Who We Are

AppealIt (operated by Appealit Inc.) runs the website appealit.ai -- a free, consumer-facing tool that helps patients draft and submit health insurance appeals for themselves. We are a consumer tool. You use AppealIt directly; your doctor, hospital, or health plan does not hire us or instruct us. That means AppealIt is not a "business associate" of any covered entity under HIPAA (45 CFR 164.502(e)), and your information is not protected by HIPAA once you voluntarily share it with us.

Counsel review required: confirm this characterization holds for your specific data flows before publishing.

Instead, we are subject to the FTC Health Breach Notification Rule (16 CFR Part 318, as amended July 2024) and applicable state consumer protection laws, and we take those obligations seriously.

Quick Summary

| What we do | What we don't do |
| --- | --- |
| Collect your denial letter and clinical info to draft an appeal | Sell your data -- ever |
| Use de-identified data to improve our engine | Share identifiable health info with advertisers |
| Notify you within 60 days of any security breach | Act as your lawyer or provide legal advice |
| Let you delete your account and data on request | Keep your data longer than we need to |

1. What Data We Collect

1a. Data You Give Us Directly

When you use AppealIt to build an appeal, you may provide:

  • Health insurance denial information: insurer name, claim or reference number, date of denial, stated reason for denial.
  • Clinical information: diagnosis codes, procedure codes, medication names (e.g., GLP-1 agonists, CGRP inhibitors), prescribing physician name, notes from your denial letter.
  • Documents you upload: denial letters, explanation-of-benefits forms, prior authorization requests, clinical notes. These are processed to extract the information above.
  • Contact information (optional): email address, if you create an account or request a copy of your draft.
  • Submission information: if you use our tool to prepare a submission packet, we record the fact that a submission was prepared and its date.

1b. Data We Collect Automatically

When you visit appealit.ai, our hosting infrastructure collects standard web server logs, which may include:

  • IP address (truncated after processing)
  • Browser type and version
  • Pages visited and time on page
  • Referring URL

We do not use persistent cross-site tracking cookies or advertising pixels.

Counsel review required: confirm with your analytics/hosting stack before publishing.

1c. Data We Do Not Collect

We do not collect:

  • Social Security numbers
  • Payment card or banking information (the tool is free; no payment is processed)
  • Precise geolocation
  • Biometric data

2. How We Use Your Data

We use the information you provide for the following purposes only:

a. Drafting your appeal

Your denial information and clinical data are passed to our AI processing engine to generate a draft appeal letter with citation-grounded arguments. This is the primary and core use.

b. Providing you a copy

If you supply an email address, we send you the finished draft.

c. Operating and securing the service

Server logs and session data are used to detect abuse, prevent unauthorized access, and maintain system performance.

d. Improving the service -- de-identified only

We analyze patterns in appeal types, denial reasons, and outcome data to improve our drafting engine. This analysis uses only de-identified data (see Section 7). Your identifiable health information is never used for model training or service improvement in identifiable form.

e. Legal compliance

We may retain or disclose data as required by law (see Section 6).

We do not use your data for:

  • Targeted advertising
  • Sale to data brokers, insurers, employers, or any third party
  • Profiling unrelated to your appeal
  • Any secondary commercial purpose not listed above

4. Sharing Your Information

We do not sell your personal information. Period.

We may share your information only in these limited circumstances:

a. Service providers (processors)

We use third-party vendors to host our infrastructure and run our AI processing pipeline. These vendors receive your data only to perform services on our behalf. They are contractually prohibited from using your data for any other purpose.

Counsel review required: list specific sub-processors (e.g., Cloudflare, AI API vendor) and ensure appropriate data processing agreements are in place before launch.

b. At your direction

If you instruct us to transmit your appeal draft to an insurer, external review organization, or other party, we do so only on your explicit instruction.

c. Legal requirements

We may disclose information if required by a valid court order, subpoena, or applicable law. Where legally permitted, we will notify you before complying.

d. Business transfers

If AppealIt is acquired or merges with another entity, your data may transfer as part of that transaction. We will notify you via the email on file (if any) and post a notice on the site at least 30 days before any transfer that materially changes how your data is used.

e. Protection of rights

We may disclose information to enforce our Terms of Service, protect against fraud, or protect the safety of any person, to the extent permitted by law.

