Privacy Policy

1. Introduction

VetStack ("we," "us," or "our") operates a mobile and web application that helps veterans access their VA benefits claims information. This Privacy Policy describes:

• What information we collect and why
• How we use and protect your information
• Your rights regarding your personal data
• How to contact us with privacy concerns

By using VetStack, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 VA Benefits Claims Data

When you authorize VetStack to access your VA benefits information, we collect:

• Claims status and details
• Claim submission and update dates
• Claim types and categories
• Associated documentation metadata

This data is accessed through the official VA Benefits Claims API and is used solely to display your claims information within the VetStack application.

2.2 Authentication Information

VetStack uses VA.gov OAuth authentication. We receive:

• OAuth access tokens (used to access your VA data)
• Basic profile information from your VA.gov account (name, email if provided)
• Authentication timestamps

Important: We never see, store, or have access to your VA.gov password or credentials. All authentication is handled securely by VA.gov, ID.me, or Login.gov.

2.3 Usage and Analytics Data

To improve VetStack and understand how it's used, we collect:

• App usage statistics (features used, pages viewed)
• Device information (device type, operating system, app version)
• Performance metrics (load times, error rates)
• Crash reports and diagnostic data

This data is collected through Firebase Analytics and is used to improve app performance and user experience.

2.4 Email Notifications

If you sign up for launch notifications or updates, we collect:

• Email address
• Signup timestamp
• Notification preferences

2.5 Information We Do NOT Collect

VetStack does not collect:

• Your VA.gov password or login credentials
• Medical records or health information
• Financial information (bank accounts, credit cards)
• Social Security Number
• Precise geolocation data

3. How We Use Your Information

We use the information we collect solely for the following purposes. Your VA benefits claims data is used exclusively to provide you with the VetStack service and is never used for marketing, advertising, profiling, or any purpose unrelated to displaying your claims information.

3.1 Provide the Service

Your VA benefits claims data is used to:

• Display your VA benefits claims information within the VetStack application
• Sync data from the VA Benefits Claims API to keep your information current
• Send notifications about claim status updates (if enabled)
• Provide offline access to previously loaded data for your convenience

Important: Your VA claims data is never used for any purpose other than displaying it to you within VetStack. We do not analyze, profile, aggregate, or otherwise process your claims data for any secondary purposes.

3.2 Improve the Service

Anonymous, non-identifiable usage data (not your VA claims data) is used to:

• Analyze usage patterns to enhance features
• Identify and fix bugs and performance issues
• Develop new features based on user needs
• Conduct testing and quality assurance

3.3 Communicate with You

• Send launch notifications (if you signed up)
• Respond to support requests
• Send important service updates
• Notify you of changes to our policies

3.4 Ensure Security and Compliance

• Detect and prevent fraud or abuse
• Comply with legal obligations
• Enforce our Terms of Service
• Protect the rights and safety of our users

4. How We Share Your Information

4.1 We Do NOT Sell Your Data

VetStack does not sell, rent, or trade your personal information to third parties. Period.

4.2 Third-Party Service Providers

We share limited data with trusted third-party services that help us operate VetStack:

• Firebase (Google): Authentication, database, analytics, and hosting
• Department of Veterans Affairs: VA Benefits Claims API for accessing your claims data

4.3 Third-Party Data Protection Requirements

All third-party vendors are strictly prohibited from using Veteran information without your explicit consent. Our agreements with third-party service providers require them to:

• Use your data only for the specific purposes we authorize (providing VetStack services)
• Never use, share, sell, or disclose your Veteran information for their own purposes
• Maintain the same level of data protection and security standards that we maintain
• Delete your data upon our request or termination of their services
• Notify us immediately of any data breach or unauthorized access
• Comply with all applicable privacy laws and VA data protection requirements

Third-party vendors are held to the same data protection requirements as VetStack. Any violation of these requirements by a third party will result in immediate termination of their access to your data.

4.4 Legal Requirements

We may disclose your information if required by law or in response to:

• Valid legal processes (subpoenas, court orders)
• Requests from law enforcement or government agencies
• Protection of our rights, property, or safety
• Emergency situations involving potential harm

4.5 Business Transfers and Company Changes

In the event of a transfer of ownership, sale, merger, acquisition, or business closure, the following protections apply to your data:

Your Rights During Business Transitions:

• Prior Notification: We will notify you at least 30 days before any transfer of your data to a new owner
• Data Export: You may request to download a copy of all your data before any transfer
• Account Closure: You may close your account and request deletion of all your data before any transfer takes effect
• Policy Consistency: Any new owner must agree to honor this Privacy Policy or provide you with notice of any changes and the opportunity to delete your data before any new policy takes effect

In Case of Business Closure:

If VetStack ceases operations, we will:

• Notify all users at least 30 days in advance
• Provide instructions for downloading your data
• Delete all Veteran data within 45 days of closure
• Confirm deletion in writing upon request

5. Data Security

We implement industry-standard security measures to protect your information:

5.1 Encryption

• In Transit: All data transmitted between your device and our servers uses TLS/SSL encryption
• At Rest: All stored data is encrypted using industry-standard encryption algorithms

5.2 Access Controls

• Limited employee access to user data
• Multi-factor authentication for administrative systems
• Regular security audits and assessments
• Secure credential storage using industry best practices

5.3 OAuth Security

• OAuth tokens are securely stored and encrypted
• Tokens have limited permissions (read-only for claims data)
• Tokens can be revoked at any time through VA.gov

While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.

