Privacy Policy
Last Updated: March 15, 20261. Introduction
Welcome to CoverageUnlocked LLC ("we," "our," "us," or "Company"). We are committed to protecting your privacy and being transparent about how we collect, use, and protect your personal and healthcare data. This Privacy Policy applies to:
- CoverageUnlocked.com website and all subdomains
- DenialBot Pro SaaS application (app.coverageunlocked.com)
- The Denial Dispatch newsletter (via beehiiv)
- All training materials, webinars, and support communications
This policy does NOT apply to third-party websites or services linked from our platform. Please review their privacy policies separately.
2. Information We Collect
2.1 Information You Provide Directly
| Information Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email, organization, phone, title | Account creation, authentication, support |
| Billing Information | Name, address, email, payment method (via Stripe) | Payment processing, invoicing, subscription management |
| Analysis Data | Claim IDs, CPT codes, payer names, denial codes, state | Generate denial analysis and scoring |
| Healthcare Data | De-identified clinical notes, treatment descriptions, outcomes | Improve appeal recommendations and models |
| Communications | Emails, support tickets, feature requests, feedback | Customer support, product improvement, marketing |
2.2 Information Collected Automatically
| Information Type | Collection Method | Retention |
|---|---|---|
| Usage Data | Log files, cookies, analytics (Google Analytics) | 90 days |
| Device Information | IP address, browser type, OS, device ID | 90 days |
| Performance Data | API response times, feature usage, error logs | 90 days |
| Location Data | IP-based geolocation (no GPS tracking) | 90 days |
2.3 Information from Third Parties
- Stripe: Payment processing information, fraud detection signals
- Your Organization: LDAP/SSO data during enterprise SSO login
- Public Data Sources: CMS denial rates, state regulatory data (de-identified)
- Service Providers: Support platforms, analytics, infrastructure partners
3. Data Classification & Handling
3.1 Data Categories
| Category | Definition | Examples | Encryption |
|---|---|---|---|
| Non-PHI | Public or non-sensitive information | Payer names, CPT codes, aggregate statistics | In-transit (HTTPS) |
| De-Identified Data | HIPAA de-identified under 45 CFR §164.502(b) | Clinical descriptions without patient ID or dates | In-transit; optional at-rest |
| PHI | Protected health information under HIPAA | Patient names, MRNs, dates, diagnoses | In-transit (HTTPS); at-rest (AES-256) |
| PII | Personally identifiable information | Names, emails, phone numbers, SSN | In-transit; at-rest (encrypted on Supabase) |
3.2 Data We Never Collect
- Full patient names or medical record numbers (MRNs)
- Social Security numbers or passport numbers
- Complete dates of service or birth dates (use age ranges only)
- Explicit diagnoses paired with patient identifiers
- Credit card or bank account numbers (Stripe handles payment data)
- Biometric data or facial recognition information
- Genetic data or substance abuse treatment records
3.3 PHI Roadmap (Future)
We plan to handle PHI when enterprise customers require it. To do so, we will:
- Execute Business Associate Agreements (BAAs) with covered entities
- Achieve HIPAA compliance (encryption, access controls, audit logging)
- Obtain SOC 2 Type II attestation
- Implement comprehensive breach notification protocols
- Restrict PHI access to authorized personnel only
4. How We Use Your Information
| Use | Legal Basis | Data Categories |
|---|---|---|
| Provide and improve the platform | Contract performance | Account, analysis, usage data |
| Process payments | Contract performance | Billing information |
| Customer support and training | Contract performance | Account, communications, support tickets |
| Security and fraud prevention | Legitimate business interest | All categories (monitoring and logs) |
| Marketing and newsletters | Consent / legitimate interest | Account information, email |
| Research and AI model improvement | Legitimate interest (de-identified) | De-identified analysis data only |
| Regulatory compliance | Legal obligation | All categories as required |
| Aggregate analytics and reporting | Legitimate business interest | Anonymized usage data |
5. Who We Share Data With
5.1 Service Providers
| Provider | Purpose | Data Shared | Agreement |
|---|---|---|---|
| Stripe | Payment processing | Name, email, billing address, payment method | Stripe Payment Processing Agreement |
| Supabase | Database and authentication | All application data | DPA available |
| Anthropic | AI analysis engine | De-identified claim and analysis data | Anthropic Enterprise DPA |
| Cloudflare | CDN, DNS, security | Request metadata, cookies, analytics | Cloudflare DPA |
| Google Analytics | Website analytics | Usage patterns, referrers, device info (anonymized) | Google Terms of Service |
| beehiiv | Newsletter hosting | Email, name, subscription status | beehiiv DPA |
| SendGrid / Email Providers | Transactional emails | Name, email, account information | DPA available |
5.2 Legal Disclosures
We may disclose your information if required by law or legal process:
- Subpoena, court order, or government agency request
- Law enforcement investigation (with warrant)
- Compliance with healthcare regulations (HIPAA, state laws)
- Detection and prevention of fraud or security breaches
5.3 Business Transfers
If CoverageUnlocked is acquired, merged, or assets are sold, your information may be transferred as part of that transaction. We will provide notice before such transfer.
