legal · privacy policy
Privacy Policy
Effective date: [EFFECTIVE DATE — set when adopted, after attorney review]
Draft — for attorney review
This document is a working draft. It has not been reviewed or approved by a licensed attorney, it is not legal advice, and it is not yet in effect. It will be adopted only after that review.
Draft — for attorney review. This document is a working draft prepared for review by a licensed attorney. It has not been reviewed by a lawyer, it is not legal advice, and it is not yet in effect. Bracketed items like
[ENTITY NAME]are placeholders the owner must fill before adoption.
The short version (plain language; the sections below control). To run a check we need your bill and a few details — sometimes sensitive ones, like an itemized hospital bill or a bank statement. We use them for exactly one thing: running the check you asked for and preparing the fix you approve. We never sell your data, never use it for advertising, and never use it to train AI models. Your documents are processed by a short, named list of infrastructure providers (AWS, Cloudflare, Stripe). Uploads that never become a check are deleted automatically, and you can ask us to delete everything at any time by emailing help@billoquy.com.
1. Who we are and what this policy covers
This Privacy Policy describes how [ENTITY NAME] (“billoquy,” “we,” “us”) handles personal
information when you use billoquy.com, app.billoquy.com, api.billoquy.com, and mcp.billoquy.com
(the “Service”). It is part of our Terms of Service. billoquy is a U.S. service for
people in the United States.
2. What we collect
We collect only what the Service needs to do its job:
- Documents you upload. Utility bills, internet or TV bills, itemized hospital bills, and bank or card statements — as a PDF or a photo. These can contain personal information: your name, address, account numbers, charges and transactions (financial information), and for the Medical Check, billing line items for medical services (health-related information).
- Details you type. What a check asks for — for example your ZIP code or your utility’s name.
- Your email address, if you sign in (sign-in is a one-time emailed link — we never have a password), leave it to be notified when a check covers your area, or write to us.
- Payment information. Payments are processed by Stripe. We receive the payment’s status and a customer reference; we never see or store your full card number.
- Technical and usage data. IP addresses (used to rate-limit anonymous uploads and for the human-verification challenge), request logs, and a correlation ID that lets us trace a request through the system. Our logs are deliberately built not to contain your email address or the contents of your documents.
- From a connected AI assistant. If you connect an assistant via an agent key, we receive the same categories above when it starts checks for you (for example, a document it supplies by URL, which we fetch under strict safety guards).
We do not collect advertising identifiers, run third-party ad trackers, or buy data about you from data brokers.
3. How we use it
- To run your checks: parsing your uploaded document with an AI model, reading it against the relevant public record, and producing your finding.
- To prepare and deliver a fix you paid for and approved, and to email it to you.
- To operate your account: sign-in links, receipts, and service emails (such as telling you a check now covers your area, if you asked).
- To keep the Service safe: rate limiting, abuse prevention, human verification of anonymous checks, and debugging via redacted logs.
- To meet legal obligations, such as keeping required payment and tax records.
What we do not do: we do not sell or rent your personal information; we do not share it for advertising; we do not use your documents or findings to train AI models; and we do not send anything you prepared to a utility, hospital, bank, or insurer — a prepared fix is delivered to you, and you decide whether to send it.
4. AI processing of your documents
When a check needs to read a document, the document is sent to Amazon Bedrock (an AWS service) to be parsed by an AI model, and the model’s output becomes part of your finding. This processing is under our service agreements with AWS; per AWS’s published commitments for Bedrock, customer content is not used to train the underlying models. We do not use your documents, findings, or prepared fixes to train models of our own. AI parsing can make mistakes — which is one reason every finding cites the public record it read, and every prepared fix waits for your review.
5. Who processes your data
We use a small, fixed set of infrastructure providers (“sub-processors”) to run the Service:
| Provider | What it does with your data |
|---|---|
| Cloudflare | Hosts the sites and the API (Workers/Pages), stores your uploaded documents (R2), and provides the human-verification challenge on anonymous checks (Turnstile). |
| Amazon Web Services | Parses documents and drafts fixes (Bedrock), stores your checks, findings, fixes, and receipts (DynamoDB), runs the background workers (Lambda/SQS), and sends our email — sign-in links and your delivered fixes (SES). |
| Stripe | Processes payments. Stripe handles your card details under its own privacy policy; we receive status and a customer reference. |
| Google Fonts | The marketing site loads its typefaces from Google Fonts, which means your browser sends your IP address to Google when the page loads. No other Google service is used. |
Beyond those providers, we disclose personal information only: (a) at your direction; (b) to comply with law or valid legal process; (c) to protect the Service, our users, or others from fraud or abuse; or (d) as part of a merger, acquisition, or sale of the business — in which case this policy continues to apply and we will notify you of any change in ownership. If you connect an AI assistant, whatever the Service returns to it (your findings, fix previews) is then in that assistant’s hands, under its provider’s terms — connect only assistants you trust.
