Curekey Privacy Policy

Effective Date: September 16, 2025

Your privacy matters. This Privacy Policy explains how Curekey LLC ("Curekey," "we," "us," or "our") collects, uses, discloses, and protects information about you when you visit Curekey.com, use our mobile or web applications, communicate with us, or otherwise interact with our services (collectively, the "Services").

This Privacy Policy is incorporated by reference into our Terms & Conditions. By using the Services, you consent to the practices described here.

1) Who We Are & How to Contact Us

Curekey LLC
 16192 Coastal Highway, Lewes,
 County of Sussex, Delaware 19958
Email: support@curekey.com

‍2) Scope & Important Relationships

Curekey provides non‑clinical Services and technology that enable access to independent medical groups and licensed clinicians ("Medical Groups" and "Providers") and independent pharmacies ("Pharmacies"). Medical Groups and Pharmacies are independent third parties.

• Curekey is not a healthcare provider and does not practice medicine.
• If you receive clinical care via the Services, your patient relationship is with a Medical Group/Provider, and the Medical Group will provide its HIPAA Notice of Privacy Practices (NPP) governing protected health information (PHI).
• This Privacy Policy governs information that Curekey processes in its own capacity (e.g., account, payments, customer support, marketing). Some of that information may include health‑related details you provide to us, which may or may not be PHI depending on context. When Curekey acts as a Business Associate to a Medical Group/Pharmacy, we handle PHI in accordance with HIPAA and our Business Associate Agreement.

3) Information We Collect

We collect information in three main ways: you provide it, we collect it automatically, and we receive it from third parties.

A. Information You Provide

• Account & Contact: name, email, phone number, date of birth, billing/shipping address.
• Identity Verification: photos of your government ID, selfies, and similar data to verify identity and prevent fraud.
• Health & Intake Details: medical history, symptoms, photos of hair/scalp, treatment goals, questionnaire responses. When provided to or for Providers/Medical Groups, this may be PHI.
• Transactions: order history, payment method token (we do not store full card numbers), subscription preferences.
• Communications & UGC: messages, reviews, survey responses, support requests, and any content you submit.

B. Information Collected Automatically

• Log & Usage Data: IP address, device/OS/browser, pages viewed, referring/exit pages, timestamps, and error diagnostics.
• Device Data: unique identifiers, cookie identifiers, app instance IDs, language, time zone, settings.
• Approximate Location: derived from IP address or device settings (with your consent where required).
• Cookies & Similar Tech: pixels, SDKs, tags, local storage (see Section 10).

C. Information From Third Parties

• Payment processors for fraud prevention and transaction facilitation.
• Identity verification vendors.
• Analytics/advertising partners for audience insights and ad measurement.
• Medical Groups/Pharmacies (e.g., order/fulfillment status) to coordinate your care, if applicable.

4) How We Use Information

We use information to:

• Provide, maintain, and improve the Services.
• Facilitate care coordination among you, Medical Groups/Providers, and Pharmacies where permitted/required.
• Process orders, subscriptions, payments, shipping, and returns.
• Verify identity, prevent fraud/abuse, and ensure platform security.
• