Privacy and Cookie Policy

CuraMi takes care of not only your health but also your privacy. We know how sensitive the data you entrust to us is: that's why we handle it with the utmost care, security, and responsibility. This policy helps you understand what data we collect, why we do it, and how you can control it. Our goal is to offer you a transparent, ethical service built around what truly matters: your well-being.

Index

  1. Introduction
  2. Who it applies to
  3. Purpose of the policy
  4. General information for all users
  5. Specific information for end users
  6. Specific provisions applicable to professionals
  7. Specific provisions applicable to visitors
  8. Cookies and other similar technologies
  9. Data processing by Stripe

1. Introduction

Protecting your privacy and the security of your personal data is a priority for CuraMi (the "Company").

This policy on the processing of personal data and cookies ("Policy") applies to the processing of your personal data that occurs on this website ("Site").

We invite you to carefully read this Policy and the Terms of Service before using any of the Services or opening an account on the Site.


2. Who it applies to

This Policy applies to any individual who uses the Site and any of the Services. For the purposes of this document:

  • End User: any person who registers or uses the Site for the purpose of making bookings with Professionals or providing reviews about Professionals
  • Patient: a person who has made one or more bookings with a Professional through the Site
  • Professional: any Nurse and Nursing Clinic that has an Account
  • User: depending on the context, an End User, a Professional, a Visitor or, where applicable, a Patient
  • Visitor: any individual who browses the Site but does not have an Account and does not use the Services

The nature of the personal data we collect and use, as well as the purposes of the processing and the related legal bases on which the processing is founded, depends on the type of User.


3. PURPOSE OF THE POLICY

The main purpose of this Policy is to provide comprehensive information on how we collect, use, store, disclose, and process Users' personal data when we act as a Data Controller ("Controller"). The Controller is the entity that determines the purposes and means of the processing of personal data. In other words, the Company is a Controller when it decides what to use your personal data for and how to do it. On the other hand, Professionals also process personal data as a Controller, particularly when they process their patients' data. In these cases, CuraMi acts as a Data Processor. This means that it is the Professionals who determine the purposes and methods of processing personal data, while the Processor carries out processing operations on behalf of the Professional and following their instructions. This Policy primarily focuses on our role as a Controller. However, we also provide general information about our role as a Processor. The Professional is required to explain to the End User how they process their data as a Controller. It is therefore important that when you contact or interact with a Professional, you read their personal data processing policy. The information provided in this Policy does not replace the information provided by the Professionals.

The Data Controller decides the purposes (what for) and the means (how) used to process your personal data.

The Data Processor follows the instructions of the Data Controller. When we act as a data processor for health professionals, we simply follow their instructions.

Booking an appointment with a professional. If you schedule a service with a professional through our website, CuraMi acts as the Data Controller. In these cases, a copy of your data is sent to the health professional, who in turn becomes an independent Data Controller. For this copy of the data, CuraMi acts only as a Data Processor. As a Data Controller, the health professional decides what to do with your personal data, including sending communications through CuraMi's systems. CuraMi does not participate in the decisions of health professionals and cannot delete this personal data, unless requested by the health professional.

Writing reviews about Professionals. CuraMi is the Data Controller when you write reviews that are published on our website regarding our Professionals.


4. General information for all users

4.1. Origin of data

All personal data is collected at the time of Account creation. The Site also collects data automatically when Visitors browse the Site, through tracking technologies (such as, for example, cookies). To learn more about cookies and other tracking technologies we use, go to section 8.

4.2. Identity of the Data Controllers

CuraMi is a company committed to the digital health sector. In order to provide you with the Services, CuraMi acts as a Data Controller for personal data. The details are provided below.

Independent Data Controller: CuraMi, tax code STRPTR89R04M052X and VAT number 04204710133, with registered office in Calolziocorte (LC) via Don Minzoni 6H, 23801, acts as an independent Data Controller of your personal data for the purposes of managing the contractual relationship, managing requests and complaints, responding to data subject requests, and managing the flow of reviews published by End Users and the ordinary management of the relationship with Users.

If you wish to obtain more information about the specific purposes for which the Company processes your personal data, please contact us using the contact details available in the "Contacts" section below.

4.3 How we protect your data

We take the protection of your data very seriously. We adopt appropriate technical and organizational security measures to protect your personal data from, among other things, unauthorized access. We follow industry-accepted standards to protect the personal information you provide to us, both during transmission and after receipt: for example, regular platform security testing, segmentation and control of data access within the organization, and the use of pseudonymization, anonymization, or encryption techniques.

Unfortunately, the transmission of information via the Internet (including email) is not always completely secure. Therefore, when using our applications, you should only use a secure Internet connection and always maintain the security of your device. Once we have received the User's information, we use strict procedures and appropriate security features to prevent any unauthorized access or sharing. Regarding health data, we apply additional protection measures such as, for example, different levels of encryption or pseudonymization techniques.

