Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.
Data Collection, Minimization, and Retention Policy
Customization required. This template is provided for policy operations and counsel review. Replace every
NEXQ-reviewed value, verify every factual statement, and confirm applicability before publication. The template is not legal advice and does not create an attorney-client relationship.
Effective date: September 18, 2024
Last updated: September 18, 2024
Owner: NEXQ privacy, security, and legal operations
Applies to: NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services
This internal/public policy sets collection limits for websites, web apps, mobile apps, APIs, healthtech workflows, AI features, analytics, marketing, and customer integrations.
1. Collection principles
We collect personal information only when it is necessary, proportionate, disclosed, lawful, secure, and mapped to a documented purpose. New data collection must be approved before launch through the Data Intake Review.
2. Required intake review
Before collecting a new data element, product, engineering, marketing, security, legal, and privacy teams must document:
- data element and category;
- source and collection point;
- purpose and legal basis;
- whether it is sensitive, health, biometric, children’s, location, financial, education, employment, or regulated data;
- retention period;
- vendors and cross-border transfers;
- user notice and choice;
- security controls;
- deletion and export method;
- whether AI training, analytics, advertising, profiling, or automated decisions are involved.
3. Prohibited or restricted collection
Do not collect passwords in plaintext, government IDs, precise location, biometric identifiers, children’s data, PHI, reproductive or sexual health data, genetic data, financial account data, or highly sensitive files unless legal, product, security, and privacy approve the use case and controls.
4. Web and app telemetry
Logs, SDKs, cookies, crash reports, diagnostics, and analytics must be reviewed before deployment. Telemetry must avoid collecting content fields, health data, payment data, secrets, tokens, and full URLs containing identifiers unless approved and redacted.
5. Mobile permissions
Mobile apps must request the least invasive permission at the time needed, explain why the permission is needed, and degrade gracefully if permission is denied when possible.
6. Retention and deletion
Every data set must have a retention period. Default retention should be the shortest period that supports the purpose. Backups may retain deleted data temporarily, but restore procedures must avoid resurrecting deleted user data into production except for disaster recovery.
7. Data quality and correction
Systems that store account, billing, health, safety, or automated decision data must maintain reasonable correction procedures. Derived inferences must be labeled as inferences and should not be treated as verified facts unless validated.
8. Vendor and subprocessor collection
Vendors may collect or process data only under written agreement, documented instructions, security controls, and privacy review. Vendor SDKs must be inventoried and re-reviewed when SDK versions or vendor data practices change.
9. Data inventory
Maintain a data inventory using
/compliance/data-inventory-template.csv. Review quarterly
for high-risk services and annually for all services.