Privacy Policy

1. Introduction and Data Controller Identification

Traceability Trade SL ("we," "us," "our," or "the Company"), registered in Madrid, Spain at Avenida Ventisquero De La Condesa, 7 - Puerta B, Planta 5, 28035 Madrid, with Tax Identification Number (CIF) B23873292, hereby informs you about the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation - GDPR) and Organic Law 3/2018, of 5 December, on Data Protection and Guarantee of Digital Rights (LOPDGDD).

This Privacy Policy applies to all personal data collected through our website ttrade.global (the "Website"), including but not limited to data collected via contact forms, subscription forms, account registration, or any other means of communication or interaction with our services.

2. Purpose of Personal Data Processing

Traceability Trade SL processes personal data for the following specific and legitimate purposes:

2.1 Service Provision and Account Management

• To create, manage, and maintain user accounts on our platform
• To provide access to our Digital Product Passports, blockchain-based traceability solutions, and supply chain tracking services
• To process requests for sustainability certifications and environmental impact assessments
• To manage product lifecycle data, including raw material sourcing, production, distribution, and end-of-life stages
• To enable real-time supply chain monitoring and digital twin engagement features

2.2 Communication and Customer Support

• To respond to inquiries, requests, and support tickets submitted through our contact forms
• To send technical notifications, service updates, and system alerts
• To provide information about our services, including Digital Product Passports, blockchain ledger functionalities, and circular economy credits
• To maintain contractual communications with clients and partners

2.3 Commercial and Marketing Communications

• To send commercial information, newsletters, and promotional content about new services, features, or offerings (with your prior consent or legitimate business relationship)
• To inform existing clients about services similar to those already contracted
• To conduct market research and customer satisfaction surveys (subject to your consent)

2.4 Data Integrity and Security

• To detect, prevent, and address fraud, security incidents, and technical issues
• To monitor and improve the security, integrity, and performance of our platform
• To ensure compliance with our terms of service and legal obligations

2.5 Regulatory and Legal Compliance

• To comply with regulatory requirements in the European Union and Spain, including environmental, data protection, and corporate governance regulations
• To respond to legal requests, court orders, or government authority inquiries
• To maintain audit trails and ensure accountability in blockchain transactions and supply chain records

2.6 Optimization and Analytics

• To analyze usage patterns, user behavior, and platform performance to improve our services
• To develop predictive modeling for supply chain efficiency and waste reduction optimization
• To generate aggregated and anonymized insights about sustainability trends and circular economy metrics

3. Legal Basis for Processing

The processing of your personal data is carried out on the following legal bases as recognized under Article 6 of the GDPR:

3.1 Consent (Article 6(1)(a))

• For marketing communications and newsletters, we rely on your explicit, informed consent, which you can withdraw at any time
• For non-essential cookies and tracking technologies (beyond those necessary for platform functionality)
• For voluntary participation in surveys and market research activities

3.2 Performance of Contract (Article 6(1)(b))

• To execute and manage service contracts, including Digital Product Passport subscriptions, blockchain ledger access, and supply chain tracking services
• To fulfill your requests for product lifecycle tracking and sustainability certifications
• To maintain account management and payment processing

3.3 Legal Obligation (Article 6(1)(c))

• To comply with Spanish and EU environmental regulations, including those related to circular economy reporting
• To fulfill tax, accounting, and corporate record-keeping requirements
• To respond to lawful governmental and judicial requests

3.4 Legitimate Interests (Article 6(1)(f))

• To prevent fraud, abuse, and unauthorized access to our platform and services
• To improve the security, functionality, and user experience of our Website and services
• To maintain business records and ensure proper platform administration
• To conduct aggregated statistical analysis and optimize our services

For processing based on legitimate interests, we have conducted a balance test ensuring that your fundamental rights are not overridden by our interests.

