CANDID PRIVACY POLICY
Version 1.6 — Effective July 10, 2026
Operated by Airgetlam Labs LLC
Version 1.6 amendment: Updated Section 5 (Service Providers and Other Recipients) — when you contact support, our support tool (Slack) now receives your full support messages and any replies you send, which may include billing and plan details you choose to share (previously only a short message preview).
1. SCOPE — AND THE SEPARATE HEALTH-DATA POLICY
This Privacy Policy explains how Airgetlam Labs LLC ("Candid," "we," "us," "our") collects, uses, shares, retains, and protects your personal information when you use the Candid platform at www.candidclaim.com and related services (the "Services"). It covers your account, profile, insurance-plan, billing, support, and usage information.
The contents of the documents you upload — medical bills, Explanations of Benefits (EOBs), Summary of Benefits and Coverage (SBC) and other insurance documents, insurance-card images, claim and billing/diagnosis codes, audit findings, dispute drafts, and everything we derive from them — are consumer health data, governed by our separate Consumer Health Data Privacy Policy ("CHD Policy") at www.candidclaim.com/health-data, which you must review and accept before you upload any health document. The two policies are written to be read together; where they overlap, the CHD Policy controls for consumer health data.
We are not a HIPAA covered entity. Candid is not a healthcare provider, health plan, healthcare clearinghouse, or business associate under HIPAA. When you upload your own records, you are exercising your right as a consumer to access and use your own information. HIPAA does not govern Candid; we nonetheless apply safeguards aligned with HIPAA-grade practices (see Section 12). Our handling of consumer health data is governed by the Washington My Health My Data Act (RCW 19.373) and the state privacy laws in Section 10.
2. INFORMATION WE COLLECT
This section is your notice at collection. (Consumer health data categories are itemized in the CHD Policy, not here.)| Category | Examples | Source |
|---|
| Identifiers and account data | Full legal name; email; state of residence; account/user ID; authentication credentials (password hash) or third-party sign-in token (Google) | You, at registration |
| Age and eligibility data | Date of birth, collected at signup solely to confirm you are 18 or older | You, at registration |
| Insurance-plan profile | Insurance company; plan name and type (employer / marketplace / off-exchange / Medicare / Medicaid); matched public CMS plan identifier | You; matched to public CMS data |
| Payment data | Subscription status, billing period, and display-only card fields (last four, brand, expiration). Full card and bank numbers go directly into Stripe and are never stored by Candid | You, via Stripe |
| Support communications | The messages you send to support, any files you attach to a ticket, and our responses | You |
| Usage and device data | Pages and features used; activity timestamps; device and browser type; approximate IP-derived information. Used to operate and secure the Services and prevent fraud — not for cross-context behavioral advertising | Automatically |
| Consent-event metadata | A record of each consent you give or withdraw: the consent type and version, the exact text you saw (by content hash), a granted/withdrawn flag, the date, and the IP address and browser user-agent captured at that moment — kept as proof of consent | Automatically, at each consent event |
3. CONSUMER HEALTH DATA IS GOVERNED BY A SEPARATE POLICY AND CONSENT
The contents of medical bills, EOBs, SBCs and other insurance documents, insurance-card images, claim and billing/diagnosis codes, audit findings, dispute drafts, and any data we derive from them are consumer health data and are NOT covered by this Privacy Policy. We collect and use them only with your separate, informed consent under the CHD Policy (www.candidclaim.com/health-data). This separation is required by the Washington My Health My Data Act.
Please read the CHD Policy before uploading. Among other things, it discloses that Candid uses a third-party AI provider to read document text and, in a fallback case, a third-party optical-character-recognition (OCR) provider that receives the document file — and it names every provider that processes consumer health data. The AI and automated-processing summary in Section 4 of this policy is a pointer; the operative detail lives in the CHD Policy.
4. HOW WE USE YOUR INFORMATION
We use the personal information covered by this policy to:
- provide, maintain, secure, and improve the Services;
- authenticate you and protect your account;
- match you to relevant insurance-plan data from public sources (the CMS Marketplace API);
- communicate with you about your account, service changes, and support;
- process subscription payments (via Stripe);
- detect, investigate, and prevent fraud, abuse, security incidents, and data-poisoning (Section 4.3);
- comply with legal obligations and enforce our agreements; and
- derive the de-identified aggregates described in Section 4.2, and operate the limited marketplace activities described in Section 7.
