
Privacy Policy

Effective date: 2026-04-10 · Last updated: 2026-04-10 · Operator: Bridging the Gap to Your VA Benefits (“the Operator”)

⚠ Draft notice: This is a reasonable starter privacy policy for a personal-use VA claims tracking service. It reflects the Operator's actual data handling practices as built today (April 2026). Review it with a lawyer before opening signups broadly. California, Virginia, Colorado, and several other U.S. states have specific requirements for state residents that may need to be addressed separately if you expand beyond a small user base.

1. TL;DR — The Short Version

  • We don't sell your data. Ever. To anyone.
  • We don't share your data with third parties except as strictly necessary to run the Service (e.g., sending you emails, running the AI feature).
  • You can export and delete your data at any time from your account settings.
  • We never ask for your VA.gov password. You log into VA.gov in your own browser and use a bookmarklet to copy your own data into VAClaims.
  • We collect only what's needed to run the Service — no tracking pixels, no advertising IDs, no third-party analytics.

2. Who We Are

VAClaims (“the Service”) is operated by Bridging the Gap to Your VA Benefits, a personal project of a US Air Force veteran. The Operator is the “data controller” under U.S. and international privacy frameworks that use that term.

Contact: rwykoff@clearipsolutions.com

3. What Data We Collect

3.1 Data you give us directly

| Category | Fields | Why we collect it |
|---|---|---|
| Account | Email address, password (stored as a bcrypt hash, never plaintext), first and last name, display name | To create your account, sign you in, and address you in emails |
| Profile (optional) | Preferred name, date of birth, phone, address, VA file number, time zone, ID.me username, service branch, enlistment/discharge dates, rank, MOS, deployments, awards, emergency contact, POA on file, primary care provider, preferred contact method, goals, notes, theme preference, notification preferences | So the Service can show you your own information and send you the notifications you chose |
| Content you create | Notes, goals, questions submitted to the AI features | To power the feature you asked for |

3.2 Data you import from VA.gov

| Category | Fields | Why we collect it |
|---|---|---|
| Claims & appeals | Claim IDs, statuses, phases, contentions, filed dates, tracked items, documents | To render your dashboard, detect changes, and power the AI “explain this claim” feature |
| Ratings | Combined rating, individual diagnostic codes, percentages, effective dates, decision text, service-connected status | To render the Ratings page, detect rating changes, and inform AI advice |
| Service history | Branch, dates of service, character of discharge | To display on the Profile page and use in AI-generated explanations |
| Decision letters | PDF text extracted from letters you choose to import | To feed the AI “explain this decision” feature when you ask for it |

Important: this data is imported by you, from your own VA.gov account, by running a bookmarklet in your own browser. The Operator never logs into VA.gov on your behalf, and never asks for your VA.gov password.

3.3 Data we collect automatically

| Category | Fields | Why we collect it |
|---|---|---|
| Login activity | Email, IP address, timestamp, success/failure reason code | Security — detecting brute-force login attempts and locking out abusive IPs. Rows older than 60 minutes are automatically deleted. |
| Server logs | Request path, response code, user-agent, client IP, timestamp | Standard web server access logs. Stored on the server's disk for ~30 days and rotated. |
| Session cookies | Signed session ID, theme preference, transient flash messages | To keep you signed in and remember your UI preferences. Cookies are marked Secure, HttpOnly, and SameSite=Lax. The session expires after 24 hours of inactivity. |

3.4 What we do NOT collect

  • No third-party analytics (Google Analytics, Segment, Mixpanel, etc.)
  • No advertising trackers or cookies from ad networks
  • No device fingerprinting
  • No social media tracking pixels
  • No cross-site tracking of any kind

4. How We Use Your Data

Your data is used solely to:

  • Authenticate you and keep you signed in
  • Render your dashboard, Ratings page, Alerts page, and Profile
  • Detect changes between imports and notify you of them
  • Send you emails you've opted into (account verification, password reset, claim alerts, rating changes, daily/weekly digests)
  • Power AI features you explicitly invoke (“Explain this claim,” etc.)
  • Maintain basic security and operational logs

We do not use your data for advertising, market research, training machine learning models, or any purpose unrelated to running the Service for you.

5. How We Share Your Data

Your data is shared only with the following, and only to the extent necessary to run the Service:

5.1 Microsoft (email + AI)

Outbound emails (verification, password reset, alerts, digests) are sent through Microsoft 365 / Exchange Online via the Microsoft Graph API. Microsoft processes and delivers the email but is not authorized to read its content or use it for any other purpose. Emails we send to you contain only information needed for the notification itself.

