Claim Recon - Version 1.4 - Effective April 24, 2026
Claim Recon respects your privacy. This Privacy Policy explains what data we collect, how we store it, and your rights regarding that data.
The following categories of data may be collected based on what you choose to enter:
CLOUD STORAGE: Your data is stored in our secure cloud database (Supabase PostgreSQL), encrypted at rest and in transit. When you create an account and sign in, your data automatically syncs to the cloud to enable cross-device access and reliable data persistence. Access controls are in place to ensure only you can access your data.
DATA SYNC: When signed in, your data automatically syncs to the cloud database. This includes conditions, symptoms, medications, medical visits, exposures, service history, and other claim-related data you enter. Sync is automatic and cannot be disabled while signed in. This enables cross-device access and data persistence, so your information is available on both iOS and web.
LOCAL CACHING: Claim Recon caches data locally on your device using browser localStorage and IndexedDB to improve performance and enable offline access. Local data is encrypted using AES-256-GCM encryption when a documents passcode is set in Settings. Local caching supplements cloud storage but is not the primary storage method.
ENCRYPTION: Data in transit is encrypted via TLS. Cloud data at rest is encrypted on database servers. You may additionally enable client-side encryption by setting a documents passcode in Settings.
HIPAA NOTICE: Claim Recon is not a HIPAA-covered entity and does not claim compliance with the Health Insurance Portability and Accountability Act (HIPAA). Claim Recon is not a healthcare provider, health plan, or healthcare clearinghouse as defined by HIPAA. While we implement strong security measures including encryption at rest and in transit, role-based access controls, and audit logging, Claim Recon is a self-service educational tool, not a healthcare provider or claims processor. Do not use Claim Recon as your sole repository for protected health information.
When you use AI-powered features, the text you provide is sent to a third-party AI service provider for processing. This data is:
PHI SAFEGUARDS: Before sending text to our AI provider, Claim Recon automatically strips detectable personally identifiable information (SSNs, phone numbers, email addresses, dates of birth, and street addresses) using pattern-based sanitization. Veteran names are replaced with placeholders before transmission and restored client-side. However, free-text fields may contain information that automated sanitization cannot detect. While we automatically strip common identifiers before processing, we recommend you do not enter your Social Security number, date of birth, or full legal name into AI-powered features.
DOCUMENT UPLOADS: When you upload documents (such as DD-214s, medical records, C-Files, DBQ forms, or decision letters) for AI analysis, the document file is sent directly to our AI provider for processing. While Claim Recon applies PII redaction to text-based prompts, uploaded document files are transmitted as-is because binary file contents cannot be pre-screened for PII. Any personally identifiable information visible in the document (names, SSNs, addresses, medical details) will be processed by our AI provider. A disclosure is displayed on each upload screen prior to submission. Do not upload documents containing information you do not want processed by a third-party AI service.
CONTEXTUAL DATA INCLUSION: To improve AI response quality, AI features automatically include relevant data you've logged in the app (such as conditions, symptoms, medications, and service history) as part of the AI prompt. Your name is replaced with '[VETERAN]' before transmission. This contextual data is subject to the same processing and non-retention terms described above.
ANONYMOUS USAGE: If you use AI features without creating an account, an anonymous session is created. Because anonymous sessions are not linked to a known identity, data deletion requests cannot retroactively cover anonymous AI usage. To ensure full control over your data, we recommend creating an account before using AI features.
AI features are entirely optional. The app functions fully without them.
Premium access (Operator at $29.99/month, Annual at $249/year, or Command lifetime at $499) is processed by Stripe, Inc. When you subscribe, Stripe collects and processes your payment information directly. Claim Recon does not collect, store, or have access to your full credit card number, debit card number, or bank account details.
The data shared with Stripe includes your email address and a Claim Recon user identifier to link your purchase to your account. Stripe may collect additional information as described in their Privacy Policy.
We store the following payment-related data in our database: your Stripe customer ID, purchase date, and entitlement status. This data is used solely to determine your access level and is deleted when you delete your account.
iOS Purchases: On iOS, Premium purchases are processed through Apple's App Store via RevenueCat (in-app purchase management). Apple collects and processes your payment information directly per Apple's terms. RevenueCat manages the purchase lifecycle and syncs your entitlement status. Claim Recon stores your RevenueCat customer ID and entitlement status.
You have the right to:
To exercise these rights, use the Settings page or contact support@claimrecon.com.
We strive to honor privacy rights under every applicable U.S. state law. We do not sell personal information. You may exercise any of the rights below by using the Settings page (Export Data, Delete Account) or by contacting support@claimrecon.com. We will verify your identity using the email tied to your account and respond within 45 days (with one 45-day extension if reasonably necessary, and notice to you).
California residents have the right to (a) know what personal information we collect, use, disclose, and retain, (b) request deletion of personal information, (c) correct inaccurate personal information, (d) opt out of the sale or sharing of personal information, (e) limit use and disclosure of sensitive personal information, and (f) be free from retaliation for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising. We do not use sensitive personal information for purposes beyond what is reasonably necessary to provide the Service.
