LastVet Privacy Policy
Effective Date: April 3, 2026
Last Updated: April 28, 2026
Plain Language Summary
LastVet exists to give you control of your health information. Here's what that means:
- You own your data. Your health record belongs to you, not us.
- You decide who sees it. You grant and revoke access to providers, organizations, and individuals — one by one, category by category.
- We never sell your data. Period. No exceptions. No fine print.
- You can leave anytime. Export your full record or delete your account. Your data, your choice.
- We exceed HIPAA. Our SHIELD standard goes beyond what the law requires to protect you.
If anything in the detailed policy below contradicts this summary, the summary wins. We mean what we say.
1. Who We Are
LastVet (last.vet) is operated by Last 1 Enterprises and is part of the Last 1 ecosystem. LastVet is a veteran-controlled health record platform that enables veterans to aggregate, own, and manage their complete health and life data.
Contact:
- Email: [email protected]
- Organization: Last 1 Enterprises
- Nonprofit Governance: Last 1 Nonprofit (last1.org)
2. The SHIELD Standard
LastVet is built on the SHIELD data standard, which exceeds HIPAA requirements in every dimension:
- Sovereign: You own your data. You are the root authority on your record. No institution, provider, or partner can access your information without your explicit consent.
- Holistic: Your record includes your complete health and life picture — medical history, social determinants, housing, employment, behavioral signals, peer connections, and self-reported data. Not just clinical notes.
- Integrated: Your data connects across systems — VA, Community Care Network, out-of-network providers, and community organizations — on your terms, not the institution's.
- Encrypted: All data is encrypted at rest and in transit. Every access is authenticated. Every session is auditable. Security is the default, not a policy.
- Live: Your record updates in real time. Every check-in, every provider interaction, every engagement signal. Your record is alive because your story doesn't stop between appointments.
- Distributed: Your data moves with you across a permissioned network. It doesn't live behind one institution's wall. It follows you, secured by your Last1 ID, governed by your consent.
Privacy Officer
Last 1 Enterprises has designated a Privacy Officer responsible for the handling of personal data, compliance with this policy, and the principles of the CARIN Trust Framework and Code of Conduct.
- Privacy Officer: Ryan Curry, Chief Executive Officer
- Contact: [email protected]
How to File a Complaint
If you believe your personal data has been handled in a way that violates this policy or your rights, you can file a complaint:
- Email [email protected] with the subject "Privacy Complaint"
- Include a description of the issue and any relevant details
- We will acknowledge your complaint within 48 hours
- We will investigate and respond with a resolution within 30 days
- If you are not satisfied with our response, you have the right to file a complaint with:
  - U.S. Department of Health and Human Services Office for Civil Rights (https://www.hhs.gov/ocr/complaints/index.html)
  - Federal Trade Commission (https://reportfraud.ftc.gov/)
  - Your state attorney general's office
For easier access, you can also use our dedicated complaints page at last.vet/complaints.
3. What Data We Collect
3.1 Data You Provide Directly
- Account information (name, email, phone number)
- Call sign (your chosen display name)
- Service history (branch, rank, MOS, deployment history, discharge status)
- Self-reported health information (housing status, employment, goals, wellness check-ins)
- Radio Check responses and engagement data
- Care preferences and provider preferences
- Consent decisions
3.2 Data We Pull From the VA (With Your Authorization)
- Health records via the VA Lighthouse Patient Health API (FHIR), including:
  - Conditions and diagnoses
  - Medications
  - Allergies
  - Procedures
  - Immunizations
  - Lab results
  - Clinical notes
- Service history and eligibility (via VA Veteran Verification API)
You authorize this pull. We use the OAuth 2.0 Authorization Code Grant flow — you log in through the VA's identity system (Login.gov or ID.me) and explicitly grant LastVet permission to access your data. You can revoke this authorization at any time.
3.3 Data Contributed by Providers (With Your Consent)
- Clinical notes from non-VA providers
- Treatment plans and care summaries
- Referral outcomes and follow-up records
- Structured data (diagnosis codes, treatment types, outcome measures)
Providers can only write to your record if you have granted them explicit permission. Provider-contributed data is clearly tagged in your record timeline so you always know who wrote what.
