Privacy Policy
Last updated: February 2, 2026
Note: This is a static copy of our Privacy Policy. The canonical version is available at https://varatingassistant.com/privacy.
1. Who We Are
VA Rating Assistant ("we", "us", "our") is operated by FastWebCreations LLC and provides a platform to help users estimate VA disability ratings and manage related documents. We focus on U.S. users and do not target EU/UK residents. For privacy matters, contact support@varatingassistant.com or write to 522 W Riverside Ave STE N, Spokane, WA 99201-0580. Washington State law governs this policy where applicable.
2. Information We Collect
- Identification and contact information (e.g., name, email, phone, address)
- Account and profile information (credentials, preferences, profile fields, user/admin role)
- Financial information (via Stripe: payment tokens, last4, billing address; no full card numbers)
- Health/medical information you provide or generate in the Service (may include PHI)
- Files/documents you upload (e.g., VA forms, medical records) and related metadata
- Device and usage/telemetry data (IP address, browser/OS, device identifiers, event logs)
- Communications (support tickets, feedback messages)
- Geolocation: coarse, IP-based for security and fraud prevention (no precise tracking)
We do not import your contacts/address book and we do not accept dependent/family member information.
3. How We Use Information
- Provide, operate, maintain, and improve the Service
- Process payments and manage subscriptions
- Communicate with you (e.g., notifications, support)
- Ensure security, prevent fraud/abuse, and perform incident response
- Comply with legal obligations and enforce our agreements
- Analytics and service improvement, including use of de-identified, anonymized, or pseudonymized data; we do not re-identify such data
4. Special Category & Sensitive Data
Some uploaded documents may contain health information. This data is encrypted, accessed only as needed to provide the Service, and is never sold. Do not upload dependent or family member information; the Service is intended only for your own records relevant to VA disability rating analysis.
5. How We Store and Protect Your Data
- Data is stored securely in AWS (Aurora Serverless v2/RDS for database; encrypted S3 for file storage and retention). Your uploaded documents and files are retained in encrypted S3 buckets with customer-managed KMS encryption keys for the duration specified in our retention policy (see Section 8).
- Health records and sensitive documents are encrypted at rest and in transit.
- Access is restricted to authorized users and administrators following minimum-necessary principles.
- We implement administrative, technical, and physical safeguards aligned to HIPAA technical safeguards and SOC 2–aligned controls within the AWS shared responsibility model.
6. Third-Party Service Providers
We use trusted service providers that process data on our behalf under contracts that require confidentiality, security, processing only under our instructions, and no re-identification of de-identified data. Current providers include:
- AWS (Lambda, S3, Textract, RDS/Aurora Serverless v2, Cognito, Bedrock; Amplify, CloudFront, Route53) — hosting, storage, authentication, AI processing, CDN; Region: us-east-2 (Ohio); HIPAA BAA in place
- Stripe — payments; billing tokens and related metadata; DPA in place
- AWS SES — email notifications; email address and message metadata; HIPAA-aligned rule: no PHI in email bodies
- Sentry and AWS CloudWatch — error/security logging; minimized personal data; DPA in place
We do not share data with partners beyond processors without your consent. We will update this list as vendors change and notify users of material changes.
7. No Sale and No Targeted Advertising
We do not sell personal data to third parties. We do not use personal information for targeted or cross-context behavioral advertising. We follow strict data protection guidelines per the CARIN Code of Conduct and NCVHS Beyond HIPAA requirements. All data sharing with service providers (as listed in Section 6) is governed by contractual agreements that prohibit data sale and require compliance with applicable privacy laws.
8. Data Retention & Deletion
- Uploaded documents (PDFs) retention: Uploaded documents (including medical records and VA forms) are retained for 90 days on Free and one-time plans, then deleted, unless you purchase an active storage subscription before the scheduled deletion date.
- Storage subscriptions: If you purchase a storage subscription, the retention window for your uploaded documents is extended beyond the base 90 days while your subscription is active and paid. If your storage subscription ends and is not renewed, documents are scheduled for deletion at the end of the last paid retention window.
- Reminder emails: We send deletion reminder emails at 30, 15, 5, and 1 day(s) before the scheduled deletion date, and we send a confirmation email after deletion.
- Deletion scope: Deletion applies to uploaded documents and related stored artifacts generated from those uploads (for example, stored PDFs/exports/artifacts that depend on the uploaded document). If an object is already missing from storage, we treat database deletion as authoritative.
- Derived/extracted data: Structured data derived from your documents (for example, extracted condition metadata) may remain available in your dashboard for the life of your account unless you delete your profile/account. If you delete your profile/account, we delete derived data that we control, subject to legal obligations.
- Backups: Backups are retained on a rolling overwrite cycle (typically about 30 days).
- Logs: We retain audit/security logs for a limited period for security and compliance purposes, and we minimize sensitive content in logs.
- Deletion requests: You may request account deletion in-app or by emailing support@varatingassistant.com.
- Legal holds: Where required by law or necessary for fraud prevention/disputes/tax compliance, we may retain limited records, restrict access to the minimum required, and delete them when the obligation ends.
9. Your Rights & Choices
You can access a copy of your information, request deletion, or ask questions about this policy by contacting us.
- Export: You may export your data in PDF, DOCX, or CSV.
- Delete: Use in‑app deletion or email us. We will confirm when deletion is complete.
For privacy questions or requests, email support@varatingassistant.com or write to 522 W Riverside Ave STE N, Spokane, WA 99201-0580.
10. Data Location & Transfers
Primary data residency is AWS us-east-2 (Ohio). We focus on U.S. users and do not currently transfer data from the EU/UK to the U.S. or target EU/UK residents.
11. Data Breach Notification
If a data breach affecting your information occurs, we will notify you without undue delay (and within 72 hours where required) and describe the incident and affected information, the steps we are taking, suggested actions you may take, and how to obtain additional guidance.
12. Changes in Ownership
If there is a merger, acquisition, reorganization, or sale of assets, we will notify you. You will be able to download your information and close your account, and we will ensure any new owner adopts privacy/security protections at least as strong as ours before any transfer of personal information.
13. Changes to This Policy
For material changes, we will provide 30 days’ prior notice via email, in‑app notice, and/or website banner. Legal or security updates may be effective immediately with appropriate notice. Continued use after the effective date constitutes acceptance of the updated policy.
14. Contact
For privacy questions or requests, email support@varatingassistant.com or write to 522 W Riverside Ave STE N, Spokane, WA 99201-0580.