Privacy Policy

Vala, Inc.
Effective Date: April 1, 2026

1. Who We Are

Vala, Inc. is a Delaware corporation. We operate a cloud-based software platform (the “Services”) designed to support VA-accredited attorneys, VA-accredited claims agents, law firms, veterans service organizations (VSOs), and related professional entities in managing veterans benefits claims workflows, document processing, client communications, and related operational functions.

Vala is a technology and software provider only. We are not a law firm, not VA-accredited for purposes of claimant representation, and do not provide legal or claims advice. References to “we,” “us,” or “our” in this Privacy Policy refer to Vala, Inc.

2. Scope and Applicability

This Privacy Policy applies to: (a) customers of Vala — the professional entities and individuals who contract with Vala to access the Services (“Customers”); (b) authorized users of the Services acting on behalf of Customers (“Users”); and (c) visitors to valaclaims.com and any affiliated websites or portals (“Site Visitors”).

Vala's Services are designed for use by professional entities, not directly by veterans or claimants. Vala does not intentionally collect data directly from veterans or claimants through the Services. Veterans and claimants whose information is submitted to the Services are clients or end-users of our Customers; their data is processed by Vala solely on behalf of, and at the direction of, the applicable Customer.

This Privacy Policy does not govern the privacy practices of Customers or their relationship with the veterans and claimants they serve. Customers are independently responsible for their own privacy obligations to their clients. If you are a veteran or claimant whose data has been submitted to the Services by a Vala Customer, please contact that Customer directly with privacy requests.

3. Our Role: Data Controller and Data Processor

Vala acts in different privacy roles depending on the type of data involved:

When Vala is a Data Controller

Vala acts as a data controller — making independent decisions about how data is used — with respect to: (a) information collected directly from Customers and Users in connection with account registration, billing, support, and marketing; (b) usage data, telemetry, and analytics generated through operation of the Services; and (c) information submitted by Site Visitors through our website.

When Vala is a Data Processor

With respect to Customer Data — including veteran and claimant information submitted by Customers through the Services — Vala acts as a data processor, processing that data solely on behalf of and at the direction of the applicable Customer. Our processing activities with respect to Customer Data are governed by our Terms of Service and, where executed, a separate Data Processing Addendum or Business Associate Addendum, rather than this Privacy Policy.

4. Information We Collect

4.1 Information You Provide to Us

We collect information that Customers, Users, and Site Visitors provide directly, including:

  • Account registration information: name, email address, organization name, job title, professional credentials (e.g., VA accreditation number, bar number), billing address, and payment information.

  • Communications: messages sent to us via email, support tickets, chat, or contact forms.

  • Customer Data submitted through the Services: documents, VA forms, case notes, client records, and other content uploaded or processed through the platform on behalf of Customers' clients.

  • Feedback, survey responses, and product research submissions.

4.2 Information Collected Automatically

When you access or use the Services or Site, we automatically collect certain technical information, including:

  • Log data: IP address, browser type and version, operating system, referring URLs, pages viewed, and access timestamps.

  • Device identifiers and session tokens.

  • Usage and telemetry data: features accessed, actions taken, workflow events, error logs, and performance metrics.

  • Cookie and similar tracking data — see Section 11 (Cookies and Tracking Technologies).

4.3 Information from Third-Party Sources

We may receive information from third-party sources, including:

  • VA Lighthouse APIs and other government data sources, accessed on behalf of Customers in connection with veterans benefits workflows, subject to applicable VA data use restrictions.

  • Identity verification and credential validation services, used to verify professional accreditation status.

  • Payment processors and billing platforms, which provide transaction confirmation and billing status information.

We do not purchase personal data from data brokers or third-party marketing lists.

5. How We Use Information

We use the information we collect for the following purposes:

Service Delivery and Operations

  • To provide, operate, maintain, and improve the Services.

  • To process Customer Data on behalf of Customers as instructed.

  • To authenticate Users and manage account access and security.

  • To fulfill orders, process payments, and manage billing.

  • To generate and deliver AI-assisted outputs, documents, and analyses within the Services.

Security and Compliance

  • To detect, investigate, and prevent fraud, abuse, unauthorized access, and security incidents.

  • To enforce our Terms of Service and other applicable policies.

  • To comply with applicable legal obligations, including VA API terms, HIPAA, the Privacy Act of 1974, and applicable state privacy laws.

