Privacy Policy

Effective date: April 18, 2026  ·  VeteranHQ

VeteranHQ (“VCS,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, how we protect it, and what rights you have regarding your data. This policy applies to all users of the VeteranHQ platform, including individual veteran users and law firm or attorney users, as well as our website, API, and Chrome browser extension.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and a securely hashed version of your password (using bcrypt with a work factor of 12). If you register via Google OAuth, we receive your name, email, and Google account identifier. We never store your password in plaintext or recoverable form.

1.2 Veteran Profile Information

You may voluntarily provide profile information to personalize your benefits analysis, including: branch of service, Military Occupational Specialty (MOS), current VA disability rating and individual rated conditions, service dates, state of residence, ZIP code, deployment history, number of dependents, discharge type, combat veteran status, and service component. Sensitive fields (state, ZIP code, MOS, individual ratings, deployments) are encrypted at rest using AES-256-GCM.

1.3 Chrome Extension Data

If you install and authorize our Chrome browser extension, it collects data from your VA.gov account when you are logged in to VA.gov. This includes:

  • Claims and claim details (status, phase, contentions, tracked items, documents)
  • Rated disabilities (condition name, rating percentage, diagnostic code, effective date)
  • Appeals (issues, events, decisions, alerts)
  • Compensation payment history (date, amount, type)
  • Service history and periods of service
  • Intent to File (ITF) records
  • Benefit letter eligibility
  • VA debts
  • Declared dependents
  • eFolder document metadata (document titles and dates, not document contents)

The extension accesses this data using your existing VA.gov session. It does not capture, transmit, or store your VA.gov username or password. The extension synchronizes data approximately every 5 minutes while VA.gov is open and on certain navigation events. The extension requires browser permissions for storage, tabs, web requests, cookies, and scripting on VA.gov and VeteranHQ domains.

1.4 Uploaded Documents

When you or your authorized attorney upload documents — such as C&P exam results, medical records, VA decision letters, discharge paperwork, or C-Files — we store the original files in encrypted cloud object storage (AWS S3) and extract text content for AI analysis. C-File content is embedded using BAA-covered AI services (AWS Bedrock) to ensure PHI remains within HIPAA-compliant infrastructure.

1.5 Chat Conversations

We retain the messages you send and receive through the VeteranHQ chat interface, including AI responses, extended thinking content, tool call results, and citations. This data is stored to provide continuity of service and allow you to reference prior conversations. You may delete individual conversations or your entire chat history at any time.

1.6 Social Security Numbers

Important Notice Regarding Social Security Numbers

Certain VA form generation features require a Social Security Number (SSN) or VA file number to produce complete form drafts. When provided, SSNs are handled with heightened security controls:

  • SSNs are transmitted exclusively over encrypted connections (TLS 1.3).
  • SSNs are injected server-side during PDF generation only and are never included in AI tool call results, chat responses, or client-facing card UIs.
  • SSNs are never logged, cached, or stored in plaintext outside of the encrypted veteran profile.
  • If you do not wish to provide an SSN through the platform, you may leave the field blank and manually complete it on the generated PDF.

1.7 Payment Information

Subscription payments are processed by Stripe, Inc. VeteranHQ does not store, process, or have access to your credit card number, card expiration date, or CVV. We retain only a Stripe customer identifier and subscription status to manage your account. Stripe is PCI DSS Level 1 certified. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.

1.8 Usage Data & Analytics

We collect information about how you use VeteranHQ, including pages visited, features used, session timing, browser type, device type, and referring pages. We use Vercel Analytics and Vercel Speed Insights for web performance monitoring. This data helps us improve the platform and is used in aggregate form for product analysis.

1.9 Cookies & Tracking Technologies

VeteranHQ uses the following tracking technologies: (a) Authentication tokens (JWT access and refresh tokens) stored in your browser's localStorage to maintain your login session; (b) Vercel Analytics for privacy-friendly, aggregated web analytics (no cross-site tracking, no personal data sold); (c) Vercel Speed Insights for page performance monitoring. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies. We do not participate in ad networks or sell data to advertisers.

