PRIVACY POLICY
Last Updated: March 12, 2026
This Privacy Policy (“Policy”) is entered into by and between you (“User,” “you,” or “your”) and PatriotClaims LLC, a Texas limited liability company with its principal place of business located at 14205 Burnet Road, Suite 570, PMB 553893, Austin, Texas 78728-6529 (“Company,” “we,” “us,” or “our”). This Policy governs the collection, use, processing, storage, disclosure, and protection of Personal Information (as defined herein) in connection with your access to and use of the VetClaims.ai platform, including but not limited to the website located at https://vetclaims.ai/, any mobile applications (iOS and Android), application programming interfaces (APIs), and all related services, features, content, and functionality (collectively, the “Platform” or “Services”).
By accessing, browsing, registering for, or using the Platform in any manner, you acknowledge that you have read, understood, and agree to be bound by this Policy and our Terms of Service, which is incorporated herein by reference. If you do not agree to the terms of this Policy, you must immediately cease all use of the Platform and Services.
I. RECITALS AND PURPOSE
A. Company Identity and Mission
PatriotClaims LLC is a United States-based technology company specializing in the development and deployment of artificial intelligence-driven educational tools and resources designed to assist United States military veterans (“Veterans”) in understanding, preparing, and navigating claims for disability compensation and related benefits administered by the United States Department of Veterans Affairs (“VA”). The Company’s mission is to empower Veterans through accessible, accurate, and comprehensive educational resources, thereby enhancing their ability to pursue benefits to which they may be entitled under applicable federal law.
B. Non-Representation Disclaimer
The Company is not a law firm, does not engage in the practice of law, and does not provide legal advice, legal representation, or legal services of any kind. The Company is not accredited by the VA Office of General Counsel as an attorney, agent, claims agent, or Veterans Service Organization (“VSO”) under Title 38 of the Code of Federal Regulations, Part 14 (“38 C.F.R. Part 14”), or any other applicable federal or state regulation or statute. The Services provided by the Company consist solely of educational content, informational resources, and technological tools intended to assist Users in understanding VA disability claims processes and preparing documentation for submission by the User directly to the VA. The Company does not represent Users in any administrative, quasi-judicial, or judicial proceedings before the VA, the Board of Veterans’ Appeals (“BVA”), the United States Court of Appeals for Veterans Claims (“CAVC”), or any other governmental body or tribunal.
C. Scope and Applicability
This Policy applies exclusively to Personal Information collected, processed, and maintained by the Company through the Platform. This Policy does not apply to: (i) information collected or processed by third-party websites, applications, or services that may be linked to or integrated with the Platform (“Third-Party Services”), even if accessed through the Platform; (ii) information processed by the Company on behalf of enterprise clients pursuant to separate data processing agreements; (iii) employment-related Personal Information of Company employees, contractors, or job applicants; or (iv) information subject to separate privacy notices or agreements that expressly supersede this Policy.
II. DEFINITIONS
For purposes of this Policy, the following capitalized terms shall have the meanings ascribed to them below:
“Applicable Data Protection Laws” means all federal, state, local, and international statutes, regulations, directives, and rules governing the collection, use, processing, storage, transfer, disclosure, and protection of Personal Information, including but not limited to: (a) the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”), 42 U.S.C. § 1320d et seq., and its implementing regulations at 45 C.F.R. Parts 160 and 164; (b) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), Cal. Civ. Code §§ 1798.100 et seq.; (c) the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630 et seq.; (d) the Virginia Consumer Data Protection Act (“VCDPA”), Va. Code Ann. §§ 59.1-575 et seq.; (e) the Colorado Privacy Act (“CPA”), Colo. Rev. Stat. §§ 6-1-1301 et seq.; (f) the Connecticut Data Privacy Act (“CTDPA”), Pub. Act No. 22-15; (g) the Utah Consumer Privacy Act (“UCPA”), Utah Code Ann. §§ 13-61-101 et seq.; (h) the Texas Medical Privacy Act, Tex. Health & Safety Code Ann. § 181.001 et seq.; (i) the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq.; (j) the Texas Capture or Use of Biometric Identifier Act (“CUBI”), Tex. Bus. & Com. Code Ann. § 503.001 et seq.; and (k) any other applicable federal, state, or local privacy, data protection, or information security laws, regulations, or standards.
“Biometric Identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, or any other biological or physiological characteristic that can be used alone or in combination with other information to establish individual identity, excluding: (i) a writing sample, written signature, photograph, human biological sample used for valid scientific testing or screening, demographic data, tattoo description, or physical description such as height, weight, hair color, or eye color; (ii) donated organs, tissues, or parts; (iii) blood or serum stored for purposes of medical research; or (iv) information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
“Biometric Information” means information based on an individual’s Biometric Identifier used to identify an individual, regardless of how it is captured, converted, stored, or shared.
“Business Associate” has the meaning ascribed to it in 45 C.F.R. § 160.103, and means a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a Covered Entity that involve the use or disclosure of Protected Health Information.
“Business Associate Agreement” or “BAA” means a written contract between a Covered Entity and a Business Associate, or between a Business Associate and a subcontractor, that satisfies the applicable requirements of 45 C.F.R. §§ 164.314(a) and 164.504(e), governing the use and disclosure of Protected Health Information.
“Covered Entity” has the meaning ascribed to it in 45 C.F.R. § 160.103, and includes health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by HIPAA.
“Personal Information” or “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including but not limited to: (a) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers; (b) commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (c) biometric information; (d) internet or other electronic network activity information, including but not limited to browsing history, search history, and information regarding an individual’s interaction with an internet website, application, or advertisement; (e) geolocation data; (f) audio, electronic, visual, thermal, olfactory, or similar information; (g) professional or employment-related information; (h) education information; and (i) inferences drawn from any of the foregoing to create a profile about an individual reflecting the individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes. Personal Information does not include publicly available information obtained from government records, de-identified or aggregated consumer information, or information excluded from the scope of Applicable Data Protection Laws.
“Protected Health Information” or “PHI” has the meaning ascribed to it in 45 C.F.R. § 160.103, and means individually identifiable health information that is: (a) transmitted by electronic media; (b) maintained in electronic media; or (c) transmitted or maintained in any other form or medium. PHI includes information that relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of health care to an individual; or (iii) the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. PHI includes demographic information and common identifiers such as name, address, birth date, and Social Security number.
“Sensitive Personal Information” means Personal Information that reveals: (a) an individual’s social security, driver’s license, state identification card, or passport number; (b) an individual’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) an individual’s precise geolocation; (d) an individual’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of an individual’s mail, email, or text messages, unless the Company is the intended recipient of the communication; (f) an individual’s genetic data; (g) the processing of Biometric Information for the purpose of uniquely identifying an individual; (h) Personal Information collected and analyzed concerning an individual’s health, sex life, or sexual orientation; or (i) PHI.
III. NOTICE AT COLLECTION
The Company hereby provides notice to all Users, as required by Applicable Data Protection Laws, of the categories of Personal Information that the Company collects, the purposes for which such Personal Information is collected and used, the categories of sources from which such Personal Information is collected, the categories of third parties to whom such Personal Information is disclosed, and the specific pieces of Personal Information that the Company has collected about each User.
A. Categories of Personal Information Collected
The Company collects the following categories of Personal Information from and about Users:
1. Account Registration Data
When a User creates an account on the Platform, the Company collects the following information: (a) full legal name; (b) email address; (c) telephone number; (d) date of birth; (e) username and password credentials; (f) VA file number (if voluntarily provided by User); (g) military service history (including branch of service, dates of service, discharge status, and military occupational specialty, if voluntarily provided); and (h) any other information voluntarily provided by the User during the registration process. If the User elects to register or authenticate using a Third-Party Service (such as Google, Apple, or a social media platform), the Company may receive additional information from such Third-Party Service in accordance with the authorization granted by the User and the Third-Party Service’s privacy policies and terms of service. Such information may include, but is not limited to: (i) the User’s public profile information; (ii) profile image or avatar; (iii) unique identifier assigned by the Third-Party Service; (iv) email address; and (v) any other information that the User has authorized the Third-Party Service to share with the Company.
2. Payment and Financial Data
If the User purchases services offered through the Platform, the Company or its third-party payment processors (including but not limited to Stripe, Inc., Apple Inc., and Google LLC) collect the following payment and financial information:
- credit card or debit card number;
- card verification value (CVV) or card security code;
- billing name and billing address;
- payment transaction history;
- purchase history and enrollment type (Paid-in-Full or Complete Care Payment Plan);
- bank account information, where applicable; and
- any other financial information necessary to process the User’s payment, issue receipts or invoices, process refunds, or evaluate eligibility for any guarantee or refund under the Company’s Guarantee and Refund Policy.
The Company does not directly store complete credit card or debit card numbers; such information is securely transmitted to and stored by the Company’s third-party payment processors in compliance with the Payment Card Industry Data Security Standard (PCI DSS). The Company retains only limited payment information (such as the last four digits of the User’s card number, card type, and expiration date) for the purposes of identifying the User’s payment method and facilitating future transactions authorized by the User. For billing inquiries, Users may contact the Company at [email protected].
