Privacy Policy

Last updated: March 2026

1. Information We Collect

We collect the following categories of information:

  • Account Information: Name, email address, and password when you create an account.
  • Health-Related Documents: Insurance denial letters, medical bills, Explanation of Benefits (EOBs), prescription information, and other documents you voluntarily upload.
  • Insurance Information: Provider name, plan type, member ID, deductible and out-of-pocket amounts you enter.
  • Usage Data: Pages visited, features used, timestamps, device type, IP address, and browser information.
  • Payment Information: Processed securely by Stripe. We do not store credit card numbers.
  • Consent Records: Timestamps and metadata of your consent actions for compliance purposes.

2. How We Use Your Data

  • Provide and improve Lysco's informational services, including AI-powered analysis of your documents
  • Generate informational templates (appeal letters, negotiation letters, savings reports)
  • Process payments and manage subscriptions
  • Send service-related communications (case updates, billing notices)
  • Maintain security and prevent fraud
  • Comply with legal obligations

We do NOT sell, rent, or trade your personal or health data to third parties. We do NOT use your data to train AI models.

3. Legal Basis for Processing

We process your data under the following legal bases:

  • Consent: You explicitly consent to processing when you create an account and upload health documents.
  • Contract Performance: Processing necessary to provide the services you subscribed to.
  • Legitimate Interest: Security, fraud prevention, and service improvement.
  • Legal Obligation: Compliance with applicable laws and regulations.

4. Health Data Protections

Health Information Safeguards

Lysco recognizes the sensitive nature of health-related information. While Lysco is not a "covered entity" or "business associate" as defined under HIPAA (because Lysco does not provide healthcare services, health plans, or healthcare clearinghouse services), we voluntarily implement safeguards aligned with HIPAA Security Rule standards as a best practice.

  • Encryption: AES-256 at rest, TLS 1.3 in transit for all health-related data
  • Access Controls: Row-level security (RLS) ensures users can only access their own data
  • Audit Logging: All access to health data is logged with user ID, timestamp, and action
  • Data Isolation: Each user's data is logically isolated at the database level
  • No Model Training: Your documents are never used to train AI models
  • Secure Processing: Documents are processed in isolated environments with automated analysis technology
  • Employee Access: Strictly limited on a need-to-know basis with access logging

5. Data Security

We implement administrative, technical, and physical safeguards to protect your data. These include encryption, access controls, regular security assessments, and secure development practices. While no system is 100% secure, we are committed to protecting your information using industry-standard measures.

6. Data Retention

  • Account Data: Retained while your account is active and for 30 days after deletion request.
  • Health Documents: Retained while your account is active. Permanently deleted within 30 days of account deletion or upon request.
  • AI Chat History: Retained while your account is active. You can delete individual conversations at any time.
  • Consent Records: Retained for 6 years from creation for compliance audit purposes, even after account deletion.
  • Payment Records: Retained as required by tax and financial regulations (typically 7 years).
  • Anonymized Analytics: May be retained indefinitely in aggregate, non-identifiable form.

7. Sub-Processors and Third Parties

We use the following third-party services to operate Lysco. Each processes data only as necessary for their specific function:

Service        | Purpose                  | Data Processed
Supabase (AWS) | Database, Auth, Storage  | All user data (encrypted)
Anthropic      | AI Analysis (Claude API) | Document text, chat messages
Stripe         | Payment Processing       | Email, payment details
Vercel         | Application Hosting      | IP address, usage analytics

Anthropic's data use policy: API inputs and outputs are not used to train Anthropic's models. Anthropic retains API logs for up to 30 days for safety monitoring, then deletes them.

8. Your Rights

Regardless of your location, you have the following rights:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Correct inaccurate personal data
  • Deletion: Request permanent deletion of your data (within 30 days)
  • Export: Receive your data in a portable, machine-readable format
  • Restrict Processing: Limit how we use your data
  • Withdraw Consent: Withdraw consent at any time without affecting prior processing
  • Object: Object to processing based on legitimate interest

Exercise these rights from your account settings or by contacting privacy@lysco.com. We will respond within 30 days (or as required by applicable law).

9. European Users (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Norway, additional protections apply:

  • Health data is processed under Article 9(2)(a) GDPR — your explicit consent, obtained before any health document upload
  • Data transfers to the US are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission
  • You have the right to lodge a complaint with your local data protection authority (e.g., Datatilsynet in Norway, ICO in the UK, CNIL in France)
  • Data Protection Officer contact: dpo@lysco.com

10. California Users (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: What personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do NOT sell or share your personal information for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Sensitive Personal Information: Health data is treated as sensitive personal information. We process it only with your explicit consent and solely to provide our services.

To exercise CCPA rights, email privacy@lysco.com with subject line "CCPA Request." We will verify your identity and respond within 45 days.

11. Children's Privacy

Lysco is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@lysco.com and we will promptly delete it.

12. Breach Notification

In the event of a data breach affecting your personal information, we will: (a) notify affected users within 72 hours of discovery (as required by GDPR) or as soon as practicable; (b) notify relevant supervisory authorities as required by applicable law; (c) provide details about the nature of the breach, data affected, and remediation steps taken.

13. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. Continued use after changes take effect constitutes acceptance. Previous versions are available upon request.

14. Contact

Privacy inquiries: privacy@lysco.com
Data Protection Officer: dpo@lysco.com
General support: support@lysco.com