Privacy Policy

1. Information We Collect

Account information: name, email address, password (hashed and salted — we never store your actual password). Service data: conditions, ratings, claims, and documents you choose to upload. Usage data: anonymous analytics (page views, feature usage). We do NOT store on our servers: Social Security Numbers, financial information, or biometric data.

SSN handling (Submit-to-VA only): When you use the direct Submit-to-VA feature, VA Benefits Intake requires a 9-digit fileNumber (SSN or BIRL) per VA spec. You enter your SSN once in your browser at Step 6 of your claim journey. It is encrypted on your device using AES-256-GCM with a key derived from your account password (PBKDF2-SHA256) and stored only as ciphertext in our database for cross-device sync. The decryption key never leaves your device, and Vet100 never stores or sees your SSN in plaintext. At Submit-to-VA click, the plaintext SSN is included in the multipart payload to VA Benefits Intake and discarded server-side after transmission.

2. How We Store Your Data

On your device: Health-related entries you make in the platform (conditions, ratings, claims, C&P prep answers) are stored locally in your browser localStorage. They are also synced (client-encrypted) to your account row in Supabase so they survive device switches — see "Cross-device sync" below.

In our infrastructure: Documents you upload are stored in encrypted AWS S3 under our executed AWS Business Associate Addendum (BAA), with AES-256 server-side encryption. Each veteran's documents are isolated per-row — no other user or organization can access them unless you explicitly toggle sharing.

When you use AI features (Records Analyzer, DBQ Decoder, nexus letter drafting, personal statement assistance): The text content of the document or prompt you feed to the AI tool is transmitted to AWS Bedrock for processing by Anthropic's Claude (Sonnet family) under the AWS HIPAA BAA. The transmission is encrypted in transit (TLS) and the request is not retained after processing and is not used to train models — but it is processed off-device. The document blob itself remains in AWS S3; only extracted text or your typed prompt is sent to Bedrock.

Cross-device sync: When you sign in with a password, conditions / claims / handoff packet info are AES-GCM encrypted on your device with a key derived from your account password, then synced to the users.encrypted_data column in Supabase. The server stores only ciphertext — your password (and therefore the decryption key) never leaves your device.

3. How We Use Your Data

To provide the VET100 service: rating calculations, document management, VSO coordination, claim tracking, and AI-assisted tools (nexus letter drafting, records analysis, C&P exam preparation). To improve the platform based on anonymous usage patterns. To send transactional emails (account verification, VSO notifications, ITF reminders). We NEVER use your data for advertising, marketing profiling, or sale to third parties.

4. Data Sharing & Subprocessors

With your VSO: Only when you explicitly toggle "Share" on a document or push a packet. Your VSO can only view — not download — shared documents unless you grant download permission. With the VA: Only through VA Lighthouse APIs when you explicitly authorize the connection. With third parties: We do not sell, rent, or share veteran data with any third party for marketing or advertising purposes.

Subprocessors: VET100 uses the following third-party services to operate the platform. All are US-based:

• Supabase — Database and authentication. Stores account profiles, messages, and packets. US region. Privacy Policy.
• Amazon Web Services (AWS) — Document storage via S3. All veteran-uploaded documents are stored in encrypted S3 buckets under executed AWS Business Associate Addendum (BAA). US East region. Privacy Policy.
• Vercel — Hosting and serverless functions. Serves the web application and API endpoints. No veteran health data stored. US region. Privacy Policy.
• Stripe — Payment processing for paying VSO customers only. Retains payment records per their retention policy. Free veteran accounts have no Stripe data. US. Privacy Policy.
• AWS Bedrock (Claude AI) — Vet100 uses Anthropic's Claude AI (Sonnet family) via AWS Bedrock for analysis features including DBQ decoding, nexus letter generation, personal statement assistance, and medical records review. AI requests are processed through AWS Bedrock under executed AWS Business Associate Addendum. Data submitted is not retained after processing and is not used to train models. US. AWS Privacy Policy · Anthropic Privacy Policy.
• Resend — Transactional email delivery for account verification, ITF reminders, breach notifications, and VSO notifications. US. Privacy Policy.
• Apple — iOS app distribution via the App Store. Apple processes app downloads and updates. VET100 does not share veteran data with Apple beyond standard app analytics. US. Privacy Policy.

Why only AWS has a BAA: Under HIPAA, a Business Associate Addendum is required from a subprocessor only if Protected Health Information (PHI) actually flows through that subprocessor. Vet100 was architected so PHI flows exclusively through AWS — both medical-record documents (S3) and AI-assisted analysis (Bedrock) — and is covered by the executed AWS BAA. The other subprocessors do not handle PHI under the current data flow: Supabase stores only account profile data (non-PHI PII) plus opaque ciphertext that Vet100's servers cannot decrypt (health entries are AES-256-GCM encrypted client-side with a key derived from your account password); Vercel proxies API requests in-memory and writes no PHI to logs or persistent storage; Resend sends only account notifications (sign-in, password reset, claim-submission acknowledgement, MOU updates) whose bodies are screened to contain no diagnosis, condition, or treatment content. Reference: HHS Business Associate guidance.

