2.1 Information You Provide Directly

We collect information that you voluntarily provide when using the Service:

Account Information

• Full name
• Email address
• Password (stored in hashed form)
• Phone number (optional)
• Mailing address (optional, for official correspondence)

Military Service Information

• Branch of service (Army, Navy, Air Force, Marines, Coast Guard, Space Force)
• Component (Active Duty, Reserve, National Guard)
• Rank and pay grade
• Military Occupational Specialty (MOS) / Rating / AFSC
• Service dates (entry and separation)
• Deployment history and locations
• Awards and decorations
• Discharge type and character of service
• DD-214 information (when uploaded)

Medical Documents

• Service Treatment Records (STRs)
• VA medical records
• Private medical records
• Diagnostic test results
• Prescription records
• Nexus letters and medical opinions
• Disability Benefit Questionnaires (DBQs)
• VA decision letters
• DD-214 and other separation documents

User-Generated Content

• Personal statements and narratives you write or generate
• Buddy letter requests and statements
• Chat messages with the AI Veteran Advisor
• Feedback and ratings you provide
• Notes and annotations you add to your document packets

Payment Information

• Credit card information is processed directly by Stripe and never stored on our servers
• Billing address (if provided for payment)
• Transaction history (purchases, credits used, dates)

2.2 Information Collected Automatically

When you access the Service, we automatically collect certain information:

Device and Browser Information

• IP address
• Browser type and version
• Operating system
• Device type (desktop, mobile, tablet)
• Screen resolution
• Time zone
• Language preferences

Usage Information

• Pages visited and features used
• Time spent on pages
• Click patterns and navigation paths
• Date and time of access
• Referring website or source
• Search queries within the Service
• Error logs and crash reports

2.3 Information from Third Parties

We may receive information from third parties:

• Authentication providers: Basic profile information when you sign in through our identity provider (Keycloak)
• Payment processor: Transaction confirmation from Stripe (no full card numbers)
• Analytics providers: Aggregated usage statistics

3.1 Providing the Service

• Process and analyze your uploaded medical documents using AI
• Identify medical conditions mentioned in your records
• Generate personal statements, buddy letters, and document packet materials
• Provide VA decision letter analysis summaries
• Power the AI Veteran Advisor to answer your questions
• Build and organize document packets from your records
• Track packet status and provide updates

3.2 Account Management

• Create and manage your user account
• Authenticate your identity and secure your account
• Process payments and manage your credit balance
• Send account-related communications (confirmations, security alerts)

3.3 Developer Support Contributions

When you send a voluntary contribution via the /support page, we record the transaction (amount, timestamp, Stripe payment intent ID) and — if provided — your name, email, and optional note. Contributions may be made anonymously without an account. Contributor information is used solely to send a receipt and for our internal financial records; we do not publish contributor lists and do not share contributor identities with third parties except as required by law or as needed to process the payment (see Section 5). These contributions are voluntary tips to a for-profit company — they are non-refundable and not tax-deductible.

3.3 Service Improvement

• Analyze usage patterns to improve features and user experience
• Debug errors and fix technical issues
• Train and improve our AI models using anonymized data
• Develop new features based on user needs

3.4 Communications

• Send important service announcements and updates
• Respond to your support inquiries and requests
• Send optional newsletters and educational content (with your consent)
• Notify you of buddy letter requests and submissions

3.5 Legal and Safety

• Comply with applicable laws and regulations
• Respond to legal requests and prevent harm
• Enforce our Terms of Service
• Protect against fraud, abuse, and security threats

4.1 How PII Scrubbing Works

Our document processing pipeline includes multiple layers of privacy protection:

1. Document Upload: Your document is uploaded directly to encrypted storage
2. OCR Processing: Text is extracted from the document using secure OCR services
3. PII Detection: Microsoft Presidio analyzes the text and identifies PII
4. PII Redaction: Identified PII is replaced with generic placeholders (e.g., "[NAME]", "[SSN]")
5. AI Analysis: Only the redacted text is sent to AI services for analysis
6. Results Stored: Analysis results are stored with your original documents for your use

4.2 What Gets Redacted

The following types of PII are automatically identified and redacted before AI processing:

• Full names and partial names
• Social Security numbers (full and partial)
• Dates of birth
• Physical addresses
• Phone numbers
• Email addresses
• Medical record numbers
• Account numbers and financial identifiers
• Driver's license numbers
• Vehicle identification numbers
• IP addresses within documents

4.3 Original Documents

Your original, unredacted documents are stored securely in encrypted storage and are never shared with third-party AI services. The original documents are available only to you through the Service interface.

