Privacy Policy

3.2 Collection of De-Identified Information. MHICO may derive de-identified information from the personal data and health data described above. De-identified information is created through the removal or transformation of identifiable elements using methods consistent with the HIPAA Safe Harbor method (45 C.F.R. § 164.514(b)) or Expert Determination method. The scope of de-identified information we create includes aggregate utilization statistics, plan cost benchmarks, claims pattern analytics, and similar datasets from which individual identity has been removed. De-identified information is only created from personal data that was originally collected with your informed consent.

3.3 Consumer-Directed Exchange via Patient Access APIs. When you authorize MHICO to connect to a health data source, your request is treated as an individual right of access request under the HIPAA Privacy Rule (where applicable) or the applicable federal authorization framework. MHICO acts on your behalf and at your direction to retrieve your health information. MHICO supports the following categories of data source:

• •Commercial health plan Patient Access APIs — including but not limited to Anthem/Elevance Health, UnitedHealthcare, Aetna, Cigna, Humana, and other participating payers, subject to registration approval. Uses HL7 FHIR R4 standards, SMART on FHIR protocols, and OAuth 2.0 authorization, designed to align with the CARIN Blue Button Implementation Guide (STU1 or later).
• •CMS Blue Button 2.0 (displayed as “Medicare”) — the Centers for Medicare & Medicaid Services API that provides Medicare beneficiaries with access to their Part A, Part B, and Part D claims data. Uses OAuth 2.0 authorization and HL7 FHIR R4 standards. Available to Medicare beneficiaries who authorize access through their MyMedicare.gov account.
• •VHA Lighthouse APIs (Veterans Affairs) — the U.S. Department of Veterans Affairs health data API that provides Veterans enrolled in VHA benefits with access to their clinical and benefits data. Uses OAuth 2.0 authorization and HL7 FHIR R4 standards. Available to Veterans who authorize access through their VA.gov account.

Data retrieved may span up to five (5) years of history depending on the data source. AI personalization. Once imported, your coverage details and recent claims are automatically made available to the MHICO AI assistant to personalize responses — for example, applying your actual deductible, copays, and claim history when you ask cost or coverage questions. This data is transmitted to AWS Bedrock (covered under MHICO’s HIPAA BAA with AWS) solely for this purpose. Only display-level information (service descriptions, financial amounts, provider names, dates) is used; diagnostic codes, procedure codes, and internal identifiers are never included. You can prevent this by unlinking your insurer on the Link Insurer page.

3.4 One-Time vs. Persistent Collection. MHICO clearly indicates whether your personal data is collected on a one-time basis or is persistently collected, and if persistently, for what duration. For Patient Access API data, your OAuth token is valid for a limited period (typically within hours, as determined by your insurer) and must be renewed by you. You have the right to change your data collection preferences or revoke access at any time through Platform settings or your health plan’s member portal.

3.5 Collection Limitations. We collect only the personal data you have expressly consented for us to collect. We do not collect data beyond the scope of your authorization. All data is collected by lawful and fair means, with your knowledge and consent.

4.1 Initial Consent. Before collecting or accessing your personal data, MHICO presents you with a clear description of what data will be collected, how it will be used, and with whom it may be disclosed. You must provide affirmative consent (opt-in) before we proceed.

4.2 Consent for Health Plan Data Access. When you connect your health plan account, the OAuth consent flow provided by your health plan displays the specific data elements MHICO will access. You authorize this access through the health plan’s own authentication and consent interface.

4.3 Separate Marketing Consent. MHICO obtains separate, informed, proactive opt-in consent before using or disclosing your personal data for the purpose of facilitating the marketing of goods or services to you. Your consent for core Platform services does not extend to marketing. Marketing consent is independent and may be granted or withdrawn without affecting your access to the Platform’s core functionality. Your marketing consent applies only to your own personal data and does not extend to any other individual whose information may be referenced in your personal data (such as a dependent, spouse, or family member whose health information is included in data retrieved from your health plan). No marketing use of any other individual’s data will occur without that individual’s own separate, informed, proactive consent.

