Data Privacy Policy

1. Who We Are & How to Contact Us

Curekey LLC
16192 Coastal Highway
Lewes, County of Sussex, Delaware 19958
Email: support@curekey.com

2. Scope of This Policy & Relationship to Medical Groups & Pharmacies

Curekey provides non-clinical technology, support, and administrative services that enable you to access independent medical groups and licensed clinicians (“Medical Groups” and “Providers”) as well as independent mail-order pharmacies (“Pharmacies”).

Important clarifications:

• Curekey does not provide medical care.

Any diagnosis, treatment, or prescription is provided solely by a third-party Medical Group and its licensed Providers.

• Medical Groups provide their own HIPAA Notice of Privacy Practices.

This governs how they may use and disclose Protected Health Information (PHI).

• This Privacy Policy explains how Curekey handles personal information in our own capacity, including some health-related information you submit to us. When Curekey processes PHI on behalf of a Medical Group or Pharmacy, we do so under HIPAA and our Business Associate Agreements (BAAs).

This Policy does not apply to third-party websites or services linked through our platform.

3. Information We Collect

We collect information in three ways: (A) you provide it, (B) we collect it automatically, and (C) we receive it from third parties.

A. Information You Provide to Us

Account & Contact Information

• Name, email, phone number
• Billing/shipping address
• Date of birth

Identity Verification

• Photos of government-issued ID
• Selfies or short videos
• Identity-check metadata (to prevent fraud)

Health & Intake Information

• Medical history, symptoms, conditions
• Treatment goals and questionnaire responses
• Photos of hair/scalp
  When submitted for Provider evaluation, this information may become PHI.

Purchases & Subscriptions

• Order history
• Payment tokens (we do not store full card numbers)
• Subscription preferences

User-Generated Content

• Messages, reviews, survey answers
• Support requests and communications

B. Information We Collect Automatically

Through cookies, pixels, SDKs, and server logs, we may collect:

Device & Usage Data

• IP address, device type, operating system
• Browser type, URLs visited, timestamps
• Error logs and diagnostic information

Cookie Identifiers

• Session cookies, analytics cookies, ad measurement identifiers

Approximate Location

• Derived from IP address unless you disable or restrict this

See Section 10 for cookie details.

C. Information from Third Parties

We may receive information from:

• Payment processors (fraud detection & authorization)
• Identity verification vendors
• Analytics and advertising partners
• Medical Groups/Providers & Pharmacies (e.g., order fulfillment status)
• Logistics and shipping vendors

We do not receive full clinical records unless required for care coordination.

4. How We Use Personal Information

We use information to:

Provide and improve the Services

• Create and manage accounts
• Facilitate telehealth connections
• Process orders, payments, and shipping
• Maintain subscriptions

Support clinical workflows

• Provide intake information to Providers
• Coordinate prescription fulfillment with Pharmacies

Ensure trust, safety, and fraud prevention

• Verify identity
• Detect suspicious or abusive behavior
• Secure our platform

Communicate with you

• Order and shipping updates
• Appointment notifications
• Service announcements
• Customer support messages

Marketing and analytics

• Send promotional communications (optional)
• Measure performance of ads and website features
• Conduct research, testing, and product improvements

Legal and compliance

• Satisfy regulatory obligations
• Enforce our Terms of Service
• Respond to lawful requests

HIPAA Note:

When acting as a Business Associate to a Medical Group or Pharmacy, Curekey uses and discloses PHI only as permitted by HIPAA, the BAAs, and applicable law.

5. Legal Bases for Processing (EEA/UK Visitors Only)

Where applicable, processing is based on:

• Contract performance (providing the Services)
• Your consent (e.g., certain health info, marketing cookies)
• Legitimate interests (security, fraud prevention, service improvement)
• Compliance with legal obligations

6. How We Share Information

We may share information with:

Medical Groups & Providers

• To facilitate intake, telehealth consultations, and treatment
• This may include PHI

Pharmacies

• To process and ship prescribed medications
• This may include PHI

Service Providers / Vendors

Including:

• Hosting & data storage
• Analytics & advertising measurement
• Payment processing
• Identity verification
• Customer support
• Email/SMS delivery
• Security & fraud prevention

All vendors operate under strict contractual confidentiality and security requirements.

