Security & Privacy
We believe transparency builds trust. Here's exactly how we protect your data and what we do (and don't) store.
Privacy-by-Design Architecture
FairVisitHealth is designed to minimize data collection. We help you search for prices and generate negotiation templates—we never store your medical records, diagnoses, or insurance information. We apply strong security controls (encryption, access controls, audit logs) and follow industry best practices for consumer health applications.
Security Practices
How we protect your data at every layer
TLS Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.3.
AES-256 Encryption at Rest
Sensitive data stored in our database is encrypted using AES-256 encryption.
SOC 2 Controls in Progress
We are actively implementing SOC 2 Type II security controls and working toward certification.
Access Controls
Role-based access control (RBAC) limits employee access to production data on a need-to-know basis.
Audit Logging
All access to sensitive data is logged and monitored. Logs are retained for 90 days.
Incident Response
We maintain a documented incident response plan with 24-hour notification for security events.
Data We Collect
Exactly what we store, what we don't, and for how long
Account Information
- Email address
- Name (optional)
- ZIP code
- Subscription status
- Social Security Number
- Insurance ID
- Medical records
Until account deletion + 30 days
Search Activity
- Search queries
- Providers viewed
- Price comparisons run
- Health conditions
- Diagnoses
- Treatment history
12 months (anonymized after 90 days)
Generated Documents
- Negotiation letters
- Saved reports
- Case files
- Actual medical bills
- Insurance EOBs
- PHI
Until user deletes or account closure
Payment Information
- Stripe customer ID
- Last 4 digits of card
- Billing address
- Full card numbers
- CVV
- Bank account details
Managed by Stripe (PCI compliant)
Subprocessors
Third-party services that process data on our behalf
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database & Authentication | United States |
| Stripe | Payment Processing | United States |
| Resend | Transactional Email | United States |
| Cloudflare | CDN & DDoS Protection | Global |
| Google Cloud | AI Processing | United States |
| Sentry | Error Monitoring | United States |
Your Rights
Access Your Data
Export all your data anytime from Settings → Export My Data.
Delete Your Data
Request complete account deletion from Settings → Delete My Account.
Security Contact
Found a security issue? Have privacy concerns? We take security reports seriously.
[email protected]
Last updated: December 2024