Privacy Policy
Effective date: March 23, 2026 · Veteran Claim Services
Veteran Claim Services (“VCS,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, how we protect it, and what rights you have regarding your data. This policy applies to all users of the VCS platform, including individual veteran users and law firm or attorney users, as well as our website, API, and Chrome browser extension.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, and a securely hashed version of your password (using bcrypt with a work factor of 12). If you register via Google OAuth, we receive your name, email, and Google account identifier. We never store your password in plaintext or recoverable form.
1.2 Veteran Profile Information
You may voluntarily provide profile information to personalize your benefits analysis, including: branch of service, Military Occupational Specialty (MOS), current VA disability rating and individual rated conditions, service dates, state of residence, ZIP code, deployment history, number of dependents, discharge type, combat veteran status, and service component. Sensitive fields (state, ZIP code, MOS, individual ratings, deployments) are encrypted at rest using AES-256-GCM.
1.3 Chrome Extension Data
If you install and authorize our Chrome browser extension, it collects data from your VA.gov account when you are logged in to VA.gov. This includes:
- Claims and claim details (status, phase, contentions, tracked items, documents)
- Rated disabilities (condition name, rating percentage, diagnostic code, effective date)
- Appeals (issues, events, decisions, alerts)
- Compensation payment history (date, amount, type)
- Service history and periods of service
- Intent to File (ITF) records
- Benefit letter eligibility
- VA debts
- Declared dependents
- eFolder document metadata (document titles and dates, not document contents)
The extension accesses this data using your existing VA.gov session. It does not capture, transmit, or store your VA.gov username or password. The extension synchronizes data approximately every 5 minutes while VA.gov is open and on certain navigation events. The extension requires browser permissions for storage, tabs, web requests, cookies, and scripting on VA.gov and VCS domains.
1.4 Uploaded Documents
When you or your authorized attorney upload documents — such as C&P exam results, medical records, VA decision letters, discharge paperwork, or C-Files — we store the original files in encrypted cloud object storage (AWS S3) and extract text content for AI analysis. C-File content is embedded using BAA-covered AI services (AWS Bedrock) to ensure PHI remains within HIPAA-compliant infrastructure.
1.5 Chat Conversations
We retain the messages you send and receive through the VCS chat interface, including AI responses, extended thinking content, tool call results, and citations. This data is stored to provide continuity of service and allow you to reference prior conversations. You may delete individual conversations or your entire chat history at any time.
1.6 Social Security Numbers
Important Notice Regarding Social Security Numbers
Certain VA form generation features require a Social Security Number (SSN) or VA file number to produce complete form drafts. When provided, SSNs are handled with heightened security controls:
- SSNs are transmitted exclusively over encrypted connections (TLS 1.3).
- SSNs are injected server-side during PDF generation only and are never included in AI tool call results, chat responses, or client-facing card UIs.
- SSNs are never logged, cached, or stored in plaintext outside of the encrypted veteran profile.
- If you do not wish to provide an SSN through the platform, you may leave the field blank and manually complete it on the generated PDF.
1.7 Payment Information
Subscription payments are processed by Stripe, Inc. VCS does not store, process, or have access to your credit card number, card expiration date, or CVV. We retain only a Stripe customer identifier and subscription status to manage your account. Stripe is PCI DSS Level 1 certified. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.
1.8 Usage Data & Analytics
We collect information about how you use VCS, including pages visited, features used, session timing, browser type, device type, and referring pages. We use Vercel Analytics and Vercel Speed Insights for web performance monitoring. This data helps us improve the platform and is used in aggregate form for product analysis.
1.9 Cookies & Tracking Technologies
VCS uses the following tracking technologies: (a) Authentication tokens (JWT access and refresh tokens) kept in your browser's localStorage, not in cookies, to maintain your login session; (b) Vercel Analytics for privacy-friendly, aggregated web analytics (no cross-site tracking, no personal data sold); (c) Vercel Speed Insights for page performance monitoring. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies. We do not participate in ad networks or sell data to advertisers.
