Privacy Policy
Last Updated: May 4, 2026 (v2.3). Your privacy is important to us. This policy explains how Veteransition collects, uses, and protects your data across our web application, mobile apps (iOS and Android), Chrome browser extension, and related services.
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, phone number (optional), military branch, rank, years of service, and separation date. This information is essential for personalizing your transition plan.
Transition Data
You voluntarily input transition-related information including:
- Task lists and personal transition plans.
- Goal-setting across Health, Wealth, Career, and Family domains.
- Financial information (income, benefits, expenses).
- Educational and career background.
- Family and household composition.
Device and Usage Information
We collect information about how you use our services:
- Device type, operating system, and unique device identifiers (for mobile app users via Capacitor).
- IP address and general location (country/state level).
- Pages visited, features used, and time spent on each section.
- Analytics data to improve user experience.
International Users
If you are accessing Veteransition from outside the United States, you consent to the transfer, storage, and processing of your data in the United States. Data protection laws may differ from those in your country of residence. By using Veteransition, you acknowledge these differences and accept the terms of this policy.
Payment Information
Veteransition is currently a free service. No payment information is collected. If paid features are introduced in the future, payment will be processed through secure third-party providers, and this policy will be updated accordingly.
2. How We Use Your Data
Your data is used to:
- Deliver the service: Build your personalized transition timeline and provide domain-based accountability tracking.
- Improve the product: Analyze usage patterns to identify features that help veterans most.
- Communicate with you: Send account updates, feature announcements, and service notifications (you can opt out of marketing emails).
- Ensure security: Detect and prevent fraud, abuse, and unauthorized access.
- Comply with law: Respond to legal requests and maintain regulatory compliance.
3. Data Storage and Security
Your data is stored securely on Supabase servers with:
- Encryption in transit using SSL/TLS.
- Encryption at rest provided by our cloud infrastructure provider (AES-256).
- Role-based access controls limiting who can view your data.
- Regular security audits and penetration testing.
- Compliance with industry standards (SOC 2 Type II certification).
Mobile app data (iOS and Android) is synced with the same secure backend. Capacitor handles secure local storage on your device and encrypted transmission to our servers.
3.0a Notepad Client-Side Encryption (V8.1, May 1, 2026)
Notepad entries are encrypted on your device with AES-GCM 256-bit symmetric encryption before they are transmitted to our servers. The per-user encryption key is bound to your authenticated session and is loaded only on devices you have authenticated. Cross-device sync is preserved through the same wrapped-key mechanism. Legacy plaintext entries created before this layer was added are migrated lazily on the next save. The key cache is cleared from your device on sign-out.
3.0b AI Coach Sessions — Persistence Notice (V8.4, May 1, 2026)
Messages you send to the AI Interview Coach and the AI Salary Negotiation Coach are saved as part of your session history so you can review past sessions later. Sessions are stored on our servers under your account, encrypted at rest by our cloud provider, and visible only to you. Personal identifiers (name, email address, phone number) are removed from each message before it is sent to the AI provider, and we do not read these messages.
3.0c Free-Text Keyword Auto-Flag (V8.2, May 1, 2026)
Every free-text input field (Notepad, task descriptions, goal descriptions, AI Interview Coach messages, AI Salary Negotiation Coach messages) runs a client-side keyword check before save and shows you a confirmation prompt if it detects content that looks like medical or sensitive personal information. This is a defense-in-depth measure against accidental Protected Health Information entry; see §4 below.
3.1 Data Retention
We retain your personal data only as long as necessary to provide the Service and fulfill the purposes outlined in this policy:
- Active accounts: Data is retained while your account is active.
- Inactive accounts: Accounts inactive for 12 months may be deleted along with all associated data.
- Deleted accounts: When you delete your account (see Section 6.1), your data is deleted immediately from our production systems. Residual copies may persist in encrypted backups for up to 30 days before being purged.
- Legal retention: Anonymized analytics and data required by law (e.g., financial transaction records) may be retained beyond account deletion.
4. Protected Health Information (PHI) Prohibition
Veteransition is not a medical records system. We do not collect, store, host, or process Protected Health Information (PHI). Do not enter, type, paste, or upload diagnoses, medical conditions, symptoms, medication names or doses, vital signs, treatment plans, mental-health details, therapist or provider information, or any other clinical content into the Notepad, task descriptions, goal descriptions, AI Interview Coach messages, AI Salary Coach messages, or any other free-text input. The application is for transition-planning, fitness, and career-readiness purposes only.
If you accidentally enter PHI, email support@veteransition.com immediately so we can remove the data and document the incident. Continued or repeat violations may result in account suspension. As a defense-in-depth measure, every free-text input field runs a client-side keyword check before save (§3.0c) and shows you a confirmation prompt if it detects content that looks like medical or sensitive personal information.
At signup, every user explicitly acknowledges this prohibition through a separate PHI Warning Acknowledgment consent (versioned and timestamped per the legal-versions registry).
5. Data Sharing
We do not sell or rent your data to third parties. Your transition data is never shared without your explicit consent, except:
- Service providers: Supabase (cloud infrastructure) and analytics platforms that operate under confidentiality agreements.
- Legal requirements: If required by law, court order, or government request.
6. Your Privacy Rights
You have the right to:
- Access: Request a copy of all data we hold about you.
- Correction: Update or correct inaccurate information.
- Deletion: Delete your account and all associated data (see Section 6.1).
- Portability: Download your data in a portable format from Profile Settings.
- Opt-out: Unsubscribe from marketing communications at any time.
To exercise these rights, email support@veteransition.com or use the self-service options in your Profile Settings.
6.1 Account Deletion
You may delete your Veteransition account and all associated data at any time by navigating to Profile Settings → Edit → Delete Account within the app. Before deletion, you will be prompted to download your data. You may also request deletion by emailing support@veteransition.com with the subject line "Account Deletion Request."
Upon account deletion:
- Your account, profile information, transition data, goals, fitness records, notepad entries, interview sessions, and all other user-generated content will be permanently deleted.
- Your authentication credentials will be removed from our systems.
- Local data stored on your device will be cleared.
Retained data: Anonymized, aggregated analytics that cannot identify you. Data required by law (e.g., financial transaction records) may be kept for the legally required period. Residual copies in encrypted backups are purged within 30 days.
7. Cookies and Tracking
We use essential cookies to maintain session security and remember preferences. We do not use tracking pixels or third-party advertising cookies. Mobile app analytics are collected through standard app analytics that respect user privacy.
8. Children's Privacy
Veteransition is not intended for users under 18. We do not knowingly collect data from minors. If we learn we've collected information from a child, we will delete it promptly.
9. AI Features
Veteransition uses Google Gemini to power AI-driven features, including the Interview Coach and Salary Coach. The following practices apply to AI-related data handling:
- Data sent to AI services is anonymized. No personal identifying information is transmitted to Google Gemini.
- Text-to-Speech (TTS) functionality is output-only. No voice input is recorded or processed, and no microphone access is required.
- Users can disable AI features at any time in their profile settings.
9b. Chrome Browser Extension — Data Flow
The Veteransition Chrome browser extension is an optional companion to the web application. The extension's data handling is governed by the same principles as the web application, with the following additional disclosures:
- Page intelligence on `.va.gov` and `.defense.gov` hosts. When you visit a VA, DoW (formerly DoD), or related federal page, the extension reads the visible page content to surface contextual transition tasks and resources. The extension uses hostname-anchored page detection (`new URL().hostname`) so the read is scoped to the exact target host.
- PII redact-then-slice at every boundary. Before any page content is sent through an outbound bridge call (for example, to the AI chat panel), the extension runs a `redactPII()` pass that removes Social Security Numbers, email addresses, phone numbers, and credit-card numbers. Profile fields like rank, MOS, and separation date are generalized.
- `extensionOrigin`-targeted postMessage. All cross-context messaging uses an `extensionOrigin` target so messages cannot be intercepted by other extensions or by an arbitrary parent frame.
- Local storage. The extension stores tier-quota counters and a small set of UI preferences in Chrome's local storage; it does not retain page content between visits.
- Optional features. The AI chat panel, bubble notification badge, and context-menu integration are all optional and can be disabled in the extension's settings panel.
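The two checks described in this section can be sketched as follows. This is an added example, not the extension's own code: `isTargetHost`, `redactThenSlice`, `sliceThenRedact`, the regex patterns, the placeholder tags, and the body of `redactPII` are assumptions made for illustration, and the sample text is constructed. It shows why the hostname is compared rather than the raw URL string, and why redaction runs before truncation.

```javascript
// Added illustration; names, patterns and tags are assumptions, not the extension's code.
const TARGET_SUFFIXES = ['va.gov', 'defense.gov'];

// Hostname-anchored match: parse the URL, then compare the hostname itself,
// so a target name in the path, query or a longer attacker-owned host never matches.
function isTargetHost(rawUrl) {
  let host;
  try {
    host = new URL(rawUrl).hostname.toLowerCase();
  } catch {
    return false; // unparseable input is never treated as a target
  }
  return TARGET_SUFFIXES.some((s) => host === s || host.endsWith('.' + s));
}

// Simplified patterns; a production detector needs broader coverage.
const PII_PATTERNS = [
  [/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN]'],
  [/\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g, '[EMAIL]'],
  [/\b(?:\d[ -]?){13,16}\b/g, '[CARD]'],
  [/(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g, '[PHONE]'],
];

function redactPII(text) {
  return PII_PATTERNS.reduce((out, [re, tag]) => out.replace(re, tag), text);
}

// Redact on the full text, then truncate to the outbound size limit.
function redactThenSlice(text, max) {
  return redactPII(text).slice(0, max);
}

// Wrong order, kept for contrast: truncation can cut an identifier in half,
// so the pattern no longer matches and the leading digits pass through.
function sliceThenRedact(text, max) {
  return redactPII(text.slice(0, max));
}

const SAMPLE = 'Claim for SSN 123-45-6789 filed.'; // constructed sample text
```

With a 20-character limit, `redactThenSlice(SAMPLE, 20)` carries only the `[SSN]` tag, while `sliceThenRedact(SAMPLE, 20)` still ends in `123-45`.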
9c. GDPR (EU Users) and CCPA (California Users) Rights
GDPR (EU Users): Under the General Data Protection Regulation, you have the right to access, correct, delete, and port your data, and to withdraw consent for data processing. To exercise these rights, contact support@veteransition.com; we respond within 30 days.
CCPA (California Users): Under the California Consumer Privacy Act, you have the right to know what data is collected, to delete your data, to opt out of data sales (we do not sell data), and to non-discrimination for exercising your rights. To exercise these rights, contact support@veteransition.com or use Profile Settings.
10. Changes to This Policy
We may update this policy periodically. We will notify you of material changes via email or a notice on the service. Your continued use after changes constitutes acceptance of the updated policy.
11. Contact Us
Questions about this privacy policy or your data?
- Email: support@veteransition.com.
- Mailing Address: Veteransition, United States.