🛡️

Your security.
Built into everything we do.

You're trusting us with your medical history, your military service record, and your personal health details. We don't take that lightly. Here's exactly how we protect it — no marketing language, no vague promises.

Your claim data belongs to you.

We will never sell it, share it with insurers or attorneys, use it to train AI models, or retain it after you ask us to delete it. This is not buried in a terms of service — it is our operating principle.

How we protect your data

🔐

We never store your password

VA Claim Pilot uses Google OAuth for sign-in. That means your credentials live with Google — one of the most security-hardened systems on the planet. We never see, receive, or store your password. If Google's authentication is good enough for your Gmail and your bank, it's good enough for your VA claim.

🗄️

Your records are locked to your account at the database level

Every table in our database has Row Level Security (RLS) enforced — not just in the app, but at the database engine itself. This means even a bug in our application code cannot return someone else's records. Your data is structurally inaccessible to any other user. This is the same approach used by enterprise financial and healthcare platforms.
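What database-level enforcement of this kind looks like on Supabase's PostgreSQL, as an added illustration rather than VA Claim Pilot's actual schema or policies: the table `claim_records` and its columns are hypothetical, while `auth.uid()`, `auth.users` and the `authenticated` role are the ones Supabase provides. The final query is the check that backs a claim of "every table".

```sql
-- Hypothetical table: the page does not publish its schema.
CREATE TABLE public.claim_records (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id    uuid NOT NULL REFERENCES auth.users (id) ON DELETE CASCADE,
    condition  text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Turn RLS on. With RLS enabled and no policy defined, every row is
-- denied to non-owner roles (default deny).
ALTER TABLE public.claim_records ENABLE ROW LEVEL SECURITY;
-- Apply policies to the table owner as well, not only to other roles.
ALTER TABLE public.claim_records FORCE ROW LEVEL SECURITY;

-- A signed-in user can read only rows whose user_id matches the JWT subject.
CREATE POLICY claim_records_select_own ON public.claim_records
    FOR SELECT TO authenticated
    USING (auth.uid() = user_id);

-- WITH CHECK stops a user from writing a row under someone else's id.
CREATE POLICY claim_records_insert_own ON public.claim_records
    FOR INSERT TO authenticated
    WITH CHECK (auth.uid() = user_id);

-- USING limits which rows can be targeted; WITH CHECK limits the new values.
CREATE POLICY claim_records_update_own ON public.claim_records
    FOR UPDATE TO authenticated
    USING (auth.uid() = user_id)
    WITH CHECK (auth.uid() = user_id);

CREATE POLICY claim_records_delete_own ON public.claim_records
    FOR DELETE TO authenticated
    USING (auth.uid() = user_id);

-- Audit: list tables in the public schema that do NOT have RLS enabled.
-- An empty result is what "every table has RLS" means in practice.
-- Note: superusers and roles with the BYPASSRLS attribute are not subject
-- to policies, so user-facing queries should run as a role without it.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')   -- ordinary and partitioned tables
  AND NOT c.relrowsecurity;
```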

🔒

Encrypted everywhere, all the time

Your data is encrypted at rest using AES-256 — the same standard used by the U.S. Department of Defense. All traffic between your browser and our servers uses TLS (HTTPS), so nothing you submit travels across the internet in plain text. We enforce HTTPS — there is no plain HTTP fallback.

📦

We only collect what your claim needs

We ask for your conditions, symptoms, service history, and supporting details — because that's exactly what's required to build a strong claim packet. We do not collect your Social Security number, financial account information, or any data unrelated to your claim. If we don't need it to help you, we don't ask for it.

🚫

Your data is never sold. Full stop.

We do not sell your data to insurance companies, attorneys, data brokers, advertisers, or anyone else. We do not use your health information to train AI models. We do not share your information with third parties for marketing. Your claim data exists for one purpose: to help you build a stronger VA claim. That's it.

🗑️

You own your data. You can delete it.

You have the right to delete your account and everything associated with it at any time. Email us at info@vaclaimpilot.com and we will permanently remove your data within 30 days. No dark patterns, no "are you sure?" loops, no retention after deletion. When you say delete, we delete.

Built on certified infrastructure

We don't build security from scratch — we run on platforms that have already earned the industry's highest certifications. Their compliance is your protection.

SOC 2 Type 2

Supabase

Our database and authentication infrastructure. SOC 2 Type 2 certified, PostgreSQL-backed, with built-in encryption at rest and row-level security enforcement.

SOC 2 Type 2

Vercel

Our hosting and deployment platform. SOC 2 Type 2 certified, with automatic HTTPS, DDoS mitigation, and global edge infrastructure.

ISO 27001

Google OAuth

Authentication handled entirely by Google. No passwords stored by VA Claim Pilot. Google's security infrastructure protects your sign-in credentials.


What we're still working toward

We believe transparency builds more trust than a polished checklist. Here's what we haven't done yet — and what's on the roadmap:

Independent penetration testing

Planned — scheduled before public launch at scale.

SOC 2 Type 2 certification for VA Claim Pilot itself

On the roadmap. We currently inherit compliance from Vercel and Supabase, but plan to pursue our own certification as the platform grows.

In-app account deletion flow

Currently handled via email request. A self-serve delete button is in development.

Bug bounty program

Planned. Responsible disclosure contact available now at info@vaclaimpilot.com.

A note on HIPAA

VA Claim Pilot is a claim preparation tool, not a healthcare provider or health plan. We are not legally classified as a HIPAA "covered entity." However, because you share sensitive health information with us, we follow HIPAA-inspired data handling practices — minimum necessary collection, access controls, encryption, and strict non-disclosure — as a matter of principle, not just compliance.

If you have questions about how your specific data is handled, email us directly at info@vaclaimpilot.com. We will respond plainly, not with a legal form letter.

Ready to build your claim with confidence?

Your data is protected. Your claim is yours. Let's get started.