Advertising & Analytics Partners

• For measurement and cross-context behavioral advertising
• Some disclosures may be considered “sale” or “sharing” under state law
• Users can opt out — see Section 13

Legal, Safety, and Compliance

• To comply with court orders, subpoenas, or regulatory requests
• To protect rights, safety, or prevent fraud

Business Transfers

If Curekey undergoes a merger, acquisition, financing, or sale of assets.

We do NOT:

• Sell PHI
• Share SMS opt-in consent with unauthorized third parties

7. Your Choices and Controls

You may:

• Access or update account information
• Opt out of marketing emails/SMS at any time
• Manage cookies, advertising identifiers, and browser settings
• Request deletion, correction, or copies of your data (where applicable)
• Withdraw telehealth consent from Medical Groups (may impact your ability to receive care)

To exercise any rights: support@curekey.com

8. Data Retention

We retain data as long as necessary to:

• Provide the Services
• Meet legal, regulatory, and tax obligations
• Maintain pharmacy and telehealth compliance
• Resolve disputes and enforce agreements

When data is no longer required, we securely delete or de-identify it.

9. Children’s Privacy

Curekey does not knowingly collect personal information from children under 13.
We do not knowingly sell/share personal information from users under 16.

If you believe a child has provided information, contact us immediately.

10. Cookies, Pixels & Similar Technologies

We use:

• Essential cookies
• Performance/analytics cookies
• Functionality cookies
• Advertising cookies/pixels

Uses include login functionality, remembering preferences, measuring site usage, and delivering/optimizing ads.

You may manage cookies through:

• Browser settings
• Cookie banner / preference tools
• Global Privacy Control (GPC) — which we honor where required

11. Security

Curekey uses technical, administrative, and physical safeguards to protect data.
No system is 100% secure. If you suspect unauthorized access, notify support@curekey.com immediately.

12. Communications & SMS Terms (Summary)

By providing your phone number/email, you consent to receive:

• Account communications
• Order updates
• Service notifications

Marketing messages are optional and may be opted out at any time.
Message/data rates may apply. Frequency varies.
Full SMS terms may be presented at opt-in or on our website.

13. U.S. State Privacy Rights (CA/CO/CT/VA/UT and others)

Depending on your state, you may have the right to:

• Know/access personal information
• Delete personal information
• Correct inaccuracies
• Opt out of sale or sharing of personal information
• Limit use of certain sensitive information
• Exercise rights without discrimination

To submit a request, email: support@curekey.com with subject “Privacy Request.”

We will verify your identity before processing requests.

We do not sell PHI.

We may “sell” or “share” personal information (non-PHI) for advertising purposes as defined by certain state laws. You may opt-out at any time using:

• Our cookie banner
• GPC signals
• Email request

14. International Users

Our Services are intended for U.S. residents.
If you access the Services from outside the U.S., your data will be processed in the United States, which may have different data protection laws.

15. HIPAA Notice for Telehealth & Pharmacy Services

When Curekey acts as a Business Associate to Medical Groups or Pharmacies:

• We follow HIPAA regulations
• We only use/disclose PHI as permitted
• We implement required administrative, technical, and physical safeguards

HIPAA Patient Rights include:

• Access to your PHI
• Request corrections
• Request restrictions
• Receive an accounting of disclosures
• File a HIPAA complaint

HIPAA Contact:
Geoffrey Bonnechere – Privacy Official
Email: support@curekey.com
Address: 16192 Coastal Highway, Lewes, DE 19958

16. Third-Party Sites & Services

Our Services may link to external websites/apps.
Curekey is not responsible for their privacy practices.
Review their policies accordingly.

17. Updates to This Policy

We may update this Privacy Policy periodically.
The “Effective Date” indicates the latest version.
Material changes will be posted on our website and, where required, we will notify you or request consent.

18. Shine the Light (California Residents)

California Civil Code §1798.83 allows residents to request information about sharing with third parties for direct marketing.
Submit requests to: support@curekey.com

19. Examples of Service Providers & Third Parties

Examples include (subject to change):

• Hosting/CDN providers
• Cloud storage
• Analytics & attribution vendors
• Ad networks (e.g., Meta, TikTok, Google)
• Identity verification tools
• Payment processors
• CRM and customer communication systems
• Fraud-prevention and security tools

For more details or vendor-specific questions, email support@curekey.com.

20. Contact Us

For privacy questions, data requests, or HIPAA concerns:

support@curekey.com
Curekey LLC
16192 Coastal Highway
Lewes, Delaware 19958