Privacy
Policy

1. Introduction & Scope

This Privacy Policy (“Policy”) describes how The Intent Network, LLC, a Texas limited liability company doing business as VAClaims.io (“VAClaims.io,” “we,” “us,” or “our”), collects, uses, stores, shares, and protects your personal information when you access or use our website at vaclaims.io, our web application, mobile-optimized interfaces, and any related services, tools, or communications (collectively, the “Platform”).

We understand the extraordinary sensitivity of military service records, medical history, and disability claim information. This Policy is designed to be transparent about our data practices so you can make informed decisions about using our services.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree, you must discontinue use of the Platform immediately.

This Policy applies to all users of the Platform, including veterans, service members, dependents, Onboarding Advisors, and general visitors.

2. Information We Collect

2.1 Information You Provide Directly

• Account & Identity Data: Full legal name, email address, phone number, mailing address, date of birth, and account credentials.
• Military Service Information: Branch of service, service dates, duty stations, MOS/rating/AFSC, discharge status, DD-214 details, combat/deployment history, and service-connected events.
• Medical & Health Information: Current and historical medical conditions, diagnoses, treatment records, medications, physician information, nexus letters, Disability Benefits Questionnaires (DBQs), and other medical evidence relevant to disability claims.
• Claim Information: Current VA disability ratings, pending claims, appeal status, conditions claimed, personal statements, buddy statements, and evidence documentation.
• Financial & Payment Data: Billing name and address, and the last four digits of your payment card. Full payment card numbers, CVVs, and bank account details are collected and processed exclusively by our payment processor, Stripe, Inc., and are never stored on our servers.
• Communication Content: Messages sent through in-app messaging, email correspondence, call recordings, call transcriptions, survey and intake form responses, and feedback submissions.
• Documents & Files: Files uploaded to the Evidence Vault, including medical records, military records, buddy statements, nexus letters, DBQs, government-issued identification, and other supporting documentation.

2.2 Information Collected Automatically

• Device & Browser Data: IP address, browser type and version, operating system, device type, screen resolution, and unique device identifiers.
• Usage Data: Pages visited, features used, clickstream data, time spent on pages, referring URLs, navigation paths, and interaction patterns.
• Log Data: Server logs including access times, error logs, and API request metadata.
• Cookies & Similar Technologies: Session cookies, persistent cookies, local storage, and similar tracking technologies as described in Section 9 below.

2.3 Information From Third Parties

• Payment Processor: Stripe may provide us with transaction confirmation, payment status, and limited card details (last four digits, card brand, expiration date) for record-keeping purposes.
• Advisor Verification: For Onboarding Advisors, we may verify professional license status through the NPI (National Provider Identifier) Registry and other publicly available professional databases.
• Authentication Providers: If you sign in using a third-party authentication provider (e.g., Google), we receive your name, email address, and profile image from that provider.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

• Creating and managing your account and authenticating your identity.
• Generating strategic claim research reports, personal statement templates, and other AI-assisted content tailored to your specific situation.
• Matching you with an Onboarding Advisor based on your needs, branch of service, claimed conditions, and advisor availability.
• Facilitating in-app messaging between you and your assigned Onboarding Advisor.
• Scheduling, conducting, recording, and transcribing video consultations via Google Meet.
• Storing, organizing, and managing your documents in the Evidence Vault.
• Processing disability rating calculations and appeal workflow management.
• Delivering course content and coaching resources.

3.2 Communications

• Sending transactional emails (account confirmations, password resets, payment receipts, appointment reminders, and claim status updates).
• Relaying messages between you and your Onboarding Advisor through our email relay system at onboarding@vaclaims.io (see Section 7 for details).
• Sending service-related announcements, updates to our terms or policies, and security alerts.
• With your consent, sending marketing communications about new features, educational content, or promotional offers. You may opt out at any time.
• With your explicit opt-in consent, sending SMS/text messages for appointment reminders, claim status updates, and service communications. Message frequency varies. Message and data rates may apply. You may opt out at any time by replying STOP to any message. SMS opt-in data and consent will not be shared with or sold to any third parties.

