Privacy Policy

Last updated: 2026-06-09

Counterclaim is an informational AI tool, not a law firm and not a HIPAA Covered Entity. Generated letters are drafts that you must verify and adapt. Read this Privacy Policy and our Terms of Service before uploading any document.

This Privacy Policy describes how the individual operator of Counterclaim (the "Operator", "we", "us") collects, uses, shares, and retains information when you use the website at counterclaim.help and the AI-driven appeal-letter drafting service available there (the "Service"). It is published as a companion to our Terms of Service and the Disclaimer; the three documents should be read together.

1. Operator identity

The Service is operated by an individual sole proprietor doing business as "Counterclaim". The Operator is not a corporation, limited liability company, professional corporation, or law firm. A future corporate entity (such as an LLC or Inc.) may take over operation of the Service; users will be notified via the website if and when that happens. This identity is also disclosed in the Terms of Service.

2. What we collect

2.1 Uploaded documents. When you upload a denial letter, Explanation of Benefits ("EOB"), physician note, plan document, or other supporting file, the file is held in server memory only for the duration of the processing pipeline run. We extract the text via optical character recognition ("OCR") and pass that text to the rest of the pipeline.

2.2 OCR text and structured fields. The text extracted from your uploaded documents and the structured fields parsed from that text - patient name, member ID, insurer name, claim number, denial code, CPT/HCPCS codes, ICD-10 codes, dates of service, billed amount, denial reason - are stored in a transient session record so the pipeline can produce, regenerate, and let you download your draft letter.

2.3 Intake answers. Any free-text answers you provide (your physician's name, your address, the basis for urgency, etc.) are stored alongside the session record.

2.4 Optional follow-up email. If you voluntarily provide an email address to receive deadline reminders or follow-up cadence emails about your appeal, we store that email along with a tokenized identifier so the follow-up cron can send the scheduled messages and so you can unsubscribe with a single click.

2.5 Aggregate analytics. We use Vercel Analytics and Plausible to count anonymized page views, referrers, and aggregate device categories. These services are configured for cookieless, IP-anonymized measurement and do not build cross-site advertising profiles.

2.6 Server logs. Our hosting provider maintains short-term operational logs (HTTP method, status code, latency, generic user-agent, truncated IP) for security and debugging. These are not used for marketing.

3. What we do not collect

3.1 No accounts. Counterclaim does not require you to create an account, choose a username, or set a password. We do not maintain a user database to leak.

3.2 No payment-card data. Payment-card details are entered directly into Stripe's hosted checkout. We never see, log, or store your card number, security code, or full card expiration on our infrastructure. See Section 4 (Payment information) for what we do receive from Stripe.

3.3 No advertising tracking. We do not embed third-party advertising trackers, retargeting pixels, social widgets, or cross-site identity graphs.

4. Payment information

4.0 The Service is currently free. No payment is taken today, so none of the payment data described below is collected at present. This section describes what would happen if and when paid access is enabled.

4.1 We do not receive or store your card number, CVV, expiration date, or billing address. Stripe, Inc. processes all card payments on our behalf and is the controller for that data under its own privacy policy: https://stripe.com/legal/privacy-center.

4.2 We receive from Stripe a transaction identifier, the amount paid, the email address you provided at checkout (if any), and the success/failure status of the transaction. We use this information only to mark your session as paid, to unlock your download, and to allow Stripe to deliver a Stripe-generated receipt to the email you provided.

4.3 We do not sell, share, or use payment information for advertising, profiling, or any cross-context behavioral marketing. We do not transmit payment information to AI sub-processors.

5. How long we keep data

5.1 Session records. Session records, including the OCR text and the generated letter HTML, are automatically purged by a scheduled cleanup cron approximately one (1) hour after they are created. After that point we cannot recover your draft - download or copy your letter before the session expires.

5.2 Uploaded files. Uploaded files are not persisted to long-term storage; they are processed in memory and discarded once OCR completes.

5.3 Follow-up tokens. If you opt into follow-up email reminders, the token, the email address, and the schedule of upcoming sends are kept for up to one hundred fifty (150) days from the start of the cadence, or until you unsubscribe via the link in any reminder, whichever comes first. After that the record is deleted.

5.4 Analytics aggregates. Anonymized, aggregate analytics are retained per the standard retention policies of Vercel Analytics and Plausible and are not tied to an individual.

