HIPAA COMPLIANT
Privacy Policy
Last updated: May 2026 · Version 1.0
1. Information We Collect
- Account Information: Name, email address, phone number, state of residence, and account type (patient, clinic, or hospital).
- Organization Data (Clinics/Hospitals): Organization name, NPI number, EIN/Tax ID, specialty, billing contact, CMS certification number, and address.
- Medical Documents: Insurance denial letters, appeal letters, and approval letters uploaded to process your case.
- Payment Information: Credit/debit card details are collected and stored by our payment processor (Paddle). We never store raw card numbers on our servers.
- Usage Data: Log data, device information, and interaction data to improve our service.
2. HIPAA Compliance
- ApproveIt maintains full HIPAA (Health Insurance Portability and Accountability Act) compliance for all Protected Health Information (PHI).
- We execute Business Associate Agreements (BAAs) with all clinic and hospital clients and with our infrastructure providers.
- All PHI is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
- Access to PHI is restricted to automated AI processing systems only. No human at ApproveIt reviews your medical documents.
- We maintain audit logs of all access to PHI for compliance purposes.
- Our infrastructure runs on HIPAA-eligible services with signed BAAs throughout the data chain.
3. How We Use Your Data
- Appeal Processing: AI analysis of denial letters, clinical evidence research, appeal letter generation, and electronic submission.
- Case Management: Tracking case status, monitoring insurer deadlines, and automated escalation.
- Communication: Email notifications about case status, deadline alerts, and account updates.
- Billing: Processing success fees when appeals are approved.
- We NEVER sell, rent, or share your medical data with third parties for marketing or advertising purposes.
4. Data Storage & Retention
- All data is stored in Supabase (PostgreSQL) with HIPAA-compliant infrastructure.
- Uploaded medical documents (PDFs, images) are automatically deleted after 90 days.
- Structured data (claim amounts, denial reasons, case status) is retained for the duration of your account.
- Upon account deletion, all data is permanently removed within 30 days.
- Row Level Security (RLS) ensures complete data isolation: no user can access another user's data.
5. Third-Party Services
- Supabase: Database, authentication, and file storage (HIPAA BAA in place).
- Anthropic (Claude AI): AI processing for denial analysis and appeal generation. All calls are server-side only.
- Google (Gemini): OCR processing for document text extraction. Server-side only.
- Paddle: Payment processing for success fees. PCI DSS compliant. Paddle acts as Merchant of Record.
- Resend: Transactional email delivery for notifications.
- Vercel: Application hosting. No PHI is stored in Vercel infrastructure.
- All AI processing happens via secure server-side API routes. No patient data is exposed to the browser or client-side code.
6. Your Rights
- Access: You can view all your data through your dashboard at any time.
- Deletion: Request complete deletion of your account and all associated data by emailing approveit602@gmail.com.
- Portability: Download your case data and appeal letters from your dashboard.
- Correction: Update your personal information through account settings.
- HIPAA Rights: You have the right to an accounting of disclosures of your PHI and to request restrictions on certain uses.
- All requests are processed within 30 days.
7. Contact
- Privacy questions: approveit602@gmail.com
- HIPAA inquiries: approveit602@gmail.com
- General support: approveit602@gmail.com