2. How We Use Your Information

We use the information we collect for the following purposes and no others:

  • Personalized Benefits Analysis: We use your veteran profile, uploaded documents, and VA.gov sync data to generate tailored benefits recommendations, identify potential secondary conditions, calculate estimated ratings, and surface programs you may qualify for.
  • AI-Powered Chat & Research: Your profile, documents, and conversation history are provided to AI models to generate contextual, personalized responses. Conversation history provides continuity across sessions.
  • Document Processing & Analysis: Uploaded documents are analyzed using AI tools to extract findings, identify opportunities, flag potential VA errors, and generate structured case briefings.
  • VA Form Generation: Your profile data and VA sync data are used to pre-populate VA form drafts for your review and completion.
  • Law Firm Client Services: When a veteran authorizes a law firm to access their data, we facilitate that access through scope-gated, audited, consent-tracked client relationships.
  • Service Improvement: We analyze aggregated, anonymized usage patterns and query analytics to improve the platform. Individual user data is never used in identifiable form for this purpose. We do not use your data to train third-party AI models.
  • Billing & Account Management: We use your account information to manage your subscription, process billing events, and send transactional communications about your account status.
  • Security & Fraud Prevention: We use login attempt data, IP addresses, and usage patterns to detect and prevent unauthorized access, abuse, and fraudulent activity.
  • Legal Compliance: We may use or disclose information as necessary to comply with applicable law, legal process, or enforceable government request.

3. Health Information & HIPAA Compliance

3.1 Nature of Health Information

VeteranHQ processes information that may constitute Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including veteran medical conditions, disability ratings, C&P exam results, medical records, and service-connected health data.

3.2 HIPAA Compliance Posture

VeteranHQ maintains administrative, technical, and physical safeguards consistent with the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) and the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164). Our infrastructure runs on BAA-covered Amazon Web Services (AWS), including AWS Lightsail (compute), AWS S3 (object storage), and AWS Bedrock (PHI-safe AI embeddings). A Business Associate Agreement with AWS is in effect, as is a Business Associate Agreement with Anthropic for AI model processing.

Scope of HIPAA applicability for individual veteran users (B2C): When an individual veteran uses VeteranHQ directly — without a law firm or healthcare provider intermediary — VeteranHQ is not acting as a Business Associate under HIPAA, because there is no upstream HIPAA covered entity in that data flow. In these direct-to-consumer interactions, VeteranHQ applies HIPAA Security Rule safeguards as a matter of policy, not as a legal obligation under HIPAA itself. Your information is still protected under this Privacy Policy, applicable state privacy laws (including the CCPA/CPRA for California residents), and Section 5 of the FTC Act. The safeguards we describe in this section — encryption, access controls, audit logging, breach notification — apply to all user data regardless of HIPAA applicability.

3.3 Business Associate Relationships

When VA-accredited law firms (as Covered Entities or Business Associates under HIPAA) use the VeteranHQ B2B platform to process veteran client PHI, VeteranHQ functions as a Business Associate. VeteranHQ maintains Business Associate Agreements with applicable vendors and is prepared to execute BAAs with law firm clients upon request. Law firms requiring a BAA should contact legal@veteranhq.app.

3.4 PHI Safeguards

  • Encryption at Rest: All PHI is encrypted using AES-256-GCM at the application layer (veteran profile fields, individual ratings, deployments, MOS, state, ZIP). C-File content and documents are encrypted in AWS S3 with server-side encryption.
  • Encryption in Transit: All data transmission uses TLS 1.3. Non-HTTPS connections are rejected.
  • Access Controls: Role-based access control (RBAC) with four user roles and organization-level roles. Scope-gated data filtering enforces the Minimum Necessary standard (HIPAA §164.502(b)).
  • Audit Trail: Every access to PHI is logged in an append-only audit log including actor identity, action type, resource accessed, IP address, user agent, and timestamp (HIPAA §164.312(b)).
  • Consent Tracking: Veteran consent for law firm data access is recorded with timestamp, IP address, user agent, and specific scopes granted (HIPAA §164.508).
  • Patient Rights: Veterans can view all entities with access to their data and revoke access at any time through the Settings > Privacy page (HIPAA §164.524).
  • PHI-Safe AI Processing: C-File content is embedded using AWS Bedrock Titan (BAA-covered). Non-PHI regulatory content uses separate embedding services.
  • Session Security: Authentication sessions expire after inactivity. Failed login attempts trigger exponential account lockout (5 failures: 15 minutes, 10 failures: 1 hour, 15+ failures: 24 hours).

3.5 B2B Business Associate Posture and Flow-Down Obligations

When VeteranHQ functions as a Business Associate to a VA-accredited law firm or other HIPAA covered entity or business associate (our “B2B customers”), we are subject to all obligations of a Business Associate under 45 CFR §164.504(e), including the obligation to flow down Business Associate Agreement requirements to our own subcontractors that create, receive, maintain, or transmit PHI on our behalf.

