CurebaseDemo
    New ArticleRead Article →
    Back to Privacy Policy

    Curebase Data Privacy Framework Policy

    Last Updated: February 19, 2026

    Curebase, Inc., and all U.S.-based affiliates and subsidiaries (collectively "Curebase"), complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-US DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. Curebase has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Curebase has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this DPF Policy or the Curebase Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

    For purposes of this DPF Policy, personal data or information means data about an identified or identifiable individual that is received by Curebase in the United States from the EEA, Switzerland, or the United Kingdom, and recorded in any form, and is within the scope of Regulation (EU) 2016/679 ("General Data Protection Regulation" or "GDPR"), the Swiss Federal Data Protection Act, or the UK Data Protection Act 2018, respectively. This DPF Policy supplements the Curebase Online Privacy Policy.

    Data Privacy Framework Principles

    Notice

    Notice to individuals regarding the personal data collected from them, the purposes for which Curebase collects, uses, and discloses personal data, and to whom Curebase discloses personal data, is set forth in the Curebase Online Privacy Policy and our agreements with Curebase Platform Subscribers.

    Choice

    Individuals have the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.

    To exercise this choice, please contact Curebase at:

    For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), Curebase will obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, Curebase will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

    Onward Transfer

    To transfer personal information to a third party acting as a controller, Curebase will comply with the Notice and Choice Principles. Curebase will also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify Curebase if it makes a determination that it can no longer meet this obligation. The contract will provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.

    To transfer personal data to a third party acting as an agent, Curebase will: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with Curebase's obligations under the Principles; (iv) require the agent to notify Curebase if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

    Curebase may also be required to disclose, and may disclose, personal information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements.

    Security

    Curebase will take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.

    Data Integrity and Purpose Limitation

    Consistent with the Principles, personal information processed by Curebase is limited to the information that is relevant for the purposes of processing. Curebase will not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, Curebase will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. Curebase will adhere to the Principles for as long as it retains such information.

    Access

    Individuals whose personal information is covered by this DPF Policy have the right to request access to personal information about them that Curebase holds, as well as the right to request to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. To exercise these rights, please contact Curebase at:

    Recourse, Enforcement and Liability

    In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Curebase commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Curebase at:

    EU – Ireland Representative

    Adam Brogden

    GDPR Local Ltd.

    Office 2

    12A Lower Main Street, Lucan Co. Dublin

    K78 X5P8

    Ireland

    Email: contact@gdprlocal.com

    Tel: +353 15 549 700

    Reporting Link: https://curebaseinc.gdprlocal.com/eu

    UK Representative

    Adam Brogden

    GDPR Local Ltd.

    1st Floor Front Suite

    27-29 North Street, Brighton

    England

    BN1 1EB

    Email: contact@gdprlocal.com

    Tel: +441 772 217 800

    Reporting Link: https://curebaseinc.gdprlocal.com/uk

    Curebase has a policy of responding to individuals within thirty (30) days of an inquiry or complaint.

    In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Curebase commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner's Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In addition, under certain conditions, EU, UK, or Swiss individuals may have the option to invoke binding arbitration for the resolution of a complaint.

    See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for further information.

    In the context of an onward transfer, Curebase is responsible for the processing of personal information it receives under the EU-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. Curebase shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless Curebase proves that it is not responsible for the event giving rise to the damage.

    The Federal Trade Commission has jurisdiction over Curebase's compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

    Changes to this Policy

    We may update this DPF Policy from time to time consistent with the requirements of the DPF. When we do so, we will update the Effective Date, above. We encourage you to periodically review this DPF Policy to be aware of updates.

    Questions and Comments

    If you have any questions or comments about this Data Privacy Framework Policy, please contact us at: