Whenever we refer to “we”, “us” or “our” in this Privacy Policy we mean: Curandus sp. z o.o. (Polish limited liability company) with its seat at 6 Postępu str., 02676 Warsaw, Poland, registered in the District Court for the Capital City of Warsaw 13th Commercial Division of the National Court Register under the number KRS 0000746260, tax identification number (NIP): 521-383-81-78, share capital: 50,000.00 PLN.

We carefully safeguard the information we hold about our partners, clients and employees. We endeavor to comply with the General Data Protection Regulation and the local laws applicable in the countries in which we operate.

This Privacy Policy applies to personal data collected by us as a data controller of the personal information that you provide to us when you visit our website at: www.curandus.io or through the e-mail contact. If you are visiting our website as a prospective staff member, please look at the section that applies to our job applicants.

In this Privacy Policy we would like to provide you with information on how we use your personal data collected from you, why we process them and explain your rights regarding the use of your personal data.

Our website and services are not intended for children, and we do not collect personal data relating to children.

HOW TO CONTACT US

If you have any questions about this Privacy Policy or would like to contact us about any other matter related to the processing of your personal information, please use the following contact information:

Curandus sp. z o.o.
6 Postępu Street
02-676 Warsaw, Poland
E-mail: gdprcontact@curandus.io

HOW WE COLLECT YOUR PERSONAL DATA

We collect personal data when you provide your contact details to us when requesting information about our products or services, either via e-mail, telephone or face-to-face.

WHAT TYPES OF INFORMATION WE COLLECT ABOUT YOU

"Personal data" is any information that relates to you and that identifies you either directly from that information or indirectly, by reference to other information that we have access to. The personal data that we collect, and how we collect it, depends upon how you interact with us. Categories of personal data that we routinely collect about you include:

  • Full name and surname;
  • Email address;
  • Postal address;
  • Job title/position;
  • Company name;
  • Other contact details;
  • Data relating to our website/apps: IP address, cookies and other data collected during your visit to our website (for more details, please see also our Cookies Policy).

This policy also applies for processing personal data in the recruitment process for which we use an additional tool, Bamboo HR. If you are a job applicant, we may also process information included in your CV or cover letter, such as employment history, academic background, skills and competencies, languages spoken, if you provide such information to us.

If you are a patient, you may provide us with your contact data (name and surname, e-mail and/or telephone number), your country of residence and your interest in a specific indication or disease if you would like to learn more about it and get from us updates and/or marketing information connected with your interests, including the research projects in which we are involved, to your e-mail or through your mobile followed by your consent expressed during a phone call or via e-mail correspondence.

We do not collect any special categories of personal data, as defined under the General Data Protection Regulation through our website.

Curandus has developed and manages a communication platform that enables healthcare providers engaged in conducting clinical trials to monitor important health information and to connect with patients directly about their treatments, feedback and concerns. Such services, however, are provided for those patients who have expressed consent to participating in clinical trials and to the processing of their personal data in respect of such trials, including processing necessary for services performed via the communication platform on behalf of the Sponsor as a data controller.

Providing your personal data is voluntary, however if you do not provide us with the necessary information, we will not be allowed to perform the services, conclude an agreement or reply to your enquiry.

WHAT WE DO WITH YOUR PERSONAL DATA

Your personal data will be processed only for the purposes as described in this Privacy Policy:

