Trust Center
(Privacy • HIPAA & GDPR • Accessibility • Terms)
Effective date: September 1st 2019
Inquiries Contact: support@ricreativestudio.com
Code of Honor & Compliance Commitments
Confidentiality & Consulting Terms
- NDA-first. I execute client NDAs and treat all Confidential Information (business, clinical, financial, strategic, technical) as strictly confidential. I will not disclose, reuse, or reference such information outside the engagement, and I do not include client specifics in case studies, talks, or training materials without prior written consent.
- Use limitations. Client data is used solely to deliver the agreed Scope of Work (e.g., omnichannel & digital marketing strategy, portfolio dashboards, governance, orchestration, vendor/MLR coordination). I do not train external AI models on client data.
- Data protection. Least-privilege access, encrypted storage, and secure transfer only; no PHI is ingested into marketing analytics. If PHI processing is in scope (rare), it requires a BAA and approved secure systems. Data is retained only per client policy and securely destroyed at project end.
- Conflicts & independence. I disclose potential conflicts in writing and avoid competitor-conflicted work unless explicitly approved.
- Work product & IP. Unless otherwise agreed in the SOW, the client owns deliverables; I retain background know-how but not client-confidential content.
- Independent contractor. I operate as an independent contractor; no employment, partnership, or agency relationship is created.
- Publicity. I will not use client trademarks, logos, or brand names in marketing/case studies without prior written permission.
- No legal/medical advice. I provide marketing and analytics advice; final legal, regulatory, and medical determinations remain with the client’s counsel/MLR.
Ethical Promotion Codes
- I align to the PhRMA Code (US), EFPIA Code (EU), and IFPMA Code of Practice (global) for scientific accuracy, appropriate HCP interactions, and transparency.
FDA/Global Promotional Standards
- On-label always. US Rx promotion follows 21 CFR 202.1 and OPDP/APLB guidance—clear, balanced, non-misleading communication with fair balance and appropriate ISI/risk presentation. Local rules prevail in non-US markets.
- MLR packet baseline: clean/annotated copy, Claims/Evidence Matrix, references, ISI/boxed warning plan, annotated mocks, and a versioned change log.
- Digital short-form: character-limited units (social/search/banner) use risk/ISI placement patterns; landing pages present ISI above the fold.
- 2253 (US): first-use submissions are tracked where applicable; responsibilities/timelines set in the SOW.
- AE/PC routing: adverse event/product complaint intake and forwarding paths are defined for interactive channels.
Transparency (Sunshine/Open Payments)
- I support accurate Open Payments/Sunshine Act disclosures for reportable transfers of value to HCPs and institutions.
Privacy, Consent & Data Handling
- HIPAA/GDPR + Consent Mode. Consent-first measurement, purpose limitation, data minimization, and regional controls. No marketing tags/retargeting in authenticated or PHI-risk areas. CMP use where applicable; de-identification for reporting; retention per policy.
- US state privacy laws. I honor applicable rights under CPRA/CCPA (CA), CPA (CO), VCDPA (VA), CTDPA (CT), UCPA (UT), and similar laws, including opt-out of sale/share/targeted advertising and honoring Global Privacy Control (GPC) signals.
- Cross-border transfers. Where personal data moves internationally, I rely on vendor SCCs/UK Addendum/adequacy decisions.
Speak-Up Culture
- “Just Culture.” I maintain open reporting channels, a no-retaliation stance, and immediate escalation paths for potential compliance issues.
Privacy Policy
- Who I am. I operate this website (“Site”) to provide information about analytics and omnichannel consulting services for pharmaceutical brands.
What I collect
- Contact form & email: name, work email, company, role, topic, timing, budget, message.
- Calendar bookings: name, email, meeting details (via Calendly).
- Payments: billing name, email, amount (processed by Stripe). I do not store credit card numbers.
- Newsletter: email + topic preferences (optional).
- Analytics & performance: page views, device/browser, referrer, approximate location, and events (e.g., CTA clicks).
- Cookies: strictly necessary (session, security) and optional (analytics/experience). See Cookies & Preferences.
Processors / sub-processors (service providers)
- Webflow (hosting/forms/CDN) • Google Analytics 4 (consent-aware) • Calendly • Stripe (Checkout + Customer Portal) • Mailchimp/HubSpot (if used) • Hotjar (if used; consent-gated, inputs masked).
- Data location: Providers may process data in the U.S. and other jurisdictions; EU/UK transfers rely on vendor SCCs or equivalent.
- How I use data: respond to inquiries, deliver services, process payments, send opted-in communications, improve the Site, prevent fraud/abuse, and meet legal/tax obligations.
- Retention: inquiries up to 24 months; invoices 3 years; newsletter until unsubscribe; analytics 14–26 months (tool settings); calendar per scheduler policy.
Your choices & rights
- Consent: analytics/experience cookies run only after you opt in.
- Opt-out: adjust at /cookies anytime.
- Unsubscribe: one-click in emails.
