1. Introduction
ClaimCure Health Technologies Inc. ("ClaimCure," "we," "us," or "our") operates the website claimcure.health and provides AI-powered health insurance appeal services (the "Service"). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you use our Service.
ClaimCure is federally incorporated in Canada and serves customers in both the United States and Canada. This Privacy Policy is designed to comply with applicable privacy laws in both jurisdictions, including:
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- British Columbia's Personal Information Protection Act (BC PIPA)
- The California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
- The Washington My Health My Data Act (MHMDA)
- Other applicable US state privacy laws
- The CAN-SPAM Act (US) and Canada's Anti-Spam Legislation (CASL)
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
2. Who We Are
ClaimCure Health Technologies Inc. is a health technology company that uses artificial intelligence to help individuals and healthcare providers draft appeal letters for denied health insurance claims. We are not a law firm, healthcare provider, health plan, or insurance company.
Privacy Officer:
Email: [email protected]
Location: Vancouver, British Columbia, Canada
The Privacy Officer is the individual accountable for our compliance with applicable privacy legislation, as required by PIPEDA and BC PIPA.
3. Information We Collect
3.1 Information You Provide Directly
| Category |
Data Collected |
When |
| Contact Information |
Email address, name |
Submission forms, contact form, business registration |
| Health & Insurance Information |
Insurance denial letters, medical records excerpts, patient notes, diagnosis codes, procedure codes, insurer names |
When you upload documents or provide context for your appeal |
| Account Credentials |
Email address, password (stored as a one-way cryptographic hash—we never store your actual password) |
Business portal registration |
| Business Information |
Practice or company name, subscription plan |
Business portal registration |
| Communications |
Messages sent via contact form, chatbot conversations, email replies |
When you contact us or use the chatbot |
| Marketing Preferences |
Opt-in or opt-out status for marketing communications |
Free audit submission (optional checkbox) |
3.2 Information Collected Automatically
- Device and Usage Data: IP address, browser type, pages visited, and timestamps when you access our website.
- Cookies: We use strictly necessary cookies for authentication (session management). We do not use advertising or tracking cookies. See Section 12 for details.
- Email Engagement Data: If you receive emails from us, we may track whether the email was opened and which links were clicked, to measure the effectiveness of our communications.
3.3 Information We Do Not Collect
- We do not collect payment card numbers, bank account details, or other financial account information. All payment processing is handled directly by our third-party payment processor, Stripe.
- We do not knowingly collect information from children under 13 (see Section 14).
3.4 Sensitive Health Information
The documents you upload and the notes you provide may contain sensitive health information, including Protected Health Information (PHI) as defined under US law, or personal health information as defined under Canadian law. We treat all such information as sensitive personal information subject to heightened protections as described in this policy. By uploading health-related documents, you provide express consent for us to process this sensitive information for the purpose of generating your insurance appeal and, in aggregate de-identified form only, for improving our service quality.
4. Your Warrant of Authority
IMPORTANT: If you upload documents belonging to a third party (e.g., a spouse, child, or patient), you formally warrant that you have obtained all necessary legal consents and authorizations to share that data with ClaimCure for the purpose of generating an appeal. You agree to indemnify ClaimCure against any claims arising from unauthorized data sharing.
5. How We Use Your Information
We use your personal information only for the following purposes:
| Purpose |
Description |
Legal Basis (PIPEDA) |
| Service Delivery |
Analyze your denial documents, generate appeal letters, deliver results to you via email |
Express consent |
| AI Processing |
Process your uploaded documents and notes through our AI system to identify appeal arguments and draft letters (see Section 6 for details) |
Express consent |
| Payment Processing |
Process payments through Stripe, record payment status |
Contractual necessity |
| Account Management |
Create and manage business portal accounts, authenticate sessions |
Contractual necessity |
| Customer Support |
Respond to inquiries via contact form, chatbot, or email |
Implied consent |
| Transactional Communications |
Send order confirmations, appeal delivery emails, case status updates |
Contractual necessity |
| Marketing (Opt-In Only) |
Send tips on fighting insurance denials and product updates, only if you explicitly opt in |
Express consent |
| Security & Compliance |
Prevent fraud, enforce rate limits, maintain audit logs, comply with legal obligations |
Legitimate interest / legal obligation |
| Service Improvement |
Aggregate, de-identified analytics to improve our AI accuracy and user experience |
Implied consent (de-identified data) |
We will not use your personal information for any purpose other than those identified above without first obtaining your consent.
