Curia | Empowering Cancer Patients

CURIA Application Privacy Policy

Use of our mobile application

I. Definitions
User: is the person who downloads and uses this mobile application (You).

Personal data: any information about an identified or identifiable natural person. Personal data is any data that can be personally related to you, e.g. name, address, e-mail addresses, user behavior.

Health-related data: personal data relating to your physical or mental health, including the provision of health care services, which reveal information about your state of health;

Consent: any free, specific, informed and unequivocal expression of will by which the User agrees to the processing of his/her personal data.

Data processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated procedures, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, matching or interconnection, restriction, erasure or destruction;

Data controller: the person or company that determines the purposes and means of data processing.

International transfer: involves the transmission of Personal Data outside the territory of your country.

GDPR: is the European General Data Protection Regulation.

LPDP: is the Argentine Personal Data Protection Law Nº 25.326.

DNPDP: is the National Directorate for the Protection of Personal Data of Argentina.

II. Information on the collection of personal data
(1) We provide you with a mobile application (“CURIA”) that you can download on your mobile device. This Privacy Policy is intended to provide the User with information about the collection of his or her personal data during the use of CURIA.

(2) The personal data collected through CURIA are solely for the purpose of developing and fulfilling the services provided to the User through the application and are in no way excessive and/or inadequate in relation to the purpose for which they are collected.

(3) The responsible person in accordance with Art. 4 para. 7 GDPR and Art. 6 b) of the LPDP is:
Innoplexus AG,
Frankfurter Str. 27, 65760 Eschborn, Germany (see our imprint: (“Innoplexus“).

You can contact the data protection officer of the company Innoplexus at the above address, at privacy office or at

(3) When you contact us by e-mail or via a contact form, we will store your e-mail address and, if you have provided them, your name and telephone number in order to respond to your inquiries. We delete data arising in this respect after storage is no longer necessary or, in the case of legal storage obligations, restrict their processing.

(4) If we use contract service providers for individual functions of our offer or if we wish to use your data for advertising purposes, we will inform you in detail about the respective processes below. We will also inform you of the specified criteria for the storage period and the procedure for exercising the right of withdrawal or blocking of your data for such purposes. You are free to exercise this right

III. Collection and Processing of personal data when using CURIA
When downloading CURIA, the required information is transferred to the App Store or Google Play Store ( and, in particular the user name, e-mail address, time of the download and the individual device ID number. We have no influence on this data collection and are not responsible for it. We process data only to the extent necessary to download CURIA on your mobile device. This processing is carried out on the basis of your consent in accordance with Art. 6 para. 1 (a) GDPR and Art. 5 GDPR.

With the uninstallation, the active processing of your personal data will be stopped. After 30 months from the date of uninstallation, the data will be deleted due to the discontinuation of the respective purpose, unless we are subject to legal retention obligations. We accept the loss of purpose after this period because we assume that you are no longer likely to use our services again after this period. However, to give you the opportunity to restore your profile after a shorter period of time, for example, because you previously deleted the application due to lack of need, we temporarily store the data for you. However, if you wish to revoke your consent and not just temporarily suspend its use, you can do so by clicking the “Delete all my personal data” button.

§1 When using CURIA, the following data is collected from the log file:
– IP address, also in the API logs.
– Date and time of the request
– Content of the request (specific page, specific API endpoint)
– Access status / HTTP status code
– Amount of data transferred in each case
– End device from which the request originates
– User agent
– Operating system and its interface
– Language and version of the user agent.

On the one hand, this data is mandatory for us from a technical point of view in order to be able to offer the various CURIA functions as well as to ensure the stability and security of CURIA and, on the other hand, to enable convenient use of the functions. This purpose of processing also represents the legitimate interest which, according to Art. 6 para. 1 p. 1 lit. f) GDPR and Art. 5 GDPR, is the legal basis for data processing.

IP addresses in the log files are deleted after 14 days.

