Policy Owner: General Counsel (Privacy Officer)
Effective Date: June 13, 2026
Reviewed: Annually and as new state laws take effect
Frameworks: CCPA/CPRA; VCDPA, CPA, CTDPA, TDPSA, OCPA, MCDPA, ICDPA, and analogous state laws
Effective Date: June 13, 2026
Reviewed: Annually and as new state laws take effect
Frameworks: CCPA/CPRA; VCDPA, CPA, CTDPA, TDPSA, OCPA, MCDPA, ICDPA, and analogous state laws
Purpose & scope
State Neuroscale’s commitments under US state privacy law and index the controls that implement them. Applies to personal information of residents of states with comprehensive privacy laws, currently including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, Indiana, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, and Rhode Island (the set grows as laws take effect — maintained in the Legal & Regulatory Register).Commitments
- Notice at collection & privacy policy — categories collected, purposes, per-category retention, and rights, in the Privacy Notice.
- Consumer rights — access/know, delete, correct, portability, and (where applicable) opt-out of sale/share/targeted advertising and profiling/ADMT, and appeal, fulfilled through the Data Subject Rights Procedure on the per-state deadline/appeal matrix.
- No sale/share without opt-out — Neuroscale does not sell or share personal information for cross-context behavioral advertising; opt-out mechanisms (Do-Not-Sell/Share link, GPC) are honored. See the Cookie Notice.
- Sensitive personal information — limited use; the “Limit the Use of My Sensitive Personal Information” right is offered where applicable.
- Non-discrimination for exercising rights.
- Universal opt-out — Global Privacy Control honored.
- Employment context — California applicant/employee disclosures in the California Applicant & Personnel Notice; ADMT opt-out (CPPA regs, effective Jan 1, 2027) per the DSR Procedure.
Control framework
| Requirement | Implemented by |
|---|---|
| Notice at collection / privacy policy | Privacy Notice |
| Rights intake, verification, fulfillment, appeal | Data Subject Rights Procedure |
| Opt-out of sale/share/targeted ads + GPC | Cookie Notice; site opt-out controls |
| Profiling / ADMT opt-out | DSR → Profiling/ADMT opt-out |
| Data inventory & retention | RoPA; Records Retention Schedule |
| Processor/contractor terms | DPA Template |
| Security safeguards | Information Security Policy |
Governance
Obligations are tracked in the Legal & Regulatory Register and reviewed at the ISMS Management Review; new state laws are added on enactment. Nonconformities are handled via Corrective Action.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial version. | Cameron Wolfe | Ishan Jadhwani |