Privacy Notice
1. What PCS Express is
PCS Express is an independent platform that helps U.S. service members, DoD civilians, and military families navigate Permanent Change of Station (PCS) moves. It is not endorsed by, affiliated with, sponsored by, or coordinated with the U.S. Department of Defense, the Department of Veterans Affairs, or any military branch.
2. What this notice covers
The web app at pcsexpress.app, the iOS app, and the Android app (collectively, the "App").
3. Information we do NOT collect
- We do not require accounts, sign-ups, passwords, or any form of login.
- We do not ask for SSN, date of birth, EDIPI/DoD ID, military rank, orders, GBL number, or any officially identifying document.
- We do not accept document uploads or photographs anywhere in the App.
- We do not use third-party analytics, advertising trackers, or session replay services. (See §7 on advertising.)
- We do not sell, rent, or share any information with data brokers.
4. Information stored on YOUR device only
Stored locally, encrypted at rest using AES-256-GCM with a non-extractable IndexedDB key generated in your browser:
- Your PCS profile (first name, branch, component, gaining installation, family composition, EFMP status, religious preference, etc.)
- Checklist progress, reminders, notes
- Saved routes, saved translations, inventory and pet-relocation worksheets
- Audit log of the above (event names + timestamps only, no field content)
Nothing in this list is transmitted to PCS Express servers. Clearing site data or using "Reset" deletes all of it. There is no server-side backup.
5. Information sent off your device
| Feature | What is sent | Where | Why |
|---|---|---|---|
| AI Assistant | Your typed question + a non-PII context blob (branch, phase, open-task count) | Anthropic, Inc. (api.anthropic.com) via our server | Contextual answers |
| Translation widget (opt-in) | Page content as you read it | Google LLC (Google Translate) | Only when you turn translation on |
| Navigation tab | Addresses you type, origin/destination pairs | OpenStreetMap (nominatim.openstreetmap.org, router.project-osrm.org) | Geocoding + routing |
| Local resource lookups (business directory, jobs, housing rates, market stats, schools, family activities) | Your gaining installation's city / state / ZIP, and any address you type | Public APIs via our server: SAM.gov, USASpending.gov, USAJOBS (OPM), FRED, HUD User, TheMuse, RemoteOK, OpenStreetMap | Fetch local results for the gaining area |
| Demo / contact form | Name, email, org, role, message, your request IP | PCS Express server (ephemeral application logs only — no database) | Respond to inquiries |
| Push notifications (opt-in) | Browser push subscription endpoint | PCS Express server | Send reminders you requested |
We do not retain server-side copies of AI Assistant or Translation traffic. Anthropic and Google process their respective inputs under their own privacy terms.
6. Cookies and similar technologies
PCS Express does not set tracking, fingerprinting, or advertising cookies.
- A first-party cookie named
googtransis set only if you opt into Google Translate, to remember your language across page loads. - Your browser stores AES-encrypted site data as IndexedDB / localStorage entries. These are not cookies and are not sent with HTTP requests.
7. Advertising (Google AdSense)
PCS Express has applied for the Google AdSense program and our publisher ID is declared in our ads.txt file, but advertising is not currently served on the web app, and never inside the iOS/Android apps. The AdSense script does not load and sets no advertising cookies until you grant consent through a Consent Management Platform — which is not yet enabled. Before any ads are served, we will: (a) require prior consent in the EU/EEA and the UK via a Google-certified consent banner, (b) default to non-personalized ads, and (c) update this notice with the data Google receives. Google's use of advertising cookies is described in Google's Advertising Privacy & Terms notice.
If we ever introduce personalized ads, a granular consent banner will be added before personalization is enabled — including a clearly-labelled opt-out for users covered by CCPA / CPRA / GDPR / ePrivacy.
8. Data we receive automatically
Your browser/device sends standard HTTP information (IP, user agent, language, request path, status) to our servers, our hosting providers (Vercel, Inc. and Railway Corp.), and CDNs. Used for security and abuse prevention. Not associated with any user identifier. Retained per the hosting providers' platform-level log retention.
9. Children
The App is intended for adult service members, DoD civilians, and adult family members. It is not directed at children under 13 (COPPA). If you believe a minor has provided personal information, email info@cyberwaveglobal.com and we will delete it.
10. Your rights
Depending on where you live, you may have the right to request a copy of your personal information, request correction or deletion, opt out of any sale or sharing (we don't do either), or withdraw consent for any opt-in feature.
For California residents (CCPA/CPRA): the categories of personal information collected are listed in §5. We do not "sell" or "share" personal information as defined.
For EU / UK / EEA residents (GDPR Art. 13): the lawful basis for each off-device transfer in §5 is your consent (translation, push notifications, demo form) or our legitimate interest in providing the service you requested (AI Assistant, Navigation).
To exercise these rights, email info@cyberwaveglobal.com.
11. Security
- HTTPS enforced for every request (HSTS with
preload). - Content Security Policy with
default-src 'self',object-src 'none',frame-ancestors 'self', and an explicit allowlist of the few third-party script/frame origins required for maps and (when enabled) advertising. - Push endpoints restricted by hostname allowlist.
- AI prompts sanitized for prompt-injection and capped in length.
12. International data transfers
Servers in the United States. Data accessed from outside the U.S. is transferred to and processed in the U.S.
13. Changes
We will update this notice when practices change. The effective date will be updated and material changes flagged in the Compliance screen.
14. Contact
Questions or requests: info@cyberwaveglobal.com
Security vulnerabilities: see /.well-known/security.txt