How DenaliHealth collects, uses, and protects your information.
Effective: March 5, 2026
1. Overview
DenaliHealth ("we," "us," or "our") is a Medicare claims intelligence application operated by Qash Solutions Inc. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website at www.denali.health and related services (collectively, the "Service"). By creating an account, you actively acknowledge and accept the practices described in this policy. You may review this policy before signing up, and you may delete your account at any time if you no longer agree.
2. Information We Collect
Information You Provide
Email address (for account creation and authentication via one-time passcodes)
Phone number (for multi-factor authentication, if you choose to add it)
Conversation content (your questions and our AI-generated responses about Medicare coverage)
Appeal letter content (generated by our AI based on information you provide)
Consent preferences (your choices about how your data is used)
Medicare Health Data (With Your Explicit Consent)
Patient demographics (age and gender only — we do not store your full name, date of birth, address, or Medicare beneficiary ID)
Coverage information (Medicare Part A/B enrollment, plan details)
Claims and Explanation of Benefits (EOBs) including denied claims
Conditions, medications, and screening history (extracted from your claims data)
Information We Do NOT Collect
Full names, dates of birth, or mailing addresses
Social Security Numbers (SSN)
Medicare beneficiary IDs or insurance card numbers (we access data via secure OAuth, not card numbers)
Bank account or financial information (payments processed by Stripe)
Medical records beyond what Medicare provides
Automatically Collected Information
Device type and browser information (for compatibility)
IP address (for security and audit logging)
Usage patterns (pages visited, features used — anonymized)
3. How We Use Your Information
Provide personalized Medicare coverage guidance based on your situation
Generate appeal letters when Medicare denies a claim
Connect to the official Medicare claims API to access your Medicare data (only with your explicit consent)
Personalize AI conversations with your health context (lab results, diagnoses, medications — only if you consent)
Detect and alert you to potential claim denial risks before they happen
Improve our service through anonymized, de-identified learning patterns
Maintain audit logs for CMS compliance (who accessed what data, when, and why)
Send you account-related communications (authentication codes, appeal status)
4. Medicare Health Data
We access your Medicare data through the official Medicare claims API. This connection uses OAuth 2.0 with PKCE (Proof Key for Code Exchange), which prevents an intercepted authorization code from being exchanged for access; we never see or store your Medicare password.
When you connect your Medicare account, you authorize CMS to share specific data with us. You can revoke this connection at any time in Settings.
When you disconnect your Medicare connection, all cached health data is immediately and permanently deleted from our servers. Previously collected health data is not retained, shared, or used after you revoke access. Your right to revoke access does not affect any data already anonymized for service improvement (see Section 7).
How We Protect Your Medicare Data
OAuth tokens are encrypted at rest using AES-256-GCM encryption
Health data is cached locally for up to 24 hours to reduce API calls, then refreshed
All data access is logged in our audit system (who, what, when, why)
Data in transit is protected by TLS 1.2+
Application-level access controls ensure you can only access your own data through authenticated API routes
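The token-at-rest control listed above, as an added example written for this page rather than code from DenaliHealth or Qash Solutions: a Go program that seals an OAuth token with AES-256-GCM under a random per-record nonce and refuses to open a blob that has been modified or moved to another account. The key, account id and token value are constructed placeholders, and binding the account id as additional authenticated data is this example's own design choice, not something the policy states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// aes256KeyLen is the key size that selects AES-256 in Go's crypto/aes.
const aes256KeyLen = 32

// sealToken encrypts an OAuth token with AES-256-GCM. A fresh 96-bit nonce is
// drawn per call and prepended to the output, so the stored blob is
// nonce || ciphertext || tag. The account id is passed as additional
// authenticated data (an assumption made for this example): it is not
// encrypted, but a blob copied into another account's row will fail to open.
func sealToken(key []byte, accountID string, token []byte) ([]byte, error) {
	if len(key) != aes256KeyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, token, []byte(accountID)), nil
}

// openToken reverses sealToken. Any change to the nonce, ciphertext, tag or
// account id makes gcm.Open return an error instead of plaintext.
func openToken(key []byte, accountID string, blob []byte) ([]byte, error) {
	if len(key) != aes256KeyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(accountID))
}

func main() {
	// Constructed sample values; a real key would come from a KMS or secrets store.
	key := make([]byte, aes256KeyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := sealToken(key, "acct-0001", []byte("sample-refresh-token"))
	if err != nil {
		panic(err)
	}
	if pt, err := openToken(key, "acct-0001", blob); err == nil {
		fmt.Printf("round trip ok: %s\n", pt)
	}
	if _, err := openToken(key, "acct-0002", blob); err != nil {
		fmt.Println("blob bound to another account rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := openToken(key, "acct-0001", blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

GCM's authentication tag is what turns "encrypted at rest" into "tamper-evident at rest": a database operator who edits a stored blob, or copies it into another user's row, gets a decryption error rather than a usable token. The nonce must never repeat under the same key, which is why it is generated randomly per call and stored alongside the ciphertext rather than derived from anything predictable.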
Your Consent Controls
Health Data in AI: Choose whether your lab results, diagnoses, and medications are used to personalize AI conversations
Health Data Storage: Choose whether your Medicare data is cached for faster access
Analytics: Choose whether anonymized usage data helps us improve the service
You can change these preferences anytime in Settings > Privacy & Data
5. How We Share Your Information
We do not sell your personal information. We share data only in limited circumstances, described below with the scope and duration of each sharing relationship:
Stripe: Payment processing for subscriptions and per-appeal purchases. Sharing is transactional (one-time per payment event) — we never see or store your credit card number.
CMS (Medicare API): We exchange data with the Medicare claims API only when you explicitly authorize the connection. Sharing is persistent while your connection is active and ceases immediately when you disconnect.
AWS (Amazon Web Services): Our database (RDS PostgreSQL), application hosting (ECS/Fargate), and AI processing (Bedrock) provider. AWS is HIPAA-eligible and our Business Associate Agreement (BAA) was executed on February 25, 2026. Your account data, conversation history, and cached health data are stored in encrypted AWS RDS databases in us-east-1. Sharing is persistent for the lifetime of your account.
Legal Requirements: We may disclose information if required by law, court order, or government regulation.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your personal information may be transferred. We will notify you via email at least 30 days before your data is transferred and becomes subject to a different privacy policy. As a holder of CMS Blue Button API production credentials, we will also notify CMS at the earliest practicable time, as production credentials are issued to a specific approved application and entity and a change of ownership requires CMS re-review.
Resend: Email delivery service for authentication codes and account communications. Resend receives only your email address, transiently for message delivery. SOC 2 Type II certified.
Vendor Data Protection Commitments: Each third-party service provider we work with is contractually required to protect your information using safeguards appropriate to the sensitivity of the data they handle, consistent with applicable law. All providers handling protected health information are covered by Business Associate Agreements (BAAs). AWS is HIPAA-eligible and SOC 2 Type II certified (BAA executed February 25, 2026); Stripe is PCI DSS certified for payment data; Resend is SOC 2 Type II certified for email delivery.
AWS Bedrock (Claude AI) Data Handling
Your conversation content (questions and context) is processed through Claude on AWS Bedrock to generate responses. Sharing is transactional (per-message) — each request is independent. Health data is only included if you have enabled the 'Health Data in AI' consent toggle.
AWS Bedrock does not store or log your prompts and completions by default, and does not train models on your data.
All data sent to AWS Bedrock is encrypted in transit via TLS 1.2+ and processed within HIPAA-eligible infrastructure covered by our AWS BAA executed February 25, 2026.
AWS is SOC 2 Type II certified and HIPAA-eligible across all services we use (RDS, ECS/Fargate, Bedrock).
6. Data Retention
Account data: Retained until you delete your account
Conversation history: Retained until you delete your account
Appeal letters: Retained until you delete your account
Cached health data: Refreshed every 24 hours; deleted when you disconnect Medicare or delete your account
OAuth tokens: Encrypted; deleted when you disconnect Medicare or delete your account
Audit logs: Retained for a minimum of 6 years per HIPAA requirements — this retention obligation applies even after account deletion and cannot be waived
Anonymized learning data: Retained indefinitely (contains no personally identifiable information)
Inactive accounts: Accounts with no sign-in activity for 24 months may receive a 30-day email notice before data is archived. You can reactivate by signing in during the notice period.
7. Account Deletion
You can delete your account at any time through Settings > Danger Zone. When you delete your account, we permanently and irreversibly delete:
Your Medicare connection and all cached health data
All conversations and messages
All appeal letters
Your consent preferences
Your diabetes tracking data (daily logs, lab snapshots, and AI-generated insights)
Your authentication credentials
Your Stripe subscription (if active)
The only data retained after deletion is anonymized, de-identified learning data (e.g., 'symptom phrase X maps to diagnosis code Y with Z% confidence'). This data contains no names, contact details, Medicare beneficiary IDs, or account identifiers.
While we believe this data cannot be traced back to any individual, we acknowledge that in rare cases, highly specific patterns in medical data could theoretically contribute to re-identification of individuals with uncommon conditions. We deliberately minimize and aggregate this data to reduce that risk.
Medicare claims data may also contain information relevant to family members — for example, diagnosis codes for hereditary conditions. We do not share your personal health data with any other individuals, including relatives, without your explicit consent. We handle all such data with this sensitivity in mind.
Note: audit logs are subject to a minimum 6-year HIPAA retention requirement that applies even after account deletion. All other data listed above is permanently and irreversibly deleted.
8. Security Measures
AES-256-GCM encryption for OAuth tokens at rest
TLS 1.2+ for all data in transit
Application-level access controls — users can only access their own data through authenticated API routes
PKCE (Proof Key for Code Exchange) for Medicare OAuth to prevent authorization code interception
Comprehensive audit logging of all sensitive data access
Automatic session management and token refresh
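The PKCE measure listed above, as an added example written for this page and not taken from DenaliHealth's code: the client-side verifier and challenge generation, and the check an authorization server runs at the token endpoint, which is what makes an intercepted authorization code useless on its own. Function names are this example's own; it assumes the S256 challenge method defined in RFC 7636, and the comment about keeping the verifier in a short-lived httpOnly cookie reflects the policy's own description of its PKCE cookies rather than any knowledge of the implementation.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// newCodeVerifier returns a 43-character code_verifier: 32 random bytes in
// unpadded base64url, which is within the 43..128 range RFC 7636 requires.
func newCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// codeChallengeS256 derives the S256 code_challenge:
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) with no padding.
func codeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifyPKCE is the check the authorization server performs at the token
// endpoint: recompute the challenge from the presented verifier and compare it
// with the challenge stored at /authorize. Constant-time comparison avoids
// leaking how many leading bytes matched.
func verifyPKCE(storedChallenge, presentedVerifier string) error {
	if n := len(presentedVerifier); n < 43 || n > 128 {
		return errors.New("code_verifier length outside 43..128")
	}
	got := []byte(codeChallengeS256(presentedVerifier))
	if subtle.ConstantTimeCompare(got, []byte(storedChallenge)) != 1 {
		return errors.New("code_verifier does not match stored code_challenge")
	}
	return nil
}

func main() {
	// Client side: generate the pair, send only the challenge with /authorize,
	// and keep the verifier in a short-lived httpOnly cookie until the callback
	// (the policy describes such a cookie; the storage detail is assumed here).
	verifier, err := newCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := codeChallengeS256(verifier)
	fmt.Println("code_challenge sent to /authorize:", challenge)

	// Token endpoint: the legitimate client presents its verifier.
	fmt.Println("legitimate exchange:", verifyPKCE(challenge, verifier))

	// A party holding only the authorization code never saw the verifier;
	// whatever it presents fails the check, so the code alone yields no token.
	other, _ := newCodeVerifier()
	fmt.Println("exchange without the verifier:", verifyPKCE(challenge, other))
}
```

The verifier is sent only once, over TLS, directly to the token endpoint; the challenge is a one-way hash of it, so observing the authorization request or the redirect back does not reveal the verifier. The length check matters for defence in depth: it rejects empty or trivially short verifiers before any hashing is done.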
9. HIPAA Compliance and Privacy Act
Medicare data obtained through the Blue Button APIs is subject to the Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), and other applicable federal and state laws requiring special safeguarding. We comply with all applicable federal and state laws regarding the protection and disclosure of information obtained through the Blue Button APIs. Our compliance measures include:
Physical safeguards: secure hosting through AWS (RDS, ECS/Fargate, Cognito) with SOC 2 and HIPAA-eligible services
Business Associate Agreements (BAAs) are required from all service providers who access, process, or store protected health information on our behalf. Our BAA with AWS (covering database, hosting, and AI services via Amazon RDS, ECS/Fargate, and Bedrock) was executed on February 25, 2026.
For detailed information about our HIPAA practices, see our HIPAA Compliance page.
As a personal health record vendor, we comply with the FTC Health Breach Notification Rule (16 CFR Part 318) and the HITECH Act breach notification requirements. In the event of a breach of unsecured health data:
We will notify affected individuals within 60 days of discovery via email, explaining what happened, what data was involved, and what steps to take
Notification will include: a description of the breach, the types of data involved, steps we have taken to investigate and mitigate, and specific steps you can take to protect yourself — such as monitoring your Medicare Summary Notices and Explanation of Benefits for unfamiliar claims, contacting 1-800-MEDICARE (1-800-633-4227) if you suspect misuse of your Medicare number, and reviewing your credit report if personal identifiers were involved
For breaches affecting 500 or more individuals, we will also notify the FTC and HHS as required by law
We maintain incident response procedures to detect, investigate, and contain potential breaches promptly (see our HIPAA Compliance page for the full Incident Response Plan)
11. CMS Interoperability Framework
We participate in the CMS Health Technology Ecosystem as a Patient-Facing App under two categories: Conversational AI Assistants and Diabetes & Obesity Prevention. As part of this framework, we commit to:
Supporting patient identity verification through CMS-approved services (Medicare OAuth with IAL2/AAL2)
Maintaining transparent audit logs of all data access
Honoring patient consent preferences across all data operations
Including request purpose codes on all health data queries
Providing a 14-day free trial for Medicare beneficiaries
Making our application available for CMS review and directory listing
Clearly marking all AI-generated content and distinguishing it from clinical guidance
12. Cookies & Local Storage
Authentication cookies: Secure, httpOnly session cookies for login state
PKCE cookies: Temporary httpOnly cookies during Medicare OAuth (cleared after authorization)
Theme preference: Stored in localStorage (dark/light/system)
We do not use tracking cookies or third-party advertising cookies
We do not participate in cross-site tracking or ad networks
13. Your Rights
Depending on your jurisdiction, you may have the right to:
Access: View all data we hold about you (conversation history, appeals, health data cache)
Correction: Request correction of inaccurate data
Deletion: Delete your account and all associated data (Settings > Danger Zone)
Portability: Export your data in a readable format
Consent Withdrawal: Revoke any consent at any time (Settings > Privacy & Data)
Opt-Out: Disconnect your Medicare data connection at any time
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information is collected and the right to opt-out of the sale of personal information. We do not sell personal information.
14. Children's Privacy
Our Service is designed for Medicare beneficiaries (generally age 65+) and their caregivers. We do not knowingly collect information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify registered users via email at least 30 days before the new policy takes effect, with a summary of what changed.
If changes are driven by CMS regulatory updates or modifications to the CMS Interoperability Framework, we will specifically identify those changes and explain how they affect your Medicare data handling.
If you disagree with the changes, you may delete your account and all associated data before the effective date (Settings > Danger Zone). Continued use of the Service after the effective date constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy, your data, or your rights, you can:
Ask Denali directly in the chat for privacy-related questions