2. How We Use Your Information
We use the information we collect for the following purposes and no others:
- Personalized Benefits Analysis: We use your veteran profile, uploaded documents, and VA.gov sync data to generate tailored benefits recommendations, identify potential secondary conditions, calculate estimated ratings, and surface programs you may qualify for.
- AI-Powered Chat & Research: Your profile, documents, and conversation history are provided to AI models to generate contextual, personalized responses. Conversation history provides continuity across sessions.
- Document Processing & Analysis: Uploaded documents are analyzed using AI tools to extract findings, identify opportunities, flag potential VA errors, and generate structured case briefings.
- VA Form Generation: Your profile data and VA sync data are used to pre-populate VA form drafts for your review and completion.
- Law Firm Client Services: When a veteran authorizes a law firm to access their data, we facilitate that access through scope-gated, audited, consent-tracked client relationships.
- Service Improvement: We analyze aggregated, anonymized usage patterns and query analytics to improve the platform. Individual user data is never used in identifiable form for this purpose. We do not use your data to train third-party AI models.
- Billing & Account Management: We use your account information to manage your subscription, process billing events, and send transactional communications about your account status.
- Security & Fraud Prevention: We use login attempt data, IP addresses, and usage patterns to detect and prevent unauthorized access, abuse, and fraudulent activity.
- Legal Compliance: We may use or disclose information as necessary to comply with applicable law, legal process, or enforceable government request.
3. Health Information & HIPAA Compliance
3.1 Nature of Health Information
VCS processes information that may constitute Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including veteran medical conditions, disability ratings, C&P exam results, medical records, and service-connected health data.
3.2 HIPAA Compliance Posture
VCS maintains administrative, technical, and physical safeguards consistent with the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) and the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164). Our infrastructure runs on BAA-covered Amazon Web Services (AWS), including AWS Lightsail (compute), AWS S3 (object storage), and AWS Bedrock (PHI-safe AI embeddings). A Business Associate Agreement with AWS is in effect.
3.3 Business Associate Relationships
When VA-accredited law firms (as Covered Entities or Business Associates under HIPAA) use the VCS B2B platform to process veteran client PHI, VCS functions as a Business Associate. VCS maintains Business Associate Agreements with applicable vendors and is prepared to execute BAAs with law firm clients upon request. Law firms requiring a BAA should contact legal@veteranhq.app.
3.4 PHI Safeguards
- Encryption at Rest: All PHI is encrypted using AES-256-GCM at the application layer (veteran profile fields, individual ratings, deployments, MOS, state, ZIP). C-File content and documents are encrypted in AWS S3 with server-side encryption.
- Encryption in Transit: All data transmission uses TLS 1.3. Non-HTTPS connections are rejected.
- Access Controls: Role-based access control (RBAC) with four user roles and organization-level roles. Scope-gated data filtering enforces the Minimum Necessary standard (HIPAA §164.502(b)).
- Audit Trail: Every access to PHI is logged in an append-only audit log including actor identity, action type, resource accessed, IP address, user agent, and timestamp (HIPAA §164.312(b)).
- Consent Tracking: Veteran consent for law firm data access is recorded with timestamp, IP address, user agent, and specific scopes granted (HIPAA §164.508).
- Patient Rights: Veterans can view all entities with access to their data and revoke access at any time through the Settings > Privacy page (HIPAA §164.524).
- PHI-Safe AI Processing: C-File content is embedded using AWS Bedrock Titan (BAA-covered). Non-PHI regulatory content uses separate embedding services.
- Session Security: Authentication sessions expire after inactivity. Repeated failed login attempts trigger an escalating account lockout (5 failures: 15 minutes; 10 failures: 1 hour; 15 or more failures: 24 hours).