6. Third parties (sub-processors)

We rely on a small number of vendors to deliver the Service. Each one only processes the minimum data required for its function:

  • OpenRouter is the routing layer through which the AI pipeline reaches the underlying model providers. OCR text and intake answers are sent through OpenRouter to the providers below in order to generate the draft appeal letter and supporting analyses.
  • Google (a Gemini Flash model, accessed via OpenRouter) is the default model used for the Reader and fast-path agents, as well as for primary OCR of scanned uploads.
  • Anthropic (Claude Sonnet, accessed via OpenRouter) is used as an escalation model when the primary model fails to return a parseable extraction, and may be used as a vision fallback. Per the providers' published API policies, API inputs are not used to train their models by default.
  • Vercel hosts the website, the API endpoints, and the cron schedule, and provides anonymized page-view analytics.
  • Neon hosts the transient session database where session records and follow-up tokens live for the retention windows described above.
  • Plausible records anonymized, cookieless aggregate page-view counts.
  • AgentMail sends follow-up reminder emails when you have opted in.
  • Stripe would process payment if and when paid access is enabled (the Service is currently free and no payment is taken). If you ever pay, card details go directly to Stripe and never touch our infrastructure. See Section 4 (Payment information) for what data Stripe receives and what we receive back. RevenueCat may be added in the future for subscription billing and is not currently active.

We may add or change sub-processors as the Service evolves. Material changes will be reflected by an updated "Last updated" date on this page. We do not sell or rent your information to data brokers, advertisers, or any other third party.

7. HIPAA notice

7.1 Counterclaim is a consumer-facing software tool. The Operator is not a HIPAA "Covered Entity" (i.e., not a health-care provider, health plan, or health-care clearinghouse), and the Service is not provided as a HIPAA "Business Associate" of any Covered Entity. The Operator does not enter into Business Associate Agreements.

7.2 When you, as the patient, voluntarily upload your own EOB, denial letter, or medical record, you are sharing your own protected health information with a consumer service for processing on your behalf - similar to forwarding a copy to a friend or pasting it into a search engine. The HIPAA protections that bind your insurer and your physician do not extend to this Service.

7.3 You agree not to upload another person's protected health information unless you are that person's authorized representative under applicable law.

8. Children

The Service is intended for adults (18 years of age and older) and is not directed at children under thirteen (13). We do not knowingly collect personal information from children under thirteen. If you believe a child under thirteen has used the Service, please contact us at the address below and we will delete the associated session data on request.

9. Your rights

9.1 Right to deletion. Because session records auto-purge in approximately one hour, in most cases there is nothing to delete by the time you ask. If you have opted into follow-up emails, you may unsubscribe at any time via the link in any reminder email or by contacting us at the address below; that removes your email and any associated tokens from our systems.

9.2 California residents (CCPA / CPRA). California residents have the right to know what personal information we collect, to request deletion, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising or for monetary or other valuable consideration. To exercise your rights, contact us at the address below; we will respond within forty-five (45) days and will not discriminate against you for exercising your rights.

9.3 Other US states. Residents of other US states with comprehensive consumer-privacy statutes (such as Colorado, Connecticut, Virginia, Utah, Texas, and Washington) have similar rights to know, delete, and opt out of profiling that produces legal or similarly significant effects. We honor those rights through the same process described above.

9.4 GDPR. The Service is offered to US residents only and is not intentionally directed at users in the European Union, the United Kingdom, or other jurisdictions covered by the GDPR or UK GDPR. We acknowledge the GDPR data-subject framework as a matter of good practice; if you believe you have nonetheless used the Service from such a jurisdiction and would like to exercise GDPR rights, contact us and we will respond in good faith.

10. Cookies

10.1 The Service uses session cookies only where strictly necessary - for example, to maintain CSRF protection between page loads or to round-trip a Stripe checkout redirect. These cookies expire when you close your browser session or shortly thereafter.

10.2 We do not set advertising cookies, cross-site tracking cookies, social-network cookies, or persistent identifiers used for marketing.

11. Security

11.1 Data in transit between your browser and the Service is protected by HTTPS / TLS. Data at rest in our session database is encrypted by our hosting and database providers (Vercel, Neon) under their standard practices.

11.2 No system is perfectly secure. We do not warrant that the Service or any data we hold will be free from unauthorized access, loss, alteration, or disclosure. By using the Service you accept this residual risk.

12. Children's Online Privacy Protection Act (COPPA)

The Service is not directed to children under the age of thirteen, and we do not knowingly collect personal information from such children. If we become aware that a child under thirteen has provided personal information, we will delete it as soon as practicable.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by an updated "Last updated" date and, where appropriate, by additional notice on the website. Your continued use of the Service after a change is published constitutes acceptance of the updated Privacy Policy.

14. Contact

Privacy questions, deletion requests, and CCPA / state consumer-privacy requests may be sent to our tracked AgentMail inbox at counterclaim@agentmail.to. Please include enough detail (the approximate date and time of your session, the email address you used for follow-up emails, etc.) to allow us to identify any record that still exists.
