Curia | Empowering Cancer Patients

CURIA Users Privacy Notice

The protection of your privacy and the legal use of your personal data are a matter of the highest priority for Innoplexus AG (hereinafter “Innoplexus AG”, “we” or “us”). We are the company that provides and operates the software application named “CURIA” (hereinafter “CURIA” or “CURIA App”) and we are located at Frankfurter Str. 27, Eschborn, Germany 65760, where we operate and maintain the CURIA App and its website: https://curia.app/.

This privacy notice (the “Privacy Notice”) explains how we collect, use, store and disclose your personal data in connection with the CURIA App: this data processing applies to CURIA’s website, platform and mobile application (jointly or indistinctly, the “Platform(s)”), and to the different services provided through them (collectively, the “Services”), including the following:

a) Receive information about possible cancer treatment options, physicians and clinical studies and trails;
b) Apply to cancer clinical trials; and
c) Connect with other users whose cancer diagnosis is similar to yours.

Innoplexus AG, in its capacity as data controller, will carry out the processing of your personal data in accordance with the applicable provisions of the Constitution of the United Mexican States, Mexico’s Federal Law on the Protection of Personal Data in Possession of Private Parties (“LFPDPPP”) and its Regulations (“RLFPDPPP”) (hereinafter jointly, the “Regulations”).

When you register to the CURIA App, you enter into a legally binding agreement with us. This agreement constitutes a valid legal basis for the processing of your personal data in accordance with the LFPDPPP and the other applicable Regulations. We recommend that you carefully read this Privacy Notice and CURIA’s terms and conditions of use before using any of the Services. We may modify this Privacy Notice from time to time, especially if, there are changes in our operations or in any applicable laws and/or regulations.

I. DEFINITIONS

For the purposes of this Privacy Notice, the definitions of the terms: “ARCO Rights” (Derechos ARCO); “data controller” (responsable); “data owner” (titular); “data processing” or “processing” (tratamiento);“data processor” (encargado); “personal data” (datos personales); “right of access” (derecho de acceso); “right of cancellation” (derecho de cancelación); “right of opposition” (derecho de oposición); “right of rectification” (derecho de rectificación); “sensitive personal data” (datos personales sensibles); and “transfer” (transferencia), will have the same meaning as attributed to these terms in the Regulations.

II. PERSONAL DATA THAT IS COLLECTED

In order to carry out the purposes described in this Privacy Notice, we may process the following personal data:

a) Identification data. First and last name(s), sex, age, date of birth and picture.

b) Contact information. Address, location, telephone number, cell phone number and e-mail address.

c) Logging and log file data. Username, password and other credentials managed by you on our Platforms to access CURIA’s Services. Also, we may collect the following log file data when you use the CURIA App: IP address, API logs, date and time of the request, content of the request (concrete page, concrete API endpoint), access status/HTTP status code, amount of data transferred in each case, end device from which the request comes, user agent, operating system and its interface, and language and version of the user agent.

d) Personal data collected by automatic capture tools on our Platforms (Cookies). Browser type, language, means of identifying the session with our Platforms, passwords to access our Platforms, the date and time of your visit and the time you have remained on our Platforms, IP address, the URL (Uniform Resource Locator) of reference, the pages visited on our Platforms, the operating system of the computer system used to access our Platforms, information about the browser and devices used to access our Platforms, user behavior and information derived from and/or related to the interaction you have with our emails and/or our Platforms.

In addition to the personal data mentioned above, we will also process the following sensitive personal data for the purposes informed in this Privacy Notice:

a) Health data. Current and past health status, clinical picture, and cancer-specific parameters, such as type, status, stage, grade and cancer indications, genetic mutations, genetic markers, hormone receptors, other health data depending on your cancer type, information about clinical trial you wish to register for, applications to participate in clinical trials, medical questionnaires and information about your medical inclusion and exclusion criteria.