5.4 Data Breach Response

In the event of a data breach that affects your personal information, VetStack will take the following steps:

Immediate Response (Within 24-72 Hours):

• Contain the breach and secure affected systems
• Begin forensic investigation to determine scope and cause
• Notify relevant authorities as required by law
• Notify the Department of Veterans Affairs of any breach involving VA data

User Notification (Within 72 Hours of Discovery):

• Notify affected users via email and in-app notification
• Describe the nature of the breach and what data was affected
• Explain what steps we are taking to address the breach
• Provide guidance on steps you can take to protect yourself
• Provide contact information for questions and support

Remediation:

• Implement fixes to prevent similar breaches
• Offer credit monitoring services if financial information was exposed
• Provide regular updates on the investigation and remediation progress
• Document lessons learned and update security practices accordingly

Documentation and Reporting:

• Maintain detailed records of all breach response activities
• Report to state attorneys general as required by state laws
• Comply with all federal and state breach notification requirements
• Provide affected users with a written summary of the breach upon request

6. Data Retention

6.1 Active Accounts

We retain your VA benefits claims data for as long as your VetStack account is active and you maintain authorization for us to access your VA data.

6.2 Dormant Accounts

If your account becomes dormant (no login activity), we will:

• After 12 months of inactivity: Send you a notification asking if you wish to keep your account
• After 18 months of inactivity: Send a final warning that your data will be deleted
• After 24 months of inactivity: Automatically delete all your VA benefits claims data

You may reactivate your account at any time before the 24-month deletion by simply logging in. Anonymous analytics data may be retained after deletion.

6.3 Account Deletion Upon Request

When you request deletion of your account or data, we commit to:

• 100% deletion of all your Veteran information - We will delete all of your VA benefits claims data, profile information, and any other personal data associated with your account
• Deletion within 45 days - All data will be permanently deleted within 45 days of your request
• Confirmation - You will receive email confirmation when deletion is complete
• Third-party notification - We will instruct all third-party service providers to delete your data as well

Note: We may retain anonymized, non-identifiable analytics data that cannot be linked back to you. We may also retain certain records as required by law (such as transaction records for tax purposes), but these will be minimized and will not include your VA claims data.

6.4 Email Notifications

Launch notification email addresses are retained until you unsubscribe or VetStack launches, whichever comes first.

7. Your Privacy Rights

7.1 Access, Download, and Correction

You have the right to:

• Access the personal information we hold about you
• Request corrections to inaccurate information
• Request a copy of your data in a portable format (JSON or CSV)

How to Request Your Data:

1. Email privacy@voostack.com with subject line "Data Export Request"
2. Include your registered email address for verification
3. We will verify your identity and provide your data within 30 days
4. Data will be provided in machine-readable format (JSON) for portability

7.2 How to Request Data Deletion

You have the right to request deletion of 100% of your Veteran information at any time. Here's how:

Option 1: In-App Deletion

1. Open VetStack and go to Settings
2. Select "Account" then "Delete My Account"
3. Confirm your request
4. All your data will be deleted within 45 days

Option 2: Email Request

1. Email privacy@voostack.com with subject line "Data Deletion Request"
2. Include your registered email address
3. We will verify your identity within 5 business days
4. All your data will be deleted within 45 days of verification
5. You will receive email confirmation when deletion is complete

What gets deleted: All VA benefits claims data, profile information, authentication tokens, notification preferences, and any other personal data associated with your account.

7.3 How to Close Your Account

To close your VetStack account:

1. In VetStack: Go to Settings → Account → Delete My Account
2. Via Email: Send a request to support@voostack.com
3. Revoke VA Authorization: Visit VA.gov Profile → Connected Apps → Revoke VetStack

When you close your account, all your data will be deleted within 45 days. You will receive confirmation via email.

7.4 Data Portability - Export Your Information

Before closing your account or at any time, you can download all your data:

1. In VetStack: Go to Settings → Account → Export My Data
2. Via Email: Request export at privacy@voostack.com

Your data will be provided in standard formats (JSON, CSV) that can be imported into other applications or kept for your records.

7.5 California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of sale of personal information (note: we do not sell data)
• Right to deletion of personal information
• Right to non-discrimination for exercising CCPA rights

7.6 European Privacy Rights (GDPR)

If you are in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR):

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

8. Children's Privacy

VetStack is intended for use by veterans who are 18 years of age or older. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected data from someone under 18, we will take steps to delete that information promptly.

9. Cookies and Tracking Technologies

9.1 Essential Cookies

We use essential cookies for:

• Maintaining your login session
• Remembering authentication state
• Ensuring app functionality

9.2 Analytics Cookies

We use Firebase Analytics to collect usage data. These cookies help us understand:

• How users interact with VetStack
• Which features are most useful
• Where improvements are needed

9.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect VetStack's functionality.

10. Third-Party Links

VetStack may contain links to third-party websites, including:

• VA.gov
• ID.me
• Login.gov
• VooStack.com

We are not responsible for the privacy practices of these third-party sites. We encourage you to review their privacy policies before providing any personal information.

11. International Data Transfers

VetStack is based in the United States, and your information is processed and stored in the United States. If you access VetStack from outside the United States, your data will be transferred to and processed in the United States.

We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For material changes, we will notify you via email or in-app notification
• Continued use of VetStack after changes constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Email: privacy@voostack.com
• Support: support@voostack.com
• Website: https://voostack.com/contact

14. Data Protection Officer

For privacy-related inquiries or to exercise your data rights, you may contact our Data Protection Officer at:

• Email: dpo@voostack.com