Privacy Policy

Last updated: April 13, 2026 · Effective: April 13, 2026

The short version

What The Health ("WTH", "we") analyzes medical bills and insurance claims you give us so we can flag billing errors, overcharges, and coverage issues. To do that, we share your documents with a small number of vendors who power the analysis, send email, and store your files. We don't sell your data, we don't use it to train AI models, and you can delete everything at any time.

The rest of this document explains, in detail, exactly what we collect, who sees it, and the choices you have. If you'd rather talk to a human, email privacy@whatthe.health.

Who we are (and aren't)

WTH is a consumer-facing service to which you, the user, voluntarily submit your own medical bills and insurance information. We are not a HIPAA-covered entity: not a health plan, not a health care provider, and not a health care clearinghouse. The Health Insurance Portability and Accountability Act (HIPAA) therefore does not apply to us the way it applies to your doctor or insurer.

That doesn't mean we play fast and loose with your data. We operate under the FTC Health Breach Notification Rule, the Washington My Health My Data Act, the California Consumer Privacy Act and its sensitive-data provisions, and similar consumer-protection laws. This policy describes how we comply with those, and the promises we make to you directly.

Information we collect

We collect four buckets of information:

1. Account information

  • Your email address (required).
  • Your notification preferences.
  • Authentication tokens to keep you logged in.

2. Documents and consumer health data you give us

  • Medical bills and provider statements you upload.
  • Explanations of Benefits (EOBs) from insurers.
  • Insurance cards (front and back images).
  • Plan documents and Summaries of Benefits and Coverage (SBCs).
  • Any context you write into the audit wizard — your question, the situation you're dealing with, whether the visit was an emergency, whether it was in-network.

From these documents, our AI pipeline extracts structured information: provider names, dates of service, procedure codes (CPT), diagnosis codes (ICD), billed and paid amounts, patient responsibility, and the identity fields on your insurance card (member ID, group number, payer name).

We treat all of the above — and the inferences we make from it in your audit findings and report — as consumer health data under Washington's My Health My Data Act.

3. Claims and clinical data from payers and providers (if you connect one)

  • When you connect an insurance payer (e.g., Aetna, UnitedHealthcare) through Payer Connect, we retrieve your ExplanationOfBenefit, Coverage, and Patient resources via their SMART on FHIR Patient Access API.
  • When you connect a healthcare provider (e.g., MyChart/Epic) through Provider Connect, we retrieve only the billing and clinical records you authorize — encounters, charges, lab results, diagnoses, and medications — via their SMART on FHIR Patient Access API.
  • We store OAuth access and refresh tokens to keep each connection active.
  • Each retrieved claim or record becomes part of your audit history in WTH.

4. Usage and technical information

  • IP address, browser type, and device information from server access logs.
  • A session cookie and, if you opt in, a "remember me" cookie that keeps you logged in for 14 days.
  • Timestamps of when you submit, view, or modify an audit.
  • Error and performance telemetry used to fix bugs.

We do not use advertising, analytics, or tracking cookies. There are no third-party trackers on our site.

How we use your data

We use the information above for exactly these purposes, and no others:

  • Running your audit. Extracting structured information from your documents, cross-referencing bills against EOBs, identifying overcharges and errors, generating your report.
  • Answering your questions. The chat feature lets you ask follow-up questions about your audit. Your questions and the relevant audit data are sent to our AI partner to answer them.
  • Operating your account. Sending you sign-in links, email confirmations, and notifications about your audits.
  • Keeping the service working. Debugging, fixing bugs, investigating errors, and protecting the service from abuse.
  • Legal compliance. Responding to lawful requests and protecting against fraud.

How our AI works — and what that means for your data

The core of WTH is an AI pipeline. When you upload a document, here's what happens to it:

  1. Your file is uploaded to our servers over HTTPS and stored in an encrypted Cloudflare R2 bucket.
  2. Our servers send the contents of the document to Anthropic's Claude API, which extracts structured data (amounts, codes, dates, provider information).
  3. Extracted data is stored in our PostgreSQL database.
  4. Our servers run additional Claude API calls to correlate bills and EOBs, enrich them with reference data, analyze for errors, and generate your written report.
  5. The completed report is stored and displayed to you.

What Anthropic does with your data. Anthropic processes API requests under their Commercial Terms of Service. They do not use API data to train their models. They may retain API inputs and outputs for up to 30 days for trust and safety purposes, after which those inputs and outputs are deleted. See Anthropic's Commercial Terms for details.

By submitting an audit, you explicitly consent to having your uploaded documents and the extracted data processed by Anthropic for the sole purpose of generating your audit. If you do not consent to this, the service cannot function — please don't upload anything, and email us if you'd like us to delete your account.

Third-party services we share data with

We share your data only with the vendors listed below, and only for the specific purposes described. None of them sell your data, and none of them use it for their own marketing.

  • Anthropic (Claude API)
    Receives: uploaded document contents, extracted data, audit findings, your chat questions.
    Purpose: AI-powered extraction, analysis, and report generation.
    Retention: up to 30 days per Anthropic's Commercial Terms.
  • Cloudflare R2
    Receives: raw document files, insurance card images, vault documents.
    Purpose: object storage for files you upload.
    Encryption: AES-256 at rest (Cloudflare default).
    Retention: until you delete the document or your account.
  • Fly.io
    Receives: everything that runs in memory or lives in our PostgreSQL database — they are our hosting provider.
    Purpose: application and database hosting.
    Retention: until you delete your data.
  • Resend
    Receives: your email address and the body of transactional emails (sign-in links, account confirmations, audit-ready notifications). Emails contain generic copy and links to WTH — they do not contain your medical bill contents or audit findings.
    Purpose: sending transactional email on our behalf.
  • Insurance payers (when you connect one)
    When you connect a payer, we make OAuth and FHIR API calls to that payer on your behalf. We only ask them for your own data. We never send your audit contents or other WTH data to a payer. Each payer's own privacy policy governs their handling.
  • Healthcare providers (when you connect one)
    When you connect a provider (e.g., MyChart/Epic), we make OAuth and FHIR API calls to that provider on your behalf. We only ask them for the billing and clinical records you authorize. We never send your audit contents or other WTH data to a provider. Each provider's own privacy policy governs their handling.

We do not currently share data with analytics providers, advertising networks, or data brokers. If that ever changes, we will update this list and notify active users by email before the change takes effect.

What we don't do

  • We don't sell your data. Not to advertisers, not to data brokers, not to insurers, not to anyone. Under the CCPA, we do not "sell" or "share" personal information for cross-contextual behavioral advertising.
  • We don't use your data for marketing or advertising.
  • We don't use your data to train AI models. Not ours, and not Anthropic's — their API terms prohibit training on API inputs and outputs.
  • We don't share your data with law enforcement except in response to a valid legal process (subpoena, court order, or warrant). When legally permitted, we will notify you first.

How we protect your data

  • In transit: All traffic between you and WTH is encrypted with HTTPS (TLS 1.2 or higher). HTTP Strict Transport Security (HSTS) is enforced on our domain.
  • Uploaded files: Stored in Cloudflare R2, which encrypts all objects at rest with AES-256.
  • Medical data in our database: Every field that holds medical content — the documents you upload, the data we extract from them, the audit findings we generate, and the reports we produce — is encrypted at the application layer with AES-256-GCM before being written to the database. The encryption key is held outside the database, so a copy of the database or of its backups is unreadable to anyone who does not also hold the key.
  • Payer and provider OAuth tokens and raw FHIR claim or clinical data: Encrypted with the same AES-256-GCM scheme.
  • Other database fields (email, account metadata): Protected by network isolation, strict access controls, and disk-level encryption provided by our hosting provider.
  • Authentication: Accessing your account requires a one-time sign-in link sent to your email. Session tokens are cryptographically signed.
  • Internal access: Access to production systems is limited to a small number of engineers, logged, and only used for operating or debugging the service.
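As an added illustration of the field-level scheme described in the bullets above (this is example code, not WTH's own implementation), the following Go program encrypts a database field with AES-256-GCM under a key that is supplied from outside the database. The key, the table, column and row identifiers, and the sample billing JSON are all constructed for the example. It goes slightly beyond what the policy states: each ciphertext is bound to its table, column and row through GCM's associated data, so a blob copied from one row into another fails to decrypt, and a leading key-version byte leaves room for key rotation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Constructed 32-byte data-encryption key for this example only. In a real
// deployment the key is loaded from outside the database (environment,
// secrets manager, KMS) so that a copy of the database alone is useless.
var exampleKey, _ = hex.DecodeString(
	"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

// keyVersion is written as the first byte of every stored blob so the key
// can be rotated later without re-encrypting everything at once.
const keyVersion byte = 1

// aad binds a ciphertext to the table, column and row it was written for.
// GCM authenticates this data without encrypting it, so moving a blob to a
// different row or column makes decryption fail. (Hypothetical schema names.)
func aad(table, column, rowID string) []byte {
	return []byte(table + "\x00" + column + "\x00" + rowID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField returns keyVersion || nonce(12) || ciphertext+tag(16).
// A fresh random nonce per call is essential: reusing a nonce under the
// same key breaks GCM's confidentiality and authenticity.
func EncryptField(key []byte, table, column, rowID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, 1+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, keyVersion)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, aad(table, column, rowID)), nil
}

// DecryptField reverses EncryptField; any bit flip, truncation, or
// row/column mismatch yields an error rather than garbage plaintext.
func DecryptField(key []byte, table, column, rowID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 1+gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	if blob[0] != keyVersion {
		return nil, fmt.Errorf("unsupported key version %d", blob[0])
	}
	nonce := blob[1 : 1+gcm.NonceSize()]
	return gcm.Open(nil, nonce, blob[1+gcm.NonceSize():], aad(table, column, rowID))
}

func main() {
	// Constructed sample of extracted billing data.
	plaintext := []byte(`{"cpt":"99213","billed":350.00,"dos":"2026-03-02"}`)
	blob, err := EncryptField(exampleKey, "documents", "extracted_json", "doc-1", plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, version %d, nonce %x\n", len(blob), blob[0], blob[1:13])

	got, err := DecryptField(exampleKey, "documents", "extracted_json", "doc-1", blob)
	fmt.Printf("own row: %s (err=%v)\n", got, err)

	// The same blob copied into another row no longer authenticates.
	_, err = DecryptField(exampleKey, "documents", "extracted_json", "doc-2", blob)
	fmt.Printf("moved to doc-2: err=%v\n", err)
}
```

The associated data is what turns per-field encryption into per-row encryption: without it, an attacker who can write to the database could swap one patient's encrypted report into another patient's row and the application would decrypt it happily. The key-version byte is cheap to add now and painful to retrofit later.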

No system is perfectly secure. If you believe you've found a security issue, please email security@whatthe.health and we will respond as quickly as we can.

Data retention

  • Account and audits: Retained for as long as your account is active. If your account has been inactive for 24 months, we will email you before deleting your data.
  • Uploaded documents: Retained until you delete them or delete your account.
  • Server access logs: Retained for approximately 30 days, then rotated out.
  • Deleted data: When you delete something, it is removed from our live systems within 30 days, and from backups on the next backup rotation. We retain only the minimum information needed to prove the deletion happened.
  • Payer and provider OAuth tokens: Retained until you disconnect the payer or provider, then deleted within 30 days.

Your rights and choices

Regardless of where you live, you can at any time:

  • Access the data we have about you, via your account settings or by emailing us.
  • Correct information about yourself.
  • Delete individual audits, documents, or your entire account.
  • Export a copy of your data in a portable format.
  • Disconnect any payer or provider connection, which revokes our access and deletes the stored tokens.
  • Withdraw consent to our processing of your consumer health data. This stops future processing but does not retroactively recall data already shared with our vendors to run past audits.

Washington residents (My Health My Data Act)

If you are a Washington resident, you have additional rights under the My Health My Data Act:

  • The right to confirm whether we are collecting, sharing, or selling your consumer health data.
  • The right to withdraw consent to the collection, sharing, or sale of your consumer health data.
  • The right to have your consumer health data deleted, including, where applicable, from the records of our processors.
  • The right to appeal if we deny your request.

To exercise any of these rights, email privacy@whatthe.health. We respond within 45 days.

California residents (CCPA/CPRA)

If you are a California resident, you have the right to know, access, delete, correct, and request portability of your personal information. You also have the right to limit the use of sensitive personal information — medical information is sensitive personal information under the CPRA. We only use your sensitive personal information for the purposes necessary to provide the service, as described in the "How we use your data" section above.

We do not sell or share personal information for cross-contextual behavioral advertising. We have not done so in the past 12 months and have no plans to do so.

Other U.S. state residents

Residents of Colorado, Connecticut, Virginia, Oregon, Texas, Delaware, New Jersey, and other states with comprehensive consumer privacy laws have similar rights. Contact us at privacy@whatthe.health to exercise them.

In the event of a data breach

If we discover a data breach affecting your information, we will notify you in accordance with applicable law, including the FTC Health Breach Notification Rule. That means:

  • We will notify affected users directly by email without unreasonable delay, and no later than 60 calendar days after we discover the breach.
  • If the breach affects 500 or more people, we will also notify the FTC and, where the Rule requires it, prominent media in the affected region.
  • Our notification will describe what happened, what information was affected, what we have done about it, and what you can do to protect yourself.

Children's privacy

WTH is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has submitted information to us, email privacy@whatthe.health and we will delete it.

International users

WTH is operated from the United States and your data is stored and processed in the United States. If you access WTH from outside the U.S., you consent to the transfer of your data to the U.S. for processing. We do not currently offer the service to users in the European Union or the United Kingdom.

Changes to this policy

We may update this policy as our service changes. When we do, we will update the "Last updated" date at the top and, if the changes are material, notify active users by email at least 14 days before the new version takes effect. The most recent version is always available at whatthe.health/privacy.

Contact us

For privacy questions or to exercise any of your rights under this policy: