Privacy Policy
Summary. This Privacy Policy explains how CURE51 collects, uses, shares, and protects personal information of data subjects. CURE51 gathers data such as the name, email address, and IP address to provide and improve its services, personalize the data subject’s experience, and communicate. This information may be shared with trusted third parties and is protected by appropriate security measures. Data subjects have the right to access, rectify, and delete personal data. For more details, refer to the General Terms and Conditions of Use (“GTCU”) and Cookie Policy. CURE51 may update this policy, so please review it regularly. For any questions, contact us at contact@cure51.com.
Table of contents
CURE51, acting as a data controller, is committed to processing and protecting personal data in compliance with key regulations, including the GDPR and the French "Informatics and Freedoms" Law. The company implements measures to safeguard personal data and ensures communication with data subjects regarding their rights and the processing of their data. This Privacy Policy applies to interactions with research professionals, patients, and users of the CURE51 website and the eCRF (electronic Clinical Record File) tool developed for the Rosalind study by CURE51, the Patient Profile Platform (PPP), ensuring transparency and adherence to legal standards.
CURE51 processes various types of personal data depending on its relationship with individuals and third parties. For patients in the Rosalind Study, which focuses on exceptional therapy responses in specific cancers, CURE51 collects pseudonymized health data for research purposes. Healthcare professionals' identity and contact details are also collected. For website users, data such as names, phone numbers, and email addresses are gathered through contact forms. Additionally, technical data like browsing history, IP addresses, and device information are collected to enhance user experience and site functionality.
CURE51 collects and uses personal data primarily for research and development, aiming to innovate in healthcare by studying patients with exceptional survival rates. This data is used exclusively for health research and is handled responsibly. Additionally, personal data is used to manage the website, enhance user experience, and respond to user inquiries, as well as to protect CURE51's legal rights and interests, complying with legal requests and ensuring the security of their services.
CURE51's collection and use of personal data are legitimized through several legal bases under GDPR Articles 6 and 9. This includes processing for legitimate interests, such as using research data to understand illnesses better and reusing information from past research, while balancing the rights of data subjects. Compliance with legal obligations necessitates processing for managing access requests and ensuring transparency with healthcare professionals. Additionally, CURE51 processes data based on explicit consent for specific purposes, like sending newsletters, and for fulfilling contractual obligations with data subjects or their employers.
CURE51 collects personal data both directly and indirectly. Direct collection occurs when individuals provide their information, such as during website visits. Indirect collection involves obtaining patient data through authorized partner organizations, which comply with their own confidentiality and data protection policies. CURE51 ensures the quality of indirectly collected data and may direct individuals to contact the partner organizations for questions regarding the initial data collection.
Access to personal data at CURE51 is strictly controlled and limited to authorized individuals and entities. Internally, access is granted to employees and specific centers based on their roles and necessity, ensuring confidentiality and compliance with processing purposes. Externally, data may be shared with legally authorized authorities, potential corporate transaction stakeholders, and GDPR-compliant suppliers, with CURE51 ensuring minimal and necessary data disclosure.
CURE51 retains personal data only as long as necessary for the purposes for which it was collected, adhering to legal and contractual obligations. Data from research activities is kept according to specific research regulations, with participant data retained for up to two years post-publication and archived for 20 years. Contact data is kept for three years post-collection or last contact, while customer relationship data is retained for three years post-relationship and archived based on liability periods. Legal request data is kept for one year. Beyond these periods, data is deleted or anonymized, except when required for legal compliance or evidentiary purposes. Cookies and traffic data are kept for six and thirteen months, respectively, before deletion or anonymization.
Individuals can exercise several rights regarding their personal data under applicable data protection laws. They can request confirmation of data processing and access their personal data in a commonly used electronic format, excluding confidential or legally restricted information. Individuals have the right to update or rectify inaccurate or outdated data. They can object to data processing, such as unsubscribing from newsletters. The right to erasure allows individuals to request data deletion under specific conditions, unless legal obligations or claims require retention. Data portability is granted for data processed based on consent or contract, provided in a machine-readable format. CURE51 does not use automated individual decision-making. Complaints regarding non-compliance can be lodged with the Commission Nationale de l’Informatique et des Libertés (CNIL).
To exercise the rights described, individuals must submit a written request via email to dpo@cure51.com or by post to 203 rue Saint Martin, 75003 Paris, including a copy of a signed identity document. As these rights are individual, CURE51 may verify the requester's identity for security reasons, potentially requesting additional information if there are doubts. Requests will be processed within one month, with a possible two-month extension for complex cases, of which the individual will be notified.