6. AI and Automated Decision-Making
ClaimCure uses artificial intelligence to analyze your insurance denial documents and draft appeal letters. We believe in transparency about how this technology works:
6.1 How Our AI Works
- What it does: Our AI reads the text extracted from your uploaded documents and your written notes, identifies potential grounds for appeal, and drafts an appeal letter on your behalf.
- Technology: We use large language model technology hosted on AWS Bedrock infrastructure. Our API calls originate from Canada (AWS ca-central-1 region), but AI inference may be processed in the United States via AWS cross-region inference. Data is processed transiently and is never stored outside Canada. AWS maintains zero data retention for model inputs and outputs.
- What data is processed: The text content of your uploaded denial letters, any notes you provide, and extracted medical/insurance information.
- Human oversight: AI-generated appeal letters are tools to assist you. We recommend that you review and, if necessary, edit the generated letter before submitting it to your insurer. ClaimCure does not submit appeals on your behalf.
6.2 AI Data Protections
- We DO NOT sell your data to any third party.
- We DO NOT use your data to train general-purpose AI models.
- We DO NOT share your raw documents or personal information with third-party AI companies for their use.
- Your data is processed for inference (generating your appeal) only and is not retained by the AI model provider.
6.3 Your Rights Regarding AI
You have the right to:
- Know that AI is being used to process your data (this disclosure fulfills that right).
- Review and edit any AI-generated content before using it.
- Request information about how the AI reached its conclusions by contacting our Privacy Officer.
- Opt out of AI processing entirely by contacting us—however, this means we would be unable to provide the core Service.
7. How We Share Your Information
We share your personal information only in the following limited circumstances:
| Recipient |
Data Shared |
Purpose |
| Amazon Web Services (AWS) |
Document text, notes, email content |
AI processing (Bedrock), email delivery (SendGrid), data storage (S3). Data is stored in the AWS ca-central-1 (Canada) region. AI inference may be transiently processed in the United States via AWS cross-region inference, with zero data retention. |
| Stripe, Inc. |
Email address (for receipts); Stripe collects payment details directly |
Payment processing. Stripe is PCI DSS Level 1 certified. We never see or store your card number. |
| Google (if analytics enabled) |
Page view data, approximate location, device type. Google Analytics 4 does not log full IP addresses per Google's data processing terms. |
Website analytics via Google Analytics 4. Disabled by default; only active if enabled by administrator. Data may be processed outside Canada. |
We do not sell, rent, or trade your personal information. We have not sold personal information in the preceding 12 months.
We may also disclose your information if required by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of the transaction. We will notify you via email or prominent notice on our website before your information becomes subject to a different privacy policy.
8. Data Retention — The "Data Shredder" Protocol
We retain your personal information only as long as necessary for the purposes described in this policy. Our automated Data Shredder enforces strict retention limits:
| Data Category |
Retention Period |
Deletion Method |
| Uploaded documents (PDFs, images) |
48 hours after upload |
Automated permanent deletion from active systems |
| Case records (consumer appeals) |
48 hours after creation |
Automated permanent deletion from database |
| AI-generated appeal letters |
48 hours after generation |
Deleted with case record |
| Business portal case data |
Duration of active account |
Deleted on account closure or upon request |
| Business account information |
Duration of active account |
Deleted on account closure or upon request |
| Contact form submissions |
Until inquiry is resolved, then up to 1 year |
Manual or automated deletion |
| Email communication logs |
Up to 90 days after sequence completion |
Automated deletion |
| Testimonials |
Until withdrawn or account closure |
Manual deletion upon withdrawal request |
| Appeal outcome records |
Up to 90 days after resolution |
Automated deletion |
| Security event logs |
Up to 7 years (configurable) |
Automated deletion |
| Encrypted backups |
Up to 90 days (code, config, and operational data only—consumer documents, case records, and AI output are never included in backups) |
Overwritten per standard rotation cycle |
Note: Cases with active payment processing (PAID status) are retained until delivery is complete. After delivery, the 48-hour deletion timer begins.
