Legal

Privacy Policy

Effective date: June 18, 2026
Last updated: June 18, 2026

Plain-English Summary: AuthFight helps you appeal insurance denials. To do that, we need some of your health and insurance information. We use it only to build and submit your appeal. We share it with the physician who reviews your letter and the insurer we submit it to — no one else. We never sell your data. AuthFight is completely free for patients.
01

Who We Are

AuthFight, Inc. ("AuthFight," "we," "us," or "our") operates the AuthFight platform at authfight.com. We provide tools that help patients understand, prepare, and submit appeals for prior authorization denials issued by their health insurers.

This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have. By using our platform, you agree to the practices described here.

If you have questions at any point, contact us at privacy@authfight.com.

02

What We Collect

Information you provide directly

  • Account information: Your name, email address, and password when you create an account.
  • Denial information: Your denial letter uploaded as a photo or PDF, denial code, insurer name, and date of denial.
  • Health information: Your diagnosis, prescribed medication or procedure, prescribing physician's name, and any supporting clinical notes you choose to upload. This constitutes Protected Health Information (PHI) under HIPAA where applicable.
  • Appeal intake responses: Your answers to the 5-question intake form we use to personalize your appeal letter.
  • Insurance information: Your insurer name, plan type, member ID, and group number.

Information we generate on your behalf

  • Your Fight Score: A calculated probability score based on publicly available CMS-reported overturn data for your insurer, your denial code category, and your case urgency. This score is generated automatically and presented to you for informational purposes.
  • Your appeal letter draft: An AI-generated appeal letter created using the information you provide in the intake form, combined with relevant clinical evidence and legal frameworks. This draft is reviewed by a licensed physician before submission.

Information collected automatically

  • Usage data: Pages visited, time spent, features used, and actions taken within the platform.
  • Device and technical data: IP address, browser type, operating system, and session identifiers.
  • Cookies: We use essential cookies to keep you logged in and remember your session. We use analytics cookies to understand how the platform is used. You can disable non-essential cookies in your browser settings.
03

How We Use Your Information

We use your information only to deliver the AuthFight service and to comply with our legal obligations. Specifically:

Appeal Processing
To decode your denial, generate your Fight Score, create your appeal letter, coordinate physician review, and submit your appeal to your insurer.
Deadline Management
To calculate your legal appeal deadlines based on your plan type and denial date, and to send you reminders before those deadlines expire.
Communications
To send you status updates, insurer responses, deadline alerts, and service notifications related to your active appeal.
Platform Improvement
To understand how the platform is used in aggregate, identify bugs, and improve accuracy of Fight Scores and appeal outcomes. Only de-identified, aggregated data is used for this purpose.
What we do not do: We do not use your health information to serve you advertisements. We do not build marketing profiles from your medical data. We do not sell your information to data brokers, pharmaceutical companies, or any third party.
04

How We Share Your Information

We share your information only in the following specific circumstances:

Physician reviewers

When your appeal letter is ready for review, we share your denial information, health background, and draft letter with a licensed physician in the relevant specialty. That physician reviews the letter for clinical accuracy, may add supporting medical opinion, and signs it before submission. All physician reviewers operate under Business Associate Agreements (BAAs) where required and are bound by professional confidentiality obligations.

Your insurer

To submit your appeal, we transmit your appeal letter, supporting documentation, and identifying insurance information (member ID, group number, denial reference) to your health insurer via their designated submission channel (fax, portal, or mail). This disclosure is made on your behalf, at your direction, and is necessary to perform the service you requested.

Service providers

We work with a limited set of third-party vendors who process data on our behalf under strict confidentiality agreements:

  • Cloud hosting & storage
  • Encrypted document transmission
  • Email delivery
  • Payment processing
  • Platform analytics

These vendors may not use your data for their own purposes and are contractually required to protect it at least as rigorously as we do.

Legal requirements

We may disclose your information if required to do so by law, court order, subpoena, or regulatory authority, or if we believe disclosure is necessary to protect the rights, property, or safety of AuthFight, our users, or the public.

Business transfers

If AuthFight is acquired, merged with another company, or sells substantially all of its assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

We do not sell your data. We do not share your health information with employers, insurers outside your active appeal, pharmaceutical companies, data brokers, or marketing platforms — ever.
05

AI & Your Data

AuthFight uses artificial intelligence to generate personalized appeal letters based on the information you provide in your intake form.