In accordance with §164.504(e)(5), VeteranHQ has executed downstream Business Associate Agreements with the subcontractors that process PHI on our behalf: Amazon Web Services, Inc. (compute, storage, and AI embedding services) and Anthropic, PBC (AI model inference via Anthropic's 1P API with Zero Data Retention). PHI is not transmitted to any service provider that is not covered by a Business Associate Agreement. Any future subcontractor that would create, receive, maintain, or transmit PHI will not be engaged until a Business Associate Agreement is fully executed.

Law firm customers who require a Business Associate Agreement with VeteranHQ should contact legal@veteranhq.app. Our downstream BAA template is available for review on request.

4. Law Firm Access to Veteran Data

When a law firm invites a veteran to connect through VeteranHQ and the veteran accepts:

  • A Client Relationship is created with specific data scopes (profile, claims, VA syncs, documents, chat) that the veteran explicitly authorized.
  • The law firm can access only the data categories within the granted scopes. Empty or ungranted scopes return no data (fail-closed).
  • All law firm access to veteran data is logged in the PHI audit trail with the accessor's identity, action, IP address, and timestamp.
  • Client Relationships expire by default after one (1) year and must be renewed (SOC 2 CC6.1 alignment).
  • The veteran retains full control and may revoke attorney access at any time through Settings > Privacy, effective immediately.
  • No veteran data is duplicated into the law firm's account. The firm reads data from the veteran's account through the authorized relationship. Revoking access severs the connection completely.

Law firms are independently responsible for their own HIPAA compliance, data handling practices, and professional obligations with respect to any data they access, download, or export from VeteranHQ.

5. Third-Party Service Providers (Sub-Processors)

We engage the following categories of third-party service providers to operate VeteranHQ. All providers are bound by contractual obligations restricting their use of your data to providing services to VeteranHQ only. For a concise compliance-posture summary including BAA dates and PHI-handling status, see the Security & Trust page.

Amazon Web Services (AWS) — Infrastructure

Compute (Lightsail), object storage (S3), and PHI-safe AI embeddings (Bedrock Titan). All services are BAA-covered. Data resides in the us-east-1 (N. Virginia) region. AWS BAA is in effect.

Anthropic — AI Chat & Analysis

Anthropic AI models power the AIDEN chat advisor, document analysis, and case briefing features. A Business Associate Agreement with Anthropic is in effect. All PHI is processed via Anthropic's 1P API with Zero Data Retention (ZDR) enabled — no prompts or outputs are stored by Anthropic. Anthropic's API does not use customer inputs for model training.

OpenAI — RAG Embeddings (Non-PHI Only)

Text embeddings for non-PHI regulatory content (38 CFR, M21-1 policy, state benefit descriptions). PHI content (C-Files, veteran-specific data) is processed through AWS Bedrock, not OpenAI.

Stripe, Inc. — Payment Processing

Subscription billing and payment processing. PCI DSS Level 1 certified. VeteranHQ never handles or stores raw payment card data. Governed by Stripe's Privacy Policy and Terms of Service.

Vercel — Frontend Hosting

Static frontend hosting and CDN. Vercel serves JavaScript, CSS, and HTML files only. No PHI passes through Vercel — all PHI flows directly between the user's browser and the VeteranHQ API on AWS. Vercel Analytics collects anonymized, aggregated performance data.

Resend — Transactional Email

Email delivery for account verification, password reset, and subscription notifications. Emails contain no PHI by design — only transactional account information (verification codes, reset links, billing status).

Sentry — Error Monitoring

Application error telemetry for debugging and reliability. Sentry receives stack traces, error messages, request IDs, and non-PHI metadata. Personally identifiable information and PHI are scrubbed server-side before transmission to Sentry via a beforeSend filter. Sentry operates under its own privacy and security program; no Business Associate Agreement is in place because no PHI is transmitted by design. Error reports are sampled at 10%.

Slack — Internal Engineering Notifications

VeteranHQ engineering uses Slack to receive operational alerts (deploys, error summaries, billing events, support pings). Messages sent to Slack are sanitized server-side to strip PHI before transmission; outbound payloads contain only user IDs, error codes, and non-PHI operational metadata. No Business Associate Agreement is in place because no PHI is transmitted. Slack is used exclusively for internal engineering, not for customer data processing.

Clio & DocuSign (Law Firm Integrations)

Optional integrations activated by law firm users. Clio: read-only sync of contacts, matters, and calendar. DocuSign: fee agreement e-signature. Data exchange occurs only when the law firm explicitly connects and authorizes the integration.

We do not sell, rent, or trade your personal information to any third party for marketing, advertising, or any purpose unrelated to providing the VeteranHQ service. We do not share your data with data brokers. We do not participate in ad networks.