9. Cross-Border Data Transfers
ClaimCure is based in Canada. Our data storage infrastructure is located in Canada (AWS ca-central-1 region, located in the Province of Quebec). All uploaded documents and generated appeal letters are stored exclusively within Canada.
However, certain services may process data outside of Canada:
- AI processing (AWS Bedrock cross-region inference): When generating your appeal letter, document text and notes are sent to AI models via AWS Bedrock. While our API calls originate from Canada, AI inference may be transiently processed on AWS servers in the United States. AWS maintains zero data retention for all model inputs and outputs—your data is not stored, logged, or used for model training. Processing is covered by our AWS Business Associate Agreement.
- Stripe (payment processing): Stripe, Inc. is a US-based company. Your email address and payment details (collected directly by Stripe) may be processed in the United States. Stripe is PCI DSS Level 1 certified and maintains its own privacy safeguards.
- Google Analytics (if enabled): If website analytics are enabled, anonymized usage data (pages visited, approximate location) may be processed by Google on servers outside Canada, including in the United States. No health information is shared with Google.
- For US residents: Your data is stored in Canada and may be transiently processed in the United States for AI inference. By using our Service, you consent to this processing.
- For Canadian residents: Your data is stored within Canada. AI inference may be transiently processed in the United States via AWS cross-region inference with zero data retention. Limited non-health data (email for payment receipts, anonymized analytics) may also be processed outside Canada as described above. We maintain contractual safeguards (AWS Business Associate Agreement) to ensure your data receives equivalent protection regardless of where it is processed.
- Legal access: Canadian and foreign law enforcement or government authorities may obtain access to your data under applicable legal processes (e.g., court orders). We will comply with valid legal process but will challenge overly broad requests where permitted by law.
10. Security Measures
We implement technical, administrative, and organizational safeguards appropriate to the sensitivity of the information we process:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (256-bit AES-GCM).
- Encryption at Rest: Data stored on our servers is encrypted using AES-256 encryption via AWS EBS and S3 server-side encryption with AWS Key Management Service (KMS).
- Password Security: Account passwords are hashed using bcrypt with 12 rounds of key stretching. We never store passwords in plaintext.
- Access Controls: Administrative access is protected by strong password requirements, account lockout after repeated failed attempts (rate limiting), and cryptographic session tokens.
- Security Headers: We enforce strict HTTP security headers including HSTS, Content Security Policy, and X-Frame-Options.
- Automatic Data Deletion: Our Data Shredder automatically and permanently deletes consumer data within 48 hours (see Section 8).
- Backup Encryption: System backups (code, configuration, and operational data) are encrypted using AWS KMS before transmission and storage. Consumer documents, case records, and AI-generated content are never included in backups.
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you suspect a security incident, please contact us immediately at [email protected].
11. Data Breach Notification
In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will:
- Notify affected individuals as soon as feasible, describing the nature of the breach, the information involved, and steps we are taking.
- Report to regulators as required by law, including:
- The Office of the Privacy Commissioner of Canada (OPC) under PIPEDA
- The Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) under BC PIPA
- The US Federal Trade Commission (FTC) under the Health Breach Notification Rule, if applicable
- Applicable US state attorneys general as required by state breach notification laws
- Maintain records of all breaches in accordance with legal requirements.
