Privacy Policy

Effective: May 1, 2026

Flat Rate Nexus, operated by Kasky Online Health, PLLC ("we," "us," "our"), provides independent medical opinion letters for VA disability claims. This policy describes how we collect, use, and protect your personal and health information.

Information We Collect

When you submit an intake form, we collect: your name, date of birth, email address, phone number, branch of service, service dates, military occupational specialty, claimed conditions, and a description of the in-service events related to your claim.

We also receive the medical records and documents you upload, which may include DD-214s, service treatment records, VA medical records, private medical records, personal statements, and buddy statements. These records contain protected health information (PHI).

We collect payment information through Stripe, our third-party payment processor. We do not store credit card numbers on our systems.

How We Use Your Information

We use your information to evaluate your case, draft a medical opinion letter if your case is supportable, communicate with you about the status of your case, and process payments and refunds.

To prepare your letter, we use modern clinical-decision-support technology to help organize your records, surface the strongest medical and regulatory pathways for your claim, and draft an initial medical opinion. The reviewing physician personally develops, evaluates, edits, and signs every letter before delivery. Technology assists the review; it never replaces the physician's judgment.

How We Protect Your Records

We treat the records you share with us with the same standard of care HIPAA requires for protected health information, regardless of whether the structure of our service formally falls under HIPAA. Concretely:

Encrypted in transit. Records are uploaded through HIPAA-grade intake infrastructure (Jotform HIPAA tier) over TLS-encrypted connections only.

Encrypted at rest. Files are stored on encrypted, password-protected systems with full-disk encryption. Backups are encrypted.

Access-restricted. Only the reviewing physician and authorized personnel directly involved in preparing your letter can access your records. Every access is logged.

No advertising or analytics access. Your records are walled off from every marketing and analytics tool we use on the public website.

No secondary use. We do not sell, rent, share, or license your records for any purpose other than preparing the medical opinion you have contracted for.

Deletion on request. After your case is complete, you can ask us to delete your records and we will do so within 30 days, subject to any record-retention obligation imposed on the physician by Nevada medical-record law.

Third-Party Services

We use the following third-party services to operate the business and the website:

For handling your records and preparing your letter: Jotform (HIPAA Gold tier) for secure intake-form submission and file uploads, under their Business Associate Agreement. Stripe for payment processing — card numbers are tokenized and never reach our systems. Google Workspace for email correspondence from info@flatratenexus.com. We also use clinical-decision-support services from established U.S. technology providers; their terms of service contractually prohibit retention of your records for model training, marketing analysis, or any purpose unrelated to fulfilling the service we have contracted for.

For public-website analytics and advertising measurement: Google Ads conversion tracking, Meta (Facebook) Pixel, Reddit Pixel, Microsoft UET (Bing Ads) conversion tracking, and Microsoft Clarity session analytics. These services receive page-view and event data from the public marketing pages only. They do not receive your name, your records, or any protected health information.

Data Retention

We retain your case records for a period necessary to fulfill our service obligations and comply with applicable record-keeping requirements. If you request deletion of your records after your case is complete, we will honor that request within 30 days, subject to any legal retention requirements.

Data Security

All transmissions use HTTPS/TLS encryption. See How We Protect Your Records above for the full breakdown of encryption, access controls, and storage practices.

Your Rights

You have the right to request a copy of the information we hold about you, request correction of any inaccurate information, and request deletion of your records (subject to legal retention requirements).

To exercise any of these rights, contact us at info@flatratenexus.com.

Cookies and Tracking

Our public marketing website uses cookies and similar technologies for analytics and advertising measurement. These include session analytics (Microsoft Clarity) and advertising conversion pixels (Google Ads, Meta, Reddit, Microsoft UET). They record page views, clicks, and general user behavior on the public marketing pages.

Tracking is limited to the public marketing site. We do not track any behavior inside the intake form, inside the Jotform submission flow, or after you submit records. Your protected health information is never shared with, sold to, or accessible by any advertising or analytics vendor.

Third-party services embedded on our site (such as Jotform and Stripe) may use their own cookies as necessary to provide their services.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. Your continued use of our service after changes are posted constitutes acceptance of the updated policy.

Contact

For questions about this privacy policy or our data practices, contact us at info@flatratenexus.com.