3.3 AI-Powered Processing

• Your service history, medical information, and claim details are processed by artificial intelligence systems to generate strategic claim reports, personal statement templates, evidence gap analyses, and other tailored outputs.
• AI processing occurs within our Platform infrastructure. Your data is not sold, licensed, or shared with any third party for the purpose of training external AI or machine learning models.
• AI-generated outputs are tools to assist you — they are not legal advice, medical opinions, or guaranteed outcomes.

3.4 Platform Improvement & Analytics

• Analyzing aggregate, de-identified usage patterns to improve features, user experience, and service quality.
• Monitoring Platform performance, diagnosing technical issues, and preventing fraud or abuse.
• Conducting internal research using anonymized and aggregated data.

3.5 Legal & Compliance

• Complying with applicable federal, state, and local laws and regulations.
• Responding to lawful requests from law enforcement or government agencies.
• Establishing, exercising, or defending legal claims.
• Enforcing our Terms of Service, Advisor Agreement, and other contractual obligations.

We never sell, rent, lease, or trade your personal information, military records, or medical data to any third party for their own marketing or commercial purposes.

4. Advisor Access Model & Data Masking

Onboarding Advisors are independent contractors who assist veterans with claims navigation, information gathering, and educational guidance. To protect your privacy, we implement strict data access controls:

• Masked Identity: Advisors see a masked version of your identity (e.g., “First L.” rather than your full legal name). Your email address, phone number, and full name are not directly visible to Advisors.
• In-App Messaging Only: All communication between you and your Advisor occurs through our Platform’s secure in-app messaging system. Advisors do not receive your direct contact information.
• Email Relay: If email communication is necessary, it is routed through our relay system at onboarding@vaclaims.io, which masks your email address from the Advisor and vice versa (see Section 7).
• No External Data Storage: Advisors are contractually prohibited from downloading, screenshotting, copying, or storing your personal information outside of the Platform.
• Scoped Access: Advisors only have access to the information necessary for the veterans assigned to them, enforced through database-level Row Level Security (RLS) policies.

5. Call Recording & Transcription

Video consultations between you and your Onboarding Advisor are conducted through Google Meet and may be recorded and transcribed to enhance service quality and maintain accurate records.

• Consent: You will be notified at the beginning of each call that the session may be recorded and transcribed. By continuing to participate in the call, you consent to the recording and transcription. You may request that recording be disabled for a specific session.
• Purpose: Recordings and transcriptions are used for quality assurance, training purposes, accurate documentation of your claim details, and to resolve any disputes about the content of a consultation.
• Storage: Recordings and transcriptions are stored securely and are accessible only to authorized personnel. They are subject to the same retention policies described in Section 10 of this Policy.
• Google’s Role: Google Meet is a third-party service provided by Google LLC. Google’s processing of call data during transmission is governed by Google’s own privacy policy and terms of service.

6. How We Share Your Information

We do not sell your personal information. We share your information only in the following limited circumstances:

6.1 Onboarding Advisors

As described in Section 4, Advisors receive limited, masked access to your information necessary to provide claims navigation guidance. All Advisors are bound by confidentiality and data handling obligations under their Independent Contractor Agreements.

6.2 Service Providers & Data Processors

We engage the following third-party service providers who process data on our behalf under contractual obligations to protect your information:

• Supabase, Inc. (hosted on Amazon Web Services): Database hosting, authentication, file storage, and real-time data services. Data is stored in the United States.
• Vercel, Inc.: Application hosting, deployment, edge network delivery, and serverless function execution.
• Stripe, Inc.: Payment processing, subscription management, advisor commission transfers, fraud detection, and financial reporting. Stripe is PCI-DSS Level 1 certified.
• Google LLC (Google Meet & Google Workspace): Video conferencing, call recording, call transcription, and scheduling services.
• Resend, Inc.: Transactional and relay email delivery services, including the onboarding@vaclaims.io relay system.

Each of these providers has their own privacy policy and data processing terms. We encourage you to review those policies. We select service providers that maintain appropriate security standards and limit their use of your data to the services they provide to us.