12. Cookies and Tracking Technologies
12.1 Cookies We Use
| Cookie |
Purpose |
Duration |
Type |
| admin_session |
Admin authentication |
24 hours |
Strictly necessary |
| business_session |
Business portal authentication |
7 days |
Strictly necessary |
| referral_code |
Track referral program participation |
30 days |
Functional |
All cookies are set with HttpOnly, Secure, and SameSite=Lax flags for security. We do not use advertising or third-party tracking cookies.
12.2 Local Storage
We use browser localStorage to remember your display theme preference (light/dark mode). This data never leaves your browser.
12.3 Analytics
We may use Google Analytics 4 to collect website usage data (pages visited, time on site). This feature is disabled by default and only activated at the administrator's discretion. When active, Google Analytics is subject to Google's Privacy Policy.
12.4 Do Not Track Signals
Some browsers offer a "Do Not Track" (DNT) setting. There is currently no industry-wide standard for how companies should respond to DNT signals. At this time, our website does not respond to DNT signals. However, you can control tracking through your browser settings and by opting out of analytics cookies where available.
13. Email Communications
13.1 Transactional Emails
We send transactional emails necessary to deliver the Service, including order confirmations, appeal letter delivery, case status updates, and account notifications. These emails are not marketing and you cannot opt out of them while using the Service.
13.2 Marketing Emails (Opt-In Only)
We only send marketing emails if you have provided express consent (e.g., by checking the marketing opt-in box during free audit submission). This complies with both CAN-SPAM (US) and CASL (Canada) requirements.
- Every marketing email includes a clear, functional unsubscribe link.
- Unsubscribe requests are honored promptly (within 2 business days for CASL, within 10 business days for CAN-SPAM).
- All emails include our company name and physical mailing address.
- We do not use deceptive subject lines or misleading header information.
13.3 Follow-Up Emails
After receiving our Service, you may receive follow-up emails asking about the outcome of your appeal. These emails help us track the success of our service and improve our AI. You can opt out of follow-up emails at any time via the unsubscribe link.
14. Children's Privacy
Our Service is intended for users who are at least 18 years of age (or the age of majority in their jurisdiction, whichever is greater), as stated in our Terms of Service. We do not knowingly collect personal information from individuals under 18. We also do not knowingly collect personal information from children under 13, in compliance with the US Children's Online Privacy Protection Act (COPPA). If we become aware that we have collected personal information from an individual under 18 without appropriate consent, we will take steps to delete that information promptly. If you believe a minor has provided us with personal information, please contact us at [email protected].
15. Your Privacy Rights
15.1 Rights for All Users
Regardless of where you live, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate personal information.
- Deletion: Request that we delete your personal information (subject to legal retention requirements).
- Withdraw Consent: Withdraw your consent for data processing at any time (note: this may prevent us from providing the Service).
- Complaint: Lodge a complaint with the appropriate regulatory authority (see Section 18).
15.2 Testimonial Consent & Withdrawal
If you voluntarily submit a testimonial about your appeal outcome:
- Consent is opt-in: Testimonials are only collected if you actively choose to share your experience. We never collect testimonials without your express consent.
- De-identification: Testimonials are automatically processed to remove dates, dollar amounts, identification numbers, phone numbers, and email addresses before storage.
- Admin review: All testimonials are manually reviewed before publication. Your testimonial will not be displayed publicly until approved.
- Right to withdraw: You may withdraw your testimonial at any time by using the withdrawal link provided in your follow-up email, or by contacting us at [email protected]. Upon withdrawal, your testimonial text is permanently deleted and any published display is removed within 30 days.
15.3 Additional Rights for Canadian Residents
Under PIPEDA and BC PIPA, you also have the right to:
- Know the purposes for which your information is collected, used, and disclosed.
- Challenge our compliance with privacy legislation by filing a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the OIPC BC.
- Expect that we collect only information necessary for the identified purposes.