4. Categories of Personal Data Collected

Traceability Trade SL collects the following categories of personal data:

4.1 Identification Data

• Full name
• Professional or business title
• Company name and organization details
• Tax identification numbers or business registration numbers

4.2 Contact Information

• Email address
• Phone number
• Postal address and geographic location
• Country and region information

4.3 Account and Access Data

• Username and password (encrypted)
• Account registration details and authentication credentials
• Account activity logs and access timestamps
• User preferences and settings

4.4 Transaction and Service Data

• Details of products and services purchased or subscribed to (e.g., Digital Product Passports, blockchain ledger services)
• Payment and billing information
• Subscription status and renewal history
• Service usage data and transaction records

4.5 Supply Chain and Product Data

• Raw material sourcing information provided by you or your suppliers
• Product lifecycle details (production, distribution, disposal)
• Carbon footprint calculations and environmental metrics
• Blockchain transaction records and smart contract interactions
• IoT device data and real-time asset tracking information

4.6 Communication Data

• Content of emails, messages, and inquiries submitted to us
• Records of customer support interactions and technical support tickets
• Feedback and survey responses

4.7 Technical and Behavioral Data

• Internet Protocol (IP) address and device identifiers
• Browser type and version, operating system information
• Pages visited, features used, and usage duration
• Cookie identifiers and tracking data
• Information about your interaction with our Website and platform features

4.8 Inferred and Derived Data

• Aggregated sustainability metrics and supply chain performance indicators
• Predictive analytics for supply chain optimization
• Circular economy credit calculations
• User segments and behavioral analysis (anonymized and aggregated)

5. Data Retention Periods

Traceability Trade SL retains personal data in accordance with the following retention periods:

5.1 Service-Related Data

• Account data and subscription information: Retained for the duration of the service contract plus 3 years for tax, accounting, and legal compliance purposes
• Product lifecycle and blockchain ledger records: Retained as long as the immutable blockchain records persist, or as required by applicable law
• Transaction and payment records: Retained for a minimum of 6 years in accordance with Spanish tax regulations

5.2 Communication Data

• Customer support records and inquiries: Retained for 2 years following the final communication or contract termination
• Marketing communications logs: Retained for the duration of your consent or business relationship plus 1 year

5.3 Technical and Behavioral Data

• Access logs and IP addresses: Retained for a maximum of 1 year
• Cookie and tracking data: Retained in accordance with cookie consent preferences (typically 12 months)
• Usage analytics and aggregated data: Retained indefinitely in anonymized form

5.4 Data Subject Rights Requests

• Records of data subject requests: Retained for 3 years in accordance with GDPR Article 12(4)

5.5 General Rule

Data will be deleted or anonymized when it is no longer necessary for the purposes for which it was collected, unless:

• You object to its processing
• You revoke your consent for specific purposes
• Applicable law requires retention for a longer period
• Blockchain immutability constraints prevent deletion

6. Recipients of Personal Data

Personal data collected by Traceability Trade SL may be shared with the following categories of recipients:

6.1 Service Providers and Data Processors

• Web Hosting Provider: Namecheap (EU-based hosting services) - Personal data is stored and processed on EU servers to ensure GDPR compliance. Namecheap operates under Standard Contractual Clauses (SCCs) ensuring adequate data protection
• Payment Processors: Third-party payment service providers to process transactions securely
• Email and Communication Platforms: Services for sending transactional emails, notifications, and newsletters
• Analytics Providers: For aggregated and anonymized user behavior analysis and platform optimization

6.2 Blockchain Network Participants

• Distributed Ledger Network: Supply chain and product data recorded on blockchain ledgers may be visible to network participants on a permissioned or public basis, depending on your configuration
• Smart Contract Executors: Automated systems and network nodes that execute smart contracts related to circular economy credits and asset tokenization

6.3 Business Partners and Integrations

• Supply Chain Partners: Your suppliers and customers may receive product lifecycle data and traceability information shared through your Digital Product Passport
• Third-Party APIs: Integrated services for sustainability reporting, carbon calculation, or IoT data harvesting (only when explicitly authorized by you)

6.4 Legal and Regulatory Authorities

• Government Agencies: Tax authorities, environmental regulatory bodies, and other statutory bodies as required by law
• Judicial or Administrative Bodies: In response to court orders, legal proceedings, or government requests
• Law Enforcement: In case of suspected fraud, security incidents, or criminal activity

6.5 Business Transfers

In the event of merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred as part of such transaction. We will provide notice of any such change and obtain your consent if required by law.