§2 In addition, when CURIA is started for the first time, each installation is assigned a unique installation ID, which is stored on an Innoplexus server. It contains no personal data. If you remove CURIA and then reinstall it, a new installation ID will be generated. This will be assigned so that a connection to the Innoplexus server can be established when starting CURIA on the mobile device, and to check whether the version of CURIA you are using is still up to date. CURIA may be updated, among other things, to implement new functions or to ensure data security.

§3 In order to use the free CURIA services, you must register with your first and last name, e-mail address and telephone number. In this mode a contract of use is created between Innoplexus and you and you will receive your own user account. The legal basis for this is Art. 6 para. 1 b) GDPR and Art. 5 inc. d) LPDP, because we use this personal data for the execution of this contract. The data you provide will be transferred to the Google Cloud and stored on a server in Germany. Google Cloud is operated by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 United States of America.

You can also log in via your Google user account. For this purpose, we collect the following personal data:
– First and last name(s)
– email address

Please refer to Google’s privacy policy to determine the extent to which the personal data you disclose through your subsequent use of CURIA will be processed by Google.

You can also log in through your Apple user account. For this purpose, we collect the following personal data:
– First and last name(s)
– email address

Please refer to Apple’s privacy policy to determine the extent to which the personal data you disclose through subsequent use of CURIA will be processed by Apple.

You can delete your user account at any time by clicking the “Delete my personal data” button within CURIA. Personal data processed by us will be deleted in accordance with Art. 17 GDPR or blocked or restricted in processing in accordance with Art. 18 GDPR and Art. 16 GDPR. Data stored by us will be deleted as soon as the purpose of storage is no longer applicable and the deletion does not conflict with any legal retention obligations.

§4 If you wish to receive information about possible therapeutic options, physicians and clinical trials, you can complete the questionnaire we provide you with questions about your clinical picture. Cancer-specific parameters such as information on genetic mutations, the respective cancer status, etc. will be requested. The information you provide is voluntary and is solely for the purpose of enabling us to provide you with information.

The processing is based on your consent (Art. 6 para. 1 a) GDPR and Art. 5 LPDP). You are free to withdraw your consent at any time with effect for the future without giving reasons. This does not affect the lawfulness of the processing carried out up to that point.

You also have the option to register to participate in clinical trials. To do so, you must provide the following information: Details about the study in which you wish to register, your location, contact information (telephone number or e-mail address), information about your medical inclusion and exclusion criteria. The provision of this personal data is voluntary and based on your consent (Art. 6 para. 1 a) GDPR and Art. 5 LPDP). The purpose of the processing is to carry out the selection procedure. You are free at any time to revoke your consent with effect for the future without giving reasons by selecting the option “Delete all my personal data” in the application. This gives you the option to delete all personal data. After clicking the “Delete all my personal data” option, you will receive an automatic e-mail confirming the deletion of your data. This does not affect the legality of the processing carried out until the deletion.

Registration to participate in other types of clinical trials (such as therapeutic or pharmacological products) requires compliance with strict protocols, ethical evaluations and registrations with health authorities (Agreement N° 1480/2011 issued by the Ministry of Health and Agreement N° 667/2010 issued by the National Administration of Drugs, Food and Medical Technology ‘ANMAT’).

Companies conducting observational studies in which data linked to individuals are analyzed must obtain informed consent from the participant and are also subject to evaluation by a Research Ethics Committee (REC). The IRB must approve both the information provided to potential participants and the mechanisms in place to protect their privacy and confidentiality. For this purpose, it is mandatory to be registered with the National Health Research Registry. When only non-binding data are used in the research, both the requirement for informed consent and IRB review are exempted. Data that are originally linked and then anonymized are considered nonlinkable. In order to anonymize data, the data subject must have given prior consent.

