
Website Privacy Notice

Your information, what you need to know
This privacy notice explains why the Company collects information about you and how that information may be used, how we keep it safe and confidential and what your rights are in relation to this.


This Notice sets out information about how we use, store and transfer personal data which we receive through our website (the Site or our website) or any other means. We act as a Data Controller in relation to any personal data you provide to us, which means we will only process and share your data in line with the requirements of the applicable data protection laws and we will take all necessary steps to ensure that those with whom we legitimately share your data are equally robust in their approach to data protection.



Pal S Grewal, MD, PLLC is the data controller and responsible for your personal data.


Information we collect

We receive, collect and store any information you enter on our website or provide us in any other way. We may use software tools to measure and collect session information, including page response times, length of visits to certain pages, page interaction information, and methods used to browse away from the page (Website Usage Data). Through our Inquire page we also collect personally identifiable information, including name, email, contact number and comments (Correspondence Data).


What we do with the information we collect

We use the information that we collect to understand your needs and provide you with a better service, including the following:

  • respond to any request/feedback you send us through the Site if you've asked us to

  • provide you with information about our services, if you want it

  • analyse, evaluate and improve this Website via data amalgamated from multiple visitors, which does not identify you personally


Our basis for storing your data


1. Website Usage Data

  • Purpose: Analysing the use of, and improving, our website and services, security monitoring and fraud detection and to ensure our website is presented in the most effective manner.

  • Legal basis: Our legitimate interests, namely delivering and improving our website, informing marketing strategy, and ensuring the security of the Site.


2. Correspondence Data

  • Purpose: To communicate with you. If you have indicated your interest in our services then we may also process correspondence data to provide you with occasional news about our services and marketing communications (although you will be free to unsubscribe at any time).

  • Legal basis: Our legitimate interests, namely properly administering our business and communications, developing our relationships with interested parties and addressing user concerns and queries. Where correspondence data relates to marketing, our legitimate interests in developing our business. Where correspondence relates to a potential contract with you, then our legal basis may be for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you. 


How do we store your data

Our company is hosted on the platform. provides us with the online platform that allows us to sell our products and services to you. Your data may be stored through’s data storage, databases and the general applications. They store your data on secure servers behind a firewall.  


Data provided through our Inquire form is stored through's data storage systems which are hosted on multiple Availability Zones at Amazon Web Services (AWS) and an established disaster recovery site in another AWS US region.


Unfortunately, no transmission or storage system can be guaranteed to be completely secure, and transmission of information via the internet is not completely secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem using the contact details below.


Where is your data stored

Your data is stored on servers in the US.


Transferring your personal data out of the UK/EEA

To deliver services to UK based patients, it is necessary for us to share your personal data outside the UK as part of the international team, given the international dimension to the services we are providing to you. Under UK data protection law, we can only transfer your personal data to a country or international organisation outside the UK/EEA where:

1. the UK government or, where the EU GDPR applies, the European Commission has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);

2. there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or

3. a specific exception applies under data protection law


These are explained below.


Adequacy decision

We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:

1. all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’);

2. Gibraltar; and

3. Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.

For the US see:

Other countries or international organisations we are likely to transfer personal data to do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.


Transfers with appropriate safeguards

Where there is no adequacy decision, we may transfer your personal data to another country or international organisation if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects. The safeguards will usually include using legally approved standard data protection contract clauses. In relation to transfers to our overseas offices or other companies within our group, the safeguards may instead include legally binding rules and policies that apply to Birketts LLP (known as binding corporate rules), which have been approved by the UK data protection regulator.


Transfers under an exception

In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under data protection law, e.g.:

1. you have explicitly consented to the proposed transfer after having been informed of the possible risks. By completing our Inquiry form, you are explicitly consenting to the storage of data in the US with the risks outlined here;

2. the transfer is necessary for the performance of a contract between us or to take pre-contract measures at your request;

3. the transfer is necessary for a contract in your interests, between us and another person; or

4. the transfer is necessary to establish, exercise or defend legal claims


We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers and we will provide relevant information if and when we seek to transfer your personal data on this ground.