5. VA API Data

When you connect to VA.gov through VET100, we exchange data with the VA Lighthouse API platform. This includes claim status queries, document submissions, and veteran verification. Most VA-exchanged data is processed in transit and displayed in your dashboard without being stored. You can disconnect from VA.gov at any time through your account settings.

What we retain about your VA submissions: When you use the Submit-to-VA feature, we retain a minimal audit trail in our claim_submissions table — specifically the VA-issued tracking ID (va_guid), the current submission state (va_status, polled from VA), and a packet snapshot for our audit trail per 38 U.S.C. §5901 record-keeping requirements. We do not retain any decision letters, medical records returned by VA, or VA-side claim narratives.

VA OAuth tokens — encrypted at rest: Your VA Lighthouse access and refresh tokens are encrypted at rest using AES-256-GCM with a Vet100-controlled encryption key (separate from your account password). Tokens are stored only on the server, never returned to your browser, and decrypted in-memory only at the moment of an authorized VA API call. A database dump or service-role key compromise cannot recover these tokens without the encryption key, which is held in our hosting provider's secure environment-variable store.

6. Data Retention

Active accounts: Your data is retained while your account is active.

Dormant accounts: If you have not logged in for 24 months, we will send a reactivation notice to your email on file. If we receive no response within 60 days of that notice, your account and all associated data will be deleted. Note: Vet100 launched in March 2026. The 24-month dormant account cleanup process is scheduled to activate in March 2028. Implementation will be completed before the first accounts reach the 24-month threshold.

Third-party processors and their retention:

• Supabase (authentication and database): Data retained while your account is active. Deleted when you delete your account. Supabase Privacy Policy.
• AWS S3 (document storage): Documents retained while your account is active. Permanently deleted when you delete your account. Covered by signed HIPAA BAA. AWS Privacy Policy.
• Stripe (payment processing — applies ONLY to paying VSO customers): Stripe retains payment records for at least 5 years from the end of the business relationship or the date of the last transaction, whichever is later, per Stripe's retention policy and applicable financial regulations. This is a legal obligation that applies to all businesses. Payment records contain transaction history, amounts, billing details, and last 4 digits of card only — no claim data or health information. Free veteran accounts have no Stripe data. Stripe Privacy Policy.
• Resend (email delivery): Email delivery logs retained 30–90 days per Resend's policy. Resend Privacy Policy.
• AWS Bedrock / Claude AI (AI processing — Claude Sonnet family): AI prompts are processed via AWS Bedrock in real time and not retained after the request completes. Data is not used to train models. Covered under AWS HIPAA BAA. AWS Privacy Policy · Anthropic Privacy Policy.
• Vercel (hosting): Static assets and serverless function logs. No veteran health data is stored in Vercel infrastructure. Vercel Privacy Policy.

Commitment: Veteran claim data, health information, and personal data are never sold to third parties for marketing, advertising, or any non-service purpose — regardless of account status.

7. Data Security

All data in transit is encrypted using HTTPS/TLS. AWS S3 uses AES-256 server-side encryption at rest under an executed AWS Business Associate Addendum. Account passwords are hashed using bcrypt by Supabase Auth (we never see or store your plaintext password). Health entries (conditions, ratings, claim notes, C&P prep, SSN) are encrypted client-side using AES-256-GCM with a key derived from your account password via PBKDF2-SHA256 — the encryption key never leaves your device, and Vet100's servers store only opaque ciphertext they cannot decrypt. VA OAuth tokens are AES-256-GCM encrypted at rest with a Vet100-controlled key. API keys and credentials are stored as encrypted environment variables on Vercel — never in client-side code. Row-level security (RLS) is enabled on all database tables. A BEFORE UPDATE trigger blocks role escalation and identity tampering at the database layer. Every privileged action writes to a SHA-256 hash-chained audit_logs table — retroactive tampering breaks the chain and is detectable. Document access enforces authenticated-only ownership checks via signed URLs. Security controls are aligned with NIST 800-53 framework.

8. Insurance & Business Identity

VET100 LLC carries the following coverage that backs our data-handling and AI-assistance services:

• General Liability: $1,000,000 occurrence / $2,000,000 aggregate (Next Insurance).
• Technology Errors & Omissions + Cyber Liability: $1,000,000 (Embroker / Everspan, policy EM3EII-AX-007300-01, in force through 05/24/2027). Includes an AI Coverage Endorsement covering AI-assisted output (drafts, analyses, recommendations).

