Privacy policy for CURIATM App

Use of our mobile app

I. Information on the collection of personal data
(1) We provide you with a mobile app (“CURIATM”) that you can download to your mobile device. In the following, we provide information about the collection of personal data when using CURIATM. Personal data are all data that can be personally related to you, e.g., name, address, email addresses, health information, user behavior. This Privacy Policy explains the types of Personal Data as this term is defined in the laws of the Member States of the European Union and the United Kingdom and Personal Information as this latter term is defined within the California Consumer Privacy Act (“CCPA”) and U.S. states that have enacted privacy laws to the extent those laws apply to us and to you. If CCPA or a U.S. state privacy law applies to you as a resident of the state of California (collectively referenced as “Personal Data” throughout this Privacy Policy) or a state that has enacted a privacy law how we collect, how we process that data, and how we will protect it, in accordance with applicable law, though we do not concede the applicability of any U.S. state law to us and the applicability of those laws is determined by the text of the laws themselves.

(2) The person responsible in accordance with Art. 4 para. 7 of the EU General Data Protection Regulation (GDPR) is
Innoplexus AG,
Frankfurter Str. 27, 65760 Eschborn, Germany
info@curia.app (see our imprint: www.curia.app/impressum) (Innoplexus).

The company data protection officer of Innoplexus can be contacted at the above address, at Datenschutzabteilung, or at compliance@innoplexus.com.

(3) When you contact us via email or a contact form, we will store your email address and, if you have provided it, your name and telephone number to answer your questions. We delete the data arising in this connection after storage is no longer required or – in the case of legal storage obligations – restrict processing.

(4) If we use contracted service providers for individual functions of our offer or wish to use your data for advertising purposes, we will inform you in detail about the respective processes below. We will also state the specified criteria for the storage period.

II. Processing of personal data when using CURIATM
When downloading CURIATM, the required information is transferred to the App Store or Google Play store, in particular user name, email address, time of download and the individual device ID number and is processed pursuant to Apple’s privacy policy or Play store privacy policy, linked here: https://www.apple.com/legal/privacy/en-ww/ and https://policies.google.com/privacy?hl=en-US. We have no influence on this data collection and are not responsible for it. We process the data only to the extent necessary for downloading CURIATM to your mobile device. This processing takes place on the basis of your consent according to Art. 6 para. 1 lit. a GDPR.

By uninstalling, the active processing of your personal data is stopped.
30 months from the date of uninstalling, the data will be deleted due to the discontinuation of purpose, unless we are subject to any statutory retention obligations. We accept the loss of purpose after this period because we assume that it is no longer likely that you will use our services again after this period. However, in order to give you the opportunity to restore your profile after a shorter period of time, e.g., because you deleted the app earlier for lack of necessity, we temporarily store the data for you.

However, if you wish to revoke your consent and not just temporarily suspend its use, you can do so by clicking the “Delete all my personal data” button.

§1 When using CURIATM, we collect the following log file data:
– IP address, also in the API logs
– Date and time of the request
– Content of the request (concrete page, concrete API endpoint)
– Access Status/HTTP Status Code
– Amount of data transferred in each case
– End device from which the request comes
– User Agent
– Operating system and its interface
– Language and version of the User Agent

On the one hand, this data is mandatory for us from a technical point of view in order to offer the various functions of CURIATM as well as to ensure the stability and security of CURIATM and, on the other hand, to enable a comfortable use of the functions. This processing purpose also represents the legitimate interest which, according to Art. 6 para. 1 p. 1 lit. f GDPR, is the legal basis for data processing.
IP addresses in log files are deleted after 14 days.

§2 Furthermore, when CURIATM is started for the first time, we assign a unique installation ID for each installation, which is stored on an Innoplexus server. It contains no personal data. If you delete CURIATM and then reinstall it, a new installation ID will be generated. This will be assigned so that a connection to the Innoplexus server can be established when starting CURIATM on the mobile device to check if the version of CURIATM you are using is still up to date. CURIATM can be updated to implement new features or to ensure data security.

