Privacy Policy
1. Introduction
At Cura Group Co., Ltd. ("Cura," "we," "us," or "our"), we recognize the importance of protecting your personal data. This Privacy Policy explains our practices regarding the collection, use, and disclosure of personal data in accordance with Thailand's Personal Data Protection Act (PDPA) and the European Union's General Data Protection Regulation (GDPR).
As part of our service, we provide the Cura platform application to qualified medical practitioners and other health professionals for managing patient care and clinical operations. We are committed to protecting your privacy and handling your information with transparency and care.
2. About Us
Cura Group Co., Ltd. is registered in Thailand, with our main office located at 18/407, Khlong Ton Sai, Khlong San, Bangkok, 10600. We serve as the data controller for personal information collected and processed through our platform and services.
You can contact us at any time about the way we handle and safeguard your information:
Data Controller: Cura Group Co., Ltd. Email: hi.curacorp@gmail.com Tel: 0817505473
Data Protection Officer: Chavisa Phukhaonak Email: chavisa@cura.so Tel: 0817505473
3. Core Privacy Principles
At Cura, we are committed to a privacy-first approach where we either:
Process only anonymous data, or
Ensure we do not have access to your sensitive data at all
Our platform is designed with a local-first architecture where your sensitive data, including clinical notes, patient records, and conversations, are stored locally on your device. We believe your data should remain under your control.
4. How We Handle Your Data
Local Storage and Processing
When you use Cura, most data is stored and processed locally on your device. This includes:
Clinical notes and documentation
Patient records
Conversation transcripts
Personal settings and preferences
Cloud Processing for Advanced Features
For certain features requiring advanced processing (like our AI-powered clinical documentation), we use a secure architecture where:
Data is sent directly from your device to our authorized service providers ([Fill out service provider names])
Processing occurs in secure environments
Cura does not have access to this data
Data is only processed to serve the immediate request
Service providers do not retain the data after processing
End-to-End Encryption
All data transmission between your device and our service providers is protected by end-to-end encryption. This means:
Only you can access your sensitive data
Neither Cura nor our service providers can access unencrypted sensitive data
Encryption keys remain under your control
5. What Information Do We Collect?
When you access and use our platform or other services, we collect and hold several categories of information. The collection of comprehensive data sets is crucial for enhancing user experience, optimizing service functionality, and ensuring robust security measures.
General Personal Information
We collect information that can identify you, such as your name, address, age or date of birth, gender, and contact details. For healthcare providers, we may also collect information relating to your qualifications, registrations, training, and educational background.
Health Information
As a healthcare platform, we may collect and process health information when healthcare providers use our services. This includes medical records, treatment information, and other health-related data. We handle this sensitive information with extra care and in accordance with applicable healthcare privacy laws.
Payment and Financial Information
To facilitate our services, we may collect information needed for payment processing and financial transactions. This includes credit card information, bank account details, and transaction records.
Device and Technical Information
When you use our platform, we automatically collect certain technical data including:
Device identifiers and type
IP address and location data
Browser type and version
Operating system information
Log data and usage statistics
6. How Do We Collect Your Information?
We collect information through several methods:
Direct Collection
When you interact with our platform, you provide information directly to us through:
Account registration and profile creation
Platform usage and feature interaction
Direct communications with us
Forms and surveys
Customer support interactions
Automated Collection
Our systems automatically collect certain information through:
Cookies and similar tracking technologies
Server logs and analytics tools
Application usage tracking
Third-Party Sources
In some cases, we may receive information about you from:
Healthcare institutions you work with
Professional certification bodies
Other authorized third parties
7. How Do We Use Your Information?
We use your personal information to provide and improve our services. Here's how we use different types of data:
Core Service Delivery
Your personal and professional information helps us provide our healthcare platform services, manage your account, and ensure proper access to features. We use this data to authenticate users, maintain security, and deliver the functionality you expect from our platform.
Service Improvement and Development
We analyze usage patterns and platform performance to enhance our services. This includes identifying areas for improvement, developing new features, and optimizing existing functionality. All analysis is conducted with appropriate privacy safeguards in place.
