- Contact Us
1. Information We Collect
Information You Provide Directly
| Category | Data | Purpose |
|---|---|---|
| Account Information | Email address, password (stored as a cryptographic hash), name (optional) | Account creation, authentication, communication |
| Receipt Metadata | Provider name, service date, amounts (total, insurance-covered, out-of-pocket), category (medical, dental, vision, prescription, mental health, equipment), patient name, service description, reimbursement status | Receipt tracking, unreimbursed balance calculation, tax year reporting |
| Email Subscription | Email address, marketing opt-in preference | Product updates and waitlist notifications |
| Payment Information | Billing name, email, payment method details (collected and processed by Stripe; we do not store card numbers) | Subscription billing |
Information Collected Automatically
| Category | Data | Purpose |
|---|---|---|
| Session Data | Session identifier, last activity timestamp | Maintaining your login state |
| Security Logs | IP address, login timestamps, failed login attempts | Brute force protection, account security |
| Audit Logs | User actions (receipt views, edits, exports), timestamps, IP address, user agent string | Compliance, security monitoring, data integrity |
| Page View Analytics | Pages visited, referrer origin (hostname only — e.g., "google.com," not the full URL) | Internal usage analytics to improve the Service |
Information from Third Parties
| Source | Data | Purpose |
|---|---|---|
| Google OAuth | Email address, name, profile picture URL (from your Google account) | Account creation and authentication via Google Sign-In |
| Google Drive | Drive file IDs, folder IDs, file names (we do not access or read files beyond what you explicitly upload through our Service) | Storing your receipt files on your own Google Drive |
2. How We Use Your Information
We use your information for the following purposes:
- Provide the Service: Store receipt metadata, track unreimbursed balances, calculate tax year totals, and compare health plan options.
- Receipt Processing: Extract data from receipt images using AI-powered optical character recognition (OCR). See Section 5 for details.
- Google Drive Integration: Upload, organize, and manage your receipt files in your personal Google Drive account.
- Account Management: Authenticate your identity, manage your subscription, and process payments.
- Security: Detect and prevent unauthorized access, fraud, and abuse through login monitoring, rate limiting, and audit logging.
- Communication: Send transactional emails (password resets, email verification) and, with your opt-in consent, product updates.
- Legal Compliance: Maintain audit logs and respond to lawful data requests.
We do not use your information to serve advertisements, build advertising profiles, or sell your data.
3. Third-Party Services
We share information with the following categories of third-party service providers, solely as needed to operate the Service:
| Service | Provider | Data Shared | Purpose |
|---|---|---|---|
| Authentication | Google (OAuth 2.0) | Email, name, profile picture | Account login via Google Sign-In |
| File Storage | Google (Drive API) | Receipt files, folder structure | Storing receipt files on your own Google Drive |
| AI Processing | Anthropic (Claude API) | Receipt images/PDFs (file content only; no user identity is transmitted) | Extracting text and data from receipt images |
| Payments | Stripe | Email, name, billing address, payment method, transaction details | Subscription billing and payment processing |
| Email Delivery | Email service provider (e.g., Resend or SendGrid) | Email address, message content | Transactional and marketing emails |
| Infrastructure | Cloud hosting provider | All data necessary to run the Service | Application hosting, database hosting |
All third parties that process personal information or consumer health data on our behalf act as service providers or processors. They are contractually restricted from using the data for advertising, profiling, or other commercial purposes unrelated to providing, securing, and supporting the Service.
We do not sell, rent, or share your personal information with data brokers, advertisers, or any third parties for their own marketing purposes.
Stripe Privacy Notice
Stripe collects and processes payment information under its own privacy policy. Stripe may collect device identifiers, browser data, and IP addresses through its embedded payment forms (Stripe.js). We do not have access to your full card number. For details, see Stripe's Privacy Policy.
4. Google API Services Disclosure
HSA Advantage uses Google APIs to provide authentication (Google Sign-In) and file storage (Google Drive). Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
What We Access
- Google Sign-In: Your email address, name, and profile picture (scopes: openid, email, profile).
