
Last updated: March 29, 2026

Privacy Policy

MyHSAHub (“we,” “us,” or “our”) operates an online platform that helps you store, organize, and track medical receipts for Health Savings Account (HSA) reimbursement purposes. Your privacy is critically important to us — especially because the information you entrust to us may reveal details about your health.

This Privacy Policy explains what information we collect, why we collect it, how we protect it, and your rights regarding your data. Please read it carefully.

1. Information We Collect

1.1 Account Information

When you register and set up your profile, we collect:

  • Email address (required)
  • Password (stored only in hashed form — we never see or store your plaintext password)
  • Phone number (optional)
  • First name, last name, and middle initial
  • Date of birth (optional)
  • Household address (optional)

1.2 Receipt & Health-Related Data

When you upload or create a receipt, we may collect information that could reveal details about your health, including:

  • Date of medical service
  • Healthcare provider name
  • Description of the medical service or expense
  • Cost and payment details
  • HSA expense category
  • Recipient name (e.g., yourself, a spouse, or a dependent)
  • Uploaded receipt images or PDF documents
  • Notes you add to receipts

Sensitive data notice: Medical receipts can reveal health conditions, treatments, and medications. We treat all receipt data with the highest level of care and never use it for advertising, profiling, or any purpose other than providing you with the service.

1.3 Financial Account Information

You may optionally store:

  • Payment method names and types (e.g., “Chase Visa Debit”)
  • Last four digits of payment card or account numbers (we mask the rest)
  • Deposit account names and institution names for reimbursement tracking

We do not process payments. We only store descriptive labels you provide to help you track which card was used and where reimbursements were deposited.

1.4 Automatically Collected Data

When you use MyHSAHub, we automatically collect:

  • IP address
  • Approximate location derived from your IP (city and country only)
  • Browser type and operating system
  • Session timestamps (login time, last activity)

This data is used for session management, security monitoring, and to help you review your active sessions.

1.5 Support Ticket Data

If you contact us through our help center, we collect your message content, category, and any screenshots you attach.

2. How We Use Your Information

We use your data exclusively to provide and improve the MyHSAHub service:

  • Provide core functionality — store and organize your receipts, generate statements and exports, and track reimbursement status.
  • Process uploaded documents — we use automated document intelligence (OCR) to extract data from receipt images and PDFs to save you time.
  • Authenticate and secure your account — verify your identity, enforce multi-factor authentication, detect suspicious login attempts, and manage sessions.
  • Communicate with you — send email verification links, password reset emails, and security alerts.
  • Provide customer support — respond to your help requests and troubleshoot issues.

We do NOT use your data for: advertising, marketing, profiling, selling to third parties, or any purpose unrelated to providing and improving MyHSAHub.

3. How We Protect Your Information

We implement industry-standard technical and organizational safeguards:

  • Encryption of data in transit and at rest
  • Secure password storage — we never store or have access to your plaintext password
  • Masking of sensitive financial account numbers
  • Automatic session expiration and the ability to review and revoke active sessions
  • Protection against unauthorized access attempts
  • Optional multi-factor authentication (MFA) for additional account security

4. Third-Party Services

We work with a limited number of trusted third-party service providers:

  • Cloud infrastructure and secure file storage
  • Automated document processing (extracting data from uploaded receipts)
  • Transactional email delivery (verification, password reset, security alerts)
  • Email validation and fraud prevention

We do not sell, rent, or trade your personal information to any third party.

5. Data Retention

  • Active accounts — your data is retained for as long as your account is active.
  • Deletion requests — if you request deletion of your personal information, we will delete it from our records and direct any service providers to do the same.
  • Session data — session records are retained for security auditing purposes and expire automatically.

6. Your Rights

Depending on your location, you may have some or all of the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete data.
  • Deletion — request that we delete your account and all associated data.
  • Data portability — export your receipts and data in standard formats (CSV, PDF).
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

Contact us at [email protected] and we will respond within 30 days.

7. State-Specific Disclosures

7.1 California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of the sale of your data. We do not sell your personal information.

7.2 Washington (My Health My Data Act)

If you are a Washington state resident, the My Health My Data Act (MHMDA) may provide you with additional rights regarding your consumer health data. We collect health-related information solely to provide you with the receipt tracking service you have requested. We do not sell or share your consumer health data.

8. HIPAA Disclaimer

MyHSAHub is not a covered entity or business associate under HIPAA. While HIPAA does not legally apply to our service, we voluntarily implement security measures consistent with HIPAA standards.

9. Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will notify you via email within 60 days, consistent with the FTC Health Breach Notification Rule.

10. Children's Privacy

MyHSAHub is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.

11. Cookies and Tracking

MyHSAHub uses essential cookies only — specifically, a session cookie required for authentication. We do not use third-party analytics cookies, advertising trackers, or tracking pixels.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page.

13. Contact Us

  • Email: [email protected]
© 2026 MyHSAHub. All rights reserved.