Privacy Policy

This Privacy Policy explains what Unlock HSA collects, how the service uses uploaded records and connected-storage data, how OCR and AI fit into the workflow, and how we protect covered sensitive information without overclaiming what the product does.

Introduction

Unlock HSA is a consumer-facing HSA recordkeeping and reimbursement documentation tool. It helps users collect, organize, review, and export medical-expense support records for HSA reimbursement planning.

This Privacy Policy explains what information we collect, how we use it, how we protect it, when we share it, and the choices available to you.

Unlock HSA is not a tax preparer, claims processor, health plan, HSA custodian, financial advisor, legal advisor, or tax advisor.

What We Do Not Do

These points are worth calling out clearly because they shape how Unlock HSA is designed and how we expect users to rely on the service.

  • We do not sell your personal data.
  • We do not use your medical documents for third-party advertising.
  • We do not use your documents to train or fine-tune AI models.
  • We do not make tax, legal, medical, financial, or reimbursement eligibility decisions for you.

Information We Collect

We collect information you provide directly, information created as you use the service, and limited technical information needed to operate and protect the service.

  • Account information, such as your name, email address, login and authentication details, and plan or subscription status.
  • Household and family-member information, such as names or labels you use to organize records.
  • Medical-expense records, such as service dates, provider names, patient names, amounts, notes, reimbursement status, HSA establishment date, and annual 1099-SA comparison values if you enter them.
  • Documents and evidence, such as receipts, bills, EOBs, proof of payment, superbills, uploaded files, file metadata, and generated audit-package artifacts.
  • OCR and AI outputs, such as extracted text, suggested structured data, confidence or rationale fields, explanatory notes, and review metadata where those features are used.
  • Inbound email information, such as sender, recipient alias, subject, message body content, email-authentication metadata, attachments, and processing outcome details.
  • Connected-provider information, such as Google Drive or Dropbox connection metadata, provider file metadata, storage-operation metadata, and the token material needed to keep those connections working.
  • Technical and usage information, such as browser or device details, IP address, logs, security events, and service metrics needed to operate, troubleshoot, and protect the service.

How We Use Information

We use information to provide the service you ask us to provide, to protect the service, and to improve reliability and usability.

  • Operate your account and provide HSA documentation, expense tracking, reimbursement recordkeeping, and export features.
  • Process uploads, inbound emails, OCR and AI extraction, review queue items, bulk imports, and audit-package generation.
  • Support optional connected-storage features for Google Drive and Dropbox.
  • Detect likely duplicates, documentation gaps, double-dip risk, timing issues, defensibility warnings, and reconciliation guidance.
  • Provide customer support, account recovery, and security monitoring.
  • Improve product reliability, diagnostics, and user experience.
  • Comply with legal obligations and protect users, the service, and our rights.

OCR and AI

Unlock HSA may use OCR, document analysis, and AI-assisted extraction to help organize records, suggest structured details, and support review workflows.

These features are assistive and review-first. They may be wrong, incomplete, or unavailable, and they do not silently finalize expense, reimbursement, or audit decisions.

Unlock HSA does not provide tax, legal, medical, or financial advice through OCR or AI outputs.

Unlock HSA does not use your uploaded documents, OCR text, or AI extraction outputs to train or fine-tune general-purpose AI models unless we later clearly disclose that change and obtain any consent required by law.

How We Protect Information

We use layered administrative, technical, and organizational safeguards designed to protect the information we handle.

Those measures include transport encryption, access controls, monitoring, conservative intake controls, and application-layer encryption for covered sensitive fields before database storage.

For covered sensitive fields, a database compromise alone should not expose plaintext values. That protection is field-specific, not full-platform encryption.

  • TLS or similar protections for data in transit.
  • Application-layer encryption for covered sensitive fields before database storage.
  • Envelope-style key management with wrapped keys and KMS-backed controls where implemented.
  • Encrypted storage of Google Drive and Dropbox OAuth token material.
  • Conservative intake protections, including supported file-type controls, size and count limits, ZIP safety checks, and malware scanning where configured.
  • Backup and export protections for app-managed systems.

Connected Storage Providers

Google Drive and Dropbox are optional connected storage providers. You choose whether to authorize them.

If you connect a provider, Unlock HSA uses the access you grant only to provide the connected features you choose, such as storing or retrieving uploaded documents and finalized audit-package files.

If you disconnect a provider, Unlock HSA may lose the ability to access files that remain stored there through the app.

Files you downloaded or files that remain in your own Google Drive or Dropbox account may continue to exist there under your control even after you disconnect the provider from Unlock HSA.

Your use of Google Drive or Dropbox is also subject to that provider's own terms and privacy policy.

Inbound Email and Bulk Import

You may send simple receipts and payment confirmations to a unique Unlock HSA intake email address or upload files, including supported ZIP archives, through Intake.

For medical bills, EOBs, detailed statements, insurance documents, or anything with sensitive health or insurance information, direct upload through Unlock HSA is recommended because it gives you a more controlled path into the app.

Regular email may be encrypted in transit, but it is not end-to-end encrypted and may pass through sender mailboxes, mail providers, forwarding or routing systems, spam filters, and workers before reaching Unlock HSA.

Emails, attachments, and related metadata may be processed to create reviewable Intake items and to support OCR, AI extraction, review, and storage workflows.

To protect the service, inbound email and ZIP intake use conservative controls such as supported file-type allowlists, size and count limits, malware scanning where configured, no nested archives, no unsafe paths, and only clean or accepted files moving forward to review.

Unsupported files, generic portal notifications, and other content that does not fit the intake rules may be skipped or rejected.

Do not send unrelated sensitive information that you do not want Unlock HSA to process.

Sharing and Disclosure

We do not sell personal information, and we do not share your medical documents for third-party advertising.

We share information only when needed to run the service, comply with law, protect users or the service, or complete a business transfer.

  • Service providers that help us operate hosting, databases, storage, email delivery, OCR and AI processing, security monitoring, or related infrastructure.
  • Connected storage providers such as Google Drive or Dropbox when you authorize those integrations.
  • Legal, regulatory, or security recipients when disclosure is required or reasonably necessary to protect rights, safety, or the service.
  • A successor or acquiring organization in the event of a merger, acquisition, financing, restructuring, or sale of all or part of the business.

Retention, Deletion, and Exports

We keep information for as long as reasonably needed to provide the service, maintain security, comply with legal obligations, resolve disputes, and keep normal backup and operational records.

You may export records and audit packages from the service. User-initiated exports can create files that you control outside Unlock HSA.

If you request account deletion or your account is deactivated, we may delete or schedule deletion of account records and app-managed documents, subject to legal, security, fraud-prevention, and backup-retention needs.

Files stored in your own Google Drive or Dropbox account, and files you already downloaded, may need to be deleted by you directly.

Backups may retain information temporarily until normal backup-expiration cycles complete.

User Choices and Rights

Depending on your account and the feature you are using, you may be able to access, update, export, disconnect, or delete certain information directly in the service.

  • Update account and record information through the app where available.
  • Disconnect Google Drive or Dropbox through Settings.
  • Export records and audit packages.
  • Request account, privacy, or support help by contacting support.
  • Opt out of optional marketing messages if we offer them in the future.

Children

Unlock HSA is intended for adults managing their own HSA documentation or household records.

The service may contain dependent or family-member information entered by an adult, but it is not intended for children to create accounts or use on their own.

Changes and Contact

We may update this Privacy Policy from time to time. If we make material changes, we will update the date on this page and may provide additional notice through the service or by email.

If you have privacy or data-use questions, contact support@unlockhsa.com.