We do not use your personal information for cross-context behavioral advertising targeted using your identifiable consumer health data, for sale to data brokers, or for profiling that produces legal or similarly significant effects (such as credit, insurance, or employment decisions).
4.1 AUTOMATED AND AI-ASSISTED PROCESSING
Candid uses automated systems and a third-party large-language-model (LLM) provider — Anthropic, PBC ("Claude") — to read and structure your documents. The pipeline runs in this order:
- You upload a file. It is stored, encrypted, in our database provider's storage.
- Text extraction (primary). We first extract the text layer locally, on our own servers, without sending the file to any third party.
- OCR (fallback only). If local extraction fails — a scanned, image-only, encrypted, or malformed PDF — the document file is sent to Google Cloud Document AI for OCR. It performs OCR only and does not parse or interpret the content.
- LLM analysis. The extracted text (not the original image or PDF) is sent to Anthropic to classify the document and extract structured fields.
- We store the structured result in our database.
Two facts a consumer should know plainly:
- No image or PDF is ever sent to Anthropic — Anthropic receives extracted text only. The only case in which a raw document file leaves our systems for processing is the Document AI OCR fallback above.
- Anthropic does not use your content to train its models. Under Anthropic's commercial terms, Anthropic may not train its models on the content Candid sends through the API.
Dispute and appeal letters are template-generated, not AI-written. When you generate a letter, Candid fills a deterministic template with facts already extracted from your documents. No LLM writes your letters, and no letter content is sent to Anthropic for generation. You review and send every letter yourself.
Automated output may be wrong. Audit findings, extracted fields, and draft letters are produced by automated tools and may contain errors. You are responsible for reviewing them before relying on or sending them.
4.2 DE-IDENTIFIED AND AGGREGATED DATA
To power price-comparison, benefit-matching, and similar features for all users, Candid derives de-identified, aggregated data from user data — for example, the typical charge for a procedure code in a region, or the share of plans that cover a given benefit. Candid also builds a de-identified reference catalog of plan and coverage structures that improves accuracy for every user with a similar plan.
Before any data enters an aggregate or the reference catalog, we de-identify it using the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)) — removing names, contact details, account and beneficiary numbers, dates more specific than year, full ZIP codes, and other identifiers — and no aggregate statistic is shown unless it reflects at least 5 distinct users. De-identified and aggregated data never includes your identity, your documents, or your individual records, and is never used for targeted advertising or for credit, insurance, or employment decisions.
We keep de-identified and aggregated data, and we may continue to use it — including after you withdraw consent or delete your account. Once data is de-identified, it is no longer linked to you and cannot reasonably be re-linked to you. We make a public commitment not to attempt to re-identify any de-identified data, we maintain it in de-identified form, and we contractually require any recipient of de-identified data to make the same commitment. This is consistent with California Civil Code Section 1798.140(m) and the de-identification standards of the other state laws in Section 10.
4.3 FRAUD, ABUSE, AND DATA-INTEGRITY PREVENTION
To protect the integrity of our data and prevent fraud, abuse, and data-poisoning, we analyze account activity and uploaded content using automated techniques, including content fingerprinting and anomaly or legitimacy scoring. A contribution flagged as anomalous may be temporarily held back from aggregate statistics pending automated re-evaluation, and is released automatically once it clears.
5. SERVICE PROVIDERS AND OTHER RECIPIENTS
We share limited personal information with the service providers below, each under a contract that limits them to providing services to us, solely to operate the Services. For providers that touch consumer health data, the fuller description is in the CHD Policy, incorporated here by reference.
