decision-required
Privacy Readiness
Define transparent data practices, rights, retention, processing roles, and regional obligations before protected data enters SCRIMED.
Current posture
Public product flows prohibit PHI and minimize captured data. Final notices, processing records, retention schedules, and regional assessments remain required.
Public commitments
- Collect only necessary business and evaluation information on public routes.
- Reject PHI-style content from public pilot intake.
- Keep protected data processing gated behind approved agreements and controls.
Control register
Evidence, required actions, and launch gates stay linked.
decision-required
Data inventory and processing register
Current public intake fields and prohibited PHI categories are documented.
Map every data category, source, purpose, legal basis, processor, recipient, region, retention period, and deletion path.
- Owner: Privacy and product
- Launch gate: Required before adding persistence, analytics, authentication, or protected integrations.
external-review-required
Privacy notices and individual rights
No final legal privacy notice is represented by the current product.
Approve audience-specific privacy notices, rights-request workflow, consent choices, and contact path.
- Owner: Privacy counsel
- Launch gate: Required before collecting personal information beyond limited business-contact intake.
decision-required
Retention, deletion, and data minimization
Synthetic-first design and metadata-only denied-execution boundaries reduce current exposure.
Approve retention schedules, deletion verification, backup handling, legal holds, and minimum-necessary rules.
- Owner: Privacy, security, and engineering
- Launch gate: Required before durable storage.
external-review-required
Regional privacy and transfer assessment
Global target regions are documented; no universal compliance claim is made.
Map applicable US state, HIPAA role, FTC, GDPR, and priority-region requirements, including cross-border transfer and localization decisions.
- Owner: Privacy counsel and regional operations
- Launch gate: Assessment required before entering each new region or customer data environment.
Prohibited actions
These actions remain blocked.
- Using public-intake data for unrelated purposes without notice and approval.
- Assuming HIPAA applicability excludes FTC or regional privacy obligations.
- Claiming global privacy compliance without jurisdiction-specific evidence.
Authoritative references