# U.S. State Privacy Addendum

> **Template and counsel-review notice.** This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.


**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Organization:** NEXQ Inc.  
**Services covered:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services  
**Privacy contact:** hello@nexq.us  
**Security contact:** hello@nexq.us  
**Mailing address:** Irvine, CA, United States — contact hello@nexq.us for legal notices


## 1. Purpose
This addendum supplements the Privacy Policy for U.S. state privacy laws. It is drafted as a conservative template for covered businesses/controllers and must be tailored by counsel for current thresholds, exemptions, effective dates, and state-specific definitions.

## 2. Covered-law operating assumption
The U.S. remains a patchwork of state privacy, health privacy, biometric, breach-notification, children/minor, consumer-protection, and sectoral laws. Before publication, determine whether the organization is covered in each state based on revenue, consumer counts, data-sale/share activity, sensitive-data processing, consumer-health-data processing, employment/applicant status, nonprofit status, GLBA/HIPAA/FERPA exemptions, and customer contracts.

## 3. Rights matrix
| Right / obligation | Implementation requirement | Audit evidence |
|---|---|---|
| Notice at collection / privacy notice | Provide categories, purposes, retention, recipients, sale/share/targeted advertising, sensitive-data use, and rights before or at collection. | Published notice, data inventory, product screenshots. |
| Access / know / portability | Provide a secure method to request a copy of personal information, subject to verification and exceptions. | DSAR tickets, identity-verification logic, response records. |
| Deletion | Delete data from active systems and instruct processors unless an exception applies. | Deletion workflow, vendor tickets, backup-cycle documentation. |
| Correction | Correct inaccurate data or explain denial. | Correction logs and appeal records. |
| Opt out of sale/share/targeted advertising/profiling | Provide link, preference center, and signal handling where required. | Consent logs, GPC/UOOM test evidence, CMP configuration. |
| Limit sensitive personal information | Limit use/disclosure to legally permitted purposes unless additional consent exists. | Sensitive-data map and access controls. |
| Appeal | Offer an appeal process where required. | Appeal queue, response templates, escalation logs. |
| Non-discrimination | Do not retaliate for rights exercise; loyalty/financial incentive programs need specific disclosures. | Training and pricing/program review. |

## 4. California-specific audit controls
For California, implement at least two designated request methods where required, honor sale/share opt-outs including browser or device signals where applicable, maintain Notice at Collection content, classify service providers/contractors/third parties, support authorized agents, and avoid dark patterns. Businesses subject to California rules on risk assessments, annual cybersecurity audits, and automated decision-making technology must maintain the relevant assessments and governance records on the applicable effective schedules.

## 5. Universal opt-out mechanisms and GPC
If we sell/share personal information or process personal information for targeted advertising, we must honor required universal opt-out mechanisms in applicable states. The Global Privacy Control signal must be detected and applied before any nonessential sale/share/targeted-advertising technology fires in jurisdictions that require such recognition.

## 6. Sensitive-data and minors controls
Sensitive data may include precise geolocation, racial/ethnic origin, religious beliefs, health diagnosis, sex life/sexual orientation, citizenship/immigration status, biometric/genetic data, children’s data, account login credentials, and other categories depending on state law. Require opt-in, consent, or limitation controls where required. Minors and teens require special treatment for targeted advertising, profiling, and sale/share.

## 7. Automated decision-making and profiling
Automated decision-making in consequential areas must be assessed before launch. At a minimum, maintain purpose, data categories, model/tool provider, human review path, opt-out or appeal obligations, testing for unfair or discriminatory outcomes, and notices. Colorado’s 2026 ADMT legislation and California’s 2025 rulemaking should be reviewed before any consequential-decision workflow is deployed.

## 8. State breach laws
Privacy rights notices do not replace breach notification obligations. The incident team must assess state breach laws, definitions of personal information, encrypted-data safe harbors, regulator/consumer/credit bureau notice thresholds, consumer health data rules, biometrics laws, HIPAA, GLBA, FERPA, and contract obligations.

## 9. Do-not-publish warnings
Do not state “we do not sell or share personal information,” “we do not use targeted advertising,” or “we honor all opt-outs” unless confirmed through technical tests, vendor contracts, SDK inventory, data warehouse queries, and CMP logs.