  • Purpose: To respond to your e-mail and to administer e-mail correspondence with you
    Lawful basis for processing: Article 6 paragraph 1 point f of the GDPR (our legitimate interests to process this information, so that we can contact you and send you tailored and relevant information) or Article 6 paragraph 1 point b of the GDPR (if we have or will enter into a contract with you)
  • Purpose: To fulfil a query, to respond to your other online inquiries and fulfil your requests for services and/or to administer our services
    Lawful basis for processing: Article 6 paragraph 1 point f of the GDPR (our legitimate interests to process this information, so that we can contact you and send you tailored and relevant information) or Article 6 paragraph 1 point b of the GDPR (if we have or will enter into a contract with you)
  • Purpose: To facilitate your attendance at one of our events / meetings
    Lawful basis for processing: Article 6 paragraph 1 point b of the GDPR
  • Purpose: To maintain records of prospective, current and past clients and partners. If you agree, we’ll add your contact details to our client database and we may occasionally reach out to you and send you e-mail invitations to Curandus events, marketing updates and other related materials concerning the projects in which we are involved.
    Lawful basis for processing: Article 6 paragraph 1 point f of the GDPR - our legitimate interest in undertaking marketing activities to offer you products or services that may be of interest to you
  • Purpose: To track your use of our websites and interaction with our services. For example, to understand which website content is most popular with our visitors.
    Lawful basis for processing: Article 6 paragraph 1 point f of the GDPR - our legitimate interest in enhancing, facilitating and improving our website content and our services that you may use or are using – for more details please see our Cookies Policy

If you are a job applicant, your personal data provided in the application documents will be processed for the following purposes:

  • Purpose: To conduct the ongoing recruitment and take action before concluding an employment agreement with you (if applicable)
    Lawful basis for processing: Article 6 paragraph 1 point c of the GDPR in connection with relevant local labour laws
  • Purpose: To carry out future recruitment, if you grant us such consent
    Lawful basis for processing: Article 6 paragraph 1 point a of the GDPR – your consent that you can provide us with voluntarily
  • Purpose: To establish or pursue claims that may arise in connection with recruitment process, until the end of the period of limitation in the event you are not employed in the position for which you applied.
    Lawful basis for processing: Article 6 paragraph 1 point f of the GDPR (legitimate interest of the data controller - the right to defense against the claims of a person who has not been employed)

We take appropriate steps to ensure your personal data is stored in a secure environment to prevent any unauthorized access. We will not share your personal information with any third parties for them to use for their own marketing purposes. We may disclose your personal data if required to do so by law.

If this is compliant with applicable law, we may transfer your personal data to other entities, including our service providers, subcontractors and companies from our company’s capital group, provided that you give us your consent or there is another legal basis to provide these data to those entities. In case of data transfer to the companies from our capital group, we may have a legitimate interest in sending personal data for internal administrative purposes.

We may process your personal information abroad, including outside the European Economic Area (EEA), provided we comply with the applicable laws and regulations. In cases where we are sharing your personal data with organizations outside the EEA, we will ensure they agree to apply equivalent levels of protection as we do, and the transfer of your personal data is compliant with applicable law.

WHAT RIGHTS AND OBLIGATIONS YOU HAVE

You have a number of rights under data protection law, which have been strengthened under the General Data Protection Regulation (GDPR):

You have the right to request access to and rectification or erasure of your personal data, as well as restriction of processing, data portability, the right not to be subject to a decision based solely on automated processing, including profiling, and the right to object to your personal data processing.

You have the right to object to the personal data processing where the processing is carried out based on legitimate interests and/or for statistical purposes and your objection is justified by your particular situation.

You have the right to withdraw your consent to personal data processing at any time to the extent to which your consent applies. Withdrawal of your consent does not affect the lawfulness of processing based on your consent before its withdrawal.

If you are unhappy with the way in which we have handled your personal data you have the right to file a complaint with the supervisory body dealing with the protection of personal data in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes provisions of the General Data Protection Regulation.

We encourage you to contact us in the first place as we aim to promptly, efficiently and satisfactorily resolve any concerns or complaints you may have in relation to the processing of your personal data.

To fulfill your request, we will require you to provide satisfactory proof of your identity in order to ensure that your rights are respected and protected. This is to ensure that your personal data is disclosed only to you.

HOW LONG WE STORE YOUR PERSONAL DATA FOR

We will only retain personal data for as long as is necessary for the purposes we are using it for – the retention period will vary depending on the purposes it is used for.

