Privacy Policy
Last updated: April 2026
1. What This Policy Covers
This Privacy Policy describes how ApprovedPA collects, uses, and stores information when you use our Service. ApprovedPA is designed as a de-identified workflow — we do not knowingly collect protected health information (PHI).
2. Information We Collect
Account information
Practice name, physician name, and email address are collected at registration. Passwords are stored as a secure hash (bcrypt).
De-identified clinical data
When you create an appeal, you provide clinical information: insurance payer, medication, denial reason, patient BMI, diagnosis, comorbidities, prior therapies, and lab values. Per our Terms of Service, this information must not include patient names, dates of birth, or any other HIPAA identifier.
Generated letters
Appeal letters generated by the AI are stored in your account for retrieval, editing, and download.
Usage data
Standard server logs, including IP addresses and request metadata, are retained for security and operational purposes.
3. How We Use Your Information
- To generate and store appeal letters on your behalf
- To authenticate your account and secure access
- To improve letter quality and payer-specific accuracy (aggregated, de-identified patterns only)
- To communicate service updates
4. AI Processing — Anthropic API
De-identified clinical data you enter is transmitted to Anthropic's API for letter generation. Anthropic's privacy practices govern how they handle API inputs. We do not send patient-identifying information to Anthropic. ApprovedPA does not currently maintain a HIPAA Business Associate Agreement with Anthropic; the Service is intended for de-identified data only.
5. Data Storage and Security
Data is stored in a Neon Postgres database hosted on AWS infrastructure. The application is hosted on Vercel. We use industry-standard encryption in transit (TLS) and at rest. Passwords are hashed with bcrypt and never stored in plaintext.
6. Data Sharing
We do not sell your data. We do not share your data with third parties except as described above (Anthropic API for generation, Vercel/Neon for hosting/storage) or as required by law.
7. Data Retention
Appeal data is retained as long as your account is active. You may delete individual appeals from your dashboard. To delete your account and all associated data, contact us at the address below.
8. Your Rights
You may request access to, correction of, or deletion of your account data at any time by contacting us. We will respond within 30 days.
9. Changes to This Policy
We may update this Privacy Policy as the Service evolves. Material changes will be communicated by email or in-app notice.
10. Contact
Privacy questions: privacy@approvedpa.com