5.4 No Sale of Personal Data
We do NOT sell, rent, or trade your personal information. Under California CCPA and similar laws, you have the right to know we do not engage in data sales.
6. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of relationship + 1 year | Legal, tax, support records |
| Analyses & Appeal Data | 12 months | Customer reference, audit trail, model improvement |
| Server Logs & Access Logs | 90 days | Security monitoring, debugging |
| Billing Records | 7 years | Tax, audit, regulatory requirements |
| Cookies & Tracking | 30 days to 2 years | Analytics, session management |
| Deleted Accounts | 30 days (backup retention) | Restore from accidental deletion |
After retention periods expire, data is securely deleted or anonymized. You can request early deletion subject to legal and contractual obligations.
7. Data Security
7.1 Encryption
- In Transit: All data is encrypted using TLS 1.2+ (HTTPS)
- At Rest: Application data in Supabase PostgreSQL uses AES-256 encryption
- Database Backups: Encrypted and stored off-site
- API Keys: Hashed using SHA-256, never stored in plain text
7.2 Access Controls
- Role-based access control (RBAC) for all team members
- Multi-tenant isolation: customers can only access their own data
- SSO/SAML integration for enterprise accounts
- Supabase Row Level Security (RLS) policies enforce tenant boundaries at database level
- All database access is logged and auditable
7.3 Infrastructure Security
- Hosted on Vercel (SOC 2 Type II, DPA available) and Supabase (ISO 27001, DPA available)
- Network: Cloudflare DDoS protection, WAF rules, bot management
- Firewalls: Inbound restricted to HTTPS only, outbound limited to necessary services
- Monitoring: 24/7 infrastructure monitoring, intrusion detection, anomaly alerts
7.4 Monitoring & Auditing
- Comprehensive audit logs of all data access and modifications
- API rate limiting to prevent abuse
- Automated security scanning for vulnerabilities
- Regular penetration testing (planned for SOC 2 phase)
7.5 Data Breach Protocol
If a data breach occurs:
- We will immediately secure the affected systems
- We will notify affected parties without unreasonable delay (within 30 days)
- We will provide details of affected data categories and recommended actions
- For PHI breaches, we will comply with HIPAA breach notification rules (60 days)
- We will cooperate with regulatory investigations as required
No security system is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security. You are responsible for maintaining your password confidentiality and account security.
8. Your Rights & Choices
8.1 Access & Portability
Right to Access: You can request a copy of all personal information we hold about you.
Right to Data Portability: You can request your data in a standard, portable format (JSON, CSV).
8.2 Correction & Deletion
Right to Correction: You can update or correct inaccurate information in your account.
Right to Deletion: You can request deletion of your account and associated data, subject to legal retention obligations.
8.3 Restriction & Objection
Right to Restrict Processing: You can request we stop using your data for certain purposes (marketing, profiling, etc.).
