# Privacy Policy

> **Template and counsel-review notice.** This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.


**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Organization:** NEXQ Inc.  
**Services covered:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services  
**Privacy contact:** hello@nexq.us  
**Security contact:** hello@nexq.us  
**Mailing address:** Irvine, CA, United States — contact hello@nexq.us for legal notices


## 1. Scope, roles, and conflicts
This Policy applies to websites, web applications, mobile applications, APIs, support channels, newsletters, healthcare or healthtech workflows, hospital-facing workflows, developer portals, and related services operated by **NEXQ Inc.**. It is intentionally modular. If a regulated-data appendix conflicts with this general policy, the stricter or more specific appendix controls for that data or workflow.

We may act as a **business**, **controller**, **processor**, **service provider**, **contractor**, **business associate**, **subprocessor**, **vendor**, or **software supplier** depending on the customer, integration, contract, and data flow. Product teams must complete the data inventory before publishing this policy because incorrect role language can create FTC, state privacy, contract, HIPAA, FERPA, GLBA, app-store, or customer-audit exposure.

## 2. Personal information we may collect
We collect only information that is reasonably necessary, proportionate, and compatible with disclosed purposes. Before launch, delete any row that does not apply and add missing categories from the data inventory.

| Category | Examples | Source | Sensitive? | Required publication check |
|---|---|---|---|---|
| Identifiers | name, email, account ID, username, IP address, device IDs | user, device, customer, partners | sometimes | notice at collection; app labels; SDK inventory |
| Account and commercial data | subscription tier, transaction records, support history | user, payment processor, systems | sometimes | retention schedule; payment/PCI disclosures |
| Internet/network activity | pages viewed, referrers, clickstream, session logs, diagnostics | browser, app, SDKs | sometimes | cookie/SDK consent, GPC, analytics review |
| Approximate or precise location | city, region, GPS if enabled | device, user setting | precise location is sensitive | opt-in and mobile permission review |
| Communications | chats, emails, support tickets, call recordings if enabled | user, support tools | can be sensitive | recording consent and retention review |
| Professional, employment, or applicant data | role, employer, resume, interview notes | user, recruiter, employer | sometimes | employee/applicant notice |
| Health, wellness, biometric, or patient data | symptoms, care data, device readings, appointments, PHI/ePHI | user, covered entity, device, customer | yes | HIPAA/consumer-health review; no ad pixels by default |
| Student or education data | school IDs, classroom data, assignments | school, parent, student | often | FERPA/PPRA/customer contract review |
| Financial data | credit checks, loan, insurance, bank, tax, or customer financial records | user, customer, financial partner | often | GLBA/FCRA/PCI review |
| AI inputs and outputs | prompts, uploaded files, model outputs, feedback, embeddings, evaluations | user, product, model systems | depends on content | AI register; retention; training opt-out |
| Sensitive identifiers | government ID, SSN, passport, biometric templates | user, verification vendors | yes | strict minimization and encryption |
| Children/minors data | data from children under 13 or teens/minors | user, parent/guardian, school | yes | COPPA/state minor law review |

## 3. Purposes for collection and processing
We may use personal information to provide and secure the services, authenticate users, process transactions, provide support, communicate service updates, comply with law and contracts, prevent fraud and abuse, debug and improve the services, perform privacy/security audits, maintain records, and conduct marketing only where lawful consent, opt-out, or legitimate basis requirements are satisfied. We do not use sensitive personal information for purposes that are incompatible with the disclosed purpose without additional review and any required consent.

## 4. Cookies, SDKs, pixels, and tracking technologies
Necessary technologies may run to provide security, authentication, load balancing, fraud prevention, preference storage, and consent management. Analytics, advertising, cross-context behavioral advertising, retargeting, fingerprinting, and similar technologies must be blocked until the user has made the required choice or until another legally valid basis has been documented. Global Privacy Control or equivalent universal opt-out signals must be honored where required.

Do not deploy ad pixels, retargeting pixels, session replay, heatmaps, or third-party analytics on patient portals, appointment pages, symptom checkers, authenticated health workflows, billing pages, children-directed services, school-directed services, financial-account workflows, or sensitive-data forms without a written privacy, security, and legal assessment.

## 5. Sale, sharing, targeted advertising, and profiling
Some laws define “sale,” “share,” or “targeted advertising” broadly enough to include certain advertising, analytics, or cross-context tracking arrangements. Before publication, classify each vendor and SDK in the tracking-technology inventory. If we engage in sale/share/targeted advertising, we must provide required notices, opt-out links, and signal handling. If we do not engage in those activities, we must not include conflicting advertising code or vendor contracts.