3.4 Platform-Generated Data
- Radio Check engagement signals (check-in frequency, response patterns)
- Help signal history
- Referral tracking (request to resolution)
- XP, reputation, and engagement metrics
- Audit logs (who accessed what, when)
3.5 Technical Data
- Device information (for mobile app functionality)
- IP address and session data (for security and authentication)
- App usage analytics (anonymized, for platform improvement)
4. How We Use Your Data
We use your data for:
- Building and maintaining your living health record — aggregating, displaying, and updating your health and life information across all sources
- Connecting you with care — matching you to providers, services, and resources based on your record and preferences
- Radio Check and peer accountability — facilitating check-ins with your unit and detecting when you may need support
- Help signal routing — ensuring that when you signal for help, the right people are notified immediately
- Care coordination — tracking referrals from request to resolution and measuring outcomes
- Platform improvement — using anonymized, aggregated data to make LastVet better for all veterans
We do not use your data for:
- Selling to advertisers, data brokers, or any third party
- Targeted advertising of any kind
- Behavioral profiling for marketing purposes
- Sale to data brokers, advertisers, or marketing partners
- Any transaction — monetary or non-monetary — that you have not explicitly consented to
- Automated decision-making that produces legal or similarly significant effects on you without your explicit consent
- Any purpose you have not explicitly consented to
5. How We Share Your Data
5.1 Who May Receive Your Data (Only With Your Consent)
Your data is shared only with the people and organizations you explicitly authorize through the consent dashboard. You control who can access your data, what they can see, for how long, and for what purpose.
Who may receive your data (only with your consent):
- Healthcare providers you explicitly authorize (for example: therapists, physicians, counselors, specialists) — identified by name in your consent dashboard
- Veteran-serving organizations (VSOs) you explicitly authorize (for example: Team Rubicon, Wounded Warrior Project, local VSO chapters) — identified by name
- Individuals you explicitly authorize (for example: spouse, caregiver, battle buddy) — identified by name
- Research programs you explicitly opt into (anonymized data only)
- RealOutcomes (population-level analytics, anonymized, opt-in only)
Infrastructure partners who process data on our behalf (covered by Business Associate Agreements):
- Railway — cloud hosting and database (PostgreSQL)
- Cloudflare — web hosting and CDN
- Apple — app distribution via App Store and push notifications
These infrastructure partners do not have independent access to your health record. They process data only as necessary to operate the platform under strict contractual obligations.
5.2 Third-Party Vendor Obligations
We contractually bind all third-party vendors and contractors who may access or process your personal data on our behalf to commitments that are substantively similar to the commitments we make to you in this Privacy Policy. Specifically, all such vendors are required to:
- Use your data only for the specific purpose for which it was shared with them
- Implement security safeguards equivalent to or exceeding our own
- Report any unauthorized access, use, or disclosure of your data to us immediately
- Return or destroy your data when our business relationship with them ends
- Not use or disclose your data for their own purposes
- Not re-identify any de-identified data
- Pass these same obligations to any sub-contractors
We prohibit uses or disclosures of your personal data for any purposes not consistent with these commitments without your informed, proactive consent.
Current third-party vendors who may process data on our behalf:
- Railway (cloud infrastructure and database hosting)
- Cloudflare (web hosting and content delivery)
- Apple (iOS app distribution and push notifications)
All of these vendors are bound by Business Associate Agreements (BAAs) where required and contractual obligations consistent with this policy.
5.3 What Last 1 Enterprises Will Do in the Event of a Data Breach
This section describes Last 1 Enterprises' direct breach response commitments (separate from third-party vendor obligations above).
If we discover or are notified of a breach involving your personal data, Last 1 Enterprises will:
- Investigate and contain the breach as quickly as possible to prevent further unauthorized access.
- Notify you within 48 hours of confirming a breach that affects your personal data, via email and in-app notification.
- Clearly describe what happened, what data was involved, and what we are doing about it.
- Report the breach to the U.S. Department of Health and Human Services Office for Civil Rights as required by HIPAA (within 60 days of discovery).
- Report to your state attorney general if required by state law.
- Take immediate steps to remediate the vulnerability that caused the breach.
- Provide guidance on steps you can take to protect yourself.
- Offer credit monitoring services if the breach involved sensitive identifying information such as Social Security numbers.
We will never attempt to conceal a breach or minimize its impact. Transparency with our Veterans is a core commitment.