  • To respond to lawful subpoenas, court orders, and governmental requests.

  • To maintain audit logs and records required by law or VA requirements.

Communications and Support

  • To respond to support requests and customer inquiries.

  • To send transactional and operational communications (e.g., account alerts, security notices, billing confirmations).

  • To send product updates, policy notices, and legally required notifications.

  • With your consent, to send marketing communications about our products and services (you may opt out at any time).

Product Development and Analytics

  • To understand how the Services are used and to develop new features and improvements.

  • To generate aggregated, de-identified statistical data and analytics that do not identify any individual or Customer.

  • To conduct research on platform performance, accuracy, and quality.

We do not use Customer Data — including veteran and claimant information — for product development, AI model training, or analytics purposes in a manner that identifies individual veterans or claimants, or that is inconsistent with the purposes for which the data was submitted by the Customer.

5a. Data Minimization and Privacy by Design

Vala is committed to collecting and processing only the personal information that is necessary for the specific, legitimate purpose for which it is collected. We apply the following principles across our product development and data handling practices:

  • Data Minimization: We collect the minimum amount of personal information required to provide the Services. We do not collect personal information speculatively or for undefined future uses.

  • Purpose Limitation: Personal information collected for one purpose is not repurposed for incompatible uses without your consent or a lawful basis.

  • Privacy by Design: Privacy protections are built into the architecture of our products and systems from the outset, not added as an afterthought. New features and product changes are reviewed for privacy implications before deployment.

  • Storage Limitation: We retain personal information only for as long as necessary for the purposes described in this Privacy Policy or as required by applicable law. See Section 12 (Data Retention and Deletion) for specifics.

  • Accuracy: We take reasonable steps to keep personal information accurate and up to date, and provide Customers and Users with tools to correct inaccurate information.

6. VA-Specific Data Handling

A significant portion of the data processed through the Services relates to veterans benefits claims and is subject to specific federal laws and VA requirements. Vala handles such data in accordance with the following obligations:

Applicable Federal Law

  • 38 U.S.C. § 5701 — prohibiting unauthorized disclosure of VA beneficiary records and personally identifiable information of veterans.

  • 38 U.S.C. § 7332 — providing enhanced confidentiality protections for records relating to drug abuse, alcoholism, HIV status, and sickle cell anemia.

  • The Privacy Act of 1974 (5 U.S.C. § 552a) — to the extent Customer Data includes records subject to the Privacy Act.

  • HIPAA and the HITECH Act — to the extent Customer Data includes Protected Health Information as defined under HIPAA (45 C.F.R. § 160.103).

VA API Data Use Restrictions

When Vala accesses data through VA APIs (including the VA Lighthouse platform at developer.va.gov) on behalf of Customers, that data is subject to the VA's applicable API terms of service and the following restrictions, which Vala enforces and requires Customers to honor:

  • VA API-sourced data is used exclusively for the authorized purpose for which API access was approved and for no other commercial, analytical, or secondary purpose.

  • VA API-sourced data is stored and processed exclusively within the United States. No VA API-sourced data is transferred to systems, facilities, or subprocessors located outside the United States.

  • VA API-sourced data is not sold, rented, shared with third parties for independent commercial use, or used to build advertising profiles.

  • VA API-sourced data is not used to train, fine-tune, or evaluate any AI or machine learning model without the express written authorization of the VA.

HIPAA and Business Associate Agreements

To the extent Vala processes Protected Health Information (PHI) on behalf of a Customer that is a HIPAA-covered entity or business associate, the parties will execute a Business Associate Addendum (BAA) before such processing occurs. PHI is handled in accordance with the requirements of the BAA and applicable HIPAA regulations. Vala does not process PHI on behalf of any Customer without an executed BAA in place.

7. AI and Automated Processing

The Services include artificial intelligence, machine learning, and automated processing features that assist Customers with document analysis, data extraction, summarization, form population, transcription, and related tasks. The following principles govern our use of AI in connection with personal data:

  • Customer Data — including veteran and claimant information — is not used to train, fine-tune, or improve any publicly shared or general-purpose AI model.

  • AI processing of Customer Data occurs within isolated, Customer-specific environments. Data from one Customer is not used in outputs generated for another Customer.

  • AI-generated outputs are produced within the Customer's account context and are not shared with or accessible by other Customers or third parties.

