Privacy Policy

Last updated: March 2026

Overview

Kupu is built on the principle that your medical data belongs to you. Your documents — bills, EOBs, denial letters — live on your device, not on our servers. When analysis is needed, your data is de-identified before it ever leaves your phone. We do not sell, share, or retain your medical information.

Data Collection & Processing

When you upload a medical bill, EOB, or denial letter, Kupu de-identifies the document on your device before transmitting it to our servers. The de-identified data is analyzed against medical coding databases, NCCI bundling rules, and fee schedule benchmarks to identify potential errors. All data is encrypted in transit using TLS.

In rare cases where an action requires identified information — such as sending an appeal letter on your behalf — Kupu will request your explicit permission before transmitting any personally identifiable health data. These transactions are fully HIPAA-compliant, handled under a Business Associate Agreement (BAA), and the data is deleted from our servers once it is no longer needed to support your claim.

What We Can and Cannot See

Kupu collects anonymized, aggregate usage statistics — things like app opens, documents uploaded, letters saved — to improve the product. These statistics contain no medical detail. We cannot see your bills, your diagnoses, your charges, or any information within your documents. When our servers process a document for analysis, it arrives de-identified: we see procedure codes and charge amounts, not who you are or where you were treated.

Account Information

We collect your email address when you create an account. This is used solely for account management and product communications. You can request deletion of your account and all associated data at any time.

What We Don't Do

  • Sell, rent, or share your data with third parties for marketing.
  • Use your health data to train AI models.
  • Share data with advertising networks or data brokers.
  • Share data with insurers, providers, or employers.

Third-Party Services

Kupu uses third-party services for infrastructure (hosting, analytics). These services are selected for their privacy practices and, where applicable, operate under BAAs. We do not share your medical data with advertising networks or data brokers.

Data Security

All data in transit is encrypted with TLS 1.2+. PHI processing occurs in HIPAA-compliant infrastructure with a signed BAA. We will notify affected users of any breach within 72 hours as required by law.

Your Rights

You can request deletion of your account and all associated data at any time. Contact privacy@kupuhealth.com for any data or privacy requests.

Children's Privacy

Kupu is not directed at children under 13 and we do not knowingly collect personal information from children under 13.

Changes to This Policy

Material changes will be communicated via email. Continued use after notification constitutes acceptance.

Questions? support@getkupu.com