Privacy Policy
Last updated: 2026-04-24
Draft notice
Working draft — pending UK solicitor review before production use.
Our draft status
This document is a working draft. It has not yet been reviewed by a qualified UK solicitor. It reflects our current practices and intent, but it may change once a formal legal review is complete. If you have a specific concern before that review lands, email us at privacy@mycura.co.uk and we will respond within 5 business days.
1. Who we are
Cura Health ("Cura", "we", "us", "our") is a UK-based supplement protocol service operating at mycura.co.uk. We are the data controller for personal data collected through the site.
- Registered office: (to be completed when the company is formally registered)
- Data protection contact: privacy@mycura.co.uk
- Support contact: support@mycura.co.uk
We operate under the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
2. What data we collect
We collect data in three broad categories:
Account data — email, password hash, display name, sign-in provider (Google OAuth or email/password), sign-up timestamp. Supplied by you during account creation.
Health and protocol data — everything you tell us during the intake and subsequent check-ins: goals, symptoms, medications, medical conditions, allergies, dietary restrictions, age band, sex, activity level, and the protocols we build from those inputs. Supplied by you through the intake, clarification, and review flows.
Order and shipping data — shipping address, payment method (held by our payment processor, not by us), order history, tracking information. Supplied by you at checkout and generated through your order lifecycle.
We also collect technical data automatically: IP address, user agent, page views, and device type. This is used for security, fraud prevention, and anonymised analytics.
3. Why we process your data
- To build your protocol — health data is processed to generate and refine supplement recommendations. This is the core purpose of the service.
- To fulfil orders — shipping and order data is shared with our fulfilment partner (3PL) to get boxes to your door.
- To take payment — payment data is processed via Stripe; we never store card numbers ourselves.
- To communicate with you — transactional emails (order confirmations, review nudges, shipping updates) use your email address and name.
- To improve the service — anonymised, aggregate usage patterns help us fix bugs and prioritise improvements.
- To comply with legal obligations — tax records, fraud prevention, and responding to lawful requests from authorities.
Our legal bases are contract (fulfilling the subscription you signed up for), legitimate interests (security, fraud prevention, service improvement), and consent (marketing communications, if you opt in — none are mandatory for the core service).
4. Where your data is stored
Primary storage is in a managed Postgres database (Supabase) hosted in the UK/EU region, encrypted at rest. Row-level security (RLS) locks each row to its owning user — no one can query your data without your auth token.
Payment data is tokenised and held by Stripe under their own UK/EU compliance programme. Email is delivered via a transactional-email provider operating in the UK/EU (the specific vendor will be confirmed at launch; likely SendGrid or Resend). Anonymised analytics events may be processed by a third-party tool specified at launch.
We do not transfer personal data outside the UK/EEA without appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or equivalent).
5. How long we keep data
- Active account data: retained while you have an active account plus a reasonable buffer for recovery if you return.
- Order and financial records: retained for the period required by UK tax and consumer protection law (currently 6 years after the order).
- Health and protocol data: retained while you have an account. Deleted with your account upon request.
- Anonymised aggregate data: may be retained indefinitely once the individual-level data is removed (no re-identification possible).
6. Your rights
Under UK GDPR you have the right to:
- Access a copy of the data we hold about you.
- Correct any inaccurate or incomplete data.
- Delete your account and associated personal data ("right to erasure").
- Restrict processing in specific circumstances.
- Port your data — receive it in a structured, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent for any processing that relied on consent.
To exercise any of these rights, email privacy@mycura.co.uk. We will respond within 5 business days and, for deletion requests, complete the deletion within 30 days as required by UK GDPR Article 17.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
7. Who we share data with
We share personal data only where necessary to run the service, and only with carefully selected processors:
- Supabase — database hosting and authentication.
- Stripe — payment processing.
- Our 3PL fulfilment partner — shipping address and order contents for box dispatch.
- Transactional email provider — your email address and first name to deliver emails you've subscribed to.
- Our OpenAI / Anthropic LLM provider — when you submit an intake or a review, the relevant responses are sent to an LLM for processing. We do not send identifying information alongside them (no email, no display name, no direct identifiers in the prompt body). Full prompt content and hash are retained for audit per UK health-data best practice.
We do not sell your data. We do not share health data with advertisers. We do not use your health data to train third-party AI models.
8. Security
- In transit: TLS 1.2+ on all connections between your browser and our servers, and between our servers and our processors.
- At rest: AES-256 encryption for database contents.
- Access control: row-level security locks each row to its owning user. Internal admin access is logged, role-limited, and requires two-factor authentication.
- Audit trail: material changes to your account (protocol approvals, safety-rule overrides, subscription actions) are logged with timestamps.
If we ever experience a personal-data breach that creates a risk to your rights, we will notify you and the ICO within 72 hours as required by UK GDPR.
9. Cookies and tracking
We use a minimal set of cookies:
- Strictly necessary: authentication session, security, cart persistence.
- Functional: remembering your cookie preferences, UI settings.
- Analytics: anonymised page-view and flow-completion events. Requires your consent via our cookie banner.
We do not use advertising or tracking cookies.
10. Children
Cura is designed for adults aged 18 and over. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from someone under 18, please contact us and we will delete it.
11. Changes to this policy
We may update this policy over time. Material changes will be notified via email to registered users at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.
12. Contact
For any privacy-related question or request:
- Email: privacy@mycura.co.uk
- Response time: within 5 business days
- For deletion requests: processed within 30 days per UK GDPR Article 17
For the UK supervisory authority (ICO): ico.org.uk.