3. Communication and Correspondence Data
When a User contacts the Company via email, web form, chat function, telephone, social media platforms, or any other communication channel, the Company collects the following information: (a) the User’s name; (b) email address; (c) telephone number; (d) username or account identifier; (e) the content, substance, and subject matter of the communication; (f) any attachments, files, or documents submitted by the User; (g) the date and time of the communication; and (h) any other information voluntarily disclosed by the User in the course of such communication. The Company may record telephone calls for quality assurance, training, and compliance purposes, and will provide notice and obtain consent as required by applicable law, including but not limited to the federal Wiretap Act, 18 U.S.C. § 2511, and state-specific consent requirements (such as California’s two-party consent law, Cal. Penal Code § 632).
4. Telephone Call Recording Practices
- What Is Recorded. The Company records inbound and outbound telephone calls conducted through its customer support and service channels for quality assurance, staff training, dispute resolution, and legal compliance purposes. Audio is recorded. Video is not captured and is disabled on the Company’s call platform. Recordings may include the User’s name, account information, the substance of the conversation, and any Personal Information voluntarily disclosed by the User during the call. For clarity, the Company’s telephone recording system captures audio only. Video functionality is entirely disabled and no video recording takes place. Users will be notified at the commencement of a recorded call, as required by applicable law, including California’s two-party consent law (Cal. Penal Code § 632) and the federal Wiretap Act (18 U.S.C. § 2511).
- How Recordings Are Used. Call recordings are accessed and reviewed by authorized Company personnel for quality monitoring and training purposes, used to verify the content of conversations in the event of a dispute or complaint, and retained in accordance with the retention schedule set forth in Section III.E. Recordings are not sold to third parties and are not shared with third parties except as required by law or as otherwise disclosed in this Policy.
- Security. Call recordings are stored in encrypted form on secure servers maintained by the Company’s third-party call recording provider. Access to recordings is restricted to authorized Company personnel only, and the Company’s recording provider maintains industry-leading security certifications as further described in Section III.D.1.
- User Rights. Users may request access to, or deletion of, call recordings in which they participated by submitting a request to [email protected]. The Company will honor such requests subject to its legal, regulatory, and contractual retention obligations and the timeframes set forth in Section VII.K.
5. User-Generated Input and Output Data
The Platform enables Users to input text, documents, files, images, audio, video, and other forms of content (“User Input”) for the purpose of receiving AI-generated responses, suggestions, recommendations, analyses, draft documents, or other output (“User Output”). Collectively, User Input and User Output constitute “User Content.” User Content may include, but is not limited to: (a) descriptions of medical conditions, symptoms, diagnoses, treatments, and health history; (b) military service records, personnel files, and performance evaluations; (c) personal statements and narratives; (d) buddy statements and supporting declarations; (e) medical records, including doctors’ notes, diagnostic reports, laboratory results, imaging studies, treatment plans, and prescriptions; (f) correspondence with the VA or other governmental agencies; (g) legal documents, including VA decision letters, rating decisions, and notices of disagreement; (h) financial information; and (i) any other information, data, or materials submitted by the User through the Platform. The Company strongly advises Users NOT to include PHI, Sensitive Personal Information, or Biometric Information in User Input unless the User has executed a separate Business Associate Agreement with the Company and has obtained all necessary consents and authorizations as required by HIPAA and Applicable Data Protection Laws. The Company cannot and does not control or limit the information that Users choose to input into the Platform, and Users bear sole responsibility for ensuring that their use of the Platform complies with all applicable laws, regulations, and professional obligations.
6. Feedback, Ratings, and Survey Data
The Company collects feedback, ratings, evaluations, and responses to surveys voluntarily provided by Users. Such information may include: (a) thumbs-up or thumbs-down ratings of User Output; (b) written comments, suggestions, or critiques regarding the Platform’s functionality, accuracy, usefulness, or performance; (c) responses to user experience surveys, satisfaction questionnaires, or feature requests; (d) bug reports and error notifications; and (e) any other feedback voluntarily submitted by Users for the purpose of improving the Platform.
7. Technical, Usage, and Device Data
The Company automatically collects certain technical and usage information when Users access or interact with the Platform, including but not limited to: (a) Internet Protocol (IP) address and associated geolocation data (city, state, and country, but not precise geolocation unless expressly authorized by the User); (b) device type, model, manufacturer, and unique device identifiers (such as IDFA for iOS devices and Advertising ID for Android devices); (c) operating system type and version; (d) browser type, version, and language settings; (e) internet service provider or mobile carrier; (f) referring and exit pages and URLs; (g) clickstream data, including pages viewed, links clicked, and buttons pressed; (h) date and time stamps of access and interactions; (i) session duration and frequency of visits; (j) search queries entered into the Platform; (k) error logs and diagnostic information; (l) cookies, web beacons, pixels, and similar tracking technologies (as further described in the Company’s Cookie Policy); and (m) any other information collected through automated means.
8. Precise Geolocation Data
The Company may collect precise geolocation data (i.e., location information that identifies a User within a radius of 1,850 feet or less) if the User expressly grants permission through device-level settings or application-level prompts. Precise geolocation data may be used to provide location-based services, such as identifying nearby VA facilities, Veterans service organizations, or accredited representatives. Users may revoke consent for precise geolocation tracking at any time by adjusting their device or application settings. The Company will continue to collect approximate geolocation data (e.g., city or state level) derived from IP addresses regardless of whether precise geolocation tracking is enabled.
9. Biometric Information (If Applicable)
The Company does not currently collect, process, store, or use Biometric Identifiers or Biometric Information for any purpose. In the event that the Company implements biometric authentication, identity verification, or other features requiring the collection or processing of Biometric Information in the future, the Company will: (a) provide clear, conspicuous, and timely notice to Users prior to collecting any Biometric Information; (b) obtain express written consent or opt-in authorization from Users in accordance with the requirements of BIPA, CUBI, and all other Applicable Data Protection Laws; (c) publish a publicly available written policy establishing a retention schedule and guidelines for permanently destroying Biometric Information when the initial purpose for collecting or obtaining such information has been satisfied or within three years of the User’s last interaction with the Company, whichever occurs first; (d) prohibit the sale, lease, trade, or other profit-driven disclosure of Biometric Information; and (e) store, transmit, and protect Biometric Information using the same or greater security measures as the Company uses for other confidential and sensitive information, in compliance with BIPA, CUBI, and industry best practices.
10. Social Media and Public Information
The Company maintains official pages, profiles, and accounts on various social media platforms, including but not limited to Facebook, Instagram, Twitter (X), LinkedIn, YouTube, and other similar services. When a User interacts with the Company’s social media presence by posting comments, sending direct messages, liking, sharing, or otherwise engaging with the Company’s content, the Company may collect the following information: (a) the User’s publicly available profile information, including username, display name, profile picture, and bio; (b) the content of the User’s posts, comments, messages, and interactions; (c) the date and time of such interactions; and (d) any other information made available to the Company by the social media platform in accordance with its terms of service, privacy policy, and the User’s privacy settings. Additionally, the Company may collect publicly available information about Users from publicly accessible sources, including but not limited to government records, public databases, news articles, court filings, and other publicly accessible websites or repositories.
11. Cookies and Similar Tracking Technologies
The Company uses cookies, web beacons, pixels, local storage, and other tracking technologies to collect information about Users’ browsing behavior, preferences, and interactions with the Platform. For detailed information about the Company’s use of cookies and similar technologies, Users should refer to the Company’s Cookie Policy, which is incorporated herein by reference and available at https://vetclaims.ai/cookie-policy.
B. Purposes for Collection and Use of Personal Information
The Company collects, uses, processes, and retains Personal Information for the following legitimate business purposes:
1. Provision and Operation of the Platform and Services
To create, maintain, authenticate, and manage User accounts; to provide access to the Platform and its features, tools, and functionalities; to process User Input and generate User Output; to deliver educational content, resources, templates, guides, and other materials; to enable communication features such as chat, messaging, or support ticketing systems; to process payments, subscriptions, and billing; to fulfill the Company’s contractual obligations to Users under the Terms of Service; and to otherwise provide, operate, maintain, and improve the Platform and Services.
Our artificial intelligence systems are designed to support, not replace, human judgment. All AI-generated suggestions, recommendations, analyses, and draft documents produced by the Platform are advisory in nature only. Human review is required before any output is acted upon, and all final decisions are made exclusively by the User or designated human personnel. The Company does not permit AI systems to make autonomous, binding determinations affecting Users’ rights, benefits, or legal status without human oversight.
2. Customer Support and User Assistance
To respond to User inquiries, requests, comments, questions, complaints, and feedback; to provide technical support, troubleshooting, and assistance; to investigate and resolve User-reported issues, errors, or bugs; to communicate with Users regarding their accounts, transactions, or use of the Platform; and to provide information about changes to the Platform, Services, or policies.