Email is ordinary email: a fix delivered to your inbox travels over standard email infrastructure, which is not end-to-end encrypted.
6. How long we keep things
| Data | How long |
|---|---|
| Uploaded document that never becomes a check (abandoned upload) | Deleted automatically by a storage lifecycle rule. [RETENTION WINDOW — owner to set on the R2 bucket and state it here; proposed: 30 days] |
| Uploaded document attached to a check | Kept while the check is in your account, so your finding stays traceable to its source; deleted on your deletion request or account deletion. |
| Checks, findings, prepared fixes, receipts | Kept while your account is active — they are your record; deleted on request. |
| Sign-in links | Expire after 15 minutes. |
| Signed-in sessions | Expire after 30 days. |
| Agent keys | Expire after at most 1 year, or immediately when you revoke them. |
| Anonymous rate-limit counters (IP-keyed) | Expire within minutes. |
| Payment records | Kept as required for accounting, tax, and legal obligations (held with Stripe and in our records). |
| Interest signups (email for “tell me when my area is live”) | Kept until we notify you or you ask us to remove it. |
7. Deleting your data
Email help@billoquy.com from the address on your account and ask. We will delete your account, your uploaded documents, and your checks, findings, fixes, and receipts, and confirm when it is done — keeping only what the law requires us to keep (chiefly payment and transaction records) and minimal records of the deletion request itself. We may need to verify the request came from you, which we do via your email address (the same way sign-in works).
8. How we protect it
- Everything moves over TLS (HTTPS), and uploads are restricted by type and size.
- No passwords exist to steal — sign-in is a one-time emailed link.
- The edge and the data plane are connected by a single least-privilege credential that can only do the narrow things the Service needs; the agent surface holds no cloud credentials and no direct database access.
- Logs carry correlation IDs, never your email address or document contents.
- Documents supplied by URL (from a connected assistant) are fetched under strict guards — HTTPS only, private-network addresses blocked, content-type allowlist, and a size cap — before they ever reach storage.
- Approval of a prepared fix is structurally restricted to a signed-in human — an agent key cannot do it.
No service can promise perfect security, but the Service is built so that the sensitive path — your documents — touches the fewest possible systems, each doing one job.
9. Your rights and choices
Whoever you are, you can: access what we hold about you, correct it, delete it (Section 7), and opt out of non-essential email. Write to help@billoquy.com to exercise any of these; we will respond within the time applicable law requires (and in any case within 45 days).
California residents (CCPA/CPRA). We adopt the CCPA/CPRA’s baseline whether or not its business thresholds currently apply to us: we do not sell your personal information and do not share it for cross-context behavioral advertising, so there is no sale/share to opt out of. We use sensitive personal information (Section 10) only to provide the Service you asked for. You have the rights to know, access, correct, delete, and to not be discriminated against for exercising them. You may use an authorized agent to submit a request; we will verify the request through your account email.
If you are in the EEA/UK. The Service is directed to the United States, but if GDPR-style rights apply to you we honor the equivalents: access, rectification, erasure, restriction, portability, and objection, with processing grounded in performing our contract with you (running your checks) and our legitimate interest in keeping the Service secure.
We do not currently respond to browser “Do Not Track” signals — there is no cross-site tracking
here for them to control. [ATTORNEY CHECK: whether Global Privacy Control handling must be stated differently given the no-sale/no-share posture.]
10. Sensitive information
Some checks only work if you hand us sensitive things: an itemized hospital bill, a bank statement. Our posture is strict and simple:
- It is used only to run the check you started and prepare the fix you approve — never for advertising, profiling unrelated to your check, or sale.
- billoquy is a consumer tool you use with your own records. We are not a health plan, health
care provider, or claims clearinghouse, and we do not receive data from them — so we operate
outside HIPAA’s covered-entity framework, and we say that plainly rather than implying
HIPAA coverage.
[ATTORNEY CONFIRM: HIPAA non-applicability analysis, and whether any state consumer-health-data law (e.g., Washington's My Health My Data Act) imposes additional obligations if the Service is offered there.] - You can delete it at any time (Section 7).
11. Children
The Service is for adults. It is not directed to anyone under 18, and we do not knowingly collect personal information from children under 13. If you believe a child has given us personal information, email help@billoquy.com and we will delete it.
12. Where your data lives
The Service runs in the United States (AWS and Cloudflare infrastructure), and your information is stored and processed there.
13. Changes to this policy
If we change this policy, we will post the new version here with a new effective date, and — if the change is material, such as a new sub-processor category or a new use of your data — notify account holders by email or a prominent notice before it takes effect. We will never retroactively weaken the “never sold, never used to train models” commitments for data you already gave us without your consent.
14. Contact
[ENTITY NAME]
[POSTAL ADDRESS — required for privacy notices]
help@billoquy.com [owner: consider a dedicated privacy@billoquy.com alias]