Privacy Policy
Last updated: April 26, 2026 · Version 1.0
Draft template. This document is provided as a starting point and must be reviewed and customized by qualified legal counsel before Credimed accepts paying customers. The protections of HIPAA, state privacy laws (CCPA, CPRA, etc.), and international privacy laws (GDPR if applicable) impose specific disclosure requirements that vary by jurisdiction.
1. Introduction
Credimed, Inc. ("Credimed," "we," "us," or "our") provides a service that helps US-based patients submit dental insurance reimbursement claims for dental work performed by licensed providers in Mexico. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile experience, and related services (collectively, the "Service").
If you are a patient using Credimed to submit an insurance claim, please also read our Notice of Privacy Practices, which describes how we handle your Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
2. Information We Collect
2.1 Information you provide
- Account information: name, email address, phone number, password (stored as a one-way hash by Amazon Cognito).
- Identity and insurance information: date of birth, insurance member ID, insurance carrier, policy number, group number, and an image or scan of your insurance card.
- Health information (PHI): dental procedures performed, dates of service, provider name, diagnostic codes, treatment notes, billing amounts, and dental receipts and records you upload.
- Banking information: bank account number, routing number, and account holder name (for ACH refund deposits, where applicable).
- Signatures: the electronic signature you provide on our service agreements.
2.2 Information collected automatically
- Device and usage data: IP address, browser type, operating system, device identifiers, pages visited, timestamps, and referring URLs.
- Cookies and similar technologies: we use first-party cookies only for authentication and session management. We do not use third-party advertising or tracking cookies.
- Privacy-first analytics: on our public pages (homepage and legal pages, never the authenticated patient flow) we use Plausible Analytics, a cookieless analytics tool. Plausible records aggregate page views, referrers, and approximate geography without identifying individual visitors and without setting cookies. No PHI ever flows through analytics.
2.3 Information from third parties
- Payment processor (Stripe): we receive transaction confirmations and the last four digits of your payment card. Full card numbers are handled directly by Stripe and are never stored by Credimed.
3. How We Use Your Information
We use your information to:
- Prepare, review, and submit dental insurance reimbursement claims to your insurance carrier on your behalf;
- Communicate with you about your claim, including status updates, requests for additional documentation, and outcome notifications;
- Process payments and refunds;
- Verify your identity and prevent fraud;
- Improve and operate the Service, including diagnosing technical issues;
- Comply with legal obligations and enforce our terms.
4. How We Share Your Information
4.1 Insurance carriers and payers
To submit your claim, we share your PHI with your insurance carrier (or its claim processing intermediary). The information shared is limited to what is necessary for claim adjudication.
4.2 Business associates and service providers
We share information with vendors that process information on our behalf, under written contracts that require them to safeguard your data. Current categories include:
- Cloud infrastructure: Amazon Web Services (AWS) — bound by an executed Business Associate Agreement (BAA) for HIPAA-regulated data.
- Payment processing: Stripe.
- Communications: email and SMS providers used to send transactional notifications.
4.3 Legal disclosures
We may disclose information when required by law, subpoena, court order, or other legal process; to protect the rights, property, or safety of Credimed, our users, or others; or in connection with a corporate transaction such as a merger, financing, acquisition, or bankruptcy.
4.4 With your consent
We share information for any other purpose with your consent.
5. Data Security
We implement administrative, technical, and physical safeguards designed to protect your information, including:
- Encryption in transit: all communications use HTTPS/TLS 1.2 or higher.
- Encryption at rest: Protected Health Information stored in our database is encrypted at the field level using AWS Key Management Service (KMS).
- Access controls: access to PHI is restricted to authorized personnel through role-based authentication and group-based authorization.
- Audit logging: all access to PHI is logged to a tamper-resistant audit trail.
- Automatic session timeout: inactive sessions are automatically signed out after 15 minutes.
No system is perfectly secure. We cannot guarantee that your information will not be subject to unauthorized access. We will notify affected users in accordance with applicable law if we become aware of a breach involving your personal or health information.
6. Data Retention
We retain your information for as long as necessary to provide the Service, comply with legal and regulatory obligations (including insurance recordkeeping requirements), resolve disputes, and enforce our agreements. When information is no longer required, we securely delete or de-identify it.
7. Your Rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you;
- Request correction of inaccurate information;
- Request deletion of your personal information, subject to legal retention obligations;
- Receive a copy of your information in a portable format;
- Withdraw consent for processing where consent is the legal basis;
- Lodge a complaint with a supervisory authority.
HIPAA grants additional rights with respect to your PHI; see our Notice of Privacy Practices.
To exercise any of these rights, contact us at privacy@credimed.us.
8. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at privacy@credimed.us and we will delete it.
9. International Users
Credimed operates and stores data in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the latest revision took effect. For material changes, we will provide notice through the Service or by email.
11. Contact Us
Credimed, Inc.
Email: privacy@credimed.us
Mailing address: [TO BE PROVIDED]