Privacy Policy
This Privacy Policy describes how AutoPaper LLC d/b/a Suprabill and its affiliates under common control ("CLIENT","we","us", or "our") collect, use, disclose, and safeguard personal information obtained through Suprabill-branded digital services, including our website, mobile applications, and any tools we provide for out-of-network (OON) health insurance claim submission and tracking. By using our services and providing your health information, you authorize us to use and share your information with insurers and claims infrastructure providers for claim processing and other purposes consistent with this Privacy Policy.
We collect personal information directly from users who register for an account and use our platform to submit, monitor, or manage health insurance claims. This includes information provided by users, as well as responses or status updates we may receive from insurance payers, healthcare providers, or related third parties involved in processing such claims. In support of these services, we facilitate the collection, documentation, and transmission of claim-related data, which may include medical, insurance, billing, and contact information.
This policy also applies to individuals who visit or interact with our website or digital platforms, even if they do not submit a claim or register an account with us. As we expand our offerings, we may collect additional categories of information—such as analytics derived from website activity, user communications, or optional service features that users choose to enable, and we will update this Privacy Policy as applicable laws may require.
This Policy explains how we handle the personal information we collect or receive, and how individuals whose information we may process (data subjects) can understand and, where applicable, exercise their privacy rights. It also serves as your Notice of Collection under applicable laws, including the California Consumer Privacy Act (CCPA/CPRA), by describing the categories of personal information we collect, the sources from which we obtain it, the purposes for which we use it, and the categories of third parties to whom it may be disclosed, sold, or shared. Where required, we may also provide additional notices at the point of collection that supplement or reference this policy.
This policy will be updated as our services and data practices evolve. Material changes will be reflected on this page, and where required, we will provide additional notice.
Note on Health Information and HIPAA:
Our current services assist individuals with out-ofnetwork (OON) claims. We are not a healthcare provider or insurer, and HIPAA does not apply to our services provided directly to individuals. If Suprabill becomes a business associate of a HIPAA-covered entity (or their business associate), we will comply with HIPAA’s applicable privacy and security requirements. Otherwise, information you provide as an individual is governed solely by the commitments in this Privacy Policy.
1. What Data We Collect
We collect and process personal information to provide users with access to our claim submission and tracking services, to communicate with payers, and to support the functioning and improvement of our digital platforms. The information we collect may include data submitted directly by users as well as data received from payers or derived from user interaction with our services.
"Personal information" (also referred to as "personal data" in some jurisdictions) means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes identifiers, insurance and claim-related data, internet activity, and in some cases, sensitive personal information as defined under applicable law.
| Category of Personal Information | Examples | Current Use of This Data | Categories of Recipients |
|---|---|---|---|
| Identifiers | Name, date of birth, email, phone number, address, insurance ID | Collected Processed Shared* |
Insurance payers; claims and other infrastructure providers; affiliates providing operational support |
| Sensitive Personal Information | Diagnosis codes, CPT/procedure codes, session notes, insurance policy numbers | Collected Processed Shared* |
Same as above |
| Account registration information | Username, login credentials (hashed), communication preferences | Collected Processed |
Not applicable |
| Commercial Information | Claim submission history, eligibility determinations, claim statuses | Collected Processed Shared* |
Same as Identifiers |
| Financial Information | Payment method (Stripe), transaction confirmations, billing ZIP | Collected Processed Shared* |
Stripe; claims and other infrastructure providers |
| Professional Information | Provider name, NPI, service dates | Collected Processed Shared* |
Insurance payers; claims and other infrastructure providers |
| Internet/Electronic Activity | IP address, device/browser data, user session activity | Collected Processed Shared* |
Analytics providers; infrastructure vendors |
| Geolocation Data | Approximate location based on IP address | Collected Processed Shared* |
Same as above |
| Inferences | User preferences derived from feature use or behavior | Collected (Created) Processed |
Internal analytics only |
| Aggregated/Deidentified Data | Operational metrics (e.g., claim turnaround time, approval rates) | Collected Processed (anonymized) |
Internal analytics only; not shared or sold |
The disclosures provided in the table above are illustrative, not exhaustive, and are intended to reflect the typical scope of our data practices. Additional categories or examples of personal information may be collected or used, depending on how individuals interact with our services. The table should be read in conjunction with the following important notes and explanatory details:
(a) Shared* refers to disclosures made solely to provide our services as requested and directed by the user. These include disclosures to service providers or contractors under written agreement, as well as to other third parties—such as insurance payers and claims infrastructure providers—when such disclosures are necessary to process claims or deliver the requested services. These are not considered "sharing" or "selling" under the CCPA/CPRA. The table marks these with an asterisk (*) for clarity; no listed disclosures involve selling or sharing, as defined by CCPA/CPRA.