4.4 Sharing data with third parties

We may share your personal data:

  • With Professionals: whenever you make a booking and whenever you decide to share information with them
  • Cloud hosting and server maintenance service providers
  • Telephone, video conferencing, or digital communication tool providers
  • Content providers
  • Survey tools
  • Social media providers
  • Customer service tool providers
  • Call centers
  • Consultants or auditors
  • Payment service providers, banks, credit recovery and fraud prevention agencies
  • Insurance companies
  • IT companies that provide us with software, information security, or similar services
  • Courts, law enforcement, and other public authorities: to comply with legal or regulatory requirements whenever we receive a legitimate request
  • Other companies: in the event of a merger, acquisition, or investment in such a business entity, or in the event of a corporate reorganization

The third parties mentioned in this section may act, depending on the case, as Processors or as independent Controllers. When they act as data processors, we ensure that we enter into a data processing agreement as required by Article 28 of the GDPR and the requirements of local regulations.

If you are an End User, we will share your data with the Professionals with whom you have booked an appointment, as Data Controllers, as explained in section 5.

4.5 Your rights regarding personal data protection

The User can exercise their rights (access, rectification, erasure, restriction, portability, and objection) at any time by writing to the email address info@curami.app.

When possible, CuraMi offers simplified digital tools for the autonomous management of personal data, accessible directly from the User's reserved area. The platform commits to responding to every request within 30 days of receipt, in compliance with the obligations provided for by the European Regulation.

  • right to be informed about the processing of your personal data (e.g., the purposes of the processing, the type of personal data processed, to which recipients it is communicated, the retention periods, if international data transfers are made). Remember that Professionals are required to provide a separate notice when they process your data as Data Controllers;
  • right of access to your personal data processed by the Company;
  • right to erasure of your personal data, except in cases where there is a legal obligation or our legitimate interest for their retention;
  • right to rectify your personal data if it is not accurate, complete, or correct. You can rectify this information yourself or ask us to do it. Following your request, we will rectify the personal information in our possession;
  • right to object to, and therefore to restrict, the processing of your data by us;
  • right to withdraw previously given consent. We may not be able to provide certain Services from the moment your consent is withdrawn;
  • right to request the "portability" of your data stored by us, in digital format. This means receiving your personal data in a structured, commonly used, and machine-readable format, to transfer it to another data controller, or to have such a transfer made directly, if this is technically feasible;
  • right to lodge a complaint with the Data Protection Authority.

We reserve the right to charge a reasonable fee if your requests are manifestly unfounded or excessively burdensome (e.g., due to the repetitive nature of the request, because the request involves an additional commitment, an additional cost, or because it involves a time-consuming activity that goes beyond what is required by personal data processing regulations).

We will always respect our legal obligations regarding your rights. We commit to responding to you within a reasonable time and, in any case, within 30 days of your request (or another period that we will communicate to you promptly in case of complex or numerous requests).

To protect your privacy from unauthorized access, we reserve the right to verify your identity (only if we have reasonable doubts about it).

4.6 Legal basis for processing

You are not required to provide personal data if you do not want to. However, to open an Account and to use the Services, it is necessary for you to provide us with some personal data.

If you do not provide us with the data necessary to provide the requested Services, or if you object to such data processing, we may not be able to provide the Services (or we may only be able to provide them partially).

The purposes of the processing and the related legal bases are indicated in sections 5 and 6.

For some activities, we process your personal data on the basis of our legitimate interest. When this happens, we conduct a balancing test to ensure that your fundamental rights are not harmed or put at risk by the exercise of our legitimate interest. You can always contact us to object to our processing that is based on legitimate interest (see section 4.5).

4.7 Automated decision-making and profiling

We do not process personal data that involves decisions based entirely and solely on the automated processing of your personal data. We do not use fully automated decision-making processes based on your personal data that produce legal effects or similarly significantly affect you.

4.8 Contacts

We have set up the following point of contact to allow you to exercise your rights and send us questions: info@curami.app

4.9 DPO contact details

You can contact our Data Protection Officer ("DPO") by sending an email to info@curami.app

You have the right to file a complaint with our DPO. In that case, we will do our best to provide you with a timely response. You also have the right to file a complaint with the Data Protection Authority, if you believe that we are processing your personal data in a manner that does not comply with the law.

4.10 Links to other websites

The Site may contain links to other sites, applications, or platforms, including through "social" buttons. Although we make every effort to ensure that these links are always to sites, apps, or platforms that share our high standards regarding privacy, we are not responsible for the content, security, or policies and/or notices regarding the privacy of other websites. Furthermore, a link on our Site or App does not constitute an endorsement of the destination site of the link.