4.4 Consent for Third-Party Disclosure. Before disclosing your personal data to any third party beyond our contracted service providers or as required by law, we obtain your separate, express, informed, proactive consent. You may always specify the third-party recipients to whom your data may be shared.

4.5 Policy Change Notification and Re-Affirmation of Consent. When MHICO makes a Material Change to this Privacy Policy, we will: (i) proactively notify you via email and/or prominent notice on the Platform at least thirty (30) days before the change takes effect (when a policy update is deployed, the Platform automatically emails all existing users whose accounts predate the update); (ii) clearly describe the nature of the change and how it affects the use or disclosure of your personal data and de-identified information; and (iii) on your next login following a material policy change, present a re-consent screen describing the key updates and require you to accept the updated terms or close your account before you can continue. You must affirmatively re-affirm consent in order for MHICO to continue to use or disclose your personal data under the new terms. If you do not re-affirm consent within thirty (30) days of notification, MHICO will cease new uses and disclosures of your personal data beyond what was authorized under the prior Privacy Policy.

4.6 What Happens When Consent Is Re-Affirmed. If you re-affirm your consent following a Material Change to this Privacy Policy, MHICO will continue to collect, use, and disclose your personal data and de-identified information in accordance with the updated Privacy Policy. All data previously collected and all data collected going forward will be governed by the updated terms. Your re-affirmation is recorded with a timestamp for accountability purposes.

4.7 What Happens When Consent Is Withdrawn. If you withdraw your consent or decline to re-affirm consent following a Material Change, the following will occur: (a) MHICO will immediately cease all new collection of your personal data; (b) MHICO will cease all active use of your personal data for Platform services, including AI analysis, plan comparisons, and claims insights; (c) MHICO will cease all disclosure of your personal data to third parties, except as required by law or to fulfill existing legal obligations; (d) you may request that MHICO securely delete all of your personal data (see Section 8.2); (e) MHICO will request deletion of your personal data from contracted service providers where we have the contractual right to do so. For AWS, this is covered under our signed HIPAA BAA. For other service providers (Google, Brave Search), data shared with those parties is minimal, non-health data governed by their own privacy policies and subject to their own deletion practices; (f) de-identified information that was derived from your personal data prior to withdrawal may be retained, as it can no longer be linked to you; however, no new de-identified information will be created from your data; and (g) you may continue to access the Platform with limited functionality that does not require personal data processing, or you may close your account entirely.

4.8 COPPA Compliance. We comply with the Children’s Online Privacy Protection Act. The Platform is not directed to children under 13. We do not knowingly collect personal information from children under 13 without verified parental consent.

4.9 Easily Changing Consent Options. MHICO supports the right of users to easily change their consent options. You may modify or withdraw any consent at any time through a clear, accessible process within the Platform’s account settings (under “Privacy & Consent”), where each consent option is individually toggled. You may also change consent options by emailing julia@mhico.ai. Changes take effect immediately upon confirmation. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal. No fees, penalties, or reduction in service quality result from modifying your consent preferences, except that certain core features that require data processing may become unavailable if the corresponding consent is withdrawn.

5.3 Permitted Uses of De-Identified Information. MHICO uses de-identified information only for the following purposes: (a) Platform improvement, including improving AI models and recommendation algorithms; (b) aggregate analytics and benchmarking (e.g., average plan costs by region, common denial patterns by procedure type); and (c) research into health insurance affordability and access trends. MHICO does not use de-identified information for any purpose beyond those listed here without obtaining consent from the individual from whom the underlying personal data was originally collected, to the extent that individual can be contacted. MHICO does not use de-identified information for targeted advertising, marketing, underwriting, or discrimination.

