Privacy Policy

• Account registration information: name, work email address, organization name, job title, and password.
• Contact and inquiry information: information submitted through our "Request Demo" form, contact forms, or email correspondence, including your name, email, phone number, and the content of your message.
• Payment information: billing address, payment method details (processed by our PCI-DSS-compliant payment processors; we do not store raw card numbers).
• Communications: records of your correspondence with us, including support tickets, feedback, and survey responses.
• Professional credentials: for clinician-facing features, professional license numbers and verification data you submit.

When you access our Site or Services, we automatically collect certain technical information through cookies, web beacons, and similar technologies:

• Log data: IP address, browser type and version, operating system, referral URLs, pages viewed, time and date of visits, and clickstream data.
• Device information: device identifiers, hardware model, operating system version, and mobile network information.
• Usage data: features accessed, actions taken within the platform, session duration, and performance telemetry.
• Location data: approximate geographic location derived from IP address (city/region level; we do not collect precise GPS coordinates from website visitors).

• Integration data: when you connect third-party electronic health record (EHR) systems or data sources to our platform, we receive data according to the permissions you configure.
• Identity providers: if you authenticate via single sign-on (SSO) through a third-party identity provider, we receive the profile information you authorize that provider to share.
• Business partners: information from our resellers, implementation partners, or referral sources in connection with your relationship with them.
• Publicly available data: information available in public professional databases (e.g., NPI registry) for credential verification purposes.

Curely AI processes PHI solely as a Business Associate on behalf of covered entities and other business associates pursuant to a signed BAA. See the HIPAA & PHI section for full details on how PHI is handled.

• Delivering, operating, and maintaining the Curely AI platform and its features.
• Processing transactions and managing your account.
• Providing customer support and responding to your inquiries.
• Training, evaluating, and improving our AI models and platform features — using only de-identified, aggregated, or synthetic data unless you have provided separate written consent for identifiable data use.
• Developing new products, features, and services.
• Monitoring platform performance, security, and infrastructure stability.

• Sending transactional communications such as account confirmations, password resets, billing receipts, and service notifications.
• Sending product updates, release notes, and security advisories relevant to your use of the Services.
• Sending marketing communications about our products and services (you may opt out at any time; see the Your Rights section).
• Responding to your requests, inquiries, and feedback.

• Complying with applicable laws, regulations, legal process, and governmental requests.
• Enforcing our Terms of Service and other agreements.
• Detecting, investigating, and preventing fraud, abuse, security incidents, and other harmful or illegal activity.
• Protecting the rights, property, and safety of Curely AI, our customers, and the public.

• Analyzing usage patterns to understand how our Services are used and to guide product development.
• Conducting internal research and publishing aggregate insights about healthcare AI trends (no individual-level data is included in publications).

We engage trusted third-party vendors to perform functions on our behalf, including cloud hosting, payment processing, email delivery, analytics, customer support tooling, and security auditing. These vendors are contractually bound to use your information only as directed by us and may not use it for their own purposes.

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

We may disclose your information if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation or enforceable governmental request; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing; or (d) protect the safety of our users or the public.

We may share your information with third parties for purposes not covered by this policy when we have your explicit consent to do so.

We may share aggregated or de-identified data — which cannot reasonably be used to identify you — with partners, researchers, or in publications. This data is not subject to the restrictions in this policy.

PHI includes any individually identifiable health information created, received, maintained, or transmitted by our platform on behalf of a covered entity, including: patient names, dates of service, diagnoses, treatment information, clinical notes, lab results, imaging data, and any other data that could identify a patient.

• PHI is processed only as directed by the covered entity customer and only for permitted purposes under the BAA and HIPAA.
• PHI is stored in dedicated, logically isolated environments with encryption at rest (AES-256) and in transit (TLS 1.3).
• Access to PHI is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls and audit logging.
• PHI is not used to train general-purpose AI models without explicit written authorization and appropriate de-identification.
• We maintain breach notification procedures consistent with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414).
• Upon termination of a BAA, PHI is returned to the covered entity or securely destroyed in accordance with the agreement.

We implement and maintain administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), including workforce training, access management, audit controls, and transmission security. Our compliance posture is reviewed annually by an independent third party.

Individual patients whose PHI is processed by Curely AI on behalf of a covered entity must exercise their HIPAA rights (access, amendment, accounting of disclosures, etc.) directly with the covered entity, which is the relevant Covered Entity for HIPAA purposes. Curely AI will cooperate with covered entities to facilitate patients' HIPAA rights as required by our BAA.

• Encryption at rest using AES-256 for all stored data, including database fields, file storage, and backups.
• Encryption in transit using TLS 1.3 for all data transmitted between clients and our infrastructure.
• Multi-factor authentication (MFA) enforced for all employee access to production systems.
• Network segmentation and zero-trust architecture limiting lateral movement within our infrastructure.
• Intrusion detection and prevention systems (IDS/IPS) monitoring network traffic in real time.
• Automated vulnerability scanning and penetration testing conducted quarterly by independent security firms.
• Immutable audit logs for all access to sensitive data, retained for a minimum of 7 years.

• Annual security awareness training for all employees and contractors with access to customer data.
• Background checks for all employees with access to PHI or sensitive customer data.
• Formal vendor risk management program evaluating the security posture of all sub-processors.
• Incident response plan with defined response times, escalation procedures, and customer notification protocols.
• SOC 2 Type II audit conducted annually; reports available to customers under NDA upon request.

While we implement robust security measures, security is a shared responsibility. You are responsible for maintaining the confidentiality of your account credentials, configuring appropriate access controls within your organization, and promptly notifying us of any suspected unauthorized access to your account.

• Right to access: request a copy of the personal information we hold about you.
• Right to correction: request correction of inaccurate or incomplete personal information.
• Right to deletion: request deletion of your personal information, subject to legal retention requirements.
• Right to opt out of marketing: unsubscribe from marketing communications at any time using the unsubscribe link in any email or by contacting us at privacy@curely.ai.
• Right to data portability: request your personal information in a structured, machine-readable format.

• Right to object: object to processing of your personal data for direct marketing or legitimate interests.
• Right to restrict processing: request restriction of processing under certain circumstances.
• Right to withdraw consent: where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: file a complaint with your local supervisory authority (e.g., your national Data Protection Authority).

• Right to know: request disclosure of the categories and specific pieces of personal information collected, sold, or disclosed about you in the past 12 months.
• Right to opt out of sale or sharing: we do not sell personal information; however, you may submit a request via our Do Not Sell My Personal Information link.
• Right to limit sensitive personal information: request that we limit our use and disclosure of sensitive personal information to purposes permitted by CPRA.
• Right to non-discrimination: exercise your privacy rights without receiving discriminatory treatment.

Required for the Site and Services to function. These cannot be disabled. Examples: session authentication tokens, CSRF protection tokens, load balancer affinity cookies.

Help us understand how visitors interact with our Site. We use privacy-respecting analytics tools (configured with IP anonymization and without cross-site tracking). Data collected is aggregated and not used for ad targeting.

Remember your preferences and settings (e.g., language, timezone, UI preferences) to provide a more personalized experience.

We use limited first-party tracking to measure the effectiveness of our own marketing campaigns (e.g., conversion tracking for our "Request Demo" form). We do not place third-party advertising cookies or share browsing data with ad networks.