Right to Object: You can object to processing for direct marketing. To opt out, use the unsubscribe link in emails or contact us.
8.4 Automated Decision Making
We do not make decisions about you based solely on automated processing (e.g., denying access based on a score). Decisions that affect your account involve human review.
8.5 Exercising Your Rights
To exercise any of these rights, contact us at privacy@coverageunlocked.com with:
- Your name and email
- The specific right you wish to exercise
- Sufficient detail to locate your data
We will respond within 30 days. If we need to verify your identity, we may request additional information.
8.6 Cookie & Tracking Opt-Out
- Google Analytics: Opt out using Google's opt-out extension
- Cloudflare Analytics: Disable in your browser's privacy settings
- Marketing Emails: Use the unsubscribe link in any email from us
- Do Not Track: We honor DNT browser signals where applicable
9. Children's Privacy
CoverageUnlocked is not intended for children under 13. We do not knowingly collect information from children under 13. If we learn we have collected information from a child under 13, we will delete it immediately and notify the parent or guardian.
For users between 13-18, we provide additional privacy protections and restrict marketing.
10. Third-Party Services
10.1 Linked Websites
Our website may link to third-party sites (news articles, health resources, competitor platforms). We are not responsible for their privacy practices. Review their privacy policies before providing information.
10.2 Embedded Content
We may embed content from third parties (YouTube videos, Twitter widgets, etc.). These providers may collect data independently. Check their privacy policies.
10.3 API Integrations
When you authorize integrations with third parties (Slack, Microsoft Teams, Epic EHR), those platforms receive data according to their policies and your authorization. You can revoke integrations in your account settings.
11. Business Associate Agreement (BAA)
11.1 Current Status
CoverageUnlocked is NOT currently a HIPAA covered entity or business associate. We do not accept PHI under a BAA at this time.
11.2 Future BAA Path
When enterprise customers require it, we will:
- Execute a HIPAA-compliant Business Associate Agreement
- Implement administrative, physical, and technical safeguards under 45 CFR Part 164
- Maintain audit controls and integrity controls
- Designate a Privacy Officer and Security Officer
- Provide breach notification under HIPAA rules (not state notification laws)
- Restrict PHI use strictly to the purposes in the BAA
- Prohibit PHI sub-contracting without written authorization
11.3 Transitional Data Handling
Until BAA execution, customers should:
- De-identify data per HIPAA §164.502(b) before submission
- Use "patient ID" instead of actual MRNs
- Provide age ranges instead of birthdates
- Describe clinical findings without explicit diagnoses
12. International Data Transfers
12.1 US-Based Storage
All data is stored in the United States (Supabase, Vercel, Stripe infrastructure). If you are located outside the US, you acknowledge data transfers to the US.
12.2 GDPR & CCPA Compliance
For EU Users (GDPR): We comply with GDPR data subject rights (access, deletion, portability, restriction). Our legal basis for processing is contract performance and legitimate interest. Data transfers are governed by Supabase's standard contractual clauses.
For California Users (CCPA): You have rights to know, delete, and opt-out of sales (which we don't do). For "shine the light" requests, contact privacy@coverageunlocked.com.
12.3 UK GDPR
UK users have equivalent rights to GDPR data subjects. We comply with UK adequacy requirements for transfers.
13. Policy Changes
We may update this policy periodically. Changes become effective when we post them on this page and update the "Last Updated" date. Continued use of the platform after changes constitutes acceptance of the updated policy.
For material changes affecting privacy rights, we will notify you via email or prominent website notice.
14. Contact Us
For privacy questions, requests, or complaints, contact:
CoverageUnlocked LLC
Privacy Officer: privacy@coverageunlocked.com
General Contact: ned@coverageunlocked.com
Address: Bend, Oregon, USA
For EU/UK complaints, you also have the right to lodge a complaint with your data protection authority (DPA).
Effective Date: This Privacy Policy is effective as of March 15, 2026. It applies to all users and interactions with CoverageUnlocked from this date forward.