In no circumstance do we share your identifiable health information with:

  • Advertisers or ad networks
  • Health insurers for underwriting purposes
  • Employers
  • Data brokers

5. De-Identification and Aggregate Analysis

We may use de-identified data to analyze denial patterns, improve our citation engine, and develop aggregate insights about appeal outcomes. De-identification is performed by removing or hashing all direct identifiers (name, date of birth, address, email, claim number, provider name, and any other information that could reasonably identify you) before data is used for analysis or model improvement.

De-identified data is not your personal information. We do not attempt to re-identify it. Our contracts with any analytics vendors prohibit re-identification.

Counsel review required: if you intend to publish or license aggregate research data, confirm de-identification meets the HIPAA Expert Determination or Safe Harbor standard (45 CFR 164.514(b)) as a belt-and-suspenders standard even though you are not a covered entity -- this is a credibility and risk-management move, not a legal requirement for a non-covered entity.

6. FTC Health Breach Notification Rule (16 CFR Part 318)

AppealIt is a vendor of personal health records as defined under the FTC Health Breach Notification Rule (as amended, effective July 29, 2024). Our appeal drafting tool draws health information from multiple sources you provide (denial letters, clinical documents, information you type in) and maintains it in electronic form on your behalf. That makes us subject to the Rule.

What this means for you

  • If there is a breach of security -- meaning an unauthorized acquisition of your identifiable health information, whether through a data security incident or an unauthorized disclosure -- we are required by law to notify you.
  • Notification will be sent to you without unreasonable delay and no later than 60 calendar days after we discover the breach (16 CFR 318.5).
  • Notification will be sent to the email address on file with us, or, if we have no email, posted prominently on our website and, where we have your mailing address, sent by first-class mail.
  • If a breach affects 500 or more people, we will also notify the FTC contemporaneously with notifying you.
  • If a breach affects 500 or more residents of a single state, we will notify prominent media outlets in that state as required by 16 CFR 318.5(b)(3).

Counsel review required: confirm media notice threshold interpretation under the 2024 amendments.

Unauthorized disclosure

Under the 2024 amendments to the Rule, an unauthorized disclosure is not limited to hacking. It includes disclosures inconsistent with user expectations, deceptive omissions about data sharing, and use of data for secondary purposes you never authorized. We designed this Privacy Policy and our data practices to avoid any such unauthorized disclosure.

7. Data Retention

We retain your personal information for the period necessary to:

  • Complete your appeal draft and deliver it to you.
  • Comply with legal obligations (e.g., responding to a regulatory inquiry).
  • Resolve disputes and enforce our agreements.

Default retention schedule

| Data type | Retention period |
| --- | --- |
| Uploaded documents (denial letters, clinical notes) | 90 days from last account activity, then deleted |
| Appeal drafts | 90 days from last account activity, then deleted |
| Email address (if provided) | Until you delete your account or request deletion |
| Server logs (with IP) | 30 days, then IP is truncated or deleted |
| De-identified usage data | Indefinitely (cannot be linked back to you) |

If you do not create an account and use AppealIt as a guest, your session data and uploaded documents are deleted within 7 days of your session ending.

Counsel review required: confirm these periods are consistent with any litigation hold or regulatory record-keeping obligations that may apply at your stage.

8. Your Rights and Choices

Regardless of where you live, we honor the following rights:

Access

You may request a copy of the personal information we hold about you.

Correction

You may request that we correct inaccurate information.

Deletion

You may request that we delete your personal information. We will do so within 45 days of a verified request, subject to any legal obligations to retain certain records. We will confirm deletion in writing.

Portability

You may request your data in a common machine-readable format.