(b) Additional categories of personal information identified under applicable laws (such as the CCPA/CPRA) are not included in the table above if we do not collect, process, or share/sell such information. Examples include: biometric data, sensory recordings, and protected classifications.
(c) If you choose to create an account on our website, we may collect additional information such as your name, email address, login credentials, and any preferences or information you submit through the account interface. Additional terms regarding account registration and use may be provided in our Terms of Use, which govern your interaction with our online services.
(d) Information that has been de-identified or anonymized in accordance with applicable laws is no longer considered personal information. We may use, share, license, or otherwise process such de-identified data for any lawful purpose, including but not limited to research, analytics, benchmarking, product development, service improvement, business intelligence, marketing insights, or the creation of aggregated datasets. We take reasonable steps to ensure that de- identified data cannot be re-associated with any individual.
2. Sources of Personal Information
We collect personal information from a variety of sources, depending on how individuals interact with us and our services. These sources may include:
- •
Information you provide directly – We collect personal and health-related information you submit when using our services, including claim-related documents, forms, or images (such as superbills, provider details, or insurance information) that you upload through our platform.
- •
Direct communications – We may collect information you provide when you communicate with us, such as by submitting a web form, sending an email, placing a phone call, or interacting with us through other online or offline channels.
- •
Your interactions with our website and platform – When you visit or interact with our digital services, we may collect technical data from your browser or device, including IP address, browser type, and usage patterns. We may use cookies and similar technologies to support functionality, analytics, or performance tracking.
- •
Account registration and profile activity – If you register for an account, we collect the information you provide during sign-up and while using your account, including communications, preferences, interaction history, and any content you submit or actions you take while logged into your account.
- •
Insurance payers and claims infrastructure providers – As part of processing your out-ofnetwork (OON) claim, we may receive information from insurance payers or claims infrastructure providers in response to your claim submission, such as claim status, eligibility responses, or payment updates.
- •
Authorized third parties acting on your behalf – In some cases, we may receive information from individuals or entities you authorize to act for you (such as a representative submitting claims on your behalf, or a provider's administrative staff forwarding documentation).
- •
Service providers and affiliated entities – We may receive or generate personal information in collaboration with service providers (e.g., infrastructure, analytics, communications) or operational affiliates under common control who support delivery of our services.
- •
Payment processors – If you submit payments for our services through our platform (e.g., via Stripe), we may receive limited transaction details from the payment processor, such as payment confirmation or billing ZIP code.
- •
Feedback and communications – We collect any personal information you include in messages, support requests, or feedback submitted through forms, emails, or other channels.
- •
Job applications – If you submit a job application through a third-party platform (e.g., Indeed or LinkedIn), we may collect and retain the information you provide for recruiting, business operations, and legal compliance purposes.
- •
Deidentified or aggregated insights – While this data is not considered personal information subject to this Privacy Policy, we may use aggregated service usage metrics derived from individual interactions for internal analytics, product improvement, and operational evaluation.
3. Purposes for Collecting and Using Personal Information
We collect, use, and otherwise process personal information for a variety of business and operational purposes, depending on the context in which we receive the data. These purposes may include:
- •
To provide services and functionality – Including enabling access to our website and digital tools, allowing you to create and manage an account, facilitate insurance claim submission and tracking, communicate with payers or intermediaries on your behalf, and fulfill your requests or transactions.