- Access/Deletion/Correction: email Support@ricreativestudio.com (identity verification required).
- US state privacy rights: access, delete, correct, opt-out of “sale/share” or targeted ads—use /do-not-sell-or-share or email me.
- EU/UK GDPR rights: access, rectification, erasure, restriction, portability, objection (and the right to complain to your authority).
- Children: not directed to under-16; no knowing collection (COPPA awareness).
- Security: HTTPS/TLS, least-privilege access, encrypted Stripe checkout, no card storage, periodic access reviews.
- Controller/processor roles: For this Site I act as controller of visitor data; for client work I typically act as a processor under a DPA.
- Do Not Track/GPC: Where legally required, I honor Global Privacy Control signals as an opt-out of sale/share.
- Changes: updates posted here with a new Effective date.
HIPAA & GDPR Summary (Plain Language)
- No PHI on this Site. Please avoid sharing PHI in forms, bookings, or notes.
- BAA/DPA available for client work in defined regulated scopes; sub-processors aligned accordingly.
- Minimum necessary: analytics/logs configured only to what’s needed for performance/security.
- Consent first: analytics beyond necessary run only after consent; consent state appended to events.
- Incident response: investigate, contain, assess, notify as required, and document remediation.
- Current sub-processors: Webflow, GA4, Calendly, Stripe, Mailchimp/HubSpot (if used), Hotjar (if used).
- Breach notification: clients will be notified without undue delay, consistent with law and contract, if I become aware of a security incident affecting their data.
Accessibility Statement
I’m committed to making this Site usable for everyone.
Standards: targeting WCAG 2.2 AA (contrast, keyboard, focus, landmarks, alt text, labels).
Audit cadence: automated + manual checks quarterly and after major releases.
Third-party embeds: Calendly/Stripe/Google Analytics/CRM platforms configured for accessible modes when available.
Report a barrier: Support@ricreativestudio.com (response target: 2 business days with a remediation plan).
Alternative format: upon request, I can provide content in accessible alternative formats (e.g., large print, tagged PDF).
Terms of Use
Acceptance of terms: by using the Site, you agree to these Terms and applicable laws.
Permitted use: lawful, informational use; no reverse engineering/disruption.
Intellectual property: Site content (text/graphics/logos/code) is owned or licensed; no copying or derivative works without permission.
No legal/medical advice: content is general information, not legal/medical/regulatory advice.
Third-party links: provided for convenience; I’m not responsible for their content/policies.
Disclaimers & limitation of liability: Site provided “as is”; to the extent permitted by law, liability is limited for indirect/consequential damages.
Indemnification: you agree to indemnify me for misuse/violations.
Governing law: New York, USA; venue New York County, NY (update to your locale if needed).
DMCA/Notice-and-Takedown: If you believe content infringes your IP, email Support@ricreativestudio.com with a detailed notice; I will investigate and remove where appropriate.
Trademarks & fair use: Brand names/logos shown in case studies are the property of their owners and used nominatively for portfolio purposes only. No endorsement is implied.
Changes: updates may occur; continued use of the Site constitutes acceptance of the then-current Terms.
Contact: support@ricreativestudio.com
Live Sessions, Webinars, Courses & Materials — Terms
Scope. These terms govern all video/phone conferences, webinars, office hours, courses/on-demand trainings, advisory “clinics,” Q&A, and any materials you receive or download from this Site (including PDFs, templates, SOPs, and my resume).
Recording & consent. Sessions may be recorded (audio/video/transcripts) only with explicit consent from all parties, consistent with one- or two-party consent laws. If recorded, participants will be notified at start; you may opt out by leaving the session. Unconsented recording or redistribution of my sessions is prohibited.
Confidential information & NDAs. Do not share client-confidential information during public webinars or open courses. Confidential matters belong in a separately scheduled engagement under NDA. Absent an NDA, I treat shared information as non-confidential and will steer discussion to public best practices.
No PHI/PII. Do not disclose Protected Health Information (PHI) or sensitive personal data in any session chat, Q&A, or shared files. I do not ingest PHI into marketing analytics. If a regulated scope requires PHI, it must be under a written SOW and BAA using approved secure systems.
No legal/medical advice; MLR controls. Sessions provide marketing and analytics guidance, not legal, regulatory, medical, or clinical advice. Final promotional decisions remain with your Medical/Legal/Regulatory (MLR) and counsel. Nothing in a session bypasses applicable laws, codes, or your internal SOPs.
IP & license for materials. Unless stated otherwise in a signed SOW: course slides, PDFs, templates, and downloads are licensed to your organization on a non-exclusive, non-transferable, internal-use basis. You may not resell, republish, post publicly, or create derivative works without written permission. My resume is provided solely for evaluation and may not be reposted or scraped.
Attribution & logos. Brand names/logos shown in examples are the property of their owners and used nominatively for portfolio or educational purposes. No endorsement is implied. Do not use my name or logo to endorse a product or service without permission.