What the AI does

Our AI combines your denial details, health background, and intake responses with clinical evidence (FDA approvals, NCCN guidelines, peer-reviewed literature) and legal frameworks (ERISA, ACA, state insurance codes) to produce a draft appeal letter. The output is a starting point — it is always reviewed and signed by a licensed physician before submission.

What the AI does not do

  • Your data is NOT used to train our AI models
  • We do NOT share your data with third-party AI providers for model training
  • No AI-generated letter is submitted without physician review

You are always in control

You may review any AI-generated letter before it is sent to a physician or your insurer. If you are not satisfied with the output, you may request revisions or withdraw from the process entirely with no charge.

Fight Score methodology

Your Fight Score is calculated using publicly available data that Medicare Advantage insurers are federally required to report to CMS — specifically their overturn rates by denial category. This is public government data, not your personal health information. We combine this with your denial code's historical reversal frequency and the urgency classification of your case. The Fight Score is an estimate for informational purposes only and does not constitute a legal guarantee of outcome.

06

Data Retention

We retain your information for as long as necessary to deliver the service and meet our legal obligations.

Active account
All data retained while your account is active and appeals are open.
After appeal closes
We retain appeal records for 7 years to support potential follow-up appeals, audits, or legal disputes — consistent with standard medical records practice.
Account deletion
If you delete your account, we will delete or de-identify your personal data within 30 days, except where retention is required by law.
Analytics data
De-identified, aggregated usage data may be retained indefinitely to improve our platform and track appeal outcome trends.
07

Security

We take the security of your health and personal information seriously. Our safeguards include:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Your documents and health information are encrypted at rest using AES-256 encryption.
  • Access controls: Access to your data within our organization is restricted to employees and contractors who require it to perform their job. All access is logged and audited.
  • Document transmission: Denial letters and appeal documents are transmitted to physicians and insurers via HIPAA-compliant encrypted channels.
  • Breach notification: In the event of a data breach that affects your PHI or personal information, we will notify you and relevant authorities in accordance with HIPAA's Breach Notification Rule and applicable state law.

No system is 100% secure. If you believe your AuthFight account has been compromised, contact us immediately at security@authfight.com.

08

Your Rights

Depending on where you live, you may have the following rights regarding your personal information:

All users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Deletion: Request that we delete your account and personal data, subject to legal retention requirements.
  • Withdrawal: Withdraw your consent to process your health information at any time. Note this will stop your appeal.
  • Portability: Request your data in a structured, machine-readable format.

California residents (CCPA/CPRA)

  • You have the right to know what personal information we collect, use, share, and sell. We do not sell personal information.
  • You have the right to opt out of the sale or sharing of your personal information. As stated, we do not sell personal information.
  • You have the right to non-discrimination for exercising your privacy rights.
  • You may designate an authorized agent to make requests on your behalf.

To exercise any of these rights, email privacy@authfight.com or use the account deletion option in your account settings. We will respond within 30 days.

If you are exercising rights related to your health information under HIPAA — including the right to access, correct, or restrict your Protected Health Information — please see our HIPAA Notice, which covers those rights in full.
09

Children's Privacy

AuthFight is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us at privacy@authfight.com and we will delete that information promptly.

If you are a parent or guardian submitting an appeal on behalf of a minor, you may use the platform on their behalf. The health information of the minor patient is treated with the same protections described in this policy.

10

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or product features. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Send you an email notification at the address on your account.
  • Display a notice on the platform when you next log in.

Your continued use of AuthFight after a policy update constitutes your acceptance of the revised policy. If you do not agree to the updated policy, you may delete your account.

Previous versions of this policy are available upon request at privacy@authfight.com.

11

Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or the way we handle your information, please reach out:

AuthFight Privacy Team

Email: privacy@authfight.com
Security: security@authfight.com
Mail: AuthFight, Inc. · Privacy Officer · [Your Address]
Response time: Within 30 days of receipt

Legal disclaimer: This Privacy Policy is provided for informational purposes and reflects AuthFight's current data practices. It does not constitute legal advice. AuthFight recommends that users with specific legal questions consult a qualified attorney. This policy should be reviewed by qualified legal counsel before being published in a final production environment.