4. Law Firm Access to Veteran Data
When a law firm invites a veteran to connect through VCS and the veteran accepts:
- A Client Relationship is created with specific data scopes (profile, claims, VA syncs, documents, chat) that the veteran explicitly authorized.
- The law firm can access only the data categories within the granted scopes. Empty or ungranted scopes return no data (fail-closed).
- All law firm access to veteran data is logged in the PHI audit trail with the accessor's identity, action, IP address, and timestamp.
- Client Relationships expire by default after one (1) year and must be renewed (SOC 2 CC6.1 alignment).
- The veteran retains full control and may revoke attorney access at any time through Settings > Privacy, effective immediately.
- No veteran data is duplicated into the law firm's account. The firm reads data from the veteran's account through the authorized relationship. Revoking access severs the connection completely.
Law firms are independently responsible for their own HIPAA compliance, data handling practices, and professional obligations with respect to any data they access, download, or export from VCS.
5. Third-Party Service Providers (Sub-Processors)
We engage the following categories of third-party service providers to operate VCS. All providers are bound by contractual obligations restricting their use of your data to providing services to VCS only.
- Amazon Web Services (AWS): Compute (Lightsail), object storage (S3), and PHI-safe AI embeddings (Bedrock Titan). All services are BAA-covered. Data resides in the us-east-1 (N. Virginia) region. AWS BAA is in effect.
- Anthropic: Anthropic AI models power the AIDEN chat advisor, document analysis, and case briefing features. Anthropic's API does not use customer inputs for model training. Anthropic maintains its own data processing commitments.
- OpenAI: Text embeddings for non-PHI regulatory content (38 CFR, M21-1 policy, state benefit descriptions). PHI content (C-Files, veteran-specific data) is processed through AWS Bedrock, not OpenAI.
- Stripe: Subscription billing and payment processing. PCI DSS Level 1 certified. VCS never handles or stores raw payment card data. Governed by Stripe's Privacy Policy and Terms of Service.
- Vercel: Static frontend hosting and CDN. Vercel serves JavaScript, CSS, and HTML files only. No PHI passes through Vercel; all PHI flows directly between the user's browser and the VCS API on AWS. Vercel Analytics collects anonymized, aggregated performance data.
- Email delivery provider: Email delivery for account verification, password reset, and subscription notifications. Emails contain no PHI by design, only transactional account information (verification codes, reset links, billing status).
- Law firm integrations (Clio, DocuSign): Optional integrations activated by law firm users. Clio: read-only sync of contacts, matters, and calendar. DocuSign: fee agreement e-signature. Data exchange occurs only when the law firm explicitly connects and authorizes the integration.
We do not sell, rent, or trade your personal information to any third party for marketing, advertising, or any purpose unrelated to providing the VCS service. We do not share your data with data brokers. We do not participate in ad networks.
6. Data Retention
We retain your data in accordance with the following schedule:
- Active Account Data: Documents, chat messages, profile information, and VA sync data are retained for the duration of your active account. You may request deletion of specific items at any time.
- Account Deletion: Upon account deletion, all personal data — including uploaded documents, chat history, profile information, and VA sync data — is permanently removed from our active systems within thirty (30) days.
- Audit Logs: PHI access audit logs are retained for a minimum of six (6) years as required by HIPAA regulations (45 CFR §164.530(j)), even after account deletion. Audit logs contain only access metadata (who accessed what, when, from where) — not the underlying PHI content.
- Query Analytics: Anonymized, aggregated query analytics are retained for ninety (90) days and then automatically purged.
- Backups: Encrypted database backups are retained for thirty (30) days on a rolling basis and then deleted.
- Anonymized Data: Anonymized, aggregate data that is not linked to your identity and cannot be re-identified may be retained indefinitely for service improvement and statistical analysis.
To request deletion of your data, use the account deletion feature in Settings or contact us at support@veteranhq.app.