We do not share your personal information with advertising networks, social-media platforms, or data brokers. Our current web-analytics posture is described in Section 8.| Provider | What it does for Candid | Personal data it receives |
|---|
| Supabase, Inc. | Primary database and file storage (system of record) | Account, profile, insurance-plan, usage, support data; extracted billing/audit data; uploaded files (at rest) |
| Firebase / Google Identity Platform | Authentication only (email/password, Google sign-in, phone one-time-passcode) | Email, phone, name, user ID, IP/user-agent. No documents; no health data |
| Anthropic, PBC (Claude) | AI text analysis of uploaded documents | Text extracted from your documents — not the image/PDF files (see Section 4.1 and the CHD Policy) |
| Google Cloud Document AI | OCR fallback only — runs when local text extraction fails | The document file (only when the fallback fires; see Section 4.1 and the CHD Policy) |
| Stripe, Inc. | Subscription payment processing | Email, subscription events, cancellation reason. Card data goes directly into Stripe; no health data reaches Stripe |
| Resend, Inc. | Outbound transactional email | Your email address and name; outbound message content (for dispute follow-ups: the dispute type, amount, and insurer name) |
| Vercel, Inc. | Application hosting, serverless compute, scheduled jobs, and logs | Data in transit through the Services; server logs (IP; health-data residue redacted) |
| Upstash (QStash) | Background document-processing queue | Job references only (a document ID and callback URL) — no document content |
| Slack (Salesforce, Inc.) | Internal support and operations alerts | Support and dispute alerts include your email, your support messages and any replies you send (which may include billing and plan details you choose to share), dispute amount/insurer, and a time-limited document link; other internal channels receive only aggregate or system data |
| Cloudflare Turnstile | Automated bot-challenge on upload and compare | A challenge token and IP address. No health data |
Public reference lookups (not service providers). To match plans and providers, Candid queries U.S. government public-data endpoints (healthcare.gov, NPPES, data.cms.gov). These queries send only a 5-digit ZIP code or a provider NPI — never your identity or your records.
Changes to our providers. When we add or change a provider in a way that materially affects how your data is handled, we update this list; for changes affecting consumer health data, we update the CHD Policy and re-request consent.
6. DATA RETENTION
How long we keep personal information depends on (1) whether it is needed to provide active services, (2) legal and regulatory obligations, (3) the need to resolve disputes and enforce our agreements, and (4) your account status.
| Data | Retention |
|---|
| Account, profile, and insurance-plan data | Kept for the life of your account; deleted on account deletion (Section 11) |
| Uploaded documents and extracted health data | Governed by the CHD Policy. Fully deleted when you withdraw health-data consent, and on account deletion; only de-identified, generic plan-catalog facts are retained (Section 4.2) |
| Payment records | Stripe, as an independent business controlling its own records, retains payment records under its own legal-basis schedule (commonly about 7 years for tax, fraud, and anti-money-laundering rules). Candid's own subscription-status records are deleted with your account |
| Support communications | Kept up to 2 years after the matter is resolved, then deleted |
| Consent-event records | Kept as proof of consent while your account is active; handled on deletion as described in Section 11 |
| De-identified and aggregated data | Retained indefinitely in de-identified form and never re-identified (Section 4.2) |
| Server, log, and provider-side data | Kept for each provider's standard period under its agreement |
We run no scheduled retention or cleanup job — deletion of your content is event-driven (withdraw consent, account deletion, administrator deletion).
7. NO SALE OF YOUR DATA; ADVERTISING AND MARKETPLACE
We do not sell your personal information or your consumer health data for money — ever. Candid's revenue comes from subscriptions, from advertising on non-health and de-identified surfaces, and from marketplace listing memberships (attorneys and providers pay a flat fee to be listed in our directories). Charging a business to be listed is selling a product to that business; it is not selling your data.
Marketplace listings are not an endorsement or a vetting service. A listing means a participant paid to appear — not that Candid recommends, vets, or vouches for them.
Marketplace connections you initiate. If you choose to use a marketplace feature, only the limited, non-health profile data described in our separate Marketplace Data Sharing Consent — your state, the service category you are seeking, and your contact email; not your insurance company or plan type — is shared at your request, after you separately opt in, to make the connection you asked for. We never share your documents, audit findings, or dispute letters with marketplace participants. Because a participant pays us a listing fee, this consumer-initiated sharing may be treated as a "sale" or "share" under some state laws even though we receive no money for the data itself; we therefore give you the opt-out and signal-honoring in Section 10.