Some data recipients, including subcontractors and research partners, may be located outside the European Union, necessitating the transfer of personal data beyond the EU. Countries like Switzerland have adequacy decisions, ensuring GDPR-equivalent protection and allowing seamless data transfer. For countries without such decisions, CURE51 implements measures like standard contractual clauses and additional safeguards to ensure GDPR-compliant protection for transferred personal data.
CURE51 has implemented comprehensive technical and organizational measures to ensure the integrity and confidentiality of personal data. These measures consider the latest technology, implementation costs, and the nature and risks of data processing. Key security techniques include managing access rights to limit data access to authorized personnel, who are bound by confidentiality agreements. The company employs internal database backups and redundancy to prevent data loss and uses an HDS-certified host for health data. Regular security audits and vulnerability assessments are conducted, alongside an information systems security policy and business continuity plans. Security protocols include encrypted passwords and data transfer via HTTPS.
Privacy. CURE51 (hereinafter “CURE51”) takes your privacy very seriously and respects the information you entrust to it. This information is protected by law. It is under no circumstances intended to be communicated to third parties outside the context and for the reasons mentioned in this Privacy Policy.
Collected data. The purpose of this Privacy Policy is to inform you of the nature of the information concerning you that we will collect and use in the context of your visit to the Site and/or your use of the Services.
Modification of the Policy. CURE51 reserves the right to modify this Privacy Policy at any time. You are also invited to consult it regularly in order to be aware of any possible modifications. Any new use of the Site and/or communication of information to CURE51 after posting a new version of this Privacy Policy will constitute acceptance of this latest version.
Information. Although the list is intended to be as exhaustive as possible, any new use or modification or withdrawal of any existing processing will be notified to the data subjects by the publication of new versions of this Privacy Policy on the Site. CURE51 invites data subjects to regularly consult this Privacy Policy online in order to be aware of this new use, modification or withdrawal of any existing processing.
Definitions. The capitalized terms below have, if they are not defined in this document, the definition given to them in the General Terms and Conditions of Use (“GTCU”) and the Platform.
DATA CONTROLLER AND DATA SUBJECTS
CURE51 is the data controller. CURE51, as a data controller, processes and protects the personal data it collects. CURE51 undertakes to respect at least the following regulations: (i) Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms known as the amended “Informatics and Freedoms” Law and (ii) European Regulation No. 2016/679/EU of April 27, 2016 (applicable since May 25, 2018) on data protection (“GDPR”). To do this, CURE51 puts in place procedures and measures to protect your personal data, including in the event of use of subcontractors to carry out the processing of personal data described below.
Communication with the data subjects. The purpose of this Privacy Policy is to meet CURE51’s information obligation under the GDPR (articles 12 to 14) and to document the rights of data subjects regarding the processing of their personal data. Privacy and data protection information notices and/or a consent or non-objection form will be communicated to data subjects, if necessary, regarding the specific situations in which CURE51 may process personal health data. This confidentiality policy does not create any obligation beyond what is provided for by the applicable regulations and/or by the GTCU or other contract binding CURE51 with the data subjects.
Data subjects concerned by CURE51's data processing. This Privacy Policy applies to all processing of personal data of the data subject, within the framework of CURE51’s relations with (i) professionals involved in research, (ii) patients, (iii) any user of the website: https://www.cure51.com/ (the "Site").
DATA PROCESSING
The personal data that CURE51 processes about data subjects depends on CURE51's relationship with the data subjects, as well as with third parties with whom CURE51 works and who may provide CURE51 with access to the personal data. Thus, CURE51 may process the following personal data:
Non-technical personal data (depending on the circumstances)
Patients included in Rosalind
The Rosalind Study. CURE51 conducts a study with patients who respond exceptionally well to therapy and the molecular changes in their tumours that may explain this response. This research project is called the Rosalind Study. This research focuses on three cohorts covering metastatic pancreatic ductal adenocarcinoma ("PDAC"), glioblastoma ("GBM") and extensive stage small cell lung cancer ("SCLC") and relating to patients who survived more than five (5) years from the diagnosis date of PDAC and SCLC and three (3) years for GBM. Rosalind's objective is to analyze the biological and clinical signatures of patients who survived several years after cancer diagnosis with a very poor prognosis, in order to discover biomarkers, resistance signatures and therapeutic targets in the field of cancer. CURE51 collects health and genetic data from patients included in the study in order to carry out research and other information relevant to Rosalind.
