Privacy Policy

1. Introduction

DenyZero ("we," "our," or "the platform") provides claim denial prevention tools for healthcare billing professionals. This Privacy Policy describes how we collect, use, and protect information when you use our services at denyzero.polsia.app.

2. No Real PHI Policy

DenyZero does not accept, store, or process real Protected Health Information (PHI) as defined by HIPAA.

Our platform is designed for use with:

• Synthetic (fabricated) test data
• De-identified data that has been stripped of all 18 HIPAA identifiers
• Sample datasets provided by DenyZero for demonstration purposes

If you accidentally upload data containing real PHI, contact us immediately at the address below. We will delete it promptly and notify you of the removal.

3. Information We Collect

Data You Provide

• Claim data: CSV files uploaded for analysis (should contain only synthetic or de-identified data)
• Denial records: ERA/835 remittance data uploaded for rule gap analysis
• Admin credentials: Password-based authentication for admin features

Automatically Collected Data

• Usage analytics: Page views, feature usage, and session duration
• Audit logs: IP address, user agent, timestamps, and actions taken (for security and compliance)
• Technical data: Browser type, device type, and referral source

4. How We Use Your Information

• To analyze claim data and identify potential denial risks
• To detect rule gaps and improve our denial prevention engine
• To maintain audit trails for compliance readiness
• To improve platform performance and user experience
• To enforce security and prevent unauthorized access

5. Data Security

We implement the following security measures to protect your data:

• Encryption at rest: Sensitive claim fields (patient names, member IDs, dates of birth, authorization numbers) are encrypted using AES-256-GCM before database storage
• Encryption in transit: All data is transmitted over HTTPS/TLS
• Audit logging: Every data access event is recorded with timestamp, IP address, and action details
• Rate limiting: Authentication endpoints are rate-limited to prevent brute force attacks
• Security headers: HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options) are applied to all responses
• Session timeouts: Authenticated sessions automatically expire after 15 minutes of inactivity

6. Data Retention

Claim analysis results and batch history are retained for as long as the platform is in use. Audit logs are retained for a minimum of 6 years in accordance with HIPAA-readiness guidelines.

You may request deletion of your data by contacting us at the address below.

7. Data Sharing

We do not sell, rent, or share your data with third parties, except:

• As required by law or legal process
• With infrastructure providers (hosting, database) who are contractually bound to protect your data
• In aggregated, de-identified form for platform improvement

8. Your Rights

You have the right to:

• Request access to the data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Withdraw consent for data processing

9. Future HIPAA Compliance

DenyZero is building toward full HIPAA compliance. Our current HIPAA-readiness measures include encryption at rest and in transit, audit logging, session security, and access controls. Before accepting real PHI, we will:

• Migrate to HIPAA-certified hosting infrastructure with a signed Business Associate Agreement (BAA)
• Implement role-based access controls (RBAC)
• Complete a formal security risk assessment
• Establish breach notification procedures

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the most recent changes were made. Continued use of the platform after changes constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related inquiries, data access requests, or to report an incident involving potential PHI exposure:

Email: denyzero@polsia.app