Colorado residents have the right to (a) access their personal data, (b) correct inaccuracies, (c) request deletion, (d) data portability, and (e) opt out of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions producing legal or similarly significant effects. We do not engage in targeted advertising, sell personal data, or use automated profiling that produces legal effects. Universal opt-out signals (Global Privacy Control) are honored.
Connecticut residents have the right to (a) confirm whether we process their personal data and access it, (b) correct inaccuracies, (c) request deletion, (d) data portability, and (e) opt out of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions producing legal or similarly significant effects. You may appeal a denial of your request at the contact email above.
Utah residents have the right to (a) access personal data, (b) request deletion, (c) data portability, and (d) opt out of the sale of personal data or targeted advertising. Utah law does not provide a right to correct inaccuracies, but you can correct most data yourself via the Settings page.
Virginia residents have the right to (a) access personal data, (b) correct inaccuracies, (c) request deletion, (d) data portability, and (e) opt out of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions producing legal or similarly significant effects. You may appeal a denial of your request at the contact email above.
Other states. If your state has enacted a comprehensive privacy law (including Oregon, Texas, Montana, Tennessee, Indiana, Iowa, Delaware, New Jersey, New Hampshire, or any future law), we will honor equivalent rights upon verified request to the contact email above. Please identify your state of residence so we can route the request correctly.
Claim Recon is operated from the United States. Our primary infrastructure (Supabase database, Vercel hosting, our AI provider API, Stripe payments, RevenueCat) is located in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States, which may have data-protection laws different from your jurisdiction.
European Economic Area, United Kingdom, and Switzerland. For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as the transfer mechanism for personal data processed by our U.S.-based sub-processors. Where a sub-processor has obtained Data Privacy Framework (DPF) certification (including successor frameworks such as the EU-U.S. DPF and UK Extension), transfers to that sub-processor may additionally rely on the DPF. You may request a summary of the SCCs by contacting support@claimrecon.com.
GDPR rights. If the General Data Protection Regulation applies to your use of the Service, you have the right to (a) access your personal data, (b) rectification, (c) erasure (right to be forgotten), (d) restriction of processing, (e) data portability, (f) objection to processing, and (g) lodge a complaint with your supervisory authority. Our legal basis for processing is (i) performance of our contract with you (providing the Service), (ii) your consent where required (AI features, marketing communications), and (iii) our legitimate interests in operating, securing, and improving the Service.
Automated decision-making. The Service does not use automated decision-making or profiling that produces legal or similarly significant effects on users. AI-generated suggestions are advisory and always require your review before use.
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect data from children under 18.
Local data persists on your device until you delete it. Cloud data persists until you delete your account. Upon account deletion, data is removed from active systems immediately. Encrypted backup remnants may persist for up to 30 days in provider backup systems before automatic purge. Cloud data for accounts inactive for more than 365 days may be automatically deleted as part of our data retention practices.
The Service uses:
Each third-party service has its own privacy policy.
Purpose: Retrieves publicly available web content - including VA.gov pages, Board of Veterans Appeals decisions, Federal Register notices, and published medical research - to provide cited, current reference information in AI-powered features.
Data Sent: Search queries constructed from general VA-related terms extracted from your input. Queries contain ONLY general topic terms (e.g., "VA disability PTSD rating criteria"). No personally identifiable information is included - PII is automatically stripped by our server-side sanitization pipeline before any search query is constructed. Your original input text is never sent to You.com.
Data Received: Publicly available web page titles, URLs, and text snippets. This is the same information available to anyone via a web search.
Data Retention: Under You.com's paid API terms, search queries processed through the paid Search API are not stored or used to train models. Search results are cached on our servers for up to 7 days to reduce redundant API calls and improve response times.
User Control: Search-enhanced features are integrated into existing AI tools. All non-AI tools function without any external API calls. You may use the app's offline/local features without triggering any search requests.
Claim Recon uses two VA Lighthouse API connections for public reference data: VA Benefits Reference Data and VA Forms. These integrations do not require you to connect a VA.gov account, and Claim Recon does not receive VA.gov access tokens, read your eFolder, or pull claim status from VA systems.
Data Received: Public VA reference data such as disability names, diagnostic codes where available, contention types, service branch information, form titles, revision dates, official PDF URLs, and related form metadata.
No VA.gov Credential Storage: Claim Recon does not ask for or store VA.gov, eBenefits, DS Logon, ID.me, or Login.gov credentials for these reference integrations.
In the event of a data breach affecting your personal information, we will:
To report a suspected security incident, contact support@claimrecon.com.
Claim Recon uses browser localStorage and IndexedDB to store your data locally on your device. This is essential for the app to function. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. The local storage is used solely to persist your entered data between sessions. By using the app, you consent to this use of local storage as described in this policy.
We may update this Privacy Policy. Each version will be identified by a version number and effective date at the top of this page. Material changes will be communicated through the app and may require re-acceptance of terms. Continued use after notification constitutes acceptance.
Privacy questions: support@claimrecon.com
Last updated: April 24, 2026
For legal requests: support@claimrecon.com