Pseudonymized data. The data concerning patients included in Rosalind is always collected by a health professional working within an investigative center or a research location. The health professional does not send us information allowing direct identification, such as first name, last name, address or telephone number. A code is assigned in the databases, and only this code can make the link between health data and identity. Such data falls into the regulatory category of “pseudonymized data”.
Legitimate interest. The data we collect is always justified by the protocol that describes the research. It is analyzed and can be reused in aggregated or anonymized form to identify trends, develop new treatments, improve health care and contribute to the advancement of medical knowledge.
Information / consent form. Information notices and/or a consent form are communicated to patients included in Rosalind.
Healthcare professionals participating in Rosalind
We collect data relating to identity and identification (such as surname, first name, email address, telephone number) of healthcare professionals participating in Rosalind.
Site Users.
When filling out our contact form on our website (site www.cure51.com), the following data is collected:
First and last names,
Phone number,
The email address.
Technical personal data (depending on the circumstances)
We collect data relating to browsing history on the Site / PPP and activity data (access time, pages viewed, form completed on the Site, URL clicked, IP address, etc.). We also collect technical information, such as the type of browser and operating system used by the data subject or information on the data subject's device (unique device identifier, hardware model, operating system and version, mobile network information…).
CURE51’S USE OF PERSONAL DATA
Research and development activities
CURE51 collects and uses personal data, including health data, in order to carry out research and development activities, such as scientific studies, or any other type of scientific research projects. These activities contribute to the search for explanatory factors for patients who have survived poor prognoses with the aim of innovating in their care (new medications, new therapeutic modalities, etc.). The personal data thus collected is used solely for research purposes in the field of health. We are committed to using personal data responsibly and not sharing it with third parties without your explicit consent, except as required by law.
Ensuring the rights of data subjects
CURE51 ensures that personal data is processed in accordance with applicable data protection regulations, including when Data Subjects decide to exercise their rights with CURE51 in accordance with the GDPR.
Management of the Site
Management of the Site (contact form, etc.) requires the use of personal data to improve its operation, personalize the user experience, respond to user requests, send marketing information if the user has consented to receiving it.
Protecting the rights and interests of CURE51
CURE51 may use personal data (i) where required by law, (ii) upon request of a court, (iii) if we believe in good faith that disclosure is reasonably necessary to defend against any claim or third party accusation, or (iv) to protect the security or integrity of our services. We will notify you of any legal process which requires access to personal data, unless the law prohibits us from doing so. In cases where a court order specifies a period of non-disclosure of the request to data subjects, we will send a delayed notification after the expiration of the non-disclosure period.
CURE51’S LAWFULNESS IN DATA COLLECTION AND USE
The purposes for which CURE51 processes personal data described above are based on the legal basis described below pursuant to Articles 6 and 9 of the GDPR.
Processing is necessary for the purposes of CURE51's legitimate interest
Legitimate interest. When CURE51 processes personal data for its legitimate interest, CURE51 must take into account the fundamental rights and interests of the data subject, in order to assess whether the legitimate interests pursued by CURE51 do not create an imbalance with the fundamental rights and interests of the person concerned. The following processing operations implemented by CURE51 are concerned:
Use of information collected during observational research to better understand illness without changing anything in the usual care.
Reuse of information collected in previous research projects carried out by CURE51 or its partners.
Reuse of information collected in registers or cohorts
Reuse of information collected in the context of care.
Other processing of personal data by CURE51 based on its legitimate interest is as follows:
Protect CURE51 against fraudulent actions or omissions;
Management of contact relationships and commercial development;
Sending newsletters on CURE51 to healthcare professionals and/or subcontractors with whom CURE51 has pre-existing relationships as part of their professional activities.
Public interest. All our research projects meet the public interest criterion provided for by the Data Protection Act. Indeed, CURE51 carries out the processing of personal data that is useful and necessary to achieve the following public interest objectives:
Better understand diseases.
Develop new treatments.
The processing is necessary for the purposes of compliance with the legislation applicable to CURE51
CURE51 may process personal data in order to comply with the legal obligations applicable to CURE51 for the following purposes:
Management of access requests from data subjects.
Provide transparency regarding CURE51's relationship with healthcare professionals and/or healthcare organizations or academic institutions or hospitals.
The data subject has given consent to the processing of their personal data for one or more specific purposes
CURE51 may process personal data for one or more specific purposes for which the data subject has clearly expressed consent to the processing of their personal data for those purposes. For instance, communication of the CURE51 newsletter to the data subject is based on consent.