§3 You must register with your first and last name, e-mail address and telephone number in order to take advantage of CURIATM’s free services. This creates a contract of use between Innoplexus and you, and you will receive your own user account. The legal basis for this is Art. 6 para. 1 p. 1 lit. b GDPR, because we use this personal data for the execution of this contract. The data you provide will be transferred to the Google Cloud and stored on a server in the USA. The Google Cloud is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. We have concluded so-called standard contractual clauses with Google, which guarantee an appropriate level of data protection.

Alternatively, you can log in using your Google user account. For this we collect the following personal data:
– First and Last Name
– E-mail address

To what extent the personal data disclosed by you through the subsequent use of CURIATM will be processed by Google, please refer to Google’s privacy policy.

Alternatively, you can log in using your Apple user account. For this we collect the following personal data:
– First and Last Name
– E-mail address
To what extent the personal data disclosed by you through the subsequent use of CURIATM will be processed by Apple, please refer to Apple’s privacy policy.

You can delete your account at any time by clicking the “Delete my personal data” button within CURIATM. The personal data processed by us will be deleted in accordance with Art. 17 GDPR or blocked or restricted in their processing in accordance with Art. 18 GDPR. The data stored by us will be deleted as soon as the purpose of storage no longer applies and the deletion is not contradicted by any legal storage obligations. 

§4 If you would like to receive information about possible treatment options, physicians and clinical studies, you can fill out the questionnaire provided by us with questions about your clinical picture. Cancer-specific parameters will be asked, such as information on genetic mutations, the status of the respective cancer, etc. The information you provide is voluntary and serves the sole purpose of enabling us to provide you with information.

The processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You are free to revoke your consent at any time with effect for the future without giving reasons by sending an email to info@curia.app. This does not affect the legality of the processing carried out up to that point.

You also have the option of registering for participation in clinical studies. To do so, you must provide the following information: Information about the study you wish to register for, your location, contact information (telephone number or e-mail address), information about your medical inclusion and exclusion criteria. The provision of this personal data is voluntary and is based on your consent (Art. 6 para. 1 lit. a GDPR). The purpose of the processing is to carry out the selection procedure. You are free at any time to revoke your consent with effect for the future without giving reasons by selecting the option “Delete all my personal data” in the app. This gives you the option to delete all personal data. After clicking on the “Delete all my personal data” option, you will receive an automated email confirming the deletion of your data. This does not affect the lawfulness of the processing that took place until the revocation.

The completed questionnaires and applications for participation in clinical trials are transferred to the Google Cloud and stored on a server in the USA. The Google Cloud is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. We have concluded so-called standard contractual clauses with Google, which guarantee an appropriate level of data protection. If you have met all eligibility criteria for the clinical trial request, the personal data you have provided will be transferred to the internal Innoplexus clinical trial dashboard. This data can be accessed by the CURIATM team, which is partly based in India and is part of Innoplexus Pune. Here, an appropriate level of data protection is ensured through the conclusion of standard contractual clauses.

§5 We use Google Analytics and Google Firebase, both services provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, to

  1. analyze the general use of CURIATM, especially app installations/uninstallations, disease questionnaires, activities in the search for treatment and enrollment in clinical trials, starting a session and forgetting a password (Google Analytics).
  2. collect diagnostic data to ensure technical stability of the app (Google Firebase).

Your IP address will be processed. We use the anonymization function of Google, whereby the IP address is shortened in the EU/EEA for anonymization purposes and is transmitted in shortened form to Google servers in the USA. We use the anonymized reports on the general use of CURIATM created by Google and transmitted to us in order to continuously improve our service and increase the user-friendliness of CURIATM. The reports we receive contain no personal data. We process the information for the aforementioned purposes on the basis of your previously granted consent in accordance with Art. 6 para. 1 lit. a GDPR.

The data is processed in the USA, for which we have so-called EU Standard Contractual Clauses with Google that guarantee an appropriate level of data protection.