If you are transferred to another site, app, or platform, you must comply with the terms of service of that third party (including its privacy policy and related practices). We encourage you to review the terms of service, policies, and/or privacy notices of such third parties before sharing your personal information with them.


5. SPECIFIC INFORMATION FOR END USERS

We retain your personal data for as long as necessary for the purposes indicated in this Policy or to comply with the legal and contractual obligations to which we are subject.

The retention period of your data varies depending on the type of data and the purposes for which we process it. We may change these retention periods by updating this policy.

The retention periods indicated below apply to data processed by the Company as a Controller; they do not apply to data processed by Professionals as independent data controllers. This is because health regulations provide for specific retention obligations for Professionals (i.e., periods during which they must retain your personal data, including health data). Regarding data processed by Professionals using our systems, we follow the instructions of the Professionals themselves. For operational reasons, we may also define predetermined retention periods. However, it is the Professional's obligation to ensure they retain your data for as long as necessary (within or outside our platform).

To learn more about the retention periods applied by Professionals, you will need to contact them directly. The following table shows the retention periods that the Company applies as a Data Controller:

NOTE: If you do not access your Account, nor use the Site, for 3 years, we will consider your Account as inactive ("Inactive") and will delete your personal data, unless you provide contrary instructions. The data indicated in the table below will be deleted after 3 years from the last access, unless a shorter retention period is indicated, as per the following table, or a longer one, in case of complaints or legal proceedings.

PURPOSE, WHAT DATA WE PROCESS, LEGAL BASIS, RETENTION PERIOD

Account creation and management: We obtain your personal data directly from you when you register on the Site. Additionally, you can register using Google. In this case, you will be asked to allow these third-party providers to share some of your personal information with us. When you register, you accept our Terms of Service and, therefore, establish a contractual relationship with us governed by those terms. We process your name, surname, email address, and phone number. We will also process your gender, IP address, user ID, login data, your consents, the features or functionalities you have used, and the permissions or objections you have communicated to us. The legal basis is that the processing of personal data is necessary to provide you with the Services. We will keep this data for as long as your Account is active. If you delete your Account, or if you ask us to delete your data, we will keep it for a period of 3 years, for the purpose of fulfilling our legal obligations and to defend ourselves against any claims.

Booking appointments with Professionals: When you book an appointment on the Site, we process your data for the purpose of allowing you to make the booking. You can also check your appointment history and manage your Account (including automatic notifications). We process identification data, the date and time of the appointment, type of intervention, health insurance, IP address, user ID, and profile picture or video (if you decide to upload them). We also process your location (only if you allow us to use it). This allows us to show you the professionals closest to you. It is always possible to disable location information directly on your device. If you decide to save them in your account, we process allergies, current and past treatments, and medications taken. We also process any other information about your health you wish to add, and your tax code. When you book an appointment, we need to process health data: for health data, we base the processing on your consent (see section 4.7). We will keep this data for as long as your Account is active. If you delete your Account, or if you ask us to delete your data, we will keep it for a period of 3 years, for the purpose of fulfilling our legal obligations and to defend ourselves against any claims.

Sending appointment booking data to the Professional: When you book an appointment through our platform, we save this data and communicate it to the Professional. Once your personal data has been sent to the Professional, the latter is an independent data controller and will process the data according to their own purposes. This processing will be governed by the Professional's personal data processing notice. The data processed is the same as the previous point. The legal basis is that the processing of personal data is necessary to provide you with the Services. Professionals are independent controllers of this personal data and process it on the basis of their own data processing notice, of which they should provide you with a copy. We invite you to ask Professionals for a copy of their personal data processing notice. We will keep this data for as long as your Account is active. If you delete your account, if you ask us to delete your data, or if your account becomes inactive, we will begin the deletion process. However, please note that, due to technical complexities, the deletion process may take some time and your data may not be deleted immediately.

Submitting a review about your experience with a Professional: Submitting a review about your experience with a Professional is optional. If you do, we process your data to ensure that the review complies with our Terms of Service and our guidelines. We invite you not to include personal data that would allow your identification, nor any other private or sensitive information. Remember that the review will be visible to all Users of the Site. We process your identification data, the content of the review, and the reason for the visit. We process personal data on the basis of your consent or, if you request that the review be deleted, we will keep the review by deleting your personal data, on the basis of our legitimate interest. The reviews you submit, published on our Platform, will not be deleted unless you expressly request it. In this case, we will keep the review by deleting your personal data, so that it is not possible to recognize the author. We carry out this activity on the basis of our legitimate interest in publishing reviews on the Site and you can object at any time to such processing. Furthermore, a review will be deleted if a public authority requests it, or if the review does not comply with our guidelines or the law.