- •
To support decision-making using automated tools, including AI – We may use automated systems to process and analyze personal information, including to validate claim data, assess documentation, suppress irrelevant communications, or monitor usage patterns. Where such tools produce legal or similarly significant effects, we will provide required disclosures and offer the ability to request human review as may be required by law.
- •
To analyze, improve, and develop our offerings – Including assessing usage patterns, troubleshooting technical issues, conducting internal research, developing new products or services, and enhancing existing features.
- •
To personalize experiences and market responsibly – Including tailoring communications, improving user workflows, and analyzing anonymized usage data to optimize service delivery. We do not engage in cross-context behavioral advertising.
- •
To maintain the security and integrity of our systems – Including monitoring for fraud, abuse, threats, or other illegal or unauthorized activities, and protecting the rights, property, and safety of Suprabill, our users, or others.
- •
To comply with legal obligations and protect legal interests – Including responding to lawful requests, subpoenas, or court orders; complying with recordkeeping and regulatory requirements; and exercising or defending legal claims.
- •
To process job applications – If you apply for a role with us, we may use your information to evaluate your qualifications, communicate with you during the hiring process, and comply with applicable employment laws.
- •
To generate de-identified or aggregated data – We may remove identifiers from personal information to create de-identified or aggregated datasets, which we may use for any lawful purpose not governed by this policy.
4. Information Sharing and Disclosure
We may disclose personal information to third parties for a variety of operational, legal, and commercial purposes, including:
- •
To fulfill a request or transaction – Such as providing access to a website feature, submitting an out-of-network insurance claim on your behalf, facilitating account-based functionality, or processing a job application.
- •
To comply with contractual obligations – We may disclose personal information as necessary to fulfill our obligations under agreements with our customers and end users, service providers, partners, or other third parties involved in delivering or supporting our services.
- •
To service providers and vendors – We may share information with contractors, cloud infrastructure providers, analytics platforms, and other service providers who assist us in delivering services, operating our website, or supporting our business operations. These parties are required to handle the information in accordance with applicable law and contractual obligations.
- •
To business partners or other third parties – We may disclose personal information to operational partners, affiliated entities under common control, or other trusted third parties in connection with supporting or improving our services. We do not share personal information with third parties for cross-context behavioral advertising.
- •
To comply with legal obligations – We may disclose personal information if required to do so by law, regulation, subpoena, court order, or governmental request. We may also disclose data as necessary to enforce our Terms of Use, investigate violations, detect or prevent fraud, or protect the rights, property, or safety of Suprabill, our users, or others.
- •
In connection with a business transfer – If Suprabill or any of its assets, units, or affiliates are acquired, merged, reorganized, or otherwise transferred, personal information may be disclosed or transferred as part of that transaction.
We take reasonable steps to safeguard personal information we collect, including through technical, administrative, and physical controls appropriate to the nature of the data and our operations. We may also share de-identified or aggregated information with third parties for lawful business purposes. Such information does not identify you personally and is not subject to this Privacy Policy so long as we maintain and use it in accordance with applicable deidentification standards.
5. Legal Basis for Processing
Where required by law, our processing of personal information is based on one or more of the following legal grounds:
- •
The processing is carried out with your consent, where applicable;
- •
The processing is necessary to perform a contract or to take steps at your request before entering into a contract;
- •
The processing is necessary for us to comply with a legal obligation;
- •
The processing is necessary for our legitimate interests, such as providing and improving our services, preventing fraud, ensuring network and information security, or pursuing business operations—except where such interests are overridden by your rights and freedoms.
6. Cookies and Tracking Technologies
We and certain third-party partners use cookies, pixel tags, and similar tracking technologies to collect information about how visitors interact with our website. These technologies help us improve site functionality, analyze traffic patterns, understand engagement with content, and may also support our advertising and marketing efforts in compliance with applicable laws.