3. Research, Development, and Improvement
To analyze, evaluate, and improve the Platform’s performance, accuracy, functionality, usability, and effectiveness; to conduct research and development activities related to artificial intelligence, machine learning, natural language processing, and related technologies; to identify trends, patterns, and insights regarding User behavior, preferences, and needs; to develop new features, products, services, and offerings; to test, refine, and optimize algorithms, models, and user interfaces; and to enhance the overall User experience. User Content may be used for these purposes in de-identified, aggregated, or anonymized form to the extent permitted by Applicable Data Protection Laws.
4. Security, Fraud Prevention, and Legal Compliance
To monitor, detect, investigate, prevent, and respond to fraud, unauthorized access, security incidents, data breaches, cyberattacks, malicious activity, violations of the Terms of Service or Acceptable Use Policy, and other potentially prohibited, unlawful, or harmful conduct; to enforce the Company’s rights and remedies under applicable agreements and policies; to protect the rights, property, safety, and security of the Company, Users, and third parties; to verify User identity and prevent identity theft or impersonation; to comply with applicable laws, regulations, court orders, subpoenas, legal process, governmental requests, and regulatory obligations; to respond to lawful requests from law enforcement, regulatory agencies, or governmental authorities; to defend against legal claims, investigations, audits, or proceedings; and to satisfy record-keeping, reporting, and disclosure requirements.
5. Marketing, Communications, and User Engagement (With Consent Where Required)
To send Users newsletters, updates, promotional materials, educational content, announcements, surveys, and other communications related to the Platform or Services, provided that Users have opted in to receive such communications or that such communications are otherwise permitted under applicable law (such as transactional or relationship messages); to personalize and tailor content, recommendations, and User experiences based on User preferences, behavior, and demographics; to conduct market research and analyze the effectiveness of marketing campaigns; and to engage with Users on social media platforms. Users may opt out of marketing communications at any time by following the unsubscribe instructions provided in such communications or by contacting the Company at [email protected].
6. Analytics and Business Intelligence
To generate reports, statistics, metrics, and analytics regarding the Platform’s usage, performance, and effectiveness; to assess and monitor key performance indicators, business objectives, and strategic goals; to evaluate return on investment for marketing, development, and operational expenditures; to inform business decisions and strategic planning; and to benchmark the Platform against industry standards and competitors.
7. Legal and Regulatory Obligations Under Veterans’ Benefits Laws
To ensure compliance with all applicable federal laws, regulations, and rules governing the provision of assistance to Veterans in connection with VA disability claims, including but not limited to: (a) 38 U.S.C. § 5904, which prohibits the charging of fees for the preparation, presentation, or prosecution of initial claims for VA benefits unless the party providing such assistance is an attorney, agent, or other person recognized by the VA; (b) 38 C.F.R. § 14.636, which governs the payment of fees for representation by accredited attorneys and agents; and (c) 38 U.S.C. § 5905, which imposes criminal penalties for unauthorized charging of fees or unauthorized representation. The Company disclaims any intent to engage in the unauthorized practice of law or to charge fees in violation of these provisions, as further detailed in Section XI below.
C. Sources of Personal Information
The Company collects Personal Information from the following categories of sources:
- Directly from Users: Information voluntarily provided by Users through account registration, User Input, feedback forms, surveys, communication channels, and interactions with the Platform.
- Automatically from Users’ Devices: Information collected through cookies, web beacons, log files, and other automated tracking technologies when Users access or interact with the Platform.
- Third-Party Services: Information received from Third-Party Services (such as Google, Apple, or social media platforms) when Users elect to authenticate or register using such services, subject to the User’s authorization and the Third-Party Service’s privacy policies.
- Payment Processors: Limited payment-related information received from third-party payment processors (such as Stripe, Apple, or Google) necessary to complete transactions and provide receipts.
- Publicly Available Sources: Information obtained from publicly accessible government records, databases, websites, social media profiles, news articles, and other public sources.
- Business Partners and Affiliates: Information received from the Company’s business partners, affiliates, service providers, or contractors in connection with the provision of Services, subject to contractual confidentiality and data protection obligations.
D. Categories of Third Parties to Whom Personal Information is Disclosed
The Company may disclose Personal Information to the following categories of third parties for the business purposes described in this Policy:
1. Service Providers and Subprocessors
Third-party vendors, contractors, consultants, and service providers that perform functions on behalf of the Company, including but not limited to: cloud hosting providers (e.g., Amazon Web Services, Microsoft Azure, Google Cloud Platform); payment processors (e.g., Stripe, PayPal); customer relationship management platforms (e.g., Salesforce, HubSpot); email delivery and marketing platforms (e.g., Mailchimp, SendGrid); analytics and data intelligence services (e.g., Google Analytics, Mixpanel); customer support and helpdesk platforms (e.g., Zendesk, Intercom); and cybersecurity, fraud prevention, and identity verification services. All service providers and subprocessors are bound by written contracts requiring them to maintain the confidentiality and security of Personal Information, use Personal Information only for the purposes specified by the Company, and comply with Applicable Data Protection Laws.
The Company’s current artificial intelligence service providers include Anthropic, PBC (Claude); OpenAI, LLC (GPT-series models); and Google LLC (Google Cloud AI / Vertex AI). Each provider operates under a data processing agreement with the Company and is contractually prohibited from using User Content or Personal Information submitted through the Platform to train, fine-tune, or otherwise improve its AI models. An updated list of the Company’s AI subprocessors is maintained at https://vetclaims.ai/subprocessors.
None of the Company’s AI service providers — including Anthropic, PBC, OpenAI, LLC, and Google LLC — retain, store, or use User Content or Personal Information submitted through the Platform to train, fine-tune, or otherwise improve their artificial intelligence models. All data transmitted to AI subprocessors is processed transiently solely for the purpose of generating the requested output and is not retained by such providers beyond the period strictly necessary to produce that output.
Telephone call recording, management, and quality assurance services: Aircall SAS (“Aircall”). Aircall maintains SOC 2 Type II certification and is HIPAA compliant. Aircall processes call recordings solely on behalf of the Company and in accordance with a written data processing agreement.
Credential and password management services: 1Password, a product of AgileBits Inc. 1Password is used by Company personnel to securely store and manage access credentials and does not have access to User Personal Information except as strictly necessary to perform its services.
2. Business Associates (for PHI Only)
If the Company processes PHI on behalf of a Covered Entity pursuant to a Business Associate Agreement, the Company may disclose such PHI to its subcontractors or agents (each, a “Business Associate Subcontractor”) solely to the extent necessary to perform the Company’s obligations under the Business Associate Agreement, provided that the Company first enters into a written agreement with each Business Associate Subcontractor that imposes substantially the same obligations on the Business Associate Subcontractor as are imposed on the Company under the Business Associate Agreement and HIPAA.
3. Affiliates and Subsidiaries
The Company’s parent companies, subsidiaries, affiliates, and entities under common ownership or control, for purposes consistent with this Policy, including shared administrative functions, internal research and development, and consolidated reporting.
4. Professional Advisors
Attorneys, accountants, auditors, consultants, and other professional advisors who provide legal, financial, tax, compliance, or strategic advice to the Company, subject to professional duties of confidentiality.
5. Law Enforcement, Regulatory Authorities, and Government Agencies
Federal, state, local, or international law enforcement agencies, regulatory bodies, courts, governmental authorities, or other public officials when the Company is required or authorized to do so by applicable law, legal process (such as subpoenas, court orders, search warrants, or other compulsory disclosures), or governmental request, or when the Company reasonably believes that disclosure is necessary to: (a) comply with legal or regulatory obligations; (b) protect the rights, property, safety, or security of the Company, Users, or the public; (c) detect, prevent, or investigate fraud, security incidents, or other potentially unlawful activity; (d) enforce the Terms of Service or other agreements; or (e) defend against legal claims or proceedings.
6. Business Transaction Parties
In connection with, or during negotiations of, any proposed or actual merger, acquisition, consolidation, restructuring, asset sale, financing, investment, bankruptcy, dissolution, or other transaction or proceeding involving the sale, transfer, divestiture, or disclosure of all or a portion of the Company’s business or assets, Personal Information may be disclosed to prospective or actual purchasers, acquirers, investors, successors, or assigns, subject to confidentiality obligations. In the event of such a transaction, Users will be notified via email or prominent notice on the Platform prior to the transfer of Personal Information, and the transferee will be required to continue to honor the terms of this Policy or provide Users with notice and an opportunity to opt out of any materially different treatment of their Personal Information.
7. Third Parties with User Consent or at User Direction
The Company may disclose Personal Information to third parties when Users explicitly consent to such disclosure or direct the Company to share their information with specific third parties (for example, when a User authorizes the Company to share information with a VSO, attorney, or other representative selected by the User).
8. Other Users (for Publicly Shared Content)
If a User voluntarily posts, shares, or publishes User Content in public forums, community features, or social sharing functions offered through the Platform (if any), such User Content may be visible to other Users or members of the public. Users should exercise caution and discretion when sharing information in public areas of the Platform and should not share PHI, Sensitive Personal Information, or any information they wish to keep private.