6.4 Contractual Obligations for All Third-Party Service Providers. All third-party service providers, contractors, and application developers who receive personal data or de-identified information from MHICO are subject to contractual commitments, whether through a dedicated data processing agreement or the vendor's standard terms of service, to the extent applicable to the nature of data they receive. These contractual commitments include: (a) use limitations restricting data use to only the purposes described in this Privacy Policy; (b) prohibition on uses or disclosures inconsistent with MHICO’s commitments without the individual’s informed, proactive consent; (c) security safeguards at least as protective as those MHICO maintains; (d) prohibition on re-identification of de-identified data; (e) breach notification obligations; and (f) data deletion obligations upon termination of the service relationship or upon user request.

6.5 No Sale of Personal Data or De-Identified Information. MHICO does not sell your personal data or de-identified information to any third party. We do not exchange personal data or de-identified information for monetary or other valuable consideration.

6.6 Change of Ownership or Cessation of Business. In the event of a merger, acquisition, sale of assets, reorganization, bankruptcy, or cessation of business, MHICO will: (a) provide you with advance written notice via email and prominent Platform notice at least thirty (30) days before any transfer of personal data to a successor entity; (b) describe the identity of the successor entity, the scope of data being transferred, and the successor’s intended data practices; (c) ensure that the successor entity’s privacy and data protection commitments are consistent with this Privacy Policy as it existed at the time of the transfer; (d) provide you with the option to securely download a copy of your personal data, request secure deletion, or close your account entirely before the transfer takes effect; (e) if MHICO ceases business operations without a successor entity, securely dispose of all personal data within sixty (60) days of the cessation date; and (f) only transfer de-identified information to a successor entity that agrees in writing to the same restrictions on use, re-identification, and disclosure.

6.7 Disclosure of De-Identified Information. MHICO may disclose de-identified information to third parties for research, analytics, or industry benchmarking. All recipients are contractually required to: (a) maintain the de-identified status of the data; (b) not attempt re-identification; and (c) take reasonable measures to ensure the data cannot be associated with any individual. MHICO does not disclose de-identified information for targeted advertising, marketing, underwriting, or discrimination.

7.1 Right to Access. You have the right to access all personal data we have collected about you, to the extent technically feasible and consistent with applicable law. You may request a copy of your data at any time through the Platform’s account settings (under “My Data”) or by contacting julia@mhico.ai. We will provide your data in a structured, commonly used format within thirty (30) days of a verified request.

7.2 Right to Correction. You have the right to report inaccurate or incomplete data. Where the error originates from an external source, MHICO will identify the source and educate you on your rights to request corrections from the HIPAA-covered entity. Where the error is attributable to MHICO, we will correct it.

7.3 Right to Portability. You have the right to receive your personal data in a structured, commonly used, machine-readable format.

7.4 Right to Annotation. Where technically feasible, you may annotate data held by MHICO that is not timely, accurate, relevant, or complete. MHICO will communicate such annotations to downstream recipients authorized by you.

7.5 Right to Revoke Data Access. You may revoke MHICO’s access to health plan data at any time through Platform settings or your health plan’s member portal.

7.6 Complaint Process. Contact julia@mhico.ai. We acknowledge complaints within five (5) business days and provide a substantive response within thirty (30) days.

