Privacy Policy
Last updated: 2026-05-17. Version: 2026-05-17 (v2).
Plain-English summary.
- We collect what we need to fight your denied insurance claim. Nothing more.
- Your health information is treated with HIPAA-grade safeguards even though we are not, by default, a HIPAA-covered entity.
- We do not sell your data. We do not train AI models on identifiable PHI.
- You can request a copy, correction, or deletion of your data at any time by emailing privacy@apellica.com.
- We notify you of any data breach within 60 days, consistent with HIPAA §164.404 — sooner if your state's law requires it.
1. Who We Are
Apellica, Inc. ("Apellica", "we", "us", "our") is a Delaware corporation operating an insurance-appeals advocacy service in the United States. Both our customer-facing office and our registered office are in New York, NY, United States. We are the data controller for personal information collected on https://apellica.com and through our case-management portal at crm.apellica.com.
2. What We Collect
Category: Examples
- Identifiers: Name, email, phone, date of birth, address, state of residence
- Claim & insurance information: Carrier name, member ID, claim number, denial date, denial reason, plan type
- Protected Health Information (PHI): EOBs, denial letters, prior-authorization records, clinical notes, lab/imaging, peer-to-peer call records — only when you authorize disclosure via the AOB
- Financial: Invoice, payment-method last 4, bank routing for ACH (tokenized by our payment processor — we never store full card or bank credentials)
- Account & auth: HMAC case-access tokens, signed-cookie session, audit log of actions
- Device & technical: IP address, user agent, timestamp, referrer, pages viewed — for security and aggregate analytics only
- Communications: Emails to/from you, SMS (if opted in), uploaded documents, support tickets
We do NOT knowingly collect information from anyone under 18. We do NOT use third-party advertising trackers, behavioral retargeting pixels, or social-media tracking scripts on the public site.
3. How We Collect It
- Directly from you through the intake form, account signup, AOB signing, customer portal, and email/phone communications.
- From your Carrier after you authorize Apellica via the AOB (45 CFR §164.508 HIPAA authorization), via portal API, secure email, fax, or certified mail.
- From your healthcare providers after you authorize the disclosure via the AOB.
- Automatically by our hosting infrastructure (request logs, security telemetry).
We do not buy lists or scrape third-party sources to enrich your case file.
4. Why We Collect It
- To respond to your inquiry and provide a free initial denial review.
- To prepare and submit insurance appeals on your behalf under your signed AOB.
- To bill, invoice, and collect contingency fees when a Recovery occurs.
- To comply with applicable law (tax, recordkeeping, regulatory reporting).
- To improve our appeal engine — aggregated, de-identified outcomes data only; we do NOT train AI on identifiable PHI.
- To protect the security and integrity of the Service.
5. With Whom We Share It
We share your information only as needed to deliver the Service, with the parties below. We require every party to handle your information consistent with this Policy and applicable law, and to maintain a Business Associate Agreement where they handle PHI on our behalf.
- Your Carrier and providers — to file appeals, request records, and pursue Recovery, per your AOB.
- Subprocessors — see Section 6 below.
- Government and regulators — only when required by law or subpoena, and only the minimum necessary.
- An acquirer — in connection with a merger or sale of substantially all assets, on prior written notice to you and subject to the same privacy commitments.
We do not sell your personal information. We do not "share" personal information for cross-context behavioral advertising as that term is defined under the CCPA / CPRA.
6. Subprocessors
The third parties below process personal information on our behalf in the categories shown. We maintain Business Associate Agreements ("BAAs") with subprocessors that handle PHI; the current status of each BAA is shown in the list.
Subprocessor: Purpose; Location; PHI?; BAA
- Supabase (Postgres + Storage): Primary database, encrypted PHI at rest, signed AOB PDF storage; US; PHI: Yes (encrypted); BAA: Yes (Team-tier)
- Amazon Web Services (Amplify, S3, SES): Web hosting, static assets, transactional email failover; US (us-east-1); PHI: No PHI in URL/headers, payload may transit; BAA: Yes (AWS HIPAA Addendum)
- Vercel: Marketing-site edge hosting (no PHI, public pages only); Global edge / US origin; PHI: No; BAA: N/A
- Modal Labs: Appeal-letter generation compute (model inference); US; PHI: Yes (transient, in-memory); BAA: In progress
- Resend: Transactional email delivery (signed AOB copy, status updates); US; PHI: Yes (envelope + attachment); BAA: Yes
- Postal (self-hosted): Bulk transactional email send (failover); US (Apellica-operated VPS); PHI: Yes; BAA: N/A (operated by Apellica)
- Documenso (self-hosted): E-signature for AOB; certified signed PDF storage; US (Apellica-operated VPS); PHI: Yes (signed document); BAA: N/A (operated by Apellica)
- Stripe: Hosted invoice payments (ACH and card), no PHI in invoice line items; US / Canada; PHI: No; BAA: N/A (no PHI)
- Cloudflare: DNS, WAF, DDoS mitigation; Global; PHI: In-transit only (encrypted); BAA: Yes (Enterprise BAA available)
Material changes to this list will be reflected here with the Last updated date. For a current programmatic list with effective dates, email privacy@apellica.com.
7. How Long We Keep It
Category: Retention
- Signed AOB and case file (PHI): 7 years from case close (HIPAA recordkeeping standard)
- Financial / invoice records: 7 years (IRS standard)
- Marketing-list contacts (free review only, no engagement): 24 months from last interaction, then deleted
- Audit and security logs: 2 years
- Anonymous aggregate analytics: Indefinite (no identifiers retained)
8. How We Protect It
- Encryption in transit: TLS 1.2+ on every endpoint.
- Encryption at rest: AES-256-GCM via libsodium for PHI columns (email_enc, first_name_enc, last_name_enc, member_id_enc) and for full denial documents stored in private storage buckets. Server-side keys are held in environment-bound key material that never leaves the runtime.
- Access control: role-based; least privilege; HMAC-signed per-case customer tokens; admin authentication with rate limiting.
- Audit log: every read and write to a case is logged in crm.audit (actor, IP, user agent, timestamp).
- Workforce: confidentiality agreements with all staff; PHI training mandatory before access.
- Security posture: aligned with the HIPAA Security Rule (45 CFR §§164.308, 164.310, 164.312); SOC 2 Type 1 audit in progress.
9. Your Rights Under HIPAA (where applicable)
Where Apellica handles PHI on your behalf under a signed AOB, you have the right to:
- Access your records (45 CFR §164.524).
- Amend incorrect records (§164.526).
- Receive an accounting of disclosures we have made of your PHI (§164.528).
- Request restrictions on certain uses and disclosures (§164.522).
- Revoke your HIPAA authorization (§164.508) at any time in writing (except to the extent we have already acted on it).
- Complain to Apellica (privacy@apellica.com) or to the HHS Office for Civil Rights without retaliation.
10. Your Rights Under State Privacy Laws
Depending on your state of residence you may have additional rights:
- California (CCPA / CPRA): right to know, delete, correct, opt out of sale and "sharing" (we do neither), limit use of sensitive personal information, and equal service without retaliation.
- Virginia (CDPA): right to access, correct, delete, portability, and opt out of targeted advertising / sale / profiling.
- Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA): rights substantially similar to the CDPA — access, correct, delete, portability, opt out.
- Washington (My Health My Data Act): right to access, correct, delete, and withdraw consent for "consumer health data" processing. We do not sell consumer health data.
- Nevada (Consumer Health Data Privacy): same as Washington in substance.
To exercise any right, email privacy@apellica.com with your name and case number. We verify identity before fulfilling a request, respond within 45 days (extendable once by 45 days with notice), and do not charge a fee unless the request is excessive. You may designate an authorized agent to act on your behalf with proof of authority. We do not discriminate against you for exercising any of these rights.
11. Children
The Service is not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, email privacy@apellica.com and we will delete it.
12. International Transfers
Apellica operates only in the United States and stores PHI exclusively in US-based facilities (subprocessor locations are listed in Section 6). We do not knowingly serve customers outside the US. If you access the Service from outside the US, you do so on your own initiative and are responsible for compliance with local law.
13. Cookies and Analytics
The Apellica marketing site uses a minimal set of first-party cookies for session state and CSRF protection. We do not use third-party advertising trackers, retargeting pixels, or social-media beacons. We may use privacy-respecting product analytics (page view counts, referrer, viewport) — these are aggregated and do not identify you. The customer portal uses an HMAC-signed session cookie for authentication; this cookie is set with the Secure, HttpOnly, and SameSite=Lax attributes.
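As an added illustration of the HMAC-signed per-case customer tokens named in Section 8 and the cookie attributes stated in Section 13, the following is example code written for this page, not Apellica's own portal code. The key, the token layout (a JSON payload binding a case id to an expiry, followed by an HMAC-SHA256 over those exact bytes), the case ids and the cookie name are all assumptions made for the example.

```python
"""Added example (not Apellica's code): HMAC-signed per-case access token and
the Set-Cookie attributes named in Sections 8 and 13. Key, token layout and
case ids are assumptions made for the example."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption for the example only: a real deployment loads this from the
# runtime's key material (Section 8) rather than from source code.
EXAMPLE_KEY = b"example-key-do-not-use-in-production"


def _b64u(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe in a path or query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_case_token(case_id: str, ttl_seconds: int, *, now: Optional[int] = None,
                     key: bytes = EXAMPLE_KEY) -> str:
    """Return '<payload>.<mac>' where the payload binds a case id to an expiry time.

    The MAC covers the exact payload bytes, so neither field can be altered
    without the key. The payload layout is an assumption of this example.
    """
    now = int(time.time()) if now is None else now
    claims = {"case": case_id, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(mac)}"


def verify_case_token(token: str, case_id: str, *, now: Optional[int] = None,
                      key: bytes = EXAMPLE_KEY) -> bool:
    """True only if the MAC verifies, the token is unexpired and it names the requested case."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _b64u_decode(payload_b64)
        mac = _b64u_decode(mac_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison, and decide on the MAC before trusting any payload field.
    if not hmac.compare_digest(mac, expected):
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(claims, dict):
        return False
    exp = claims.get("exp")
    return isinstance(exp, int) and exp > now and claims.get("case") == case_id


def session_set_cookie(name: str, value: str, max_age: int) -> str:
    """Set-Cookie header value carrying the attributes Section 13 states for the portal cookie."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    token = issue_case_token("CASE-1001", 3600)  # constructed case id
    print(token)
    print(verify_case_token(token, "CASE-1001"))
    print(session_set_cookie("portal_session", token, 3600))
```

Two points a reviewer would check in such an implementation: the MAC is compared with hmac.compare_digest before any payload field is parsed or trusted, so tampering with the case id or expiry is rejected regardless of content; and SameSite=Lax still allows top-level GET navigations to carry the cookie, so state-changing portal endpoints must also require the CSRF token Section 13 mentions rather than rely on the cookie attribute alone.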
14. Data Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and in no case later than 60 days after discovery, consistent with 45 CFR §164.404. We will notify the HHS Secretary as required by 45 CFR §164.408 and any state attorneys general where state law requires.
15. Changes to This Policy
We will post the new version here with a new Last updated date. For material changes affecting how we use already-collected information, we will email customers with an active case at least 30 days before the change takes effect, so you have time to revoke your AOB if you object.
16. Contact
- Privacy questions: privacy@apellica.com
- Legal: legal@apellica.com
- Customer support: support@apellica.com · (888) 777-6120