Privacy Policy

UnBound Health Pay, Inc. ("UBH," "we," "us," or "our") operates a mobile messaging and payment collection platform used by licensed medical providers to communicate with their patients about billing, statements, and payment-related matters. This Privacy Policy describes how we collect, use, and share information when providers and patients interact with our services.

Because we receive patient information from medical providers, we act as a business associate under the Health Insurance Portability and Accountability Act (HIPAA). Our handling of Protected Health Information (PHI) is governed by the Business Associate Agreement (BAA) executed with each provider, in addition to this Policy.

Information We Collect

From medical providers

• Patient identifiers (name, mobile phone number, internal account or patient ID)
• Billing and account information (statement amounts, balances, payment status, due dates)
• Provider practice details and authorized user accounts

From patients (message recipients)

• SMS message content exchanged through our platform, including replies to our messages
• Opt-out keywords and help requests
• Payment information when a patient completes a transaction through our platform (processed by our PCI-compliant payment processor)

Automatically

• Message delivery metadata from telecommunications carriers (delivery status, timestamps, error codes)
• Technical data necessary for platform operation, security, and abuse prevention

How We Use Information

We use the information we collect to:

• Deliver SMS communications on behalf of medical providers to the patients who have consented to receive them
• Process payments and send receipts and confirmations
• Handle opt-out and help requests in compliance with carrier and regulatory requirements
• Operate, maintain, secure, and improve our platform
• Comply with legal obligations and respond to lawful requests

SMS Communications

SMS messages are sent only after the patient has given affirmative, written consent to their medical provider. Consent is collected by the provider during patient intake, using a consent form that identifies UBH as the platform operator and discloses message types, frequency, opt-out instructions, and applicable message and data rates.

Patients may opt out of SMS communications at any time by replying STOP to any message. Opt-outs are processed immediately and automatically. A single confirmation message is sent, after which no further messages will be delivered unless the patient opts back in. Patients may reply HELP at any time for assistance.

A copy of our standard opt-in process is available at docs.unboundhealth.co/sample-consent-form.pdf.

How We Share Information

We share information only as needed to operate our service and only with the following categories of recipients:

• Telecommunications carriers and messaging infrastructure providers (such as Twilio) solely to deliver SMS messages. These providers are contractually bound to use the information only for message delivery.
• Payment processors to complete patient-initiated transactions. Card data is handled directly by our PCI-compliant processor.
• The medical provider that submitted the patient information, including opt-out events and delivery status updates.
• Service providers (cloud hosting, security, customer support tooling) under written agreements that restrict their use of the information.
• Legal and regulatory authorities when required by law or to protect rights, safety, or the integrity of our services.

We do not sell personal information, and we do not share personal information with third parties for their own marketing purposes.

Data Security

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, or destruction. These safeguards include encryption in transit and at rest, access controls, audit logging, and security monitoring consistent with HIPAA Security Rule requirements. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Data Retention

We retain information for as long as necessary to provide the service, comply with legal obligations (including telecommunications and healthcare recordkeeping requirements), resolve disputes, and enforce our agreements. Opt-in and opt-out records are retained for at least four years, consistent with guidance under the Telephone Consumer Protection Act (TCPA). Medical providers retain the underlying signed consent records in the patient's file.

Your Rights and Choices

Patients have the right to:

• Opt out of SMS communications at any time by replying STOP
• Contact their medical provider's billing department to request correction or deletion of their information held by the provider
• Contact us directly at the address below with questions about how their information is handled by our platform

Patients located in jurisdictions with additional privacy rights (such as California, Virginia, Colorado, and other states with comprehensive privacy laws) may have further rights, including rights of access, deletion, correction, and portability. Requests may be submitted to compliance@unboundhealth.co. Because we typically process patient information on behalf of medical providers, we may direct requests to the relevant provider where appropriate.

Children's Privacy

Our services are directed to medical providers and their adult patients. For patients who are minors, a parent or legal guardian must provide consent on the patient's behalf. We do not knowingly collect personal information directly from children under 13.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected in an updated "Last updated" date above. Continued use of our services after changes take effect constitutes acceptance of the revised Policy.

Contact Us