PRIVACY POLICY OF CURAE LAB
This website collects certain personal data from its users.

SCOPE OF THE POLICY

Curae Lab places the highest importance on protecting privacy and personal data and complies with applicable legislation.

Regulation (EU) 2016/679 of April 27, 2016, on the protection of individuals regarding the processing of personal data and the free movement of such data (hereinafter “GDPR”) states that personal data must be processed lawfully, fairly, and transparently. This privacy policy (hereinafter the “Policy”) aims to provide you with simple, clear information on how your personal data is processed as you navigate and perform operations on our website.

DATA CONTROLLER

While using the site https://curaelab.com/, we collect and use personal data relating to you, individuals (hereinafter “Data Subjects”).

For all processing activities, Curae Lab, a Simplified Joint Stock Company registered with the Paris RCS under no. 841 285 083, headquartered at 27 RUE CAUCHY 75015 PARIS, determines the means and purposes of the processing. Thus, we act as the Data Controller under the Personal Data Regulation, particularly Regulation (EU) 2016/679 on the protection of individuals regarding the processing of personal data and the free movement of such data.

TYPES OF DATA COLLECTED

By using our website, you provide us with certain information about yourself, some of which can identify you (“personal data”). This occurs when you navigate our site or complete online forms.

The type and quality of personal data collected about you vary depending on the relationship you establish with Curae Lab, including:

• Identification data: Information that allows us to identify you, such as your name and email address.
• Browsing information: As you navigate our website, certain information related to your navigation is collected.
• Data collected from third parties: Personal data you consented to share with us on public social networks and/or data we may collect from other publicly accessible databases.

WHY AND HOW DO WE COLLECT YOUR PERSONAL DATA?

PROCESSING METHODS

We collect your personal data for specific purposes and based on various legal grounds.

Your data is processed for the following purposes:

• Managing your contact requests;
• Conducting commercial prospecting and marketing operations;
• Managing the newsletter;
• Managing cookies requiring your consent;

In the context of Curae Lab’s legitimate interest, your data is processed for the following purposes:

• Establishing product and service improvement statistics.

LEGAL BASIS FOR PROCESSING

The Data Controller may process users’ personal data if one of the following conditions applies:

• Users have given consent for one or more specific purposes;
• The provision of data is necessary for the execution of an agreement with the user or for any pre-contractual obligations;
• Processing is necessary to comply with a legal obligation to which the Data Controller is subject;
• Processing is linked to a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
• Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party.

In all cases, the Data Controller will gladly assist in clarifying the specific legal basis that applies to the processing, particularly if the provision of personal data is a legal or contractual requirement or a requirement necessary to conclude a contract.

DO WE SHARE YOUR PERSONAL DATA?

Your data is intended for Curae Lab employees responsible for managing and executing contracts and legal obligations based on the purposes of collection and within their respective scopes.

Data may be transmitted for certain tasks related to the purposes and within the limits of their roles and authorizations, to the following recipients:

• Curae Lab entities, as part of outsourcing activities to another group entity;
• Service providers and subcontractors with whom we work to perform various operations on our behalf, including:
  • OVH
  • ACONSEIL

When your data is shared with our service providers and subcontractors, they are also required to use the data only for the intended purposes. We do our utmost to ensure that these third parties maintain the confidentiality and security of your data.

Only necessary data is shared. We make every effort to ensure secure data communication or transmission.

We do not sell your data.

DATA TRANSFERS TO THIRD COUNTRIES

Curae Lab strives to keep personal data in France or at least within the European Economic Area (EEA).

However, data we collect when you use our platform or services may be transferred to other countries, such as if some of our service providers are located outside the EEA.

In such cases, we ensure that the transfer is conducted:

• To a country with an adequate level of protection, equivalent to what European regulations require;
• Based on standard contractual clauses;
• In accordance with binding corporate rules.

HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We keep your personal data only for as long as necessary to fulfill the purpose for which we hold it, to meet your needs, or to fulfill our legal obligations.

Retention periods vary based on several factors, such as:

• Curae Lab’s business needs;
• Contractual requirements;
• Legal obligations;
• Recommendations from regulatory authorities.

Data retention periods are as follows:

Purpose	Retention Period
Commercial and marketing activities	2 years from the last contact
Newsletter management	5 years from the last contact
Consent-based cookies management	6 months from the last consent

HOW DO WE ENSURE THE SECURITY OF YOUR PERSONAL DATA?

Curae Lab is committed to protecting the personal data we collect and process against loss, destruction, alteration, unauthorized access, or disclosure.

Thus, we implement all appropriate technical and organizational measures based on the nature of the data and the risks involved. These measures ensure the security and confidentiality of your personal data. They may include practices such as restricted access to personal data by authorized personnel, pseudonymization, or encryption.

Our security practices, policies, and/or physical and/or logical security measures (secure access, authentication process, backup, software, etc.) are regularly reviewed and updated as necessary.

WHAT ARE YOUR RIGHTS?

The GDPR provides Data Subjects with rights they may exercise, including:

1. Right to Information: The right to clear, precise, and complete information on Curae Lab’s use of personal data.
2. Right of Access: The right to obtain a copy of the personal data held by the Data Controller.
3. Right of Rectification: The right to correct inaccurate or outdated personal data and/or complete incomplete data.
4. Right to Erasure / Right to be Forgotten: Under certain conditions, the right to have data erased unless Curae Lab has a legitimate interest in retaining it.
5. Right to Object: The right to object to the processing of personal data by Curae Lab based on the specific circumstances of the requester.
6. Right to Withdraw Consent: The right to withdraw consent at any time when processing is based on consent.
7. Right to Restriction of Processing: Under certain conditions, the right to request that the processing of personal data be temporarily suspended.
8. Right to Data Portability: The right to request personal data be provided in a reusable format.
9. Right Not to Be Subject to Automated Decision-Making: The right to refuse fully automated decision-making.
10. Right to Define Post-Mortem Directives: The right to specify instructions regarding personal data after death.

To exercise your rights, contact the Data Protection Officer (DPO): rgpd@curaelab.com.

For complaints regarding how Curae Lab collects and processes your data, you can also contact the French Data Protection Authority (CNIL): 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.

INFORMATION ON THE RIGHT TO OBJECT TO PROCESSING

If personal data is processed for public interest, official authority, or legitimate interests, users may object by providing a reason related to their particular situation.

Users should know that if their personal data is processed for direct marketing, they may object at any time without justification.

UPDATES TO THE PRIVACY POLICY

This Policy may be updated regularly to reflect changes in personal data legislation.

Last Updated: October 8, 2024

4o