The data will be deleted when they are no longer necessary for the purpose of their collection because the option to collect and further process information on diagnosis and usage behavior in CURIATM has been deactivated.

You are free to revoke your consent at any time with effect for the future without stating reasons. This does not affect the legality of the processing that has taken place up to that point.

III. Processing of personal data when using the Cancer Twin feature

A Cancer Twin is a patient in the CURIATM community whose cancer diagnosis is similar to yours. Cancer Twins can use a private chat to share experiences. The chat is based on Ethereum blockchain technology. The aim of the new feature is to bring cancer patients together.

§ 1 As part of a matching process, you as a user will be matched together with up to 3 other cancer patients, Cancer Twins, who have activated this feature and have a similar profile. In order to find a matching Cancer Twin, the following parameters are compared, which we collect from you to carry out the matching process:

– Cancer indication 
– Stage 
– Hormone receptors 
– Genetic markers 
– Sex
– Age
– Other health data, depending on cancer type 
– Distance

The purpose of this feature is to bring together cancer patients and promote the exchange of experiences and information between patients who have a similar cancer diagnosis. The processing is based on your explicit consent (Art. 6 para. 1 lit. a GDPR). You are free to revoke your consent at any time without giving reasons with effect for the future. This does not affect the legality of the processing carried out up to that point.

If the last login date is more than 6 months ago, the corresponding profile is automatically removed from the database and can no longer be matched with new Cancer Twins.

§ 2 Cancer Twins can exchange information in a chat integrated in CURIATM. Patients must register for the feature and select a nickname before being matched with their Cancer Twin(s). This nickname can be edited in the settings. When users exchange messages via the built-in chat, the end-to-end encrypted messages are stored on a public Ethereum blockchain.

For this purpose, Innoplexus has provided a node that takes on the function of an intermediary to forward the chat message to the Ethereum blockchain. Before a message is transmitted and stored on the blockchain, it is fully encrypted locally on the patient’s mobile device using end-to-end encryption. The private key needed to encrypt the message is stored on your physical device the whole time and is not shared with Innoplexus or other users. Only when the encrypted message is received by the Cancer Twin is it decrypted with a corresponding key on the mobile device of the Cancer Twin who is to receive the message.

The purpose of this chat function is to enable the exchange of information and experiences in a simple way and without big hurdles, offering at the same time a high level of security. The processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You are free to revoke your consent at any time without giving reasons with effect for the future. This does not affect the legality of the processing carried out up to that point.

In this case, the chat associated with your profile will be deleted from your device. In this case, the private key is lost and no one can decrypt the data, not even CURIATM or Innoplexus AG. The nickname and chat content on the device of the Cancer Twin with whom messages were exchanged also disappear. Besides this, your profile will be automatically removed from the Cancer Twin database if the last login date is more than 6 months ago.

The server location cannot generally be assigned to a specific country due to the blockchain infrastructure (Public Ethereum blockchain), but by encrypting the chat content using a public key encryption method, the data is highly pseudonymised for everyone else, so that a data transfer to a third country can be considered “safe”.

Hashed metadata is not stored on the Ethereum blockchain.

IV. Login Through Google

It is not necessary for you to access your CURIATM account by logging in through any social media platform. If you have an account with Google, though, you may log into your CURIATM account through Google by clicking on the Google button on the login screen. If you log into your CURIATM account in this way, your first name, last name and email address (which Google will process to authenticate that your email address indicates that your Gmail account is valid) will be shared with Google. No other personal data and no health information will be shared with Google, but your name and email address will be processed by Google, and the scope of that processing and your options with regard to that processing may be found in Google’s Privacy Policy at https://policies.google.com/privacy?hl=en-US.

V. E-Mail-Marketing
We will send you marketing information electronically (e.g. by email) only when you have actively provided your consent to us for this processing. We will contact you to let you know about the progress we are making against the latest research developments, advice, on our products and services etc. We also notify you about the introduction of new functions, announce the conclusion of new partnerships and what this means for you when using CURIATM.