Communication and Support
We use your contact information to:
Send important service updates and notifications
Respond to your inquiries and support requests
Provide information about features and updates
Share relevant educational content and resources
Security and Compliance
Your information helps us maintain the security and integrity of our platform by:
Preventing unauthorized access and fraud
Verifying identity and credentials
Meeting regulatory requirements
Conducting security audits and monitoring
8. Data Security
We implement comprehensive security measures to protect your personal data, maintaining confidentiality, integrity, and availability. Our security framework includes:
Technical Safeguards
We employ industry-standard encryption for data in transit and at rest, maintain secure access controls, and regularly update our security infrastructure to protect against emerging threats.
Organizational Controls
Our team follows strict data handling procedures, undergoes regular security training, and operates under clear security policies. Access to personal data is limited to authorized personnel on a need-to-know basis.
Compliance Monitoring
We regularly assess our security measures through:
Security audits and penetration testing
Compliance reviews and certifications
Incident response planning and testing
Regular policy updates and improvements
9. Cookie Policy
We use cookies and similar tracking technologies to improve your experience on our platform. Cookies are small text files that websites place on your device to help the sites provide a better user experience.
Types of Cookies We Use
Essential Cookies: These cookies are necessary for the website to function properly. They enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.
Analytics Cookies: We use these cookies to help us understand how visitors engage with our website. They help us understand which pages are the most popular, how visitors move around the site, and whether they encounter any errors. This data helps us improve our services.
Functional Cookies: These cookies enable enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you reject these cookies, some or all of these services may not function properly.
Managing Cookies
Most web browsers allow you to control cookies through their settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.
10. International Data Transfers
Transfer Locations and Mechanisms
We transfer and store data in the following locations:
Primary data storage: [Fill out primary data center location]
Backup locations: [Fill out backup locations]
Third-party service providers: [Fill out locations of key service providers]
For transfers outside Thailand or the European Economic Area (EEA), we implement these safeguards:
EU-US and Other Transfers:
Standard Contractual Clauses (SCCs) approved by the European Commission
EU-US Data Privacy Framework compliance where applicable
Additional technical measures such as encryption and access controls
Adequacy Decisions: For transfers to: [Fill out countries covered by adequacy decisions] Based on: [Fill out relevant adequacy decisions]
Additional Safeguards:
End-to-end encryption for data in transit
Data minimization practices
Regular security assessments of recipients
EU Representative
For EU residents, our designated representative under GDPR Article 27 is: [Fill out EU representative details including:
Name of representative
Company
Address
Contact email
Phone number]
Supervisory Authority
EU residents have the right to lodge complaints with their local supervisory authority. The lead supervisory authority for Cura is: [Fill out lead supervisory authority details]
You may also contact Thailand's Personal Data Protection Committee (PDPC) at [Fill out PDPC contact details].
11. Automated Decision-Making and Profiling
Our platform may employ automated decision-making and profiling techniques in the following ways:
Types of Automated Processing
Clinical Decision Support:
Nature: [Fill out description of automated clinical decision support]
Logic involved: [Fill out explanation of decision logic]
Significance and consequences: [Fill out impact on healthcare decisions]
Appointment Scheduling:
Nature: [Fill out description of automated scheduling]
Logic involved: [Fill out explanation of scheduling logic]
Impact on service delivery: [Fill out impact on users]
Your Rights Regarding Automation
You have the right to:
Obtain human intervention in automated decisions
Express your point of view about automated decisions
Contest automated decisions that affect you significantly
Opt out of automated decision-making where legally permitted
12. Processor-Controller Relationships
Our Role as a Processor
When healthcare institutions use our platform, we act as a data processor under their direction. In these cases:
Data Processing Agreements:
We execute Data Processing Agreements (DPAs) with healthcare institutions
We process data only as instructed by the controller
We implement appropriate technical and organizational measures
Processor Obligations:
Maintain records of processing activities
Assist controllers with data subject requests
Support privacy impact assessments
Report data breaches within [Fill out timeframe]
Sub-processors
We engage the following sub-processors: [Fill out list of sub-processors including:
Name
Location
Purpose
Safeguards implemented]
13. Consent Management
Obtaining Consent
We obtain explicit consent for:
Processing sensitive health information
Marketing communications
Cross-border data transfers
[Fill out other consent requirements]
Managing Your Consent
You can manage your consent preferences through:
Platform Settings:
Location in the platform: [Fill out where to find settings]
Available options: [Fill out consent options]
Update frequency: [Fill out when users can update]
Direct Requests: You can withdraw or modify consent by:
Emailing our Data Protection Officer
Using the consent management interface
Contacting customer support
14. Third-Party Data Sharing
Categories of Recipients
We share personal data with these categories of third parties:
Essential Service Providers:
Cloud hosting: [Fill out provider]
Analytics: [Fill out provider]
Authentication: [Fill out provider]
Healthcare Partners:
Electronic Health Record systems: [Fill out partners]
Laboratory interfaces: [Fill out partners]
Pharmacy systems: [Fill out partners]
Purposes of Sharing
Data is shared for these specific purposes:
[Fill out purpose 1]
[Fill out purpose 2]
[Fill out purpose 3]
Safeguards
For each third-party sharing arrangement, we implement:
Data Processing Agreements
Security assessments
Regular compliance audits
Data minimization practices
15. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including satisfying any legal, accounting, or reporting requirements.
