Privacy Policy

    Last updated: May 30, 2026

    Veterans AI ("VAI", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services. Please read this policy carefully. If you disagree with its terms, please discontinue use of the site.

    1. Information We Collect

    We collect information you provide directly to us, including:

    • Account information: name, email address, and password when you create an account with email and password.
    • Google Sign-In: if you choose to sign in with Google, Google provides us with your name, email address, profile picture URL, and Google account ID. We use this information solely to create and authenticate your VAI account. We do not request offline access, refresh tokens, or any Google API scopes beyond basic profile (name, email, picture). You can revoke VAI's access to your Google account at any time at myaccount.google.com/permissions.
    • Service information: branch of service, service dates, and military occupation code (MOS/rating/AFSC) that you enter to personalize your analysis.
    • Medical and service records: documents you upload for analysis (service treatment records, VA medical records, DD-214, C&P exam reports, and similar files).
    • Symptom and condition responses: answers you provide during the symptom confirmation and condition interview steps.
    • Communications: messages you send us through the contact form or by email.

    We also collect certain information automatically when you use the service:

    • Usage data: which features you use, when you complete a scan, whether you reached the strategy page — tracked using counts, booleans, and UUID references only. Medical text, file names, extracted evidence, and diagnosis content are never stored in analytics systems.
    • Log data: IP address, browser type, pages visited, and timestamps. Document access logs record file UUID and byte counts only — no filenames or record text.

    2. How We Use Your Information

    We use the information we collect to:

    • Provide, operate, and improve the VAI service.
    • Analyze your uploaded records against VA rating criteria and generate personalized documentation.
    • Send you transactional emails (account confirmation, password reset, billing receipts).
    • Respond to your comments, questions, and requests.
    • Monitor and analyze usage patterns to improve the product.
    • Detect, investigate, and prevent fraudulent transactions and other illegal activities.

    We do not use your medical records or extracted health information to train AI models. AI processing is performed via API calls to third-party providers; your records are not retained by those providers beyond the duration of the request.

    3. How We Store and Protect Your Information

    Medical record files are stored in a private, encrypted object storage bucket — never in a publicly accessible location. All data is encrypted at rest using AES-256 and in transit using TLS 1.2+.

    Your data stays in the United States. Records and account data are stored on US-based infrastructure, and AI analysis is performed only by US-hosted models — our inference gateway blocks routing to non-US models. Your medical content is never sent overseas for processing.

    We never expose a permanent public link to your files. Document access is gated by an ownership check on the server, so a file is served only to the account that owns it. Packet exports use short-lived signed URLs that expire after 5 minutes.

    Every row in our database is protected by row-level security policies. Your records, conditions, drafts, and documents are accessible only to your authenticated account. No other user can read your data through the application API.

    HIPAA position. VAI is not a HIPAA covered entity or business associate. Medical records you upload that originated from HIPAA-covered providers (such as VA medical facilities or civilian clinicians) are treated as your personal records under this Privacy Policy once they are in your possession and uploaded to VAI. We protect them with the security controls described above, but VAI does not assume HIPAA covered-entity obligations.

    Breach notification. If a security incident materially affects the confidentiality of your personal information, we will notify affected users within 72 hours of confirmed discovery, in accordance with applicable law. Notification will be sent to the email address on file for your account.

    4. Sharing of Information

    Selling or sharing your data is not our business — and it never will be. We do not sell, trade, rent, or share your personal information with any third party for their own use, advertising, profit, or AI training. The only outside parties that ever touch your data are the service providers we use to operate VAI — each acting strictly on our behalf, under contract, and only to deliver the Service to you. We share information solely in these limited circumstances:

    • Service providers: We use Supabase for database, file storage, authentication, and edge-function compute; Vercel for application hosting and CDN; Stripe for payment processing; OpenRouter as the gateway routing AI inference requests to upstream model providers; Resend for transactional email (account, billing, deadline reminders); and Loops for product email (announcements, account-event notifications). Each processes data on our behalf under their own privacy and security policies. The current sub-processor list is maintained on our Trust & Security page.
    • Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
    • Business transfers: If VAI is acquired or merged, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

    5. Data Retention

    We retain your account information and uploaded documents for as long as your account is active or as needed to provide the service. You may delete individual documents at any time from the Account page. You may request deletion of your entire account and associated data by contacting us at the address below.

    Uploaded medical and service records, generated drafts, and analysis outputs follow the access-window deletion policy described on the Pricing page: after your paid access window (Plus or Pro) ends, hosted records and outputs are deleted unless you have purchased a Secure Archive add-on (6 or 12 months). Your account itself, including your service-history entries, remains until you request deletion.

    6. Your Rights and Choices

    Depending on your location, you may have the right to:

    • Access the personal information we hold about you.
    • Request correction of inaccurate data.
    • Request deletion of your data.
    • Object to or restrict certain processing of your data.
    • Receive a copy of your data in a portable format.

    To exercise any of these rights, please contact us using the information in Section 9 below. We will acknowledge verified requests within 7 days and complete them within 30 days, except where a longer period is permitted by applicable law (in which case we will tell you why and when to expect completion).

    California residents (CCPA/CPRA). If you are a California resident, you have the rights above plus the right to know what personal information we collect and how we use it, and the right not to be discriminated against for exercising your privacy rights. Do Not Sell or Share My Personal Information: we do not sell your personal information, and we do not share it for cross-context behavioral advertising — so there is nothing to opt out of. We will never sell or share your medical records or personal data; it is simply not our business model. To exercise your California rights, contact us at the email in Section 9.

    7. Cookies and Tracking

    We use essential cookies to maintain your login session. We record internal product-analytics events (which features you use, when you complete a scan, whether you reached the strategy page) to our own database for product improvement — these events are PHI-safe (counts, booleans, and UUID references only; no medical text or filenames). We do not currently load third-party analytics SDKs (no PostHog, no Google Analytics, no advertising or cross-site tracking cookies). If this changes, we will update this policy and notify users.

    8. Children's Privacy

    VAI is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete that information promptly.

    9. Contact Us

    If you have questions about this Privacy Policy or our data practices, please contact us at:

    Veterans AI
    [email protected]
    or via our contact form

    10. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated "Last updated" date. Your continued use of the service after any changes constitutes your acceptance of the new policy.

    Change history

    • May 30, 2026: Added a California (CCPA/CPRA) rights section with a "Do Not Sell or Share" statement; added a US data-residency statement; published a direct contact email; clarified our commitment never to sell or share your data; corrected the description of how medical files are accessed.
    • May 23, 2026: Initial published version.

    This Privacy Policy is provided for informational purposes. VAI is an educational preparation tool and is not affiliated with the U.S. Department of Veterans Affairs.

    VAI is not a VA-accredited representative.

    VAI is educational software. We are not attorneys, claims agents, or Veterans Service Organization (VSO) representatives accredited by the U.S. Department of Veterans Affairs under 38 U.S.C. § 5901. We do not prepare, present, or prosecute claims on your behalf, and we do not represent you before the VA, the Board of Veterans' Appeals, or the Court of Appeals for Veterans Claims.

    You file your claim directly on VA.gov — or with a VA-accredited representative. Free accredited help is available: find a representative on VA.gov.

    Educational preparation tool only. Not legal or medical advice. Not affiliated with the VA.