← Back to NEXQ Legal Center

Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.

Data Collection, Minimization, and Retention Policy

Customization required. This template is provided for policy operations and counsel review. Replace every NEXQ-reviewed value, verify every factual statement, and confirm applicability before publication. The template is not legal advice and does not create an attorney-client relationship.

Effective date: September 18, 2024
Last updated: September 18, 2024
Owner: NEXQ privacy, security, and legal operations
Applies to: NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services

This internal/public policy sets collection limits for websites, web apps, mobile apps, APIs, healthtech workflows, AI features, analytics, marketing, and customer integrations.

1. Collection principles

We collect personal information only when it is necessary, proportionate, disclosed, lawful, secure, and mapped to a documented purpose. New data collection must be approved before launch through the Data Intake Review.

2. Required intake review

Before collecting a new data element, product, engineering, marketing, security, legal, and privacy teams must document:

3. Prohibited or restricted collection

Do not collect passwords in plaintext, government IDs, precise location, biometric identifiers, children’s data, PHI, reproductive or sexual health data, genetic data, financial account data, or highly sensitive files unless legal, product, security, and privacy approve the use case and controls.

4. Web and app telemetry

Logs, SDKs, cookies, crash reports, diagnostics, and analytics must be reviewed before deployment. Telemetry must avoid collecting content fields, health data, payment data, secrets, tokens, and full URLs containing identifiers unless approved and redacted.

5. Mobile permissions

Mobile apps must request the least invasive permission at the time needed, explain why the permission is needed, and degrade gracefully if permission is denied when possible.

6. Retention and deletion

Every data set must have a retention period. Default retention should be the shortest period that supports the purpose. Backups may retain deleted data temporarily, but restore procedures must avoid resurrecting deleted user data into production except for disaster recovery.

7. Data quality and correction

Systems that store account, billing, health, safety, or automated decision data must maintain reasonable correction procedures. Derived inferences must be labeled as inferences and should not be treated as verified facts unless validated.

8. Vendor and subprocessor collection

Vendors may collect or process data only under written agreement, documented instructions, security controls, and privacy review. Vendor SDKs must be inventoried and re-reviewed when SDK versions or vendor data practices change.

9. Data inventory

Maintain a data inventory using /compliance/data-inventory-template.csv. Review quarterly for high-risk services and annually for all services.