Privacy Policy

Effective Date: February 22, 2025  |  Last Updated: February 22, 2025
Operator: Conduit Catalyst LLC  |  Gulfport, Mississippi

We know you're already cautious about HIPAA, data privacy, and every new tool that touches your workflow. Good — you should be. This policy is written to give you clear, honest answers about what we collect, what we don't, and who else is involved. No legalese traps. No buried clauses.

SECTION 1
Who We Are

Denial Code Navigator ("the Tool") is a product of Conduit Catalyst LLC, a limited liability company based in Gulfport, Mississippi. The Tool is delivered via a Telegram bot (@MDCDenialBot) and marketed through denialdecoder.xyz ("the Site").

For all privacy-related questions, you can reach us at: support@denialdecoder.xyz

SECTION 2
What We Collect

We believe in minimal data collection. Here's exactly what we receive when you use the Tool:

2.1 — Data We Receive Through Telegram

• Your Telegram user ID and username — This is sent automatically by Telegram when you message any bot. We use this to track your usage against your plan tier (Free, Starter, Pro, or Agency).
• The text messages you send — When you type a denial code like "CO-197" or "PR-1 N362", we receive that text in order to process your lookup.
• Photos you send — When you use the photo scanner feature, we receive the image you send. We process it to extract billing codes and amounts, then return the analysis. We do not permanently store your photos.

2.2 — Data We Collect Through the Website

• Basic analytics — We may use privacy-respecting analytics (such as Plausible or Google Analytics) to understand page traffic, referral sources, and general visitor behavior. This data is aggregated and does not personally identify you.
• Contact form submissions — If you use the contact form on our site, we collect your name, email address, and message content solely to respond to your inquiry.

2.3 — Payment Data

All billing and payment processing is handled by Stripe, Inc. When you subscribe to a paid plan, Stripe collects and processes your payment information (credit card number, billing address, etc.) under their own Privacy Policy and PCI-DSS security standards.

SECTION 3
What We Do NOT Collect

This section exists because we know billers worry. Here's what we want to be unambiguous about:

• We do not collect patient names, dates of birth, SSNs, medical record numbers, or any Protected Health Information (PHI).
• We do not store your conversation history. Your queries are processed in real time and not retained in a searchable database tied to your identity.
• We do not build user profiles. We don't track which codes you look up over time to create behavioral models, advertising profiles, or sell to third parties.
• We do not sell, rent, or share your personal data with advertisers, data brokers, or marketing companies. Period.

SECTION 4
HIPAA — Let's Be Direct

4.1 — What Is PHI?

Protected Health Information (PHI), as defined under HIPAA (45 CFR §160.103), is any individually identifiable health information — data that can be linked to a specific patient. This includes names, dates of birth, Social Security numbers, medical record numbers, health plan IDs, and similar identifiers.

4.2 — What the Bot Actually Sees

The data the Tool processes — denial reason codes (CARC/RARC), group codes, CPT/HCPCS procedure codes, and dollar amounts — is administrative billing data, not PHI. When you crop the patient header off an ERA before sending a photo, what remains are codes and numbers that cannot identify any individual patient.

4.3 — Your Responsibility

You are solely responsible for ensuring that no PHI enters the system. Before sending any image to the bot, you must redact all patient-identifiable information. Your phone's built-in photo editor can do this in seconds — crop the top of the ERA where the patient name and ID appear, and send only the billing grid.

If you accidentally send PHI, notify us immediately at support@denialdecoder.xyz so we can confirm no data was retained.

SECTION 5
The Telegram Relationship

Denial Decoder operates on Telegram's messaging infrastructure. When you send a message to @MDCDenialBot, here's the data flow:

1. You type a message or send a photo in Telegram.
2. Telegram transmits your message through its servers to our bot's API endpoint.
3. Our system processes the query and returns a response through Telegram.

What Telegram does with your data on their end is governed by Telegram's Privacy Policy, not ours. We only receive what Telegram forwards to our API. We do not have access to your other Telegram conversations, contacts, groups, or account settings.

We chose Telegram because it's free, fast, works on every platform, supports photo messaging natively, and offers end-to-end encryption options. But your relationship with Telegram is yours — we are an independent third-party bot on their platform, not a Telegram product.

SECTION 6
Third-Party AI Processing

To deliver fast, accurate responses, the Tool uses third-party AI APIs to assist in processing your queries. C urrently, these include services routed through OpenRouter (which may connect to models such as DeepSeek V3 and Gemini 2.0 Flash).

This means:

• Your text queries and/or images may be transmitted to these third-party AI providers for processing.
• Each provider has its own data retention and privacy policies. We select providers with strong data handling practices, but we cannot control their internal policies.
• We do not send any patient-identifiable information to these providers — because we never receive any in the first place (you redact it before sending).

We will update this section if our AI provider stack changes materially.

SECTION 7
Data Retention

• Query data — Your text lookups and photo submissions are processed in real time. We do not maintain a permanent, searchable log of your individual queries tied to your identity.
• Usage counters — We track the number of lookups and scans you've used against your plan limits. This is a simple counter, not a content log.
• Payment records — Stripe retains transaction records as required by financial regulations. We retain basic subscription status data (plan type, billing dates) for account management.
• Contact form submissions — We retain contact messages for as long as necessary to respond and resolve the inquiry, then delete them.

SECTION 8
Your Rights

Regardless of where you live in the United States, you have the right to:

• Request information about what data we hold related to your Telegram user ID or email address.
• Request deletion of your data from our systems. Contact support@denialdecoder.xyz with your Telegram username, and we will remove your usage data within 30 days.
• Opt out of any future communications from us (we don't send marketing emails unless you explicitly sign up, and you can unsubscribe at any time).
• Ask questions — we're real people and we respond. If something in this policy concerns you, write to us. We'll answer.

A Note for California Residents (CCPA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). We do not sell personal information. To exercise any CCPA rights, contact support@denialdecoder.xyz.

A Note for International Users (GDPR)

Denial Code Navigator is designed for medical billers in the United States. If you are accessing the Tool from outside the US, please be aware that your data is processed in the United States. If you are in the EU/EEA and believe GDPR applies to your use, contact us and we will work with you to address your rights under applicable law.

SECTION 9
Security

We implement reasonable technical and organizational measures to protect the data we process. These include encrypted API connections (HTTPS/TLS), access controls, and secure server infrastructure.

However, no system is 100% secure. We cannot guarantee absolute security, and you use the Tool at your own risk. If you believe your data has been compromised, contact us immediately.

SECTION 10
Children's Privacy

The Tool is designed for adult professionals in the medical billing industry. We do not knowingly collect information from children under 13. If you believe a child has used the Tool, contact us and we will delete any related data.

SECTION 11
Changes to This Policy

We may update this Privacy Policy from time to time. Updated versions will be posted at denialdecoder.xyz/privacy with a new "Last Updated" date. For material changes, we will make reasonable efforts to notify you at least 14 days in advance.

Your continued use of the Tool after changes are posted constitutes acceptance of the updated policy.

SECTION 12
Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or your data, reach out to us:

Conduit Catalyst LLC
Gulfport, Mississippi
support@denialdecoder.xyz
denialdecoder.xyz

We respond within one business day. We're billers' people — not a faceless corporation. Ask us anything.