Privacy Policy

This Privacy Policy explains how MyBenefitsPA Inc. collects, uses, discloses, protects, retains, and deletes personal information in connection with the MyBenefitsPA website, applications, software-as-a-service platform, alerts, document storage, advisor/caregiver features, AI-assisted guidance, and financial-data integrations.

The Platform is intended to help users and authorized advisors organize and monitor information relevant to public-benefit eligibility, renewal deadlines, income and asset thresholds, and supporting documentation. MyBenefitsPA is not a government agency, is not affiliated with SSA, CMS, Medicaid, SNAP, MAWD, any state Medicaid agency, any county assistance office, or any financial institution, and does not guarantee benefit eligibility, approval, renewal, or avoidance of overpayment.

This Policy is designed to address federal and state privacy and data-security requirements where applicable, including consumer privacy laws such as the Delaware Personal Data Privacy Act, federal privacy and unfair-practices standards enforced by the FTC, financial-data safeguards where applicable, HIPAA obligations where MyBenefitsPA acts as a covered entity or business associate, and state consumer-health-data requirements where applicable.

When a user connects a financial account through Plaid or another financial-data provider, the user authorizes MyBenefitsPA and the provider to access and process only the financial data selected and necessary for the user-requested services. MyBenefitsPA does not request, receive, or store the user's financial-institution username or password. Connections use tokenized access and provider-managed authentication flows.

• The Platform may retrieve account metadata, balances, transaction history, income deposit information, ownership/identity information where separately authorized, account status, and connection health information.
• The Platform will request the minimum integration products and scopes reasonably necessary to provide the feature selected by the user.
• The Platform may refresh financial data periodically to provide alerts and compliance monitoring, subject to user settings, provider limitations, and applicable law.
• A user may disconnect a financial account through the Platform or the provider flow. Disconnection stops future data retrieval but does not automatically delete historical records needed for retention, audit, dispute, legal-hold, or user-requested benefit monitoring purposes.
• Access tokens are encrypted, access-restricted, logged, rotated or reissued when appropriate, and revoked when an account is disconnected or deleted, except where preservation is required for security investigation or legal reasons.

MyBenefitsPA processes Sensitive Data only where the user has requested the relevant service, where processing is necessary to provide that service, where another lawful basis applies, or where affirmative consent is required and obtained. Consent is recorded in a consent ledger that may include the consenting person, date and time, device or IP metadata, data categories, service purpose, advisor scope, version of the notice presented, and revocation status.

Users may revoke consent or disconnect integrations through account settings or by contacting support@mybenefitspa.com. Revocation may limit or terminate Platform functionality. Revocation does not require MyBenefitsPA to delete records retained for legal, security, dispute, audit, regulatory, or documented benefits-monitoring purposes.

• Provide and maintain account access, authentication, alerts, reports, document storage, and support.
• Monitor benefit-related income, asset, renewal, and reporting thresholds chosen by the user.
• Generate reminders and informational guidance relating to Medicaid, SSI, SSDI, SNAP, MAWD, QMB, waiver, and related programs.
• Analyze uploaded documents and user-entered information to organize records and support user-requested summaries.
• Enable authorized advisor and caregiver access according to documented authority and account settings.
• Detect, investigate, and prevent security incidents, fraud, misuse, unauthorized access, and service errors.
• Comply with legal obligations, valid legal process, regulatory inquiries, audits, litigation holds, and user-rights requests.
• Improve services through aggregated or de-identified analytics, provided such data is not reasonably linkable to a specific user.

The Platform may use automated logic and AI-assisted systems to classify transactions, identify recurring income, flag possible benefit-threshold issues, summarize documents, prepare reminders, and generate informational guidance. These outputs are not legal, medical, tax, financial, benefits, fiduciary, or government-agency determinations. Users and advisors must verify all outputs against official notices, agency rules, program manuals, and qualified professional advice where appropriate.

