Privacy Policy

Last updated: June 19, 2026

Veterans’ Rights is an independent resource — not the VA, not the government, and not a law firm. This policy explains, in plain English, what we collect, why we collect it, who we share it with, how long we keep it, and the choices you have. We try to collect as little as possible, and the most sensitive thing you can store here — your symptom journal — is encrypted on your own device so that we cannot read it.

We wrote this ourselves to match how the site actually works. It is a sincere best effort, not legal advice, and it has not yet been reviewed by a lawyer. If anything here ever conflicts with how the site behaves, the more protective reading wins, and we will fix the wording.

What we collect and why

We try to collect only what we need to run the site and the accounts on it. For each item below, we note why we collect it and the general lawful basis we rely on. (We are not lawyers; we use these terms in their ordinary, plain-English sense.)

• Account information. When you sign in, we store your email address and the basic profile fields returned by your sign-in method. We do not ask for or store a password — you sign in with Google or with an emailed magic link, and your session is kept in a signed cookie (a JWT), not in a server-side session store. Why: to create and secure your account. Basis: performing the service you asked for.
• Billing information (accredited representatives only). If you subscribe as a VA-accredited attorney or claims agent, payments are handled by Stripe. We do not see or store your full card number; Stripe stores it and shares a limited summary with us (such as the last four digits, card brand, and subscription status) so we can manage your account. Veterans never pay and never enter payment information. Why: to provide and bill the professional subscription. Basis: performing a contract and meeting tax and accounting obligations.
• Analytics. We use Google Analytics 4 to understand which pages are used and how the site performs. This involves usage data such as pages viewed, approximate (city-level) location, device and browser type, and identifiers tied to cookies. Why: to understand and improve the site. Basis: our legitimate interest in keeping the site useful; see Cookies and analytics below for how to opt out.
• Symptom journal ciphertext. If you use the journal, what reaches our database is encrypted data only — never your readable entries. See Your encrypted symptom journal below. Why: to store and sync the journal you choose to keep. Basis: performing the feature you asked for.
• Messages you send us. If you contact us, we keep the message and your email so we can reply. Why: to respond to you. Basis: our legitimate interest in supporting users.

How we use your information

We use the information above to create and secure your account, send sign-in links, provide the features you ask for, process and manage accredited-representative subscriptions, respond to your messages, understand and improve how the site is used, and meet our legal, tax, and security obligations. We do not sell your personal information, and we do not put veterans up for auction as “leads.” We do not use your information for advertising, and we do not use the contents of your symptom journal for anything — we cannot, because we cannot read it.

Who we share it with (service providers and subprocessors)

We do not sell your personal information. We do rely on a small set of trusted providers to operate the site. Each receives only the data it needs for its specific role, and each is bound by its own terms and privacy commitments:

• Google (Sign-In / OAuth) — lets you sign in with a Google account.
• Resend — delivers transactional email, including magic-link sign-in emails.
• Stripe — processes accredited-representative subscription billing.
• Supabase — hosts our database, including account records and journal ciphertext.
• Vercel — hosts and serves the website itself.
• Google Analytics 4 — provides aggregate usage analytics.
• Google Places — helps enrich and verify representative listing details.

We may also disclose information if we are required to by law (for example, a valid subpoena or court order), to protect the safety and rights of people or the site, or in connection with a merger, acquisition, or sale of assets — in which case we will require any successor to honor this policy. Even then, we cannot hand over readable journal entries, because we do not have them.

Your encrypted symptom journal

The symptom journal uses a “journal vault” that is encrypted in your browser with a passcode you choose. Your entries are encrypted on your device before they are ever sent to us, so our database stores only ciphertext. We do not have your passcode and cannot read, recover, decrypt, or hand over your readable entries. Because of this, if you lose your passcode, we cannot reset it or restore your entries — they are unrecoverable. This design protects you, but it means the responsibility for remembering your passcode is yours.

Public data on this site

Much of what you read here is built from public records — aggregated, published Board of Veterans’ Appeals decisions and the VA Office of General Counsel accreditation directory. That public material is separate from the personal account data described in this policy, and we treat it as public information rather than as data about you.

How long we keep your data (retention)

We keep account and billing records for as long as your account is active and as needed to meet legal, tax, and accounting obligations after that. Analytics data is retained according to our Google Analytics configuration. Journal ciphertext is kept until you delete it or close your account. Support messages are kept as long as needed to handle your request and our records. When data is no longer needed, we delete or de-identify it.

Your choices and rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. Here is how to exercise the main ones:

• Access, correction, or export. Contact us and we will help you see, correct, or get a copy of the personal information we hold about you.
• Deletion. To delete your account and associated data, contact us. We will verify your request and delete what we are not required to keep by law.
• Opt out of analytics. You can block analytics cookies in your browser settings or install Google’s opt-out browser add-on. Blocking analytics does not affect your ability to use the site.
• Cancel a subscription. Accredited representatives can manage or cancel billing through the Stripe billing portal at any time.

We will not discriminate against you for exercising any of these rights. We respond as required by applicable law.

Cookies and analytics

We use a signed cookie to keep you logged in (this is necessary for the site to work), and Google Analytics 4 uses cookies and similar technologies to measure usage. You can control or block cookies through your browser settings, and you can opt out of Google Analytics specifically using your browser settings or Google’s opt-out browser add-on. Blocking the login cookie may stop you from signing in; blocking analytics cookies will not affect the features you use.

California privacy (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, to request access to it or its deletion, to correct it, and to not be discriminated against for exercising these rights. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. The categories we collect, our purposes, and the providers we share with are described above. To make a request, contact us.

International users

We operate in the United States, and the providers we rely on may process data in the United States and other countries. If you use the site from outside the U.S., you understand that your information will be processed in the U.S., where privacy laws may differ from those where you live. We still apply the practices described in this policy wherever your data is processed.

Children

This site is intended for adults. It is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, please contact us so we can remove it.

Changes to this policy

We may update this policy as the site evolves or as the law requires. When we do, we will revise the “Last updated” date above, and we will provide more prominent notice if the changes are significant.

How to contact us

Questions about privacy, or want to exercise your rights? Please contact us.