Privacy Policy
1. Information We Collect
Account information: name, email address, password (hashed and salted; we never store your actual password). Service data: conditions, ratings, claims, and documents you choose to upload. Usage data: anonymous analytics (page views, feature usage). We do NOT collect: Social Security Numbers (only last 4 digits if you voluntarily enter them), financial information, or biometric data.
2. How We Store Your Data
Health-related data (conditions, ratings, claims, C&P prep answers) is stored locally on your device using browser localStorage. This data never leaves your device unless you explicitly push a packet to your VSO. Documents you upload are stored in encrypted AWS S3 storage under an executed AWS Business Associate Addendum (BAA), with AES-256 server-side encryption. Each veteran's documents are isolated: no other user or organization can access them unless you toggle sharing.
3. How We Use Your Data
To provide the VET100 service: rating calculations, document management, VSO coordination, claim tracking, and AI-assisted tools (nexus letter drafting, records analysis, C&P exam preparation). To improve the platform based on anonymous usage patterns. To send transactional emails (account verification, VSO notifications, ITF reminders). We NEVER use your data for advertising, marketing profiling, or sale to third parties.
4. Data Sharing & Subprocessors
With your VSO: Only when you explicitly toggle "Share" on a document or push a packet. Your VSO can only view (not download) shared documents unless you grant download permission. With the VA: Only through VA Lighthouse APIs when you explicitly authorize the connection. With third parties: We do not sell, rent, or share veteran data with any third party for marketing or advertising purposes.
Subprocessors: VET100 uses the following third-party services to operate the platform. All are US-based:
- Supabase: Database and authentication. Stores account profiles, messages, and packets. US region. Privacy Policy.
- Amazon Web Services (AWS): Document storage via S3. All veteran-uploaded documents are stored in encrypted S3 buckets under an executed AWS Business Associate Addendum (BAA). US East region. Privacy Policy.
- Vercel: Hosting and serverless functions. Serves the web application and API endpoints. No veteran health data stored. US region. Privacy Policy.
- Stripe: Payment processing for paying VSO customers only. Retains payment records per their retention policy. Free veteran accounts have no Stripe data. US. Privacy Policy.
- AWS Bedrock (Claude AI): Vet100 uses Anthropic's Claude AI (Sonnet family) via AWS Bedrock for analysis features including DBQ decoding, nexus letter generation, personal statement assistance, and medical records review. AI requests are processed through AWS Bedrock under an executed AWS Business Associate Addendum. Data submitted is not retained after processing and is not used to train models. US. AWS Privacy Policy · Anthropic Privacy Policy.
- Resend: Transactional email delivery for account verification, ITF reminders, breach notifications, and VSO notifications. US. Privacy Policy.
- Apple: iOS app distribution via the App Store. Apple processes app downloads and updates. VET100 does not share veteran data with Apple beyond standard app analytics. US. Privacy Policy.
5. VA API Data
When you connect to VA.gov through VET100, we exchange data with the VA Lighthouse API platform. This includes claim status queries, document submissions, and veteran verification. This data is processed in transit and displayed in your dashboard; it is not permanently stored on VET100 servers. You can disconnect from VA.gov at any time through your account settings.
6. Data Retention
Active accounts: Your data is retained while your account is active.
Dormant accounts: If you have not logged in for 24 months, we will send a reactivation notice to your email on file. If we receive no response within 60 days of that notice, your account and all associated data will be deleted. Note: Vet100 launched in March 2026. The 24-month dormant account cleanup process is scheduled to activate in March 2028. Implementation will be completed before the first accounts reach the 24-month threshold.
Third-party processors and their retention:
- Supabase (authentication and database): Data retained while your account is active. Deleted when you delete your account. Supabase Privacy Policy.
- AWS S3 (document storage): Documents retained while your account is active. Permanently deleted when you delete your account. Covered by signed HIPAA BAA. AWS Privacy Policy.
- Stripe (payment processing; applies ONLY to paying VSO customers): Stripe retains payment records for at least 5 years from the end of the business relationship or the date of the last transaction, whichever is later, per Stripe's retention policy and applicable financial regulations. This is a legal obligation that applies to all businesses. Payment records contain transaction history, amounts, billing details, and the last 4 digits of the card only; no claim data or health information. Free veteran accounts have no Stripe data. Stripe Privacy Policy.
- Resend (email delivery): Email delivery logs retained 30–90 days per Resend's policy. Resend Privacy Policy.
- AWS Bedrock / Claude AI (AI processing, Claude Sonnet family): AI prompts are processed via AWS Bedrock in real time and not retained after the request completes. Data is not used to train models. Covered under the AWS HIPAA BAA. AWS Privacy Policy · Anthropic Privacy Policy.
