← Back to home

Consumer Health Data Privacy Policy

Version 1.6 · Effective 2026-07-10

CANDID HEALTH DATA CONSENT
Version 1.6 — Effective July 10, 2026
Operated by Airgetlam Labs LLC

Version 1.6 amendment: Updated Section 4 (Service Providers That Receive Your Health Data) — when you contact support, Slack now receives your full support messages and any replies you send, which may include billing and plan details you choose to share (previously only your message's subject and a short preview).

IMPORTANT — PLEASE READ BEFORE UPLOADING. This Health Data Consent is SEPARATE from our Terms of Service and Privacy Policy. Under the Washington My Health My Data Act (RCW 19.373, "MHMDA") and the California Consumer Privacy Act (CCPA/CPRA), the medical-billing and insurance information in the documents you provide is consumer health data ("CHD"). We obtain your specific, informed, freely-given consent before we collect or process it. You must accept this consent before uploading any health-related document or entering health information manually.

1. PLAIN-LANGUAGE SUMMARY
(A quick overview — the full terms below control.)
- We collect health information only from you — the documents you upload and the details you type in. We do not buy it, and we do not pull it from your providers or insurers.
- We use it only to do what you asked Candid to do: read your bills, find errors, check your benefits, draft dispute letters you send yourself, and show price comparisons.
- A small, named set of service providers help us run the service (listed in Section 4). We never sell your health data, and we never show advertising targeted using it.
- You can withdraw consent, access or export, and delete your data at any time (Sections 7–10). Withdrawing consent permanently deletes everything we hold that is linked to you — keeping only de-identified, generic plan-catalog facts that no longer identify you.
- We do not track your precise location and do not geofence health facilities.

2. WHAT HEALTH DATA WE COLLECT, AND WHERE IT COMES FROM
Sources — all provided by you:
- Documents you upload through the app;
- Information you enter manually (for example, your insurer or plan).
We do not acquire your health data from data brokers, healthcare providers, insurers, or any source other than you.

Categories of CHD we collect and process:
- Billing and claims data — claim numbers, billing line items, adjustment-reason details, per-charge amounts;
- Procedure and diagnosis codes appearing in your documents — CPT, HCPCS, ICD-10;
- Insurance plan and coverage details — plan name and type, cost-sharing (deductible, copay, coinsurance, out-of-pocket), and plan formulary structure (which drug categories your plan covers and at what tier — this describes your plan's coverage, not your personal prescriptions);
- Payment amounts — charge, allowed, paid, adjustment, and balance-due;
- Document types — medical and itemized hospital bills, Explanation of Benefits (EOB) documents, insurance statements and Summary of Benefits and Coverage (SBC) documents, and insurance-card images (member ID, group number, plan identifiers, insurer contact info);
- Provider information — provider and facility names and National Provider Identifiers (NPIs);
- Derived or inferred CHD — audit findings, benefit-gap analyses, cost estimates, and dispute-letter drafts that recite the above;
- Dispute records — letter drafts, dispute status, and correspondence tracking.
What we do NOT collect or store: Social Security numbers, medical record numbers, clinical notes, lab results, diagnostic images, or individual prescription-fill or pharmacy records. If any of this appears in a document you upload, we do not extract or retain it.

3. THE SPECIFIC PURPOSES WE USE YOUR HEALTH DATA FOR
We use your health data only for the purposes below, and will not use it for anything else without your separate, additional consent.
(a) Bill parsing — Reading your documents and extracting structured billing data, using text extraction, optical character recognition (OCR), and automated/AI analysis (see Section 3A).
(b) Audit analysis — Comparing your charges against public benchmarks (CMS Medicare Physician Fee Schedule; published hospital price-transparency files) to flag overcharges, errors, unbundling, upcoding, or duplicates.
(c) Benefit matching — Comparing your bill's procedures against your plan's covered benefits to surface coverage gaps or missed in-network savings.
(d) Dispute-letter generation — Populating letter templates with facts from your documents. You review and send every letter yourself — Candid transmits nothing to any insurer, provider, court, or regulator on your behalf.
(e) Cost estimation — Showing price comparisons for your procedures among providers in your area.
(f) Plan-catalog improvement — Contributing extracted plan-structure data (benefits, cost-sharing, formulary tiers) to a de-identified canonical plan database that improves benefit-matching for everyone. Your identity is never associated with these records.

