Legal

Privacy Policy

How Onsite Fire Billing collects, uses, and safeguards information across our fire recovery services, fire billing application, and Recovery Hub platform.

Last updated: May 14, 2026 - Version 2026-05-14

Scope

This policy covers our public website and the authenticated application (including all dashboards and APIs) available at onsitefirebilling.com and related subpaths.

Information We Collect

Account Data: First/last name, email, role, user group, profile picture URL, phone number/extension, rank, theme preference, online status.

Department Data: Department name, logo, headquarters/payment addresses, phone/extension, fire chief name, stations and apparatus details, and onboarding approvals metadata.

Claims & Invoices: Incident date/time, incident address, narrative, department/station/engine response details, insurance company and billing address information, adjuster contact (name/email/phone), invoice data, and an immutable audit history of changes.

Payments (Records Only): Payment amount, date, method (e.g., cash/check/other), check/reference numbers, payer name, notes, any attachments, and aggregate totals/remaining balance. We do not process card payments in-app.

Documents & Attachments: Files you upload (e.g., images/PDFs) tied to claims or payments. Files are stored in private storage with signed URLs generated on demand; public URLs are not exposed.

OCR Processing: For documents you explicitly submit to OCR, we process files to extract payment-related fields (e.g., amount, date, check number). Raw OCR output is sanitized before display/return.


Sales Inquiries (Contact Form): Name, title, email, phone, department, budget range, station count, apparatus count, and your message. Security metadata includes user agent and IP.

Authentication & Session: Authentication/session cookies or tokens, session creation and last activity timestamps, device/user agent and IP in the normal course of operation. We enforce idle session timeouts.

Operational Logs: Minimal application and infrastructure logs for reliability, rate limiting, abuse detection, and security diagnostics. We design logs to avoid PHI/PII where possible.

How We Use Information

Provide the Service: Authentication, department and claims management, document storage, OCR upon request, payment record-keeping, invoice generation, and real-time updates.

Communications: Onboarding/invitations, department approvals, account and security notifications, and support responses.

Security & Abuse Prevention: Session timeouts, rate limiting, access control, audit trails, and system health monitoring.

Operations & Improvement: Diagnose issues, measure reliability, and improve features with minimal telemetry.

Compliance: Maintain immutable audit trails and safeguards consistent with healthcare-grade privacy expectations.

Legal Bases (where applicable)

Contract: To deliver the features you request.

Legitimate Interests: Security, fraud prevention, reliability, and product improvement.

Consent: Where required for certain communications or marketing.

Legal Obligations: To comply with applicable laws and regulatory requests.

Sharing & Service Providers

Hosting & Infrastructure: To deliver, secure, and operate our website and application.

Database & Storage: To store application data and documents using private storage with signed access.

Email Delivery: To send invitations, approvals, account and support notifications.

Document Processing (OCR): To extract data from documents you explicitly submit for processing.

Maps & Address Services: To provide address autocomplete and related functionality where applicable.

We do not sell personal data or share it for third‑party advertising. Internal access to data is restricted to authorized personnel on a need‑to‑know basis. We engage service providers under confidentiality and data‑protection obligations.

International Transfers

Processing primarily occurs in the United States. Subprocessors may process data in the U.S. or other jurisdictions. Where required, we rely on appropriate safeguards for international transfers.

Retention

Accounts & Departments: Retained while your account/relationship is active and as required by law.

Claims, Invoices, Payments, Documents: Retained for operational, audit, and legal requirements. Deletion requests are honored subject to legal/contractual constraints and audit log integrity.

Sales Inquiries: Typically retained for reasonable sales/support timelines (e.g., up to 24 months) unless you request deletion earlier.

Logs & Telemetry: Retained for limited periods necessary for security, troubleshooting, and compliance monitoring.

Security

Access Control: Role‑based permissions and fine‑grained, row‑level access policies on sensitive data.

Session Management: Multi‑layer 60‑minute idle auto‑logout (cron, middleware, client warning), with health monitoring.

Storage Controls: Private storage buckets, signed URLs on demand, restricted image delivery; no public URLs for protected files.

Transport & At‑Rest: TLS for data in transit and provider‑level encryption at rest.

Auditability: Immutable audit trails on claim changes; rate limiting and abuse detection.

Minimization: Operational logs designed to avoid PHI/PII where feasible.

Note: We implement safeguards aligned to healthcare‑grade privacy requirements (e.g., HIPAA‑style session management). Whether HIPAA applies to your use depends on your specific configurations and agreements. If you require a Business Associate Agreement (BAA), contact us.

Cookies & Similar Technologies

Strictly Necessary: Authentication/session cookies to sign in, maintain sessions, and secure the app.

No Ad Tracking: We do not use third‑party advertising cookies. Platform‑level performance telemetry may be collected for reliability.

Local Storage: Used for non‑sensitive preferences (e.g., theme) and client caching; sensitive data is not stored in local storage.

Your Rights

Depending on your location, you may have rights to access, correct, delete, restrict, or object to processing of your personal data, and to data portability. You may opt out of non‑essential communications at any time.

If you are a California resident, we do not “sell” personal information or “share” it for cross‑context behavioral advertising. You may exercise your rights without discrimination.

Children’s Privacy

Our services are not directed to children under 16, and we do not knowingly collect data from children.

Third‑Party Links

Our site may contain links to third‑party services. Their privacy practices are governed by their own policies.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices. We will post updates with a new effective date and, where required, notify you.

Contact Us
Email: support@onsitefirebilling.com

Mailing:
Onsite Fire Billing
PO BOX 1046
Milledgeville, GA
31059