7. Data Security
We implement administrative, technical, and physical safeguards designed to protect your data:
7.1 Technical Controls
- All data in transit encrypted via TLS 1.3 (HTTPS enforced, HSTS enabled with preload)
- Sensitive data at rest encrypted with AES-256-GCM at the application layer
- Object storage (S3) encrypted with server-side encryption (SSE-S3)
- Passwords stored using bcrypt with a work factor of 12 (never plaintext, never recoverable)
- JWT-based authentication with short-lived access tokens and refresh token family rotation (replay detection)
- Escalating account lockout on repeated failed login attempts (schedule in Section 3.4)
- Input validation on all API endpoints (Zod schema enforcement)
- CSP, HSTS, X-Frame-Options, and other security headers enforced via Helmet
- Rate limiting across all endpoints with per-route profiles
- SSH key-based server access only (no password authentication)
7.2 Operational Controls
- Role-based access control with principle of least privilege
- Append-only audit logging of all PHI access
- Automated health monitoring with self-healing restart on failure
- Daily encrypted database backups to separate AWS storage
- Structured logging with automatic redaction of sensitive fields (passwords, tokens, API keys)
- Error monitoring with Sentry (opt-in, 10% sample rate, no PHI in error reports)
No system is 100% secure. While we implement industry-standard and HIPAA-aligned safeguards, we cannot guarantee absolute security against all threats. In the event of a security incident, we will follow our breach notification procedures (see Section 11). If you believe your account has been compromised, contact us immediately at support@veteranhq.app.
8. Your Rights
You have the following rights with respect to your personal information. These rights apply regardless of your state of residence, and we honor them for all users:
- Access: You may request a copy of all personal information we hold about you, including your profile data, uploaded documents, chat history, VA sync data, and audit logs pertaining to your data.
- Deletion: You may request deletion of your account and all associated personal data at any time. Deletion will be completed within 30 days, subject to audit log retention requirements.
- Correction: You may update, correct, or amend your personal information at any time through your account settings, profile editor, or by contacting support.
- Portability: You may request a machine-readable export of your personal data (JSON format), including your profile, documents, chat history, and VA sync data.
- Restriction of Processing: You may restrict processing of your data by revoking attorney access, deleting specific documents or conversations, or downgrading your account.
- Revocation of Attorney Access: If you have authorized a law firm to access your data, you may revoke that authorization at any time through Settings > Privacy, effective immediately.
- Communication Preferences: You may opt out of non-essential communications at any time. Transactional communications (billing, security, account) cannot be opted out of while your account is active.
- Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. Exercising your rights will not result in a different price, quality, or level of service.
To exercise any of these rights, contact us at privacy@veteranhq.app. We will verify your identity and respond within thirty (30) days. If we need additional time, we will notify you of the reason and extension period (not to exceed an additional 60 days).
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), provides you with additional rights regarding your personal information.
9.1 Categories of Information Collected
In the preceding 12 months, we have collected the following categories of personal information: (A) Identifiers (name, email, account ID); (B) Personal information under Cal. Civ. Code §1798.80(e) (name, SSN if voluntarily provided for form generation); (C) Protected classification characteristics (veteran status, military branch); (D) Internet or network activity (usage data, browsing on VCS); (E) Professional information (MOS, service dates, service component); (F) Sensitive personal information (SSN, health-related information including disability ratings and medical conditions, precise geolocation via ZIP code).
9.2 We Do Not Sell or Share Your Personal Information
VCS does not sell your personal information as defined by the CCPA. VCS does not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
9.3 Your CCPA Rights
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (legal obligations, audit log retention).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information to that which is necessary to perform the services.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, email privacy@veteranhq.app with the subject line “CCPA Request.” We will verify your identity using your account email and respond within 45 days.
10. Additional State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with consumer privacy laws may have additional rights, including the right to access, correct, delete, and obtain a portable copy of their personal data, and the right to opt out of targeted advertising, profiling, and sale of personal data.
