InvisaClaim LLC — Privacy Policy

Effective Date: June 1, 2026
Last Updated: June 1, 2026

This Privacy Policy explains how InvisaClaim LLC ("InvisaClaim," "we," "us," or "our") collects, uses, discloses, and protects information when you access or use our website (www.invisaclaim.com), our application (app.invisaclaim.com), and our AI-powered healthcare revenue cycle management services, including any connected email functionality (collectively, the "Services").

This Policy is part of and incorporated into our Terms of Use. It applies to all users of the Services. If you provide Protected Health Information (PHI), our separate Business Associate Agreement (BAA) governs that PHI and takes precedence over any conflicting provision in this Policy.

BY USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY. If you do not agree, you must not use the Services.

1. Information We Collect

We collect the following categories of information:

  • Account and Contact Information — name, email address, phone number, organization details, billing information, and login credentials.

  • Your Data — claims data, denial records, appeal drafts, patient encounter information, billing codes, analytics inputs, and any other content you upload or generate through the Services.

  • Protected Health Information (PHI) — only if you have executed a BAA with us. Without a BAA in place, you are prohibited from uploading PHI.

  • Connected Account Data — if you connect a third-party email account (Google or Microsoft), the limited data described in Section 4. We do not store the contents of your email messages.

  • Usage and Technical Data — IP address, browser type, device information, operating system, usage logs, session data, and interaction metrics (automatically collected).

  • Automatically Collected Data — cookies, pixels, and similar tracking technologies (see Section 10).

We do not collect sensitive personal information (e.g., racial or ethnic origin, sexual orientation, or genetic data) except to the extent it appears in PHI you lawfully provide under a BAA.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Services (including AI-powered denial analysis, appeal generation, workflow automation, and connected email).

  • Process and analyze Your Data to deliver the Services and AI outputs.

  • Train, refine, and enhance our AI models using aggregated and de-identified data only — never your identifiable PHI, and never your email content, unless expressly permitted in your BAA.

  • Manage accounts, billing, and subscriptions.

  • Communicate with you (service updates, support, legal notices).

  • Detect, prevent, and respond to security incidents, fraud, or misuse.

  • Comply with legal obligations and enforce our Terms of Use.

We do not use your data for advertising or marketing purposes without your explicit consent. We do not sell your information or PHI.

3. How We Share or Disclose Information

We share information only in the following limited circumstances:

  • Service Providers and Subprocessors — we engage third-party cloud storage, AI processing, and infrastructure vendors (such as AWS, Google Cloud, Microsoft Azure, and AI model providers). Such vendors are contractually bound by Business Associate Agreements (for PHI) or equivalent data protection agreements, may access data solely to provide services to us, and are prohibited from using it for their own purposes.

  • Legal Requirements — we may disclose information if required by law, subpoena, court order, or government request (including HIPAA-permitted disclosures).

  • Business Transfers — in a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, with notice as required by law.

  • Aggregated or De-Identified Data — we may share anonymized, aggregated data for industry analytics or research. This data cannot reasonably identify you or any individual.

  • No Sale of Data — we do not sell your personal information or PHI to any third party.

4. Connected Third-Party Accounts (Email Integration)

The Services let you optionally connect a third-party business email account — Google (Gmail / Google Workspace) or Microsoft (Outlook / Microsoft 365) — so you can read and send email inside InvisaClaim. Connection is authorized by you through the provider's standard OAuth consent flow and may be revoked at any time.

4.1 What we access

With your authorization, InvisaClaim accesses, on your behalf:

  • Your connected account's email address (to identify the mailbox).

  • The contents of messages in your mailbox, on a read-only basis, for display within the application.

  • The ability to send email messages that you compose and submit within the application.

For Google, this corresponds to the gmail.readonly and gmail.send scopes (plus basic identity scopes openid, userinfo.email, userinfo.profile). For Microsoft, this corresponds to the Microsoft Graph delegated permissions Mail.Read (or Mail.ReadWrite), Mail.Send, and offline_access. We request the minimum permissions necessary to provide the feature and do not request the ability to delete your mail or change your mailbox settings.

4.2 We do not store your email content

InvisaClaim does not store, copy, cache, or log the contents of your email messages. When you view a message, its content is retrieved live from Google's or Microsoft's APIs at that moment, rendered to you, and not retained on our servers afterward. The only connection-related data we store is:

  • an encrypted OAuth refresh token (used solely to maintain your authorized connection), and

  • minimal account metadata: your connected email address, the provider, the connection timestamp, and connection status.

Refresh tokens are encrypted at rest and are accessible only to the authenticated user who created the connection. Because we do not retain message content, InvisaClaim is not a repository of your mailbox; we act only as a transient, authorized conduit between you and your email provider.

4.3 How we use connected-account data

We use connected-account access solely to display your mailbox within InvisaClaim and to send messages you write and submit. We do not use email data for advertising, we do not sell it, and we do not use it to develop, improve, or train any generalized or public artificial-intelligence or machine-learning models.

4.4 How we share connected-account data

We do not transfer connected-account data to third parties except: (a) calls to the email provider's own APIs that are necessary to deliver the feature; (b) where required by law; or (c) as part of a business transfer with prior notice. We do not share email content with our AI model providers.

