Privacy Policy

Effective Date: March 24, 2026

1. Introduction

ApprovelyAI ("we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered prior authorization automation platform (the "Service").

This policy applies to all users of ApprovelyAI, including practice administrators, healthcare providers, billing specialists, and any other individuals who access or interact with our platform. By using ApprovelyAI, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

Given the nature of our Service, which processes protected health information (PHI) in connection with prior authorization workflows, we maintain rigorous privacy and security standards that meet or exceed the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and other applicable regulations.

2. Information We Collect

We collect information in several categories depending on how you interact with the Service:

Account Information

When you create an account, we collect your name, email address, professional credentials, job title, and practice or organization information (including practice name, NPI number, address, and phone number). This information is necessary to provision your account, verify your identity, and configure the Service for your practice.

Usage Data

We automatically collect certain information when you access or use the Service, including server log data (IP address, browser type, operating system, referring URL, pages visited, and timestamps), device information (hardware model, unique device identifiers, and mobile network information), and analytics data about how you navigate and interact with features of the platform. This data helps us understand how the Service is used, diagnose technical issues, and improve performance.

Healthcare Data

In the course of providing the Service, we process healthcare data on your behalf, including patient demographic information, clinical documentation and medical records submitted for prior authorization, prior authorization request details (procedure codes, diagnosis codes, insurance plan information, and authorization status), payer correspondence and determination letters, and appeal documentation. This healthcare data may constitute protected health information (PHI) under HIPAA and is handled in accordance with the terms of our Business Associate Agreement and applicable law.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain the Service: To operate the platform, authenticate users, manage accounts, and deliver core prior authorization automation features.
  • Process prior authorizations: To submit, track, follow up on, and manage prior authorization requests with insurance payers on your behalf.
  • Generate AI-powered recommendations: To analyze clinical documentation, suggest appropriate codes, predict authorization outcomes, and draft appeal letters using our artificial intelligence systems.
  • Improve the platform: To analyze usage patterns, conduct research and development, and enhance the accuracy, reliability, and functionality of the Service. When using data for improvement purposes, we de-identify information in accordance with HIPAA standards.
  • Communicate with users: To send service-related notifications (such as authorization status updates, deadline reminders, and system alerts), respond to support requests, and provide product updates.
  • Comply with legal obligations: To meet our obligations under HIPAA, state privacy laws, and other applicable regulations, and to respond to lawful requests from governmental authorities.

4. HIPAA Compliance

ApprovelyAI operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). We take our obligations under these regulations seriously and have implemented comprehensive administrative, physical, and technical safeguards to protect protected health information.

  • Business Associate Agreement (BAA): We execute a Business Associate Agreement with every covered entity that uses our Service. A BAA is available upon request and must be in place before any PHI is processed through the platform.
  • Encryption: All PHI is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Encryption keys are managed through a dedicated key management service with automatic rotation.
  • Access controls and audit logging: We enforce role-based access controls, require multi-factor authentication for all users with access to PHI, and maintain comprehensive audit logs of all access to and actions taken on protected health information.
  • Minimum necessary standard: We apply the HIPAA minimum necessary standard to limit the use and disclosure of PHI to the minimum amount reasonably necessary to accomplish the intended purpose of the use or disclosure.
  • Breach notification: In the event of a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay, and no later than 60 days after discovery of the breach, in accordance with HIPAA Breach Notification Rule requirements.

5. Data Sharing

We do not sell your personal information or protected health information to any third party, under any circumstances.

We may share your information only in the following limited circumstances:

  • Insurance payers: We transmit prior authorization requests, clinical documentation, and related information to insurance payers as directed by you in the course of using the Service. These transmissions are made solely to facilitate the prior authorization process on your behalf.
  • Sub-processors: We engage a limited number of third-party service providers to help us operate the Service, including cloud infrastructure providers, AI processing services, and database hosting. All sub-processors that handle PHI are bound by Business Associate Agreements and are required to maintain security standards consistent with our own. A current list of sub-processors is available upon request.
  • Legal requirements: We may disclose information when required to do so by law, in response to a valid subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a governmental request.
  • Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your information and any choices you may have regarding your information.

