Data security
benefit is designed so that a bad day for us can't become a bad day for you. Here's what that looks like in practice.
All traffic between your browser and benefit is encrypted with TLS 1.2 or higher. Data at rest in our database is encrypted by our infrastructure provider.
Our database enforces row-level security: even inside the database, one user can only ever read their own records. A bug in the app cannot accidentally leak someone else’s tracker entries or profile.
We deliberately do not collect insurance member IDs, Social Security numbers, claims data, or medical records. The most effective way to protect sensitive data is to never ask for it.
Authentication is handled by Google Sign-In. We never see, store, or transmit your password.
Payments are processed by Stripe, a PCI-DSS Level 1 service provider. Payment-card details go directly from your browser to Stripe — they never touch our servers.
Production database access is limited to the engineers who need it, logged, and protected by multi-factor authentication. Developer environments use synthetic data, not real user records.
When you delete your account, your profile, recommendations, tracker entries, and chat transcripts are removed from our database. Backups age out on a fixed schedule.
If we ever discover an incident affecting your information, we commit to telling you about it quickly and honestly — including what happened, what data was involved, and what you should do.
The table below is the same one we use internally to vet every new feature.
| Category | We keep | We don't keep |
|---|---|---|
| Account | Name and email from Google Sign-In | Google password (we never receive it) |
| Profile | Age, biological sex, insurer, plan type, group number, dental/vision flags, optional deductible and out-of-pocket max, optional life-stage signals | Member ID, subscriber number, SSN, Medicare/Medicaid numbers |
| Insurance-card scan | Insurer name, plan type, and group number extracted from the photo | The photo itself (not retained after scanning), member ID, the name printed on the card |
| Tracker entries | Amount, category, optional label, and date of copays, bills, and premiums you choose to log | Provider names, service descriptions, diagnoses, procedure codes, EOBs |
| AI chat | Messages you send and the model’s replies, linked to your account, so you can see chat history | Any clinical or personal detail we would have to actively ask you for — we try to keep the scope narrow |
| Usage | Standard server logs (IP, browser) and pseudonymous product-analytics events | A behavioural advertising profile — we do not sell or share usage data with advertisers |
benefit is a consumer tool, not a healthcare provider, health plan, or clearinghouse, and we deliberately do not handle protected health information (PHI). HIPAA does not apply to us the way it applies to your doctor or your insurance company.
That's by design. We built the product to stay on the non-PHI side of the line so your sensitive medical records stay where they belong — with your providers and your insurer, not scattered across a new consumer app.
Security researchers, please email jack@getbenefit.health for responsible disclosure.