  • Vala does not make fully automated decisions with legal or similarly significant effects on individual veterans or claimants without human review by the applicable Customer. Vala's AI features are assistive tools, not decision-making systems.

  • Aggregated and de-identified data that cannot reasonably be used to identify any individual may be used to improve the performance, accuracy, and reliability of the Services.

8. Sharing and Disclosure of Information

Vala does not sell, rent, or trade personal information. We may share information only in the following limited circumstances:

Service Providers and Subprocessors

We share Customer Data with third-party service providers and subprocessors that assist us in delivering the Services, including cloud hosting providers, communications infrastructure providers, AI model providers, and security vendors. All subprocessors are bound by written agreements requiring them to: protect Customer Data with at least the same level of protection we apply; process Customer Data only as directed; and, where applicable, process VA API-sourced data exclusively within the United States. A list of our current subprocessors is available upon written request.

Legal Obligations and Rights Protection

We may disclose information where we believe in good faith that disclosure is required to: comply with applicable law, regulation, legal process, or governmental request (including valid subpoenas, court orders, or VA directives); enforce our Terms of Service or other agreements; protect the rights, property, or safety of Vala, our Customers, or the public; or detect, prevent, or address fraud, security incidents, or technical issues. Where legally permitted, we will notify the applicable Customer before disclosing their data in response to legal process.

Business Transfers

If Vala is involved in a merger, acquisition, asset sale, financing, reorganization, or similar transaction, Customer Data and other information may be transferred as part of that transaction. We will notify affected Customers of any such transfer and any material changes to how their data will be handled, and we will require any successor to honor the commitments made in this Privacy Policy.

With Customer Consent

We may share information with third parties when the applicable Customer or User has provided explicit consent, or when sharing is at the Customer's direction in connection with their use of the Services.

What We Do Not Do

  • We do not sell personal information to third parties.

  • We do not share personal information with third parties for their independent advertising or marketing purposes.

  • We do not use veteran or claimant data for any purpose outside of providing the Services to the applicable Customer.

  • We do not transfer VA API-sourced data outside the United States.

9. Data Security

Vala implements commercially reasonable administrative, technical, and physical safeguards to protect personal information and Customer Data against unauthorized access, use, disclosure, alteration, or destruction. Our security measures include:

  • Encryption of data in transit using TLS 1.2 or higher.

  • Encryption of data at rest using AES-256 or equivalent.

  • Access controls, including role-based access control (RBAC) and multi-factor authentication (MFA) requirements for platform access.

  • Continuous security monitoring, vulnerability management, and penetration testing.

  • Audit logging of access to Customer Data, retained for a minimum of three years.

  • Employee security training and background screening.

  • Vendor security assessments for subprocessors handling Customer Data.

No method of transmission over the internet or electronic storage is completely secure. While we use commercially reasonable means to protect your information, we cannot guarantee absolute security. Customers are responsible for implementing appropriate security practices on their end, including securing their login credentials and managing User access appropriately.

10. Security Incidents and Breach Notification

Vala maintains a written incident response program designed to detect, contain, investigate, and remediate security incidents. In the event of a confirmed or reasonably suspected security incident involving personal information or Customer Data, Vala will apply the following notification procedures:

VA API-Sourced Data Incidents

Where a security incident involves or reasonably appears to involve VA API-sourced data, Vala will provide the applicable Customer with an initial notification within one (1) hour of Vala's determination that an incident has occurred or is reasonably suspected. The Customer, as the VA API account holder, is responsible for notifying the VA in accordance with VA Lighthouse developer agreement timelines. Vala will cooperate fully with Customer's VA-directed reporting obligations.

All Other Personal Data Incidents

For confirmed security incidents involving other personal information, Vala will notify affected Customers without undue delay and in any event within seventy-two (72) hours of confirming the incident. Where applicable law requires notification to affected individuals or regulators, Vala will cooperate with Customers in fulfilling those obligations.

Incident Notification Content

Incident notifications will include, to the extent known at the time of notification:

  • The nature and scope of the incident.

  • The categories and approximate volume of personal information affected.

  • The steps Vala has taken or is taking to contain and remediate the incident.

  • Contact information for Vala's incident response team.

A written incident summary will be provided within thirty (30) days of confirmed discovery, unless prohibited by law enforcement request, court order, or active forensic investigation.