8.1 Retention Periods. Account data: retained for the duration of your active account. Upon self-service closure, account data is deleted immediately as described in Section 8.2. For inactive accounts, account data is retained and then deleted as described in Section 8.4. Encrypted backup archives may retain a copy for up to thirty (30) days after deletion, as described in Section 8.3(c). Health data via Patient Access APIs: retained for the duration of your active account and deleted upon account closure as described in Section 8.2. Insurance plan data: retained for the duration of your active account and deleted upon account closure. Claims and appeals: resolved claims and associated appeal records are retained for three (3) years from the date of service, then purged; unresolved claims are retained until resolved. Payer connection records (the stored link between your MHICO account and a connected health plan, including encrypted OAuth credentials): purged from our systems if your payer connection has not been synced for ninety (90) days. Note that the OAuth access token issued by your insurer expires independently and much sooner — typically within hours — as determined by the insurer, not MHICO; an expired token requires you to reconnect but does not delete your connection record or any already-imported health data. De-identified data: may be retained indefinitely for research and improvement. Legal/compliance records: retained as required by law. AI chat messages: stored in a server-side session and deleted immediately upon logout; automatically purged after fourteen (14) days of inactivity if you do not explicitly log out. AI chat session metadata (a record that a session occurred, what tools were used, and whether attachments were present, but not message content): ninety (90) days. Login records (timestamp, IP address, and authentication method): ninety (90) days. Account event audit logs (data syncs, consent changes, payer connections, MFA configuration changes, and other account-level events): three hundred sixty-five (365) days. Security and infrastructure logs are retained for the following periods, solely for security, compliance, and incident response purposes: web server access and error logs (nginx access and error logs retained in two locations: on the EC2 server filesystem for ten (10) days with daily rotation, and shipped to AWS CloudWatch for ninety (90) days); application logs (Django application events including HTTP errors and authentication events, shipped to AWS CloudWatch, ninety (90) days); network traffic logs, including VPC flow logs that capture connection metadata such as IP addresses (ninety (90) days); API activity audit trails via AWS CloudTrail (three hundred sixty-five (365) days); and web application firewall (WAF) logs capturing request metadata including IP addresses (fourteen (14) days, stored in AWS CloudWatch in the us-east-1 region as WAF is attached to AWS CloudFront).

8.2 Right to Close Account and Delete Data. You may close your account and request deletion of all your personal data at any time by using the “Close Account” option in your account settings or by contacting julia@mhico.ai. Upon receiving a verified request, MHICO will immediately: (a) revoke your account access and all active data connections; (b) permanently delete all personal data and health information associated with your account, including your name, email address, insurance plan data, claims history, payer connections, login history, AI chat session metadata, multi-factor authentication credentials (including any stored phone number), ad click identifiers, and any email suppression record associated with your address; (c) replace all identifying information with a de-identified token that cannot be linked back to you, retaining only a minimal anonymized record for audit integrity and legal compliance (this record contains no personally identifiable information); and (d) request deletion of your personal data from contracted service providers where we have the contractual right to do so. For AWS, deletion is covered under our signed HIPAA BAA. For Google and Brave Search, data shared with those parties is minimal, non-health data governed by their own privacy policies and subject to their own deletion practices.

8.4 Dormant Accounts. If your account is inactive for twelve (12) consecutive months, MHICO will notify you by email and provide thirty (30) days to log in and keep your account active. If you do not log in within that period, your account will be deactivated. Deactivated accounts that remain inactive for a total of two (2) years from the date of last login will be deleted consistent with the process described in Section 8.2.

9.1 Collection. De-identified information is derived from personal data and health data originally collected with your informed consent (Section 3.2). De-identification is performed using methods consistent with the HIPAA Safe Harbor or Expert Determination standards.

9.2 Use. De-identified information is used only for Platform improvement, aggregate analytics and benchmarking, and research (Section 5.3). It is not used for targeted advertising, marketing, underwriting, or discrimination.

9.3 Disclosure. De-identified information may be disclosed to third parties for research, analytics, or benchmarking. All recipients are contractually prohibited from re-identification (Section 6.7).

9.4 Prohibition on Re-Identification. MHICO maintains internal policies and secures contractual commitments from all third parties to prohibit the re-identification of de-identified or anonymized data.

9.5 Pseudonymization. Pseudonymized data cannot be attributed to a specific individual without additional information, which MHICO keeps separately under technical and organizational safeguards.