E. Retention of Personal Information
The Company retains Personal Information for as long as necessary to fulfill the purposes for which it was collected, as described in this Policy, or as required or permitted by applicable law. Retention periods vary depending on the type of Personal Information, the purpose for which it was collected, and legal, regulatory, operational, and business requirements.
General categories of retention periods include:
- Account Data: Retained for the duration of the User’s active account plus a reasonable period thereafter (typically up to seven years) to comply with legal, tax, and regulatory obligations, resolve disputes, enforce agreements, and maintain business records.
- Payment and Transaction Data: Retained for the duration required by tax, accounting, and financial regulations (typically seven to ten years) and as necessary to process refunds, chargebacks, or billing disputes.
- User Content: Retained for as long as necessary to provide the Services, improve the Platform, or as directed by the User. Users may request deletion of User Content by contacting [email protected], subject to the Company’s legal obligations to retain certain records.
- PHI: If the Company processes PHI as a Business Associate, PHI will be retained in accordance with the applicable Business Associate Agreement, HIPAA requirements (generally six years from the date of creation or the date when last in effect, whichever is later), and state-specific health information retention requirements (such as the Texas Medical Privacy Act’s ten-year retention period for certain health records). Upon termination of the Business Associate Agreement, the Company will, if feasible, return or destroy all PHI in accordance with 45 C.F.R. § 164.504(e)(2)(ii).
- Technical and Usage Data: Typically retained for a period of two years from the date of collection for analytics, troubleshooting, and security purposes, after which such data is anonymized, aggregated, or deleted.
- Marketing and Communication Data: Marketing and Communication Data is retained until the User unsubscribes or opts out. With respect to SMS and text message marketing consent records specifically, the Company retains records of User consent and opt-out status for a period of four (4) years following the date of the User’s opt-out, in accordance with applicable telemarketing regulations and Telephone Consumer Protection Act (TCPA) recordkeeping requirements. All other marketing communication records are retained for a reasonable period following opt-out as necessary to honor the opt-out request and comply with legal obligations.
- Legal and Compliance Records: Retained for as long as necessary to comply with applicable legal, regulatory, and contractual obligations, defend against legal claims, and enforce the Company’s rights.
At the end of the applicable retention period, Personal Information will be securely deleted, destroyed, anonymized, or aggregated in accordance with the Company’s data retention and destruction policies and Applicable Data Protection Laws.
IV. PROTECTION OF PHI AND HIPAA COMPLIANCE
A. HIPAA Status and Business Associate Relationship
The Company acknowledges that certain User Content may constitute Protected Health Information (PHI) as defined under HIPAA. The Company’s obligations with respect to PHI depend on whether the Company acts as a Business Associate under HIPAA.
1. When a Business Associate Agreement is Required
The Company will act as a Business Associate only if: (a) the User is a Covered Entity (such as a health care provider, health plan, or health care clearinghouse) or another Business Associate; and (b) the User and the Company have executed a separate, written Business Associate Agreement that complies with 45 C.F.R. §§ 164.314(a) and 164.504(e). In the absence of an executed Business Associate Agreement, the Company is not a Business Associate and does not assume the obligations of a Business Associate under HIPAA.
2. Prohibition on Inputting PHI Without a Business Associate Agreement
Users who are not Covered Entities or who have not executed a Business Associate Agreement with the Company represent, warrant, and covenant that they will NOT input, upload, transmit, store, or otherwise provide any PHI to the Company through the Platform. If a User inputs PHI without an executed Business Associate Agreement, the User does so at their own risk and in violation of the Terms of Service. The Company expressly disclaims all liability for any unauthorized use, disclosure, breach, or mishandling of PHI that occurs as a result of a User’s failure to comply with this prohibition.
3. Obligations Under an Executed Business Associate Agreement
If a Business Associate Agreement has been executed, the Company agrees to comply with the applicable provisions of HIPAA and the HITECH Act, including but not limited to the following obligations:
- Permitted Uses and Disclosures: The Company shall use and disclose PHI only as permitted or required by the Business Associate Agreement, as required by law, or as otherwise authorized in writing by the User (as the Covered Entity or upstream Business Associate). The Company shall not use or disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 (the Privacy Rule) if done by the User.
- Safeguards: The Company shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, in accordance with 45 C.F.R. §§ 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements), as further described in Section IV.C below.
- Reporting of Security Incidents and Breaches: The Company shall report to the User any Security Incident (as defined in 45 C.F.R. § 164.304) or Breach of Unsecured PHI (as defined in 45 C.F.R. § 164.402) of which the Company becomes aware without unreasonable delay and in no event later than ten (10) business days after discovery of the incident or breach. Such report shall include, to the extent known: (i) a description of the incident or breach; (ii) the date or estimated date of the incident or breach; (iii) the types of PHI involved; (iv) the number of individuals affected; (v) the steps taken or proposed to be taken to mitigate harm; and (vi) contact information for the Company’s designated privacy or security officer. The Company shall cooperate with the User and provide reasonable assistance in connection with any required breach notifications, investigations, or corrective actions.
- Subcontractors: If the Company engages any subcontractors or agents that will have access to or handle PHI, the Company shall enter into a written agreement with each such subcontractor that imposes substantially the same obligations as those imposed on the Company under the Business Associate Agreement and HIPAA.
- Access, Amendment, and Accounting: The Company shall, to the extent required by the Business Associate Agreement and 45 C.F.R. §§ 164.524, 164.526, and 164.528, provide access to, allow amendment of, and provide an accounting of disclosures of PHI in the Company’s possession as necessary to enable the User to fulfill its obligations under the Privacy Rule.
- Compliance with State Laws: In addition to HIPAA, the Company shall comply with state-specific health privacy laws that may be more stringent than HIPAA, including but not limited to the Texas Medical Privacy Act (Tex. Health & Safety Code Ann. § 181.001 et seq.), which imposes additional requirements for the use, disclosure, and protection of protected health information created, received, or maintained by covered entities in Texas.
- Termination and Return or Destruction of PHI: Upon termination, cancellation, expiration, or other conclusion of the Business Associate Agreement or the User’s account, the Company shall, if feasible, return to the User or destroy all PHI in the Company’s possession or control, including all copies and backups, and certify in writing that such return or destruction has been completed. If return or destruction is not feasible (for example, due to technical limitations or legal retention requirements), the Company shall continue to protect the PHI in accordance with the terms of the Business Associate Agreement and HIPAA and shall limit further uses and disclosures to the purposes that make return or destruction infeasible.
B. Disclaimer of Liability for User-Submitted PHI
THE COMPANY STRONGLY ADVISES USERS NOT TO INPUT PHI INTO THE PLATFORM UNLESS A BUSINESS ASSOCIATE AGREEMENT HAS BEEN EXECUTED. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY DISCLAIMS ALL LIABILITY FOR ANY DAMAGES, LOSSES, FINES, PENALTIES, SANCTIONS, LEGAL FEES, OR OTHER COSTS OR EXPENSES ARISING FROM OR RELATED TO: (A) A USER’S INPUT, UPLOAD, TRANSMISSION, OR DISCLOSURE OF PHI WITHOUT AN EXECUTED BUSINESS ASSOCIATE AGREEMENT; (B) ANY BREACH OF PHI CAUSED OR CONTRIBUTED TO BY THE USER’S CONDUCT, NEGLIGENCE, OR FAILURE TO IMPLEMENT APPROPRIATE SAFEGUARDS; (C) ANY INACCURACY, INCOMPLETENESS, OR FALSITY OF PHI PROVIDED BY THE USER; OR (D) ANY VIOLATION BY THE USER OF HIPAA, THE TEXAS MEDICAL PRIVACY ACT, OR ANY OTHER HEALTH PRIVACY LAW. USERS ACKNOWLEDGE AND AGREE THAT THEY BEAR SOLE RESPONSIBILITY FOR ENSURING THAT THEIR USE OF THE PLATFORM COMPLIES WITH HIPAA, PROFESSIONAL LICENSING REQUIREMENTS, AND ALL OTHER APPLICABLE LAWS AND REGULATIONS.
C. Technical and Organizational Measures for Protection of PHI
The Company implements and maintains comprehensive technical and organizational security measures to protect PHI and other Sensitive Personal Information against unauthorized access, use, disclosure, alteration, or destruction, in accordance with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) and industry best practices. These measures include, but are not limited to:
- Encryption: All PHI is encrypted both at rest and in transit. Encryption at rest is achieved through the use of Advanced Encryption Standard (AES) 256-bit encryption. Encryption in transit is achieved through Transport Layer Security (TLS) version 1.3 or higher for all data transmissions over public or untrusted networks.
- Access Controls: The Company enforces role-based access controls (RBAC) to ensure that access to PHI is limited to authorized personnel who require such access to perform their job functions. All access is logged, monitored, and subject to periodic review. The Company requires multi-factor authentication (MFA) for all employees, contractors, and administrators who have access to systems that store or process PHI.