Advertising. Where we show advertising, our policy is to use non-health context or de-identified and aggregated data only — we do not target advertising using your identifiable consumer health data, and we do not place advertising-network tags on the authenticated, health-data parts of the Services.
8. COOKIES, ANALYTICS, AND TRACKING
Candid uses essential, first-party cookies for authentication and session management. We do not use third-party advertising cookies, ad pixels or beacons, or cross-site behavioral-tracking technologies. We do not load third-party web analytics on the signed-in parts of the Services (such as your claims, plans, disputes, and uploads), where your health data appears, and we do not use analytics to build advertising profiles about you.
When any advertising under Section 7 is implemented, ad technology may introduce new tags or identifiers; we will update this section and the Section 5 provider list and obtain any consent then required before doing so.
9. YOUR RIGHTS — ALL USERS
Wherever you live, you may ask us to:
- Access — get a copy of the personal information we hold about you;
- Correct — fix inaccurate personal information;
- Delete — delete your account and the personal information we hold about you (a true erasure of identifiable data — Section 11); and
- Port — receive your personal information in a structured, machine-readable format.
How to exercise them, honestly stated. You can delete your account from your account Settings. For access, correction, and a portable copy, submit a request through your account Settings or a support ticket; we fulfill these requests manually within 30 days. We do not yet offer an instant self-service download — your request is handled by a person and confirmed to you.
10. YOUR RIGHTS — BY STATE
10.1 CALIFORNIA (CCPA / CPRA)
California residents have the rights to Know / Access, Delete, Correct, Opt out of the sale or sharing of personal information, Limit the use of sensitive personal information, data portability, and non-discrimination.
- Sensitive personal information. Your consumer health data is sensitive personal information; we collect and use it only with your consent under the CHD Policy and only to provide the Services you request. You may direct us to limit use of sensitive personal information; because we already restrict it to providing the Services, this does not reduce functionality.
- Do Not Sell or Share My Personal Information. We do not sell your personal information for money. To the extent the marketplace or advertising activities in Section 7 are treated as a "sale" or "share," you may opt out — through your account Settings or a support ticket.
- Global Privacy Control (GPC). We honor the GPC browser signal as a valid request to opt out of sale or sharing for that browser, and we record it. Because Candid does not sell or share personal information today, there is currently nothing to suppress; before any sale, share, or advertising feature launches, GPC will functionally suppress that processing.
- Non-discrimination. We will not deny you services, charge a different price, or provide a different quality of service for exercising your rights.
- Response time. We respond to CCPA/CPRA requests within 45 days (extendable by another 45 days where permitted, with notice).
10.2 VIRGINIA, COLORADO, CONNECTICUT, UTAH, TEXAS, OREGON (AND OTHER COMPREHENSIVE-PRIVACY-LAW STATES)
If you reside in a state with a comprehensive consumer-privacy law — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and Oregon (OCPA) — you may have rights to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Most of these laws treat health data as sensitive and require your opt-in consent before processing it — which is why health-data collection runs through the separate CHD Policy consent.
Appeal. If we decline your request, you may appeal by contacting us at privacy@candidclaim.com with "Privacy Appeal" in the subject line. We respond within the time your state's law requires (generally 45 to 60 days). If we deny the appeal, we will tell you how to contact your state Attorney General:
- Virginia — Office of the Attorney General, Consumer Protection: oag.state.va.us
- Colorado — Colorado Attorney General (Colorado Privacy Act): coag.gov
- Connecticut — Office of the Attorney General: portal.ct.gov/ag
- Utah — Utah Division of Consumer Protection: dcp.utah.gov
- Texas — Office of the Attorney General of Texas: texasattorneygeneral.gov
- Oregon — Oregon Department of Justice: justice.oregon.gov
10.3 WASHINGTON (MY HEALTH MY DATA ACT) — SEE THE CHD POLICY
If you are a Washington resident (or your consumer health data is otherwise covered by the Washington My Health My Data Act, RCW 19.373), your consumer-health-data rights — separate consent before collection, the right to withdraw consent, the right to have consumer health data deleted, the no-sale-without-authorization rule, and the right not to be geofenced around healthcare locations — are described in, and exercised through, our CHD Policy (www.candidclaim.com/health-data). Please read that policy. Washington law also provides a private right of action under the Washington Consumer Protection Act (RCW 19.86).