3A. AUTOMATED AND AI-ASSISTED PROCESSING
To read and structure your documents, Candid uses automated systems and a third-party large-language-model provider, Anthropic, PBC ("Claude"). The text extracted from your documents is sent to this provider for classification and extraction. Your original image and PDF files are not sent to the LLM provider — only the extracted text. When a document is an image or a scan our app cannot read directly, the raw file is sent to a second provider, Google Document AI, solely to convert the image to text (OCR); it performs OCR only and does not analyze your bills.
Our agreement with the LLM provider is its commercial API, under which the provider does not use your data to train its models, and we retain ownership of the outputs. These providers process your data to perform the task you requested, not for their own purposes.

3B. FRAUD AND ABUSE PREVENTION
To protect data integrity and prevent fraud and data-poisoning, Candid analyzes uploaded documents and account activity using automated techniques, including content fingerprinting and legitimacy scoring. Contributions flagged as anomalous may be temporarily quarantined from aggregate statistics pending review.

3C. DE-IDENTIFIED, AGGREGATED DATA
To power price comparison and benefit matching for everyone, Candid derives de-identified, aggregated statistics from health data. Before any data enters an aggregate, it is de-identified using the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), and no statistic is shown for fewer than 5 distinct users. These aggregates never include your identity, your documents, or your individual records, and are never used for advertising or for credit, insurance, or employment decisions. Because this data cannot reasonably be linked to you, it falls outside MHMDA's definition of consumer health data. We publicly commit never to attempt to re-identify it, and we require the same commitment by contract from any recipient. We may retain and use it even after you withdraw consent or delete your account (Section 9).

4. SERVICE PROVIDERS THAT RECEIVE YOUR HEALTH DATA
A small set of service providers (processors) help us operate Candid and may process your health data on our behalf under data-processing agreements. We have no corporate affiliates that receive your CHD. The processors that receive identifiable consumer health data are:
ProcessorWhat it does for CandidHealth data it receives
Anthropic, PBC (Claude)AI extraction and classification of document textThe text extracted from your documents (provider and facility names, NPIs, CPT/HCPCS/ICD-10 codes, claim numbers, amounts, plan cost-sharing and formulary text). Your image and PDF files are not sent — only extracted text
Google Document AIOCR fallback only — converts a document to text when in-app extraction cannot read itThe raw file (for example, a scanned PDF), only when the fallback triggers. Performs OCR only
Supabase, Inc.Encrypted database and file storage (our system of record)Your extracted billing and claims data, audit results, dispute records, and your original uploaded files
Vercel, Inc.Application hosting, compute, and loggingHealth data transits Vercel's compute; server logs may carry incidental residue (identifiable data is redacted from logs)
Resend, Inc.Outbound transactional emailDispute follow-up emails we send you embed your dispute type, the dollar amount disputed, and the insurer name
Slack (Salesforce)Internal support and operations alertsIn the support and dispute channels only: your email, your full support messages and any replies you send (which may include billing and plan details you choose to share), an attachment filename, and a time-limited link to a support document; dispute alerts include dispute type, amount, and insurer. Other channels receive only aggregate or system-level data
Upstash (QStash)Asynchronous processing queueJob references only (document IDs) — no document content
We do not load third-party web analytics on the authenticated pages where your health data appears.
Categorically not recipients of your health data: Stripe (payments — your email and subscription metadata only; no health data), Firebase / Google Identity Platform (sign-in only — email, phone, name, account ID; not document storage), Cloudflare Turnstile (bot challenge — token and IP only), and CMS public-data endpoints (we send only a 5-digit ZIP or a provider NPI — never your identity). We are not integrated with any other LLM provider, any error or product-analytics service, or any advertising network or data broker.
Other than the service providers listed above, no third party receives your identifiable consumer health data. We do not share your health documents or extracted health data with advertisers, data brokers, insurers, healthcare providers, employers, or other users, and we never sell your consumer health data.
Your MHMDA right to the list of third parties (RCW 19.373.040(1)(b)): you may request the specific list of third parties to which we have provided your consumer health data, by emailing privacy@candidclaim.com or opening a support ticket; we respond within 30 days (Section 10).
Any sharing beyond these processors requires separate consent. Candid's marketplace features (Candid Case and Candid Care) are governed by a separate Marketplace Data Sharing consent and would share only minimal, non-health profile fields (for example, your state, the service category you are seeking, and your contact email — never your insurance company or plan type, your documents, your audit results, or your dispute letters). Marketplace participation is not an endorsement or vetting of any participant.
No dark patterns. Your consent is separate, specific, freely given, opt-in, and revocable. We do not bundle it into the Terms of Service, do not pre-check it, and do not use interface designs that impair your choice. Declining or withdrawing it does not degrade any unrelated, non-health feature.

