Privacy Policy
Last updated: February 11, 2026
Introduction
Valor Rating LLC ("Valor Rating," "we," "us," or "our") operates the Valor Rating platform at valorrating.com. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our services to prepare VA disability claim documentation.
By using Valor Rating, you consent to the data practices described in this policy. If you do not agree with any part of this policy, please do not use our services.
Information We Collect
Account Information
- Full name, email address, and phone number
- Password (stored as a secure hash, never in plaintext)
Military Service Information
- Branch of service, rank, MOS/AFSC, service dates
- DD-214 documents (uploaded for parsing)
- Deployment locations and combat service history
- Awards and decorations
Sensitive Personal Information
- Social Security Number (encrypted at rest using AES-256-GCM; only used for VA form generation)
- Date of birth
- Mailing address
Health and Medical Information
- Medical conditions and disabilities you are claiming
- Symptom descriptions and functional impact statements
- Exposure history (e.g., burn pits, Agent Orange, radiation)
- Current VA disability rating and rated conditions
- Medical records and supporting documents you upload
Buddy Statement Information
- Names and email addresses of individuals you invite to provide witness statements
- Event descriptions, dates, and locations provided for statement generation
- Digital signatures captured during the statement signing process
How We Use Your Information
We use your information to:
- Generate VA disability claim forms (21-526EZ, 21-4138) with accurate, pre-filled data
- Create AI-assisted personal statements and buddy statement drafts
- Parse your DD-214 to auto-fill service history fields
- Provide personalized guidance through our AI assistant
- Generate C&P exam preparation materials tailored to your conditions
- Send email invitations and notifications related to your claims
- Improve our services through anonymized usage analytics
How We Process Your Data with AI
Valor Rating uses artificial intelligence to help generate your claim documents. It is important to understand how your data flows through our AI systems:
Retrieval-Augmented Generation (RAG)
When you upload documents (DD-214s, medical records) or provide your service history through our intake process, we convert that text into mathematical representations called "embeddings" and store them in a secure vector database within our Supabase infrastructure. When our AI generates documents for you, it retrieves the most relevant portions of your own data to provide context to the AI model. This means:
- Your document embeddings are stored alongside your account data with the same encryption and access controls
- Only your own documents are retrieved for your AI-generated content — your data is never mixed with other users' data
- Embeddings are mathematical representations, not plaintext copies of your documents
- When you delete a document, its associated embeddings are also deleted
No Fine-Tuning or Model Training
We do not use your data to fine-tune or train AI models. Your personal information, service history, medical conditions, and uploaded documents are never used to train, improve, or fine-tune any AI model — ours or any third party's. We use commercially available AI models through their APIs with data processing agreements that prohibit the use of your data for model training.
What Data Reaches AI Models
When generating documents, the following information may be sent to third-party AI providers:
- Sent: Your name, branch of service, rank, service dates, MOS/AFSC, deployment history, medical conditions, symptom descriptions, and relevant document excerpts
- Never sent: Your Social Security Number, date of birth, phone number, email address, or mailing address
AI-generated content may contain errors or inaccuracies. You are responsible for reviewing all generated documents before submitting them to the VA.
Third-Party Services and Data Sharing
We use the following third-party services to operate our platform. We do not sell your personal information to any third party.
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | Account data, application data, documents |
| Vercel | Application hosting | Application traffic and server logs |
| OpenAI / Anthropic / Google Cloud | AI-powered document generation | Service history, medical conditions, symptom descriptions (no SSN) |
| Amazon Web Services | Document scanning (OCR) | DD-214 images for text extraction |
| Resend | Email delivery | Recipient email addresses and notification content |
Data Security
- Encryption at rest: Your Social Security Number is encrypted using AES-256-GCM before storage. All database connections use SSL/TLS.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted via HTTPS.
- Access controls: Row-level security policies ensure you can only access your own data. Admin access is restricted by database flags and optional IP whitelisting.
- Audit logging: Access to sensitive data (such as SSN) is logged for security monitoring.
- Document storage: Uploaded files are stored in private, access-controlled storage buckets with signed URLs.
Infrastructure and Compliance Standards
Valor Rating is built on infrastructure providers that maintain recognized security certifications:
- Supabase (database and authentication) — SOC 2 Type II certified
- Vercel (application hosting) — SOC 2 Type II certified
- Amazon Web Services (document scanning) — SOC 2 Type II, HIPAA eligible, FedRAMP authorized
- OpenAI / Anthropic / Google Cloud (AI providers) — SOC 2 Type II certified; API usage with data processing agreements
While Valor Rating itself is not yet SOC 2 certified, we leverage the security controls and compliance certifications of our infrastructure providers and follow industry best practices for application security, including OWASP guidelines and regular security reviews. We are committed to pursuing independent security certifications as we scale.
Data Retention
We retain your data for as long as your account is active or as needed to provide our services. If your account is inactive for a period of two (2) years, we may delete your account and associated personal data after providing you with reasonable advance notice via the email address on file.
You may request deletion of your account and associated data at any time by contacting us at support@valorrating.com. We will process deletion requests within forty-five (45) days of receiving a verified request. You will receive a confirmation email once deletion is complete.
When you delete a document through our platform, it is removed from both our database and file storage. We may retain certain data as required by law or for legitimate business purposes (e.g., audit logs, transaction records) for up to three (3) years after account deletion.
Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users by email without undue delay, and no later than seventy-two (72) hours after becoming aware of the breach
- Provide a description of the nature of the breach, including the types of data involved
- Describe the measures taken or proposed to address the breach and mitigate its effects
- Provide recommendations for steps you can take to protect yourself
- Report the breach to applicable regulatory authorities as required by law
Your Rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and personal data
- Export your data in a portable format
- Withdraw consent for data processing at any time
To exercise any of these rights, contact us at support@valorrating.com.
Notice for Residents of Certain U.S. States
U.S. state consumer privacy laws may provide residents with additional rights regarding our use of their personal information. Residents of states including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia may have some or all of the following additional rights:
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete personal information collected from you, subject to certain exceptions
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information — we do not sell your personal information
- Right to non-discrimination for exercising your privacy rights
- Right to data portability — receive your personal information in a portable, readily usable format
- Right to limit use of sensitive personal information to purposes necessary for providing the Service
California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have specific rights including the right to know, delete, correct, and opt out. We do not sell or share personal information for cross-context behavioral advertising. Categories of personal information we collect are described in the "Information We Collect" section above.
Exercising Your Rights
To exercise any of these rights, contact us at support@valorrating.com. We will verify your identity before processing your request and respond within the timeframe required by applicable law (generally 45 days). You may designate an authorized agent to make a request on your behalf.
Children's Privacy
Valor Rating is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the platform after changes are posted constitutes acceptance of the revised policy.
Contact Us
If you have questions about this Privacy Policy or how we handle your data, contact us at: