Privacy policy.

Last updated: June 2026

Account Information

When you create a BURSIFY account, we collect your name, email address, and password. If you choose to complete your profile, we may also collect your date of birth, mailing address, phone number, and household size. This information is necessary to identify benefits and programs you may be eligible for.

Financial Transaction Data

Through our integration with Plaid, we access your financial transaction data on a read-only basis. This includes account balances, transaction history, account and routing numbers (masked), and institution details. We never have the ability to move money from your accounts or initiate any transactions on your behalf.

Uploaded Documents

If you use our insurance appeal features, you may upload denial letters, explanation of benefits (EOB) documents, and medical records. These documents are processed using optical character recognition (OCR) to extract relevant information for your appeal cases.

Usage Analytics

We collect anonymized usage data including pages visited, features used, session duration, and device information (browser type, operating system, screen resolution). This data is used to improve the platform experience and does not personally identify you.

We use the information we collect to:

• Screen your eligibility for unclaimed benefits, tax credits, and government programs (such as Medicaid, SNAP, LIHEAP, CHIP, and EITC). Bursify provides eligibility estimates and links to official enrollment portals. We do not file applications on your behalf. You must apply directly with the relevant federal, state, or local agency.
• Analyze insurance denial letters and generate appeal arguments on your behalf
• Match you with eligible class action settlements based on your transaction history
• Provide personalized financial recovery recommendations
• Process subscription payments and manage your account
• Send transactional emails (account confirmations, case updates, appeal status changes)
• Improve our AI models and platform features using aggregated, de-identified data

We do not sell your personal information to third parties. We do not use your financial data for advertising purposes. Your data is used solely to provide and improve the BURSIFY service.

We collect, process, and store your data only with your express consent. You provide this consent at three distinct points:

• At account creation: you check a required box agreeing to this Privacy Policy and our Terms of Service.
• When linking financial accounts: Plaid surfaces its own consent screen describing the categories of data you are about to share with us. You may refuse or decline at that step without losing access to BURSIFY's other features.
• When uploading documents: by uploading a medical bill, EOB, or denial letter, you confirm consent for us to OCR-extract the content and use it to generate dispute or appeal documents.

You can withdraw consent at any time by disconnecting financial accounts, deleting uploaded documents, or deleting your account entirely from Settings. Withdrawing consent stops new data collection immediately; existing data is purged on the schedule described in Section 6.

BURSIFY uses Plaid Technologies, Inc. to securely connect to your financial institutions. When you link an account through Plaid, you are granting BURSIFY read-only access to your financial data. We do not store your banking credentials. Plaid handles authentication directly with your financial institution.

Our Plaid integration accesses the following data categories: account balances, transaction history (up to 24 months), account holder name, and institution details. Data is synced every 24 hours to keep your benefit eligibility and settlement matching up to date.

You can disconnect any linked account at any time from your Settings page. When you disconnect an account, we stop syncing new data and delete the associated transaction history within 30 days, in accordance with Plaid's data retention policies.

All data is stored on Amazon Web Services (AWS) infrastructure located in the United States. We implement industry-standard security measures to protect your information:

• Encryption at rest using AES-256 for all stored data, including databases and file storage
• Encryption in transit using TLS 1.3 for all data transmitted between your browser and our servers
• Per-row access controls so a query for your data only ever returns your data
• Role-based access controls limiting employee access to production data
• Regular security audits and penetration testing

We retain personal data only as long as it serves the purpose for which it was collected:

• Account data (name, email, profile): retained while your account is active. Permanently deleted within 30 days of account closure.
• Plaid transaction data: retained for up to 24 months rolling to support analysis. Purged within 30 days of disconnecting an account (per Plaid's data retention policy).
• Uploaded documents (medical bills, EOBs, denial letters): retained for the lifetime of the active dispute or appeal case. Auto-deleted 90 days after a case is closed or resolved.
• Generated documents (dispute letters, appeal packages): retained for 1 year so you can re-download. Purged 1 year after generation.
• Audit logs (security events, access records): retained for 1 year for security compliance. Anonymized after that window.
• Aggregated, de-identified data: may be retained indefinitely for product improvement; cannot be re-linked to you.

You may request immediate deletion of any specific document or your entire account at any time from your Settings page or by emailing privacy@bursify.app. Account deletion disables your login immediately and cascades a permanent delete across every BURSIFY engine within 30 days of request.

This retention schedule is reviewed at least annually. The most recent review was conducted in May 2026.

We work with the following third-party service providers:

• Plaid: Financial data aggregation and account linking
• Stripe: Subscription billing and payment processing. We do not store your credit card information; it is handled entirely by Stripe.
• Amazon Web Services: Cloud infrastructure, data storage, authentication, and the secure account where we host the AI models
• Anthropic: Maker of Claude, the AI model used to draft personalized dispute letters and appeal language from your uploaded documents. Anthropic operates under a Business Associate Agreement and does not retain your prompts or your documents for training.
• SRFax: HIPAA-compliant fax transmission of dispute letters to providers and insurers. Operates under an executed Business Associate Agreement and stores transmission metadata for audit-trail purposes only.
• Lob: Certified-mail delivery of physical dispute letters to providers that do not accept fax. Operates under an executed Business Associate Agreement.

Each third-party provider is contractually obligated to protect your data in accordance with their respective privacy policies and applicable data protection regulations. Providers that may receive Protected Health Information (PHI), namely Anthropic, SRFax, Lob, and AWS, do so under executed Business Associate Agreements as required by HIPAA.

Bursify is a US-only service. We extend the same core privacy rights to every Bursify user in all 50 states and the District of Columbia — regardless of whether your state has passed its own privacy law. Some states (such as California under the CCPA/CPRA) grant additional rights; for the full state-by-state detail and how to file a request, see Your Privacy Rights. At minimum, everyone has:

• Right to Access: You can request a copy of all personal data we hold about you by emailing privacy@bursify.app. We confirm receipt within 10 days and complete the request within 45 days.
• Right to Deletion: You can request that we delete your account and all associated data by emailing privacy@bursify.app. Account deletion is permanent and cannot be undone.
• Right to Correction: You can update your personal information at any time through your account settings.
• Right to Opt Out: You can opt out of marketing communications at any time by clicking the unsubscribe link in any email or updating your notification preferences.
• Right to Portability: You can request your data in a machine-readable format (JSON) by emailing privacy@bursify.app for transfer to another service.

To exercise any of these rights, contact us at privacy@bursify.app or use the self-service options in your account settings. We confirm receipt within 10 days and complete requests within 45 days, with one possible 45-day extension for complex requests (we will tell you in advance if we need it).

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@bursify.app
• Support: Help Center

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.