Contract effective date: September 18, 2024. Runtime consent, request, security, audit, and deployment timestamps remain factual records.
Global Jurisdiction Launch Policy
Purpose
This policy governs launch of websites, web apps and mobile apps into any of the 195 countries covered by the country matrix and additional marketplace jurisdictions.
Launch tiers
- Tier 1 — low-risk public information site: no account, no analytics except strictly necessary logs, no ads, no children/health/AI decisions. Requires baseline policy and security review.
- Tier 2 — standard consumer app: account, analytics, support, payments or push notifications. Requires data inventory, store-disclosure mapping, rights workflow, cookie/SDK gating and local-country review.
- Tier 3 — sensitive app: health, biometrics, children, precise location, finance, employment, education, government ID, AI profiling or regulated sector. Requires DPIA/PIA, counsel review, vendor contracts and enhanced security.
- Tier 4 — high-risk AI/health/quantum/critical app: medical/clinical, hospital, insurance/credit/employment/education decisions, biometric identification, public-sector, critical infrastructure, long-lived sensitive data or quantum cryptography claims. Requires executive risk acceptance and jurisdiction-specific legal memo.
Country launch checklist
- Confirm country and language availability in each target app store.
- Confirm applicable privacy, consumer, e-commerce, cybercrime, telecom, marketing, tax, sanctions/export, health, financial, children and AI rules.
- Confirm data residency/localization and cross-border transfer requirements.
- Confirm app content rating, prohibited content, payment/IAP and local support requirements.
- Confirm whether local representative, DPO, regulator registration, data protection officer, data protection impact assessment or children-specific process is required.
- Complete launch evidence package and approvals.
Default rule
If a requirement is unclear, the product must default to privacy-protective operation: collect less data, disable non-essential tracking, avoid sensitive data, restrict AI training use, localize notices and seek local counsel before launch.