10.1 Authentication. MHICO, as both the organization and app developer, uses provider portal credentials compliant with SMART on FHIR standards for authenticating users accessing health plan data via Patient Access APIs. When users connect a health plan through a Patient Access API, authentication is performed directly through the payer’s portal, which may apply its own identity proofing and multi-factor authentication requirements. Email verification is required before account activation. MHICO supports three forms of multi-factor authentication (MFA): a time-based one-time password (TOTP) authenticator app, email OTP (a one-time code sent to your registered email address via Twilio SendGrid), and SMS OTP (a one-time code sent to your registered mobile phone number via Twilio Verify). MFA is required to access AI-powered features, including the chat assistant. Users may create an account without enabling MFA but will be prompted to set it up before using AI features. Mobile phone numbers used for SMS MFA are encrypted at rest using AES-256-GCM with a dedicated encryption key. Access tokens issued by your insurer are time-limited — they typically expire within hours, as determined by the insurer, not MHICO. When a token expires, MHICO will prompt you to reconnect; your already-imported health data is not affected. Tokens clearly indicate the destination for data transmission. Users may revoke tokens at any time from the Link Insurer page or directly through their insurer’s member portal.

10.2 Breach Notification. MHICO, as both the organization and app developer, complies with all applicable breach notification laws, including the FTC Health Breach Notification Rule (16 CFR Part 318) and applicable state breach notification statutes. All third-party service providers and app developers engaged by MHICO are contractually required to comply with the same breach notification obligations. In the event of a breach of unsecured personally identifiable health information, we will notify affected individuals, the FTC, and (where required) prominent media outlets in accordance with the Rule’s timelines and procedures.

10.3 Prohibition on Re-Identification. MHICO, as both the organization and app developer, maintains internal policies and secures contractual commitments from all third-party service providers and app developers to prohibit the re-identification of de-identified, anonymized, or pseudonymized data. Any attempt to re-identify such data is a violation of MHICO’s contractual terms and may result in termination of the service relationship and legal action.

12.1 California (CCPA/CPRA). Right to know, delete, correct, opt out of sale/sharing (MHICO does not sell or share), limit use of sensitive information, and non-discrimination.

12.2 Virginia (VCDPA). Right to access, correct, delete, portability, and opt out of targeted advertising, sale, and profiling.

12.3 Colorado (CPA). Right to access, correct, delete, portability, and opt out of targeted advertising, sale, and profiling.

12.4 Connecticut (CTDPA). Right to access, correct, delete, portability, and opt out of sale and targeted advertising.

12.5 New Jersey. MHICO complies with all New Jersey consumer protection and data privacy requirements.

12.6 Nevada. Opt out of sale of covered information under NRS 603A.

12.7 Washington (My Health My Data Act). Right to know what consumer health data is collected and shared; withdraw consent; delete consumer health data; MHICO will not sell or share without authorization. Consumer Health Data Privacy Policy link accessible from homepage per the Act.

Contact julia@mhico.ai. We respond within time periods required by applicable state law.

13.1 Designated Officer. MHICO has designated Julia Mahieu as the responsible executive officer committed to the data protection principles outlined in this Privacy Policy and the CARIN Code of Conduct. These commitments are publicly facing to allow oversight and enforcement by the Federal Trade Commission, State Attorneys General, or other applicable authorities.

13.2 Workforce Training. MHICO ensures that all personnel with access to personal data, including employees, contractors, and other authorized individuals, are trained on compliance with the data practices covered by the CARIN Code of Conduct and this Privacy Policy. Training is provided upon onboarding, at least annually thereafter, and when material changes are made to data practices.

13.3 FTC Compliance. MHICO, as both the organization and app developer, is subject to Section 5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in commerce.

13.4 Applicable Law. MHICO, as both the organization and app developer, and all third-party service providers engaged by MHICO, comply with all applicable federal and state laws regarding the protection, use, and disclosure of personal data and health data.

13.5 Certification and Accreditation Notifications. When MHICO receives any certification or accreditation from an independent certifying organization, including but not limited to CARIN Code of Conduct accreditation through DirectTrust/EHNAC or any SOC 2 or equivalent independent audit certification, we will notify the public through a prominent notice on the Platform and an update to this Privacy Policy. Such notification will include the name of the certifying organization, the scope and type of certification, and the timing and duration of the certification period.

MHICO Inc., My Health Insurance Copilot

Website: https://mhico.ai

Email: julia@mhico.ai