15.3 Additional Rights for US Residents
Depending on your state of residence, you may have additional rights under state privacy laws:
- Right to Know: Request details about the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. However, if this ever changes, you will have the right to opt out.
- Right to Limit Use of Sensitive Information: You can request that we limit our use of your sensitive personal information (including health information) to what is necessary to perform the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Opt Out of Automated Decision-Making: Where applicable, you may request an alternative to AI-based processing of your information.
15.4 How to Exercise Your Rights
To exercise any of these rights, contact our Privacy Officer:
We will verify your identity before processing your request. We will respond within:
- 30 days for requests under PIPEDA / BC PIPA (Canada)
- 45 days for requests under CCPA/CPRA (California) and other US state laws
If you have authorized an agent to make a request on your behalf, we may require proof of authorization.
16. California-Specific Disclosures (CCPA/CPRA)
If you are a California resident, the following additional disclosures apply:
- Categories of personal information collected: Identifiers (email, name); health/medical information; internet activity (IP, pages visited); commercial information (payment status).
- Categories of sensitive personal information collected: Health information contained in uploaded documents.
- Business or commercial purpose for collection: Providing the insurance appeal service as described in Section 5.
- Sale or sharing of personal information: We have not sold and do not sell personal information. We have not shared personal information for cross-context behavioral advertising in the preceding 12 months.
- Retention: As described in Section 8.
- Financial incentive programs: Our referral program offers discounts for referring new customers. Participation is voluntary and you can withdraw at any time. The value of the discount is reasonably related to the value of the referral to our business.
To exercise your CCPA/CPRA rights, contact [email protected].
17. Washington State Disclosures (My Health My Data Act)
If you are a Washington state resident, the following additional disclosures apply:
- Consumer health data collected: Health insurance denial information, medical records excerpts, diagnosis and procedure codes, and related health information that you upload.
- Purpose of collection: To provide the insurance appeal generation service you have requested.
- Categories of third parties with whom data is shared: AWS (infrastructure/AI processing), Stripe (payment processing). See Section 7 for details.
- Consent: By uploading your health information and clicking "Submit," you provide consent for us to collect and process your consumer health data for the purpose of generating your appeal. This consent is separate from any other consent you may provide.
- Right to delete: You may request deletion of your consumer health data. Note that our Data Shredder automatically deletes uploaded consumer health data within 48 hours.
- Right to withdraw consent: You may withdraw your consent for future collection at any time by contacting us.
18. Canadian-Specific Disclosures (PIPEDA & BC PIPA)
ClaimCure complies with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (BC PIPA). Key points for Canadian residents:
- Accountability: Our Privacy Officer is responsible for our compliance and can be reached at [email protected].
- Consent: We obtain express consent before collecting, using, or disclosing your sensitive personal information, including health information. You may withdraw consent at any time, subject to legal or contractual restrictions and upon reasonable notice.
- Purpose Limitation: We collect only the information necessary for the purposes identified in this policy and do not use it for any other purpose without your further consent.
- Accuracy: We take reasonable steps to ensure the personal information we hold is accurate, complete, and up to date as needed for its purposes.
- Data Residency: All data is stored within Canada (AWS ca-central-1 region). AI inference may be transiently processed in the United States via AWS cross-region inference with zero data retention (see Section 9).
- Filing a Complaint: If you are not satisfied with our handling of your personal information, you may file a complaint with:
- The Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca | 1-800-282-1376
- The Office of the Information and Privacy Commissioner for BC (OIPC): www.oipc.bc.ca | 250-387-5629
19. Third-Party Links
Our website may contain links to third-party websites or services (e.g., Stripe for payments, Google for analytics). We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you use.
20. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify registered users by email if the changes materially affect how we handle their personal information.
- Post a prominent notice on our website for at least 30 days.
Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.
21. Contact Us
If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us:
ClaimCure Health Technologies Inc. — Privacy Officer
#250 - 997 Seymour St, Vancouver, BC V6B 3M1, Canada
Email: [email protected]