Privacy Policy

Last updated: May 2026

Plain-English summary

Your injury records, ratings, and statements stay in your browser. We don’t upload them to our servers. The only data we keep server-side is what we need to run your account (email + auth) and process your payment. You can export or delete your local data at any time using the in-app export tools.

1. Who we are

ENDEX is operated by CG Web Lab, LLC (“ENDEX,” “we,” “us”). ENDEX is a documentation and organization tool for veterans preparing their own VA disability claim materials. It is not a VA product, is not affiliated with or endorsed by the U.S. Department of Veterans Affairs, and does not file claims on your behalf.

2. What stays on your device

The substance of what you put into ENDEX — your injuries, ratings, timelines, secondary conditions, special claims, and personal statements — is stored locally in your browser’s storage. We don’t see it, our servers don’t store it, and it isn’t transmitted anywhere by the app.

That has consequences you should be aware of:

  • Clearing your browser data wipes your records. Use the in-app Export button regularly to save a file copy you control.
  • Records don’t sync across devices automatically. To move data, export from one device and import on the other.
  • Anyone with access to your device’s browser profile can read your data. Use a passcode/biometric on your device.

3. What we do collect server-side

To run your account and bill you, a small amount of data does live on our infrastructure (Supabase) and our payment processor (Stripe):

  • Account identity: email address; if you sign in with Google or Apple, the basic profile fields they return (name, email, and a unique provider ID). We store no password — Supabase hashes and salts it on its end if you use email/password.
  • Access state: whether you signed up via subscription or access key, and which plan or key you hold.
  • Subscription metadata (Stripe): Stripe customer ID, subscription ID, plan, billing status, and renewal/cancellation dates. Card numbers are handled by Stripe and never touch our servers.
  • Auth session cookies: a Supabase session cookie that keeps you signed in. You can clear it at any time by signing out.
  • Operational logs: request logs (timestamp, route, status, anonymized request ID) for security and debugging. Logs are retained on a rolling basis and don’t include the contents of your injury records.
  • Anonymous visit analytics: aggregated page-visit counts to understand which features get used. No injury data and no content from your records is included.

4. How your data is used

  • To create and maintain your account, sign you in, and protect against unauthorized access.
  • To process subscription payments and grant or revoke access based on billing status.
  • To respond to support requests you initiate.
  • To detect, investigate, and prevent abuse, fraud, and security incidents.
  • To comply with legal obligations.

We do not sell your personal data. We do not use your data to train AI models. We do not use your data for advertising.

5. Service providers we share data with

We use a short list of subprocessors to operate the service. They receive only the data they need to perform their function:

  • Supabase — hosted Postgres + auth (account identity, session, access state).
  • Stripe — payment processing (billing identity, subscription state, card data on Stripe’s side).
  • Axiom — operational logging (request metadata, no record content).
  • Google & Apple — only if you use Sign in with Google or Apple, the OAuth handshake passes through them.
  • Hosting/CDN — the platform that serves the application (request routing, no record content).

6. Your rights

Because the bulk of your data lives on your own device, you have direct control over it: export, edit, or delete it at any time from inside the app. For the limited account data we hold server-side:

  • Access: request a copy of the account data we have.
  • Correction: update inaccurate account info from your settings or by contacting us.
  • Deletion: close your account and we will delete your account record. Some Stripe billing records must be retained for tax/audit reasons.
  • Withdraw consent: stop using the service and clear your local browser storage.

To exercise any of these, email [email protected]. Residents of California, the EU/UK, and other jurisdictions with stronger privacy rights have the additional rights afforded by their local laws and may exercise them via the same address.

7. Security

We use industry-standard transport encryption (HTTPS) for everything between your browser and our servers. Account passwords are hashed by our auth provider. Card data is handled by Stripe under PCI-DSS. No system is perfectly secure — if you suspect a breach, please contact us immediately.

8. International users

ENDEX is operated from the United States. By using the service, you consent to your account data being processed in the United States and in the regions of our subprocessors.

9. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced in the app and via email to active subscribers. The “Last updated” date at the top reflects the most recent revision.

10. Contact

Questions about this policy? Email [email protected].