Privacy Policy

• We collect only what we need to run the service: your account info, the military profile you choose to share, and any documents you upload for AI analysis.
• We never sell your data. Not now, not ever.
• We use Anthropic's Claude API to power the AI assistant and document analysis. Anthropic processes the content you submit to those features but does not train models on your data.
• You can export, correct, or delete your account and all associated data at any time by emailing privacy@milconnect.ai.
• We are not affiliated with the U.S. Department of Veterans Affairs, the Department of Defense, or any branch of the U.S. military.

This Privacy Policy applies to the MILCONNECT AI website at milconnect.ai and all features offered through it (the “Service”), including the homepage, free tools, account-gated tools, the AI chat assistant, document analysis, and the VTS Duffle Bag spouse toolkit.

“We,” “us,” and “MILCONNECT AI” refer to the operator of the Service. “You” refers to anyone who visits the site, creates an account, or uses any of our tools.

We group what we collect into four buckets:

Account information

• Name, email address, and a hashed password (we never store your plain-text password — bcrypt hashing only).
• If you sign in with Google or LinkedIn, the provider's stable user id, your verified email, and your display name. We do not receive your social-network password.
• Session tokens stored in HTTP-only, secure cookies (7-day expiration).

Military profile (optional)

• Status (Active Duty, Veteran, Retired, Reserve/Guard, Family Member), branch, rank, years of service.
• If you complete the assessment: combat deployments, exposure flags (PTSD, TBI, MST, burn pit, Agent Orange), VA disability rating, retirement system, dependents, primary goals.
• Optional address (for state-benefits and BAH calculations) and unit/clearance fields.

Content you create

• Documents you upload to the Record Keeper or any tool (DD-214, LES, VA letters, resumes, etc.) — see Section 5.
• Notes you write inside tools, todo items you add, ratings you submit, and chat history with the AI assistant.

Automatically collected technical data

• IP address (used for rate-limiting signups and bot protection).
• Standard server logs (request method, path, response code, timestamp). We do not log request bodies.
• Browser version and OS, where reported in the User-Agent header. We do not run third-party analytics or fingerprinting on the homepage chat or free tools.

We do not request, collect, or store: Social Security numbers, military service numbers (the field on the signup form is optional and treated as user-supplied free text we do not validate or share), DEERS records, full credit-card numbers, or biometric data.

We use your information only to:

• Operate your account (sign-in, session management, password hashing, account recovery).
• Personalize the tools and AI assistant (e.g., showing rates that match your branch and rank, surfacing the right calculator for your status).
• Save your work — calculator inputs, notes, todos, uploaded documents — so you find them where you left off.
• Run document AI analysis you specifically request, by sending the document content to Anthropic's Claude API.
• Send service messages (e.g., security notifications, password resets). We do not send marketing email without your explicit opt-in.
• Protect the Service from abuse (rate-limiting, bot protection via Cloudflare Turnstile).
• Comply with legal obligations.

The chat assistant and document analysis features are powered by Anthropic's Claude API. When you use those features:

• The text or document you submit is transmitted to Anthropic over TLS, processed to generate a response, and returned to your browser.
• Per Anthropic's commercial API terms, Anthropic does not use API content to train its models.
• We may store the content of your AI conversations on your account so you can scroll back through them. You can delete your conversation history at any time.
• For document analysis, the AI's extracted output (suggestions, identified benefits, structured data) is stored on the document record so you can view it without re-analyzing. The original document remains under your control.

The AI assistant produces informational answers based on the context you provide and our knowledge base. It is not legal, financial, medical, or VA-claim advice. Always verify benefit amounts and eligibility with VA.gov or an accredited Veterans Service Officer (VSO).

The Record Keeper and several tools accept document uploads (DD-214, LES, VA decision letters, resumes, etc.). Here's exactly how those are handled:

• Documents are encoded as base64 strings and stored in our MongoDB Atlas database, on infrastructure operated by MongoDB, Inc. on AWS.
• Documents are scoped to your user record and accessible only to you when authenticated. Server-side authorization checks block any other user from reading your documents.
• When you click “Analyze” on a document, the document content is sent to Anthropic's Claude API for that single request. The extracted analysis (suggestions, benefits, structured fields) is then saved on your document record.
• You can delete any document at any time. Deletion removes the document and its derived analysis from our database.
• We do not run any automated analysis on your documents without your explicit click.

Documents may contain sensitive information (rank, dates, MOS, exposures). Please use your judgment about what to upload — only upload documents you're comfortable having stored and processed by our service for the purpose described above.