6.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government requests. We will attempt to notify you of such requests unless prohibited by law or court order.

6.4 Business Transfers

If The Intent Network, LLC undergoes a merger, acquisition, reorganization, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform of any change in ownership or uses of your personal information, as well as any choices you may have regarding your information.

6.5 With Your Consent

We may share your information for purposes not described in this Policy if we obtain your explicit prior consent.

6.6 Aggregated & De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for research, analytics, marketing, or other business purposes.

7. Email Relay System

To protect the privacy of both veterans and Onboarding Advisors, certain email communications are routed through our relay system at onboarding@vaclaims.io.

• When an Advisor sends you an email through the Platform, it is delivered from onboarding@vaclaims.io rather than the Advisor’s personal email address.
• When you reply, your response is routed back through the relay so that the Advisor does not see your personal email address.
• Email relay messages are processed by Resend, Inc. and are subject to their data processing practices.
• Relayed email content may be logged for quality assurance, dispute resolution, and compliance purposes.

8. Data Security

We implement administrative, technical, and physical security measures designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction:

• Encryption: All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption through our infrastructure providers.
• Row Level Security (RLS): Our database implements PostgreSQL Row Level Security policies to ensure that users can only access data they are authorized to view.
• Authentication: Multi-factor authentication options, secure password hashing, and session management with automatic timeouts.
• Access Controls: Role-based access controls limiting employee and contractor access to personal data on a need-to-know basis.
• Infrastructure Security: Our hosting providers (Supabase/AWS and Vercel) maintain SOC 2 Type II compliance, and Stripe maintains PCI-DSS Level 1 certification.
• Monitoring: Continuous monitoring for unauthorized access attempts, anomalous activity, and potential security incidents.

While we strive to protect your information using commercially reasonable measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

9. Cookies & Tracking Technologies

We use the following types of cookies and similar technologies:

• Strictly Necessary Cookies: Required for the Platform to function (e.g., session cookies, authentication tokens, CSRF protection). These cannot be disabled.
• Functional Cookies: Remember your preferences, display settings, and form entries to improve your experience.
• Analytics Cookies: Help us understand how visitors interact with the Platform (e.g., pages visited, time on site, navigation patterns). We use this data in aggregate form to improve the Platform.
• Local Storage: We may use browser local storage to cache certain data for performance and user experience purposes.

We do not use third-party advertising cookies or participate in behavioral advertising networks. We do not track you across third-party websites.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Platform.

10. Data Retention & Deletion

We retain your personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements:

• Active Account Data: Retained for the duration of your account and active use of the Platform.
• Claim Records & Evidence Vault: Retained for a minimum of three (3) years after your last account activity, or longer if required by law, to support potential appeals or future claims.
• Call Recordings & Transcriptions: Retained for two (2) years from the date of the recording, unless a longer retention period is required for an active dispute or legal obligation.
• Payment & Transaction Records: Retained for seven (7) years to comply with tax, accounting, and financial reporting requirements.
• Communication Logs: In-app messages and email relay logs are retained for two (2) years from the date of communication.
• Analytics & Log Data: Retained in identifiable form for up to one (1) year, after which it is aggregated or deleted.

Account Deletion

You may request deletion of your account and associated personal data by emailing privacy@vaclaims.io. Upon receiving a verified deletion request:

• We will delete or anonymize your personal information within thirty (30) days, except as required by law or legitimate business interests (e.g., fraud prevention, financial record-keeping).
• Some data may persist in encrypted backups for up to ninety (90) days before automatic deletion.
• Deletion is permanent and irreversible. We cannot recover your claim reports, evidence vault files, or other data after deletion.
• We recommend downloading any reports or documents you wish to retain before requesting deletion.