Platform providers. Sessions may run on Zoom, Microsoft Teams, Google Meet, or similar. Those providers act as processors of session metadata under their own privacy policies. Features such as live captions or transcripts are enabled where available to support accessibility.
File sharing & security. For any pre-reads or workbooks, use secure links designated by your company (e.g., SharePoint/OneDrive, Box). Do not email sensitive files. Access is least-privilege and time-limited. I will remove access upon project close or at your written request.
Course access & conduct. Course logins are personal to the registrant. No seat sharing. I reserve the right to moderate or remove participants for harassment, discriminatory remarks, or disruptive behavior, and to terminate a session if safety or compliance is at risk.
Accessibility. I aim to meet WCAG 2.2 AA for materials and enable captions on live sessions. If you need reasonable accommodations (e.g., tagged PDFs, extended access windows), email Support@ricreativestudio.com before the session.
Reliance & outcomes. You are responsible for how you apply guidance in your environment. I do not warrant specific outcomes or regulatory approvals. Always route promotional materials through your MLR process and follow local rules (e.g., 21 CFR 202.1, OPDP/APLB; PhRMA/EFPIA/IFPMA codes; PAAB, ABPI/PMCPA, etc.).
CME/CE disclosure. Unless explicitly stated, sessions are not accredited for CME/CE. If a session is accredited, accreditation and required disclosures will be provided by the accredited provider.
Payments & refunds (courses/webinars). Fees, refunds, and rescheduling terms (if any) will be shown at checkout or in the registration confirmation and prevail over this summary.
Export controls & sanctions. You agree not to access or use the materials in violation of applicable export control, sanctions, or anti-bribery/anti-corruption laws.
Privacy for sessions. I collect limited session metadata (e.g., name, email, join time, polls/Q&A) to deliver the event and follow up on requested resources, per the Privacy Policy. Recordings, if any, are retained only as long as necessary for the stated purpose.
Changes. I may update these session terms from time to time; continued attendance or use of materials indicates acceptance of the then-current terms.
Cookies & Preferences (Summary)
Strictly necessary: security, load balancing, form submission.
Analytics (opt-in): GA4.
Experience (opt-in): Hotjar (if enabled; inputs masked; keystrokes disabled).
Payments: Stripe sets essential cookies for checkout and fraud prevention.
Manage preferences: /cookies (banner + center).
US opt-out: /do-not-sell-or-share.
GPC: Opt-out preferences can also be communicated via Global Privacy Control signals where recognized.
Security & Vulnerability Disclosure
security.txt: I publish a /.well-known/security.txt file with a contact for responsible disclosure.
Responsible disclosure: If you discover a vulnerability, email Support@ricreativestudio.com with details; do not publicly disclose until remediation.
Standards: role-based access, MFA on admin tools, encrypted backups, and periodic access reviews.
Case Studies, Portfolio & Audience Notice
Professional audience only. This Site targets professional readers (brand/agency/analytics). It is not intended for patients or the general public.
No off-label promotion. Case studies and examples describe process/operations; they do not promote any product, indication, or make therapeutic claims.
Sanitized content. Case studies are sanitized of confidential details and do not include PHI. Any endorsements are clearly labeled.
Disclaimer: All case studies presented are derived from real project frameworks and execution methods; however, any proprietary data, brand performance metrics, or dashboard values have been redacted, anonymized, or modified to remain compliant with confidentiality agreements, MLR/OPDP/APLB standards, and applicable data privacy regulations (HIPAA, GDPR, and client NDAs). These examples are intended solely for educational and demonstrative purposes to illustrate process and methodology, not to disclose or imply actual commercial results.
Jurisdiction-Specific Notices
California (CPRA/CCPA): I disclose categories of personal information collected/used and provide opt-out of sale/share via /do-not-sell-or-share. Sensitive personal information is processed only for limited purposes.
EU/UK: If required, I will designate an EU/UK representative under GDPR/UK GDPR. Cross-border transfers rely on SCCs/UK Addendum/adequacy decisions.
Canada (PIPEDA/PAAB), Brazil (LGPD), Quebec (Law 25): Addenda available on request, covering local rights/consents and ad standards (e.g., PAAB for promotional review).
Consulting Engagement Terms (Addendum to SOW)
SOW precedence: If there is a conflict between this page and a signed SOW/MSA, the SOW/MSA controls.
Fees & payments: payment terms, late-fee policy, expenses, and taxes are defined in the SOW.
Cancellation/rescheduling: workshops/clinics may be rescheduled with 7 business days’ notice; otherwise a cancellation fee may apply (see SOW).
Non-solicitation (optional): mutual non-solicitation can be included for a defined period post-project.
Export controls/sanctions/ABAC: I comply with applicable sanctions and anti-bribery/anti-corruption laws; no facilitation payments.
Insurance (on request): COI available (professional liability/E&O).
Version History
2019-09-01: Initial publication
2025-10-01: Expanded MLR elements (packet, short-form, 2253, AE/PC), state privacy rights & GPC, cross-border transfer basis, DMCA/IP, security.txt, audience/off-label disclaimers, and engagement addenda.