5. HOW WE SECURE YOUR HEALTH DATA
- Your health data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- We apply role-based access controls and conduct access reviews.
- Candid is not a HIPAA covered entity (Section 13), but we voluntarily adopt safeguards aligned with the HIPAA Security Rule as a best-practice standard. We describe these as HIPAA-grade-aligned safeguards — not as HIPAA compliance.

6. DATA RETENTION
- Your uploaded documents and extracted data are retained for the lifetime of your account, or until you delete them, whichever comes first.
- Upon withdrawal of this consent, we permanently delete all health data we hold that is linked to you — see Section 7 for the complete list. The only thing we keep is the de-identified, generic plan-catalog data described in Sections 3C and 9, which no longer identifies you.
- Upon account deletion, your health data is hard-deleted within 30 days, subject only to the narrow carve-outs in Section 8.
- De-identified, aggregated data (Sections 3C and 9) is retained under our never-re-identify commitment and is not deleted by withdrawal or account deletion, because it is no longer connected to you.
- Encrypted backups that may contain your data are overwritten on our standard backup-rotation cycle. We run no scheduled retention cron — deletion is event-driven (withdrawal, account deletion, administrator deletion).

7. YOUR RIGHT TO WITHDRAW CONSENT
You may withdraw this consent at any time, from your account Settings page by selecting "Revoke Health Data Consent," or by submitting a support ticket. Withdrawing consent will:
- Immediately stop all further uploads and all further processing of your documents;
- Permanently and promptly delete everything we hold that is linked to you, including: every document you uploaded — bills, EOBs, SBCs and plan documents, and insurance-card images — and the stored files; all data we extracted or that you entered — your claims and billing line items, audit findings, cost estimates, benefit analyses, and any health information you typed in manually; your dispute drafts and dispute records; and your insurance-plan and coverage records;
- Keep only de-identified, generic plan-catalog facts — structural information about insurance plans (which benefits a plan covers, its cost-sharing, its formulary tiers) that we previously contributed to our shared plan database. This describes insurance plans in general, carries no link to you, and is covered by Section 9;
- Preserve your account, subscription, and non-health personal data, so you can keep using Candid or upload again later;
- Not affect the lawfulness of any processing we performed before you withdrew.
Plain summary: withdrawing your consent erases everything personal to you that we hold; the only thing that remains is anonymous, general plan information that cannot be traced back to you. This is the same standard of erasure as account deletion (Section 8) — the difference is simply that withdrawal keeps your account open.
If you have an open dispute: withdrawing consent will delete the billing records and dispute drafts that an in-progress dispute relies on. Before we proceed, we will clearly warn you and ask you to confirm, so you can finish or export an active dispute first if you wish.

8. YOUR RIGHT TO DELETE (ERASURE) — ACCOUNT DELETION
Under MHMDA and CCPA/CPRA you may delete the consumer health data we hold. Account deletion is a hard erasure. Upon a verified deletion request or account deletion, within 30 days Candid will:
- delete everything listed in Section 7 (all documents, all extracted data, your dispute records, and your plan and coverage records);
- additionally delete your account, profile, and login, along with previously-retained records including finding dismissals and insurer-appeal confirmations;
- instruct our service providers to delete the health data they hold on our behalf; and
- confirm the deletion to you in writing.
What survives deletion (carve-outs):
- Stripe-side payment records — Stripe retains payment records as an independent controller (commonly about 7 years for tax and anti-money-laundering rules); we delete our local billing record but cannot delete Stripe's controller records.
- De-identified, generic plan-catalog data and aggregate statistics covering at least 5 distinct users (Sections 3C and 9), which no longer connect to you and are retained under our never-re-identify commitment.
- De-linked operational and anti-abuse records — a limited set survive with your user ID removed, once your account is gone.
- Service-provider logs — short-window vendor and server logs governed by each provider's own retention.

9. DE-IDENTIFIED DATA WE KEEP AFTER YOU LEAVE — IN PLAIN TERMS
Even after you withdraw consent or delete your account, Candid keeps de-identified plan-catalog data that is no longer connected to you: structural facts about insurance plans (which benefits a plan covers, its cost-sharing, its formulary tiers) that you contributed before you left. These describe the plan, not you, and carry no identifier tying them to you. We keep and use them to run benefit matching and price comparison for everyone. We publicly commit that we will never attempt to re-identify this data or connect it back to you, and we require any recipient to make the same commitment by contract.