Processing is necessary for the purposes of the performance of a contract
CURE51 may process personal data in the context of the performance of a contract between the data subjects (or their employers) and CURE51.
SOURCES OF PERSONAL DATA
Direct. Personal data may be collected directly from the data subjects (direct collection), when visiting the website for instance.
Indirect. The collection of personal data relating to patients is indirect: it is carried out through specialized partners, such as CURE51 partner organizations, who are authorized to do so in compliance with their applicable law and in application of their own confidentiality and data protection policies. In such cases, CURE51 takes great care to ensure the quality of the data it receives. If data subjects have any questions relating to the initial collection of their personal data by the partner, where applicable, CURE51 may invite data subjects to contact them directly and/or refer to their data protection policies.
ACCESS OF PERSONAL DATA
Confidentiality. Taking into account the purpose(s) for which the Personal Data of data subjects is processed, CURE51 will ensure that the Personal Data is only accessible to authorized internal and external data recipients who have a need to know it. The recipients of personal data are bound by an obligation of confidentiality. In any case, CURE51 only provides them with the information strictly necessary for the processing of personal data in compliance with the identified purposes. CURE51 decides which data recipients can access which personal data through contract and/or internal policies.
Authorities. Personal data may also be transmitted to any authority legally authorized to receive it. In such cases, CURE51 is not responsible for the manner in which such authorities access and process personal data, but will limit the personal data to which such authorities have access to the strict minimum required by such authorities.
Internal recipients of CURE51 data.
Recipients of patient data. Persons authorized to have access to coded patient data are CURE51 employees.
Employees within CURE51: access to patient data within the strict framework of their missions
Investigative centers: only patient data transmitted to CURE51
Pilot centers (leads): access to all patient data from the cohort for which they are identified as scientific partners
The DPO of CURE51 if you contact him/her
Exceptionally, the staff of legally authorized health authorities and public control authorities in France or abroad.
Recipients of data of other data subjects. Depending on the purpose(s) of the processing and the personal data processed, authorized CURE51 personnel may include: the communications and marketing team; administrative and financial management; operations management.
External recipients of CURE51 data.
Depending on the purpose(s) of the processing and the Personal Data processed, the External Recipient of CURE51 data may include:
Judicial or administrative authorities, as required by applicable laws and regulations to which CURE51 may be subject;
Potential buyers and other stakeholders in the case of a corporate transaction such as a change of control of CURE51, resulting from a capital increase, a merger, a split or the total or partial sale of Commercial activities;
Suppliers selected on the basis of their compliance with the GDPR.
DURATION OF DATA RETENTION
Retention period of personal data.
CURE51 undertakes to ensure that the data collected is kept in a form allowing the identification for a period which does not exceed the duration necessary for the purposes for which this data is collected and processed. The retention period of personal data is defined by CURE51 in accordance with its legal and contractual obligations and according to specific needs, in particular in compliance with the following principles:
Data relating to patients and professionals involved in research activities: We apply regulations according to research typologies.
Data relating to research participants: CURE51 retains the Personal Data for the purpose of the Study up to two (2) years after the last publication of research results, or until the final report is signed. After the Study, and in compliance with legal obligations applicable to CURE51, the data is archived for a period of 20 years.
Personal data relating to contacts: Three (3) years from the collection of Personal Data by CURE51 or from the last contact established by the client or potential contact.
For the management of our commercial relationship with customer follow-up: the data is kept for 3 years from the end of the commercial relationship if the individual is a customer. Beyond that, the data is archived for the period when the lawyer's liability may be called into question.
For the management of legal requests regarding the personal data: the data is kept for 1 year.
Beyond the specified deadlines, personal data is either deleted or kept after anonymization, in particular for statistical purposes. They may be kept for evidentiary purposes in the case of pre-litigation and litigation. This data may also be retained for the purpose of complying with a legal obligation or kept in files in accordance with applicable regulations and laws.
Cookies in the interfaces
With regard to cookies, it is specified that the information stored in the terminal (e.g. cookies) or any other element used to identify the User for audience statistics purposes is not kept beyond a period of six (6) months. Beyond this period, the raw attendance data associated with an identifier is either deleted or anonymized. In order to ensure the proper functioning and permanent improvement of the Site and its functionalities, the raw traffic data associated with an identifier are kept for a period of thirteen (13) months. Beyond this period, they are deleted or anonymized. For more details, please read the Cookie Policy.
