
Privacy Policy

Version 1.4 · Effective 2026-04-08

CANDID PRIVACY POLICY
Operated by Airgetlam Labs LLC

1. SCOPE
This Privacy Policy describes how Airgetlam Labs LLC ("Candid," "we," "us") collects, uses, and protects your personal information when you use the Candid platform. This policy covers your account and profile data only. Collection of health-related data (medical bills, EOBs, insurance documents) is governed by a separate Health Data Consent that you must accept before uploading any health documents.

2. INFORMATION WE COLLECT

(a) Account Information — When you create an account, we collect:
- Full legal name
- Email address
- State of residence
- Authentication credentials (password hash or third-party OAuth token)

(b) Insurance Profile — When you set up your profile, you may provide:
- Insurance company name
- Plan name and type (employer, marketplace, off-exchange, Medicare, Medicaid)
- Matched plan identifier (if using CMS marketplace plan data)

(c) Usage Data — We automatically collect:
- Pages visited and features used
- Timestamps of activity
- Device type and browser type (not fingerprinted or shared)
- IP address (used for security and fraud prevention only; not shared with third parties)

(d) Support Communications — When you contact support, we retain your messages and our responses.

(e) Payment Information — Subscription payment details are collected and processed directly by Stripe, Inc. We do not store your credit card number, bank account number, or other payment instrument details on our servers. We receive from Stripe only: subscription status, billing period, and a truncated card identifier for display purposes.

(f) Email-Forwarded Documents — If you forward documents to us via email (e.g., to support@candidclaim.com), we collect: the sender's email address, email subject and body text, and any attachments. Email-forwarded documents are processed the same way as directly uploaded documents.

3. INFORMATION WE DO NOT COLLECT UNDER THIS POLICY
Health data (medical bills, EOBs, insurance documents, audit results, billing codes) is NOT covered by this Privacy Policy. Collection and use of health data requires separate, informed consent under our Health Data Consent document. This separation is required by the Washington My Health My Data Act and recommended under CCPA/CPRA for sensitive data categories.

4. HOW WE USE YOUR INFORMATION
We use your personal information to:
- Provide, maintain, and improve the Candid platform
- Authenticate your identity and secure your account
- Match you with relevant insurance plan data from public sources (CMS Marketplace API)
- Communicate with you about your account, service updates, and support requests
- Process subscription payments
- Comply with legal obligations
- Detect and prevent fraud or unauthorized access

We do NOT use your personal information for:
- Targeted advertising
- Sale to data brokers
- Profiling for credit, insurance, or employment decisions

5. THIRD-PARTY SERVICE PROVIDERS
We share limited personal data with the following service providers, each operating under data processing agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (Supabase Inc.) | Database hosting | Account info, profile, usage records |
| Firebase / Google Cloud Platform | Authentication, file storage | Email, auth tokens, uploaded files |
| Stripe, Inc. | Payment processing | Email, subscription events |
| Resend (Resend Inc.) | Transactional email (outbound and inbound) | Email address, name, inbound email content |
| Vercel Inc. | Application hosting | IP address (server logs, auto-deleted) |
| Upstash (QStash) | Asynchronous document processing queue | Document processing job references |
| Slack (Salesforce) | Admin operational alerts | System-level alerts (no user-identifiable data) |
| Google Cloud Document AI | Document OCR and parsing | Uploaded document images (processed in-memory, not stored by Google) |

We do not share your data with advertising networks, social media platforms, or data brokers.

6. DATA RETENTION
Retention periods for each category of personal information are determined based on the following criteria: (1) whether the data is necessary to provide active services to your account, (2) applicable legal and regulatory obligations (e.g., tax, financial reporting), (3) the need to resolve disputes or enforce our agreements, and (4) the active status of your account. Specific periods:
- Account data is retained for the lifetime of your account.
- Upon account deletion, personal data is removed within 30 days.
- Server access logs (containing IP addresses) are retained for no more than 90 days.
- Payment records are retained for 7 years as required by IRS tax and financial reporting regulations.
- Support communications are retained for 2 years after resolution, then deleted.

7. WE DO NOT SELL YOUR DATA
Candid does not sell, rent, or trade your personal information to third parties. This applies to all categories of personal information we collect. For the purposes of the California Consumer Privacy Act (CCPA/CPRA), we confirm: we have not sold personal information in the preceding 12 months and do not intend to do so.

8. COOKIES AND TRACKING
Candid uses only essential, first-party cookies required for authentication and session management. We do not use:
- Third-party tracking cookies
- Advertising pixels or beacons
- Cross-site tracking technologies
- Analytics platforms that share data with third parties

9. YOUR RIGHTS — ALL USERS
Regardless of where you reside, you have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate personal data
- Deletion: Request deletion of your account and personal data
- Portability: Request your data in a structured, machine-readable format
To exercise these rights, visit your account Settings page or submit a support ticket.

10. YOUR RIGHTS — CALIFORNIA RESIDENTS (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know: You may request the specific categories and pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we hold about you, subject to legal exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary, but you may submit one via a support ticket for your records.
- Global Privacy Control (GPC): Candid recognizes and processes Global Privacy Control (GPC) opt-out preference signals transmitted by your web browser. When we detect a GPC signal, we treat it as a valid request to opt out of the sale or sharing of personal information associated with that browser, as required by CCPA/CPRA regulations. No additional action is required on your part.
- Right to Limit Use of Sensitive Personal Information: Your health data is governed by a separate consent. We do not use sensitive personal information for purposes beyond what is needed to provide our services.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a verifiable consumer request, visit your account Settings page or submit a support ticket. We will respond within 45 days.

11. YOUR RIGHTS — WASHINGTON STATE RESIDENTS (MY HEALTH MY DATA ACT)
If you are a Washington state resident, you have additional rights under the Washington My Health My Data Act (RCW 19.373):
- Your consumer health data (including medical billing records) requires separate, specific consent before collection — provided through our Health Data Consent document.
- You may revoke consent for health data collection at any time.
- You may request deletion of all consumer health data within 30 days.
- We will never sell your consumer health data without separate, explicit consent.
- We will never geofence healthcare facilities to collect or infer health data.
- You have a private right of action under the Washington Consumer Protection Act (RCW 19.86) if we violate these provisions.
Health data rights are exercised through the Health Data Consent document and your account Settings page.

12. CHILDREN'S PRIVACY
Candid is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

13. INTERNATIONAL USERS
Candid is operated from the United States. If you access Candid from outside the United States, your data will be transferred to and processed in the United States. By using Candid, you consent to this transfer.

14. DATA SECURITY
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256 for stored data)
- Role-based access controls
- Authentication via Firebase with secure token management
- Regular access reviews
No system is 100% secure. We cannot guarantee absolute security but will notify affected users promptly in the event of a data breach, consistent with applicable state breach notification laws.

15. CHANGES TO THIS POLICY
We may update this Privacy Policy. Material changes will be communicated via email and will require re-acceptance. The "Effective" date at the top indicates the latest version.

16. CONTACT
Airgetlam Labs LLC
Contact us via your account Settings page or by submitting a support ticket at candidclaim.com.

See also: Terms of Service · Health Data Consent