Completed questionnaires and registrations for participation in clinical trials are transferred to the Google Cloud and stored on a server in Germany. Google Cloud is operated by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. If you have met all eligibility criteria for the clinical trial application, the personal data you have provided will be transferred to the internal clinical trials board of Innoplexus. This data can be accessed by the CURIA application team, which is partly based in India and belongs to Innoplexus Pune.

§5 We use Google Analytics and Google Firebase, both services provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, to analyze the generalized use of CURIA, including, but not limited to, installation / uninstallation of the app, disease questionnaires, treatment search activities and clinical trial enrollment, login and password forgotten (Google Analytics).

Collect diagnostic data to ensure the technical stability of the application (Google Firebase).

Your IP address will be processed. We use Google’s anonymization function, whereby the IP address is shortened in the EU/EEA for anonymization purposes and transmitted in shortened form to Google servers in the USA. We use the anonymized reports on the general use of CURIA created by Google and transmitted to us to continuously improve our service and increase the user-friendliness of CURIA. The reports we receive do not contain personal data. We process the information for the aforementioned purposes on the basis of your previously granted consent in accordance with Art. 6 para. 1 a) GDPR and Art. 5 of the GDPR.

The data will be deleted when they are no longer necessary for the purpose of their collection because the option to collect and process further diagnostic and usage behavior information in the CURIA app has been deactivated.

For more information, please refer to the terms and conditions of Google Analytics and Google Firebase.

You are free to revoke your consent at any time with effect for the future without stating reasons. This does not affect the lawfulness of the processing carried out up to that point.

IV. Collection and Processing of personal data when using the Cancer Twin feature
A Curia Twin is a patient in the Curia community whose cancer diagnosis is similar to yours. Curia twins can use a private chat to share experiences. The chat is based on Ethereum blockchain technology. The goal of the new functionality is to bring cancer patients closer together.

§1 As part of a matching process, you as a user will be matched with maximum 3 other cancer patients, the Curia Twins (Cancer Twins), who have activated this feature and have a similar profile. To find a matching Curia twin, the following parameters are compared, which we collect from you to carry out the matching process:
– Cancer indication
– Stage
– Hormone receptors
– Genetic markers
– Gender (sex)
– Age
– Other health data, according to cancer type
– Distance

Innoplexus uses this data for matching purposes only, but does not share it with patients in the Curia community.

The purpose of this function is to bring cancer patients together and to promote the exchange of experiences and information among patients who have a similar cancer diagnosis. The processing is based on your explicit consent (art. 6, para. 1 lit. a RGPD and and art. 5 LPDP). You are free to revoke your consent at any time without giving reasons with effect for the future. This does not affect the lawfulness of the processing carried out up to that point.

If the last date of access to the account is more than 6 months ago, the corresponding profile is automatically deleted from the database and can no longer be matched with new Cancer Twins.

§2 Curia Twins can interact in a chat integrated in the CURIA application. Patients must register for the feature and select an alias before being matched with their Curia twin(s). This alias can be edited in the settings. When users exchange messages via the built-in chat, messages are stored end-to-end encrypted via Ethereum’s public blockchain technology.

For this purpose, Innoplexus has provided a node that acts as an intermediary to forward the chat message to the Ethereum blockchain. Before a message is transmitted and stored on the blockchain, it is fully encrypted locally on the patient’s mobile device using end-to-end encryption. The private key needed to encrypt the message is stored on their physical device at all times and is not shared with Innoplexus or other users. Only when the encrypted message is received by the recipient is the message decrypted with the corresponding key on the mobile device of the Curia twin who received the message.

The aim of this chat function is to enable the exchange of information and experiences in a simple and unobtrusive way, while offering a high level of security. The processing is based on your consent (art. 6, para. 1 of the GDPR and art. 5 LPDP). You are free to revoke your consent at any time without giving reasons with effect for the future. The lawfulness of the processing carried out up to that point will not be affected thereby.

