# Third-Party SDK and Tracking Policy

> **Template and counsel-review notice.** This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.


**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Organization:** NEXQ Inc.  
**Services covered:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services  
**Privacy contact:** hello@nexq.us  
**Security contact:** hello@nexq.us  
**Mailing address:** Irvine, CA, United States — contact hello@nexq.us for legal notices


## 1. Scope
This policy governs vendors, SDKs, tags, pixels, APIs, data brokers, analytics platforms, ad networks, attribution providers, crash reporters, session replay, tag managers, and embedded scripts.

## 2. Approval gate
No third-party code may be added to websites, apps, mobile apps, tag managers, or server-side events until privacy, security, and procurement approvals are recorded in the tracking-technology inventory and vendor-risk file.

## 3. Required review fields
Vendor name, script/package name, version, domain, data collected, purpose, destination country, retention, downstream recipients, sale/share/targeted-advertising classification, sensitive-data exposure, app-store label impact, contractual role, security evidence, deletion capability, and incident-notice terms.

## 4. Runtime controls
Use consent gating, content security policy, subresource integrity where practical, tag-manager approvals, environment separation, script allowlists, version pinning, dependency scanning, and regular code scans. Remove unknown or orphaned tags immediately.

## 5. High-risk restrictions
Advertising, retargeting, data matching, session replay, heatmaps, and conversion APIs are prohibited in regulated sensitive workflows unless approved in writing after a documented risk assessment.
