Privacy Policy

Last updated: 2026

DenialIQ operates as a Business Associate under HIPAA. This Privacy Policy explains how we collect, use, and protect your information and the protected health information (PHI) you entrust to us. For PHI-specific obligations, please refer to our Business Associate Agreement.

1. Information We Collect

We collect the following categories of information:

Account and practice information:

  • Name, email address, and password (authentication)
  • Practice name, NPI number, credentials, address, and phone number
  • Billing information processed through Stripe (we do not store card numbers)

Protected Health Information (PHI) in ERA files:

  • Patient names and member ID numbers as they appear in ERA/835 files
  • Dates of service, CPT codes, and diagnosis codes
  • Payer names, claim IDs, and denial reason codes
  • Billed, paid, and denied amounts

Usage and technical data:

  • Log data including IP addresses, browser type, and pages visited
  • Audit trail data required by HIPAA (file uploads, claim views, appeal status changes)

2. How We Use Your Information

We use the information we collect only to:

  • Provide, operate, and improve the DenialIQ service
  • Process ERA files and generate AI-powered denial analysis and appeal letters
  • Authenticate users and maintain account security
  • Process payments and manage subscriptions
  • Maintain HIPAA-required audit logs
  • Send transactional communications (account creation, subscription receipts, trial reminders)

We do not sell your information. We do not use PHI for marketing. We do not use PHI to train AI models beyond what is necessary to provide the Services to you.

3. Third Parties and Subprocessors

We share data only with the following third-party service providers as necessary to operate the service:

Supabase, Inc.
  Purpose: Database and file storage (including PHI)
  Notes: Holds a SOC 2 Type II attestation report. Data stored in the United States.

Anthropic PBC
  Purpose: AI analysis of denial claims and appeal letter generation
  Notes: Processes PHI under a BAA. Data is not used to train Anthropic models.

Stripe, Inc.
  Purpose: Payment processing
  Notes: Does not receive PHI. PCI DSS Level 1 service provider.

Resend
  Purpose: Transactional email delivery
  Notes: Used for account and subscription emails only. Does not receive PHI.

We do not share your information with any other third parties except as required by law.

4. Data Retention

  • ERA files and claim data (PHI): Retained for 2 years from the date of upload, then permanently deleted. The HIPAA requirement to keep records for 6 years applies to our compliance documentation and audit logs (see below), not to the ERA claim data itself, which we keep only for the 2-year period needed for appeal purposes.
  • Audit logs: Retained for 6 years as required by HIPAA.
  • Account information: Retained while your account is active and for 90 days following account closure.
  • Payment records: Retained as required by applicable financial regulations.

5. Security

We implement security measures appropriate to the sensitivity of the data we handle:

  • All data encrypted at rest using AES-256 encryption
  • All data transmitted using TLS 1.2 or higher
  • Row-level security enforcing strict data isolation between practices
  • Access controls limiting employee access to PHI on a need-to-know basis
  • HIPAA-required audit logging of all PHI access
  • Regular security assessments

No method of electronic storage or transmission is 100% secure. In the event of a breach affecting your PHI, we will notify you in accordance with our Business Associate Agreement and applicable law.

6. Patient Rights Under HIPAA

As a Business Associate, DenialIQ supports your obligations to patients whose PHI you process through the Service. Patients exercise their rights under HIPAA (including rights of access, amendment, and accounting of disclosures) by contacting you, the Covered Entity. When such a request involves PHI held in the Service, forward it to us and we will cooperate in fulfilling it as required by our BAA.

7. Your Rights and Choices

  • Access and correction: You can view and update your practice information at any time in your Settings page.
  • Data deletion: You may request deletion of your data at any time. Following account closure, your account data is deleted after 90 days. PHI can be deleted sooner upon written request.
  • Data portability: You may export your claim data from the dashboard at any time.
  • Marketing communications: We do not send marketing emails. You will receive only transactional communications related to your account.

8. Children

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

10. Contact

For privacy questions, data deletion requests, or to exercise your rights, please use the contact form on our website.