Business identity: VET100 LLC, Mississippi Veteran-Owned Small Business (VOSB), UEI RZW7AS72SV17, CAGE 1Z2U4. Patent pending for the One-Tap Intake workflow.

9. Compliance Roadmap

Third-party HIPAA audit (SOC 2 Type II with HIPAA mapping or HITRUST CSF) on roadmap for completion under first paid engagement, per standard SaaS audit observation requirements.

10. Your Rights

Access: You can view all your data at any time through the platform. Export: You can download a complete copy of all your data (JSON or PDF) using the "Download My Data" feature in Settings → Your Data. Delete: You can delete your account and all associated data using the "Delete My Account" feature in Settings → Danger Zone, or by emailing randy@vet100.net. Portability: Your data export includes all server-stored data plus signed download links for uploaded documents.

11. Your Right to Delete Your Data

You have the right to request deletion of all your data at any time. Two methods are available:

• In-app: Go to Settings → Danger Zone → Delete My Account. This is a three-step confirmation process requiring you to type "DELETE," confirm you understand the action is permanent, and re-enter your password.
• Email: Send a request to randy@vet100.net with the subject line "Data Deletion Request."

Timeline: Deletion will be completed within 45 days of your request. Deletion requests are processed through a combination of automated and operator-initiated steps. Vet100 monitors the deletion queue daily and executes pending deletions. A fully automated nightly process is scheduled to replace the current workflow upon platform upgrade to a production hosting tier.

Grace period: You have 7 days after requesting deletion to cancel by emailing randy@vet100.net. After 7 days, deletion cannot be reversed.

We encourage you to use "Download My Data" (Settings → Your Data) before requesting deletion to keep a personal copy of your records.

What is deleted: All claim data, uploaded documents (including files from storage), messages with VSOs, intake packets, appointment records, VSO claim notes about your case, enrollment records, and your account profile.

What is retained:

• Anonymized security audit logs (your user ID is removed, but the event record is preserved for security purposes).
• Stripe payment records for paying customers only — retained per financial regulations. These contain payment information only, not claim or health data.
• Data subject to a lawful preservation request (subpoena, court order). If such a hold exists, deletion may be delayed until the hold is lifted. You will be notified unless legally prohibited.

12. Data Breach Notification

In the event of a data breach that affects your personal information, VET100 will notify you without unreasonable delay after discovery. Notification will include:

• What data was affected
• When the breach was discovered
• What steps VET100 is taking to address the breach and prevent recurrence
• What steps you can take to protect yourself

Delivery: Notification will be sent via email to the address on your account AND through an in-app banner visible on your dashboard upon login.

Contact: For questions about any security incident, email randy@vet100.net.

13. Business Transfer, Merger, or Dissolution

In the event that VET100 LLC is acquired, merged with another entity, or dissolved, we commit to the following protections:

• Data portability: You may securely download, export, or transmit your health information at any time using the "Download My Data" feature in Settings.
• Successor obligations: Any successor entity will be contractually required to maintain privacy and data handling commitments consistent with or stronger than VET100's current policies.
• Right to delete before transfer: You may close your account and request deletion of all your data prior to any transfer using the "Delete My Account" feature in Settings.
• Advance notice: VET100 will provide a minimum of 30 days advance notice of any transfer, merger, acquisition, or dissolution — delivered by email to your address on file and by in-app banner.

14. Children's Privacy

VET100 is intended for use by veterans, their families, and VSO professionals. We do not knowingly collect information from children under 13. If we learn we have collected data from a child under 13, we will delete it promptly.

15. Cookies and Tracking

VET100 uses localStorage (not cookies) for your preferences and Supabase session data. We do not use tracking cookies, advertising pixels, or third-party analytics trackers. The service worker caches static assets for offline functionality only.

One exception — VA OAuth session cookie: When you click "Connect VA" to authorize VA.gov access, we set a short-lived HttpOnly Secure SameSite=Lax cookie named va_oauth_sid (path /api, Max-Age 15 minutes). This cookie carries only an opaque session identifier — it does not contain any personal data and is never accessible to JavaScript. The cookie is consumed when you return from the VA OAuth flow and is cleared automatically; it is not a tracking cookie and is not used for analytics.

16. Changes to This Policy

We may update this privacy policy at any time. Changes will be communicated through the platform's announcement system and by in-app banner. Continued use after changes constitutes acceptance. Material changes affecting your data handling rights will include at least 30 days advance notice.

17. Contact

For privacy questions, data requests, or to report a concern, contact: randy@vet100.net. VET100 LLC, Houston, MS.