Retention Periods
Different types of personal data are subject to different retention periods:
Account Information: We retain your account information for the duration of your active relationship with us and for [Fill out period] afterward to comply with legal obligations and handle any post-service matters.
Health Records: Medical and health-related information is retained in accordance with applicable healthcare regulations and laws, typically for [Fill out period] after the last interaction.
Technical Logs: System logs and technical information are typically retained for [Fill out period] before being automatically deleted.
Financial Records: Transaction records and financial information are kept for [Fill out period] to comply with tax and accounting requirements.
Deletion Procedures
When personal data reaches the end of its retention period, we ensure it is deleted or anonymized securely and permanently. If you request deletion of your data, we will honor your request subject to our legal obligations and legitimate business needs.
16. Children's Privacy
We take special precautions when it comes to children's data. Our services are not intended for users under the age of 20 without parental consent, in accordance with Thai law.
If you are under the age of 20, you must obtain consent from your parent or legal guardian before using our services or providing any personal information. If we discover that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, and other factors. When we do, we will revise the "Last Updated" date at the top of this Privacy Policy and take appropriate measures to inform you, consistent with the significance of the changes we make.
We will notify you of any material changes through prominent notice on our platform or by sending you a direct notification. Your continued use of our services after the updated Privacy Policy takes effect indicates your consent to the revised policy.
18. Additional Information for EU Residents
If you are located in the European Union, you have additional rights under the GDPR, including:
The right to object to processing based on legitimate interests
The right to lodge a complaint with your local data protection authority
Enhanced data portability rights
Additional protections regarding automated decision-making
[Fill out specific details about EU representative and supervisory authority contact information]
19. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
General Inquiries: Cura Group Co., Ltd. 18/407, Khlong Ton Sai, Khlong San, Bangkok, 10600 Email: hi.curacorp@gmail.com Tel: 0817505473
Data Protection Officer: Chavisa Phukhaonak Email: chavisa@cura.so Tel: 0817505473
20. Legal Bases for Processing
We process personal data on the following legal bases:
Consent: Where you have given clear consent for us to process your personal data for a specific purpose.
Contract Performance: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.
Legal Obligation: Where processing is necessary for compliance with our legal obligations.
Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.
21. Your Rights and Choices
We respect your right to control your personal data. Under both PDPA and GDPR, you have significant rights regarding your personal data, and we are committed to honoring these rights and making it easy for you to exercise them.
Understanding Your Rights:
The right to access your personal data that we hold about you and request information about how we use it.
The right to request that we rectify or update your personal data if it is inaccurate or incomplete.
The right to request deletion of your personal data in certain circumstances.
The right to restrict or object to our processing of your personal data.
The right to data portability, allowing you to obtain and reuse your personal data across different services.
The right to withdraw consent at any time for processing based on consent.
How to Exercise Your Rights
You can exercise any of these rights by contacting our Data Protection Officer at chavisa@cura.so. We will respond to your request within 30 days and will make reasonable efforts to fulfill your request unless prevented by law or legitimate business purposes.