Privacy Policy

Last Updated: February 21, 2026 (Rev. 2) | Effective Date: February 20, 2026

1. Information We Collect

1.1 Information You Provide

When you use VA Benefits App, you may provide us with:

• Account Information: Name, email address, and password when you create an account
• Profile Information: Your veteran status, branch of service, service dates, and areas of interest
• Communication Data: Messages you send through our AI chat feature
• Beta Signup Information: First name, last name, email, user type, and current VA disability rating
• Community Content: Posts, replies, and forum content you submit

1.2 Information Collected Automatically

We automatically collect certain information when you use the App:

• Device Information: Device type, operating system, and unique device identifiers
• Usage Data: Features you use, pages you view, and actions you take within the App
• Log Data: IP address, access times, and app crash reports
• Advertising ID (Android): On Android devices, we access the Google Advertising ID (GAID) to enable interest-based ads via Google AdMob. You can reset or opt out of ad personalization in your device settings under Google > Ads. On Android 13+, the app requests the AD_ID permission in accordance with Google Play policy.
• Approximate Location (via AdMob): Our app uses third-party advertising services (AdMob) that may collect and share your approximate location — such as city-level data derived from your IP address — to provide personalized advertisements and analytics. This approximate location data is processed by Google AdMob and is subject to Google's Privacy Policy. We do not independently collect or store your location data.

1.3 Wellness & Mood Journal Data (Health Data)

Specifically regarding your Wellness data:

• What is collected: Daily mood selections (emoji-based 1–5 scale), optional free-text journal entries, and wellness streak counts.
• Where it is stored: Entirely on your device's local storage. It does not leave your device under any circumstances.
• Who can access it: Only you. We cannot access, read, or retrieve your journal entries from our servers because they are never sent to us.
• Not shared with third parties: We do not share, sell, or disclose your mental health logs, mood data, or journal entries with any third party, advertiser, or external service — ever.
• Not for medical purposes: This feature is for personal self-reflection only and does not constitute medical advice, diagnosis, or treatment.

1.4 Information We Do NOT Collect

• Social Security Numbers
• VA file numbers or claim numbers
• Medical records or clinical health information
• Financial account or payment information (managed by Apple/Google)
• Precise GPS location data
• Biometric identifiers
• Your mood journal entries or wellness data (these stay on your device only)

1.5 CCPA Categories of Personal Information We Collect

The following table identifies the categories of personal information we have collected in the last 12 months, mapped to California Consumer Privacy Act (CCPA) categories:

We do not collect categories E (biometric), I (education), or J (sensitive personal information as defined under CPRA) unless separately disclosed.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Personalize your experience and provide relevant benefit guidance
• Process and fulfill beta access requests
• Respond to your questions and provide customer support
• Send you important updates about the App, your account, and launch information
• Analyze usage patterns to improve our AI responses and features
• Protect against fraud and unauthorized access
• Comply with legal obligations
• Enforce our Terms of Service

3. Data Storage and Security

3.1 Data Stored Locally on Your Device

• Your conversation history with the AI assistant
• Your preferences and settings
• Cached benefit information

3.2 Data Stored on Our Servers

• Account credentials (bcrypt-hashed passwords; we cannot read your password)
• Basic profile information for personalization
• Community forum posts
• Anonymous usage analytics

3.3 Security Measures

We implement industry-standard security measures including:

• Encryption of data in transit (TLS 1.2+)
• Encryption of sensitive data at rest
• Bcrypt password hashing
• Regular security updates
• Secure authentication protocols
• Access controls limiting who can access data internally

While we take reasonable steps to protect your information, no method of transmission over the Internet is 100% secure.

4. Data Sharing and Disclosure

We do NOT sell, rent, or trade your personal information to third parties. We do not share your personal information with third parties for cross-context behavioral advertising.

We may share information only in these limited circumstances:

• Service Providers: Trusted vendors under confidentiality agreements who help us operate the App — including cloud hosting (Neon/PostgreSQL infrastructure), and AI services (Anthropic Claude for AI responses). These providers process data only on our behalf and per our instructions.
• Legal Requirements: When required by law, court order, subpoena, or government request
• Safety: To protect the rights, property, or safety of our users or others
• Business Transfers: In connection with a merger, acquisition, or sale of assets (we will notify you before your data is transferred and becomes subject to a different privacy policy)
• With Your Consent: For any other purpose with your explicit consent

5. Your Rights and Choices

You have the following rights regarding your data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete personal data
• Deletion: Request deletion of your account and associated personal data
• Portability: Request your data in a commonly used, machine-readable format
• Opt-Out of Marketing: Unsubscribe from marketing communications at any time using the unsubscribe link in any email or by contacting us
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time (without affecting prior processing)

To exercise these rights, contact us at privacy@vabenefitsapp.com. We will respond within 45 days. California residents have additional rights described in Section 13.