EXERCISING THE GDPR RIGHTS
As data subjects and in accordance with applicable data protection laws, individuals have the right to exercise the following rights:
Confirmation and right of access
Data subjects have the right to ask CURE51 to confirm whether or not their personal data is being processed and request a copy of their personal data. If data subjects request a copy of their personal data electronically, the requested information will be provided in a commonly used electronic format, unless otherwise indicated. Data subjects are informed that this right of access may not cover confidential information or data the communication of which is prohibited by law.
Rights of updating and rectification
Data subjects have the right to request that CURE51 rectify their personal data, in the event that their personal data is inaccurate, incomplete or out of date.
Right to object to processing activities
Data subjects have the right to object to the processing of their personal data, subject to any legal restrictions that may exist with regard to this right of objection. For example, with regard to the newsletter sent by CURE51 to data subjects, each of them can unsubscribe at any time by clicking on the “unsubscribe” link at the bottom of CURE51 newsletters.
Right to erasure
Data subjects may request the deletion of their data if one of the following criteria is met:
The personal data is no longer necessary for the purposes for which they were collected or otherwise processed;
If a data subject withdraws consent on which the processing was based and there is no other legal basis;
The data subject objects to the processing which is necessary for the pursuit of the legitimate interests of CURE51 and there is no other overriding legitimate reason for continuing the processing;
The personal data has been the subject of unlawful processing.
In accordance with the legislation on the protection of personal data, data subjects are informed that this is an individual right which can only be exercised by data subjects in relation to their own information. The data subject's right to erasure does not apply where the processing is carried out in accordance with a legal obligation or if the processing is necessary for the establishment, exercise or defense of legal claims.
Right to portability of personal data
CURE51 will grant requests for personal data portability for purposes based solely on personal consent or contract. In such cases, personal data will be communicated in a structured and commonly used format capable of being read by a machine.
Automated individual decision making
CURE51 does not engage in automated individual decision-making.
Complaint before the CNIL
In the event of non-compliance with “Informatics and Freedoms” rights, data subjects can lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL). To find out more: http://www.cnil.fr.
CONTACT
Any request relating to the exercise of the rights described above must be the subject of a written request sent by email to the address dpo@cure51.com or by post to the following address: 203 rue Saint Martin - 75003 Paris, accompanied by a copy of a signed identity document. In accordance with data protection laws and regulations, data subjects are informed that the rights set out above are individual rights which can only be exercised by the data subjects themselves with regard to their own information, so that, for security reasons, CURE51 may need to verify the identity of the data subject before communicating personal data to the data subject. If we have reasonable doubt about the identity, we may ask for additional information or documents in order to verify the identity. The request will be processed within one month at the latest, a period which may be extended by two months, taking into account the complexity of the request. In this case, the individual will be informed of this extension of time within one month of receipt of the request.
INTERNATIONAL TRANSFER OF PERSONAL DATA REGULATION
Some data recipients (subcontractors in charge of technical services or research partners) may be located outside the European Union, and may involve the transfer of personal data outside the EU. Some countries, such as Switzerland, have an adequacy decision confirming that they offer a level of protection equivalent to that guaranteed by the GDPR and that data can be transferred to them without any special procedure. Conversely, other countries do not provide an equivalent level of protection. For these countries, CURE51 takes the necessary measures with these service providers and partners, in particular the standard contractual clauses published by the European Commission, to ensure that they undertake to guarantee a level of protection for personal data transferred in this way equivalent to that offered by the GDPR and, where appropriate, that they implement additional technical and organizational measures to protect the data.
ENSURING THE SECURITY OF PERSONAL DATA
CURE51 has implemented technical and organizational measures to protect the integrity and confidentiality of the personal data of the data subjects. These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying probability and severity for the rights and freedoms of the data subjects.
These measures include, for example, security techniques of a physical or logical nature that CURE51 deems appropriate to prevent the accidental or illegal destruction, loss, degradation or unauthorized disclosure of personal data. The main elements of these measures include, but are not limited to:
Management of access rights to personal data; CURE51 implements an authorization policy, limiting access to data only to people who need it; CURE51 employees are subject to a specific confidentiality and non-disclosure commitment;
Internal backup and redundancy of databases to guarantee the longevity of information in the event of involuntary destruction;
HDS certified host: personal health data collected and used by CURE51 are hosted by AWS, certified “health data host”;
Security audits and vulnerability assessments carried out on a regular and multi-annual basis;
Implementation of an information systems security policy;
Implementation of business continuity and disaster recovery plans;
Use of protocols and/or security solutions. In particular:
passwords are encrypted;
data transfer is encrypted using the HTTPS protocol.