Contract effective date: September 18, 2024. Runtime consent, request, security, audit, and deployment timestamps remain factual records.
Global Web and Mobile App Privacy Addendum
Effective date: September 18, 2024
Applies to: websites, web apps, APIs, mobile apps, SDKs, AI features, quantum-enabled security features, and developer integrations operated by NEXQ.
Purpose
This addendum supplements the Global Privacy Policy for products distributed globally through websites, mobile app stores, enterprise distribution, sideloaded builds, embedded SDKs and API integrations. It is designed for global launch readiness and must be customized to actual data flows.
Required disclosures
The product privacy notice must accurately disclose:
- categories of personal data, sensitive data, device data, usage data, location data, health/wellness data, biometric data, children data and AI input/output data collected;
- sources of data, including user entry, device permissions, cookies, pixels, SDKs, APIs, sensors, partners and public sources;
- purposes of processing, including account creation, security, analytics, personalization, advertising, AI inference, training/fine-tuning, support, payments, legal compliance and fraud prevention;
- categories of recipients, including cloud providers, analytics providers, ad networks, payment processors, AI providers, health/clinical partners, subprocessors and app-store operators;
- retention periods or criteria;
- country-specific rights and appeal mechanisms;
- cross-border transfer mechanisms and storage/support locations;
- how to withdraw consent, opt out, delete accounts and contact privacy support.
In-app and pre-permission notices
For mobile apps, display contextual notice before requesting access to camera, microphone, contacts, photos, precise location, health, biometric, Bluetooth, local network, advertising ID, clipboard, notifications, background activity or other sensitive permissions. The notice must state why the permission is needed and whether data leaves the device.
Store disclosure consistency
The published policy, Apple App Privacy Details, Google Data Safety, Samsung/Huawei/Amazon/Microsoft forms, SDK privacy manifests and actual code behavior must be reconciled before each release. A mismatch is a release blocker.
AI and third-party model use
Do not send user content, personal data, sensitive data or regulated data to an AI provider unless the transfer is disclosed, legally justified, contractually protected, reflected in app-store disclosures and enabled only after consent or another lawful mechanism where required.
Quantum and cryptographic claims
The company must not claim that an app is “quantum-proof,” “unbreakable,” or “fully quantum secure” unless the claim is substantiated by security leadership and counsel. Quantum readiness means cryptographic inventory, crypto agility, migration planning and standards-based implementation.
Required operations
- Maintain a data inventory and SDK inventory.
- Keep a rights-request workflow for access, correction, deletion, portability, opt-outs and appeals.
- Honor legally required browser/app privacy signals and platform privacy settings.
- Perform DPIAs, AI risk assessments, transfer assessments and child/health/financial reviews where applicable.
- Maintain incident response and breach notification runbooks.
- Review this addendum before each major release, new SDK, new AI provider, new country, or new app store.