Privacy Policy

1. Information We Collect

1.1 Information You Provide

When you register through the Portal, you voluntarily provide:

• Personal Information: Name, email address, phone number (optional), mailing address, state of residence
• Purchase Information: Order numbers, purchase dates, purchase channels, lot numbers, product usage details
• Health Information: Symptoms, health impacts, medical visits, doctor consultations related to product use
• Documentation: Receipts, product labels, medical records, test results, and other supporting evidence (collectively "Uploads")
• Consent Records: Your acknowledgment of terms, consent to data use, and legal disclaimers

1.2 Automatically Collected Information

• Technical Data: IP address, browser type, device information, access times
• Usage Data: Pages visited, form completion progress, navigation patterns
• Security Logs: Authentication attempts, session data, audit trails for compliance

2. How We Use Your Information

We use the information collected for the following purposes:

• Safety Assessment: To assess your eligibility for participation in the consumer safety investigation related to the Agebox iKids Growth recall
• Documentation: To compile evidence, establish timelines, and support the investigation
• Communication: To send confirmation emails, safety updates, and requests for additional information
• Information Sharing: To share relevant information with qualified professionals evaluating the investigation (only with your consent)
• Compliance: To comply with legal obligations, court orders, and regulatory requirements
• Security: To protect against fraud, unauthorized access, and ensure data integrity
• Analytics: To understand submission patterns, improve the Registry, and allocate resources

3. How We Share Your Information

3.1 With Qualified Professionals

Your information may be shared with:

• Licensed professionals evaluating potential safety claims
• Registry staff conducting research and documentation
• Expert witnesses, including medical professionals and toxicologists (when necessary for safety assessment)

Note: All professionals with access to your information are bound by professional ethics rules and confidentiality obligations.

3.2 Service Providers

We use trusted third-party service providers who process data on our behalf:

• Cloud Storage: Google Cloud Storage for secure file storage (encrypted at rest)
• Database: Managed PostgreSQL services for structured data
• Email Services: Resend for transactional emails and notifications
• Authentication: NextAuth for secure login and session management

All service providers are contractually required to maintain the confidentiality and security of your information.

3.3 Legal Requirements

We may disclose your information if required to do so by law, court order, subpoena, or to protect our legal rights or the rights of others.

3.4 What We Do NOT Do

• We do NOT sell your personal information to third parties
• We do NOT use your information for marketing or advertising
• We do NOT share your information with unrelated parties outside of registry operations

4. Data Security

We implement industry-standard security measures to protect your information:

4.1 Technical Safeguards

• Encryption in Transit: All data transmitted over HTTPS/TLS protocols
• Encryption at Rest: Sensitive data encrypted using AES-256 encryption
• Signed URLs: Temporary, expiring links for file uploads and downloads
• Access Controls: Role-based access (RBAC) limiting data access to authorized personnel only
• Authentication: Multi-factor authentication available for admin access

4.2 Operational Safeguards

• Audit Logs: All data access and modifications are logged for accountability
• Regular Reviews: Periodic security audits and vulnerability assessments
• Limited Access: Only authorized ADMIN role users can view submissions
• Confidentiality Agreements: All personnel with data access sign confidentiality agreements

Important: While we use reasonable security measures, no system is 100% secure. We cannot guarantee absolute security of information transmitted over the internet.

5. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

5.1 Access and Portability

You have the right to request a copy of the personal information we hold about you. You can request this data in a commonly used, machine-readable format.

5.2 Correction

You have the right to request correction of inaccurate or incomplete information. Contact us with your registration ID to update your information.

5.3 Deletion

You may request deletion of your personal information by emailing consumerregistry@gmail.com with your registration ID.

Note: We may need to retain certain information to comply with legal obligations, resolve disputes, or as required for ongoing investigation. In such cases, we will securely archive the data with restricted access.

5.4 Opt-Out of Communications

You may opt out of non-essential communications (updates, newsletters) at any time. However, you cannot opt out of transactional communications (confirmation emails, legal notices) related to your submission.

5.5 State-Specific Rights

• California (CCPA/CPRA): Right to know, delete, opt-out of sale (we do not sell data), and non-discrimination
• Virginia (VCDPA): Access, correction, deletion, and opt-out rights
• Other States: Additional rights may apply based on your state’s privacy laws

6. Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this policy:

• Active Review: Throughout the safety investigation process and any resulting actions
• Legal Requirements: As required by law, court orders, or regulatory obligations
• After Resolution: We may retain anonymized, aggregated data for statistical purposes

Upon report closure or at your request, we will securely delete or anonymize your personal information, except where retention is legally required.

7. Children’s Privacy

This Portal is intended for use by parents, guardians, or authorized representatives submitting information on behalf of minors affected by the Agebox product recall. We do not knowingly collect information directly from children under 13. By submitting information about a minor, you represent that you have the legal authority to do so.

8. International Users

This Portal primarily serves users in the United States. If you are accessing from outside the U.S., please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

9. Cookies and Tracking

We use minimal cookies and tracking technologies:

• Essential Cookies: Session management, authentication, CSRF protection (required for functionality)
• Analytics: Basic usage statistics to improve the Portal (no third-party analytics/advertising)

You can manage cookie preferences in your browser settings, but disabling essential cookies may prevent you from using certain features.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Effective Date"
• Sending email notification to registered users (for significant changes)

Your continued use of the Portal after changes take effect constitutes acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

12. Important Disclaimers