4.5 Google Limited Use

InvisaClaim's use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4.6 Microsoft data

InvisaClaim's access to Microsoft 365 / Outlook data via Microsoft Graph adheres to the Microsoft APIs Terms of Use and the Microsoft Services Agreement. We request only the minimum necessary delegated permissions and process Microsoft data only to provide the connected-email feature.

4.7 Business accounts and PHI

Because email in a healthcare revenue-cycle context may contain PHI, connected mailboxes must be business accounts (Google Workspace or Microsoft 365 commercial) covered by your organization's own provider agreement (including a HIPAA BAA with Google or Microsoft where applicable). The application is designed to reject connection of consumer/personal email accounts. Any PHI accessed through a connected mailbox remains subject to your BAA with InvisaClaim.

4.8 Revoking access

You may disconnect a connected account at any time within InvisaClaim, which deletes the stored encrypted token. You may also revoke InvisaClaim's access directly through your provider — Google at myaccount.google.com/permissions, or Microsoft through your account's app-permissions settings. Revocation immediately ends our ability to access the mailbox.

5. AI-Specific Processing

Our Services rely on artificial intelligence. AI outputs are generated automatically and may contain inaccuracies, omissions, or hallucinations. We use your inputs solely to provide the Services and to improve our models in aggregated/de-identified form only. Human oversight is required on your end before any output is used for claims submission or patient-related decisions. We do not use customer PHI, or any connected email content, to train public or generalized models without explicit BAA authorization.

6. Data Retention and Deletion

  • Active Subscription: we retain Your Data for as long as your subscription is active and as needed to provide the Services.

  • After Termination or Cancellation: we retain Your Data for a maximum of thirty (30) days to allow you to export it.

  • Permanent Deletion: after 30 days, all data (including PHI) may be permanently and irreversibly deleted without further notice.

  • Connected Accounts: encrypted OAuth tokens and connection metadata are deleted upon disconnection or account termination. Email content is never retained, so there is nothing further to delete.

  • Backups: we maintain temporary backups for disaster recovery only; these are also subject to the 30-day deletion timeline.

We have no obligation to retain or return data beyond this period. You are responsible for maintaining your own backups and exporting records before termination.

7. Security

We implement commercially reasonable administrative, technical, and physical safeguards — including encryption at rest and in transit, access controls, audit logging, regular vulnerability scanning, and employee training — to protect your information. Connected-account credentials (OAuth refresh tokens) are encrypted at rest and scoped to the authorizing user. No system is completely secure, and we do not guarantee that data will never be lost, accessed, or disclosed in an unauthorized manner. You must use strong, unique passwords and enable multi-factor authentication where available.

8. Your Rights and Choices

For Non-PHI Personal Information (e.g., account data) you may:

  • Access, correct, or delete your information (subject to legal retention obligations).

  • Opt out of certain processing (where applicable).

  • Request a copy of your data in a portable format.

  • Disconnect any connected email account at any time.

For PHI: all rights (access, amendment, accounting of disclosures, etc.) are governed exclusively by your BAA and applicable HIPAA rules. Contact your organization's privacy officer or submit requests through the BAA process.

California Residents (CCPA/CPRA): you have the right to know what personal information we collect, request deletion, opt out of "sales" (we conduct none), and correct inaccuracies. Email legal@invisaclaim.com; we will verify your identity before responding (within 45 days).

Other State Privacy Rights (Virginia, Colorado, Connecticut, Utah, and others): comparable rights apply where required by law.

To exercise any rights, email legal@invisaclaim.com. We will respond within the time required by applicable law.

9. HIPAA and Protected Health Information

If you upload or transmit PHI, a valid BAA must be in place before any processing occurs. This Policy supplements — but does not replace — your BAA. We act only as a Business Associate and will:

  • Use and disclose PHI solely as permitted by the BAA and HIPAA.

  • Implement required administrative, technical, and physical safeguards.

  • Report breaches as required by law.

  • Return or destroy PHI upon termination (subject to the 30-day retention period above).

PHI that appears in a connected email mailbox is handled per Section 4 and remains governed by your BAA.

10. Cookies and Tracking Technologies

We use essential cookies (for authentication and functionality), analytics cookies (e.g., Google Analytics), and functional cookies. You can manage preferences through your browser settings or our cookie consent banner. We do not use tracking technologies that disclose PHI without a BAA.

11. Third-Party Links and Services

The Services may contain links to third-party sites. We are not responsible for their privacy practices. Review their policies before providing information.

12. Children's Privacy

Our Services are not intended for anyone under 18. We do not knowingly collect data from children. If you believe we have, contact us immediately.

13. International Users

If you are outside the United States, your data is transferred to and processed in the U.S. By using the Services, you consent to this transfer. We implement appropriate safeguards for international transfers where required.

14. Changes to This Privacy Policy

We may update this Policy at any time. Notice of material changes will be given via email or in-Service notice. Continued use after the effective date constitutes acceptance. The "Effective Date" above reflects the latest version.

15. Contact Information

InvisaClaim LLC
1200 N Federal Hwy, Suite 300
Boca Raton, FL 33432
Email: hello@invisaclaim.com
Website: www.invisaclaim.com