Withdraw consent

You may stop using AppealIt at any time. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at [email protected] or via the account settings page. We will verify your identity before acting on a request and respond within 30 days (or 45 days for complex requests, with notice to you).

Counsel review required: set up the [email protected] inbox before launch.

California residents (CCPA/CPRA)

You have the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information (as defined under the CCPA), so the opt-out right has no practical effect -- but you may exercise it by contacting us. We will not discriminate against you for exercising your rights.

Washington residents (My Health My Data Act, RCW 19.373)

Washington law provides additional rights over "consumer health data" that fall outside HIPAA. You have the right to confirm whether we collect your consumer health data, access it, withdraw consent, and request deletion. To exercise these rights, contact us at [email protected]. We will respond within 30 days.

Counsel review required: the MHMD Act has a private right of action and broad coverage regardless of company revenue -- take this seriously and confirm compliance before serving Washington residents.

Other states

Multiple states have enacted or are enacting health data privacy laws. We intend to honor the spirit of these laws for all users.

Counsel review required: track Nevada SB 370, Connecticut SB 3, Maryland HB 881, and any 2025-2026 enactments that have taken effect by your launch date.

9. Security

We use industry-standard technical and organizational measures to protect your information, including:

  • Encryption in transit (TLS 1.2 or higher)
  • Encryption at rest for stored health documents
  • Access controls limiting who can view health data to personnel who need it
  • Logging and monitoring for unauthorized access attempts
  • Automatic deletion pipelines aligned with our retention schedule above

No system is perfectly secure. If you believe your information has been compromised, contact us immediately at [email protected].

Counsel review required: set up the [email protected] inbox and an incident response procedure before launch.

10. Children

AppealIt is intended for adults (18 and older) who are managing their own health insurance appeals. We do not knowingly collect information from children under 13. If we discover we have collected information from a child under 13, we will delete it promptly. If you believe a child has submitted information to us, contact [email protected].

Counsel review required: if parents will use the tool to appeal on behalf of a minor dependent, add a section addressing parental consent and minor-data handling.

12. Changes to This Policy

We may update this Privacy Policy. If we make a material change -- one that affects how we collect, use, or share your health information -- we will:

  • Post the updated policy on appealit.ai with a new "Last Updated" date.
  • Send notice to your email address on file (if any) at least 30 days before the change takes effect.
  • Require your renewed consent if the change involves a new use of your identifiable health information.

Continued use of AppealIt after the effective date of a non-material update constitutes acceptance of the revised policy.

13. Contact Us

AppealIt
Appealit Inc.
[Registered address to be inserted]

Privacy inquiries: [email protected]
Security incidents: [email protected]
General: [email protected]

Appendix A: Controlling Legal Framework

| Law | Applicability | Key obligation |
| --- | --- | --- |
| FTC Health Breach Notification Rule (16 CFR Part 318, amended July 2024) | Applies -- AppealIt is a PHR vendor | Notify users, FTC, and media within 60 days of breach or unauthorized disclosure |
| FTC Act Section 5 (15 U.S.C. 45) | Applies | Privacy policy must be accurate; deceptive or unfair data practices prohibited |
| ESIGN Act (15 U.S.C. 7001) / UETA | Applies | Electronic consent and signatures valid |
| HIPAA (45 CFR 160, 164) | Does NOT apply directly -- AppealIt is not a covered entity or business associate | N/A, but we use HIPAA de-identification standards as a best-practice benchmark |
| CCPA/CPRA (Cal. Civ. Code 1798.100+) | Applies to California residents | Access, deletion, correction, opt-out rights; no sale or sharing |
| WA My Health My Data Act (RCW 19.373) | Applies to Washington residents | Consent, access, deletion rights; private right of action |
| MD HB 881 / NV SB 370 / CT SB 3 | May apply depending on launch date and resident base | Monitor and update before serving residents of these states |

This document is a build-ready draft produced for AppealIt. It must be reviewed by licensed counsel before publication, with particular attention to the items flagged [COUNSEL: ...] throughout.