Sharing your data with others:

We will not share your personal data with anyone outside of the legal basis described above. There are certain parties/situations where we are legitimately permitted to share your data for specific purposes. These include:

Our service providers. We may disclose personal data to our service providers or subcontractors in connection with the uses we have described above. For example, we may disclose:

  • any personal data in our possession to suppliers which host the secure servers on which our data is stored, or who provide hosted software or systems, or communications services to us (and in particular to and

  • In particular, we may provide Communication Data to Curia Health LLP regarding UK or EU based interested parties.


We do not allow our data processors to use your personal data for their own purposes. We only permit them to use your personal data for specified purposes, in accordance with our instructions and applicable law.


Compliance. We may also disclose your personal data where necessary to comply with law.

Restructuring. If any part of our business is proposed to be sold or transferred, your personal data may be disclosed to the new owner or in connection with the relevant negotiations.


Data retention

We will comply with our legal obligations in relation to the retention and deletion of personal data, and in particular ensure that personal data that we process is not kept for longer than is necessary for the relevant purposes. In particular:

  • correspondence data will be retained for the period of the enquiry or chain of correspondence and then deleted after twenty-four months, unless it relates to a client in which case it shall be retained for the same period as the related registration and health data specified in our Privacy Notice shared at the point of registration as a client of our services;

  • any data which is anonymised, and therefore not personal data, may be retained by us indefinitely. Typically, this will be derived from usage data.

We maintain system backups for disaster recovery purposes. This means that information which is deleted from our live systems may still remain in backup until it is overwritten.
We may retain your personal data longer than set out above where necessary to comply with law or in connection with any legal claim.


Your rights
As an individual whose personal data is processed by Curia Health, you have:

  • The right to be informed: Transparency is a key requirement of data protection law. You have the right to be informed about the collection and use of your personal data. This privacy notice is designed to provide you with the information needed to allow you to see how and why your personal data is used when visiting this website.

  • The right to access the data we hold on you: You also have the right to ask for the personal data that we have about you to increase your awareness of and allow you to verify the lawfulness of the processing. To protect your privacy we may ask you to verify your identity.

  • The right to have your data rectified if it is inaccurate: If you believe that personal data we hold on you is inaccurate or misleading then you have the right to request that it is rectified.

  • The right to erasure (in limited circumstances): In some circumstances, you can ask for your personal information to be deleted, for example:

    • your personal information is no longer needed for the reason it was collected in the first place

    • you have removed your consent for us to use your information (where there is no other legal reason for us to use it)

    • there is no legal reason for the use of your information

      • Please note that we cannot delete your information where:

        • we're required to have it by law

        • it is necessary for legal claims

  • The right to have your data restricted or blocked from processing: In certain circumstances, if you raise a complaint on how we have handled your personal data, you may also request that we 'restrict processing', meaning that the data will be preserved from further processing 'as evidence' either while we investigate your complaint or to support your complaint.

  • The right of data portability (in limited circumstances): Where you have provided your personal data directly to us that is processed by automated means and is done so purely on the basis of your consent, then you will have the right to obtain and reuse your personal data in an electronic format for your own purposes across different services.

  • The right to object to direct marketing: You have an unconditional right to object to direct marketing at any time. As noted within this privacy notice, we will not send you direct marketing without your consent and you can withdraw your consent at any time by selecting the 'unsubscribe' link within each email.

  • The right to object to processing of your personal data: Processing is the term under data protection law that describes all uses of your personal data. This will include the collection, sharing, storage, retention and destruction of your data.

  • You have the right to object to any aspect of our processing of your personal data:

    • that is processed based on Curia Health's legitimate interests;

    • that is processed for purposes of scientific/historical research and statistics; and

    • if it involves any automated decision making or profiling carried out by Curia Health


If you would like to exercise your right of access in relation to information held on you by Curia Health, email


Contacting us
If you have any specific data protection queries or concerns, you can address them to