10a. Sensitive Personal Information

By their nature, the Services process categories of information that are legally or practically sensitive, including military service records, health and medical information, disability ratings, government identifiers (e.g., Social Security numbers, VA file numbers), and information about drug or alcohol treatment and HIV status subject to 38 U.S.C. § 7332. Vala applies the following heightened protections to sensitive personal information:

  • Sensitive personal information is processed only as necessary to provide the specific Services requested by the Customer and for no other purpose.

  • Sensitive personal information is not used for advertising, marketing, profiling, or any purpose unrelated to veterans benefits claims services.

  • Access to sensitive personal information within Vala's systems is restricted to personnel with a demonstrated need for access in connection with service delivery, security, or legal compliance, and this restriction is enforced through role-based access controls.

  • Sensitive personal information subject to 38 U.S.C. § 7332 (drug abuse, alcoholism, HIV, sickle cell anemia records) receives the enhanced confidentiality protections mandated by that statute and its implementing regulations.

  • Sensitive personal information is encrypted both in transit and at rest using industry-standard encryption protocols.

  • California residents have the right to limit Vala's use of sensitive personal information to that which is necessary to provide the Services. As described above, Vala already limits its use to that purpose. To submit a request to limit use, contact privacy@valaclaims.com.

11. Cookies and Tracking Technologies

Vala uses cookies and similar technologies on our website and within the Services. We use these technologies for the following limited purposes:

Strictly Necessary Cookies

These cookies are required for the Services to function and cannot be disabled. They include session management tokens, authentication cookies, and security cookies. No consent is required for strictly necessary cookies.

Performance and Analytics Cookies

We use analytics tools to understand how the Services are used, identify performance issues, and improve the platform. Analytics data is aggregated and does not identify individual users by name. You may opt out of analytics cookies through our cookie preference center or your browser settings.

What We Do Not Use

We do not use advertising cookies, behavioral tracking cookies, or cookies that share data with third-party advertising networks. We do not use cross-site tracking or serve targeted advertising.

Most browsers allow you to control cookies through their settings. Disabling cookies may affect the functionality of the Services. For more information on managing cookies, visit your browser's help documentation.

Do Not Track

Some browsers transmit “Do Not Track” (DNT) signals to websites. Because there is no industry-wide standard for how DNT signals should be interpreted, Vala does not currently respond to DNT signals. However, because we do not engage in behavioral advertising or cross-site tracking, our practices are consistent with the intent of DNT signals regardless of browser setting.

Third-Party Links

The Services or our website may contain links to third-party websites, tools, or resources — including VA.gov, government portals, or third-party integrations. Vala is not responsible for the privacy practices or content of those third-party sites. We encourage you to review the privacy policies of any third-party sites you visit. The presence of a link does not constitute an endorsement.

12. Data Retention and Deletion

We retain personal information and Customer Data for as long as necessary to fulfill the purposes described in this Privacy Policy, to provide the Services to Customers, and to comply with our legal obligations. Retention periods vary by data type:

  • Account and Customer information: retained for the duration of the Customer relationship and for up to seven (7) years thereafter, or as required by applicable law, whichever is longer.

  • Customer Data (veteran and claimant records): retained in accordance with the Terms of Service, applicable BAA or DPA, and legal hold obligations. Customers may request deletion of Customer Data as provided in the Terms of Service; post-termination deletion timelines are described therein.

  • Audit logs and access records: retained for a minimum of three (3) years, or longer where required by VA requirements, HIPAA, or applicable law.

  • Security incident records: retained for a minimum of seven (7) years.

  • Usage and analytics data: retained in aggregated or de-identified form indefinitely; identifiable usage data retained for up to twenty-four (24) months.

  • VA API-sourced data: retained only for the period necessary to fulfill the applicable Customer's authorized use case, and deleted or rendered inaccessible thereafter, consistent with VA API terms.

Upon Customer request following termination of the Services, we will make Customer Data available for export for thirty (30) days and thereafter delete or render inaccessible Customer Data in accordance with our retention schedules, subject to legal hold obligations. We may retain information where required by law, legal process, audit obligations, or dispute resolution.

13. Your Privacy Rights

Depending on where you are located, you may have certain rights regarding your personal information. Vala will honor requests to exercise these rights to the extent required by applicable law and consistent with our legal obligations.

Rights Available to All Customers and Users

  • Right to Access: You may request a copy of the personal information we hold about you.

  • Right to Correction: You may request that we correct inaccurate or incomplete personal information.