6. Children's Privacy

VA Benefits App is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@vabenefitsapp.com and we will delete that information promptly.

7. Third-Party Services

Our App may link to or integrate with third-party websites or services, including:

• VA.gov and government websites — governed by federal privacy law
• Veterans Service Organizations (VSOs) — independent organizations with their own policies
• Apple App Store / Google Play Store — for subscription billing and app distribution
• Anthropic (Claude AI) — AI response generation; messages may be processed per Anthropic's privacy policy
• Google Fonts — font loading from Google's CDN, subject to Google's privacy policy
• Google AdMob — advertising platform. May access the Advertising ID and approximate location (city-level, derived from IP address) to serve interest-based ads and analytics. We do not independently collect or store your location. Subject to Google's Privacy Policy. You may opt out of personalized ads in your device settings under Google > Ads.
• RevenueCat — subscription management. Processes subscription status and purchase history to validate premium access. Subject to RevenueCat's Privacy Policy.

These third parties have their own privacy policies, and we are not responsible for their practices. We encourage you to review their policies.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods:

• Account data: Retained until account deletion request is fulfilled (within 30 days)
• Beta signup data: Retained until app launch and initial onboarding, then converted to app account data or deleted
• Chat/AI conversation data (local): Stored on your device; you control deletion via app settings
• Server logs: Retained for up to 90 days for security and debugging purposes
• Anonymized analytics: May be retained indefinitely (cannot identify you)
• Legal/compliance records: As required by applicable law

9. Data Deletion Requests

You have the right to request deletion of your personal information at any time. We provide multiple ways to delete your data:

9.1 In-App Account Deletion

Within the VA Benefits App, you can delete your account by navigating to Me > Settings > Account > Delete Account. This will permanently delete your account and all associated personal data from our servers within 30 days.

9.2 Web Deletion Request Form

You can submit an account and data deletion request through our dedicated web form at vabenefitsapp.com/delete-account. Enter the email address linked to your account and submit. We will confirm receipt within 5 business days and complete deletion within 30 days.

9.3 Email Deletion Request

Send a deletion request to support@vabenefitsapp.com with the subject line "Data Deletion Request." Please include the email address associated with your account. We will confirm receipt within 5 business days and complete deletion within 30 days.

9.4 What Gets Deleted

• Your account credentials and profile information
• Email address linked to your account
• Community forum posts (or they may be anonymized)
• Personalization preferences stored on our servers
• Beta signup information

9.5 Deleting Your Mood Journal & Wellness Data

Your mood logs and journal entries are stored only on your device and are fully under your control. You can delete this data at any time by:

• In-App: Navigate to Wellness > Settings > Clear All Journal Data
• Delete Account: Deleting your account via Me > Settings > Delete Account also wipes all local wellness data from your device
• Uninstall the App: Uninstalling the VA Benefits App removes all locally stored data, including journal entries

Because wellness data never reaches our servers, we have no ability to delete it on your behalf — deletion must be performed on your device. If you need assistance, contact support@vabenefitsapp.com.

9.6 What May Be Retained

• Anonymized, non-identifiable analytics data
• Records required for legal compliance
• Backup copies (purged within 90 days)

Local data on your device (conversation history, settings) can be deleted by uninstalling the App or using in-app clear-data options.

10. Data Safety Summary (Google Play)

The following summarizes our data practices as required by Google Play's Data Safety section:

Data collection is required for core app functionality. Mood and wellness data never leaves your device. The Advertising ID is used solely for ad delivery and is not linked to your identity. No data is sold.

11. Sensitive Personal Information

Under California law (CPRA), certain information is classified as "sensitive personal information" and receives heightened protection. Regarding sensitive information:

• Disability rating / veteran health status: You voluntarily provide this to receive relevant benefits guidance. We do not use this for any purpose other than providing the service you request. We do not share this with third parties for non-service purposes.
• Mood & Mental Health Journal Data: Your mood logs and journal entries are classified as sensitive health-related data. As described in Section 1.3, this data is stored exclusively on your device and is never transmitted to us or any third party. We make the following explicit commitments regarding your wellness data:
  • We do not collect, access, or store your mood logs or journal entries on our servers.
  • We do not share your mental health data with any third party — including advertisers, analytics providers, healthcare companies, or government entities — under any circumstances.
  • We do not use your wellness data to train AI models or for any profiling purpose.
  • Your journal data is not linked to your account or any other personally identifiable information on our servers.
• We do not collect Social Security numbers, financial account numbers, precise geolocation, biometric data, or clinical medical records.

