Privacy Policy

Last updated: April 27, 2026 · Version 1.2

TL;DR (plain-English summary)
We collect what we need to file your dental insurance claim — your contact info, your insurance card, your receipts, and the procedures performed. We share your protected health information only with your insurer (under your written authorization) and with a small set of audited service providers under signed contracts. We do not sell your data. We do not share it for advertising. You can ask to see, correct, or delete your data at any time at privacy@credimed.us.

The legally precise version follows.

1. Introduction

Credimed LLC ("Credimed," "we," "us," or "our") provides a service that helps US-based patients prepare and submit dental insurance reimbursement claims for dental work performed by licensed providers in Mexico.

Credimed is not a healthcare clearinghouse, healthcare provider, health plan, or insurance company. We provide administrative support services for claim preparation and submission, and use a third-party clearinghouse (currently Availity) to transmit prepared claims to insurance carriers.

When we handle Protected Health Information, we do so as a service provider to you and, where applicable, as a Business Associate to covered entities pursuant to applicable agreements. We do not provide medical care or make coverage determinations.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile experience, and related services (collectively, the "Service").

Legal basis: we process your information to perform the Service you request (including under your written authorization for claim submission), to comply with legal obligations, and for our legitimate interests in operating, securing, and improving the Service.

If you use Credimed to submit an insurance claim, please also review our Notice of Privacy Practices, which describes how we handle Protected Health Information ("PHI") in accordance with HIPAA, where applicable to our role for that claim.

2. Information We Collect

2.1 Information You Provide

Account information: name, email address, phone number, password (stored as a one-way hash via Amazon Cognito).
Identity and insurance information: date of birth, insurance member ID, insurance carrier, policy number, group number, and images of your insurance card.
Health information (PHI): dental procedures, dates of service, provider details, diagnostic codes, treatment notes, billing amounts, receipts, and records you upload.
Banking information (where applicable): bank account and routing information for reimbursement facilitation. Where collected, this information is transmitted directly to and processed by third-party payment providers acting on our behalf. Credimed does not store full bank account or routing numbers unless explicitly disclosed to you at the point of collection.
Electronic signatures: signatures provided through our platform in connection with our Service Agreement and any required authorizations.

2.2 Information Collected Automatically

Device and usage data: IP address, browser type, operating system, device identifiers, pages visited, timestamps, referring URLs.
Cookies: first-party cookies and browser storage used strictly for authentication, session management, and security. We do not use third-party advertising or cross-site tracking cookies. Full inventory in our Cookie Policy.
Privacy-first analytics: we use Plausible Analytics on public pages only (never within the authenticated patient flow). Plausible collects aggregated, anonymized usage data without cookies or personal identifiers. No identifiers, claim data, or Protected Health Information are included in analytics.

2.3 Information from Third Parties

Payment processor (Stripe): we receive transaction confirmations and limited payment metadata (e.g., last four digits of card). Full payment details are processed directly by Stripe and are never stored by Credimed. No Protected Health Information is transmitted to or processed by Stripe.

3. How We Use Your Information

We use your information for the following business purposes:

Prepare, review, and submit insurance reimbursement claims on your behalf, under your written authorization;
Communicate with you regarding claim status, documentation requests, and outcomes;
Process payments and refunds;
Verify identity and prevent fraud;
Operate, maintain, secure, and improve the Service;
Comply with legal obligations and enforce agreements.

We apply data minimization and use only the information necessary for the stated purposes.

3.1 Marketing Communications

With your opt-in consent (for example, when you provide an email through our refund estimator), we may send educational and marketing emails about our Service.

Marketing communications are limited to general product information and will not include claim-specific details or Protected Health Information.

Every marketing email includes a one-click unsubscribe link, and we honor opt-out requests promptly. We do not send marketing SMS without separate, explicit opt-in.

4. How We Share Your Information

4.1 Insurance Carriers

We share necessary information, including PHI, with your insurance carrier or its claim-processing intermediaries strictly as required to prepare and submit your claim, and always under your written authorization.

4.2 Service Providers (Business Associates and Vendors)

We share information with vendors that process information on our behalf under contractual obligations to safeguard your data:

Cloud infrastructure: Amazon Web Services (AWS), under a Business Associate Agreement (BAA) covering all PHI processed in our AWS environment.
Payment processing: Stripe — handles only payment data; no PHI is transmitted to Stripe.
Communications: transactional email and messaging providers used to deliver claim status updates and account notifications, under appropriate confidentiality and data protection obligations.

