GetMyYes

GetMyYes (getmyyes.com) helps you turn a health-insurance denial into appeal paperwork. The documents you upload are sensitive — this policy explains exactly what we collect, why, where it goes, and how to remove it.

The short version: your files are processed only to draft your appeal, never to train AI. Unsaved uploads auto-delete after 24 hours. Saved cases stay until you delete them. Payments are handled by Stripe — we never see your card number. There are no third-party trackers and no advertising — our own server keeps only aggregate traffic counts and privacy-preserving unique-visitor estimates, with no visitor analytics cookies and no profiles. You can delete everything — including your account — any time, from Settings.

1. Who we are (data controller)

GetMyYes, reachable at support@getmyyes.com, operates getmyyes.com and is the data controller responsible for the personal data described in this policy. For any privacy request or question, email us at that address.

2. What we collect, why, and on what legal basis

Personal data processing summary
DataWhenWhyLegal basis (GDPR)
Documents you upload (denial letters, EOBs, prior-auth denials) and the facts extracted from them — which may include health informationWhen you upload themTo draft your preview and appeal packetYour explicit consent (art. 9(2)(a)), given via the checkbox before upload; providing the service you asked for (art. 6(1)(b))
Your answers to the guided questionsWhen you answer themTo tailor the appeal to your situationExplicit consent (art. 9(2)(a)); contract (art. 6(1)(b))
Optional case-tracker details (submission date and method, confirmation reference, expected or actual response date, response status, and appeal outcome)When you choose to track a submitted appealTo help you follow the case, schedule an optional response reminder, and show next stepsContract (art. 6(1)(b)); consent for an optional email reminder (art. 6(1)(a))
Account email and password (password stored as a hash by Firebase Authentication)When you create an accountSign-in, saving cases, purchase receiptsContract (art. 6(1)(b))
Purchase records (amount, date, case reference, email; not card numbers)When you buy a packetDelivering what you paid for, receipts, tax recordsContract (art. 6(1)(b)); legal obligation — accounting and tax law (art. 6(1)(c))
Reminder email address (if you opt in to deadline reminders on a case)When you ask for remindersSending your case recap and appeal-deadline remindersConsent (art. 6(1)(a)) — withdraw any time by deleting the case or emailing us
Page, referrer/campaign labels, country, and network address processed momentarily for aggregate traffic measurement (the address and its digest are not stored)When a page loadsUnderstanding service usage and estimating repeat-deduplicated visitors by countryLegitimate interests (art. 6(1)(f)): improving the Service with aggregate-only, data-minimizing measurement
Basic technical logs (IP, timestamps, errors)AutomaticallySecurity and keeping the Service workingLegitimate interests (art. 6(1)(f)): fraud prevention and service security

We do not run analytics on the contents of your documents, confirmation references, reminder dates, or other case text. Product reliability and outcome reporting use only shared, fixed-category counters (for example, extraction completed, rate-limit error, or appeal approved); they cannot be used to inspect an individual case. We do not sell your personal information or share it for cross-context behavioral advertising. You can withdraw your consent at any time by deleting the case (or your account) in Settings — withdrawal doesn't affect processing that already happened.

3. How your documents are processed

  • Files are encrypted in transit (TLS) and at rest (Google Cloud default encryption).
  • To draft your documents, the relevant content is sent to OpenAI's API with retention disabled for the request ("store: false"). OpenAI API data is not used to train models.
  • Guest uploads auto-delete after 24 hours. Saved or purchased cases are kept until you delete them.
  • PDF export renders on your device; the exported file itself is not uploaded to us.
  • No solely automated decisions: AI drafts documents, but nothing with legal effect is decided automatically — you review, edit, and choose whether to send every document, and your insurer decides the appeal.

4. Who processes your data

  • Google Firebase / Google Cloud — hosting, authentication, database, file storage (United States).
  • OpenAI — AI drafting of your preview and packet, retention disabled.
  • Stripe — payment processing; your card details go directly to Stripe and never touch our servers.

These providers act as our processors under data-processing agreements and may not use your data for their own purposes beyond what those agreements allow.

5. International data transfers

Our servers are in the United States. If you use the Service from the EEA, the UK, or Switzerland, your data is transferred to the U.S. under recognized safeguards: Google, Stripe, and OpenAI are certified under the EU–U.S. Data Privacy Framework (and its UK and Swiss extensions), supplemented by Standard Contractual Clauses in their data-processing agreements.