- Google Drive: Only files created or opened by HSA Advantage in your Drive (scope: drive.file). We create an "HSA Receipts" folder and manage receipt files within it.
Limited Use Compliance
We will not:
- Transfer Google user data to third parties, except as necessary to provide the Service, comply with law, or as part of a merger/acquisition with equivalent data protections.
- Use Google user data for serving advertisements.
- Use Google user data to determine creditworthiness or for lending purposes.
- Allow humans to read your Google Drive data, unless you give affirmative consent, it is necessary for security or legal reasons, or the data is aggregated and anonymized.
How We Store Google Data
We store Google OAuth access tokens and refresh tokens in our encrypted database to maintain your Drive connection. These tokens are used solely to manage your receipt files on your behalf. You can disconnect Google Drive at any time from Settings, which revokes our access and deletes stored tokens.
5. AI-Powered Receipt Processing
When you upload a receipt, we use Anthropic's Claude Vision API to extract text and structured data from the image or PDF. Here is how that works:
- What is sent: The receipt image or PDF file content only. We do not send your name, email, account information, or any other identifying data to Anthropic.
- What is returned: Structured data (provider name, dates, amounts, category) and confidence scores for each extracted field.
- Training: Data sent through the Anthropic API is not used to train AI models, per Anthropic's API data usage policy.
- Retention by Anthropic: Anthropic retains API inputs and outputs for a limited period (currently up to 7 days) for trust and safety purposes, after which the data is deleted.
- Processing location: Anthropic processes data in the United States.
7. Data Storage and Security
Where Your Data Lives
- Receipt metadata (extracted text, amounts, dates) is stored in our PostgreSQL database.
- Receipt files (images, PDFs) are stored on your personal Google Drive. We do not store copies of your receipt files on our servers.
- Passwords are stored as bcrypt hashes (12 salt rounds, OWASP-recommended). We never store plaintext passwords.
Security Measures
- HTTPS encryption for all data in transit
- HTTP security headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options)
- CSRF (Cross-Site Request Forgery) protection on all form submissions
- Rate limiting on API endpoints and login attempts
- Brute force protection: automatic account lockout after repeated failed login attempts
- Session security: HTTP-only cookies, secure flag, idle timeout, session regeneration on login
- Verification tokens (email verification, password reset) are SHA-256 hashed before storage
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account |
| Receipt metadata | Until you delete the receipt or your account |
| Receipt files (on Google Drive) | Controlled by you on your Google Drive |
| Audit logs | 6 years (for compliance and regulatory purposes) |
| Page view analytics | 90 days |
| Login attempt logs | 7 days |
| Session data | 30 days maximum (shorter if idle for 24 hours) |
| Email verification tokens | 24 hours |
| Password reset tokens | 1 hour |
| Email subscriber data | Until you unsubscribe or request deletion |
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete information.
- Deletion: Request that we delete your personal information. Deleting your account removes your data from our database. Receipt files on your Google Drive are yours to manage. Audit logs are anonymized but retained for compliance.
- Portability: Export your receipt data in CSV or JSON format from the Service.
- Opt-Out: Withdraw consent for marketing communications at any time.
- Non-Discrimination: We will not treat you differently for exercising your privacy rights.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or the timeframe required by applicable law). We may need to verify your identity before processing your request.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to legal retention requirements.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as those terms are defined under the CCPA/CPRA.
- Right to Limit Use of Sensitive Personal Information: We process health-related receipt data solely to provide the Service. We do not use it for purposes beyond what is necessary.
To submit a verifiable consumer request, contact us at [email protected].
11. Do Not Sell or Share My Personal Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. This applies to all users, including California residents.
12. Children's Privacy
HSA Advantage is not directed to, and is not intended for use by, individuals under the age of 16. We do not knowingly collect personal information from individuals under 16. If we learn that a user under 16 has provided us with personal information, we will promptly delete that information and terminate the account.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify registered users by email if the changes significantly affect how we handle personal information.
- Provide prominent notice on the Service (such as a banner) for 30 days following material changes.
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
Apex Digital LLC
Email: [email protected]