Skip to content
billoquy

Trust & data

How to trust a finding — and what we do with your data

A finding is only useful if you can check it. billoquy is built so you can: every dollar traces to a public record, we are plain about what we can and cannot check yet, and nothing acts on your behalf without your approval.

Findings cite the record

Each check reads one kind of bill against one public record — the tariff database, the hospital's price-transparency file, the FCC broadband label, or CFPB fee guidance. A completed finding carries its citations: for each one, a label, the source, and — where the source is a public URL — a link. You can open the record and check the work yourself, or hand the citation to someone who will.

The four checks page lists the exact record each check cites, and the MCP returns those citations on every finding, so an assistant relays the source alongside the number.

Honest about coverage

We would rather say "not yet" than invent a number

billoquy's checks read real public records, and we are building out the data pipelines behind them region by region. One check — Medical — depends on data loaded hospital by hospital (each hospital's federally required price-transparency file). Where a check cannot run on your input yet, it resolves to an honest "not yet available" — never a fabricated finding — and nothing is charged. You can leave your email to be told when your hospital is live.

The same honesty runs through the API and the agent surface: an unavailable check returnsnot_yet_available with a way to register interest, and a check that could not complete reports failed plainly rather than guessing.

The approval firewall

billoquy prepares; you approve. Every prepared fix waits in your account until you release it, and that boundary is enforced at the layer that matters — the edge refuses to approve on anything but a human session. An AI assistant you connect can prepare, but can never approve, file, send, or pay. There is no send button you did not press.

How your data is handled

  • Documents. Uploads are limited to PDFs and images and capped in size; anonymous uploads are rate-limited. When an assistant supplies a document by URL, that URL is fetched under strict guards (https only, a blocklist for private/loopback/metadata addresses, a content-type allowlist, and a byte cap) before it ever reaches storage.
  • Sign-in. Authentication is passwordless — a one-time link to your email. Your email address is not written to our logs; only that a link was requested.
  • Agent keys. A key an assistant uses is owner-scoped to your account, created by you, shown once, and revocable by you at any time. The agent surface holds no cloud credentials and no direct database access — it is a pure client of the same API the app uses, so it cannot slip past a guardrail.
  • Traceability. Every request carries a correlation id through the system, so an issue can be traced end to end without exposing what you uploaded.

What we do with your documents — in one breath

Your bill is used for exactly one thing: running the check you asked for and preparing the fix you approve. It is never sold, never used for advertising, and never used to train AI models. An upload that never becomes a check is deleted automatically, and everything else is deleted when you ask — emailhelp@billoquy.com and it's done. ThePrivacy Policy spells out every system your document touches and how long each thing is kept; the Terms of Service cover the rest.

What this is not

billoquy is decision support built on public records — not legal, tax, or financial advice. It compares your bills against the public record and prepares a fix; it never files, sends, or pays on your behalf. We surface the sources and the math so that the decision, and the approval, stay yours.