- Audit Logging and Monitoring: The Company maintains comprehensive audit logs of all access to and use of systems that store or process PHI, including user login attempts, file access, data modifications, and system configuration changes. Logs are retained for a minimum of six years and are regularly reviewed for anomalies, suspicious activity, or potential security incidents. The Company employs automated monitoring, intrusion detection systems (IDS), and security information and event management (SIEM) tools to detect and respond to security threats in real time.
- Physical Security: The Company’s servers and data centers are hosted in secure, third-party facilities (such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform) that maintain physical security controls, including 24/7 surveillance, biometric access controls, environmental monitoring, redundant power and cooling systems, and fire suppression systems. Physical access to servers and data storage devices is restricted to authorized personnel only.
- Workforce Training and Confidentiality: All employees, contractors, and agents who have access to PHI are required to complete comprehensive training on HIPAA, the HITECH Act, data privacy, information security, and the Company’s policies and procedures. Training is provided upon hire and annually thereafter. All workforce members are subject to confidentiality agreements and are prohibited from using or disclosing PHI except as necessary to perform their job functions.
- Incident Response and Breach Notification: The Company has established a formal incident response plan that outlines procedures for detecting, investigating, containing, remediating, and reporting security incidents and breaches of PHI. In the event of a confirmed breach, the Company will provide notification to affected Users and individuals in accordance with 45 C.F.R. § 164.410, state breach notification laws, and the terms of any applicable Business Associate Agreement.
- Security Testing and Vulnerability Management: The Company maintains an ongoing security testing and vulnerability management program designed to identify, assess, and remediate security weaknesses in the Platform and supporting systems. This program includes, or is designed to include as it matures, regular vulnerability assessments, security audits, and penetration testing conducted by qualified internal personnel and, where appropriate, qualified third-party cybersecurity firms. The Company also employs automated tools to continuously monitor for security weaknesses. All identified vulnerabilities are prioritized, tracked, remediated, and documented in accordance with industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publication 800-53 security controls.
- Data Minimization and Anonymization: The Company collects and retains only the minimum amount of PHI necessary to provide the Services and fulfill the Company’s legal and contractual obligations. Where feasible, the Company employs de-identification, anonymization, pseudonymization, and aggregation techniques to minimize the risk of re-identification and to protect individual privacy.
- Backup and Disaster Recovery: The Company maintains regular backups of all PHI in geographically diverse locations to ensure business continuity and the ability to restore data in the event of a disaster, system failure, or security incident. Backup data is encrypted and subject to the same access controls and security measures as production data. The Company tests its disaster recovery and business continuity plans on an annual basis to ensure the ability to restore availability and access to PHI within four hours of a disaster or system failure.
- Vendor Management and Due Diligence: The Company conducts comprehensive due diligence and ongoing oversight of all third-party service providers, subprocessors, and vendors that have access to or handle PHI. All such vendors are required to enter into written agreements that impose appropriate data protection, confidentiality, and security obligations consistent with HIPAA and this Policy.
V. COMPLIANCE WITH STATE DATA PRIVACY LAWS
The Company is committed to complying with all state data privacy laws applicable to its operations and User base. This Section provides additional disclosures and information specific to Users residing in jurisdictions with comprehensive data privacy legislation.
A. California Residents (CCPA/CPRA and CIPA)
1. California Consumer Privacy Act (CCPA/CPRA) Disclosures
For Users who are California residents, the Company provides the following additional information and rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”):
- Categories of Personal Information Collected, Disclosed, and Sold or Shared: The Company collects the categories of Personal Information described in Section III.A above. The Company discloses Personal Information to the categories of third parties described in Section III.D above for the business purposes described in Section III.B. The Company does NOT sell Personal Information as defined under the CCPA/CPRA, nor does the Company share Personal Information for cross-context behavioral advertising purposes. Accordingly, California residents are not required to opt out of the sale or sharing of their Personal Information.
- Sensitive Personal Information: The Company collects Sensitive Personal Information as described in the definition of Sensitive Personal Information in Section II above. The Company uses and discloses Sensitive Personal Information only for the purposes permitted under CCPA/CPRA § 1798.121(a), including to perform the services requested by the User, to prevent fraud and security incidents, to verify or maintain the quality of the Platform, and for other purposes specified in this Policy. California residents have the right to limit the Company’s use and disclosure of Sensitive Personal Information to such permitted purposes by submitting a request to [email protected].
- Retention Periods: The Company retains Personal Information for the periods described in Section III.E above.
- Automated Decision-Making Technology (ADMT): Effective January 1, 2027. Pursuant to the California Privacy Rights Act of 2020 (CPRA) and regulations adopted by the California Privacy Protection Agency (CPPA), California residents will have the right, effective January 1, 2027, to opt out of, and to request disclosure regarding, the Company’s use of Automated Decision-Making Technology (ADMT) that produces legal or similarly significant effects concerning such residents. Prior to the effective date of applicable CPPA regulations, the Company will implement all required opt-out mechanisms, access rights, and disclosure obligations, and will update this Policy accordingly. California residents with questions about the Company’s ADMT practices may contact the Company’s Privacy Team at [email protected].
- Rights of California Residents: California residents have the following rights under the CCPA/CPRA:
  - Right to Know: The right to request that the Company disclose the categories and specific pieces of Personal Information the Company has collected about the User, the categories of sources from which such information was collected, the business or commercial purpose for collecting or selling such information, and the categories of third parties with whom the Company shares such information.
  - Right to Delete: The right to request that the Company delete Personal Information that the Company has collected from the User, subject to certain exceptions (such as where retention is necessary to complete a transaction, detect security incidents, comply with legal obligations, or exercise free speech rights).
  - Right to Correct: The right to request that the Company correct inaccurate Personal Information maintained by the Company about the User.
  - Right to Opt Out of Sale or Sharing: The right to opt out of the sale or sharing of Personal Information. As noted above, the Company does not sell or share Personal Information.
  - Right to Limit Use of Sensitive Personal Information: The right to limit the Company’s use and disclosure of Sensitive Personal Information to purposes permitted under CCPA/CPRA § 1798.121(a).
  - Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising any of the above rights under the CCPA/CPRA.
- California “Shine the Light” Law (Cal. Civ. Code §1798.83): Pursuant to California Civil Code §1798.83, commonly known as the “Shine the Light” law, California residents who have provided Personal Information to the Company may request, once per calendar year and free of charge, information regarding the categories of Personal Information (if any) that the Company has disclosed to third parties for those third parties’ direct marketing purposes during the immediately preceding calendar year, together with the names and addresses of such third parties. The Company does not sell or disclose Personal Information to third parties for direct marketing purposes. To submit a Shine the Light inquiry, California residents may contact the Company at [email protected] or by mail at PatriotClaims LLC, 14205 Burnet Road, Suite 570, PMB 553893, Austin, Texas 78728-6529, Attn: Privacy Team.
To exercise any of these rights, California residents may submit a verifiable consumer request by emailing [email protected] or using the online form available at https://vetclaims.ai/privacy-request. The Company will respond to all verified privacy rights requests within forty-five (45) calendar days of receipt. If the Company requires additional time to respond, it will notify you within the initial 45-day period and may extend the response period by an additional forty-five (45) days where reasonably necessary, for a maximum total response period of ninety (90) days.
- Authorized Agents: California residents may designate an authorized agent to submit requests on their behalf. The Company may require proof of the agent’s authorization and verification of the resident’s identity before processing such requests.
- Verification: To protect the privacy and security of Personal Information, the Company will verify the identity of the requesting party before processing requests to know, delete, or correct Personal Information. Verification may require the User to provide information such as name, email address, account credentials, and answers to security questions.
2. California Invasion of Privacy Act (CIPA) Consent
Pursuant to the California Invasion of Privacy Act (Cal. Penal Code §§ 630 et seq.), by accessing or using the Platform, California residents expressly consent to the monitoring, recording, interception, storage, and analysis of their communications, inputs, interactions, and transmissions (including text, voice, and data) with and through the Platform, as described in this Policy and for the purposes outlined herein, including providing, improving, securing, and operating the Platform and Services. This consent applies to all processing activities conducted by the Company and its third-party service providers and subprocessors engaged by the Company. California residents may revoke this consent at any time by ceasing use of the Platform and contacting the Company at [email protected] to request deletion of their account and Personal Information. The Company does not intercept communications for unlawful purposes, and all monitoring and recording activities are conducted in compliance with applicable law.
B. Virginia Residents (VCDPA)
For Users who are Virginia residents, the Company provides the following additional information and rights under the Virginia Consumer Data Protection Act (“VCDPA”):
1. Rights of Virginia Residents
Virginia residents have the following rights under the VCDPA:
- Right to Access: The right to confirm whether the Company is processing Personal Data about the User and to access such Personal Data.
- Right to Correct: The right to correct inaccuracies in Personal Data maintained by the Company about the User.
- Right to Delete: The right to request deletion of Personal Data provided by or obtained about the User, subject to certain exceptions.
- Right to Data Portability: The right to obtain a copy of Personal Data in a portable and, to the extent technically feasible, readily usable format.