6. Data Retention

We retain your data in accordance with the following schedule:

  • Active Account Data: Documents, chat messages, profile information, and VA sync data are retained for the duration of your active account. You may request deletion of specific items at any time.
  • Account Deletion: Upon account deletion, all personal data — including uploaded documents, chat history, profile information, and VA sync data — is permanently removed from our active systems within thirty (30) days.
  • Audit Logs: PHI access audit logs are retained for a minimum of six (6) years as required by HIPAA regulations (45 CFR §164.530(j)), even after account deletion. Audit logs contain only access metadata (who accessed what, when, from where) — not the underlying PHI content.
  • Query Analytics: Anonymized, aggregated query analytics are retained for ninety (90) days and then automatically purged.
  • Backups: Encrypted database backups are retained for thirty (30) days on a rolling basis and then deleted.
  • Anonymized Data: Anonymized, aggregate data that is not linked to your identity and cannot be re-identified may be retained indefinitely for service improvement and statistical analysis.

To request deletion of your data, use the account deletion feature in Settings or contact us at support@veteranhq.app.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect your data:

7.1 Technical Controls

  • All data in transit encrypted via TLS 1.3 (HTTPS enforced, HSTS enabled with preload)
  • Sensitive data at rest encrypted with AES-256-GCM at the application layer
  • Object storage (S3) encrypted with server-side encryption (SSE-S3)
  • Passwords stored using bcrypt with a work factor of 12 (never plaintext, never recoverable)
  • JWT-based authentication with short-lived access tokens and refresh token family rotation (replay detection)
  • Exponential account lockout on failed login attempts
  • Input validation on all API endpoints (Zod schema enforcement)
  • CSP, HSTS, X-Frame-Options, and other security headers enforced via Helmet
  • Rate limiting across all endpoints with per-route profiles
  • SSH key-based server access only (no password authentication)

7.2 Operational Controls

  • Role-based access control with principle of least privilege
  • Append-only audit logging of all PHI access
  • Automated health monitoring with self-healing restart on failure
  • Daily encrypted database backups to separate AWS storage
  • Structured logging with automatic redaction of sensitive fields (passwords, tokens, API keys)
  • Error monitoring with Sentry (opt-in, 10% sample rate, no PHI in error reports)

No system is 100% secure. While we implement industry-standard and HIPAA-aligned safeguards, we cannot guarantee absolute security against all threats. In the event of a security incident, we will follow our breach notification procedures (see Section 11). If you believe your account has been compromised, contact us immediately at support@veteranhq.app.

8. Your Rights

You have the following rights with respect to your personal information. These rights apply regardless of your state of residence, and we honor them for all users:

Access

You may request a copy of all personal information we hold about you, including your profile data, uploaded documents, chat history, VA sync data, and audit logs pertaining to your data.

Deletion

You may request deletion of your account and all associated personal data at any time. Deletion will be completed within 30 days, subject to audit log retention requirements.

Correction

You may update, correct, or amend your personal information at any time through your account settings, profile editor, or by contacting support.

Export

You may request a machine-readable export of your personal data (JSON format), including your profile, documents, chat history, and VA sync data.

Restriction

You may restrict processing of your data by revoking attorney access, deleting specific documents or conversations, or downgrading your account.

Revocation

If you have authorized a law firm to access your data, you may revoke that authorization at any time through Settings > Privacy, effective immediately.

Opt-Out

You may opt out of non-essential communications at any time. Transactional communications (billing, security, account) cannot be opted out of while your account is active.

Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. Exercising your rights will not result in a different price, quality, or level of service.

To exercise any of these rights, contact us at privacy@veteranhq.app. We will verify your identity and respond within thirty (30) days. If we need additional time, we will notify you of the reason and extension period (not to exceed an additional 60 days).

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), provides you with additional rights regarding your personal information.

9.1 Categories of Information Collected

In the preceding 12 months, we have collected the following categories of personal information: (A) Identifiers (name, email, account ID); (B) Personal information under Cal. Civ. Code §1798.80(e) (name, SSN if voluntarily provided for form generation); (C) Protected classification characteristics (veteran status, military branch); (D) Internet or network activity (usage data, browsing on VCS); (E) Professional information (MOS, service dates, service component); (F) Sensitive personal information (SSN, health-related information including disability ratings and medical conditions, precise geolocation via ZIP code).

