Legal

Privacy Policy

Effective date: April 30, 2026

Last updated: April 30, 2026

This is an interim privacy policy. Compass is a small, founder-run business and we are in the process of engaging healthcare-focused legal counsel to produce our full privacy policy and complete our HIPAA compliance review. This interim policy describes our actual current practices accurately and conservatively. We will replace it with the full version when ready, and notify users of material changes.

Who we are

Compass (getcompasshealth.com) is a consumer healthcare education platform operated by Shay Forbes. We offer self-paced courses, live cohorts, and a one-time professional bill review service that helps customers identify errors and overcharges on their medical bills.

What we collect

When you create an account or enroll in a course or cohort:

Your full name
Your email address
Authentication credentials (managed by our authentication provider; we do not store your password directly)
Payment information (processed by our payments provider; we do not store your card details)

When you submit a bill for review:

Your full name and email
The medical bill itself (uploaded as a file, max 4MB)
The name of the provider who issued the bill
The type of service the bill is for
Any notes you choose to include

The bill review service is the only part of Compass that involves medical billing information. We treat this data with greater care than other categories of information we collect, as described below.

Automatically collected:

Standard web access information (IP address, browser type, pages visited) collected by our hosting provider for security and operational purposes.

We do not currently use third-party advertising trackers. We may use limited analytics tooling to understand how the site is used; if we do, it will be configured to minimize personal data collection.

How we use your information

We use the information you provide to:

Deliver the courses, cohorts, and bill review services you have purchased
Send transactional email related to your account and purchases (signup confirmation, magic links, password resets, bill review status updates)
Communicate with you when you contact us
Maintain the security and integrity of our service

We do not sell your personal information. We do not share your bill review submissions with anyone outside the limited internal access described below.

Service providers (subprocessors)

We rely on the following providers to operate Compass. Each receives only the information necessary to perform its function:

Supabase— database, authentication, and file storage
Stripe— payment processing. Payment card details are entered directly into Stripe and never reach our servers. We send Stripe only a reference ID and a transaction type tag, never bill contents or other medical information.
Resend— transactional email delivery
Vercel— application hosting

We are in the process of executing Business Associate Agreements (BAAs) with these providers where applicable as part of our HIPAA compliance work.

Bill review data: handling and access

Because bill submissions can contain protected health information, we apply additional safeguards:

Restricted access. Only authorized personnel have administrative access to bill submissions, and only for the purpose of performing the review you have requested.
Audit logging. Every administrative access to a bill submission is logged, including who accessed it, when, and what action was taken.
No PHI sent to third parties for marketing or analytics purposes. We do not send bill content, provider names, service types, or notes to any service provider beyond what is strictly necessary to store and deliver the bill review service.
Self-service deletion. You can request deletion of your bill submission at any time by contacting us, and we will honor your request promptly.

How long we retain your information

Account information (name, email): retained for the duration of your account.
Bill review submissions: retained for 180 days after we mark your review as complete (reviewed or negotiated status), then deleted. We currently honor deletion-on-request manually; we are building automated deletion at the 180-day mark and will update this policy when that is in place.
Payment records: retained as required by tax and accounting law.
Email logs:retained according to our email provider’s standard retention policies.

You can request earlier deletion of your account or any specific bill submission at any time.

Your rights

You have the right to:

Access the personal information we hold about you
Correct information that is inaccurate or out of date
Request deletion of your information
Withdraw consent for marketing communications (we currently do not send marketing email; if that changes, you will be able to unsubscribe at any time)

To exercise any of these rights, email us at the address below. We will respond within a reasonable time.

If you are a California, Colorado, Delaware, Florida, Virginia, or Utah resident, you have additional rights under your state’s privacy law. Contact us using the same email and we will honor those rights in accordance with applicable law.

Children

Compass is intended for adults navigating their own healthcare. We do not knowingly collect information from anyone under 13.

Security

We protect your information using commercially reasonable safeguards, including encryption in transit, access controls, and audit logging for bill review data. No system is perfectly secure; we will notify affected users in accordance with applicable law if a breach occurs.

Changes to this policy

We will replace this interim policy with our full policy following our legal review. We will update the “Last updated” date above and, for material changes, notify users by email.

Contact

For privacy questions, deletion requests, or any other matter related to this policy:

Shay Forbes
hello@getcompasshealth.com