We share information only with the service providers we need to run MILCONNECT AI, and only for the specific purpose listed below. Each provider is contractually required to use your data only on our behalf.

We may also disclose information when we're legally required to (subpoena, court order, lawful government request) or to protect the rights, property, or safety of our users, the public, or our service. If we're required to disclose your information, we will notify you unless legally prohibited from doing so.

If MILCONNECT AI is acquired or merged, this policy carries forward to the acquiring entity. We'll notify you before any change of control affects your data.

We do not sell, rent, or trade your personal information to advertisers, data brokers, or any third party. We do not run third-party advertising on the Service.

We use the smallest set of cookies necessary to operate the Service:

• session_token — HTTP-only, Secure, SameSite=Lax. Identifies your authenticated session for 7 days.
• oauth_state — short-lived (10 min) cookie used during OAuth sign-in to prevent CSRF.
• Cloudflare Turnstile may set its own challenge cookies on the signup page only.

We do not use Google Analytics, Facebook Pixel, or any third-party analytics that track you across sites.

• Account data: for as long as your account is active. Deleted within 30 days of you closing your account.
• Documents and notes: until you delete them or your account is closed.
• Server logs: rolled up to aggregate metrics within 30 days; raw logs retained no longer than 90 days.
• Backups: our database backups are retained on a rolling 30-day window. After deletion, your data is purged from backups within 30 days.

• All traffic between your browser and our servers is encrypted in transit (TLS 1.2+).
• Passwords are stored only as bcrypt hashes (cost factor 12). We never store, log, or transmit your plain-text password.
• Database storage is encrypted at rest by MongoDB Atlas.
• Session cookies are HTTP-only and Secure. We use SameSite=Lax to mitigate CSRF.
• Rate-limiting on signup and login throttles brute-force and enumeration attempts.
• Cloudflare Turnstile protects the signup endpoint from automated abuse.
• Server-side authorization checks scope every request to the authenticated user's own data.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you without undue delay and within timelines required by applicable law.

You can:

• Access your account data and uploaded content directly from the dashboard, profile, and Record Keeper.
• Correct any field on your profile from the profile page.
• Export your data — email privacy@milconnect.ai and we'll send a machine-readable copy of everything we have on file within 30 days.
• Delete your account and all associated content — email the same address. We'll confirm within 7 days and complete deletion within 30 days, including from backups within the 30 days that follow.
• Object to specific processing — write to us with the specifics and we'll respond within 30 days.
• Withdraw consent for optional features (e.g., AI processing) at any time by ceasing to use that feature.

If you reside in California, you have the rights described in Section 11 above, plus the rights to know, correct, delete, limit use of sensitive information, and opt out of sale or sharing of your personal information. Because we don't sell or “share” (as defined under CCPA) your personal information, no opt-out is necessary, but you can submit any of the other requests through privacy@milconnect.ai or the contact form. We will not discriminate against you for exercising your rights.

You may designate an authorized agent to make a request on your behalf. We will require verification of your identity before honoring the request.

If you reside in the European Economic Area, the United Kingdom, or Switzerland, MILCONNECT AI is the data controller for personal information collected through the Service. Our legal bases are:

• Contract — to provide the Service you signed up for (account, tools, document storage).
• Consent — for optional features such as AI document analysis.
• Legitimate interests — security, abuse prevention, and improving the Service.
• Legal obligation — when required by applicable law.

You have the right to lodge a complaint with your local data protection authority. Personal information we receive may be transferred to and processed in the United States; we rely on appropriate safeguards (e.g., Standard Contractual Clauses) for those transfers.

MILCONNECT AI is intended for individuals 18 years of age or older. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact privacy@milconnect.ai and we will delete it promptly.

MILCONNECT AI is operated from the United States. By using the Service, you acknowledge that your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

We may update this policy as the Service evolves. When we make material changes, we will:

• Update the “Effective” date at the top of this page.
• Post a notice on the homepage and inside the dashboard for at least 14 days.
• For changes that expand how we use your existing data, request your consent the next time you sign in.

Privacy questions, data requests, or feedback on this policy:

• Email: privacy@milconnect.ai
• General contact: milconnect.ai/contact

MILCONNECT AI is operated by an independent veteran-led team. We are not affiliated with the U.S. Department of Veterans Affairs, the Department of Defense, or any branch of the U.S. military. All product and benefit names referenced on the Service are property of their respective owners.