If you contact us through our contact forms or e-mail address either as a patient or a business partner, we will process your data only for the time necessary to reach out to you, leave you our feedback and/or provide you with relevant information that you asked for or send you our marketing content, unless there is a legal obligation to store the data for longer.

If you no longer want to receive information and/or marketing content from us, you can email us at gdprcontact@curandus.io and withdraw your consent without affecting the processing carried out prior to the withdrawal.

For the recruitment process purposes, we may process your personal data in the scope covered by the labor law until the recruitment process is completed, and the data provided by you voluntarily in a wider scope than required by the law, until your consent to the processing of personal data is revoked.

Upon completion of the recruitment process, we may process your personal data in order to defend against potential claims that may occur in connection with recruitment until the end of the period of limitation of these claims.

If you give us consent to use your personal data for the purpose of future recruitment, your data will be used for up to 3 years.

PRIVACY POLICY UPDATES

This Privacy Policy may be amended or updated from time to time, so please check it regularly for updates. If we make any significant changes to its content, we will communicate this to you where possible through available means.

Please contact us on the details above if you have any questions about our Privacy Policy or processing of your personal data at: gdprcontact@curandus.io

PRIVACY NOTICE AMENDMENT FOR CALIFORNIA RESIDENTS

This Notice applies solely to residents of the State of California, and to information that is defined by California law as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with California consumers or households (“California Personal Information”).

Curandus provides this Notice to comply with our obligations in our capacity as a Business under the California Consumer Privacy Act of 2018 (“CCPA”). Any terms defined in the CCPA have the same meaning when used in this notice.

This Notice does not apply to information Curandus collects, maintains, or discloses in our capacity as a Service Provider under the CCPA on behalf of our clients, including clinical and medical information that we collect, host, and use as part of the clinical research associated services that we perform under contracts with our clients. If your information has been submitted to us as part of our performance of those services and you would like to learn more about the handling of that information or exercise any rights you may have under the CCPA, please inquire with the client directly.

Moreover, California Personal Information does not include, and this Notice does not apply to:

  • information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration;
  • publicly available information lawfully made available from federal, state, or local government records;
  • deidentified or aggregated consumer information; or
  • other information excluded from the CCPA’s scope, such as health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), and
  • personal information covered by other sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act of 1994, and the federal Gramm-Leach-Bliley Act, and implementing regulations, or the California Financial Information Privacy Act.

Categories of California Personal Information We Collect or May Collect:

Identifiers such as name, email address, telephone number, mailing address, Social Security number, driver’s license identifiers, online identifiers, or other similar identifiers.

Internet or other electronic network activity information, such as information concerning individuals’ interactions with our websites, applications, or advertisements.

Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), including signature, financial information, medical information, education and employment history, medical information, or health insurance information.

Characteristics of protected classifications under California or federal law, such as age, medical condition, physical or mental disability, gender, information relating to pregnancy or childbirth, sexual orientation, or veteran or military status.

In respect of our employees and job applicants, professional or employment-related information, including current or past job history; professional specialties, affiliations, licenses, and certifications; financial compensation information, and performance evaluations, personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as signature, education and employment history, medical information, or health insurance information, characteristics of protected classifications under California or federal law, such as age, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions). Inferences drawn from any of the above information to create a profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Sources of California Personal Information

We collect the categories of California Personal Information listed above from among the following categories of sources:

  • Directly from you, including when you provide information to us online, in-person at health screening events or over the phone;
  • Indirectly from you, such as when we automatically collect technical and usage information when you use our websites;
  • Public sources and data resellers;
  • Third-party websites and other online services, such as online advertisements and solely with respect to job applicants, information provided via the BambooHR human resources online resource.