- Right to Opt Out: The right to opt out of the processing of Personal Data for purposes of targeted advertising, the sale of Personal Data, or profiling in furtherance of decisions that produce legal or similarly significant effects. The Company does not engage in targeted advertising, sell Personal Data, or conduct profiling for such purposes.
To exercise any of these rights, Virginia residents may submit a request by emailing [email protected]. The Company will respond to all verified privacy rights requests within forty-five (45) calendar days of receipt. If the Company requires additional time to respond, it will notify you within the initial 45-day period and may extend the response period by an additional forty-five (45) days where reasonably necessary, for a maximum total response period of ninety (90) days.
2. Appeals
If the Company refuses to take action on a request submitted by a Virginia resident, the resident may appeal the decision by submitting a written appeal to [email protected] within a reasonable time after receipt of the Company’s decision. The Company will respond to the appeal within sixty (60) days of receipt. If the appeal is denied, the Company will provide the resident with information about how to contact the Virginia Attorney General to submit a complaint.
C. Colorado Residents (CPA)
For Users who are Colorado residents, the Company provides the following additional information and rights under the Colorado Privacy Act (“CPA”), which are substantially similar to the rights provided to Virginia residents under the VCDPA, including the rights to access, correct, delete, obtain a portable copy of Personal Data, and opt out of targeted advertising, sale of Personal Data, and profiling. The Company does not engage in targeted advertising, sell Personal Data, or conduct profiling in furtherance of decisions that produce legal or similarly significant effects concerning Colorado residents. Colorado residents may exercise their rights by emailing [email protected] and may appeal denials of requests in the same manner as Virginia residents.
D. Connecticut Residents (CTDPA)
For Users who are Connecticut residents, the Company provides the following additional information and rights under the Connecticut Data Privacy Act (“CTDPA”), which are substantially similar to the rights provided to Virginia and Colorado residents, including the rights to access, correct, delete, obtain a portable copy of Personal Data, and opt out of targeted advertising, sale of Personal Data, and profiling. The Company does not engage in targeted advertising, sell Personal Data, or conduct profiling in furtherance of decisions that produce legal or similarly significant effects concerning Connecticut residents. Connecticut residents may exercise their rights by emailing [email protected] and may appeal denials of requests in accordance with applicable law.
E. Utah Residents (UCPA)
For Users who are Utah residents, the Company provides the following additional information and rights under the Utah Consumer Privacy Act (“UCPA”), which are substantially similar to the rights provided to Virginia, Colorado, and Connecticut residents, including the rights to access, delete, obtain a portable copy of Personal Data, and opt out of targeted advertising and sale of Personal Data. The Company does not engage in targeted advertising or sell Personal Data. Utah residents may exercise their rights by emailing [email protected].
F. Illinois Residents (BIPA) – Biometric Information Disclosures
The Company does not currently collect, use, store, or disclose Biometric Identifiers or Biometric Information from Illinois residents or any other Users. In the event that the Company implements any feature, functionality, or service that involves the collection, use, storage, or disclosure of Biometric Identifiers or Biometric Information in the future, the Company will, prior to collecting any such information from Illinois residents, comply fully with the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., including but not limited to the following requirements:
- Written Notice and Consent: The Company will provide Illinois residents with clear, conspicuous, and timely written notice that Biometric Identifiers or Biometric Information is being collected, stored, or used, including disclosure of the specific purpose and length of time for which such information will be collected, stored, and used. The Company will obtain written consent (or, in the context of an electronic transaction, consent via an electronic signature or affirmative opt-in) from Illinois residents prior to collecting, capturing, or otherwise obtaining their Biometric Identifiers or Biometric Information.
- Publicly Available Retention and Destruction Policy: The Company will develop, publish, and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying Biometric Identifiers and Biometric Information when the initial purpose for collecting or obtaining such information has been satisfied or within three (3) years of the individual’s last interaction with the Company, whichever occurs first.
- Prohibition on Sale, Lease, or Trade: The Company will not sell, lease, trade, or otherwise profit from Biometric Identifiers or Biometric Information, nor will the Company disclose, redisclose, or otherwise disseminate Biometric Identifiers or Biometric Information to any third party unless: (a) the individual consents to such disclosure; (b) the disclosure is required by law or legal process; (c) the disclosure is necessary to complete a financial transaction requested or authorized by the individual; or (d) the disclosure is made to a service provider performing services on behalf of the Company, provided that such service provider is bound by the same or more stringent obligations as those imposed on the Company by BIPA.
- Standard of Care for Storage and Protection: The Company will store, transmit, and protect Biometric Identifiers and Biometric Information using the same standard of care, and in a manner that is the same or more protective than the manner in which the Company stores, transmits, and protects other confidential and sensitive information, including Personal Information and PHI. At a minimum, such protection shall include encryption, access controls, and reasonable security measures to protect against unauthorized access, disclosure, or misuse.
- Private Right of Action: Illinois residents are hereby notified that BIPA provides a private right of action for aggrieved individuals, allowing them to recover liquidated damages or actual damages (whichever is greater), as well as reasonable attorneys’ fees and costs, in the event of a violation of BIPA by the Company.
G. Texas Residents (CUBI and Texas Medical Privacy Act)
1. Texas Capture or Use of Biometric Identifier Act (CUBI)
The Company does not currently capture or use Biometric Identifiers from Texas residents or any other Users. In the event that the Company captures or uses Biometric Identifiers for a commercial purpose in the future, the Company will, prior to capturing such identifiers from Texas residents, comply fully with the Texas Capture or Use of Biometric Identifier Act (“CUBI”), Tex. Bus. & Com. Code Ann. § 503.001 et seq., including but not limited to the following requirements:
- Notice and Consent: The Company will provide Texas residents with notice that Biometric Identifiers are being captured and will obtain consent from Texas residents before capturing their Biometric Identifiers for a commercial purpose. Notice will include disclosure of the purpose for which the Biometric Identifier is being captured and the length of time the Biometric Identifier will be retained.
- Retention and Destruction: The Company will destroy Biometric Identifiers within a reasonable time, but not later than one (1) year after the date the purpose for which the Biometric Identifier was collected has been satisfied, unless retention is required or permitted by law.
- Security and Confidentiality: The Company will store, transmit, and protect Biometric Identifiers from unauthorized access, disclosure, or misuse using reasonable care and in a manner that is the same or more protective than the manner in which the Company stores, transmits, and protects other confidential and sensitive information.
- Prohibition on Sale or Disclosure: The Company will not sell, lease, or otherwise disclose Biometric Identifiers to third parties for monetary consideration, unless: (i) the individual consents to such disclosure; (ii) the disclosure is required by law or court order; (iii) the disclosure is necessary to complete a financial transaction requested by the individual; or (iv) the disclosure is made to a service provider that is contractually obligated to comply with the same or greater protections as required by CUBI.
- Enforcement: Texas residents are hereby notified that CUBI is enforced exclusively by the Texas Attorney General, and violations may result in civil penalties of up to $25,000 per violation, with no maximum cap.
2. Texas Medical Privacy Act
To the extent that the Company collects, uses, discloses, or maintains protected health information (as defined in the Texas Medical Privacy Act) of Texas residents, the Company will comply with the requirements of the Texas Medical Privacy Act, Tex. Health & Safety Code Ann. § 181.001 et seq., including but not limited to: (a) implementing and maintaining reasonable safeguards to protect the confidentiality and integrity of protected health information; (b) providing notice to affected individuals and the Texas Attorney General in the event of a breach of protected health information; and (c) honoring individual rights to access, amend, and obtain an accounting of disclosures of protected health information.
H. Additional State-Specific Disclosures
The Company monitors developments in state data privacy legislation and will update this Policy as necessary to ensure compliance with new or amended laws. Users residing in states with comprehensive data privacy laws not specifically addressed in this Section (such as Montana, Oregon, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Maryland, Minnesota, Rhode Island, Indiana, Kentucky, or any other state that enacts such laws in the future) are encouraged to contact the Company at [email protected] to inquire about their rights and the Company’s data practices.
VI. COMPLIANCE WITH FEDERAL LAWS GOVERNING ASSISTANCE TO VETERANS
The Company is committed to full compliance with all federal laws, regulations, and rules governing the provision of assistance to Veterans in connection with claims for VA disability benefits. This Section provides detailed disclosures regarding the Company’s compliance with such laws and the limitations on the Services provided by the Company.
A. Non-Accreditation Status
The Company is not accredited by the VA Office of General Counsel as an attorney, agent, claims agent, or Veterans Service Organization (VSO) under Title 38 of the Code of Federal Regulations, Part 14 (“38 C.F.R. Part 14”). Only individuals or organizations accredited by the VA are authorized to represent Veterans in the preparation, presentation, and prosecution of claims for VA benefits and to charge fees for such representation. The Company does not represent Veterans in any capacity and does not engage in any activities that would constitute representation under applicable law.
