Privacy Policy

Effective Date: December 11, 2025

Homefront Group, LLC ("Homefront Group," "we," "us," or "our") operates the VA Records Authorization Portal at va.hfgcarl.com. This Privacy Policy describes how we collect, use, store, and protect your information when you use our services.

1. Who We Are

Homefront Group is an accredited veterans law firm that represents veterans in VA disability claims and appeals. We are authorized to represent veterans before the Department of Veterans Affairs under 38 CFR 14.629. Our use of VA data is governed by our legal representation agreement with you and applicable federal regulations.

2. Information We Collect

When you authorize access to your VA records through our portal, we collect:

• Identity Information: Your name and VA Integration Control Number (ICN) as provided by VA.gov during the OAuth authentication process
• VA Benefits Data: Information about your appealable issues, including claim decisions, ratings, and decision dates that you authorize us to access
• Authentication Tokens: OAuth tokens that allow us to access your authorized VA data on your behalf
• Access Logs: Records of when and how your data was accessed for audit and compliance purposes

We do not collect any information beyond what is necessary to provide legal representation services.

3. How We Collect Your Information

We collect your information through the VA.gov OAuth 2.0 authorization process:

• You visit our portal at va.hfgcarl.com
• You click "Authorize Record Access" which redirects you to VA.gov
• You authenticate through Login.gov or ID.me (we never see your VA.gov password)
• VA.gov displays exactly what data will be shared and asks for your consent
• Upon your approval, VA.gov provides us with authorized access to your specified records

4. How We Use Your Information

We use your information solely for:

• Legal Representation: Reviewing your claims history and appealable issues to identify opportunities for rating increases or appeals
• Case Preparation: Building documentation to support your disability claims or appeals
• Communication: Contacting you about your case status and legal options
• Compliance: Maintaining audit logs as required by HIPAA and VA security protocols

We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not use your information for any purpose other than providing legal services.

5. Information Sharing

We may share your information only in the following circumstances:

• With the VA: When filing claims or appeals on your behalf
• Legal Requirements: When required by law, court order, or government regulation
• With Your Consent: When you explicitly authorize us to share information with a specific party

Your information is protected by attorney-client privilege to the extent applicable under law.

6. Data Security

We implement robust security measures to protect your information:

• Encryption: All data is encrypted in transit using TLS and at rest using AES-256 encryption
• Access Control: Only authorized Homefront Group personnel can access your data
• Audit Logging: All access to your data is logged for HIPAA compliance
• Infrastructure Security: Our servers use automated vulnerability scanning, weekly security patching, and continuous monitoring
• Credential Protection: OAuth credentials and API keys are stored as encrypted environment variables, never in source code

7. Data Retention

We retain your information for as long as necessary to provide legal services and comply with our legal obligations:

• Active Cases: Data is retained while we are actively representing you
• Completed Cases: Data may be retained for up to 7 years after case completion as required by legal record-keeping requirements
• Upon Request: You may request deletion of your data at any time, subject to legal retention requirements

8. Your Rights and Choices

You have the following rights regarding your information:

• Revoke Access: You can revoke our access to your VA records at any time by visiting VA.gov Connected Apps. This immediately invalidates our access tokens.
• Access Your Data: You can request a copy of the information we have collected about you
• Correct Your Data: You can request corrections to inaccurate information
• Delete Your Data: You can request deletion of your data, subject to legal retention requirements

To exercise these rights, contact us using the information below.

9. HIPAA Compliance

As a law firm handling protected health information (PHI), we comply with the Health Insurance Portability and Accountability Act (HIPAA). This includes:

• Maintaining appropriate administrative, physical, and technical safeguards
• Training employees on privacy and security procedures
• Conducting regular security assessments
• Maintaining audit logs of all PHI access

10. Breach Notification

In the unlikely event of a data breach affecting your information:

• We will notify you within 72 hours of discovering the breach
• We will immediately revoke all OAuth tokens
• We will report the incident to the VA API team
• We will conduct a root cause analysis and implement remediation
• We will comply with all state and federal breach notification requirements

11. Children's Privacy

Our services are intended for veterans who are 18 years of age or older. We do not knowingly collect information from individuals under 18.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website with a new effective date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

13. Contact Us