5.4 Substance Use Disorder Records (42 CFR Part 2)
Records related to substance use disorder treatment receive additional protections under federal law. These records:
- Are displayed separately in your consent dashboard
- Require specific, separate consent before sharing
- Cannot be used in criminal or civil proceedings against you without your specific consent or a court order
- Are subject to stricter controls than standard health information
5.5 De-Identified Data and Re-Identification Prohibition
If you opt in to the RealOutcomes data insights program, your data is de-identified before being shared with researchers, funders, or policymakers. De-identification means:
- Your name, contact information, and direct identifiers are removed
- Data is aggregated with information from many other Veterans
- The data cannot reasonably be linked back to you
We contractually require all third parties who receive de-identified data to:
- Take reasonable measures to ensure the data cannot be associated with any individual
- Publicly commit to maintaining and using the data without attempting to re-identify it
- Be prohibited from attempting to re-identify the data through any means
- Pass these same obligations to any sub-recipients of the data
Violations of these contractual prohibitions result in immediate termination of the data sharing relationship and may result in legal action.
Even with these protections, de-identified data is only shared with your explicit opt-in consent. We do not share or use de-identified data without your prior authorization.
You can opt out at any time with immediate effect.
5.6 Information About Others
Some health information in your record — such as family medical history, genetic predispositions, or hereditary conditions — may have implications for your family members. When you share this information with providers or researchers, it may indirectly reveal health information about your relatives. We encourage you to consider this when making consent decisions about sharing medical history.
Your family members' privacy matters too.
Where you have the option to share or withhold family history or genetic information independently from other categories, our consent dashboard allows you to make that choice on a per-category, per-grantee basis.
5.7 When Required by Law
We may disclose your information when required by law, such as in response to a valid court order or subpoena. We will notify you of any such request unless legally prohibited from doing so.
6. Your Rights
You have the right to:
- Access your complete record at any time through the LastVet platform
- Export your data in a portable format (PDF, FHIR, or secure link)
- Correct inaccurate information in your record
- Revoke any consent at any time with immediate effect
- Delete your account and all associated data
- See who has accessed your data through the audit log
- Restrict data categories — share some information while keeping other categories private
- Withdraw from data sharing programs (RealOutcomes, research) at any time
- File a complaint if you believe your rights have been violated
To exercise any of these rights, contact us at [email protected] or [email protected], or use the controls in your consent dashboard.
7. Data Security
- All data is encrypted at rest and in transit (AES-256, TLS 1.3)
- Access controls enforce the principle of least privilege
- All data access is logged and auditable
- Sessions expire automatically after inactivity
- Multi-factor authentication is available and recommended
- We conduct regular security assessments and penetration testing
- Our infrastructure is hosted on HIPAA-compliant, BAA-covered cloud services
8. Data Retention
- Your record exists as long as your account is active
- If you delete your account, your data is permanently removed within 30 days
- Audit logs are retained for 6 years in compliance with HIPAA requirements
- Anonymized, aggregated data that has already been included in RealOutcomes reports cannot be individually recalled (because it is no longer identifiable)
8.1 Dormant Accounts
If you do not access your LastVet account for 24 months, we will send a notification email to the address on file. If you do not log in within 60 days of that notification, your account and all associated data will be handled as follows:
- Veteran health record: permanently deleted
- Self-reported entries: permanently deleted
- Profile information: permanently deleted
- Consent grants: marked as revoked, retained per compliance requirements
- Audit logs: retained per HIPAA 6-year requirement, no longer linked to your active identity
You can reactivate a dormant account before deletion by simply logging in. After deletion, you would need to create a new account if you wish to use LastVet again.
8.5 What Happens If Last 1 Enterprises Is Sold or Closes
If Last 1 Enterprises is acquired, merges with another company, or ceases operations:
- We will notify you at least 60 days before any transfer of ownership takes effect, via email and in-app notification
- Your data will only be transferred to a new owner if the new owner agrees in writing to honor this privacy policy and the SHIELD standard in full
- You will have the option to export your complete health record before transfer, delete your account and associated data before transfer, or continue under the new owner if their policies remain consistent with ours
- If no suitable successor exists, all Veteran data will be securely destroyed within 45 days of the company's closure
- Your data will never be sold as a business asset. Your health record is yours — not ours to sell
9. Children's Privacy
LastVet is not intended for use by individuals under 18. We do not knowingly collect data from minors.
10. Changes to This Policy
We will notify you of material changes to this privacy policy via email and in-app notification at least 30 days before they take effect. We will never retroactively reduce your privacy protections without your explicit consent.
11. Contact Us
Questions, concerns, or complaints about this privacy policy or our data practices:
- Email: [email protected]
- Privacy Officer: Ryan Curry, Chief Executive Officer
- Privacy Contact: [email protected]
- Governing Organization: Last 1 Nonprofit (last1.org)
You can file a complaint directly at last.vet/complaints. If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint.
This privacy policy is a living document. It will be updated as our platform evolves, always in the direction of more transparency and more veteran control — never less.