The personal data described in the paragraphs of this section are collected: (i) directly and voluntarily from you when you download, register to and/or use the CURIA App; (ii) directly and voluntarily from you when you use CURIA’s Services; (iii) directly and voluntarily from you when you provide your personal data through any of our Platforms or by e-mail, including when you fill out the questionaries provided by us with questions about your clinical picture; and (iv) through transfers by other companies of the corporate group to which Innoplexus AG belongs to. The personal data described in the previous paragraphs may be contained in different documents, either in printed or digital format. Innoplexus AG may request you to show original documentation and/or to provide a copy of such, as evidence to support the information you have provided.

When you download the CURIA App, the required information is transferred to the Apple App Store or Google Play Store, as applicable, in particular your username, e-mail address, time of download and the individual device ID number. We have no influence on this data collection and are not responsible for it. We process the data only to the extent necessary for downloading the CURIA App to your mobile device.

You must register to the CURIA App using your first and last name(s), e-mail address and telephone number in order to take advantage of CURIA’s Services. Alternatively, you can also log-in to the CURIA App using your Apple user account ID or your Google user account. In this case we will collect your first and last name(s) and your e-mail address. The terms, conditions and extent to which your personal data will be processed by Apple or Google through the subsequent use of the CURIA App will be governed by:

Apple’s privacy policy, available at: https://www.apple.com/legal/privacy/data/en/sign-in-with-apple/; or

Google’s privacy policy, available at: https://policies.google.com/privacy?hl=en-US.

III. PURPOSES OF THE TREATMENT

When you register to the CURIA App, you enter into a legally binding agreement with us. This agreement constitutes a valid legal basis for the processing of your personal data in accordance with the applicable Regulations.

A.- We will use the personal data we collect from you for the following purposes which are necessary to receive CURIA’s Services, and to comply with the obligations derived from the legal relationship between Innoplexus AG and you (“Necessary Purposes”):

a) Confirm your identity and contact details, and verify any other information provided;
b) Register you to the CURIA App, and confirm that your registration process was successful;
c) Manage your access to the CURIA App’s Platforms;
d) Offer and allow the use of the various features of the CURIA App;
e) Ensure the stability and security of the CURIA App;
f) Provide you the Services rendered through the CURIA App, including (i) providing you information about possible cancer treatment options, physicians and clinical studies and trials, (ii) registering you for cancer clinical trials, and (iii) connecting you with other users whose cancer diagnosis is similar to yours;
g) Allow the management, administration and security of your personal data;
h) Maintain physical and/or electronic records of your personal data to comply with applicable legal provisions; and
i) Comply with all applicable legal provisions and meet the requirements of competent authorities.

B.- In addition to the above, we will use personal data for the following secondary purposes, which are not necessary to receive the CURIA’s Services, but which allow and facilitate us to provide you better services (the “Secondary Purposes”):

a) Share your comments, suggestions, complaints, and clarifications about CURIA’s Services;
b) Evaluate the quality of CURIA’s Services through various instruments, including surveys;
c) Report problems with CURIA’s Platforms; and
d) Implement activities aimed at promoting, maintaining and improving CURIA’s Services.

IV. CONSENT OF DATA OWNER

In accordance with the applicable provisions of the Regulations, by means hereof you represent that: (i) this Privacy Notice has been disclosed and made available to you by Innoplexus AG prior to the collection and/or processing of your personal data; (ii) you have read, understood and agreed to the terms set forth in this Privacy Notice for the processing of your personal data; and (iii) you acknowledge and agree that, in accordance with articles 8, 10 section IV and 37 section VII of the LFPDPPP, and articles 6, 11 and 17 of the RLFPDPPP, your express or tacit consent is not required in connection with the collection, processing and/or transfer of your personal data, including any sensitive personal data, provided that such personal data is used exclusively for the Necessary Purposes set forth in this Privacy Notice. If we plan to collect, process and/or transfer any of your personal data for any purposes other than for the Necessary Purposes set forth in this Privacy Notice, we will inform you of such circumstance and request from you the required form of consent in accordance with the applicable Regulations prior to collecting, processing and/or transferring your personal data.