11.1 Advertising ID, Ad Personalization & Approximate Location

On Android devices, we access the Google Advertising ID (GAID) through the AD_ID permission to enable interest-based advertising via Google AdMob. The Advertising ID is a resettable, non-permanent identifier. It is not linked to your name, email, or journal data. You can opt out of ad personalization or reset your Advertising ID at any time in your device settings (Google > Ads > "Delete advertising ID" on Android 12+, or "Opt out of Ads Personalization" on earlier versions).

You have the right to direct us to limit the use of your sensitive personal information to only the purposes necessary for providing the service. To exercise this right, contact privacy@vabenefitsapp.com.

12. AI and Automated Processing

VA Benefits App uses artificial intelligence (Anthropic Claude) to generate responses to your questions about VA benefits. Important disclosures about our AI:

• AI responses are generated based on your queries and publicly available VA policy information
• AI responses are for informational purposes only and do not constitute legal, medical, or professional advice
• We do not use AI to make automated decisions that have legal or significant effects on you
• AI responses may occasionally contain errors — always verify important information with official VA sources
• Your queries sent to the AI may be processed by Anthropic per their privacy policy; we have a data processing agreement with Anthropic

13. California Privacy Rights (CCPA/CPRA)

13.1 Right to Know

You have the right to request that we disclose:

• The categories of personal information we collect about you
• The categories of sources from which we collect your personal information
• Our business or commercial purpose for collecting your information
• The categories of third parties with whom we share your information
• The specific pieces of personal information we have collected about you

13.2 Right to Delete

You have the right to request deletion of personal information we have collected about you, subject to certain exceptions (e.g., legal compliance, security). See Section 9 for how to submit a deletion request.

13.3 Right to Correct

You have the right to request that we correct inaccurate personal information we maintain about you. To request a correction, email privacy@vabenefitsapp.com.

13.4 Right to Opt-Out of Sale or Sharing

We do not sell your personal information and do not share it for cross-context behavioral advertising. However, you may still submit an opt-out request. See Section 14.

13.5 Right to Limit Use of Sensitive Personal Information

You have the right to direct us to limit our use and disclosure of sensitive personal information to what is necessary to perform the services you request. Contact us at privacy@vabenefitsapp.com to exercise this right.

13.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not:

• Deny you goods or services
• Charge you different prices or rates
• Provide you a different level or quality of goods or services
• Suggest you will receive a different price or rate or quality of goods or services

13.7 How to Submit a Verifiable Consumer Request

You may submit a request to exercise your California rights by:

• Email: privacy@vabenefitsapp.com with subject line "California Privacy Request"
• In-App: Navigate to Me > Settings > Privacy > Submit Privacy Request

We will verify your identity before processing your request by confirming the email address associated with your account. We will respond within 45 days. If we need additional time (up to 90 days total), we will notify you within the initial 45-day period.

You may make a verifiable consumer request for Right to Know up to twice within a 12-month period at no charge.

13.8 Authorized Agent

You may designate an authorized agent to submit a CCPA request on your behalf. The agent must provide written authorization signed by you, or you must directly confirm the request. We may deny requests from agents who cannot provide sufficient proof of authorization.

13.9 Shine the Light (California Civil Code § 1798.83)

California residents may request information about personal information we have shared with third parties for their direct marketing purposes during the preceding calendar year. We do not share personal information with third parties for their direct marketing purposes, so this law does not require us to provide a list. If you have questions, contact us at privacy@vabenefitsapp.com.

13.10 Categories of Personal Information Disclosed for Business Purposes (Last 12 Months)

We disclosed the following categories of personal information to service providers for business purposes:

• Identifiers (name, email, device ID) — to cloud hosting and AI processing providers
• Internet activity (usage data, crash reports) — to analytics and hosting providers

We did not sell personal information to any third parties in the last 12 months. We did not share personal information for cross-context behavioral advertising.