6.6 Data NOT Sold or Licensed

Traceability Trade SL does not sell, license, lease, or otherwise disclose personal data to third parties for commercial purposes, except as explicitly stated above or required by law.

7. International Data Transfers

Traceability Trade SL primarily stores and processes personal data within the European Union through EU-based infrastructure providers.

7.1 EU Data Storage

• Primary Storage: Namecheap (EU hosting provider with servers in the European Union)
• Compliance Framework: All processing within EU territory complies directly with GDPR requirements

7.2 Limited International Transfers

In certain limited circumstances, personal data may be accessed or processed by personnel of Namecheap, Inc. or affiliated entities located outside the European Economic Area (EEA), such as in the United States.

7.3 Transfer Safeguards

All international data transfers are protected by one or more of the following mechanisms:

• Standard Contractual Clauses (SCCs): Adopted by the European Commission and incorporated into our data processing agreements with third-party providers
• Adequacy Decisions: Processing may occur in jurisdictions with an EU adequacy determination
• Explicit Consent: Your prior informed consent where required

7.4 Right to Information

You have the right to request information about the specific safeguards used for any international data transfer. Please contact us using the information in Section 15 of this policy.

8. Data Subject Rights

In accordance with the GDPR and LOPDGDD, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether your personal data is being processed and to access your data. We will provide you with a copy of the data in a structured, commonly used, and machine-readable format.

8.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate, incomplete, or outdated personal data. You may update certain account information directly through your user dashboard.

8.3 Right to Erasure ("Right to Be Forgotten") (Article 17)

You have the right to request deletion of your personal data in certain circumstances, such as when:

• Data is no longer necessary for the purposes for which it was collected
• You withdraw your consent and no other legal basis applies
• You object to processing on grounds of legitimate interests
• Data has been unlawfully processed

Limitations: Erasure may not be possible for data required to fulfill contractual obligations, comply with legal requirements, or for blockchain-based records that are immutable by design. We will inform you of any limitations.

8.4 Right to Restrict Processing (Article 18)

You have the right to restrict the processing of your personal data in specific circumstances, such as:

• During accuracy verification periods
• When processing is unlawful but you oppose deletion
• When data is no longer needed but you need it for legal claims
• During consideration of your objection

8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another data controller without hindrance.

8.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests, including profiling. You also have the right to object to direct marketing communications at any time.

8.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you, except where necessary for contract performance or authorized by law.

8.8 Right to Withdraw Consent

Where processing relies on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

8.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, including the Spanish Data Protection Authority (Autoridad de Protección de Datos - AEPD), if you believe your rights have been violated.

9. Exercise of Rights and Contact Information

To exercise any of the rights described in Section 8, please contact us using the following methods:

9.1 Primary Contact Methods

Email: protecciondatos@ttrade.global

Postal Address:
Traceability Trade SL
Avenida Ventisquero De La Condesa, 7
Puerta B, Planta 5
28035 Madrid, Spain

Contact Form: You may submit requests through the contact form on our website at ttrade.global/contact

9.2 Response Timeline

• We will respond to your request within 30 days of receipt
• This period may be extended by two months for complex or repetitive requests
• We will inform you of any extension and the reasons for the delay
• In cases where additional information is needed to verify your identity, we may request supporting documentation

9.3 Verification of Identity

To ensure your personal data is only accessed by authorized individuals, we may request proof of identity before processing your request. This may include:

• Copy of government-issued identification
• Verification of the email address or postal address on file
• Other verification methods as appropriate

9.4 Free Exercise of Rights

The first copy of data provided per your request is provided free of charge. We may charge a reasonable fee for additional copies or repetitive requests, or may refuse manifestly unfounded or excessive requests in accordance with Article 12(3) of the GDPR.