6. Cookies, local storage & traffic measurement

We use no advertising or analytics cookies and no third-party trackers — that's why you don't see a cookie banner. Browser storage is limited to what the Service needs: Firebase Authentication keeps your sign-in session in local storage/IndexedDB so you stay logged in. The owner's browser also keeps a one-bit internal-traffic exclusion preference, and our server sets a verified, HttpOnly exclusion cookie after owner sign-in; these prevent internal testing from entering aggregate counts and are not used to identify or track visitors. Fonts, marketing-page scripts, and the Flutter rendering engine are served from our own domain. When the secure workspace starts, it loads official Firebase application modules from Google's CDN as part of the Firebase / Google Cloud service disclosed above; those modules provide authentication, database, file-storage, and server-function features and are not advertising or analytics trackers. Stripe sets its own strictly-necessary cookies on Stripe's checkout page when you pay.

First-party traffic measurement: our own server keeps aggregate daily totals — visits, pages viewed, which site referred the visit (for example, a search engine), which tagged campaign sent it, and its country. It also counts how long the secure workspace takes to show its first frame using broad, fixed ranges (under 1 second, 1–2, 2–4, 4–8, or over 8 seconds); exact timings and the associated page are discarded. Campaign labels are ordinary utm_source, utm_medium, and utm_campaign values in the page link, aggregated into daily counts. For the country report, the server also uses the network address momentarily to update a fixed-size mathematical counting sketch protected by a server-side secret. The raw address and its keyed digest are discarded after the request; only the sketch's aggregate numeric registers are stored. Merging those registers lets the dashboard estimate repeat-deduplicated visitors from each country over 30 days without creating a directly identifying visitor record.

That country figure is an estimate of unique networks, not an exact count of people: a shared network can combine several people, while a VPN or changing address can split one person. The dashboard can compare aggregate interactions by one category at a time — for example, all page views versus page views associated with France — but it exposes no visitor lookup or per-person history. The measurement uses no analytics cookie, browser analytics storage, device fingerprint, raw stored network address, stored network-address digest, or per-visitor profile. It never involves the contents of your documents. Because it places no non-essential cookie or similar browser identifier, the site does not show an analytics-cookie banner.

7. HIPAA note

GetMyYes is a consumer self-help tool. We are not a healthcare provider, health plan, or clearinghouse, and not a HIPAA covered entity or business associate. HIPAA generally does not cover copies of records you upload yourself. We protect them under this policy and applicable consumer-privacy law instead.

8. Emails we send

We send transactional email only: purchase confirmations/receipts and messages about your account or cases. If you opt in to a deadline reminder, we email you before the appeal deadline and stop that reminder when you purchase, delete the case or account, or ask us to stop. After submitting an appeal, you may separately opt in to one response-date reminder in the case tracker; turning it off or deleting the case or account cancels it. We do not send marketing email unless you separately opt in (there is currently no marketing list).

9. Retention

  • Unsaved (guest) uploads: deleted automatically after 24 hours.
  • Saved cases and packets: until you delete them or your account.
  • Purchase records: kept as long as required for accounting and tax law.
  • Queued transactional emails: purged after 30 days.
  • Backups and logs: purged on a rolling basis.

10. Your rights & controls

  • Delete: Settings → "Delete all data" removes every case and uploaded file permanently; "Delete my account" also erases your account itself. You can also delete individual cases.
  • Access / export: your packet is exportable as a PDF; for a copy of other data, email us.
  • EEA / UK / Swiss rights (GDPR): you have the right to access, rectify, erase, restrict, or object to the processing of your data, the right to data portability, and the right to withdraw consent at any time. You also have the right to lodge a complaint with the data-protection supervisory authority in your country of residence.
  • State privacy rights (California CCPA/CPRA and similar): you may request access, deletion, or correction, and you won't be discriminated against for exercising rights. We don't sell or share personal information as those laws define it.
  • Contact for any request: support@getmyyes.com. We respond within 30 days and may need to verify you control the account first.

11. Children

The Service is for adults 18+. We do not knowingly collect information from children under 13; if you believe a child has used the Service, contact us and we will delete the data.

12. Security

Encryption in transit and at rest, uid-scoped storage rules so only your account can access your files, server-side entitlement checks, and secrets kept out of the client. No system is perfectly secure — if a breach affects you, we will notify you as required by law.

13. Changes

We'll post any changes here with a new "Last updated" date. Material changes will be highlighted in the app.