Privacy Policy
We collect the minimum we need to run your reimbursement Snapshot and contact you about it: practice name, your name, email, optional phone, NPI, ZIP, the CPT codes and payer mix you enter, and the IP/user-agent of your browser. We never store Protected Health Information (PHI). We never sell your data. We use Supabase to store records, Resend to send email, and Stripe for any paid purchases. You can email david@reimburseos.com at any time and we will delete your data.
1. What we collect and why
- Practice and contact info (practice name, your name, email, phone, NPI, ZIP) — to deliver your Snapshot results, generate the locality-adjusted benchmark, and follow up about the paid Practice Snapshot if you request it.
- Snapshot inputs (CPT codes, payer mix, annual volume estimates) — to compute the benchmark.
- Snapshot results (the computed benchmarks, recovery estimates) — stored alongside your inputs as an audit trail.
- Technical metadata (IP address, user-agent, page-event timestamps) — to operate the service, prevent abuse (rate-limiting), and understand which marketing channels lead practitioners to us.
- Payment information — only collected if you purchase a paid product. Card data is handled exclusively by Stripe; we never see or store full card numbers.
2. What we never collect
- Protected Health Information (PHI). No patient names, no diagnoses, no claims, no records. The Lens Snapshot does not require any patient-identifying data to function.
- Social Security Numbers, financial account numbers, biometric identifiers.
3. How we use your data
- To compute and deliver your Snapshot.
- To send you the result email and, if you've consented (by buying a paid product), customer-service follow-ups.
- To improve the tool — aggregate, de-identified analytics about which specialties, ZIPs, and CPT mixes are most common.
- To prevent abuse (rate-limiting per email and IP).
4. Who sees your data
Only ReimburseOS / TwinFlame Group and the service providers we use to run the platform:
- Supabase — database hosting (US region)
- Netlify — site + serverless function hosting
- Resend — transactional email delivery
- Stripe — payment processing (paid products only)
- Cloudflare — DNS / CDN
We do not sell your data. We do not share it for advertising. We do not feed it to third-party AI training pipelines.
5. Data retention
Snapshot inputs and results are retained for as long as necessary to operate the service and any business relationship you have with us. You may request deletion at any time by emailing david@reimburseos.com; we will delete your data within 30 days unless we have a legal obligation to retain it (e.g., financial records related to a paid purchase).
6. Your rights
If you are a California resident (CCPA) or in the EU/UK (GDPR), you have rights to access, correct, delete, and port your personal data, and to opt out of its "sale". We don't sell your data, so the opt-out is moot, but the others apply. Email david@reimburseos.com to exercise any of these rights.
7. NPI is public — but PII to you
The National Provider Identifier (NPI) is a public CMS-issued number, but in combination with your other inputs it identifies you as an individual. We treat it as personal information and apply the same handling rules.
8. Security
Data in transit is encrypted via TLS. Data at rest is encrypted via Supabase's standard storage encryption. Access is limited to David Hitchman (founder) and authorized contractors under signed confidentiality agreements.
9. Children
ReimburseOS is a B2B tool for medical-practice operators. We don't intentionally collect data from anyone under 18.
10. Changes to this policy
We'll update this page if we change anything material. The "Updated" date at the top reflects the last change.
11. Contact
David Hitchman, Founder, TwinFlame Group
Email: david@reimburseos.com
Website: reimburseos.com