Cookies are small data files stored on your device that can retain information such as a user identifier, session state, or preferences. While cookies cannot access files or data stored on your hard drive or interact with cookies set by other websites, they may be used to associate browser or device activity over time. Pixel tags (sometimes called web beacons) are small pieces of code that can track certain actions on web pages or emails, such as whether a user viewed or clicked specific content.
Some parts of our website use first-party cookies to help us assess how useful our content is, how visitors navigate through our site, and how we can improve the user experience. We may also work with third-party service providers—for example, analytics platforms or infrastructure vendors—who may set cookies or similar technologies to help us understand site performance and usage. We do not currently engage in cross-context behavioral advertising. If this changes, and such activity occurs, it will be reflected in our Categories of Personal Information table as ―shared‖ or ―sold‖ without an asterisk (*), indicating that the disclosure is not solely for service delivery. In that case, we will update this policy and provide any required opt-out mechanisms.
You may be able to manage or restrict the use of cookies and similar technologies through your browser settings, which could allow you to block cookies entirely, be notified when cookies are set, or delete existing cookies. Please note that disabling cookies may impact the functionality of certain features or pages. To learn more about interest-based advertising or to opt out of thirdparty tracking by participating advertising networks, you may visit:
- •
DAA (Digital Advertising Alliance)
- •
NAI (Network Advertising Initiative)
By continuing to use our website, you consent to the use of cookies and tracking technologies as described above. We do not guarantee that browser-level controls or third-party opt-out tools will block all tracking activity, and we disclaim responsibility for the functionality or effectiveness of those tools.
7. Account and Password Security
For certain features or sections of our website, you may be required to register an account and select a password. Your Suprabill account will be accessible to anyone who has your login credentials. You are solely responsible for maintaining the confidentiality and security of your username and password, and for any activity conducted under your account. Suprabill is not responsible for unauthorized access resulting from your failure to safeguard your credentials.
We implement physical, electronic, and administrative safeguards to help protect the personal information you provide, as required by applicable law. In areas where sensitive information may be transmitted, we may use industry-standard encryption technologies such as SSL to protect data during transmission. However, due to the inherent nature of the internet, no data transmission or storage system can be guaranteed to be 100% secure. We cannot guarantee the security of any information you transmit to us online.
We encourage you to take precautions to protect your personal information while online, including regularly updating your passwords, using complex combinations of letters and numbers, and ensuring your browser and operating system are up to date.
8. Information of Children and Minors
Our website is not directed to children under the age of 13, and we do not knowingly collect personal information directly from children under 13. However, we may receive information about minors, including children under 13, when submitted by a parent or legal guardian in connection with an out-of-network claim or related request. Such information is processed solely for the purpose of providing the requested services on behalf of the parent or guardian.
If we become aware that we have inadvertently collected personal information directly from a child under 13 without appropriate parental consent, we will delete it in accordance with applicable law and without liability to you or anyone else. We reserve the right to take reasonable steps, including restricting access or suspending accounts, if we determine that a user has repeatedly submitted information in violation of this policy or applicable children's privacy laws.
9. Third Party Websites
Our website may contain links to third-party websites that are not owned or operated by Suprabill. We do not transmit personal information about you to those websites, and we are not responsible for their privacy practices or content. If you choose to leave our site and visit a third-party website, your information will be governed by that site's privacy policy and terms of use, which may differ from ours—even if the third party is a service provider used by Suprabill.
For example, if you apply for a position with Suprabill through a platform such as Indeed.com, your application may be processed under that platform's own privacy policy. We encourage you to review the privacy policies of any third-party websites before providing them with your personal information.
10. Do Not Track Signals
Some web browsers and extensions offer a "Do Not Track" (DNT) setting or Global Privacy Control (GPC) signal intended to indicate a user's preference not to be tracked across websites. At this time, there is no universally accepted standard for interpreting DNT or GPC signals, and our website does not currently respond to them.
To reduce or block tracking technologies, you may use private browsing modes (such as "Incognito" or "Private" windows), adjust your browser settings, or use third-party tools to manage cookies and trackers. However, your browser provider or third-party services may still collect information independently, and we do not control their behavior. Please consult your browser's support documentation for more information.
