Cookie Policy
Last updated: May 11, 2026
The Short Version
- We use a small number of first-party cookies needed to keep you signed in and prevent automated abuse.
- We also use two cookieless services — Vercel Web Analytics for aggregate visitor counts and Sentry for error monitoring. Neither sets cookies on your device. Both are detailed below for full transparency.
- We do not use advertising cookies, do not embed third-party advertising pixels, and do not share data with advertising networks.
- We do not need a consent pop-up because all cookies we set are either strictly necessary or are first-party performance cookies that you can disable in your browser at any time.
- We honor the Global Privacy Control (GPC) signal. If your browser sends Sec-GPC: 1, we will not set non-essential cookies (currently: the affiliate referral cookie).
Cookie Inventory
| Cookie | Category | Duration | Source |
|---|---|---|---|
| mbs_pack: Subscription authentication. HMAC-signed token identifying an active Family or Pro subscriber. Used to grant access to paid features without a login form. | Strictly necessary | Up to 90 days | First-party |
| mbs_ref: Affiliate referral attribution. Stores a referral identifier when a visitor arrives via an affiliate link, so the affiliate is credited if the visitor later subscribes. First-party only — no third-party network reads this cookie. | Performance | 60 days | First-party |
| __cf_bm / cf_clearance: Cloudflare Turnstile bot protection. Verifies that a human is using the upload form. Required to prevent automated abuse of our analysis API. | Security | Session to 30 minutes | Third-party (Cloudflare) |
Cookieless Analytics & Error Monitoring
Two services run on every page that do not set cookies, but do receive limited technical information about your visit. We list them here so the picture is complete — not just the cookies.
- Vercel Web Analytics (provided by Vercel, Inc., our hosting provider). Records aggregate visitor counts, page views, the country and region you visited from (no city, no IP address), device type, OS, browser, the page URL and its dynamic route, the referring site, filtered query parameters, and a small set of named product events (for example, scan_started). Visitor identifiers are short-lived hashes discarded after 24 hours. No cross-site tracking. No advertising use. See Vercel’s privacy and compliance documentation. Under CCPA/CPRA, Vercel acts as our service provider; this is not a “sale” or “share” of personal information.
- Sentry (provided by Functional Software, Inc.). Receives error class names, stack traces, browser and OS strings, and route paths only when something goes wrong, plus a 10% sample of performance traces (timing of API calls and page transitions). Configured with sendDefaultPii: false: your IP address and request headers are not transmitted by default. Session replay and screen recording are explicitly disabled. We use this solely to identify and fix bugs we’d otherwise miss. See Sentry’s privacy policy. Sentry acts as our service provider.
How to opt out. Because these services use no cookies and no persistent identifier, there is no opt-out cookie to set. To stop transmission entirely you can install a content blocker that targets vitals.vercel-insights.com (Vercel Analytics) and ingest.sentry.io (Sentry), or disable JavaScript. Neither service receives the contents of your medical bill in any case.
Third-Party Domains
When you complete a paid checkout, you are redirected to checkout.stripe.com, which sets its own cookies under Stripe’s domain to process your payment. Those cookies are governed by Stripe’s cookie policy, not ours. We do not receive payment-card data and do not read Stripe’s cookies.
What We Do Not Use
- No Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, or any other advertising or cross-site tracking pixel. (Vercel Web Analytics, listed above, is a different category — cookieless, first-party-style aggregate counts, no advertising signal sent anywhere.)
- No cross-context behavioral advertising. We do not “sell” or “share” personal information as those terms are defined under the California Consumer Privacy Act / CPRA.
- No session-replay or screen-recording technology.
- No fingerprinting libraries.
- No advertising or remarketing networks of any kind.
Your Choices
You can disable cookies entirely in your browser settings. If you do, the Service may not work as expected — most notably, your subscription authentication will not persist between visits.
To opt out of the affiliate referral cookie specifically, enable the Global Privacy Control signal in your browser (instructions at globalprivacycontrol.org) or email us at privacy@medibillsaver.com.
Related Policies
- Privacy Policy — overall data handling
- Consumer Health Data Privacy Policy — Washington MHMDA-specific terms
Contact
Cookie questions: privacy@medibillsaver.com