  • Right to Deletion: You may request deletion of your personal information, subject to our legal retention obligations and the terms of any applicable BAA or DPA.

  • Right to Object or Restrict: You may object to or request restriction of certain processing activities where permitted by law.

  • Right to Data Portability: Where applicable, you may request that we provide your personal information in a structured, machine-readable format.

California Residents — CCPA / CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following additional rights:

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and share about you, including the categories of information, the purposes for collection, and the categories of third parties with whom it is shared.

  • Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions.

  • Right to Correct: You have the right to request correction of inaccurate personal information.

  • Right to Opt Out of Sale or Sharing: Vala does not sell or share personal information for cross-context behavioral advertising. You have the right to opt out of any such activities; because we do not engage in these practices, there is nothing to opt out of.

  • Right to Limit Use of Sensitive Personal Information: Vala uses sensitive personal information (including information about health conditions and government identifiers) only as necessary to provide the Services. You have the right to limit our use of your sensitive personal information to that which is necessary for the Services.

  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a CCPA/CPRA request, please contact us at privacy@valaclaims.com or as described in Section 17 (Contact Us). We will respond within forty-five (45) days, with one possible extension of an additional forty-five (45) days where reasonably necessary. We may need to verify your identity before processing your request.

Note: These rights apply to Customers, Users, and Site Visitors whose personal information is processed by Vala in its capacity as a data controller. If you are a veteran or claimant whose data was submitted by a Vala Customer, please direct your request to the applicable Customer, who controls that data.

Right to Appeal a Denied Request

If we deny your privacy rights request, you may appeal our decision by submitting a written appeal to privacy@valaclaims.com within thirty (30) days of receiving our denial, with the subject line “Privacy Rights Appeal.” We will respond to your appeal within sixty (60) days (or within the period required by your state's law). If your appeal is denied, we will provide you with information on how to contact your state's attorney general or applicable data protection authority to submit a complaint.

Virginia, Colorado, Connecticut, Texas, and Other State Residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy laws may have similar rights to those described above, including rights to access, correction, deletion, portability, and opt-out of certain processing activities. To exercise these rights, please contact us at support@valaclaims.com. We will respond within the timeframe required by your state's applicable law.

How to Exercise Your Rights

To submit a privacy rights request, email us at support@valaclaims.com with the subject line “Privacy Rights Request”, or submit a request through the designated privacy request mechanism in the Services, where available. We may need to verify your identity before processing your request. We will not fulfill requests that would require us to disclose information we are legally prohibited from disclosing, including information subject to attorney-client privilege, VA confidentiality requirements, or legal hold obligations.

14. International Data Transfers

Vala's Services are operated from, and Customer Data is stored and processed within, the United States. If you are accessing the Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

VA API-sourced data is stored and processed exclusively within the United States and is not transferred internationally under any circumstances.

For Customers or Users located in the European Economic Area (EEA), United Kingdom, or Switzerland whose personal information may be transferred to the United States, Vala relies on appropriate transfer mechanisms as required by applicable law, including Standard Contractual Clauses (SCCs) adopted by the European Commission, where required. To request information about the transfer mechanisms we apply to your personal information, please contact support@valaclaims.com.

Vala's primary customer base is domestic. International users should contact us prior to using the Services if they have specific data residency or cross-border transfer requirements.

15. Children's Privacy

The Services are intended for professional use by adults and are not directed to children under the age of 13. Vala does not knowingly collect personal information from children under 13 through the Services or Site. If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete that information.

If you believe that a child under 13 has provided personal information to us, please contact us at support@valaclaims.com.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. If we make a material change, we will provide notice by: (a) posting the updated Privacy Policy on our website with a revised “Last Updated” date; (b) notifying Customers via email or through the Services; or (c) such other means as required by applicable law.

Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically. Where required by applicable law, we will obtain your consent before making material changes to how we process your personal information.

Vala conducts an internal review of this Privacy Policy at least annually to ensure it accurately reflects our practices and remains consistent with applicable law. We maintain records of all prior versions of this Privacy Policy, which are available upon request.

17. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your information is handled, please contact us:

Vala, Inc.
Email: support@valaclaims.com
Website: valaclaims.com

For CCPA/CPRA requests, please include “Privacy Rights Request — California” in the subject line of your email. For security incident reporting by Customers, please follow the notification procedure described in our Terms of Service and contact support@valaclaims.com.