5.1 Storage Infrastructure

Your data is stored using industry-standard security measures:

• Encryption at Rest: All data is encrypted using AES-256 encryption
• Encryption in Transit: All data transmission uses TLS 1.3
• Cloud Storage: Documents are stored in AWS S3 with server-side encryption
• Database Security: PostgreSQL database with encryption and access controls
• Geographic Location: Data is stored in secure data centers within the United States

5.2 Access Controls

• Role-based access control (RBAC) limits employee access to user data
• Multi-factor authentication required for administrative access
• Access logging and monitoring for all data operations
• Regular access reviews and least-privilege principles

5.3 Security Practices

• Regular security vulnerability scanning
• Dependency scanning for known vulnerabilities
• Container image security scanning
• Incident response procedures and monitoring
• Regular backups with encryption

5.4 Security Incident Response

In the event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours of discovery
• Provide information about the nature and scope of the breach
• Describe steps we are taking to address the breach
• Offer guidance on protective measures you can take
• Report to relevant authorities as required by law

7.1 Active Accounts

While your account is active, we retain all data necessary to provide the Service:

• Uploaded documents and analysis results
• Generated content (personal statements, buddy letters, packets)
• Chat history with AI Veteran Advisor
• Account settings and preferences
• Transaction and credit history

7.2 Account Deletion

When you delete your account or request data deletion:

• Personal data is marked for deletion immediately
• Documents, analyses, and generated content are permanently deleted within 30 days
• Backup copies are purged within 90 days
• Anonymized, aggregated data may be retained for analytics

7.3 Legal Retention

We may retain certain data beyond the standard retention period if required by law, regulation, or legal process, or to resolve disputes or enforce our agreements.

7.4 Inactive Accounts

Accounts that have been inactive for more than two (2) years may be subject to data deletion after providing notice via email. We will attempt to contact you before deleting any data from inactive accounts.

8.1 Access Your Data

You have the right to access all personal data we hold about you. Through your account dashboard, you can:

• View all uploaded documents
• Download your documents and generated content
• View your account information and profile
• View your transaction and usage history

8.2 Correct Your Data

You can update your account information, profile details, and preferences at any time through your account settings. For corrections to processed data or analysis results, please contact us at support@sickcallranger.vet.

8.3 Delete Your Data

You have the right to delete your account and all associated data. You can initiate account deletion through your account settings or by contacting us. Upon deletion:

• Your account will be immediately deactivated
• All personal data will be permanently deleted within 30 days
• This action is irreversible

8.4 Data Portability

You have the right to receive a copy of your data in a structured, commonly used, machine-readable format. You can download your documents directly through the Service. For a complete data export, contact us at support@sickcallranger.vet.

8.5 Opt-Out of Communications

You can opt out of non-essential communications:

• Marketing emails: Click "unsubscribe" in any marketing email
• Notifications: Adjust notification preferences in account settings

Note: You cannot opt out of essential service communications (security alerts, account notifications, Terms updates).

8.6 Restrict Processing

You can request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of data or object to processing. Contact us to make such a request.

9.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.

9.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions provided by law.

9.3 Right to Correct

You have the right to request correction of inaccurate personal information.

9.4 Right to Opt-Out of Sale/Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

9.5 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights.

9.6 How to Exercise Your Rights

To exercise your California privacy rights, contact us at:

• Email: privacy@sickcallranger.vet

We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

9.7 Categories of Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers (name, email, address, phone number)
• Protected classification characteristics (veteran status, disability information)
• Commercial information (purchase history, credits)
• Internet or electronic network activity (usage data, log files)
• Professional information (military service history)
• Sensitive personal information (medical records, Social Security numbers)

12.1 Cookies We Use

We use the following types of cookies:

• Essential Cookies: Required for the Service to function (authentication, security, session management)
• Preference Cookies: Remember your settings and preferences (theme, language, layout)
• Analytics Cookies: Help us understand how users interact with the Service (anonymized usage patterns)

12.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.

12.3 Do Not Track

We currently do not respond to "Do Not Track" browser signals. However, we limit tracking to what is necessary for providing and improving the Service.