DEAready Privacy Policy
Effective as of acceptance. This Privacy Policy ("Policy") becomes effective with respect to a customer as of the date that customer accepts it, recorded against the customer's organization. The current version is identified by its Version / Last Updated date: June 10, 2026.
This Policy describes how DEAready LLC, a Missouri limited liability company with its principal place of business at 210 W Oklahoma St, Branson, MO 65616, doing business as "DEAready" ("DEAready," "we," "us," or "our"), the operator of the websites and applications located at deaready.com and app.deaready.com (collectively, the "Service"), collects, uses, discloses, and protects information.
This Policy is incorporated into, and forms part of, the DEAready Terms of Service. For Protected Health Information ("PHI") that we process on behalf of our customers, the Business Associate Agreement ("BAA") between DEAready and the customer, together with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160 and 164) ("HIPAA"), govern and control over this Policy to the extent of any conflict. This Policy governs DEAready's general data practices and the non-PHI information described below.
Precedence. Across the DEAready legal documents: the BAA controls for all matters concerning PHI; this Privacy Policy controls for descriptions of data collection, use, and Subprocessors; and the Terms of Service govern the commercial relationship.
1. Scope, HIPAA Framing, and Roles
This Section is the foundational, load-bearing provision of this Policy. Read it first; every other Section depends on it.
1.1 Two Categories of Data, Two Legal Regimes
The Service handles two distinct categories of information, each governed by a different legal regime:
(a) Protected Health Information (PHI). Controlled-substance logbook entries that may include patient identifiers. DEAready processes PHI solely as a HIPAA Business Associate on behalf of its customer practices, which are the Covered Entities under HIPAA. PHI is governed by HIPAA and the applicable BAA — not by this Policy. Where this Policy describes PHI, it does so only for transparency; the legally binding terms for PHI are in the BAA and HIPAA.
(b) Non-PHI Account and Website Data. Information about the customer practice, its administrative and staff users, prospective customers, and visitors to the Service. This Policy governs category (b) and DEAready's general data practices.
1.2 Roles
- The customer practice is the Covered Entity and the owner of the PHI it submits to the Service.
- DEAready is the Business Associate. DEAready creates, receives, maintains, and transmits PHI only as permitted by the BAA and HIPAA (45 C.F.R. Parts 160 and 164), only as directed by the customer, or as required by law.
- DEAready uses and discloses PHI in accordance with 45 C.F.R. § 164.504(e) and the BAA, and not otherwise.
1.3 Patient Rights Run Through the Covered Entity
DEAready has no direct relationship with the patients whose information may appear in a customer's records. Any patient (or patient's representative) seeking to access, amend, restrict, or obtain an accounting of disclosures of their health information must contact their healthcare provider — the customer practice — which is the Covered Entity that holds the legal relationship and obligation under HIPAA (45 C.F.R. §§ 164.524, 164.526, 164.528, 164.522). As a Business Associate, DEAready will support the practice in fulfilling such requests as the BAA provides, but DEAready does not respond to patient requests directly and has no independent obligation or ability to do so.
1.4 Who This Policy Is For
This Policy is written for, and addressed to, the account-holders, practice administrators, practitioners, staff users, prospective customers, and website visitors who interact with the Service. It is not a notice of privacy practices to patients; patients should refer to the notice of privacy practices provided by their healthcare provider.
2. Information We Collect
We collect the following categories of information. For each, we identify the data elements, the source, and whether the category is or may be PHI.
2.1 Account and Organization Data (Non-PHI)
Organization name, business type (e.g., dental, medical, sedation/surgery, veterinary, pharmacy), practice phone number and address, subscription plan/tier, and location records; and, for each user, full name, work email address, role, and — for practitioner users — DEA registration number, DEA registration expiration date, license identifier, and National Provider Identifier ("NPI"). Source: entered by the account-holder during sign-up and configuration. Note: practitioner DEA registration numbers and NPIs are professional-registration identifiers (business-credential data, not patient PHI); they are encrypted at rest as described in Section 6.
2.2 Authentication and Access Data
A unique Cognito subject identifier, authentication credentials managed by Amazon Cognito (DEAready never stores raw passwords), multi-factor authentication ("MFA") enrollment status, last-login timestamp, and a hashed witness verification PIN (one-way hashed; DEAready cannot recover the plaintext PIN). Source: Amazon Cognito, our authentication subprocessor, and the user. MFA is required for all users (see Section 6).
2.3 Controlled-Substance Logbook and Audit Trail (Core Service Data; May Contain PHI)
Drug catalog entries; container and inventory records; transactions (receive, dispense, administer, waste, dispose, transfer in/out, adjustment, inventory count, void, correction, and theft/loss); counterparty and supplier data; prescriber name and DEA number; reference numbers (e.g., prescription, invoice, or DEA Form 222 numbers); witness attestations; and the tamper-evident audit log (recording who performed an action, what was done, when, and the originating IP address and browser user-agent). Some of these records contain PHI, as described in Section 2.4. Source: entered by practice staff in the ordinary course of recordkeeping under 21 C.F.R. Parts 1304 and 1311.
2.4 Patient Identifiers (PHI — Processed Only as Business Associate)
Depending on the customer's configured minimum-necessary setting (full name; initials plus date of birth; or chart identifier — default: initials plus date of birth), records may include a patient's first and last name, date of birth, address (street, city, state, ZIP), and/or a chart identifier. For veterinary customers, records may include an animal description (the animal is not a human data subject; the animal owner's identity, if recorded, may be personal information). The customer practice controls which identifiers are collected and applies the HIPAA minimum-necessary standard (45 C.F.R. § 164.502(b)); DEAready provides the configuration mechanism but does not decide on the practice's behalf. This data is collected and used only to maintain the customer's controlled-substance records and is governed by the BAA. Patient address fields are entered in plain form fields and are not sent to any address-autocomplete provider (see Section 2.8).
2.5 Billing Data
Subscription plan, subscription status, and Stripe customer and subscription identifiers. Payment card information is collected and processed directly by Stripe and is not stored by DEAready. No PHI is transmitted to Stripe; billing metadata sent to Stripe is limited to organization-level identifiers and excludes patient information. Source: the account-holder, via Stripe's checkout.
2.6 Website, Usage, and Device Data
Pages visited, features used, IP address, browser/device type and user-agent, timestamps, and cookies (see Section 8). Source: collected automatically when you use the Service.
2.7 Error and Performance Monitoring (Sentry)
When an application error occurs, limited diagnostic data may be transmitted to Sentry, our error-monitoring provider. Before any event leaves our servers, a server-side beforeSend redaction step strips tokens, cookies, authorization headers, PINs, secrets, and personally identifiable information. DEAready does not intentionally transmit PHI to Sentry and configures the integration to exclude it. Source: collected automatically on application error.
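One way to implement the beforeSend scrub this Section describes, written here as an added illustration and not DEAready's own code. It assumes the Sentry Node SDK's beforeSend(event, hint) contract (return the event to send, or null to drop it); the header list, key names such as witnessPin, and the value patterns are assumptions chosen for the example, not DEAready's schema or configuration.

```javascript
// Added example, not DEAready's code: a Sentry-style beforeSend hook that
// redacts credentials and PII from an event before it leaves the server.
// Assumes the Sentry Node SDK contract (beforeSend(event, hint) returns the
// event to send, or null to drop it). Field names such as witnessPin and
// patientName are illustrative, not DEAready's schema.

// Request headers that carry credentials and are dropped outright.
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'set-cookie', 'x-api-key']);
// Keys whose values are replaced wherever they occur in the event (case-insensitive).
const SENSITIVE_KEYS = /^(password|pin|witness_?pin|token|secret|access_?token|refresh_?token|patient_?name|dob|date_?of_?birth|ssn)$/i;
// Value shapes that are credentials or identifiers even under an innocuous key.
const VALUE_PATTERNS = [
  /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/g,                    // bearer tokens
  /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, // JSON Web Tokens
  /\b[A-Z]{2}\d{7}\b/g,                                   // DEA registration number shape (2 letters, 7 digits)
];
const REDACTED = '[redacted]';

function scrubString(s) {
  return VALUE_PATTERNS.reduce((acc, re) => acc.replace(re, REDACTED), s);
}

// Walk the event and return a redacted deep copy; the original object is left untouched.
function scrub(node, depth = 0) {
  if (typeof node === 'string') return scrubString(node);
  if (node === null || typeof node !== 'object' || depth > 20) return node;
  if (Array.isArray(node)) return node.map((x) => scrub(x, depth + 1));
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    out[key] = SENSITIVE_KEYS.test(key) ? REDACTED : scrub(value, depth + 1);
  }
  return out;
}

function beforeSend(event /* , hint */) {
  const e = scrub(event);
  if (e.request) {
    // Credential headers are removed rather than redacted; their presence is not useful diagnostics.
    for (const h of Object.keys(e.request.headers || {})) {
      if (SENSITIVE_HEADERS.has(h.toLowerCase())) delete e.request.headers[h];
    }
    delete e.request.cookies;
  }
  // Keep only the opaque subject identifier; never ship email or username.
  if (e.user) e.user = { id: e.user.id };
  return e;
}
// Wiring (not executed here): Sentry.init({ dsn, beforeSend });

// Constructed sample event, not a real capture.
const sampleEvent = {
  message: 'Witness verification failed',
  request: {
    url: 'https://app.example.test/api/witness',
    headers: { Authorization: 'Bearer eyJabc.def.ghi', 'content-type': 'application/json' },
    cookies: { session: 'abc123' },
    data: { witnessPin: '1234', drugId: 'd-1', note: 'called prescriber, DEA AB1234563' },
  },
  user: { id: 'cognito-sub-1', email: 'nurse@example.test' },
  extra: { tokens: ['eyJa.b.c'], nested: { password: 'hunter2' } },
};
```

Key-name matching alone is not enough, which is why the value patterns exist: a token pasted into a free-text note, or a DEA number in an error message, would otherwise pass through under a harmless key. The hook also scrubs a copy rather than the live event, so a failure inside it cannot leave the original half-redacted.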
2.8 Address Autocomplete (Google Maps Platform)
When a user types an organization, location, or supplier/counterparty address into the address-autocomplete-enabled fields, that feature loads Google Maps Platform (Places) in the user's browser, which transmits the typed address fragments to Google in order to return suggestions. This is a third-party feature governed by Google's own privacy terms and is not covered by a HIPAA Business Associate Agreement. Address autocomplete runs only on non-PHI organization, location, and supplier/counterparty address fields. Patient address fields do not use this feature; patient addresses are entered in plain form fields and are not transmitted to Google. Source: the address text a user types into a non-patient address field.
2.9 Communications and Email
Email that DEAready sends (verification messages, alerts, billing notices, support replies, and other transactional notices) is delivered via Amazon Simple Email Service ("SES"). We also receive and retain inbound support emails and their contents. Source: Amazon SES and our support inbox.
3. Subprocessors and Service Providers
DEAready uses the following subprocessors to operate the Service. For each, we identify its function, the data exposed to it, and its PHI/BAA coverage status. All listed subprocessors process data within the United States.
| Subprocessor | Function | Data Exposed | BAA / PHI Status |
|---|---|---|---|
| Amazon Web Services (AWS) — Amazon RDS (PostgreSQL database), Amazon S3 (audit/Merkle archive with Object Lock), AWS KMS (encryption key management), Amazon SES (transactional email), Amazon Cognito (authentication + MFA), and AWS ECS Fargate (application hosting/compute) | Hosting, database, write-once archive, encryption-key management, authentication, transactional email | All application data, including PHI (encrypted) | Covered by the AWS HIPAA Business Associate Addendum; PHI-covered. U.S. region (us-east-1). |
| Stripe | Payments and billing | Billing contact, card data (held by Stripe), subscription identifiers | No PHI. Not a PHI subprocessor; PHI is never transmitted to Stripe. |
| Sentry | Application error monitoring | Redacted diagnostics; possibly IP address | PII/PHI scrubbed by configuration (beforeSend); PHI not intentionally transmitted. See "Owner Must Confirm" regarding any data-processing terms. |
| Google Maps Platform (Places) | Address autocomplete for organization, location, and supplier/counterparty addresses only | Typed non-patient address fragments | Not BAA-covered. Scoped to non-PHI address fields only; patient addresses are not sent to Google (Section 2.8). |
DEAready does not permit subprocessors to use customer data for their own purposes. Each subprocessor that creates, receives, maintains, or transmits PHI on DEAready's behalf is bound by a Business Associate Agreement or Addendum, consistent with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.504(e)(2)(i). DEAready maintains a current list of subprocessors and will provide notice to account-holders of material changes to its PHI subprocessors, consistent with the BAA's subcontractor provisions.
4. How We Use Information
4.1 Permitted Uses
We use the information described above to:
- provide, operate, secure, and maintain the Service, including controlled-substance recordkeeping, inspection packs, PMP/ASAP exports, and the audit trail;
- authenticate users and enforce role-based access controls;
- generate the records, exports, and inspection-ready outputs that the customer requests;
- provide customer support and troubleshooting;
- manage billing and subscriptions;
- provide security, fraud prevention, integrity and abuse monitoring, and audit functions;
- monitor product reliability through error monitoring (Sentry, scrubbed as described in Section 2.7);
- comply with legal obligations and respond to lawful requests; and
- send service-related and transactional communications.
For PHI, our uses are limited to those the BAA permits — namely, performing the controlled-substance recordkeeping service for the customer, and the management, administration, and legal-responsibility uses the BAA expressly authorizes — and nothing more.
4.2 What We Never Do
We state the following commitments explicitly and without qualification:
- We do not sell personal information or PHI.
- We do not use PHI or personal information for advertising, behavioral targeting, or cross-context behavioral advertising.
- We do not use PHI for marketing. Any marketing communications are sent only to account-holders and business contacts, concern the DEAready Service, and never use patient PHI.
- We do not use customer data or PHI to train artificial-intelligence or machine-learning models. (The Service has no AI/ML features as of acceptance; this commitment is intended to survive future product changes — see Section 14.)
- We do not disclose PHI except as the BAA, the customer's instructions, or applicable law permits.
These commitments reflect DEAready's legal posture as a Business Associate: the HIPAA Privacy Rule prohibits the use or disclosure of PHI for marketing or sale absent valid individual authorization (45 C.F.R. §§ 164.508(a)(3)–(4), 164.501, 164.502(a)(5)), and a Business Associate cannot do with PHI what the Covered Entity itself could not.
5. How We Disclose Information
We disclose information only through the following limited channels:
- To the customer (Covered Entity) and its authorized users, who receive their own organization's data, isolated from all other organizations by tenant separation (Section 6);
- To subprocessors identified in Section 3, bound by contract and, where applicable, by a BAA or Addendum;
- As required by law or in response to valid legal process (such as a subpoena, court order, or a DEA or state inspection demand directed at DEAready) — and, where lawful and feasible, we will notify the affected customer practice before disclosing, because the practice (not DEAready) is the record custodian for inspection purposes;
- In a business transfer (such as a merger, acquisition, financing, or sale of assets), subject to the same confidentiality and BAA obligations, with PHI and personal information remaining protected by this Policy and the BAA and any successor handling PHI itself becoming bound; and
- With the customer's direction or consent.
DEAready does not disclose PHI to any party except as the BAA and HIPAA allow.
6. Data Security Safeguards
DEAready maintains administrative, physical, and technical safeguards designed to meet the HIPAA Security Rule (45 C.F.R. §§ 164.308, 164.310, 164.312). These include:
- Encryption in transit and at rest. All connections to the Service use TLS 1.2 or higher. Customer data is encrypted at rest at the database layer (Amazon RDS encryption with keys managed in AWS KMS). DEAready additionally applies application-layer field-level encryption (AES-256-GCM) to an enumerated set of sensitive identifiers: patient name, date of birth, and address (street, city, state, ZIP) on transactions; the DEA registration number; user DEA number and NPI; registrant business EIN; and stored credential numbers. The field-encryption backfill has been run, so these fields are encrypted in existing records as well as in new writes. Encryption keys are managed through AWS KMS, and the write-once audit archive is encrypted. (Note: field-level encryption applies only to the enumerated identifiers above; other PHI is protected by transport and database-layer encryption and the other safeguards in this Section.)
- Access control and role-based permissions. The Service enforces least-privilege, role-based access through the product's roles: Owner, Admin, Staff, Witness-Only, and Read-Only.
- Multi-factor authentication. MFA is required for all users, enforced at sign-in through the Amazon Cognito user pool (TOTP).
- Tenant isolation. PostgreSQL row-level security enforces per-organization isolation so that one practice can never access another practice's data.
- Tamper-evident audit trail. The transaction ledger and audit log are append-only — database controls reject updates and deletions, and corrections are recorded as explicit linked void-and-correction entries. The audit log is hash-chained, and a daily Merkle root is written to AWS S3 Object Lock in write-once-read-many ("WORM") COMPLIANCE mode with a multi-year retention period.
- Monitoring and incident response. We maintain security monitoring and follow the breach-notification commitments in Section 10.
No method of transmission over the Internet or method of electronic storage is completely secure. While we use commercially reasonable measures designed to protect information, we cannot guarantee absolute security.
7. Data Retention, the Immutable Ledger, and Deletion
7.1 Retention Periods
- Controlled-substance records and the audit trail are retained for at least the period required by law. DEAready's default retention period is seven (7) years, and the daily Merkle roots are protected by a seven-year COMPLIANCE-mode S3 Object Lock. This default meets the DEA's two-year federal recordkeeping floor (21 C.F.R. § 1304.04) and the longer requirements of various states (several states, including Arkansas, require approximately five years). The customer's retention configuration operates within these legal floors, and DEAready will not delete records the customer is legally obligated to retain.
- Account and billing data is retained for the life of the account plus a reasonable period thereafter for legal, tax, and audit purposes.
7.2 The Immutable Ledger (Stated Prominently)
The controlled-substance logbook and the audit log are append-only and tamper-evident by design. Entries cannot be edited or erased; an error is remediated by a linked void-and-correction entry that leaves the original record intact. The daily Merkle-root archive in WORM storage cannot be deleted by anyone, including DEAready, for the duration of the Object Lock retention period. Accordingly, deletion requests cannot remove records that controlled-substance recordkeeping law requires DEAready and the practice to retain in immutable form.
7.3 Deletion and Destruction Subject to Retention Law
On valid customer instruction, or on termination of the account as provided in the BAA, DEAready will return or destroy PHI to the extent feasible. Because the records reside in an append-only, hash-chained, Object-Locked ledger, "return or destruction" at the end of the retention period is accomplished by de-identification and/or by expiry of the Object-Lock retention period — not by per-customer cryptographic key destruction (there is a single shared field-encryption key, and per-customer crypto-shredding is not available). Where return or destruction is not feasible — for example, because records reside in the WORM archive or are subject to a legal hold or a statutory retention mandate — DEAready will extend the protections of the BAA to that information and limit further use and disclosure of it for as long as it is retained, consistent with 45 C.F.R. § 164.504(e)(2)(ii)(J).
7.4 Export and Portability
During the subscription term, the customer may export its own records at any time as a complete, portable ZIP archive. The export contains: transactions.csv (the full ledger), containers.csv, drugs.csv, locations.csv (including DEA registration and expiry), inventory-events.csv, audit-log.csv (the full chain with hashes), merkle-roots.json (the daily Merkle roots and their S3 keys), and chain-verification.json (a chain-verification result computed at export time). The export supports data portability and the customer's independent retention obligations. (The rendered Inspection Pack PDF is not part of this export; the Inspection Pack is generated separately, on demand, under Reports.) The export function is currently available to the Owner role.
After termination, the customer may export its records for thirty (30) days; thereafter the records are retained under the retention and Object-Lock period above and are no longer interactively accessible.
8. Cookies and Tracking Technologies
The Service uses only first-party, strictly necessary cookies: a session/authentication cookie (used by NextAuth to keep you signed in) and a user-interface preference cookie (deaready_active_location). The Service uses no third-party advertising cookies, no advertising pixels, no cross-site tracking, and no third-party analytics software-development kits (such as Google Analytics, Mixpanel, or similar). The only third-party browser script used by the Service is Google Maps Platform, for address autocomplete on non-patient address fields (Section 2.8).
Because these cookies are strictly necessary to operate the Service and DEAready does not engage in advertising or cross-context behavioral sharing, no cookie-consent banner is required under current United States frameworks. If non-essential cookies or analytics are ever introduced, this Section and the applicable consent mechanics will be updated. You can control or delete cookies through your browser settings; disabling strictly necessary cookies may prevent the Service from functioning.
9. Your Privacy Rights and Applicable U.S. State Laws
9.1 PHI — Rights Run Through the Practice
As stated in Section 1, individuals exercise their HIPAA rights, including access, amendment, accounting of disclosures, and restriction (45 C.F.R. §§ 164.522, 164.524, 164.526, 164.528), through their healthcare provider, the Covered Entity. DEAready supports the practice in fulfilling these requests as the BAA provides and does not act on patient requests directly.
9.2 State Comprehensive Privacy Laws — What Applies and What Is Exempt
We state the legal position plainly:
- PHI processed under HIPAA and the BAA is exempt from U.S. state comprehensive consumer-privacy laws. Such laws generally exempt either HIPAA covered entities and business associates as entities, or PHI as a category of data, or both. PHI is therefore governed by HIPAA and the BAA, not by general U.S. consumer-privacy statutes.
- Non-PHI account and website data. The only residual category that could trigger a state-law right is non-PHI personal data about individual account-holders, practice staff, or website visitors who are residents of a state with a comprehensive privacy law — and only where DEAready meets that state's applicability thresholds, which most business-to-business software of DEAready's scale will not initially meet.
- What we honor. For non-PHI account and website data, DEAready honors reasonable access, correction, and deletion requests, and will comply with any U.S. state comprehensive privacy law that applies to such non-exempt data, honoring the rights that law grants where DEAready is subject to it.
DEAready does not represent that it is subject to, or "complies with," any particular state law as to data to which that law does not apply.
9.3 Rights We Offer (Where a Law Applies)
For non-PHI personal information, and to the extent a law applies, you may request to: access or know what personal information we hold about you; correct inaccurate personal information; delete your personal information (subject to the retention limits in Section 7); and obtain a portable copy of your personal information. Because DEAready does not sell personal information or share it for targeted or cross-context behavioral advertising, the corresponding opt-out rights are inapplicable in practice. To make a request, contact us at support@deaready.com. We will verify your identity before acting on a request, respond within the timeframe required by applicable law (and in any event without undue delay), and not discriminate against you for exercising your rights. You may appeal a denied request by replying to our response, and we will inform you of any further appeal mechanism available under applicable law.
10. Breach Notification
As a Business Associate, upon discovery of a breach of unsecured PHI, DEAready will notify the affected customer (the Covered Entity) without unreasonable delay and in no case later than sixty (60) calendar days after discovery, providing the information the practice reasonably needs to meet its own notification obligations to individuals, the U.S. Department of Health and Human Services, and (where applicable) the media. The customer practice is responsible for notifying affected individuals under 45 C.F.R. § 164.404, except as the BAA otherwise provides; DEAready will assist as the BAA requires. This Section mirrors 45 C.F.R. § 164.410; the detailed breach-notification mechanics and timing are governed by the BAA, which controls in the event of any conflict.
For security incidents involving non-PHI personal information, DEAready will notify affected account-holders as required by applicable state breach-notification law.
11. Children's Data
The Service is not directed to children, and DEAready does not knowingly collect personal information directly from children through the website or application; account-holders and users are practice professionals aged 18 or older.
Pediatric PHI is handled differently and separately. Patient information in a customer's records may pertain to pediatric patients (DEAready's customers include pediatric dental and medical practices). Such information is processed as a Business Associate under the BAA and HIPAA, is governed by the customer practice's policies and by HIPAA, and is not subject to the Children's Online Privacy Protection Act ("COPPA") or to this children's-data Section, because it is not information we collect from children online. DEAready does not knowingly collect children's personal information outside the PHI/BAA context, and will delete any such non-PHI data if we become aware of it.
12. Geographic Scope
DEAready is a United States-based service intended for United States customers. Customer data is stored and processed in the United States. DEAready does not offer the Service to data subjects in the European Union, European Economic Area, or United Kingdom and does not intend to be subject to the EU or UK General Data Protection Regulation. If you access the Service from outside the United States, you consent to the processing of your information in the United States.
13. Data Location and Cross-Border Transfers
All production data resides in an AWS United States region (us-east-1). DEAready does not engage in offshore processing of customer data. This Section should be read together with Section 12.
14. Automated Decision-Making and Artificial Intelligence
DEAready does not use customer data or PHI for automated profiling that produces legal or similarly significant effects, and the Service has no artificial-intelligence or machine-learning features as of acceptance. Customer data and PHI are not used to train artificial-intelligence models. If AI features are introduced in the future, this Policy will be updated, and the prohibition on training models with PHI will remain in effect absent a separate, BAA-compliant agreement.
15. Account-Holder and Workforce Data
Information about a practice's own staff users — including names, work email addresses, roles, and professional credentials — is processed to operate the customer's account. The customer practice is responsible for the accuracy of this information, and the practice's administrators are responsible for managing their users' access. This account data is distinct from consumer data and from PHI.
16. Third-Party Links
The Service may contain links to third-party websites and resources (for example, state PMP portals and DEA resources). Those sites are governed by their own privacy policies, and DEAready is not responsible for their content or practices.
17. Changes to This Policy
DEAready may update this Policy from time to time. When we do, we will revise the "Version / Last Updated date" above. We will communicate material changes to account-holders by email and/or in-app notice before they take effect. Your continued use of the Service after the effective date of a change constitutes your acceptance of the revised Policy as to non-PHI matters. Changes to the handling of PHI are governed by the BAA's amendment process and cannot be effected by unilateral changes to this Policy.
18. Contact and Privacy Inquiries
For privacy questions or to exercise a right described in Section 9, contact us:
- All privacy, security, breach, and general support inquiries: support@deaready.com
- Mailing address: DEAready LLC, 210 W Oklahoma St, Branson, MO 65616
Patients seeking their health records, or seeking to exercise HIPAA rights, must contact their healthcare provider (the customer practice). DEAready is a Business Associate and cannot act on patient requests directly.
OWNER MUST CONFIRM
The following items must be supplied or confirmed by the owner before this Policy is published:
- Last Updated date — currently June 10, 2026. Update this date whenever the Policy text changes. (This Policy uses a per-acceptance effective-date model: it is effective as to each customer on the date that customer accepts it, recorded against the customer's organization.)
- Single contact address. This Policy routes all privacy, security, and support inquiries to support@deaready.com. Confirm this inbox is live and monitored. (privacy@ and security@ addresses are intentionally not referenced because they are not provisioned.)
- Google Maps address autocomplete scope (Sections 2.8 / 3). Confirm that, as of the 2026-06-10 code change, Google Places address autocomplete is wired only to organization, location, and supplier/counterparty address fields and is never wired to patient-address fields. Patient addresses must continue to be entered in plain form fields and never transmitted to Google; routing a patient address to Google would be a PHI disclosure to a non-BAA-covered vendor.
- Sentry data-processing terms (Sections 2.7 / 3). Confirm whether a Data Processing Agreement (or comparable terms) is in place with Sentry, or whether DEAready relies solely on the "PHI excluded by design / beforeSend scrub" posture stated here.
- AWS BAA execution (Section 3). Confirm the AWS HIPAA Business Associate Addendum has been accepted for the AWS account hosting production (covering RDS, S3, Cognito, SES, KMS, and ECS Fargate).
- Field-encryption backfill (Section 6). Confirm the backfill migration encrypting historical User.deaNumber, User.npi, Registrant.businessEin, and the enumerated transaction identifier fields has completed, so the encryption-at-rest representation in Section 6 is accurate for all existing records.
- Default retention period (Section 7.1). Confirm the 7-year default (and the 7-year COMPLIANCE-mode Object Lock) and that no customer is configured below the applicable federal/state legal minimum.
- Post-termination export window (Section 7.4). Confirm the 30-day post-termination export window (defaulted to 30 days; adjust if a different window is intended).
- Applicable state privacy statute(s) (Section 9). Verify which U.S. state comprehensive privacy statute(s), if any, apply to DEAready's non-PHI account/website data. This Policy intentionally does not assert a specific state consumer-privacy statute or effective date.
- Consistency check. Confirm this Policy's PHI, breach-notification, retention/infeasibility, destruction, and amendment provisions (Sections 1, 6, 7, 10, 17) are consistent with the executed BAA and the Terms of Service; the BAA controls for PHI, this Policy controls for data-practice descriptions and Subprocessors, and the Terms of Service govern the commercial relationship in the event of any conflict.