11. Retention and Disposal of Personal Information
We retain personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, including to provide our services, comply with legal obligations, enforce agreements, resolve disputes, and support internal compliance and improvement efforts. The specific retention period for any given category of data may vary depending on the nature of the information, the context in which it was collected, and applicable legal or regulatory requirements.
We may also retain de-identified or aggregated information for internal analytics, service evaluation, or other lawful purposes. When personal information is no longer needed for its original purpose and is not subject to a legal or contractual retention requirement, we will take reasonable steps to delete, de-identify, or securely dispose of it.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time at our sole discretion or as required by law. All changes will take effect upon posting the revised version to this page, unless otherwise stated. Your continued use of our platform following any changes constitutes your acceptance of the updated policy.
We encourage you to review this page periodically to stay informed about our data practices. If we make material changes to how we collect, use, or share your personal information, we may also notify you through additional means, such as email or a notice on the website.
13. Questions or Suggestions
If you have any questions or concerns about how we collect, use, or disclose personal information, you may contact us by e-mail at: [email protected]. Please allow up to five business days for a reply.
14. California Resident Privacy Disclosures & Statement of Rights
California Residents Only.
This section applies only to individuals who are residents of California, to the extent our operations are subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and related regulations.
California Rights
If you are a California resident, you may have the following rights regarding your personal information, subject to certain exceptions and limitations under applicable law:
- •
Right to Know – You have the right to request information about the personal information we collect, use, disclose, or sell, including: (1) the categories of personal information we have collected; (2) the categories of sources from which it was collected; (3) the purposes for collecting, selling, or sharing the information; (4) the categories of third parties to whom personal information was disclosed; and (5) in certain cases, the specific pieces of personal information we have collected about you.
- •
Right to Delete – You may request that we delete personal information we have collected from you, subject to certain legal exceptions.
- •
Right to Correct – You may request that we correct inaccurate personal information we maintain about you.
- •
Right to Opt Out of Sale or Sharing – If we sell or share personal information as defined by California law, you have the right to opt out of such sale or sharing.
- •
Right to Know Recipients of Disclosures – You may request information about the categories of third parties to whom we have disclosed personal information for a business or commercial purpose.
- •
Right to Non-Discrimination – You have the right not to receive discriminatory treatment for exercising your privacy rights under the California Consumer Privacy Act (CCPA/CPRA). We will not deny you services, charge different prices, or provide a different level of service solely because you exercised those rights. However, please note that certain services may require us to collect or use specific types of personal information. For example, some features may only be available to registered users or individuals who provide the information necessary to use those features.
Exercising Your Rights
As a California resident, you may exercise your privacy rights, request access to or correction of the personal information we have collected about you, or contact us for more information about our privacy practices. To submit any California privacy rights requests, please contact us via[email protected].
Verification Process
You may submit your California rights requests using any of the methods listed above. For certain requests, California law requires us to verify the identity and authority of the individual making the request in order to protect your privacy and personal information. Depending on the nature and sensitivity of the request, we may ask you to provide two or more pieces of information that match data already in our records before we can process the request.
Authorized Agent
If you wish to submit a California rights request through an authorized agent, you may do so by designating the agent in writing and contacting us through any of the methods listed above. To help us verify and process the request, please provide the following information:
- •
Your full name and date of birth
- •
Your current address and telephone number
- •
The name of the authorized agent
- •
Whether the requested information should be delivered to you or to the agent, along with appropriate delivery instructions
- •
The specific types of requests you are authorizing the agent to make (e.g., Request to Know, Request to Delete, or Request to Opt-Out of Sale or Sharing)
- •
Your signature and the date of authorization
If any required information is missing or cannot be verified, we may request additional documentation before processing the request. We may also ask for further verification depending on the nature or sensitivity of the request, in accordance with applicable law.
No Sale of Minor Information
Suprabill does not have actual knowledge of any sale of the personal information of consumers under 16 years of age.
Questions About Our Privacy Policy?
If you have questions and concerns about how we collect, use and disclose personal information, please contact us:
[email protected]