Where applicable law gives users the right to opt out of profiling or automated decision-making producing legal or similarly significant effects, MyBenefitsPA will honor that right. MyBenefitsPA does not make final eligibility decisions, approve benefits, deny benefits, or submit government determinations.

MyBenefitsPA does not sell personal information. MyBenefitsPA does not use Sensitive Data for targeted advertising. If any future feature involves targeted advertising, sale, or profiling subject to opt-out rights, MyBenefitsPA will provide required notices and controls before enabling that feature.

Advisor or caregiver access is limited to individuals invited by the Beneficiary, authorized account holder, guardian, agent under power of attorney, representative payee, trustee, or other person with lawful authority. Advisors must provide accurate authority information and must not access data unless they have a current lawful basis to do so.

• The Platform may require upload or verification of authority documents before advisor access is granted or expanded.
• Access may be limited by role, beneficiary, data category, program, document folder, and permitted action.
• MyBenefitsPA may suspend advisor access if authority is disputed, expired, revoked, incomplete, or reasonably suspected to be misused.
• Beneficiaries or authorized account holders may revoke advisor access, subject to legal holds and account-control rules.

The Platform may use cookies, local storage, session identifiers, and similar technologies for authentication, security, preference management, fraud prevention, analytics, and performance measurement. Essential security and authentication cookies are necessary to operate the Platform. Non-essential analytics or marketing cookies, if used, will be subject to required notice and choice.

Where required by law, MyBenefitsPA recognizes Universal Opt-Out Mechanisms, including Global Privacy Control, for applicable opt-out rights. Because the Platform is not designed for targeted advertising using Sensitive Data, Global Privacy Control will be treated conservatively as an opt-out from sale, sharing for targeted advertising, and applicable profiling uses.

Depending on state of residence and applicable law, users may have rights to access, confirm processing, receive a copy, correct, delete, obtain portability, opt out of sale, opt out of targeted advertising, opt out of certain profiling, withdraw consent, limit use of sensitive information, appeal a denied request, and use an authorized agent. MyBenefitsPA will not discriminate against a user for exercising legally protected privacy rights.

• Requests may be submitted to support@mybenefitspa.com. MyBenefitsPA will verify the requester's identity and authority before disclosing or deleting information.
• If a request is denied, MyBenefitsPA will provide the reason and, where required, instructions for appeal. Appeals will be reviewed by a person not involved in the original denial where practicable.
• Deletion requests may be limited by legal holds, security logs, fraud-prevention needs, dispute records, tax/accounting obligations, benefits-record retention needs, and other lawful exceptions.
• Authorized-agent requests require proof of authorization and may require direct confirmation from the user or legal representative.

MyBenefitsPA will comply with HIPAA only to the extent it is legally acting as a covered entity or business associate. When MyBenefitsPA receives PHI under a business associate agreement, HIPAA rights and obligations apply according to that agreement and applicable law. When a consumer directly uploads medical or disability documents, the information may be sensitive health or disability data even if HIPAA does not apply. MyBenefitsPA protects that data under this Policy, the Security Policy, applicable consumer-health-data laws, and contractual commitments.

Public-benefits records may be subject to program-specific confidentiality rules. MyBenefitsPA does not access agency portals, submit forms, contact agencies, or represent users before agencies unless a separate authorized feature or written agreement permits that activity.

MyBenefitsPA uses administrative, technical, and physical safeguards described in its Security and Safeguards Policy, including encryption in transit, encryption at rest, role-based access, MFA, logging, vendor controls, monitoring, and incident response. Retention and deletion are governed by the Data Retention and Deletion Policy.

The Platform is intended for adults age 18 and older. The Platform is not directed to children under 13. A parent, guardian, or legally authorized representative may provide information about a minor or dependent beneficiary only where legally authorized and only as necessary for the services.

MyBenefitsPA may update this Policy from time to time. Material changes will be communicated by posting an updated policy and, where required, email or in-Platform notice.

Privacy requests, security reports, and general support: support@mybenefitspa.com. Website: www.mybenefitspa.com.