Legal

Privacy Policy

Effective date: March 2, 2026

Billshy (“Billshy,” “we,” “us,” or “our”) operates the Billshyplatform, a workers’ compensation billing workflow application. This Privacy Policy describes how we collect, use, protect, and disclose information when you use our services. By accessing or using Billshy, you acknowledge that you have read and understood this policy.

1. Information We Collect

We collect and process information necessary to provide billing workflow services. The categories of data we handle include:

  • Account information — name, email address, and authentication credentials used to create and manage your Billshy account.
  • Organization and team data — organization name, membership roles (admin, biller, viewer), and billing ownership configuration.
  • Case and patient data — patient demographics, dates of service, diagnosis codes, procedure codes, claim numbers, provider information, and other fields entered by authorized users or extracted from uploaded documents.
  • Uploaded documents — QME reports, medical records, declarations, and other source documents submitted for billing workflow processing.
  • Billing and payment data — subscription status, usage records, and payment information processed through our third-party payment provider (Stripe).
  • Usage and audit data — activity logs, access records, and operational metadata generated through your use of the platform.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing and operating the Billshy platform, including case intake, document parsing, draft review, CMS-1500 generation, and electronic claim submission.
  • Managing your account, organization membership, and role-based access permissions.
  • Processing subscription billing and usage-based charges through our payment infrastructure.
  • Generating and delivering transactional notifications related to billing activity, submission status, and account events.
  • Maintaining audit trails and activity logs for security, compliance, and operational integrity.
  • Improving platform reliability, diagnosing technical issues, and enhancing service quality.

3. Protected Health Information

Billshy processes data that may constitute Protected Health Information (PHI) under applicable healthcare privacy laws. We implement safeguards appropriate to the sensitivity of this data, including:

  • Encryption of sensitive patient demographic and clinical fields at rest.
  • Organization-scoped data isolation ensuring that each workspace can only access its own records.
  • PHI redaction in application logs and operational alert payloads.
  • Role-based access controls that restrict data visibility by user permission level.

Where applicable, the handling of PHI is governed by a Business Associate Agreement (BAA) executed between Billshy and the covered entity. If your organization requires a BAA, please contact us prior to processing PHI through the platform.

4. Data Sharing and Third Parties

We do not sell your personal information or PHI. We share data only in the following circumstances:

  • Service providers — we use trusted third-party services to operate the platform, including cloud infrastructure hosting, object storage, payment processing (Stripe), email delivery, and authentication services. These providers access data only as necessary to perform their functions.
  • Electronic claim submission — when you submit claims electronically, billing data is transmitted to designated clearinghouses and payers as part of the standard EDI workflow.
  • Legal obligations — we may disclose information when required by law, regulation, legal process, or governmental request.

5. Security Controls

We maintain administrative, technical, and physical safeguards designed to protect data against unauthorized access, alteration, disclosure, or destruction. Key measures include:

  • Authenticated access enforced through identity token verification and multi-factor authentication support.
  • Encrypted data transmission over HTTPS with strict transport security headers.
  • Tenant-level row-level security policies on database tables containing PHI and billing data.
  • Server-side rate limiting on authentication endpoints and sensitive operations.
  • Content Security Policy enforcement and standard browser security headers.

For a detailed overview of our security posture, visit the security section on our Features page .

6. Data Retention and Deletion

We retain data for the duration necessary to fulfill the purposes described in this policy and to comply with applicable legal and regulatory obligations. Our retention practices include:

  • Configurable retention schedules aligned with contractual, regulatory, and operational requirements.
  • Automated retention workflows that periodically remove aged audit events, EDI submission artifacts, and inactive patient records no longer linked to active cases.
  • Secure deletion of stored documents and generated artifacts upon expiration of applicable retention periods.

To request account-level data deletion or inquire about specific retention policies, contact Billshy support.

7. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information, including the right to access, correct, or delete your data. Organization administrators may manage user accounts and data directly within the platform. For requests that cannot be fulfilled through the application, contact us using the information below.

8. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated to account owners via email or through the platform. Continued use of Billshy after changes take effect constitutes acceptance of the updated policy.

9. Contact

For privacy inquiries, data requests, or questions about this policy, contact us at billshy1@outlook.com or visit our Contact page.