10. YOUR RIGHT TO ACCESS AND DATA PORTABILITY
You may request a copy of the health data we hold about you, in a structured, machine-readable format (JSON or CSV), including the categories of third parties with whom your CHD has been shared (the Section 4 list). We respond within 30 days. Today this is a request-based process fulfilled by our team within that window; we will tell you when an instant self-serve download becomes available.

11. YOUR OTHER RIGHTS, AND HOW TO EXERCISE THEM
- Non-discrimination. We will not discriminate against you for exercising any right here. Withdrawing health-data consent does not degrade any unrelated feature, change your price, or deny you service.
- Appeal. If we deny a request (access, third-party list, withdrawal, or deletion), you may appeal by emailing privacy@candidclaim.com with the subject "MHMDA Appeal." We respond within 45 days (extendable once, with notice, where reasonably necessary). If we deny the appeal, we explain why and tell you how to contact the Washington Attorney General.
- Washington Attorney General. A violation of MHMDA is enforceable under the Washington Consumer Protection Act (RCW 19.86), which provides a private right of action. You may also contact the Washington State Office of the Attorney General — file a complaint at www.atg.wa.gov/file-complaint (Consumer Protection Division).
- Global Privacy Control (GPC). If your browser sends a GPC opt-out signal, we honor and record it. We do not sell or share your data for cross-context behavioral advertising, so there is nothing to opt out of today; a functional GPC consumer will be in place before any sharing or advertising feature launches.
- Consent records. When you grant or withdraw consent, we record the event together with the consent text you saw, a timestamp, your IP address, and your browser's user-agent, to prove what you agreed to.

12. CHILDREN
Candid is for adults. You must be 18 or older to use Candid, and we do not knowingly collect health data from anyone under 18. If we learn we have, we will delete it.

13. HIPAA DOES NOT APPLY TO CANDID
Candid is not a healthcare provider, health plan, healthcare clearinghouse, or Business Associate under HIPAA. When you upload your own medical documents, you are exercising your individual right to access and share your own health information; we receive the data from you, not on behalf of a covered entity. HIPAA therefore does not directly regulate Candid — which is why MHMDA applies to flows like ours. We voluntarily adopt safeguards aligned with the HIPAA Security Rule (we do not claim HIPAA compliance).

14. CANDID IS NOT A HEALTHCARE PROVIDER
Candid does not provide medical advice, diagnoses, treatment recommendations, or clinical opinions. All health-related outputs (audit findings, benefit analyses, cost estimates) are informational tools for your independent use. Always consult qualified healthcare and legal professionals for advice specific to your situation.

15. WE DO NOT TRACK YOUR LOCATION OR GEOFENCE HEALTH FACILITIES
Candid does not collect your precise geolocation and does not use geofences around healthcare facilities (or anywhere else) to collect, infer, or trade in your health data. Location-based features operate at the state level only, using information you provide. We affirm the MHMDA geofencing prohibition (RCW 19.373.030) as our standing practice.

16. WASHINGTON RESIDENTS — YOUR MHMDA RIGHTS
Under the My Health My Data Act, Washington residents may: receive this consent in a clear, standalone format; know the categories of CHD collected and each purpose (Sections 2–3); know the categories of third parties receiving CHD and obtain the actual list (Section 4); withdraw consent (Section 7) and have CHD deleted (Section 8), including our commitment to notify processors to delete it; access and export CHD (Section 10); exercise these rights free from discrimination (Section 11); appeal a denied request and complain to the Washington Attorney General (Section 11); rely on our no-geofencing commitment (Section 15); and bring a private cause of action under RCW 19.86.

17. EFFECTIVE DATE AND CHANGES
Effective Date: June 13, 2026. Material changes will be communicated and will require re-acceptance; a version bump forces re-consent. This consent is linked from the site footer, the Terms page, the Privacy page, and the upload-consent flow.

18. CONTACT
Airgetlam Labs LLC, operator of Candid. Questions about this consent, or to exercise your rights: privacy@candidclaim.com, or your account Settings page (submit a support ticket) at candidclaim.com. If you contact us by email, that correspondence is handled by our email provider; please do not email health documents or other sensitive health information — upload documents through the app instead.

See also: Terms of Service · Privacy Policy