Purposes for which We Collect and Use California Personal Information

We may use the California Personal Information listed above for the following business and commercial purposes:

  • To provide our clinical trial recruitment, enrollment, and retention services to our clients, including maintaining and updating our patient database, identifying and notifying prospective patients of clinical trials in which they may be interested, evaluating prospective patients for qualification in clinical trials, and referring patients to clinical trial sites;
  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to apply for a loan or ask a question about our products or services, we will use that personal information to respond to your inquiry.
  • To respond to your inquiries;
  • To contact you regarding changes or updates to our service offerings;
  • To conduct recruiting and candidate evaluation activities and to inform our employment decisions;
  • To provide, support, personalize, and develop our websites, applications, and product or service offerings;
  • To audit our interactions with you, such as counting impressions or verifying the quality and effectiveness of content including ads;
  • To prevent malicious, deceptive, fraudulent, or illegal activity, and participating in any prosecution or enforcement of laws or agreements meant to prevent or punish such activity;
  • To maintain the safety, security, and integrity of our websites, applications, other technology assets, and our business, including the detection of security incidents.
  • To debug, identify, or repair errors or effectuate similar functional enhancements in connection with our websites and other applications.
  • To develop, improve, and deliver marketing and advertising.
  • For internal operational uses such as research, analytics, development, audits, and security.
  • For legal and operational compliance purposes, such as monitoring whether our operations are effectively implementing this policy.
  • To engage in or enable internal uses consistent with our relationship with you, or compatible with the context in which you provided the information, such as internal research and development; and
  • For any other purpose described to you when collecting your California Personal Information before or at the time of collection.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing of California Personal Information

We may share California Personal Information with the following categories of third parties:

  • Our affiliated companies;
  • Our service providers;
  • Our clients;
  • Other third parties to protect our legal rights or comply with legal requirements;
  • Other third parties as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
  • Other third parties involved in a merger, sale, joint venture or other transaction involving a transfer of our business or assets; and
  • Other third parties with your prior consent.

Sales of California Personal Information

Curandus did not sell California Personal Information within the last 12 months.

Your Rights and Choices with Respect to California Personal Information

The CCPA provides California residents with specific rights regarding California Personal Information. This section describes your CCPA rights and explains how to exercise those rights.

Right to Know Request - Access and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your California Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request (see the section below on Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

  • The categories of California Personal Information we collected about you.
  • The categories of sources for the California Personal Information we collected about you.
  • Our business or commercial purpose for collecting or selling that California Personal Information.
  • The categories of third parties with whom we share that California Personal Information.
  • The specific pieces of California Personal Information we collected about you (also called a data portability request).
  • If we sold or disclosed your California Personal Information for a business purpose, two separate lists disclosing disclosures for a business purpose, identifying the California Personal Information categories disclosed; and sales, identifying the California Personal Information categories sold and that each category of recipient purchased.

Deletion Request Rights

You have the right to request that Curandus delete any of your California Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your California Personal Information from our records, unless an exception under CCPA applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

  • sending a request via postal e-mail or calling, using the data indicated in the “contact us” section of this website
  • emailing us at: gdprcontact@curandus.io

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your California Personal Information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected California Personal Information, or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with your California Personal Information if we cannot verify your identity or authority to make the request and confirm the California Personal Information relates to you. We will verify your identity by matching the identifying information provided by you to the personal information already maintained by us, or, in cases where your request requires a higher degree of certainty, we may use a third-party identity verification service or ask for a photo ID or for more information. Any information you provide us that is not already in our system will be deleted after your request has been fulfilled.

Making a verifiable consumer request does not require you to create an account with us.

We will only use California Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Any disclosures we provide in response to a request will only cover the 12-month period preceding the request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your California Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

Response Timing

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

Fee

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision, and we reserve the right to either refuse to act on your request or charge you a reasonable fee to complete your request if it is excessive, repetitive, or manifestly unfounded.

Non-Discrimination

You have a right to not receive discriminatory treatment for exercising your CCPA rights, and we will not discriminate against you for exercising any of your CCPA rights.

Changes to this Notice

We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated notice to our websites and update the notice’s date. Your continued use of our website following the posting of changes constitutes your acceptance of such changes.
