Data handling & security

This page summarizes how the ClaimSaver+ application handles information you provide. It is general information, not legal advice, and does not replace any contract or policy you agree to when using the service.

Last updated: 5/28/2026

HIPAA scope — no certification claimed

Many users upload health- and accident-related documents. ClaimSaver+ is built as claim-preparation software for consumers. We do not operate as your health care provider or health plan under HIPAA, and we do not claim to be a HIPAA business associate for routine platform use. We do not display or rely on a third-party HIPAA “certification” badge. If you are a regulated entity that requires a Business Associate Agreement, contact us before using the platform for regulated workflows.

What we collect and store

We collect account and profile information you provide (such as email via our authentication provider), claim form fields you enter, calendar and expense entries you create, and files you upload (for example, documents and images related to your claim). Operational logs may include IP address, device type, and timestamps for security and troubleshooting.

Encryption and storage

Traffic between your browser and our services uses TLS (HTTPS). Uploaded files and application data are stored using our database and object storage providers (for example, Supabase), which apply industry-standard encryption for data at rest consistent with their documentation (including AES-256-class protections as described by the provider). We do not describe this as “bank-level encryption,” which is not a defined technical standard. Backups, key management, and subprocessors follow our vendors’ architectures. Review vendor documentation for the latest technical detail.

Payments (Stripe)

Card payments are processed by Stripe. Card data is handled on Stripe’s systems under their PCI DSS program. For typical hosted Checkout flows, your deployment may fall under PCI SAQ A scope; confirm with your own compliance advisor. We do not store full card numbers on ClaimSaver+ servers for those flows.

Accounts and authentication

Sign-in uses Supabase Auth (email/password, magic link, or OAuth such as Google, depending on how your project is configured). Configure email verification, password reset, and branded templates in the Supabase dashboard. We recommend strong passwords and enabling MFA in your provider settings when available. Refer to Supabase’s documentation for session duration and security defaults.

Email and domain mail policy

Public support email is sent from our claimsaverplus.com domain. Organization administrators should configure SPF, DKIM, and DMARC for that domain with your DNS host so recipients can authenticate legitimate mail and reject spoofing; we cannot set DNS on your behalf.

Retention and deletion

We retain data as needed to operate your account and meet legal obligations. You may request deletion or export of personal data subject to applicable law and technical feasibility; contact support for account-specific requests.

Contact

Questions about this summary can be sent to our support channel listed on the Contact page.

Account security: We recommend enabling multi-factor authentication (MFA) for accounts that store medical and insurance documents. Set up MFA in Account security.