In this case, the chat associated with your profile will be deleted from your device, the private key is lost and no one can decrypt the data, not even Curia / Innoplexus. The alias and chat content on the device of the Curia twin with whom the messages were exchanged will also disappear. In addition, your profile will be automatically removed from the Curia Twins database if the last access date was more than 6 months ago.

Usually, the server location cannot be assigned to a specific country due to the infrastructure of the blockchain technology (Ethereum’s public one), but by encrypting the chat content using a public key encryption method, the data is highly pseudonymized for everyone else, so a data transfer to a third country can be considered “secure”.

Encrypted metadata is not stored on the Ethereum blockchain.

V. International Transfer. Express Consent.
The User understands and agrees that the domicile of the servers of Google Inc (who provides or operates Google Clude, Google Analytics and Google Firebase services) and/or of Innoplexus Pune or its affiliates and/or of the servers to which information is transferred through blockchain technology could be located in countries that, in accordance with the provisions of Provision 60 – E/2016 issued by the DNPDP, do not ensure adequate levels of protection for personal data, authorizing and consenting hereby to the international transfer of their data to such jurisdictions, in accordance with the provisions of art. 12 of Decree No. 1558/2001.

VI. Security measures
Innoplexus states that it adopts with respect to Personal Data all the security measures established by provision 47/2018 of the Argentine Agency for Access to Public Information, in order to ensure an adequate level of security and confidentiality of the data of Users from such countries.

VII. Confidentiality
Personal data collected by Innoplexus shall not be disclosed or transferred to third parties without the express authorization of the Users, except: (i) when there is a legal obligation to do so, (ii) by virtue of an order issued by a competent judicial authority.

VIII. Minors
The User declares to be over 18 years of age and/or to have the express authorization of his/her parents or guardians and to be fully capable and competent to accept this Privacy Policy.

Innoplexus does not knowingly collect Personal Data from minors under 18 years of age without authorization from their parents or guardians.

IX. E-Mail-Marketing
We will only send you marketing information electronically (e.g. by email) only when you have actively provided your consent to us for this processing. We will contact you to let you know about the progress we are making against the latest research developments, advice, on our products and services etc. We also notify you about the introduction of new functions, announce the conclusion of new partnerships and what this means for you when using CURIA.

You can withdraw your consent at any time by clicking the Unsubscribe; link provided in the emails.Even if you opt out of receiving promotional messages from us, you will continue to receive administrative messages from us.

X. Your Rights
(1) You have the following rights towards us with respect to your Personal Data:
– The User has the right to exercise the right to access his or her personal data free of charge at intervals of no less than six months, unless a legitimate interest to that effect is accredited, as set forth in Article 14, paragraph 3 of Law No. 25,326.

– The User also has the right to request the rectification, updating or deletion of his/her personal data. The exercise of such rights may be made effective through a communication addressed to Innoplexus at []. Once the communication is received, the company will proceed to rectify, update and/or delete the Personal Data in the terms established by the Argentine regulations, when appropriate.

– Right to information – Art. 15 RGPD,
– Right to limitation of processing – Art. 18 RGPD,
– Right to object to processing – Art. 21 RGPD,
– Right to the transfer of data – Art. 20 RGPD.
– Right of withdrawal according to Art. 7 para. 3 of the GDPR

(2) You also have the right to go to a data protection supervisory authority in your country and file a complaint about the processing of your personal data by our association.

In compliance with the provisions of Resolution 14/2018 issued by the Agency of Access to Public Information we inform that “THE AGENCY OF ACCESS TO PUBLIC INFORMATION, in its capacity as Supervisory Body of Law No. 25,326, has the power to address the complaints and claims filed by those whose rights are affected by a breach of the rules in force regarding the protection of personal data.

For users in Argentina, the applicable law, in relation to their personal data and privacy, is the LPDP, Decree No. 1558/2001, Provision 15/2018 of the DNPDP and other regulations relating to the protection of Personal Data in Argentina, as well as the provisions of the GDP

Last updated 30th of August 2022