Privacy Policy

Personal Information (Non-Medical)

When you apply for a grant or create an account, we collect the following personally identifiable information (PII):

• Full name, email address, and phone number
• Military service information (branch, years of service, discharge status)
• Personal intentions and healing goals (text essays)
• Travel information and availability dates
• Supporting documents (DD214, government-issued ID) uploaded to secure storage

What We Do NOT Collect (No PHI)

Automatically Collected Information

When you visit our website, we automatically collect:

• Usage Data: Pages visited, time spent, clicks, and navigation patterns (via Vercel Analytics)
• Technical Data: IP address, browser type, device information, operating system
• Session Data: Authentication cookies, session identifiers

We use your information to:

• Process Grant Applications: Review and evaluate applications for veteran retreat grants
• Communicate: Send application updates, retreat information, and integration support
• Verify Eligibility: Confirm veteran status and program requirements
• Accept Donations: Process secure payments via Square (card data never stored on our servers)
• Improve Services: Analyze website usage to enhance user experience
• Security & Compliance: Maintain audit logs, prevent fraud, and comply with legal requirements

Secure Storage

All personal data is stored securely using industry-standard encryption:

• Database: Supabase (PostgreSQL) with encryption at rest and in transit
• File Storage: Private storage buckets with signed URLs (no public access)
• Uploaded Documents: DD214 and ID files stored in encrypted, access-controlled storage
• Row Level Security (RLS): Database policies ensure users can only access their own data

Security Measures

• HTTPS Encryption: All data transmission uses TLS/SSL encryption
• Multi-Factor Authentication (MFA): Required for panel and admin accounts
• Session Security: Secure, HttpOnly cookies with 30-minute idle timeout
• Rate Limiting: Prevents abuse (10 applications/day, 20 donations/hour, 30 AI messages/hour)
• CSRF Protection: Double-submit cookie pattern on all forms
• Input Sanitization: All user input sanitized before database insertion
• Audit Logging: Permanent record of sensitive operations for security forensics

We use cookies to maintain your session and improve your experience:

Session Cookies

• Purpose: Keep you signed in as you navigate the site
• Security Settings: HttpOnly (prevents JavaScript access), Secure (HTTPS only), SameSite=Lax (CSRF protection)
• Expiration: 30 minutes of inactivity (session timeout)
• Required: Yes (cannot use authenticated features without cookies)

CSRF Protection Cookies

• Purpose: Prevent cross-site request forgery attacks
• Security Settings: HttpOnly, Secure, SameSite=Strict
• Expiration: 1 hour

No Third-Party Cookies

We do not use third-party tracking cookies or advertising cookies. All cookies are first-party and essential for site functionality.

We use Vercel Analytics to understand how visitors use our website:

• What We Track: Page views, navigation patterns, time spent, referral sources
• Privacy-Friendly: No personal data, no cookies, no IP tracking
• Aggregated Data Only: All analytics are anonymized and aggregated
• Purpose: Improve user experience, understand popular content, optimize site performance

Our AI-powered chatbot (powered by Anthropic Claude) is designed to provide general information about our programs:

What We Store

• Conversation Context: Temporarily stored in your browser session only
• No Server Storage: Chat messages are NOT saved to our database
• Rate Limiting Metadata: IP address tracked for rate limiting (30 messages/hour)

Third-Party Processing

Chat messages are sent to Anthropic's API for processing:

• Anthropic's Privacy Policy: anthropic.com/legal/privacy
• No Training on Your Data: Anthropic does not use customer data to train models
• Enterprise Agreement: We use Anthropic's commercial API with enterprise privacy protections

Important: Do not share sensitive health information with the AI chatbot. For medical questions, please consult the Safety & Eligibility page and complete the Medical Disclosure form.

We use the following trusted third-party services:

We retain your data for the following periods:

• Grant Applications: 12 months from submission date
• User Profiles: Until you request deletion or close your account
• Application Files (DD214, ID): 12 months from submission
• Audit Logs: Permanent (required for compliance and security)
• Donation Records: 7 years (IRS requirement for 501(c)(3) organizations)

Rationale: The 12-month retention period allows for one full retreat cycle (2 retreats per year) plus administrative follow-up. Data is automatically purged after this period unless there are active legal holds or compliance requirements.

You have the following rights regarding your data:

To exercise any of these rights, please contact us at privacy@vinesandvalor.com. We will respond within 30 days.

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. Our standard eligibility requirement is 21-65 years of age (with special consideration for ages 18-20). If you believe we have inadvertently collected information from a minor, please contact us immediately.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:

• We will update the "Effective Date" at the top of this page
• We will notify active users via email if changes significantly affect how we handle their data
• Continued use of our services after changes constitutes acceptance