10. Data Security Measures

Traceability Trade SL is committed to protecting your personal data against unauthorized access, alteration, disclosure, or destruction. We implement the following technical and organizational security measures in accordance with Article 32 of the GDPR:

10.1 Technical Measures

• Encryption: Data in transit is encrypted using TLS/SSL protocols; sensitive data at rest is encrypted with industry-standard algorithms
• Access Controls: User authentication via encrypted credentials; role-based access control (RBAC) limiting employee access to personal data on a need-to-know basis
• Blockchain Security: Immutable ledger technology with cryptographic verification for supply chain and product data
• Firewall Protection: Network firewalls and intrusion detection systems monitoring for unauthorized access attempts
• Regular Backups: Automated backup systems with secure, redundant storage ensuring data recovery capability

10.2 Organizational Measures

• Data Protection Training: Employees handling personal data receive mandatory GDPR and data protection training
• Access Restrictions: Personal data is accessible only to employees and contractors who require access for legitimate business purposes
• Confidentiality Agreements: All staff are bound by confidentiality and non-disclosure agreements
• Vendor Management: Third-party service providers are contractually bound by data processing agreements (DPAs) incorporating GDPR requirements

10.3 Incident Response

• We maintain an incident response plan for addressing potential data breaches
• In the event of a personal data breach, we will notify affected data subjects without undue delay in accordance with Article 33 of the GDPR
• We report breaches to the Spanish Data Protection Authority (AEPD) when required by law

10.4 Limitations

While we implement comprehensive security measures, no system is completely secure. We cannot guarantee absolute security against all potential risks. Users are responsible for maintaining the confidentiality of their account credentials and for safeguarding their access credentials.

11. Cookies and Tracking Technologies

Our Website uses cookies and similar tracking technologies to enhance your user experience, analyze website traffic, and personalize content. This section explains how we use these technologies in compliance with GDPR and ePrivacy regulations.

11.1 Types of Cookies

Essential/Necessary Cookies:

• Session cookies enabling core website functionality
• Authentication cookies for secure user login
• Security cookies protecting against fraud and unauthorized access
• Legal requirement compliance cookies

Analytical Cookies:

• Google Analytics and similar tools for measuring website performance and user behavior
• Heatmaps and session recording tools (with consent) for optimizing user experience

Marketing and Advertising Cookies:

• Cookies enabling retargeting and personalized advertising content
• Cookies used by advertising partners to display relevant promotions

11.2 Cookie Consent

• Essential cookies are deployed without prior consent as they are necessary for website functionality
• Analytical and marketing cookies require your explicit prior consent through our cookie consent banner
• You can manage cookie preferences at any time through your browser settings or our consent management platform

11.3 Third-Party Cookies

Our Website may include content from third parties (e.g., embedded videos, social media widgets) that may deploy their own cookies. We recommend reviewing those third parties' privacy policies for information about their cookie practices.

11.4 Managing Cookies

You can disable cookies through your browser settings or opt-out of specific tracking through:

• Cookie consent management interface on our Website
• Browser privacy settings (accept, reject, or delete cookies)
• Third-party opt-out mechanisms (e.g., Google Analytics Opt-Out Browser Add-on)

Please note that disabling certain cookies may affect Website functionality.

12. Children's Privacy

Our Website and services are not directed to individuals under the age of 16 (or the legal age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.

If we become aware that personal data from a child under 16 has been collected without appropriate parental consent, we will delete such data and take appropriate measures to ensure compliance with GDPR Article 8.

Parents or guardians who believe their child's information has been collected should contact us immediately using the contact details in Section 9.

13. Third-Party Links and Services

Our Website may contain links to third-party websites, applications, and services that are not operated by Traceability Trade SL. This Privacy Policy applies only to personal data collected through ttrade.global.

We are not responsible for the privacy practices of third-party sites. We encourage you to review the privacy policies of any linked websites or services before providing personal information.

14. Changes to This Privacy Policy

Traceability Trade SL may update this Privacy Policy periodically to reflect changes in our data practices, technological advancements, or to comply with regulatory changes.

14.1 Notification of Changes

• Material changes will be announced through prominent notices on our Website or via email to registered users
• We will obtain your consent for changes that materially alter our use or sharing of personal data, as required by law

14.2 Continued Use

Continued use of our Website or services following notification of changes constitutes your acceptance of the updated Privacy Policy.