With respect to the processing of your personal data which is used for any Secondary Purposes, and which is not considered to be sensitive personal data or data of a financial nature, you hereby acknowledge that it will be deemed that you have provided your tacit consent to the terms of this Privacy Notice and agreed to the transfer of such personal data to third parties for the purposes set forth in this Privacy Notice if you do not object or oppose to its content within twenty four (24) hours after your personal data is collected and this Privacy Notice has been made available to you by any means, including by its publication on the CURIA App’s website. You may object or oppose to the processing and/or to the transfer of your personal data by submitting to us an ARCO Request (as defined below) in accordance with Section VII below.

V. TRANSFER OF PERSONAL DATA

In addition to the cases specified in Regulations, your personal data may be transferred, within and outside the country, with the following persons, companies, organizations, and authorities other than us, for the following purposes:

Recipient of Personal DataPurpose
Cloud Service ProviderThe personal data you provide, including completed questionnaires and applications for participation in clinical trials, will be transferred to the Google Cloud and stored on a server in Germany. The Google Cloud is operated by Google Inc., with address at 1600 Amphitheatre Parkway, Mountain View, California 94043, USA.
Prospective buyers or acquirersIn the event of a merger or acquisition, for the prospective acquirer or buyer to analyze the legal, commercial and/or technical situation of CURIA and/or of Innoplexus AG.
Surviving company or acquirerTo use and process the personal data in the same way it has been used and/or processed by Innoplexus AG.

VI. SECURITY MEASURES

Innoplexus AG agrees to make its best efforts to safeguard the confidentiality of your personal data; therefore, in accordance with our privacy policies and the applicable laws, Innoplexus AG maintains the security measures reasonably necessary in order to protect your personal data and to prevent its loss, alteration, destruction or unauthorized use, access or treatment.

VII. EXERCISE OF RIGHTS AND CONTACT

Innoplexus AG assumes that (i) you comply with the obligations set forth in the Regulations; (ii) that the personal data provided by you is clear, correct and up-to-date for the purposes for which it was collected; and (iii) that you are entitled or authorized to provide Innoplexus AG such personal data.

You may at any time (i) access your personal data held by Innoplexus AG; (ii) rectify your personal data when such is inaccurate or incomplete; (iii) cancel your personal data, except in the cases provided for in the Regulations; (iv) oppose the processing of your personal data for legitimate reasons or oppose the processing of your personal data for specific purposes, except in such cases in which such personal data is needed by Innoplexus AG to comply with a legal obligation; and (v) decline or revoke your consent and oppose to the processing of your personal data, except if such personal data is collected and/or processed for the Necessary Purposes (collectively, the “ARCO Rights”).

You may exercise these rights either directly or through your legal representative by submitting a written request (the “ARCO Request”) to the following e-mail address: compliance@innoplexus.com

Your ARCO Request must contain and accompany:

  • Your full name and address, and any other means of communicating the response to you;
  • The documents proving your identity and/or that of your legal representative (physical or electronic copy of your passport or other official and valid ID, and where applicable, physical or electronic copy of the passport or other official and valid ID of your legal representation);
  • If you are exercising any of your ARCO Rights through a legal representative, the ARCO Request must be accompanied by a physical or electronic copy of the public instrument or proxy letter containing the power of attorney granted by the data owner to its legal representative. Proxy letters shall need to be signed by the data owner and two (2) witnesses, and be accompanied by a physical or electronic copy of such witnesses passports or other official and valid ID);
  • A clear and precise description of the ARCO Rights you seek to exercise and of the personal data with respect to which you seek to exercise any of such rights;
  • Any other element or document that facilitates the location of the Personal Data; and
  • In the case of rectification requests, you must indicate the amendments to be made and provide the documentation supporting your request (when applicable).

