Privacy Policy

Effective Date: May 14, 2026

THE SHORT VERSION

Solomon Copilot does not store your medical bills, your name, your insurance details, or your dispute letters on our servers. We do not maintain user accounts. We process your bill, return your analysis, and forget you. The longer policy below explains every exception to this and what limited data we do keep, why, and for how long.

Contents

Introduction
What We Do Not Store
What We Do Store, Briefly
Third-Party Processors
Storage on Your Device
How We Use Data
Sharing & Disclosure
California Privacy Rights
Children's Privacy
Security
Changes to This Policy
Contact

1. Introduction

Solomon Copilot™ ("we," "us," or "our") operates a medical bill analysis service at solomoncopilot.com (the "Service"). This Privacy Policy explains what information we collect, what we do with it, what we deliberately choose NOT to collect, and what rights you have.

This policy is meant to be read. We have tried to write it plainly. If something is unclear, contact us and we will explain.

2. What We Do Not Store

The following information is never written to our durable storage:

The contents of your uploaded medical bills (PDFs, photos, EOBs, statements)
Your name, address, date of birth, or other personally identifying information
Your insurance member ID, account number, or claim number
The dispute letters generated for you
Your analysis results tied to your identity
Your email address (we do not collect one and do not have user accounts)
Your IP address in raw form

When you submit a bill, it is processed in real time and discarded from our servers as soon as the analysis returns to you. We do not maintain a history of your past disputes, your past bills, or your past sessions. A returning user is functionally indistinguishable from a new user from our system's perspective. This is by deliberate design, not a feature gap.

3. What We Do Store, Briefly

To operate the Service safely and prevent abuse, we keep limited information that is intentionally minimal and never personally identifies you:

3.1 Stripe Payment Session Identifiers

When you pay for an analysis, we record the Stripe Checkout session ID, the payment status, the timestamp, and the amount paid. We use this to verify your payment server-side and to enforce that each payment corresponds to one analysis. We do not store your name, billing address, or any other information Stripe collects from you during checkout. Stripe handles all payment information directly (see Section 4).

3.2 Hashed IP Addresses

We compute a one-way cryptographic hash (SHA-256) of your IP address combined with a secret salt, and store the hash temporarily for rate-limiting and abuse detection. The hash cannot be reversed to recover your IP address. Hashes are deleted after 24 hours.

3.3 Anonymous Outcome Data (Optional)

If you voluntarily submit an outcome report through our "Pay it Forward" feature after winning a dispute, we record only the win category, plan type, U.S. state, and savings range. No identifying information is collected. This data helps us show aggregate impact and improve the Service.

3.4 General Technical Information

Browser type and version
Device type and operating system
Pages visited and time spent on the Service
General geographic location (country/state level only)
Promo code redemption counts (for promo abuse prevention)

4. Third-Party Processors

Operating the Service requires us to work with a small number of trusted third-party providers. We have selected each based on their data protection commitments.

4.1 Payment Processing — Stripe

All payments are processed by Stripe. We do not see, handle, or store your credit card number, CVV, or billing details. Stripe collects this information directly and handles it under their privacy policy and PCI compliance. You can review Stripe's privacy policy at stripe.com/privacy.

4.2 AI Analysis

To perform the actual analysis of your bill, we send the bill contents to a third-party AI provider whose service we have selected based on strong privacy and security commitments. Under our agreement with this provider:

Your bill contents are never used to train AI models
The data is retained by the AI provider for up to 7 days for safety and operational purposes before being automatically deleted
The data is transmitted over encrypted connections (HTTPS/TLS)
The AI provider is subject to commercial data protection terms separate from any consumer-facing policy

If you would prefer that your bill not be sent to a third-party AI provider at all, please do not use the Service.

4.3 Infrastructure Providers

We rely on standard cloud infrastructure providers for hosting, content delivery, database operations, and analytics. All providers are bound by their published privacy and security policies. We do not transmit your medical bill contents to any of these providers in storable form — bills are processed in memory only.

4.4 Analytics

We use Google Analytics 4 to understand aggregate Service usage (page views, navigation patterns, general traffic). Google Analytics is configured to anonymize IP addresses where possible. You can opt out of Google Analytics tracking using the Google Analytics opt-out browser add-on.

5. Storage on Your Device

During the course of a single session, the Service may temporarily store small amounts of data in your browser's local storage on your device. This data does not leave your device and is not transmitted to us or to any third party.

5.1 Bill Cache During Checkout

When you upload a bill and proceed to payment, your bill is temporarily stored in your browser's local storage on your device. This allows the analysis to resume automatically after you return from the payment page, so you do not have to re-upload the same file. The stored bill is automatically deleted from your device after the analysis completes, or after 10 minutes if the session is abandoned.

5.2 Promo Code Memory

If you enter a valid promo code, we may store it in your browser's local storage so you do not have to enter it again. You can clear this at any time through your browser's settings.

5.3 Standard Cookies

The Service uses standard browser cookies for session management and analytics (see Section 4.4). You can manage cookies through your browser's privacy settings.

6. How We Use Data

The limited information we collect is used solely to:

Operate and provide the Service to you
Process your payment and prevent payment fraud
Prevent abuse, spam, and unauthorized usage
Improve the Service through aggregate, anonymous analytics
Comply with legal obligations where required

We do not use your information to advertise to you, profile you, or sell anything to third parties.

We do not sell, rent, lease, or otherwise share your personal information with third parties for marketing purposes. We do not have a data-broker relationship with anyone.

We may disclose information when:

Required by law: in response to a valid legal request, subpoena, court order, or other legal process
To protect rights and safety: if we reasonably believe it is necessary to prevent fraud, protect the Service, or protect the safety of users or the public
With our service providers: as described in Section 4, strictly to enable Service operation

8. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:

Right to know: what personal information is collected and how it is used
Right to delete: request deletion of personal information we hold
Right to opt out: of the sale of personal information
Right to non-discrimination: we will not discriminate against you for exercising your rights

Because we do not store personally identifying information in connection with your bill analyses, most "right to delete" requests will be a no-op — we do not have data tied to you to delete. We do not sell personal information.

To exercise your rights, contact us using the methods in Section 12.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take prompt action to remove it.

10. Security

We use industry-standard security measures to protect the limited data we do store:

All data in transit is encrypted using HTTPS/TLS
Our database is protected by row-level security and access controls
Secrets and API keys are stored in encrypted environment variables, never in code
IP addresses are stored only in hashed form with a secret salt

No system can guarantee absolute security. Our architecture is designed to minimize the data we hold, so that even in the unlikely event of a breach, the information at risk is minimal.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this page and, where appropriate, provide additional notice on the Service. Continued use of the Service after a policy update constitutes acceptance of the updated policy.

12. Contact

For questions about this Privacy Policy or to exercise any privacy rights described above:

Email: care@solomoncopilot.com

We aim to respond within 30 days.