VCS does not engage in targeted advertising, profiling for decisions that produce legal or similarly significant effects, or sale of personal data. Accordingly, opt-out rights for these activities are not applicable.
To exercise any rights under your state's privacy law, contact privacy@veteranhq.app. If you are not satisfied with our response, you may contact your state's attorney general.
11. Data Breach Notification
In the event of a security breach that compromises the confidentiality, integrity, or availability of your personal information, VCS will:
- Investigate promptly: We will conduct an immediate investigation to determine the scope and impact of the breach.
- Notify affected users: We will notify affected users via email within seventy-two (72) hours of confirming that a breach has occurred, or as otherwise required by applicable law (including HIPAA breach notification requirements under 45 CFR §§164.404–164.410, which may require notification within 60 days of discovery).
- Notify regulators: Where required by law, we will notify applicable regulatory authorities. For HIPAA-covered breaches this includes the HHS Secretary: without unreasonable delay and no later than 60 days after discovery for breaches affecting 500 or more individuals, and through the annual breach log for smaller breaches (45 CFR §164.408).
- Provide details: Breach notifications will include: a description of the incident, the types of information involved, the steps we are taking to address the breach, and recommended actions you can take to protect yourself.
- Remediate: We will take all reasonable steps to contain the breach, prevent recurrence, and mitigate harm to affected individuals.
If you believe your data has been compromised, contact us immediately at security@veteranhq.app.
12. International Users
VCS is operated from the United States and is intended primarily for users located in the United States. If you access VCS from outside the United States (including military personnel stationed overseas), your data will be transferred to and processed in the United States.
By using VCS, you consent to the transfer of your data to the United States. The United States may not provide the same level of data protection as your home jurisdiction. We apply the same security safeguards described in this policy to all user data regardless of the user's location.
VCS does not specifically target users in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a specific legal basis for processing under GDPR or equivalent legislation. If you believe you have rights under such legislation and wish to exercise them, contact privacy@veteranhq.app.
13. Children's Privacy
VCS is intended for adults aged 18 and older. We do not knowingly collect, solicit, or maintain personal information from anyone under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@veteranhq.app and we will promptly delete it.
14. Do Not Track Signals
Some browsers transmit “Do Not Track” (DNT) signals. As there is no industry-standard protocol for DNT signals, VCS does not currently respond to DNT signals. However, as described in Section 1.9, we do not engage in cross-site tracking, third-party advertising tracking, or retargeting, and we do not sell personal information to third parties.
15. AI-Specific Data Practices
VCS uses third-party AI models to power chat responses, document analysis, and case briefings. The following practices govern AI data handling:
- No Training on Your Data: Your data (chat messages, documents, profiles) is not used to train, fine-tune, or improve third-party AI models. Our AI provider's API usage terms prohibit the use of API inputs and outputs for model training.
- Prompt Caching: VCS uses AI prompt caching to improve response speed and reduce cost. Cached prompts contain your veteran profile context (encrypted in transit) and are ephemeral — they exist only within your active session.
- AI Outputs: AI-generated outputs (analyses, recommendations, form drafts, case briefings) are stored as part of your chat history and are subject to the same retention, encryption, and deletion policies as all other user data.
- Human Review: VCS may review anonymized, aggregated conversation patterns (with no individually identifiable information) to improve the quality of AI responses. We never review individual conversations except at your request (e.g., for a support ticket) or as required by law.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will: (a) update the effective date at the top of this page; (b) notify you via email at least thirty (30) days before the changes take effect; and (c) where required by law, obtain your consent before implementing changes that materially affect the processing of your data. Your continued use of VCS after the effective date of an updated Privacy Policy constitutes your acceptance of the changes. If you do not agree, you must stop using the service and may request deletion of your data.
17. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or how we handle your data, please contact us:
Veteran Claim Services
General Support: support@veteranhq.app
Privacy Requests: privacy@veteranhq.app
Security Issues: security@veteranhq.app
Legal & BAA Requests: legal@veteranhq.app