Privacy Policy
Effective Date: February 9, 2026
Homefront Group, LLC ("Homefront Group," "we," "us," or "our") operates the VA Records Authorization Portal at va.hfgcarl.com. This Privacy Policy describes how we collect, use, store, and protect your information when you use our services.
1. Who We Are
Homefront Group is an accredited veterans law firm that represents veterans in VA disability claims and appeals. We are authorized to represent veterans before the Department of Veterans Affairs under 38 CFR 14.629. Our use of VA data is governed by our legal representation agreement with you and applicable federal regulations.
2. Information We Collect
When you authorize access to your VA records through our portal, we collect:
- Identity Information: Your name and VA Integration Control Number (ICN) as provided by VA.gov during the OAuth authentication process
- VA Benefits Data: Information about your appealable issues, including claim decisions, ratings, and decision dates that you authorize us to access
- Authentication Tokens: OAuth tokens that allow us to access your authorized VA data on your behalf
- Access Logs: Records of when and how your data was accessed for audit and compliance purposes
We do not collect any information beyond what is necessary to provide legal representation services.
3. How We Collect Your Information
We collect your information through the VA.gov OAuth 2.0 authorization process:
- You visit our portal at va.hfgcarl.com
- You click "Authorize Record Access," which redirects you to VA.gov
- You authenticate through Login.gov or ID.me (we never see your VA.gov password)
- VA.gov displays exactly what data will be shared and asks for your consent
- Upon your approval, VA.gov provides us with authorized access to your specified records
4. How We Use Your Information
We use your information solely for:
- Legal Representation: Reviewing your claims history and appealable issues to identify opportunities for rating increases or appeals
- Case Preparation: Building documentation to support your disability claims or appeals
- Communication: Contacting you about your case status and legal options
- Compliance: Maintaining audit logs as required by HIPAA and VA security protocols
We do not sell, rent, trade, or otherwise transfer your personal information to third parties for any purpose, including marketing, advertising, analytics, or any commercial purpose. We do not use your information for any purpose other than providing legal services as described in this policy.
We do not use de-identified, anonymized, or aggregate veteran data for any purpose. All veteran data we collect is used exclusively for the individual veteran's legal representation and is not repurposed in any form, whether identified or de-identified.
5. Information Sharing
We may share your information only in the following circumstances:
- With the VA: When filing claims or appeals on your behalf
- Legal Requirements: When required by law, court order, or government regulation
- With Your Consent: When you explicitly authorize us to share information with a specific party
Any third party with whom Homefront Group shares veteran data is contractually bound to terms and conditions consistent with the protections set forth in this Privacy Policy, including obligations regarding data security, confidentiality, permissible use, and data retention. Third parties may only use veteran data for the specific purpose for which it was shared and must return or securely destroy the data when it is no longer needed for that purpose.
Your information is protected by attorney-client privilege to the extent applicable under law.
6. Data Security
We implement robust security measures to protect your information:
- Encryption: All data is encrypted in transit using TLS and at rest using AES-256 encryption
- Access Control: Only authorized Homefront Group personnel can access your data
- Audit Logging: All access to your data is logged for HIPAA compliance
- Infrastructure Security: Our servers use automated vulnerability scanning, weekly security patching, and continuous monitoring
- Credential Protection: OAuth credentials and API keys are stored as encrypted environment variables, never in source code
7. Data Retention and Deletion
We retain your information for as long as necessary to provide legal services and comply with our legal obligations:
- Active Cases: Data is retained while we are actively representing you
- Completed Cases: Data may be retained for up to 7 years after case completion as required by legal record-keeping requirements
- Upon Request: You may request deletion of your data at any time by contacting us using the information in Section 14. Upon receiving a verified deletion request, we will delete your data within 45 calendar days. If we are legally required to retain certain portions of your data (such as records required under HIPAA, attorney record-keeping obligations, or other applicable law), we will inform you of which data we must retain and the legal basis for doing so. All data not subject to a legal retention requirement will be securely deleted within the 45-day period.
8. Your Rights and Choices
You have the following rights regarding your information:
- Revoke Access: You can revoke our access to your VA records at any time by visiting VA.gov Connected Apps. This immediately invalidates our access tokens.
- Access Your Data: You can request a copy of the information we have collected about you
- Correct Your Data: You can request corrections to inaccurate information
- Delete Your Data: You can request deletion of your data. We will complete the deletion within 45 calendar days of receiving your verified request, except for data we are legally required to retain (see Section 7)
- Close Your Account: You can request that we close your account and cease all access to your VA records
To exercise these rights, contact us using the information in Section 14.
9. HIPAA Compliance
As a law firm handling protected health information (PHI), we comply with the Health Insurance Portability and Accountability Act (HIPAA). This includes:
- Maintaining appropriate administrative, physical, and technical safeguards
- Training employees on privacy and security procedures
- Conducting regular security assessments
- Maintaining audit logs of all PHI access
10. Breach Notification
In the unlikely event of a data breach affecting your information:
- We will notify you within 72 hours of discovering the breach
- We will immediately revoke all OAuth tokens
- We will report the incident to the VA API team
- We will conduct a root cause analysis and implement remediation
- We will comply with all state and federal breach notification requirements
11. Children's Privacy
Our services are intended for veterans who are 18 years of age or older. We do not knowingly collect information from individuals under 18.
12. Transfer of Ownership or Business Changes
In the event that Homefront Group undergoes a merger, acquisition, sale of assets, transfer of ownership, dissolution, or cessation of business operations, we are committed to protecting your data. If such an event occurs, we will notify you in advance and provide you with the following options regarding your veteran data:
- Secure Disposal, Transmission, or Download: You may request that your data be securely disposed of, transmitted to a party of your choosing, or made available for you to download before the transition takes effect
- Policy Continuity: If your data is to be transferred to a successor entity, we will require that the new owner or entity adopt privacy and data protection policies that are consistent with the protections in this Privacy Policy. We will not transfer your data to any successor entity whose policies are materially less protective than those described here
- Account Closure: You may request to close your account and have all your data securely deleted, subject to any legal retention requirements as described in Section 7
We will provide you with at least 30 days' notice before any transfer of ownership or cessation of operations takes effect, during which time you may exercise any of the above options. If you do not respond within the notice period, we will ensure that any successor entity is bound by terms consistent with this Privacy Policy or, if no successor entity exists, we will securely delete your data in accordance with Section 7.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website with a new effective date. Your continued use of our services after such changes constitutes acceptance of the updated policy.
14. Contact Us