9.2 We Do Not Sell or Share Your Personal Information

VeteranHQ does not sell your personal information as defined by the CCPA. VeteranHQ does not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

9.3 Your CCPA Rights

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (legal obligations, audit log retention).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information to that which is necessary to perform the services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email privacy@veteranhq.app with the subject line “CCPA Request.” We will verify your identity using your account email and respond within 45 days.

10. Additional State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with consumer privacy laws may have additional rights, including the right to access, correct, delete, and obtain a portable copy of their personal data, and the right to opt out of targeted advertising, profiling, and sale of personal data.

VeteranHQ does not engage in targeted advertising, profiling for decisions that produce legal or similarly significant effects, or sale of personal data. Accordingly, opt-out rights for these activities are not applicable.

To exercise any rights under your state's privacy law, contact privacy@veteranhq.app. If you are not satisfied with our response, you may contact your state's attorney general.

11. Data Breach Notification

In the event of a security breach that compromises the confidentiality, integrity, or availability of your personal information, VeteranHQ will:

  • Investigate promptly: We will conduct an immediate investigation to determine the scope and impact of the breach.
  • Notify affected users: We will notify affected users without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a breach of unsecured PHI, in accordance with 45 CFR §164.404. Where operationally feasible, we aim to notify within seventy-two (72) hours of confirmed discovery. Nothing in this Policy shall be construed to reduce VeteranHQ's obligations under HIPAA, state breach notification laws, or other applicable law.
  • Notify regulators: Where required by law, we will notify applicable regulatory authorities, including the HHS Secretary for HIPAA-covered breaches affecting 500 or more individuals.
  • Provide details: Breach notifications will include: a description of the incident, the types of information involved, the steps we are taking to address the breach, and recommended actions you can take to protect yourself.
  • Remediate: We will take all reasonable steps to contain the breach, prevent recurrence, and mitigate harm to affected individuals.

If you believe your data has been compromised, contact us immediately at security@veteranhq.app.

12. International Users

VeteranHQ is operated from the United States and is intended primarily for users located in the United States. If you access VeteranHQ from outside the United States (including military personnel stationed overseas), your data will be transferred to and processed in the United States.

By using VeteranHQ, you consent to the transfer of your data to the United States. The United States may not provide the same level of data protection as your home jurisdiction. We apply the same security safeguards described in this policy to all user data regardless of the user's location.

VeteranHQ does not specifically target users in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a specific legal basis for processing under GDPR or equivalent legislation. If you believe you have rights under such legislation and wish to exercise them, contact privacy@veteranhq.app.

13. Children's Privacy

VeteranHQ is intended for adults aged 18 and older. We do not knowingly collect, solicit, or maintain personal information from anyone under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@veteranhq.app and we will promptly delete it.

14. Do Not Track Signals

Some browsers transmit “Do Not Track” (DNT) signals. As there is no industry-standard protocol for DNT signals, VeteranHQ does not currently respond to DNT signals. However, as described in Section 1.9, we do not engage in cross-site tracking, third-party advertising tracking, or retargeting, and we do not sell personal information to third parties.

15. AI-Specific Data Practices

VeteranHQ uses third-party AI models to power chat responses, document analysis, and case briefings. The following practices govern AI data handling:

  • No Training on Your Data: Your data (chat messages, documents, profiles) is not used to train, fine-tune, or improve third-party AI models. Our AI provider's API usage terms prohibit the use of API inputs and outputs for model training.
  • Prompt Caching: VeteranHQ uses AI prompt caching to improve response speed and reduce cost. Cached prompts contain your veteran profile context (encrypted in transit) and are ephemeral — they exist only within your active session.
  • AI Outputs: AI-generated outputs (analyses, recommendations, form drafts, case briefings) are stored as part of your chat history and are subject to the same retention, encryption, and deletion policies as all other user data.
  • Human Review: VeteranHQ may review anonymized, aggregated conversation patterns (with no individually identifiable information) to improve the quality of AI responses. We never review individual conversations except at your request (e.g., for a support ticket) or as required by law.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will: (a) update the effective date at the top of this page; (b) notify you via email at least thirty (30) days before the changes take effect; and (c) where required by law, obtain your consent before implementing changes that materially affect the processing of your data. Your continued use of VeteranHQ after the effective date of an updated Privacy Policy constitutes your acceptance of the changes. If you do not agree, you must stop using the service and may request deletion of your data.

17. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or how we handle your data, please contact us:

VeteranHQ, a product of Silicon Vanguard LLC

2108 N St Ste N
Sacramento, California 95816
United States

General Support: support@veteranhq.app

Privacy Requests: privacy@veteranhq.app

Security Issues: security@veteranhq.app

Legal & BAA Requests: legal@veteranhq.app