Privacy Policy
Last updated: January 2025
VA Record Ready ("we," "us," or "our") is committed to protecting your privacy and the security of your personal and medical information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
1. Information We Collect
Account Information
When you create an account, we collect:
- Name
- Email address
- Password (stored in hashed form)
- Phone number (optional, for multi-factor authentication)
Medical Records
When you use our Service, you upload medical records, which may include:
- Protected Health Information (PHI)
- Service treatment records
- VA medical center records
- Private medical provider records
- Diagnostic test results
Automatically Collected Information
We automatically collect limited technical information:
- IP address (for security purposes)
- Browser type and version
- Pages visited and actions taken within the Service
- Date and time of access
2. How We Use Your Information
We use your information solely for providing and improving our Service:
- Service Delivery: To organize and analyze your medical records as requested
- Account Management: To create and maintain your account
- Communication: To send service-related notifications, updates, and support responses
- Security: To protect against unauthorized access and detect potential threats
- Improvement: To improve our Service based on usage patterns (using aggregated, de-identified data only)
3. PHI Safeguards
We implement comprehensive security measures to protect your Protected Health Information:
Encryption
- In Transit: All data transmitted to and from our Service uses TLS 1.2 or higher encryption
- At Rest: All stored data is encrypted using AES-256 encryption
Access Controls
- Role-based access controls limit who can view your data
- Multi-factor authentication is available for user accounts
- Employee access is limited to those who need it to provide the Service
Audit Logging
- All access to PHI is logged
- Logs include who accessed data, when, and what actions were taken
- Regular security audits are conducted
Infrastructure Security
- All data is stored on Amazon Web Services (AWS) infrastructure
- AWS data centers are SOC 2 Type II certified
- Data remains within the United States
4. Third-Party Service Providers
We use the following third-party services to operate our Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, and hosting | All Service data (encrypted) |
| Amazon Bedrock | AI-powered document analysis | Medical records for analysis (processed within AWS, not retained by the AI service) |
These providers are contractually obligated to protect your information and may only use it to provide services to us.
5. Data Retention
We retain your information as follows:
- Account Information: Retained while your account is active and for 7 years after deletion
- Medical Records: Retained for 7 years from the date of service to comply with healthcare record retention requirements
- Audit Logs: Retained for 7 years for compliance purposes
The 7-year retention period aligns with VA record-keeping requirements and allows you to access your organized records for future claims or appeals.
You may request earlier deletion of your medical records, and we will accommodate such requests unless retention is required by law.
6. Your Rights
You have the following rights regarding your information:
- Access: You may request a copy of the personal information we hold about you
- Correction: You may request correction of inaccurate information
- Deletion: You may request deletion of your account and associated data, subject to retention requirements
- Download: You may download your organized files at any time through your account
- Restriction: You may request that we limit processing of your information in certain circumstances
To exercise these rights, contact us at contact@varecordready.com. We will respond to requests within 30 days.
7. Cookies and Tracking
We use minimal cookies necessary for the Service to function:
- Authentication Cookies: To keep you logged in securely
- Session Cookies: To maintain your session state
- Security Cookies: To help protect against unauthorized access
We DO NOT use:
- Third-party advertising cookies
- Social media tracking pixels
- Cross-site tracking technologies
You can configure your browser to reject cookies, but this may prevent you from using the Service.
8. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will delete that information promptly.
If you believe a child has provided us with personal information, please contact us at contact@varecordready.com.
9. Security Breach Notification
In the unlikely event of a data breach affecting your personal information:
- We will notify affected users within 72 hours of discovering the breach
- We will notify relevant regulatory authorities as required by law
- We will provide information about what data was affected and steps you can take
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last updated" date at the top of this page
- For material changes, we will notify you via email
- We encourage you to review this policy periodically
Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
11. Contact Information
For questions about this Privacy Policy or our data practices, please contact us:
Email: contact@varecordready.com
For privacy-related requests, please include "Privacy Request" in your email subject line.