6. Data Security

We implement and maintain a comprehensive information security program designed to protect the confidentiality, integrity, and availability of your data. Our security measures include:

  • Encryption at rest: All data, including PHI, is encrypted at rest using AES-256 encryption. Database backups are also encrypted.
  • Encryption in transit: All data transmitted between your browser and our servers, and between internal services, is protected using TLS 1.3.
  • SOC 2 Type II: We maintain SOC 2 Type II compliance, with annual audits conducted by an independent third-party firm to verify the effectiveness of our security controls.
  • Penetration testing: We conduct regular penetration testing by qualified third-party security firms to identify and remediate potential vulnerabilities.
  • Access controls: We enforce the principle of least privilege across our organization. All team members with access to production systems are required to use multi-factor authentication (MFA), and access is regularly reviewed and audited.
  • Audit logging: We maintain detailed audit logs of all system access, data modifications, and administrative actions. Logs are retained for a minimum of six years and are monitored for anomalous activity.
  • Incident response: We maintain a documented incident response plan that is tested and updated regularly to ensure rapid detection, containment, and recovery in the event of a security incident.

While we strive to use commercially acceptable means to protect your information, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any identified vulnerabilities.

7. Data Retention

We retain your information for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, and enforce our agreements. Specific retention periods are as follows:

  • Account data: Retained for as long as your account is active. Upon account closure, account data is deleted within 90 days, except as required by law.
  • Healthcare records and PHI: Retained for a minimum of six (6) years from the date of creation or last effective date, in accordance with HIPAA requirements and applicable state laws, which may require longer retention periods.
  • Usage data: Retained for two (2) years from the date of collection, after which it is aggregated and anonymized or deleted.
  • Audit logs: Retained for a minimum of six (6) years in compliance with HIPAA requirements.

You may request deletion of your data at any time by contacting us. Deletion requests will be honored subject to any legal obligations that require us to retain certain records, including HIPAA retention requirements.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Right of access: You may request a copy of the personal information we hold about you. We will provide this information in a commonly used, machine-readable format within 30 days of your request.
  • Right to correction: You may request that we correct any inaccurate or incomplete personal information. You can update most account information directly through your account settings.
  • Right to deletion: You may request that we delete your personal information, subject to certain exceptions such as legal holds, regulatory retention requirements, and ongoing contractual obligations.
  • Right to data portability: You may request that we export your data in a structured, commonly used, machine-readable format for transfer to another service provider.
  • Right to opt out of marketing: You may opt out of receiving marketing communications from us at any time by clicking the unsubscribe link in any marketing email or by contacting us directly. Note that you will continue to receive transactional and service-related communications.

To exercise any of these rights, please contact us at support@feltsense.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

9. Cookies and Tracking

We use a limited set of cookies and similar technologies to operate and improve the Service:

  • Essential cookies: These cookies are strictly necessary for the Service to function. They handle authentication, session management, and security features such as CSRF protection. You cannot opt out of essential cookies while using the Service.
  • Analytics: We use Vercel Analytics to collect anonymized usage data, including page views, feature usage, and performance metrics. Vercel Analytics is privacy-focused and does not use third-party cookies or track users across websites.

We do not use third-party advertising cookies or tracking technologies. We do not participate in ad networks, and we do not allow third-party advertisers to place cookies or collect data through our Service.

10. Third-Party Services

We use the following third-party services to operate the platform. Each provider has been vetted for security and compliance, and where applicable, Business Associate Agreements are in place:

  • Cloud Hosting (Vercel): Our application is hosted on Vercel's infrastructure, which provides serverless compute, edge networking, and automatic scaling. Vercel is SOC 2 Type II compliant.
  • AI Processing (Google): We use Google's AI models to power our intelligent prior authorization features, including clinical documentation analysis, code suggestion, and appeal letter drafting. Data sent to Google for AI processing is governed by our BAA and is not used by Google for model training.
  • Analytics (Vercel Analytics): We use Vercel Analytics for privacy-friendly, anonymized usage metrics. No personally identifiable information is collected by this service.

We regularly review our third-party providers to ensure they continue to meet our security and compliance requirements. A full list of sub-processors is available upon request.

11. Children's Privacy

ApprovelyAI is a professional healthcare administration platform and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children or minors. If we become aware that we have inadvertently collected personal information from a person under 18, we will take immediate steps to delete that information from our systems.

If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at support@feltsense.com so that we can take appropriate action.

12. International Data

ApprovelyAI is operated from and data is processed in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where our servers are located and our central database operates.

By using the Service, you consent to the transfer of your information to the United States and acknowledge that data protection laws in the United States may differ from those in your country of residence. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this policy, we will provide you with at least 30 days' advance notice through one or more of the following methods:

  • An email notification sent to the address associated with your account
  • An in-app notification displayed within the ApprovelyAI dashboard
  • A prominent notice on our website

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@feltsense.com

We aim to respond to all inquiries within 30 business days. For urgent matters related to a potential data breach or security incident, please include "URGENT" in your email subject line.

© 2026 ApprovelyAI by FeltSense, Inc. All rights reserved.