Website Tracking & Opt-Out Policy
Salus-CM, Inc
Version 0.9, Published 3 November 2025
1. Purpose
This policy describes how we collect, use, and manage tracking technologies (such as cookies, pixels, and analytics tools) on our website, and outlines your rights to control and opt out of such data collection. It ensures compliance with:
- HIPAA (Health Insurance Portability and Accountability Act of 1996) and implementing regulations at 45 CFR Parts 160 & 164;
- GDPR (General Data Protection Regulation, EU 2016/679);
- PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5).
2. Scope
This policy applies to all visitors, users, and customers who access or interact with our website, including any tracking, analytics, or marketing tools that process personal data, device identifiers, or potentially identifiable information.
3. Overview of Tracking Technologies
We may use the following categories of tracking technologies on our website:
- Essential / Strictly Necessary Cookies
- Analytics Cookies and Tags
- Functional Cookies
- Advertising or Retargeting Cookies
- Web Beacons / Pixels
These technologies may collect data such as IP address, device ID, browser type, pages visited, and session data.
4. Legal Basis for Processing (GDPR Art. 6)
We process personal data collected through cookies and tracking technologies only when there is a lawful basis, including:
- Consent (GDPR Art. 6(1)(a));
- Legitimate interests (GDPR Art. 6(1)(f));
- Legal obligation (GDPR Art. 6(1)(c)).
Under PIPEDA Schedule 1, Principle 4.3, the individual's knowledge and consent are required for the collection, use, or disclosure of personal information. Under HIPAA 45 CFR §164.502(a) and §164.508(a)(3), PHI may not be disclosed to third-party tracking services except as the Privacy Rule permits, and never for marketing purposes without the individual's written authorization.
5. Use of Tracking Data
We use tracking data to operate and secure our website (GDPR Art. 32; HIPAA §164.530(c)), measure performance, personalize content, and comply with audit requirements. We employ IP anonymization and data minimization per GDPR Art. 25 and PIPEDA Principle 4.4.1.
6. HIPAA-Specific Requirements
We do not disclose PHI to analytics providers unless a Business Associate Agreement (BAA) is in place with that provider (HIPAA 45 CFR §164.308(b)(1)). Tracking tools are configured so that they do not capture PHI in page URLs, query strings, or other request metadata. Data in transit is protected against unauthorized access (HIPAA 45 CFR §164.312(e)(1)).
7. Opt-Out and Consent Management
Users can manage cookies through their browser settings or, for advertising and retargeting cookies, via recognized industry opt-out tools such as:
- Network Advertising Initiative Opt-Out Tool
- Digital Advertising Alliance Consumer Choice Page
- YourOnlineChoices (EU)
8. Retention and Data Minimization
Tracking data is retained only as long as necessary, consistent with:
- GDPR Art. 5(1)(e);
- PIPEDA Principle 4.5;
- HIPAA 45 CFR §164.530(j).
9. Data Sharing and Transfers
We do not sell or rent tracking data. Cross-border transfers comply with:
- GDPR Chapter V (Standard Contractual Clauses);
- PIPEDA Principle 4.1.3;
- HIPAA 45 CFR §164.308(b) for PHI safeguards.
10. Your Rights
Your applicable rights are determined by your country of legal residency and may include:
- GDPR (Art. 12–23): access, rectify, erase, restrict, object, data portability, withdraw consent.
- PIPEDA (Principles 4.9–4.9.6): access and challenge accuracy.
- HIPAA (45 CFR §164.524, §164.528): access PHI and request accounting of disclosures.
Any requests for actions regarding the data that we retain about you should be sent to ciso@salus-cm.care.
11. Security Safeguards
We employ administrative, technical, and physical safeguards per:
- HIPAA 45 CFR §164.308, §164.310, §164.312;
- GDPR Art. 32;
- PIPEDA Principle 4.7.
Measures include HTTPS/TLS encryption, access controls, pseudonymization, and regular assessments.
12. Policy Review and Updates
This policy is reviewed annually or upon significant regulatory or technical change, as required by:
- GDPR Art. 30;
- HIPAA §164.316(b).
13. Contact Information
To opt out of website tracking or withdraw consent for non-essential cookies, please contact our CISO at ciso@salus-cm.care with the subject line 'Tracking Opt-Out Request.' We respond to verified requests within the timeframes required by HIPAA, GDPR, and PIPEDA.
Anti-Spam and Unsolicited Advertising & Communications Policy
Salus-CM, Inc
Version 0.9, Published 3 November 2025
1. Purpose
This policy prohibits the use of unsolicited or unlawful electronic communications to advertise, promote, or reference our website, services, or products. It ensures compliance with the following regulatory and industry frameworks:
- HIPAA (Health Insurance Portability and Accountability Act of 1996), including:
- 45 CFR §164.502(a) – Use and disclosure of protected health information (PHI);
- 45 CFR §164.508(a)(3) – Authorization required for marketing uses and disclosures;
- 45 CFR §164.530(c) – Safeguards to protect the privacy of PHI.