B. Prohibition on Charging Fees for Initial Claims (38 U.S.C. § 5904 and 38 C.F.R. § 14.636)
Under 38 U.S.C. § 5904 and 38 C.F.R. § 14.636, only accredited attorneys and agents may charge fees for the preparation, presentation, or prosecution of claims for VA benefits, and such fees may be charged only after the VA has issued a decision on the claim (i.e., not for initial claims). Fees for representation in connection with an initial claim are prohibited. Additionally, any fees charged for representation in connection with appeals or post-decision matters must be reasonable and may not exceed 20% to 33.33% of past-due benefits awarded, depending on the stage of the proceeding and whether a direct-pay fee agreement has been executed.
The Company does not charge fees for representation, preparation, presentation, or prosecution of VA claims. The Company charges fees solely for access to the Platform, educational resources, informational content, and technological tools that enable Users to independently understand, prepare, and manage their own VA disability claims. All fees charged by the Company are flat one-time payments for Platform access and are not contingent upon the outcome of any VA claim, the amount of benefits awarded, or any percentage of past-due benefits. Accordingly, the Company’s fee structure does not violate 38 U.S.C. § 5904 or 38 C.F.R. § 14.636.
C. No Representation or Submission of Claims on Behalf of Users
The Company does not represent Users in any proceedings before the VA, the Board of Veterans’ Appeals, the United States Court of Appeals for Veterans Claims, or any other governmental body or tribunal. The Company does not submit claims, appeals, notices of disagreement, supplemental statements, or any other documents or filings to the VA or any other agency on behalf of Users. Users are solely responsible for reviewing, finalizing, and submitting all documents and materials generated by or with the assistance of the Platform. The Company’s Services are strictly limited to providing educational content, informational resources, and technological tools that assist Users in understanding VA claims processes and preparing documentation for their own submission.
D. Unauthorized Practice of Law
The Company is not a law firm and does not engage in the practice of law. The information, tools, templates, guides, articles, and AI-generated outputs provided through the Platform are for general educational and informational purposes only and do not constitute legal advice. Users should not rely on the Platform as a substitute for professional legal advice tailored to their specific circumstances. Users are strongly encouraged to consult with a VA-accredited attorney, agent, or VSO for personalized legal advice and representation in connection with their VA claims.
E. Disclaimer of Guaranteed Outcomes
The Company does not guarantee, warrant, or represent that use of the Platform or Services will result in approval of any VA claim, award of any benefits, or any specific outcome. The VA makes all final determinations regarding eligibility for and amount of benefits, and such determinations are based on the facts, evidence, and applicable law in each individual case.
F. Consultation Services Distinguished from Representation
To the extent that the Company provides educational consultation, guidance, or advice to Users, such services are provided solely for the purpose of educating Users about the VA claims process and do not constitute representation. The Company relies on the opinion issued by the VA Office of General Counsel on April 28, 2004, which clarified that attorneys (and, by extension, other service providers) may charge Veterans for pre-filing consultations without violating the attorney fees limitation contained in 38 U.S.C. § 5904, provided that such consultations do not involve the preparation, presentation, or prosecution of a specific claim. The Company’s Services are designed to fall within this permissible scope of pre-filing consultation and educational assistance.
VII. USER RIGHTS AND CHOICES
Users have certain rights and choices with respect to their Personal Information, as described below. The availability and scope of these rights may vary depending on the User’s jurisdiction of residence and the applicability of Applicable Data Protection Laws.
A. Right to Access
Users have the right to request confirmation of whether the Company is processing their Personal Information and to obtain access to such Personal Information, including the categories and specific pieces of Personal Information collected, the sources from which it was collected, the purposes for which it is used, and the categories of third parties to whom it has been disclosed.
B. Right to Correct or Rectify
Users have the right to request correction or rectification of inaccurate, incomplete, or outdated Personal Information maintained by the Company.
C. Right to Delete or Erase
Users have the right to request deletion or erasure of Personal Information that the Company has collected from or about the User, subject to certain exceptions (such as where retention is necessary to complete a transaction, comply with legal obligations, detect fraud or security incidents, exercise free speech rights, or engage in research in the public interest).
D. Right to Data Portability
In certain jurisdictions, Users have the right to obtain a copy of their Personal Information in a structured, commonly used, and machine-readable format and to transmit such information to another controller without hindrance from the Company.
E. Right to Opt Out of Sale or Sharing
Users have the right to opt out of the sale or sharing of their Personal Information. As noted above, the Company does not sell or share Personal Information, and therefore no opt-out mechanism is required.
F. Right to Limit Use of Sensitive Personal Information
In certain jurisdictions (such as California), Users have the right to limit the Company’s use and disclosure of Sensitive Personal Information to purposes permitted by law. Users may exercise this right by contacting [email protected].
G. Marketing Communications and Opt-In/Opt-Out Rights
You have the right to control how we use your Personal Information for direct marketing purposes, including communications via email, text message (SMS/MMS), phone calls (including automated or pre-recorded calls), and social media messaging or advertising. We will only send you marketing communications through these channels if you have provided affirmative opt-in consent, as required by Applicable Data Protection Laws and other regulations, such as the Telephone Consumer Protection Act (TCPA), the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, and platform-specific rules for social media services (e.g., Meta, X, LinkedIn).
- Opt-In Requirement: Marketing communications will only be sent after you explicitly opt in, such as by checking a box during account registration, subscribing to our newsletter, or providing consent through a dedicated form. We will not use your contact information for marketing without this prior express consent. For text messages and phone calls, consent must be clear and conspicuous, and we will obtain prior express written consent where required by law.
- Opt-Out Rights: You may withdraw your consent and opt out of receiving marketing communications at any time, free of charge, without affecting the lawfulness of processing based on consent before its withdrawal. To opt out:
  - Email: Click the “unsubscribe” link in any marketing email or reply “STOP” to any marketing text message.
  - Text Message: Reply “STOP,” “UNSUBSCRIBE,” or “QUIT” to any marketing text message.
  - Phone Calls: Inform us during the call or contact us at [email protected] to be added to our internal do-not-call list.
  - Social Media: Adjust your preferences through the social media platform’s settings or contact us directly.
  - General Opt-Out: Submit a request via email to [email protected], our online form at https://vetclaims.ai/privacy-request, or by calling (737) 344-4399 (available Monday–Friday, 9 AM–5 PM CST). We will process your opt-out request within ten (10) business days or as required by law (e.g., 15 days under CCPA for certain requests).
- Confirmation and Records: Upon opting in or out, we will send you a confirmation message (where applicable) and maintain records of your consent status in compliance with Applicable Data Protection Laws. Opting out of one type of communication (e.g., email) does not automatically opt you out of others (e.g., text); you must specify or opt out separately if desired.
- Exceptions: These opt-in/opt-out rights do not apply to non-marketing communications, such as transactional messages (e.g., account verification, service updates, or legal notices), which we may send as necessary to provide the Services.
- Third-Party Marketing: If we share your Personal Information with third parties for their direct marketing purposes (subject to your consent where required), those third parties are responsible for providing their own opt-out mechanisms in compliance with law. You may exercise your rights directly with them or contact us for assistance.
We do not sell or share your Personal Information for cross-context behavioral advertising, but if our practices change, we will update this Policy and provide appropriate opt-out options.
6. SMS/Text Message Communications
With your prior express written consent, as required by the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, and applicable regulations, the Company may send you text messages (SMS/MMS) for the following purposes:
- Transactional Messages: account creation confirmations, login verification codes, password reset notifications, billing alerts, and other messages necessary to the administration of your account;
- Claim Status Updates: notifications regarding the status or progress of your VA disability claim preparation activities within the Platform;
- Appointment and Consultation Reminders: reminders regarding scheduled calls, consultations, or other appointments related to your use of the Services; and
- Marketing and Promotional Communications: information about new features, products, services, educational content, and promotional offers (requires a separate, independent opt-in from transactional consent).
Standard message and data rates may apply depending on your mobile carrier and plan. Message frequency varies. You may opt out of SMS communications at any time by replying STOP to any text message sent by the Company, after which you will receive a single confirmation message and no further SMS messages (except as required by law). For assistance, reply HELP or contact [email protected]. Consent to receive SMS messages is not a condition of purchasing or using the Services. SMS consent and opt-out records are retained for four (4) years following the date of opt-out in accordance with the terms of this Privacy Policy.
H. Right to Withdraw Consent
To the extent that the Company’s processing of Personal Information is based on consent, Users have the right to withdraw such consent at any time. Withdrawal of consent will not affect the lawfulness of processing conducted prior to withdrawal.
I. Right to Object to Processing
In certain jurisdictions, Users have the right to object to the Company’s processing of Personal Information for certain purposes, including direct marketing, profiling, and legitimate interests. Users may exercise this right by contacting [email protected].
J. Right to Non-Discrimination
Users have the right not to receive discriminatory treatment for exercising any of the rights described in this Section. The Company will not deny goods or services, charge different prices or rates, provide a different level or quality of goods or services, or suggest that the User will receive a different price, rate, level, or quality of goods or services as a result of exercising any privacy rights.