## 6. AI, automated decision-making, and consequential decisions
AI systems, machine-learning models, rules engines, automated decision tools, and generative AI features must be listed in the AI system register. For employment, housing, lending, credit, insurance, education, healthcare, criminal justice, essential services, or other consequential decisions, complete an impact assessment, provide notices and explanations where required, support human review and appeal where required, monitor for bias and accuracy, and avoid making legal, clinical, credit, or employment determinations solely through unvalidated automation.

## 7. Health, healthcare, and consumer health data
Where we handle protected health information for or on behalf of a HIPAA covered entity or business associate, HIPAA contract terms and the Healthcare Privacy Policy control. Where health or wellness data is not HIPAA-regulated, the FTC Health Breach Notification Rule, state consumer-health-data laws, app-store rules, customer contracts, and state breach laws may still apply. Product teams must not assume “not HIPAA” means “not regulated.”

## 8. Children, teens, and students
We do not knowingly collect personal information from children under 13 without legally required parental consent. Services directed to children, school users, or minors must complete the Children Privacy Impact Assessment, COPPA review, state minor-law review, and FERPA/PPRA review where school records or school-directed services are involved.

## 9. Financial, payment, and regulated financial data
Payment-card processing should be handled by PCI-compliant processors. If we are a financial institution or service provider under GLBA, the Financial Data / GLBA Policy controls. Do not collect bank, loan, insurance, tax, credit, or consumer-report data unless the collection is explicitly approved, disclosed, protected, and supported by a retention/legal-basis entry.

## 10. Disclosure of information
We may disclose information to service providers, subprocessors, professional advisors, affiliates, corporate transaction parties, customers or account administrators, law enforcement or regulators when lawfully required, and others with user direction or consent. Contracts must require confidentiality, purpose limitation, appropriate security, deletion/return, incident notice, audit cooperation, and flow-down of special obligations for HIPAA, FERPA, GLBA, consumer health data, AI, or restricted cross-border transfers.

## 11. International, cross-border, and restricted-country transfers
International transfers require a transfer mechanism appropriate to the jurisdictions involved, such as contracts, approved frameworks, or other lawful mechanisms. Separate review is required for bulk sensitive personal data, government-related data, sensitive health, geolocation, biometric, genomic, financial, or other data that may be restricted by the U.S. Department of Justice Data Security Program or customer contract.

## 12. Retention and deletion
We retain data only for the period necessary for disclosed purposes, contract performance, legal compliance, security, fraud prevention, dispute resolution, audits, backups, and legitimate business needs. Each data category must map to the retention schedule. Backups must be protected and deleted or overwritten on a defined cycle unless a legal hold applies.

## 13. Security
We maintain administrative, technical, and physical safeguards appropriate to the nature of the data, including access controls, encryption in transit and at rest where appropriate, logging, vulnerability management, secure development, vendor review, incident response, workforce training, and change management. Public statements must not claim SOC 2, ISO, HITRUST, HIPAA compliance, FedRAMP, PCI, FDA clearance, or other certification/authorization unless evidence exists.

## 14. Privacy rights and requests
Depending on location and law, users may have rights to know/access, portability, deletion, correction, opt out of sale/share/targeted advertising, limit certain sensitive-data uses, withdraw consent, appeal a denial, avoid discrimination for exercising rights, or authorize an agent. Submit requests through **https://nexq.us/legal#privacy-requests** or **hello@nexq.us**. We verify requests proportionately, respond within legally required periods, and provide an appeal process where required.

## 15. Contact and escalation
Questions, complaints, privacy requests, security incidents, subpoenas, law-enforcement requests, and regulator inquiries must be routed immediately to **hello@nexq.us**, **hello@nexq.us**, and **hello@nexq.us**. Do not improvise legal or privacy answers in support tickets.

## 16. Pre-publication checklist
- Complete data inventory, retention schedule, subprocessor register, tracking inventory, AI register, and regulated-data questionnaires.
- Confirm actual disclosures against code, SDKs, contracts, data warehouses, mobile permissions, and app-store forms.
- Remove non-applicable regulated sections or mark them as not applicable only after counsel approval.
- Test the cookie banner, GPC recognition, opt-out links, DSAR form, deletion workflow, and unsubscribe workflow.
- Review diction for consistency: never state “we never,” “fully secure,” “HIPAA compliant,” “anonymous,” “quantum-impervious,” or “no data sharing” unless independently verified.