We design our systems to segregate payment data from claim data so that Protected Health Information is not transmitted to payment processors.

4.3 Legal Requirements

We may disclose information:

to comply with applicable laws, subpoenas, or legal processes;
to protect the rights, safety, and property of Credimed, our users, or others;
in connection with corporate transactions (e.g., merger, acquisition, financing). Any successor entity will be bound by privacy commitments at least as protective as this Policy.

4.4 With Your Consent

We may share information for other purposes with your explicit, written consent, which you may revoke at any time except to the extent we have already acted in reliance on it.

4.5 What We Do Not Do

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

We honor Global Privacy Control (GPC) signals as opt-out requests by default. For browser "Do Not Track" signals, we follow the practices described in this Policy.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information:

Encryption in transit: HTTPS/TLS 1.2 or higher on all connections.
Encryption at rest: PHI is encrypted at the field level using AWS Key Management Service (KMS).
Access controls: role-based access with least-privilege authorization.
Audit logging: access to PHI is logged and monitored.
Session security: automatic logout after 15 minutes of inactivity.
Vulnerability management: annual third-party security review and continuous dependency scanning.

No system is completely secure. In the event of a breach involving your unsecured PHI, we will notify you within sixty (60) days as required by HIPAA's Breach Notification Rule, and sooner where required by state law. Where state law requires shorter timelines, we comply with the stricter requirement.

6. Data Retention

We retain information for the periods required to provide the Service and to comply with legal and regulatory obligations:

PHI: 6 years from last claim activity (HIPAA minimum)
Billing and tax records: 7 years
Account data: until deletion + up to 90 days backup
Marketing logs: 3 years after last interaction
Agreements and authorizations: 7 years
Audit logs: 6 years

We may retain information longer if required by law, an active legal hold, or an ongoing dispute.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

Access your data
Correct inaccuracies
Request deletion (subject to retention obligations)
Receive a copy in portable format
Withdraw consent
Opt out of marketing
File a complaint

HIPAA grants additional rights; see our Notice of Privacy Practices.

To exercise rights: privacy@credimed.us

We will respond within 45 days, with one possible extension as permitted by law. We may need to verify your identity before fulfilling certain requests.

7.1 California Residents (CCPA / CPRA)

If you are a California resident, you have specific additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

Categories of personal information we collect: identifiers (name, email, phone), customer records (insurance information, signatures), commercial information (transaction history), internet activity (device and usage data described in §2.2), and protected classification characteristics solely as required to file your claim (e.g., date of birth). We collect Protected Health Information as further described in §2.1.

Sources: directly from you, automatically through your device, and from Stripe (limited payment metadata).

Business purposes for collection: claim preparation and submission, billing, fraud prevention, security, service improvement, and legal compliance.

Categories of third parties with whom we share: your insurance carrier (under your authorization), our cloud and payment-processing service providers (under contract), and government authorities (when legally required).

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

You have the right to:

Know what personal information we have collected, used, disclosed, and (if any) sold about you;
Delete your personal information, subject to legal retention exceptions;
Correct inaccurate personal information;
Limit the use and disclosure of "sensitive personal information" to that which is necessary to provide the Service;
Non-discrimination for exercising your rights;
Submit requests through an authorized agent under California law.

We use sensitive personal information solely as necessary to provide the Service and as permitted by law.

We honor Global Privacy Control (GPC) browser signals as opt-out requests. To exercise any right, email privacy@credimed.us with the subject line "California Privacy Request." We may need to verify your identity before fulfilling certain requests.

8. Children's Privacy

The Service is not directed to children under thirteen (13). We do not knowingly collect personal information from children under thirteen. If we learn that we have inadvertently collected such information, we will delete it promptly.

The Service is not intended for users under eighteen (18). A parent or legal guardian may use the Service on behalf of a covered minor dependent, in which case the parent or guardian represents that they have legal authority to provide the minor's information and to authorize claim submission.

If you believe a child has provided us with personal information without parental consent, please contact us at privacy@credimed.us.

9. International Users

Credimed operates and stores data in the United States.

Information may originate from services performed outside the US (e.g., Mexico), but all processing occurs within the US.

By using the Service, you acknowledge and consent to the transfer of your information to, and processing in, the United States.

10. Changes

We may update this policy. Material changes will be communicated at least 30 days in advance.

11. Contact

Credimed LLC
Privacy Officer
Email: privacy@credimed.us
Mailing address: [TO BE PROVIDED]

← Back to Credimed