You can withdraw your consent at any time by clicking the “Unsubscribe” link provided in the emails. Even if you opt out of receiving promotional messages from us, you will continue to receive administrative messages from us.

VI. Your rights: EU/EEA

(1) As a resident of a European Union Member State/EEA, you have the following rights towards us regarding your personal data:

– Right of access – Art. 15 GDPR,
– Right to rectification or erasure – Art. 16 and 17 GDPR,
– Right to restriction of processing – Art. 18 GDPR,
– Right to object to the processing – Art. 21 GDPR,
– Right to data portability – Art. 20 GDPR,
– Right of withdrawal according to Art. 7 para. 3 GDPR

(2) You also have the right to complain to a data protection supervisory authority of your choice about the processing of your personal data by our association. Responsible for us is the 

Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1
Postfach 3163
65189 Wiesbaden, Germany
Phone: +49 (0) 611 14080

For United Kingdom users, the applicable law regarding their data protection and privacy is the Data Protection Act 2018 and the respective articles of such as amended or revised from time to time.

California Residents

While many browsers permit you to send a signal about your Do Not Track (“DNT”) preferences, we do not respond to DNT signals sent from browsers.

If CCPA applies to you and to us (and we do not concede that it applies to us), then California Civil Code Section 1798.83, the California Consumer Privacy Act (“CCPA”), permits you to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please send an email to info@curia.app.

CCPA also provides California residents with additional rights related to data privacy. If you have any questions about this section or whether it applies to you, please contact us at info@curia.app.

Pursuant to the CCPA California residents may, subject to certain exceptions within CCPA:

  • Request access to the specific and Personal Information that we have collected about you over the past twelve months, the categories of sources of that information, our business or commercial purposes for collecting the information, and the categories of third parties with whom the information was shared.
  • Obtain a copy of your Personal Information in a format that would permit you to transfer that Information to another repository.
  • Submit a request for deletion of Personal Information, subject to certain exceptions, including (without limitation) in the event that we may need to retain Personal Information to complete the transaction for which the Personal Information was collected, detect security incidents, protect against illegal activity, exercise certain rights of free speech, comply with a legal obligation or for internal uses permitted by law. If your request is subject to any exception, we may deny your request to delete your data.
  • Please note that you must verify your identity and request before further action is taken by us. To do so, we will notify you of what we require for identity verification via email.

Do Not Sell My Personal Information
(Innoplexus or CURIATM) does not sell Personal Information, but the CCPA defines sale more broadly than the traditional sense of an exchange of data for money and may encompass transactions in which we may share your Personal Information.  Accordingly, you may, subject to exceptions in CCPA, request that (Innoplexus or CURIATM) not “sell” your personal information by submitting this request to us at info@curia.app. Please be aware that certain sharing of your Personal Information, such as disclosures of that Information to “Service Providers” as that term is defined and in accordance with CCPA, or for certain business operations of (Innoplexus or CURIATM) are not considered “sale” of Personal Information.

CCPA comprises provisions that explicitly prohibit us from making any adverse decisions about you or your account based upon your exercise of this right (“non-discrimination”).

To exercise these rights, you may contact us at info@curia.app or at +49 6196-9677-311. Consistent with California law, you may designate an authorized agent to make a request on your behalf. In order to designate an authorized agent, please contact us via email or at +49 6196-9677-311.

Children’s Online Privacy Protection Act
(Innoplexus or CURIATM) complies with the Children’s Online Privacy Protection Act (COPPA), which requires the consent of a parent or guardian for the collection of personally identifiable information from children under 13 years of age. (Innoplexus or CURIATM) does not knowingly collect, use or disclose personal information from children under 13, or equivalent minimum age in the relevant jurisdiction, without verifiable parental consent. However, it is possible that we may inadvertently receive information pertaining to children under 13. If you believe that we have received information about your child that is under the age of 13, please do not hesitate to notify us at (privacy contact URL here). When we receive your notification, we will obtain your consent to retain the information or will delete it permanently.

Last updated 20th of October of 2021