K. How to Exercise Rights
To exercise any of the rights described in this Section, Users may submit a request by:
- Emailing the Company at [email protected];
- Using the online form available at https://vetclaims.ai/privacy-request; or
- Mailing a written request to: PatriotClaims LLC, Attn: Data Protection Officer, 14205 Burnet Road, Suite 570, PMB 553893, Austin, Texas 78728-6529.
The Company will respond to all verified privacy rights requests within forty-five (45) calendar days of receipt. If the Company requires additional time to respond, it will notify you within the initial 45-day period and may extend the response period by an additional forty-five (45) days where reasonably necessary, for a maximum total response period of ninety (90) days.
L. Verification of Identity
To protect the privacy and security of Personal Information, the Company will verify the identity of the requesting party before processing requests to access, correct, delete, or port Personal Information. Verification may require the User to provide information such as name, email address, account credentials, date of birth, and answers to security questions.
M. Authorized Agents
Users may designate an authorized agent to submit requests on their behalf. The Company may require proof of the agent’s written authorization and verification of the User’s identity before processing requests submitted by authorized agents.
N. Appeals
If the Company denies or partially denies a User’s request, the User may appeal the decision by submitting a written appeal to [email protected] within a reasonable time after receipt of the Company’s decision. The appeal must include: (a) sufficient information to allow the Company to verify the User’s identity and identify the original request; and (b) a description of the basis for the appeal. The Company will respond to appeals within the time period required by Applicable Data Protection Laws (typically sixty (60) days). If the appeal is denied, the Company will provide information about how to contact the applicable state attorney general or data protection authority to submit a complaint.
VIII. COOKIES AND TRACKING TECHNOLOGIES
The Company uses cookies, web beacons, pixels, local storage, and other tracking technologies to collect information about Users’ browsing behavior, preferences, and interactions with the Platform. For detailed information about the Company’s use of cookies and similar technologies, including the types of cookies used, the purposes for which they are used, and how Users can manage or disable cookies, Users should refer to the Company’s Cookie Policy, which is incorporated herein by reference and available at https://vetclaims.ai/cookie-policy.
Do Not Track Signals: Some web browsers offer a “Do Not Track” (“DNT”) signal that allows Users to indicate their preference not to be tracked online. Because there is no common industry standard or legal definition for DNT signals, the Company does not currently respond to or honor DNT signals or similar mechanisms. The Company will continue to monitor developments in DNT technology and industry standards and may adjust its practices accordingly in the future.
IX. THIRD-PARTY SERVICES AND LINKS
The Platform may contain links to third-party websites, applications, services, or resources (“Third-Party Services”) that are not owned, controlled, or operated by the Company. This Policy does not apply to Third-Party Services, and the Company is not responsible for the privacy practices, data collection, use, or security of Third-Party Services. Users are encouraged to review the privacy policies and terms of service of any Third-Party Services before providing any Personal Information or interacting with such services. The Company does not endorse, warrant, or make any representations regarding Third-Party Services, and Users access and use Third-Party Services at their own risk.
X. CHILDREN’S PRIVACY
The Platform and Services are not directed to, intended for, or designed to be used by individuals under the age of eighteen (18) years (“Minors”). The Company does not knowingly collect, use, or disclose Personal Information from Minors. If the Company becomes aware that it has inadvertently collected Personal Information from a Minor without verifiable parental consent as required by the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501-6506, or other applicable law, the Company will take prompt steps to delete such information from its systems. Parents or legal guardians who believe that the Company has collected Personal Information from a Minor may contact the Company at [email protected] to request deletion of such information.
The Company’s minimum age requirement of eighteen (18) years reflects the Company’s Veteran-focused user base and constitutes a more protective standard than the minimum age of thirteen (13) required under the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, which remains applicable as a legal floor.
XI. INTERNATIONAL DATA TRANSFERS
The Company is based in the United States, and Personal Information collected through the Platform may be transferred to, stored in, and processed in the United States or other countries where the Company, its affiliates, or its service providers maintain facilities or operations. Such countries may have data protection laws that differ from those in the User’s country of residence and may not provide the same level of protection for Personal Information. By accessing or using the Platform, Users consent to the transfer of their Personal Information to the United States and other countries as necessary to provide the Services. The Company implements appropriate safeguards to protect Personal Information transferred across borders, including the use of Standard Contractual Clauses approved by the European Commission, the UK Addendum to the Standard Contractual Clauses, and other transfer mechanisms recognized under Applicable Data Protection Laws.
XII. DATA SECURITY
The Company implements and maintains reasonable and appropriate administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, use, disclosure, alteration, loss, or destruction. These safeguards include, but are not limited to: encryption of data in transit and at rest; secure authentication and access controls; regular security audits, vulnerability assessments, and penetration testing; employee training on data privacy and information security; and incident response and breach notification procedures. However, no method of transmission over the internet or method of electronic storage is completely secure, and the Company cannot guarantee absolute security of Personal Information. Users acknowledge and accept the inherent risks associated with transmitting information over the internet and agree that the Company shall not be liable for any unauthorized access, use, or disclosure of Personal Information resulting from circumstances beyond the Company’s reasonable control, including but not limited to acts of third parties, cyberattacks, or force majeure events.
XIII. CHANGES TO THIS PRIVACY POLICY
The Company reserves the right to modify, amend, or update this Policy at any time in its sole discretion. In the event of material changes to this Policy, the Company will provide notice to Users by: (a) posting a revised version of this Policy on the Platform with an updated “Effective Date” or “Last Updated” date; (b) sending an email notification to the email address associated with the User’s account; or (c) displaying a prominent notice on the Platform. Users are responsible for regularly reviewing this Policy to stay informed of any changes. Continued use of the Platform or Services following notice of changes to this Policy constitutes the User’s acceptance of such changes. If a User does not agree to any changes to this Policy, the User must immediately cease all use of the Platform and Services and may request deletion of their account and Personal Information by contacting [email protected].
Prior versions of this Policy are archived by the Company. Users who wish to review a previous version of this Policy may submit a written request to [email protected], and the Company will provide the requested version within a reasonable time at no charge.
XIV. CONTACT INFORMATION
For questions, comments, concerns, or complaints regarding this Privacy Policy, the Company’s data practices, or the exercise of User rights, please contact:
PatriotClaims LLC
Attn: Data Protection Officer
14205 Burnet Road, Suite 570, PMB 553893
Austin, Texas 78728-6529
Email: [email protected]
Online Form: https://vetclaims.ai/privacy-request
For the fastest response to privacy inquiries or requests, Users are encouraged to email [email protected].
XV. REPORTING CHILD SAFETY ISSUES
To report child safety issues, suspected child abuse, or child sexual abuse material, please contact the Company immediately at https://vetclaims.ai/contact. The Company will promptly investigate all reports and, where required by law, will report suspected child sexual abuse material to the National Center for Missing and Exploited Children (“NCMEC”) in accordance with 18 U.S.C. § 2258A and other applicable federal and state laws.
XVI. SECURITY INCIDENT AND VULNERABILITY REPORTING
The Company is committed to maintaining the security and integrity of the Platform and the Personal Information entrusted to it by Users. If you discover or become aware of any actual or suspected security vulnerability, security incident, data breach, unauthorized access, or other security concern affecting the Platform or the Company’s systems, the Company encourages you to report it promptly to our security team.
To report a security vulnerability or security incident, please contact:
Email: [email protected]
Subject Line: Security Vulnerability Report or Security Incident Report
The Company’s Governance, Risk, and Compliance (GRC) team monitors the [email protected] inbox and will acknowledge receipt of your report within a reasonable timeframe. The Company will investigate all reports in good faith and, where appropriate, take prompt remedial action.
When submitting a report, please include, to the extent possible: (a) a description of the vulnerability or incident; (b) the steps to reproduce or identify the vulnerability, if applicable; (c) the potential impact or affected systems; and (d) your contact information if you wish to receive a response.
The Company requests that you do not publicly disclose any discovered vulnerability until the Company has had a reasonable opportunity to investigate and remediate the issue. The Company does not currently operate a formal bug bounty program, but the Company genuinely appreciates responsible disclosure and the contributions of security researchers to the safety of the Platform.
XVII. STATE-SPECIFIC CONSUMER RIGHTS HOTLINES AND RESOURCES
- California Attorney General – Privacy Enforcement: https://oag.ca.gov/privacy
- Virginia Attorney General – Consumer Protection: https://www.oag.state.va.us/consumer-protection
- Colorado Attorney General – Consumer Protection: https://coag.gov/resources/consumer-protection
- Connecticut Attorney General – Privacy and Data Security: https://portal.ct.gov/AG/Privacy
- Utah Attorney General – Consumer Protection: https://attorneygeneral.utah.gov/consumer-protection
- Illinois Attorney General – Consumer Protection: https://illinoisattorneygeneral.gov/consumers
- Texas Attorney General – Consumer Protection: https://www.texasattorneygeneral.gov/consumer-protection
This Privacy Policy was last updated on March 12, 2026.
© 2026 PatriotClaims LLC. All rights reserved.