OperationAppeal LLC ("OperationAppeal," "we," "us," or "our") operates operationappeal.com (the "Service"). This Privacy Policy explains what we collect, how we use it, and the rights you have.
OperationAppeal helps veterans analyze claim documents using AI. We do not retain the original files you upload. We do log a small amount of structured case data and scrubbed text excerpts to help improve outcomes for future veterans. We do not collect your name, address, date of birth, or government identifiers in any field designed to retain them. We do not sell your data.
1. What We Collect — And What We Don't
We collect the minimum information needed to provide useful analysis and to build aggregate outcome data that benefits future veterans.
What we DO collect:
- Anonymous session identifier: a random string generated in your browser. Not linked to your name, email, or any identity. Resets when you clear your browser data.
- Anonymized case metadata: structured classifications and clinical/procedural metrics — service era, branch of service, VA regional office, denial codes, CFR citations, outcome categories, case type, range-of-motion measurements (forward flexion in degrees, combined ROM in degrees), pain scales (0–10), examiner types, claim-history counts, year-only event dates, TBI severity classification (mild / moderate / severe), and medication classes by therapeutic family only (e.g., SSRI, gabapentinoid, NSAID — never specific brand or generic drug names). Designed to contain no personal identifiers.
- Scrubbed text excerpts: portions of the text you enter, text extracted from documents you upload, and the AI's response, after a two-layer scrubber removes (a) structured personal identifiers via pattern matching — SSNs, phone numbers, email addresses, full dates, street addresses, ZIP codes, P.O. boxes, medical record numbers, VA file numbers, DOD IDs/EDIPIs, and similar patterns — and (b) proper names of individual people via AI-assisted detection (with allowlists that preserve legal case citations like "Cafferty v. Brown", government officials in their official capacity, place names, drug names, and condition names). The combined approach targets all 18 HIPAA Safe Harbor identifiers.
- Scrubbed filenames: if you upload a file, the filename is logged after automated redaction.
What we do NOT collect or retain:
- Your name, email address, or phone number (except if you voluntarily email us for support).
- Your Social Security Number, date of birth, or home address in any field designed to retain them.
- The original files you upload. Files are processed in your browser, then transmitted via our secure backend to the AI provider for analysis. The original file is not retained on our servers.
- Medical record numbers, VA file numbers, DOD IDs, or EDIPIs in any field designed to retain them.
- Your IP address as a stored value (used transiently for rate limiting only).
The pattern-spotting that helps your appeal comes from many veterans contributing scrubbed outcomes. Your contribution does the same for the next vet.
Our scrubber combines pattern matching for structured identifiers with AI-assisted detection for personal names. The AI pass targets names of individuals in patient/client context while preserving legal case citations, public officials, place names, and other non-identifying proper nouns. Edge cases — extremely unusual name spellings, identifiers spelled out phonetically ("my social is one two three…"), or identifiers in non-English text — may still slip through. Best protection: don't type personally-identifying details that you wouldn't want kept.
2. Service Providers
We use a small number of vetted service providers to operate this site. They process data only on our behalf, only as needed to deliver the service, and under contracts that prohibit using your data for their own purposes — including no training of AI models on your data.
Our service providers fall into the following categories: AI services (for analysis processing), cloud hosting and edge security (for site delivery and bot/DDoS protection), and database services (for storing scrubbed case metadata and rate-limit counters). All providers operate under contracts that prohibit using your data for any purpose other than delivering the Service.
We do not sell or share your information with advertisers, data brokers, social networks, or analytics companies. There are no tracking pixels or ad scripts on this site.
If you need specific provider information for a regulatory or compliance reason, request it in writing at .
3. How We Use the Information
The metadata and scrubbed excerpts we collect are used for:
- Providing, operating, and maintaining the Service.
- Improving the accuracy and quality of AI analysis.
- Building an aggregate outcomes database that helps refine the analysis for future veterans.
- Internal analytics to monitor Service performance and capacity.
- Licensing aggregated, anonymized statistical data to authorized third parties (such as Veteran Service Organizations and VA-accredited representatives). No individual record is ever shared; only statistical aggregates.
We do not sell personal information. We do not engage in advertising. We do not share information with data brokers.
4. Your Rights (CCPA / State Privacy Laws)
Before any document is submitted for analysis, you are shown a Terms of Service modal that describes this privacy posture and asks for your consent. Your consent is recorded in your browser's local storage and remains in effect until you clear it or until we publish a material update to these terms.
If you are a California resident (or live in another state with similar law), you have the right to:
- Know what data we have associated with your session.
- Delete any data we've stored about your case.
- Opt out of having your scrubbed excerpts contribute to outcome data.
- Non-discrimination — exercising any of the above doesn't change the service you receive.
Categories of personal information collected (CCPA):
- Identifiers: anonymous session ID (not tied to name, email, or government-issued ID).
- Internet or other electronic network activity information: interaction metadata.
- Geolocation: only to the extent inferred from a self-reported VA regional office in your queries; no precise geolocation is collected.
- Commercial information (scrubbed narrative): text excerpts after automated PHI scrubbing.
We do not sell personal information and have not sold personal information in the preceding twelve months.
How to exercise your rights
- Right to know / Right to data portability: visit Manage Your Data and use the "Get a copy of everything we have on you" download.
- Right to opt out of outcome-data contribution: visit Manage Your Data and toggle "Contribute scrubbed outcomes" off.
- Right to delete server-side records: email with subject line "CCPA Deletion Request". In your message, include any identifiers you can provide — your session ID, persistent veteran ID (PVID), and/or the date(s) of your analyses. We handle every request manually and reply within 7 business days. Manual handling lets us verify the request is genuine before we delete, which CCPA requires. Under CCPA we may also be required to retain certain records for legal compliance — we'll tell you in our reply if anything was preserved.
Important — if you've already cleared your browser data: we don't collect names or email addresses by design, so the only links between you and your records are the IDs stored in your browser (session ID, PVID). If those have been cleared before you submit a deletion request, we may not be able to identify which records are yours, and we'll let you know in our reply if that's the case. To be sure of full deletion, submit the request before clearing your browser data.
Outcomes-data contribution preference.
Scrubbed (PHI-redacted) excerpts from your analysis are added to our aggregate outcomes database, which the platform references to identify denial patterns and recurring CFR citations across cases. This is statistical reference, not AI model training; we do not fine-tune any AI model on your data, and your scrubbed excerpts are never sent back to an AI provider as training data. You may opt out of this contribution at any time using the toggle below. Opting out does not affect the analysis you've already received.
5. HIPAA Position
OperationAppeal is not a "Covered Entity" under the Health Insurance Portability and Accountability Act (HIPAA) because we are not a healthcare provider, health plan, or healthcare clearinghouse. We have designed the Service to avoid "Business Associate" status by not retaining Protected Health Information (PHI) on our infrastructure after the analysis request completes. Original document content is processed in your browser, transits our secure backend (which does not store it), and reaches the AI provider for analysis. Multiple layers redact structured PHI before any metadata is written to storage.
6. Security
We use TLS 1.2+ encryption, HSTS, server-side rate limiting, multi-layer PHI redaction, and edge-based bot/DDoS protection. API credentials are stored as encrypted server-side secrets and are never exposed in browser source code. No system can be guaranteed 100% secure. If we become aware of a breach of unencrypted personal data, we will notify affected users and applicable authorities as required by law.
7. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect information from children. If we become aware that a child has provided information through the Service, we will take steps to delete it promptly.