14. Do Not Sell or Share My Personal Information

Although we do not currently sell or share personal information as defined by CCPA, you may submit an opt-out preference at any time by:

• Email: privacy@vabenefitsapp.com with subject line "Do Not Sell or Share My Personal Information"
• In-App: Me > Settings > Privacy > Data Sharing Preferences

We will honor your request within 15 business days of receipt. We will not ask you to create an account or pay a fee to opt out.

If our data sharing practices change in the future, we will update this Privacy Policy and provide prominent notice before doing so.

15. GDPR — Rights for EEA, UK & Swiss Users

15.1 Data Controller

VA Benefits App acts as the data controller for personal data collected through the App and our website. Our contact for GDPR matters is privacy@vabenefitsapp.com. As we are a U.S.-based application primarily serving U.S. veterans, we do not currently operate a formal EU establishment, but we are committed to honoring GDPR rights for all EEA/UK/Swiss users.

15.2 Lawful Basis for Processing

We process personal data under the following lawful bases:

• Contract (Art. 6(1)(b)): Account registration information (name, email, password) is processed to create and manage your account and deliver the services you requested.
• Legitimate Interests (Art. 6(1)(f)): Device identifiers and anonymized usage analytics are processed to maintain security, fix bugs, and improve the app. We have conducted a balancing test and determined this does not override user rights given the minimal nature of the data.
• Consent (Art. 6(1)(a)): Where we use the Advertising ID (Google AdMob) for personalized advertising, we rely on your consent. You may withdraw consent at any time by resetting or opting out of the Advertising ID in your device settings.
• Legal Obligation (Art. 6(1)(c)): Where we are required by law to process or retain data.

Mood Journal and Wellness data is stored exclusively on your device and is never transmitted to our servers. GDPR does not apply to data we do not process or control.

15.3 Your GDPR Rights

Under GDPR (and UK/Swiss equivalents), you have the following rights:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure / "Right to be Forgotten" (Art. 17): Request permanent deletion of your personal data. Submit via our account deletion form or email privacy@vabenefitsapp.com. Data will be purged within 30 days.
• Right to Restriction of Processing (Art. 18): Request that we restrict how we process your data in certain circumstances.
• Right to Data Portability (Art. 20): Request your data in a structured, commonly used, machine-readable format where technically feasible.
• Right to Object (Art. 21): Object to processing carried out on the basis of legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Rights Related to Automated Decision-Making (Art. 22): We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

To exercise any of these rights, email privacy@vabenefitsapp.com or use our data deletion form. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).

15.4 Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your authority via the EDPB member list. In the UK, the relevant authority is the Information Commissioner's Office (ICO). In Switzerland, it is the Federal Data Protection and Information Commissioner (FDPIC). We encourage you to contact us first so we can resolve your concern directly.

15.5 International Data Transfers

Our servers and primary infrastructure are located in the United States. If you access the App from the EEA, UK, or Switzerland, your personal data may be transferred to and processed in the U.S. At present, U.S. companies are not covered by an adequacy decision equivalent to the EU-U.S. Data Privacy Framework unless self-certified. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission where required for transfers to U.S.-based service providers (such as cloud hosting). You may request a copy of the applicable transfer mechanism by emailing privacy@vabenefitsapp.com.

15.6 Advertising ID & Consent for EEA/UK Users

On Android devices in the EEA and UK, the use of the Advertising ID (GAID) for personalized advertising requires your prior consent under GDPR and the ePrivacy Directive. Where required by applicable law, the app will request your consent before enabling personalized ads. You may withdraw consent at any time by navigating to your device's Google > Ads settings and selecting "Delete advertising ID" or "Opt out of Ads Personalization." Non-personalized ads may still be shown.

VA Benefits App is designed for use within the United States. Our services are intended for U.S. veterans and their families. If you access the App from outside the U.S., please be aware that your information may be transferred to and processed in the United States, where data protection laws may differ from your home country. EEA, UK, and Swiss users should refer to Section 15 for their specific rights and transfer safeguards.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new policy in the App with an updated "Last Updated" date
• Sending an email notification for significant changes to the email address on file
• Displaying a prominent in-app notice for major changes

Your continued use of the App after changes constitute acceptance of the updated policy. If you disagree with changes, you may close your account.

18. Contact Us

If you have questions or concerns about this Privacy Policy, our data practices, or to exercise your privacy rights, please contact us:

• Privacy Requests: privacy@vabenefitsapp.com
• General Contact: hello@vabenefitsapp.com
• Website: vabenefitsapp.com

For CCPA-specific requests, use the subject line "California Privacy Request" and include your account email address.