Consumer Health Data Privacy Policy
Provided in accordance with the Washington My Health My Data Act (RCW 19.373). This policy supplements our general Privacy Policy and describes how Orchard Labs LLC collects, uses, shares, and protects consumer health data through HSA IQ at hsaiq.com.
Consumer Health Data We Collect
- Medical expense recordsProvider name, date of service, type of service or expense category, amount paid, and patient name
- Receipt imagesPhotographs or scans of medical receipts, which may contain provider names, dates, amounts, service descriptions, and patient names
- OCR-extracted health dataWhen you upload a receipt, we send the image to our OCR provider for text extraction. The extracted text is returned to us and presented for your review before being saved
- Reimbursement recordsDates and amounts of HSA reimbursements linked to specific expenses
- Family member dataExpense records and receipt images for your spouse and dependents, linked by name
Purposes for Collection
We collect consumer health data to:
- Store, organize, and display your medical expense records and receipts for HSA reimbursement tracking
- Extract text from receipt images using OCR for your review
- Check expenses against the IRS Section 213(d) eligible expense database
- Calculate unreimbursed balances and generate reports
- Track reimbursements and maintain an audit trail
- Perform automatic backups to your cloud storage, if enabled
- Send account notifications and periodic expense summaries
- Comply with legal obligations, including breach notification requirements
We do not collect consumer health data for advertising, marketing, or any purpose other than operating the Service.
Sources of Consumer Health Data
- Directly from youWhen you enter expense records, upload receipts, add family members, or record reimbursements
- From data you importWhen you upload receipts or expense records in bulk. Imported data is treated identically to data you enter directly
- From OCR processingWhen our OCR provider extracts text from receipts you upload. Results are presented for your review and not saved until you confirm
- From your cloud storageOptional -- if you import receipt images from a connected cloud storage account
We do not purchase or acquire consumer health data from data brokers, advertising networks, or any third party.
Third Parties With Whom We Share Consumer Health Data
We share consumer health data with the following categories of service providers, solely to operate the Service:
| Provider Type | What We Share |
|---|---|
| Cloud infrastructure providers | Your expense records and receipt images, encrypted at rest |
| OCR processing provider | Receipt images for text extraction; returns extracted text to us only |
| Email delivery provider | Your email address for transactional emails only. No provider names, dates of service, expense descriptions, or other identifying health details. Certain account summary emails include aggregate financial totals such as expense counts and total amounts |
| Cloud backup destinations (optional) | If you enable backup, your data is transmitted to your own cloud storage account via OAuth. Once in your storage, it is subject to that provider's terms |
We do not share consumer health data with advertising platforms, ad networks, data brokers, social media platforms, or any third party for marketing or profiling purposes. Our analytics provider receives only page views and feature usage events -- no health data.
We have no affiliates. Orchard Labs LLC is a single-member LLC with no parent company, subsidiaries, or affiliated entities.
Your Rights
Right to Confirm and Access
You have the right to confirm whether we are collecting or sharing consumer health data about you, and to access that data. You may also request a list of all third parties with whom we have shared your consumer health data, including their contact information. You may export your data at any time using the export features in your account.
Right to Withdraw Consent
You may withdraw consent from collection and sharing of your consumer health data by cancelling your account or contacting help@hsaiq.com. Upon withdrawal, we stop collecting new data. Previously collected data follows the deletion process below.
Right to Delete
If you cancel your account, we retain your consumer health data for up to 60 days to allow for data export, after which we permanently delete it. You may also request deletion at any time by contacting help@hsaiq.com. We process deletion requests within 30 calendar days.
Before deletion, we offer you the opportunity to export your data. Upon deletion, we remove your expense records, receipt images, family member data, reimbursement records, and account information. We retain only a compliance record that the request was fulfilled and anonymized billing records (7 years for tax compliance).
IRS documentation notice. Your records may serve as required documentation for IRS substantiation of HSA distributions under IRC Section 223(f) and IRS Notice 2004-50, Q&A-39. Deletion removes this documentation permanently. We strongly recommend exporting before requesting deletion.
How to Exercise Your Rights
- Use the export features in your account
- Email help@hsaiq.com
We verify identity using your account email. We respond within 30 calendar days, or notify you if we need up to 60 days.
Data Security
We protect consumer health data with:
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- Row-level database access controls
- Time-limited access to stored files
- Industry-standard password hashing
- Server-side only database access
Access to consumer health data is strictly limited to systems and personnel necessary to operate and maintain the Service.
What We Do Not Do
We do not sell consumer health data. We have never sold consumer health data.
We do not use geofencing around healthcare facilities to identify or track consumers, collect health data, or deliver advertising.
Changes to This Policy
We will notify you of material changes by email and by posting the updated policy at hsaiq.com. We will obtain new consent for material changes to the categories of data we collect, our purposes, or the categories of third parties with whom we share your data.
Contact Us
Orchard Labs LLC
Email: help@hsaiq.com