11. Your Privacy Rights

Depending on your state of residence, you may have the following rights regarding your personal information:

• Right to Know / Access: Request a copy of the personal information we hold about you.
• Right to Correct: Request correction of inaccurate or incomplete personal information.
• Right to Delete: Request deletion of your personal information, subject to legal exceptions.
• Right to Data Portability: Request a machine-readable copy of your data.
• Right to Opt Out of Sale: We do not sell personal information. However, if this practice ever changes, you will have the right to opt out.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, contact us at privacy@vaclaims.io. We will verify your identity before fulfilling any request. We will respond to verified requests within forty-five (45) days, with an extension of up to an additional forty-five (45) days if reasonably necessary, with notice to you.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain legal exceptions.
• Right to Correct: You may request that we correct inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (including health/medical data and military records) only as necessary to provide our services. You may request that we limit the use of such data.
• No Sale or Sharing: We do not “sell” or “share” your personal information as those terms are defined under the CCPA/CPRA.
• Authorized Agent: You may designate an authorized agent to submit requests on your behalf, subject to identity verification.

Categories of Personal Information Collected (per CCPA categories): Identifiers; personal information under Cal. Civ. Code § 1798.80(e); characteristics of protected classifications (veteran/military status); commercial information; internet/electronic network activity; geolocation (general, not precise); professional information; sensitive personal information (health/medical data); and inferences drawn from the above.

California residents may submit requests at privacy@vaclaims.io or by writing to the address in Section 18. We do not use or disclose financial incentives that require opt-in.

13. Texas Privacy Law Compliance

As a Texas-based company, we comply with the Texas Data Privacy and Security Act (TDPSA) and the Texas Identity Theft Enforcement and Protection Act. Texas residents have the following rights:

• The right to confirm whether we are processing your personal data and to access such data.
• The right to correct inaccuracies in your personal data.
• The right to delete personal data you have provided.
• The right to obtain a portable copy of your personal data in a readily usable format.
• The right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not currently engage in any of these activities.

To exercise these rights or to appeal a decision regarding your request, please contact us at privacy@vaclaims.io. If you are not satisfied with our response to your appeal, you may contact the Texas Attorney General’s office.

14. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

• Investigate and contain the breach as quickly as reasonably possible.
• Notify affected individuals by email (or by mail if email is unavailable) within sixty (60) days of discovering the breach, or sooner if required by applicable state law.
• Provide details about what information was compromised, what steps we are taking to address the breach, and what steps you can take to protect yourself.
• Notify the Texas Attorney General if the breach affects 250 or more Texas residents, as required by the Texas Identity Theft Enforcement and Protection Act.
• Notify other state attorneys general and regulatory bodies as required by applicable law.
• Offer credit monitoring services or other appropriate remedies where warranted by the nature and scope of the breach.

15. Children’s Privacy

The Platform is not intended for, and we do not knowingly collect personal information from, individuals under the age of eighteen (18). If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information as soon as possible. If you believe a minor has provided us with personal information, please contact us at privacy@vaclaims.io immediately.

16. International Data & Geographic Limitations

The Platform is designed for and operated exclusively within the United States. Our services are intended for U.S. veterans, service members, and their dependents. All data is stored and processed within the United States.

We do not intentionally collect information from individuals located outside of the United States. If you access the Platform from outside the U.S., you do so at your own risk and are responsible for compliance with your local laws. By using the Platform, you consent to the transfer, processing, and storage of your information in the United States.

We do not offer services under the European Union’s General Data Protection Regulation (GDPR) or similar international frameworks, as we do not target or serve users in those jurisdictions.

17. Do Not Track Signals

Some web browsers transmit “Do Not Track” (DNT) signals. Because there is no universally accepted standard for how to respond to DNT signals, the Platform does not currently respond to DNT signals. We do not track users across third-party websites and do not use third-party advertising cookies.

18. Contact Information

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:

• The Intent Network, LLC d/b/a VAClaims.io
• San Antonio, Texas
• Email: privacy@vaclaims.io

We aim to respond to all privacy-related inquiries within ten (10) business days.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes:

• We will update the “Last Updated” date at the top of this Policy.
• We will provide notice of material changes via email to the address associated with your account and/or through a prominent notice on the Platform at least thirty (30) days before the changes take effect.
• Your continued use of the Platform after the effective date of any revised Policy constitutes your acceptance of the changes.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information.