Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.
Cookie and Tracking Technologies Policy
Template and counsel-review notice. This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.
Effective date: September 18, 2024
Last updated: September 18, 2024
Organization: NEXQ Inc.
Services covered:
NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services
Privacy contact: hello@nexq.us
Security contact: hello@nexq.us
Mailing address: Irvine, CA, United States — contact hello@nexq.us for legal notices
1. Scope
This Cookie Policy covers cookies, mobile SDKs, pixels, local storage, tags, session replay, device identifiers, software development kits, beacons, and similar technologies used on our websites, web apps, mobile apps, and embedded services.
2. Technology categories
| Category | Default status | Examples | Governance rule |
|---|---|---|---|
| Strictly necessary | May load without optional consent | security, authentication, load balancing, consent preference storage | Document vendor and purpose. |
| Functional | Load only where lawful basis and notice support it | language, region, accessibility settings | Do not collect sensitive data unless necessary. |
| Analytics | Block until consent or valid legal basis where required | aggregated usage analytics, performance monitoring | Must honor GPC/UOOM where applicable. |
| Advertising / targeted advertising | Block by default until valid consent/opt-in or lawful opt-out regime is satisfied | ad pixels, retargeting, conversion APIs | Prohibited on regulated sensitive flows without written approval. |
| Session replay / heatmaps | Treat as high risk | keystrokes, clicks, form interactions | Must mask fields, minimize capture, and complete DPIA/PIA. |
| Mobile SDKs | Treat as tracking technologies | attribution SDKs, analytics SDKs, crash logs | Must align with Apple/Google privacy disclosures. |
3. Prior opt-in gating
The provided JavaScript snippet is designed as a conservative starting point: optional analytics and advertising should not load until the user has affirmatively chosen them or until counsel documents another lawful basis. A rejected, missing, expired, or GPC opt-out state must prevent optional scripts from loading.
4. Global Privacy Control and universal opt-out mechanisms
Where legally required, browser or device-based opt-out signals must be recognized as opt-outs from sale/share/targeted advertising. Test this in staging and production using real browsers and document evidence.
5. Regulated-flow prohibition
Never place advertising pixels, retargeting tags, third-party analytics, or session replay on patient portals, hospital portals, telehealth rooms, symptom checkers, appointment pages, medication pages, lab results, insurance/payment portals, children’s services, school-directed services, or financial-account workflows until legal, privacy, security, and product owners approve a written risk assessment.
6. Records and renewal
Maintain a tracking-technology inventory with vendor, domain, script, purpose, category, data collected, recipient country, retention, consent basis, app-store label impact, and opt-out mechanism. Re-review after each new SDK, tag manager change, product launch, acquisition, or vendor contract change.