Privacy Policy
Overview
Claim Recon respects your privacy. This Privacy Policy explains what data we collect, how we store it, and your rights regarding that data.
Data We Collect
The following categories of data may be collected based on what you choose to enter:
- Profile Information
  - Name, military branch, MOS/AFSC/Rating/NEC/SFSC, service dates, claim type
- Service History
  - Deployments, duty stations, combat history, major events
- Health Data
  - Symptoms (severity, frequency, body area), sleep logs, migraine logs, medications, medical visits, exposures, PTSD symptoms
- Claims Data
  - Conditions being claimed, ratings, evidence status, buddy contact info
- Documents
  - User-uploaded evidence files, generated PDFs, form drafts
- AI Interaction Data
  - Prompts sent to AI features and responses received (processed in real-time, not stored on our servers)
- Operational Data
  - Minimal crash/performance metrics, device/OS type (no PII)
- Analytics Data
  - Anonymous usage metrics including AI call counts, page views, feature engagement frequency, and platform type. This data does not include prompt content, personal information, or any text you enter into the app. Analytics are used solely to improve the Service and monitor usage limits.
How Data Is Stored
Your data is stored in our secure cloud database (Supabase PostgreSQL), encrypted at rest and in transit. When you create an account and sign in, your data automatically syncs to the cloud to enable cross-device access and reliable data persistence. Access controls are in place to ensure only you can access your data.
When signed in, your data automatically syncs to the cloud database. This includes conditions, symptoms, medications, medical visits, exposures, service history, and other claim-related data you enter. Sync is automatic and cannot be disabled while signed in. This enables cross-device access and data persistence, so your information is available on both iOS and web.
Claim Recon caches data locally on your device using browser localStorage and IndexedDB to improve performance and enable offline access. Local data is encrypted using AES-256-GCM encryption when a documents passcode is set in Settings. Local caching supplements cloud storage but is not the primary storage method.
Data in transit is encrypted via TLS. Cloud data at rest is encrypted on database servers. You may additionally enable client-side encryption by setting a documents passcode in Settings.
Claim Recon is not a HIPAA-covered entity and does not claim compliance with the Health Insurance Portability and Accountability Act (HIPAA). Claim Recon is not a healthcare provider, health plan, or healthcare clearinghouse as defined by HIPAA. While we implement strong security measures including encryption at rest and in transit, role-based access controls, and audit logging, Claim Recon is a self-service educational tool, not a healthcare provider or claims processor. Do not use Claim Recon as your sole repository for protected health information.
AI Data Processing
When you use AI-powered features, the text you provide is sent to a third-party AI service provider (currently Google Gemini) for processing. This data is:
- (a) Transmitted over encrypted connections (TLS)
- (b) Processed in real-time and not stored by Claim Recon on any server
- (c) Subject to Google's Gemini API Terms of Service
- (d) Never used by Claim Recon for AI model training
- (e) Under Google's paid API terms, your data is not used by Google to train or improve their AI models
Before sending text to our AI provider, Claim Recon automatically strips detectable personally identifiable information (SSNs, phone numbers, email addresses, dates of birth, and street addresses) using pattern-based sanitization. Veteran names are replaced with placeholders before transmission and restored client-side. However, free-text fields may contain information that automated sanitization cannot detect. While we automatically strip common identifiers before processing, we recommend you do not enter your Social Security number, date of birth, or full legal name into AI-powered features.
When you upload documents (such as DD-214s, medical records, C-Files, DBQ forms, or decision letters) for AI analysis, the document file is sent directly to Google Gemini for processing. While Claim Recon applies PII redaction to text-based prompts, uploaded document files are transmitted as-is because binary file contents cannot be pre-screened for PII. Any personally identifiable information visible in the document (names, SSNs, addresses, medical details) will be processed by Google Gemini. A disclosure is displayed on each upload screen prior to submission. Do not upload documents containing information you do not want processed by a third-party AI service.
To improve AI response quality, AI features automatically include relevant data you've logged in the app (such as conditions, symptoms, medications, and service history) as part of the AI prompt. Your name is replaced with '[VETERAN]' before transmission. This contextual data is subject to the same processing and non-retention terms described above.
If you use AI features without creating an account, an anonymous session is created. Because anonymous sessions are not linked to a known identity, data deletion requests cannot retroactively cover anonymous AI usage. To ensure full control over your data, we recommend creating an account before using AI features.
AI features are entirely optional. The app functions fully without them.
Payment Processing
Premium access (Operator at $29.99/month, Annual at $249/year, or Command lifetime at $499) is processed by Stripe, Inc. When you subscribe, Stripe collects and processes your payment information directly. Claim Recon does not collect, store, or have access to your full credit card number, debit card number, or bank account details.
The data shared with Stripe includes your email address and a Claim Recon user identifier to link your purchase to your account. Stripe may collect additional information as described in their Privacy Policy.
We store the following payment-related data in our database: your Stripe customer ID, purchase date, and entitlement status. This data is used solely to determine your access level and is deleted when you delete your account.
On iOS, Premium purchases are processed through Apple's App Store via RevenueCat (in-app purchase management). Apple collects and processes your payment information directly per Apple's terms. RevenueCat manages the purchase lifecycle and syncs your entitlement status. Claim Recon stores your RevenueCat customer ID and entitlement status.