11. DATA DELETION AND ERASURE
Candid offers three erasure paths. Read them with the carve-outs at the end of this section — they are stated honestly, not aspirationally.
(i) Withdraw health-data consent — full erasure of your health data; account preserved. You may withdraw your health-data consent at any time from your account Settings. When you do, we immediately stop processing and permanently delete everything we hold that is linked to you: every document you uploaded (bills, EOBs, SBCs and plan documents, insurance-card images) and the stored files; all data we extracted (claims, line items, audit findings, cost estimates, benefit analyses) and anything you entered manually; your dispute drafts and records; and your insurance-plan and coverage records. We keep only de-identified, generic plan-catalog facts that no longer identify you (Section 4.2). Your account, subscription, and non-health data are preserved so you can keep using Candid. The full mechanics are in the CHD Policy, which controls. (If you have an open dispute, we will warn you and ask you to confirm before deleting the records it relies on.)
(ii) Delete your account — true hard erasure of identifiable data. When you delete your account, we permanently delete everything in path (i) plus your profile, authentication account, subscription-status records, support tickets, and consent records, along with previously-retained records including finding dismissals and insurer-appeal confirmations. We complete deletion within 30 days.
This erasure has honest carve-outs — data that is not deleted, because it is either no longer about you or held by an independent party under its own legal duty:
- Payment records held by Stripe. Stripe controls its own records and retains payment information under its own schedule (commonly about 7 years). We delete our local subscription records but cannot erase Stripe's.
- De-identified and aggregated data. Statistics and plan/coverage reference data we derived before your deletion are retained in de-identified form and are never re-identified (Section 4.2). They are no longer linked to you.
- De-linked operational and forensic records. Certain internal operational records are kept with your identity removed — the link to you is severed.
- Provider-side and log data. Copies held by our service providers, and server and operational logs, age out under each provider's standard retention.
(iii) Deletion request for any data. Independent of account deletion, you may request deletion of personal information through a support ticket; we honor verified deletion requests within 30 days, subject to the same carve-outs and legal-retention exceptions.
12. SECURITY
We protect personal information with safeguards aligned with HIPAA-grade practices (we are not a HIPAA covered entity — Section 1). Our shipped controls include:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256) for stored data;
- Per-user, server-side access scoping, so that one user's requests cannot reach another user's data;
- Rate-limiting and bot-challenge controls on sensitive and abuse-prone endpoints;
- Redaction of health-data residue from application logs;
- Authentication through Firebase / Google Identity Platform with managed token handling; and
- Access controls and periodic reviews for administrative access.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If a breach affecting your personal information occurs, we will notify affected users and regulators as required by applicable breach-notification laws.
13. INTERNATIONAL USERS
Candid is operated from the United States, and your personal information is processed in the United States. Some of our service providers rely on Standard Contractual Clauses or the EU-U.S. Data Privacy Framework for any cross-border transfer. By using Candid, you understand that your information is processed in the United States.
14. CHILDREN'S PRIVACY
The Services are intended only for adults 18 and older. We do not knowingly collect personal information from anyone under 18; if we learn that we have, we delete it promptly. We confirm your age at signup.
15. CHANGES TO THIS POLICY
We may update this policy. For material changes, we will provide notice and, where the change affects what you previously agreed to, ask you to re-accept the updated policy through an in-product prompt. The "Effective" date reflects the current version. If a material change affects consumer health data, we will also update the CHD Policy and re-request consent.
16. CONTACT
Airgetlam Labs LLC (operator of Candid), 7547 Leviston Avenue, El Cerrito, CA 94530.
- Privacy requests and questions: privacy@candidclaim.com
- Privacy appeals: privacy@candidclaim.com (subject "Privacy Appeal")
- General support: through your account Settings or a support ticket at candidclaim.com