14.3 Current Version

Always review the "Last updated" date at the top of this policy to identify the most current version.

15. Contact Information and Supervisory Authority

For questions, concerns, or to exercise your data subject rights, please contact:

Spanish Data Protection Authority (AEPD):
If you are not satisfied with our response or believe your rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Authority:

Calle Jorge Juan, 6
28001 Madrid, Spain
Phone: +34 91 266 35 00
Website: www.aepd.es

Additional Supervisory Authorities: You may also lodge a complaint with your local data protection authority if you reside in a different EU member state.

16. Data Accuracy and User Responsibility

16.1 Data Accuracy

You guarantee that all personal information you provide to Traceability Trade SL is true, accurate, complete, and current. You are responsible for:

• Ensuring that any data about yourself, your organization, or third parties is accurate and not misleading
• Updating your information promptly when changes occur
• Notifying us of any inaccuracies or changes through your account settings or by contacting us

16.2 Third-Party Data

If you provide personal data belonging to third parties (such as suppliers, customers, or employees), you:

• Have obtained their explicit consent to provide their data to Traceability Trade SL
• Have informed them of the content and purpose of this Privacy Policy
• Assume full responsibility for compliance with applicable data protection laws
• Indemnify Traceability Trade SL against any claims, damages, or liabilities arising from your unauthorized disclosure of third-party data

16.3 Blockchain and Supply Chain Data

Data you or your partners upload to our blockchain ledgers or supply chain tracking systems becomes immutable. Ensure accuracy before submission, as blockchain records cannot be retroactively altered. Once recorded, such data may be visible to authorized network participants.

17. Personal Data and Intellectual Property Rights

17.1 User-Hosted Content

In cases where you upload files, documents, or product data to our hosted services (including blockchain ledgers, digital twins, and supply chain records):

• Traceability Trade SL is not responsible for your failure to comply with GDPR or other data protection regulations
• You retain full responsibility for ensuring that any hosted content complies with applicable laws
• You are responsible for protecting any intellectual property rights contained in hosted content

17.2 Data Processing Responsibility

When using our services as a platform or processor, you (as the data controller for your supply chain data) remain responsible for:

• Obtaining necessary consents from individuals whose data you submit
• Complying with GDPR and other applicable data protection laws
• Managing your own data retention and deletion policies
• Responding to data subject rights requests regarding your data

17.3 Data Processing Agreement

For clients processing large volumes of personal data or sensitive categories of data, we offer separate Data Processing Agreements (DPAs) that detail processor obligations under Article 28 of the GDPR. Please contact us for DPA terms.

18. Specific Provisions for Blockchain and Immutable Records

18.1 Blockchain Immutability

Product lifecycle data, supply chain records, and sustainability metrics recorded on our blockchain-based ledgers are designed to be immutable and transparent. This means:

• Once data is recorded on the blockchain, it cannot be deleted or modified
• Such data may be visible to authorized network participants
• Erasure requests cannot be fulfilled for immutable blockchain records; instead, we may delist records or flag them as subject to a deletion request

18.2 Right to Be Forgotten and Blockchain Records

For data stored on blockchain ledgers, the right to erasure may be limited by the technical architecture of distributed ledgers. Where erasure is impossible:

• We will disconnect your account from the immutable record
• We may delist or archive records to make them less accessible
• We will inform you of the specific technical limitations

18.3 Supply Chain Transparency

Be aware that when you or your partners submit product lifecycle data to our platform, such data may be shared with:

• Your authorized supply chain partners
• End customers accessing your Digital Product Passport
• Regulatory authorities if legally required
• Blockchain network participants if on a permissioned or semi-public ledger

19. Legitimate Interests Assessment

For processing activities based on Traceability Trade SL's legitimate interests (Article 6(1)(f)), we have conducted a Legitimate Interests Assessment (LIA) balancing our interests against your fundamental rights and freedoms.