What We Do NOT Do
- We do NOT sell your data to anyone
- We do NOT share your data with third parties for marketing
- We do NOT use your data for targeted advertising
- We do NOT use your data to train AI models
- We do NOT track your browsing activity
- We do not ask for or require your Social Security Number, date of birth, or financial information (if you voluntarily enter such data in free-text fields, you do so at your own risk)
Your Rights
You have the right to:
- ACCESS all your data via the Export feature in Settings
- DELETE all local data from your device
- DELETE your cloud account and all associated data
- PORT your data by exporting to PDF or text format
To exercise these rights, use the Settings page or contact admin@claimrecon.com.
Privacy Rights by State
We strive to honor privacy rights under every applicable U.S. state law. We do not sell personal information. You may exercise any of the rights below by using the Settings page (Export Data, Delete Account) or by contacting admin@claimrecon.com. We will verify your identity using the email tied to your account and respond within 45 days (with one 45-day extension if reasonably necessary, and notice to you).
Other states. If your state has enacted a comprehensive privacy law (including Oregon, Texas, Montana, Tennessee, Indiana, Iowa, Delaware, New Jersey, New Hampshire, or any future law), we will honor equivalent rights upon verified request to the contact email above. Please identify your state of residence so we can route the request correctly.
International Users & Cross-Border Transfers
Claim Recon is operated from the United States. Our primary infrastructure (Supabase database, Vercel hosting, Google Gemini API, Stripe payments, RevenueCat) is located in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States, which may have data-protection laws different from your jurisdiction.
European Economic Area, United Kingdom, and Switzerland. For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as the transfer mechanism for personal data processed by our U.S.-based sub-processors. Where a sub-processor has obtained Data Privacy Framework (DPF) certification (including successor frameworks such as the EU-U.S. DPF and UK Extension), transfers to that sub-processor may additionally rely on the DPF. You may request a summary of the SCCs by contacting admin@claimrecon.com.
GDPR rights. If the General Data Protection Regulation applies to your use of the Service, you have the right to (a) access your personal data, (b) rectification, (c) erasure (right to be forgotten), (d) restriction of processing, (e) data portability, (f) objection to processing, and (g) lodge a complaint with your supervisory authority. Our legal basis for processing is (i) performance of our contract with you (providing the Service), (ii) your consent where required (AI features, marketing communications), and (iii) our legitimate interests in operating, securing, and improving the Service.
Automated decision-making. The Service does not use automated decision-making or profiling that produces legal or similarly significant effects on users. AI-generated suggestions are advisory and always require your review before use.
Children's Privacy
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect data from children under 18.
Data Retention
Local data persists on your device until you delete it. Cloud data persists until you delete your account. Upon account deletion, data is removed from active systems immediately. Encrypted backup remnants may persist for up to 30 days in provider backup systems before automatic purge. Cloud data for accounts inactive for more than 365 days may be automatically deleted as part of our data retention practices.
Third-Party Services
The Service uses:
- Supabase (cloud database and authentication)
- Third-party AI service provider (currently Google Gemini — AI features, optional)
- Stripe (payment processing for Premium purchases)
- Vercel (web hosting and deployment)
- Apple Sign-In (authentication, optional)
- Google Sign-In (authentication, optional)
- RevenueCat (in-app purchase management and entitlement sync on iOS)
- Apple (App Store In-App Purchase processing on iOS)
- You.com Search API (You.com, Inc. — web search for cited AI responses)
Each third-party service has its own privacy policy.
Purpose: Retrieves publicly available web content — including VA.gov pages, Board of Veterans Appeals decisions, Federal Register notices, and published medical research — to provide cited, current reference information in AI-powered features.
Data Sent: Search queries constructed from general VA-related terms extracted from your input. Queries contain ONLY general topic terms (e.g., "VA disability PTSD rating criteria"). No personally identifiable information is included — PII is automatically stripped by our server-side sanitization pipeline before any search query is constructed. Your original input text is never sent to You.com.
Data Received: Publicly available web page titles, URLs, and text snippets. This is the same information available to anyone via a web search.
Data Retention: Under You.com's paid API terms, search queries processed through the paid Search API are not stored or used to train models. Search results are cached on our servers for up to 7 days to reduce redundant API calls and improve response times.
User Control: Search-enhanced features are integrated into existing AI tools. All non-AI tools function without any external API calls. You may use the app's offline/local features without triggering any search requests.
VA Lighthouse Reference APIs
Claim Recon uses two VA Lighthouse API connections for public reference data: VA Benefits Reference Data and VA Forms. These integrations do not require you to connect a VA.gov account, and Claim Recon does not receive VA.gov access tokens, read your eFolder, or pull claim status from VA systems.
Data Received: Public VA reference data such as disability names, diagnostic codes where available, contention types, service branch information, form titles, revision dates, official PDF URLs, and related form metadata.
No VA.gov Credential Storage: Claim Recon does not ask for or store VA.gov, eBenefits, DS Logon, ID.me, or Login.gov credentials for these reference integrations.
Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- (a) Investigate the scope and nature of the breach promptly
- (b) Notify affected users without unreasonable delay via email and/or in-app notification
- (c) Provide details about what information was affected and steps you can take to protect yourself
- (d) Report to relevant state authorities as required by applicable breach notification laws, including the Michigan Identity Theft Protection Act
- (e) Document the incident and remediation steps taken
To report a suspected security incident, contact admin@claimrecon.com.
Changes to This Policy
We may update this Privacy Policy. Each version will be identified by a version number and effective date at the top of this page. Material changes will be communicated through the app and may require re-acceptance of terms. Continued use after notification constitutes acceptance.
Contact
Privacy questions: admin@claimrecon.com
For legal requests: admin@claimrecon.com