Trust Center

decision-required

Privacy Readiness

Define transparent data practices, rights, retention, processing roles, and regional obligations before protected data enters SCRIMED.

OwnerPrivacy, legal, security, and product
Requirements4
Active controls0
Decisions / external2 / 2

Current posture

Public product flows prohibit PHI and minimize captured data. Final notices, processing records, retention schedules, and regional assessments remain required.

Public commitments

  • Collect only necessary business and evaluation information on public routes.
  • Reject PHI-style content from public pilot intake.
  • Keep protected data processing gated behind approved agreements and controls.

Control register

Evidence, required actions, and launch gates stay linked.

decision-required

Data inventory and processing register

Current public intake fields and prohibited PHI categories are documented.

Map every data category, source, purpose, legal basis, processor, recipient, region, retention period, and deletion path.
  • Owner: Privacy and product
  • Launch gate: Required before adding persistence, analytics, authentication, or protected integrations.
external-review-required

Privacy notices and individual rights

No final legal privacy notice is represented by the current product.

Approve audience-specific privacy notices, rights-request workflow, consent choices, and contact path.
  • Owner: Privacy counsel
  • Launch gate: Required before collecting personal information beyond limited business-contact intake.
decision-required

Retention, deletion, and data minimization

Synthetic-first design and metadata-only denied-execution boundaries reduce current exposure.

Approve retention schedules, deletion verification, backup handling, legal holds, and minimum-necessary rules.
  • Owner: Privacy, security, and engineering
  • Launch gate: Required before durable storage.
external-review-required

Regional privacy and transfer assessment

Global target regions are documented; no universal compliance claim is made.

Map applicable US state, HIPAA role, FTC, GDPR, and priority-region requirements, including cross-border transfer and localization decisions.
  • Owner: Privacy counsel and regional operations
  • Launch gate: Assessment required before entering each new region or customer data environment.

Prohibited actions

These actions remain blocked.

  • Using public-intake data for unrelated purposes without notice and approval.
  • Assuming HIPAA applicability excludes FTC or regional privacy obligations.
  • Claiming global privacy compliance without jurisdiction-specific evidence.

Authoritative references