- GDPR (General Data Protection Regulation, EU 2016/679), including:
- Article 5 – Principles relating to processing of personal data;
- Article 6 – Lawfulness of processing;
- Article 7 – Conditions for consent;
- Article 21 – Right to object to direct marketing;
- Recital 47 – Legitimate interests and direct marketing.
- PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5), including:
- Schedule 1, Principle 4.3 – Knowledge and consent;
- Schedule 1, Principle 4.5 – Limiting use, disclosure, and retention;
- Schedule 1, Principle 4.7 – Safeguards;
- Section 5(3) – Purpose limitation (“reasonable person” test).
- SURBL (Spam URI Real-time Blocklists) listing criteria, which set the expectations for responsible link and domain use in electronic messaging.
2. Scope
No person or organization may use unsolicited, unauthorized, or bulk communications — including email, SMS, instant messages, or social media posts — to advertise, promote, or reference our domains, trademarks, or products.
Prohibited actions include:
- Sending unsolicited commercial email (“spam”) that includes or references our URLs;
- Posting or distributing links to our website in online forums or messaging platforms without consent;
- Harvesting or processing personal information for marketing without a lawful basis (GDPR Art. 6; PIPEDA Principle 4.3);
- Transmitting any message containing PHI for marketing purposes without prior authorization (HIPAA 45 CFR §164.508);
- Engaging in any behavior that risks our inclusion in SURBL, URIBL, or other anti-abuse blocklists.
3. Lawful and Ethical Communications
All communications and outreach must:
- Be based on a lawful basis for processing under GDPR Art. 6(1);
- Respect an individual’s right to withdraw consent at any time (GDPR Art. 7(3));
- Refrain from using PHI for marketing without written authorization (HIPAA 45 CFR §164.508(a)(3));
- Meet PIPEDA’s requirements for knowledge and consent (Schedule 1, Principle 4.3);
- Include a valid sender identification, contact information, and clear opt-out mechanism (GDPR Art. 21(2); CAN-SPAM Act 15 U.S.C. §7704(a)(5));
- Avoid deceptive, misleading, or obscured sender information.
4. Data Protection and Recordkeeping
We maintain appropriate administrative, technical, and physical safeguards to ensure compliance with data protection requirements under:
- HIPAA 45 CFR §164.530(c) – Safeguards to prevent unauthorized disclosures of PHI;
- GDPR Art. 32 – Security of processing;
- PIPEDA Schedule 1, Principle 4.7 – Safeguards proportional to the sensitivity of information.
We also ensure that personal data and PHI:
- Are collected only for specified, legitimate purposes (GDPR Art. 5(1)(b));
- Are not retained longer than necessary (PIPEDA Principle 4.5.3; GDPR Art. 5(1)(e));
- Are reviewed for risk via Data Protection Impact Assessments (DPIAs) where appropriate (GDPR Art. 35).
5. Enforcement and Consequences
Violations of this policy may result in:
- Termination of business or affiliate relationships;
- Suspension of access to systems, APIs, or platforms;
- Notification to regulatory authorities such as:
- U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for HIPAA violations;
- EU or UK Supervisory Authorities for GDPR breaches;
- Office of the Privacy Commissioner of Canada (OPC) for PIPEDA non-compliance.
- Legal action or referral to law enforcement where applicable.
We cooperate with SURBL administrators, Internet service providers, and anti-abuse organizations to investigate and mitigate any misuse of our domains.
6. Reporting Violations
If you receive an unsolicited or suspicious message that references or promotes our website, please report it to abuse@salus-cm.care.
Vulnerability Disclosure Policy
Salus-CM, Inc
Version 0.9, Published 29 October 2025
1. Purpose
This policy explains the process to report vulnerabilities and security issues found when using the salus-cm.care website.
2. Scope
This policy covers the https://salus-cm.care website, email sent from the salus-cm.care domain, and DNS for the salus-cm.care domain.
3. How to Report Vulnerabilities
Please send any vulnerabilities to: security@salus-cm.care.
Please include a detailed description, the steps to reproduce your findings, and your assessment of the potential impact of the vulnerability.
Please encrypt reports with our PGP key, available at https://salus-cm.care/.well-known/publickey.asc
4. Commitment / Response Policy
We acknowledge receipt within 5 business days.
We provide status updates at least every 2 weeks.
We aim to resolve valid issues within 90 days of confirmation.
5. Safe Harbor / Legal Protections
If you make a good faith effort to comply with this policy, we will not pursue legal action related to your research.
6. Out-of-Scope or Prohibited Activities
Please do not:
- Perform denial-of-service attacks
- Access or modify any data without permission
- Use automated scanning tools without first coordinating with us at security@salus-cm.care