
Privacy Policy

Version 1.0 · effective 23 June 2026

1. WHO IS RESPONSIBLE FOR YOUR DATA (CONTROLLER)

DHM Agency sp. z o.o., ul. Smoleńska 53, 85-871 Bydgoszcz, Poland, NIP 9532804608, operating as CuraPoland, is the controller of your personal data. Contact for privacy matters: support@curapoland.com.

2. WHAT DATA WE COLLECT

- Name, email, country of residence — personal data (Art. 6).
- Your selected procedure, case description, treatment preferences — health data, special category (Art. 9).
- Photos, X-rays / CT scans you upload — health data (Art. 9).
- Messages between you and your advisor — often health data, treated as Art. 9.
- Payment confirmation / proof — personal / financial data.
- Technical data (device, usage) — personal data.

3. WHY WE USE IT AND ON WHAT LEGAL BASIS

- To match you with clinics, collect quotes and produce your report / coordinate your trip — performance of our service to you (Art. 6(1)(b)).
- To process your health data for matching and treatment planning — your explicit consent (Art. 9(2)(a)). You can withdraw consent at any time.
- To share your data with clinics you select so they can prepare an offer and treat you — your explicit consent (Art. 9(2)(a)).
- To take payment and keep accounting records — legal obligation (Art. 6(1)(c)) and our legitimate interest.
- To improve and secure the service — legitimate interest (Art. 6(1)(f)).
- Marketing — only with your separate, optional consent.

4. WHO WE SHARE IT WITH (RECIPIENTS)

4.1. Clinics in Poland. At the enquiry stage, clinics receive your case description without identifying details (pseudonymised). Your identity and health images (X-rays/CT) are shared only with the specific clinic(s) you choose, and only as needed to prepare an offer and treat you. Once shared, the clinic becomes an independent controller of that data.

4.2. Service providers (processors) acting only on our instructions, each under a data-processing agreement:

- Supabase (database & file storage) — your case data and files stored in the EU (Frankfurt, eu-central-1); US parent company; DPA with EU Standard Contractual Clauses + UK Addendum.
- Vercel (application hosting) — runs the website/app that processes your data in transit; US company; EU-US Data Privacy Framework + EU SCCs + UK Addendum.
- Resend (transactional email) — sends service emails from the EU (Ireland, eu-west-1); account metadata stored in the US; DPA with EU SCCs + Data Privacy Framework.
- Stripe (payments) — processes your payment; DPA with EU SCCs + Data Privacy Framework.

Your case description, photos and X-rays/CT are stored in the EU (Frankfurt). We do not put health images into emails.

4.3. We do not sell your data.

5. INTERNATIONAL TRANSFERS (UK ↔ EU AND BEYOND)

We are based in the EU (Poland); many patients are in the UK. The European Commission renewed the UK adequacy decision in January 2026, valid until 27 December 2031, so personal data can flow freely between the UK and the EU. Your core data (including health data and files) is stored in the EU (Frankfurt). Some processors are US-based or store certain operational data in the US; those transfers are covered by the EU-US Data Privacy Framework and/or EU Standard Contractual Clauses with the UK Addendum.

6. HOW LONG WE KEEP IT (RETENTION)

- Case / health data — for the duration of your case and up to 24 months after your case is closed, then deleted or anonymised.
- Accounting documents — for the period required by tax law (in Poland, 5 years from the end of the relevant year).
- Consent records — kept as long as needed to demonstrate compliance, then deleted.
- If you withdraw consent and there is no other lawful basis, we delete the relevant health data without undue delay.

7. YOUR RIGHTS

You have the right to: access your data; rectify it; erase it; restrict or object to processing; data portability; and to withdraw consent at any time (without affecting prior processing). You can also lodge a complaint with the supervisory authority — in Poland, the President of the Personal Data Protection Office (UODO); in the UK, the ICO. To exercise any right, contact support@curapoland.com.

8. AUTOMATED PROCESSING

We use an automated algorithm to shortlist and rank clinics that fit your case. This supports the service — a human advisor is involved and you always choose which clinics to proceed with. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing (Art. 22 GDPR).

9. SECURITY

We use technical and organisational measures to protect your data: private storage with time-limited access links, server-side-only database credentials, and access controls. We will notify you and the authority of any breach as required by law.

10. CHANGES

We may update this Policy; the current version is published at curapoland.com. Material changes will be communicated.

Controller: DHM Agency sp. z o.o. · ul. Smoleńska 53, 85-871 Bydgoszcz, Poland · NIP 9532804608 · support@curapoland.com