Trust Annexes

Regulatory Annexes

This library translates the trust program into document-specific annexes for privacy, terms, and cookie governance. Use it when you need a more operational, market-by-market view than the broader Regulatory Atlas.

Live legal baseline0 sectionsRights routing activeDocs-ready presentation
Last updated May 31, 2026
Page structure
Hero briefing
Scope, applicability, and status markers
Live surface
Interactive controls, forms, or datasets below
Support docs
Related policies, packs, and trust materials
Related docs
Docs Center
Core policies and rights flows
Privacy Request Center
Access, delete, export
Regulatory Packs
Counsel and diligence view
Vendor Register
Processor and DPA posture
Recommended use

This is the best place to fill the space: not decorative noise, but a useful orientation layer. It gives readers page structure, supporting docs, and a quick sense of what to do next before they reach the live form, pack, or data surface below.

Recommended filler pattern
  • Quick actions or entry points
  • Support response timing or scope note
  • Cross-links to the most relevant trust materials
Open primary docOpen support path

Need the broader law map first?

The Regulatory Atlas gives the cross-framework view. These annexes go one layer deeper by tying individual legal families back to privacy, terms, and cookie documents that users and customers actually read.

Open Regulatory Atlas
Annex families

Regulatory annex library

This library turns the trust program into policy-specific annexes, not just a single summary page. Choose the legal document family you want to inspect, then select the market or regime inside it.

Annex families
3
Regional overlays
23
Base documents
3
Corporate site, Lucid legal surfaces, and shared rights workflow

Privacy annexes

Law-by-law privacy overlays for the corporate site and Lucid notices, covering rights handling, disclosure posture, retention framing, transfer expectations, and sectoral guardrails.

Base documents
Corporate privacy policyLucid privacy noticePrivacy request center
Annex interpretation note

Each annex family inherits the live baseline documents listed here and then layers in jurisdiction-specific obligations. Reviewers should read the supplement cards as controlled deltas, not as disconnected replacement policies.

Regional deltas

Regional privacy supplements

These supplements summarize how the published privacy baseline is intended to map to specific regional laws. They complement the main policy, preserve mandatory local rights, and clarify response timing, complaint routes, verification expectations, and consent posture where those details matter to the user.

Regions
13
Active cards
3
Official sources
16
EEA, UK, and similar European regimes

GDPR

The privacy baseline is written to disclose controller identity, purposes, legal bases, recipients, transfers, retention, rights, and complaint paths in a GDPR-style format.

Official references
GDPR official textEuropean Commission guidance
Interpretation note

Each card below is written as an operational supplement to the baseline document family, not as a standalone contract. It highlights where timing, appeal rights, complaint routes, or consent posture need to diverge by jurisdiction.

01
Regional supplement

Core rights

  • Access, rectification, erasure, restriction, objection, portability, and consent withdrawal routes are preserved where applicable.
  • A rights request can be submitted through the Privacy Request Center or by email to privacy-requests@imagine-tech.org.
  • We disclose transfer safeguards, retention categories, and complaint escalation expectations in the main notice.
  • Where verification is required, it should be proportionate to the request and should not collect more identity data than is reasonably necessary.
02
Regional supplement

Cookie and consent position

  • Non-essential cookies and trackers are intended to remain behind prior consent on covered surfaces.
  • Consent can be refused or withdrawn without losing access to strictly necessary functions.
  • A supported Global Privacy Control signal is treated as a restrictive browser-layer baseline on the covered repository surfaces until the user makes an explicit site-specific choice.
  • Where product-specific analytics or ad-tech changes the scope, the notice and controls should be refreshed before activation.
03
Regional supplement

Response timing

  • Requests are generally handled within one month.
  • Where complexity or volume justifies it, the period may be extended by up to two additional months with notice.
  • Users may also complain to a supervisory authority in their habitual residence, place of work, or place of the alleged infringement where the law provides that route.