19.1 Fraud Prevention and Security

• Our Interest: Protecting the integrity of our platform, preventing unauthorized access, detecting and preventing fraud
• Impact on You: Minimal; security measures protect your data and the platform's functionality
• Balance: Legitimate interest outweighs potential impact; proportionate and necessary

19.2 Platform Optimization and Analytics

• Our Interest: Improving service quality, understanding user behavior, optimizing features
• Impact on You: Behavioral analysis may infer preferences; data is primarily aggregated and anonymized
• Balance: Legitimate interest outweighs potential impact; user can object to non-essential analytics

19.3 Business Administration

• Our Interest: Managing accounts, processing payments, maintaining records, compliance
• Impact on You: Necessary for service delivery; limited to essential business operations
• Balance: Legitimate interest is proportionate and necessary for service operation

Full Legitimate Interests Assessments are available upon request.

20. Marketing Communications and Preferences

20.1 Commercial Communications

In accordance with Spain's Law on Information Society Services (LSSI) and GDPR requirements:

• We will not send unsolicited marketing emails or commercial communications unless you have explicitly consented or have a prior business relationship with us
• For existing clients, we may send communications about services similar to those already contracted without additional consent (soft opt-in)

20.2 Opt-Out Mechanism

You can unsubscribe from marketing communications at any time by:

• Clicking the "Unsubscribe" link in any email communication
• Logging into your account and modifying communication preferences
• Sending an opt-out request to protecciondatos@ttrade.global

20.3 Transactional Communications

Regardless of marketing preferences, we will continue to send necessary transactional emails (account updates, technical notifications, payment confirmations, support responses) as these are essential for service delivery.

21. Data Retention and Deletion

21.1 Retention Schedule

See Section 5 for detailed retention periods by data category. After the applicable retention period:

• Data is automatically deleted or securely destroyed
• Blockchain-based records remain immutable but may be delisted or archived
• Anonymized and aggregated data may be retained indefinitely

21.2 Backup and Recovery

• We maintain secure backup systems to ensure data recovery in case of loss
• Deleted data may persist in backups for an additional period (typically 30-90 days)
• Backup deletion follows the same retention schedule as primary data

21.3 User Deletion Requests

For deletion of account and associated personal data:

• Submit a request via protecciondatos@ttrade.global or through your account settings
• We will delete personal data within 30 days unless legal obligations require retention
• Blockchain records cannot be deleted but will be disconnected from your account

22. GDPR Compliance Statement

Traceability Trade SL is committed to full compliance with the General Data Protection Regulation (EU 2016/679) and Spanish Organic Law 3/2018 (LOPDGDD).

22.1 Principles

We process personal data in accordance with the GDPR core principles:

• Lawfulness, fairness, and transparency: Clear legal basis and open communication
• Purpose limitation: Data used only for stated purposes
• Data minimization: Collecting only necessary information
• Accuracy: Maintaining accurate, current records
• Storage limitation: Retaining data only as long as needed
• Integrity and confidentiality: Protecting data against unauthorized access
• Accountability: Documenting processing activities and demonstrating compliance

22.2 Data Protection by Design

Our platform incorporates data protection principles from the design stage, including privacy-preserving defaults, minimal data collection, and security-by-default configurations.

22.3 Data Impact Assessments

For high-risk processing activities (such as large-scale blockchain deployments or IoT data collection), we conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 of the GDPR.

23. Final Provisions

23.1 Governing Law

This Privacy Policy is governed by Spanish law and the laws of the European Union. Any disputes arising from this policy shall be subject to the jurisdiction of the courts of Madrid, Spain, in accordance with GDPR provisions.

23.2 Severability

If any provision of this Privacy Policy is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

23.3 Entire Agreement

This Privacy Policy constitutes the entire agreement between you and Traceability Trade SL regarding the processing of personal data. It supersedes all prior communications and understandings.

23.4 Translation

This Privacy Policy is available in English and Spanish. In case of discrepancies between versions, the English version shall prevail, unless Spanish law requires the Spanish version to apply.

24. Acknowledgment and Acceptance

By accessing and using ttrade.global, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our Website and services immediately.

This Privacy Policy was last updated in January 2026 and is effective immediately.