Privacy Policy

Understand how CuraeAI handles your information and protects your privacy.

CuraeAI Privacy Policy

Last updated: 2025-05-07

This Privacy Policy explains how CuraeAI Inc. ("CuraeAI", "we", "us", "our") collects, uses, discloses, and protects information about you when you use our applications, websites, and related services (collectively, the "Services").

By using the Services, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Services.


1. Who We Are & Contact

  • CuraeAI Inc., a Delaware corporation
  • Email (all jurisdictions): privacy@curaeai.com
  • EU/UK representative: Details available upon request at the email above

For HIPAA-related inquiries, see Section 11 (Privacy Notices & Your Rights) regarding Notice of Privacy Practices (NPP).


2. Scope

This Policy applies to personal data we process about users of our Services, including health-related information you provide or connect from external Electronic Health Record (EHR) systems and consumer health sources.


3. Information We Collect

We collect:

  • Account data: name, email, password (hashed), profile details
  • Health data: records imported or connected by you (e.g., from EHRs like Epic®, Cerner®, Apple Health®) and data you enter
  • Usage data: app interactions, device information, log data, IP address, diagnostics
  • Support communications: messages, attachments, metadata

We obtain data (a) directly from you, (b) from connected third-party sources at your direction, and (c) automatically via the Services.


4. How We Use Information

We use personal data to:

  • Provide, maintain, and improve the Services
  • Authenticate users, secure sessions, and prevent fraud/abuse
  • Import and unify health data at your direction
  • Provide insights, dashboards, sharing tools, and related features
  • Communicate with you about your account and product updates
  • Comply with legal obligations and enforce terms

We do not sell personal data. We do not use health data for marketing without your explicit consent where required by law.


5. Legal Bases (EEA/UK)

Where GDPR/UK GDPR applies, our legal bases include: consent, contract performance, legal obligation, and legitimate interests (e.g., security, fraud prevention, product improvement) balanced with your rights and expectations. For special categories (e.g., health data), we rely on your explicit consent and/or other permitted bases under applicable law.


6. Sharing & Disclosure

We may disclose data to:

  • Service providers under contract (e.g., hosting, analytics, security) with appropriate safeguards
  • EHR networks or third-party APIs at your explicit direction to import or share data
  • Professional advisors and authorities where legally required
  • Successors in the event of corporate transactions, subject to this Policy

We do not share personal data with advertisers for targeted advertising.


7. Data Retention

We retain personal data as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. You may request deletion subject to legal/technical constraints.


8. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, access controls, and monitoring. No system can be guaranteed 100% secure; we maintain incident response processes consistent with applicable law.


9. International Transfers

Where data is transferred internationally, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) for the EEA and the UK International Data Transfer Agreement/SCC Addendum, and where applicable, participation by recipients in recognized frameworks.


10. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or port your data, and to object or withdraw consent. To exercise rights, contact privacy@curaeai.com. We will respond within the timeframes required by law.


11. Privacy Notices & Your Rights (HIPAA & Minors)

  • HIPAA Notice of Privacy Practices (NPP): Incorporated by reference. For applicable Services, we act as a HIPAA covered entity or business associate as defined by law.
  • Minors: Parent/guardian accounts and proxy access may be available; functionality and visibility may change as a child reaches certain ages to comply with applicable laws.

12. Cookies & Similar Technologies

We use cookies and similar technologies for authentication, preferences, analytics, and security. You can control cookies through your browser settings, with the understanding that some features may not function properly if cookies are disabled.


13. Third-Party Links

The Services may contain links to third-party websites or services. We are not responsible for their content or privacy practices. Review their policies before providing data.


14. Changes to This Policy

We may update this Policy to reflect changes in our practices, technologies, or legal requirements. We will indicate the date of the latest update and, where required, provide prominent notice or obtain consent.


15. Contact Us

If you have unresolved concerns, you may have the right to lodge a complaint with your local supervisory authority.