In addition to the data provided directly, CuraMi may collect browsing information via technical cookies and tracking tools (e.g., pixels, tracking tags, analytics tools), for the purpose of improving the platform's functionality and understanding the use of services in an aggregated way.

Some personal data may be kept even after the deletion of the account, for the time strictly necessary to:

  • comply with legal or tax obligations,
  • manage any disputes, complaints, or controversies,
  • protect the rights of CuraMi in or out of court.

Such data will in any case be processed in compliance with the principles of minimization and security.

5.2 Creating an Account or making a booking on behalf of third parties

An End User may make a booking and/or create an Account in the name and on behalf of a third person (generally, a minor under the guardianship or supervision of the End User, or a relative, hereinafter the "Beneficiary") provided that the End User has been previously expressly authorized by the Beneficiary; or is legally authorized to act on behalf of the Beneficiary.

In these cases, the End User may make a booking and/or create an Account only if they have a valid basis for transmitting the Beneficiary's personal data (including contact details) to the Company and the Professionals, and undertakes to provide accurate, complete, and correct information about the Beneficiary.

By providing the Beneficiary's personal data, the End User declares to be legally authorized, or expressly authorized by the Beneficiary, to manage or transmit the data on their behalf.

If the End User, for any reason, loses the basis on which they dispose of the Beneficiary's data, they must immediately delete the Beneficiary's Account or contact the Company to transfer the Account to the Beneficiary or to an authorized third party.

5.3 Inclusion of third-party data in the End User's account

As an End User, you can decide to include in your profile personal data of your family members, including health data (for example, if such data is relevant to your clinical history) and, where applicable, share such data with Professionals. In these cases, it is necessary that you include such third-party personal data only if you have their consent; and include only the personal data strictly necessary to receive healthcare from the Professionals.

5.4 The role of CuraMi as a Data Processor

The Professional becomes an independent data controller of the End User's personal data when the latter makes a booking with the Professional within the Site; or in all other cases where the Professional receives the data from the User or from CuraMi, and processes it for their own purposes. In these cases, the End User becomes a Patient, which means that the Professional will decide how and for what purposes to process the End User's personal data. Therefore, CuraMi will have the role of Data Processor for the End User's personal data and will act only on the instructions of the Professional.

The methods of processing the Patient's data are established by the Professionals and governed by their privacy notice and any other related documents. Professionals should provide you with information on how your data is processed. We simply follow their instructions.


6. SPECIFIC PROVISIONS APPLICABLE TO PROFESSIONALS

If the User is a Professional using the Services, they have an Account, and therefore have established a contractual relationship with CuraMi, accepting our Terms of Service for the use of the Site and/or entering into a contract for the use of the Services.


7. SPECIFIC PROVISIONS APPLICABLE TO VISITORS

If you are a Visitor, we may process the following data about you:

  • information about the device used;
  • IP address (which will show your geolocation);
  • time zone and language;
  • the browser used;
  • information on how you interacted with our Site;
  • information on the date and time of access to the Site and the duration of the connection.

The processing of this data is necessary to access our Site and our services in a reliable and secure manner. This data is sent directly from your browser to our servers when you browse the Site. For security reasons, we also use this data to document access to our servers.

Although we do not process any personal data that directly identifies you, some of this data could indirectly identify you and, therefore, could be considered personal data. Some of this data may be collected through cookies or other similar technologies; we invite you to consult our cookie policy for more information.

If you want to exercise your rights, please refer to section 4.6.

We will keep your data for one year from the date of your last visit to the Site.


8. COOKIES AND OTHER SIMILAR TECHNOLOGIES

This section describes the information we collect through cookies and other similar technologies, how we use it, and why we sometimes need to store and retain these cookies. We also describe how to prevent these cookies from being stored, although in some cases this may reduce or interrupt some elements and functionalities of the Site.

There are also some cookies (so-called "necessary cookies") that are necessary to provide the Services and to ensure that these Services function correctly and do not interfere with the functions of the Site. These cookies cannot be refused and will always be installed if you use the Site. You will find more information below.

8.1 What are cookies

Cookies are small files that are downloaded to your computer or any other device you use to browse the Site. Almost all professional websites use cookies. Typically, a cookie includes the following information: the name of the website it comes from, how long the cookie will remain on your device, and a value (often a randomly generated unique number). Some cookies may include additional data, particularly relating to the time zone or language used when browsing websites.

When this policy refers to "cookies," it also means any other technology we may use, as described below.

8.2 What cookie-like technologies we use

In addition to actual cookies, we may also store information locally on your device or in session storage objects. These files are similar to cookies, as they are used to store small pieces of information on your device for the same purposes for which cookies are used.

We may also use so-called tracking pixels. These are small, often transparent, images downloaded to your device along with the rest of the Site's content. By downloading such images to your device, some inform