When you use an AI feature (“Explain this claim,” etc.), the relevant claim data and your question are sent to Microsoft Azure OpenAI Service to generate the response. Under the Azure OpenAI terms:

  • Your content is not used to train or improve any Microsoft or OpenAI model.
  • Your content is not shared with OpenAI (the company).
  • Your content is processed within Microsoft's tenant and retained only briefly for abuse monitoring (up to 30 days).

You can find Microsoft's Azure OpenAI data, privacy, and security documentation at learn.microsoft.com.

5.2 Legal process

We will disclose data if required by a valid subpoena, court order, or other legal process, but only to the minimum extent required by law. We will challenge overbroad requests and, where not legally prohibited, notify affected users before disclosure so they can seek a protective order.

5.3 No other sharing

We do not share your data with any other third parties. We do not sell your data, rent it, license it, transfer it as part of an advertising arrangement, or provide it to data brokers. Ever.

6. How Long We Keep Your Data

  • Your account & imported claims: As long as your account is active. Deleted within 30 days after you click “Delete my account” (see section 8).
  • Email verification + password reset tokens: 7 days (verification) or 1 hour (reset). Single-use; deleted on use or expiry.
  • Login attempt records: 60 minutes. Auto-pruned on successful login.
  • Access logs: ~30 days, then rotated by the web server.
  • Backups: 30 days. Daily snapshots of the database are kept on the server's disk for disaster recovery, then rotated.

7. How We Protect Your Data

  • HTTPS everywhere. The entire Service is served over TLS. Plain HTTP is redirected and blocked at the web server level.
  • Passwords are hashed with bcrypt (12 rounds) and never stored in plaintext. A 12-character minimum length is enforced, and we check all new passwords against the HaveIBeenPwned breach database using a privacy-preserving k-anonymity API — your password never leaves our servers for this check.
  • CSRF, XSS, and clickjacking protections are enabled across every form and page.
  • Rate limiting on login and password-reset endpoints locks out abusive IPs after 5-20 failed attempts in a 15-minute window.
  • Security headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security.
  • Database backups are kept on the same server's disk. Off-site backups may be added in the future.
  • No data-at-rest encryption beyond the OS-level disk protection of the server. The Operator is investigating column-level encryption for particularly sensitive fields in a future release.

No system is perfectly secure. If a breach is ever discovered, the Operator will notify affected users promptly and, where required by law, regulators as well.

8. Your Rights & Controls

8.1 Right to access + export

You can download a copy of all the data your account holds at any time via the “Export my data” button in your account settings. The export is a ZIP file containing human-readable JSON plus a README explaining each file.

8.2 Right to delete

You can delete your account at any time from the “Delete my account” section of your account settings. On deletion:

  • Your account is immediately marked as deleted. You cannot sign in from that moment forward.
  • Your data remains in the database for up to 30 days in case you change your mind — during this window, an administrator can restore your account.
  • After 30 days, an automated process permanently deletes your account row and all related data (claims, alerts, profile, notification preferences, email verification tokens, login attempt records).
  • Backups containing your data age out of the 30-day backup window on the same schedule.

8.3 Right to correct

You can update most of your personal information directly from the Profile page. For anything you can't edit yourself, contact the Operator and we'll update it or explain why we can't.

8.4 Right to opt out of non-essential emails

You can toggle claim alert emails, rating change emails, sync failure emails, and daily/weekly digest emails independently from your Profile → Communication Preferences. Security-critical emails (account verification, password reset, security alerts) are required and cannot be opted out of while your account is active.

8.5 Right to withdraw consent

You can withdraw your consent to these terms at any time by deleting your account. Withdrawal does not affect data processing that already occurred before withdrawal.

9. Children's Privacy

The Service is not directed to anyone under 18. The Operator does not knowingly collect data from anyone under 18. If you believe a minor has created an account, please contact the Operator so we can delete it.

10. International Users

The Service is hosted in the United States and operated by a US-based individual. If you access the Service from outside the United States, you acknowledge that your data will be processed in the United States and subject to US law. The Operator does not currently have GDPR, UK GDPR, or similar compliance certifications.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email and an in-app notice at least 14 days before taking effect. You can always see the “Effective date” at the top of this page to check when the current version took effect.

12. Contact

Questions about this Privacy Policy, or want to exercise any of the rights above? Contact:

Bridging the Gap to Your VA Benefits
Email: rwykoff@clearipsolutions.com
Mailing address: available on request

VA Claims Tracker — Not affiliated with the Department of Veterans Affairs

AI-powered explanations are educational, not legal advice. Always verify information at VA.gov.
