Privacy Policy
This policy describes how Orchard Labs LLC collects, uses, stores, and shares information when you use HSA IQ at hsaiq.com.
We collect health-related information as part of the Service, subject to the FTC Health Breach Notification Rule (16 CFR Part 318) and applicable state health data privacy laws. Washington state residents: please also review our Consumer Health Data Privacy Policy for additional disclosures required by the Washington My Health My Data Act.
Information We Collect
Information You Provide
- Account information: Name, email address, and password. If you sign in with Google, we receive your name and email address. We do not receive or store your Google password
- Medical expense records: Patient name, provider name, date of service, type of service or expense category, and amount paid -- the five fields required by the IRS for HSA reimbursement documentation under IRS Notice 2004-50
- Receipt images: Photographs or scans of medical receipts you upload, which may contain provider names, dates, amounts, service descriptions, and patient names
- Imported data: Expense records and receipt images you upload in bulk. Imported data is subject to the same storage, encryption, and retention policies as data you enter directly
- Family member information: Names and relationships (spouse, dependent) for family members whose expenses you track. Family members do not have separate accounts
- Reimbursement records: Dates, amounts, and status for tracked reimbursements
- Cloud backup preferences: If you enable automatic backup to a cloud storage provider, we store the OAuth credentials needed to perform backups on your behalf
Information Collected Automatically
- Analytics data: We collect page views and feature usage events through our analytics provider. We do not include health information -- such as provider names, expense categories, patient names, dates of service, or amounts -- in analytics data
- Server logs: Our hosting provider collects standard server logs including IP addresses, request timestamps, and browser information for security monitoring and performance
Information Processed by Third Parties
- OCR-extracted data: When you upload a receipt, we send the image to our OCR provider for text extraction. The extracted text is returned to us and presented for your review before being saved. You can correct any errors before confirming
- Payment information: Our payment processor collects your card number, expiration date, and billing information when you subscribe. We never receive, process, or store your full credit card number
How We Use Your Information
We use your information to:
- Provide and improve the Service, including expense tracking, receipt storage, data import, reimbursement tracking, and reporting
- Process receipt images through OCR for your review
- Generate expense reports and unreimbursed balance calculations
- Perform automatic backups to your cloud storage, if enabled
- Process subscription payments
- Send account and billing notifications, periodic expense summaries, and data management reminders
- Monitor product performance through analytics, using only non-health data as described in Section 1.2
- Respond to support requests
- Comply with legal obligations, including breach notification requirements
We do not use your information for advertising, marketing profiling, or any purpose other than those listed above.
How We Store and Protect Your Information
Structured data (expense records, accounts, family members, reimbursements) is stored in an encrypted database with row-level access controls ensuring each user can only access their own data. Receipt images are stored in encrypted file storage in the United States.
- All data encrypted at rest using AES-256
- All data encrypted in transit using TLS 1.2 or higher
- Database access restricted to server-side application logic only
- Direct database API access is disabled
- Passwords hashed using industry-standard one-way hashing
Third-Party Services
We share information with the following service providers, only to the extent necessary to operate the Service:
| Provider Type | What We Share |
|---|---|
| Cloud database provider | Structured user data including expense records, account information, and family member records |
| Cloud file storage provider | Receipt images you upload, encrypted at rest in the United States |
| OCR processing provider | Receipt images for text extraction; returns extracted text to us only |
| Payment processor | Payment card information for subscription billing. We never receive or store your full card number |
| Email delivery provider | Your email address for transactional emails only. We do not include provider names, dates of service, expense descriptions, or other identifying health details in emails. Certain account summary emails include aggregate financial totals such as expense counts and total amounts |
| Analytics provider | Page view and feature usage events only. Does not receive any health information |
| Cloud backup destinations (optional) | If you enable automatic backup, your exported data is transmitted to your own cloud storage account via OAuth. Once in your storage, it is subject to that provider's terms |
We do not share, sell, rent, or disclose your health information to advertising platforms, data brokers, or any third party for marketing purposes. We do not use tracking pixels, advertising cookies, or retargeting technologies. We do not monetize your data.
Data Retention
- Active accounts: We retain your data for as long as your account is active. This may span decades, consistent with the IRS shoebox strategy (IRS Notice 2004-50, Q&A-39)
- Cancelled accounts: Upon cancellation, we prompt you to export your data. We retain your data for up to 60 days after cancellation, after which we permanently delete your account, expense records, and receipt images
- Billing records: Payment transaction records are retained by our payment processor for 7 years for tax compliance, then anonymized
- Analytics data: Analytics events are retained on a rolling 12-month basis
Data Deletion
You may request deletion at any time by emailing help@hsaiq.com. We process requests within 30 calendar days and send confirmation of what was deleted and what was retained.
We recommend exporting your data before requesting deletion, as deletion is permanent.
What We Retain After Deletion
- A record that the request was fulfilled (for compliance)
- Anonymized billing records (7 years for tax)
- Aggregate de-identified analytics data
Cloud backup copies. We cannot delete copies stored in your own cloud storage. You are responsible for managing data in your own accounts.
IRS compliance note. Your records may serve as documentation for IRS substantiation of HSA distributions under IRC Section 223(f). Once deleted from HSA IQ, this documentation cannot be recovered.
Your Rights
All users may access and export their data at any time, update or correct their records, request deletion, and cancel their subscription.
California Residents (CCPA/CPRA)
California residents have additional rights including the right to know what information we collect, request deletion, and opt out of sale or sharing of personal information. We do not sell or share personal information as defined by the CCPA. Medical expense data is classified as sensitive personal information under the CPRA; we use it only to provide the Service and do not use it to infer characteristics about you.
To exercise your rights, contact help@hsaiq.com. We respond within 45 calendar days.
Washington State Residents
Washington state residents have additional rights under the My Health My Data Act. Please review our Consumer Health Data Privacy Policy for full details.
Children's Privacy
HSA IQ is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact help@hsaiq.com and we will delete it promptly.
Note: parents and guardians tracking medical expenses for minor dependents are entering their own data as account holders -- the children do not interact with the Service.
HIPAA
HSA IQ is a consumer application. We are not a HIPAA covered entity or business associate. Our data protection obligations are governed by the FTC Health Breach Notification Rule, the FTC Act, and applicable state privacy laws.
Security Incidents
In the event of a breach involving your unsecured health information, we will notify you in accordance with the FTC Health Breach Notification Rule (16 CFR Part 318) and applicable state laws within the required timeframes.
Changes to This Policy
We will notify you of material changes by email and by posting the updated policy at hsaiq.com. Continued use after changes are posted constitutes acceptance.
Contact Us
Orchard Labs LLC
Email: help@hsaiq.com