- Vercel (hosting): Static assets and serverless function logs. No veteran health data is stored in Vercel infrastructure. Vercel Privacy Policy.
Commitment: Veteran claim data, health information, and personal data are never sold to third parties for marketing, advertising, or any non-service purpose, regardless of account status.
7. Data Security
All data in transit is encrypted using HTTPS/TLS. AWS S3 uses AES-256 server-side encryption at rest under a signed HIPAA BAA. Passwords are hashed using PBKDF2 with unique salts. API keys and credentials are stored as encrypted environment variables on Vercel, never in client-side code. Row-level security (RLS) is enabled on all database tables. Document access enforces authenticated-only ownership checks via signed URLs. Security controls are aligned with the NIST 800-53 framework.
8. Compliance Roadmap
A third-party HIPAA audit (SOC 2 Type II with HIPAA mapping or HITRUST CSF) is on the roadmap for completion under the first paid engagement, per standard SaaS audit observation requirements.
9. Your Rights
Access: You can view all your data at any time through the platform. Export: You can download a complete copy of all your data (JSON or PDF) using the "Download My Data" feature in Settings → Your Data. Delete: You can delete your account and all associated data using the "Delete My Account" feature in Settings → Danger Zone, or by emailing randy@vet100.net. Portability: Your data export includes all server-stored data plus signed download links for uploaded documents.
10. Your Right to Delete Your Data
You have the right to request deletion of all your data at any time. Two methods are available:
- In-app: Go to Settings → Danger Zone → Delete My Account. This is a three-step confirmation process requiring you to type "DELETE," confirm you understand the action is permanent, and re-enter your password.
- Email: Send a request to randy@vet100.net with the subject line "Data Deletion Request."
Timeline: Deletion will be completed within 45 days of your request. Deletion requests are processed through a combination of automated and operator-initiated steps. Vet100 monitors the deletion queue daily and executes pending deletions. A fully automated nightly process is scheduled to replace the current workflow upon platform upgrade to a production hosting tier.
Grace period: You have 7 days after requesting deletion to cancel by emailing randy@vet100.net. After 7 days, deletion cannot be reversed.
We encourage you to use "Download My Data" (Settings → Your Data) before requesting deletion to keep a personal copy of your records.
What is deleted: All claim data, uploaded documents (including files from storage), messages with VSOs, intake packets, appointment records, VSO claim notes about your case, enrollment records, and your account profile.
What is retained:
- Anonymized security audit logs (your user ID is removed, but the event record is preserved for security purposes).
- Stripe payment records for paying customers only, retained per financial regulations. These contain payment information only, not claim or health data.
- Data subject to a lawful preservation request (subpoena, court order). If such a hold exists, deletion may be delayed until the hold is lifted. You will be notified unless legally prohibited.
11. Data Breach Notification
In the event of a data breach that affects your personal information, VET100 will notify you without unreasonable delay after discovery. Notification will include:
- What data was affected
- When the breach was discovered
- What steps VET100 is taking to address the breach and prevent recurrence
- What steps you can take to protect yourself
Delivery: Notification will be sent via email to the address on your account AND through an in-app banner visible on your dashboard upon login.
Contact: For questions about any security incident, email randy@vet100.net.
12. Business Transfer, Merger, or Dissolution
In the event that VET100 LLC is acquired, merged with another entity, or dissolved, we commit to the following protections:
- Data portability: You may securely download, export, or transmit your health information at any time using the "Download My Data" feature in Settings.
- Successor obligations: Any successor entity will be contractually required to maintain privacy and data handling commitments consistent with or stronger than VET100's current policies.
- Right to delete before transfer: You may close your account and request deletion of all your data prior to any transfer using the "Delete My Account" feature in Settings.
- Advance notice: VET100 will provide a minimum of 30 days advance notice of any transfer, merger, acquisition, or dissolution, delivered by email to your address on file and by in-app banner.
13. Children's Privacy
VET100 is intended for use by veterans, their families, and VSO professionals. We do not knowingly collect information from children under 13. If we learn we have collected data from a child under 13, we will delete it promptly.
14. Cookies and Tracking
VET100 uses localStorage (not cookies) to store your preferences and session data. We do not use tracking cookies, advertising pixels, or third-party analytics trackers. The service worker caches static assets for offline functionality only.
15. Changes to This Policy
We may update this privacy policy at any time. Changes will be communicated through the platform's announcement system and by in-app banner. Continued use after changes constitutes acceptance. Material changes affecting your data handling rights will include at least 30 days advance notice.
16. Contact
For privacy questions, data requests, or to report a concern, contact: randy@vet100.net. VET100 LLC, Houston, MS.