Innoplexus AG will notify you within a period of no more than twenty (20) business days from the date on which the corresponding ARCO Request was received of the decision made, so that if applicable, such can be made effective within fifteen (15) business days following the date in which Innoplexus AG notified you of the corresponding response. In the event that the documents and/or information contained in your ARCO Request is erroneous or insufficient, or the corresponding accreditation documents are not accompanied, we may request you to provide additional documents and/or information necessary to process your ARCO Request. You will have ten (10) working days following the date in which you receive our request for additional documents and/or information to provide such additional documents and/or information, in the understanding that if you don’t provide the requested documents and/or information within this period, your corresponding ARCO Request will be considered not submitted.

In the case of requests for access to personal data, the delivery of such personal data shall be made upon proof of identity of the data owner and/or that of his/her legal representative, as the case may be. It will be considered that access to your Personal Data has been granted when they are made available to you, regardless of the means or format.

Regarding the revocation of your consent, please note that this will only proceed in certain cases in accordance with the applicable provisions of the Regulations.

In case of doubts regarding the processing of your personal data, or the procedure for exercising your rights, please contact our data protection officer through email at the following e-mail address: compliance@innoplexus.com, or in writing at the following address: Frankfurter Str. 27, Eschborn, Germany 65760.

VIII. LIMITATION OF USE AND DISCLOSURE OF INFORMATION

We will only keep and maintain your personal data for as long as necessary to manage the legal relationship we have with you and to comply with the purposes set out in this Privacy Notice, or as long as necessary to comply with the applicable legal obligations to which we are subject to.

To limit the use and disclosure of your personal data, please contact our data protection officer through email at the following e-mail address: compliance@innoplexus.com, or in writing at the following address: Frankfurter Str. 27, Eschborn, Germany 65760.

IX. AUTOMATIC DATA COLLECTION

We may collect personal data through the use of automatic data capture tools in our Platforms. Among such automatic data capture tools we use cookies.

Use of Cookies.- The correct functioning of CURIA’s website require the enabling of “cookies” in your internet browser. Cookies are small data files transferred by the website to the hard drive of your computer or mobile device when you browse a website. In most browsers cookies are automatically accepted by virtue of their default settings, and you can adjust your browser preferences to accept or reject cookies. Disabling cookies may disable various features of CURIA’s website or cause it to not display correctly. In case you prefer to delete the cookies, you can delete the file at the end of each browsing session.

These Cookies can be disabled. To know how to do it, you can consult the following links:

Microsoft Edge- https://support.microsoft.com/es-es/windows/eliminar-y-administrar-cookies-168dab11-0753-043d-7c16-ede5947fc64d

Google Chrome- https://support.google.com/chrome/answer/95647?hl=es-es

Firefox- https://support.mozilla.org/es/kb/Borrar%20cookies
Safari(Mac)- https://support.apple.com/es-us/guide/safari/sfri11471/mac#:~:text=Elimina%20cookies%20y%20datos%20almacenados,Eliminar%20o%20en%20Eliminar%20todo.

Safari(Mobile)- https://support.apple.com/es-us/HT201265

X. PROTECTION OF MINORS OR PEOPLE IN A STATE OF INTERDICTION.

We do not collect or carry out the processing of personal data of minors or persons in a state of interdiction and encourages parents and/or guardians to take an active role in the online activities of their children and/or represented. In the event that we consider that any personal data has been provided by a minor or a person in a state of interdiction in contravention of this Privacy Notice, we will proceed to eliminate such personal data as soon as possible. If you are aware that such Personal Data has been provided by a minor or by a person who is in a state of interdiction, please contact our data protection officer through email at the following e-mail address: compliance@innoplexus.com, or in writing at the following address: Frankfurter Str. 27, Eschborn, Germany 65760.

XI. CHANGES TO THE PRIVACY NOTICE

Changes to this Privacy Notice will be published and made available to you through CURIA’s website: https://curia.app/ and/or to the e-mail address you have provided us.

Last updated: May 8, 2022.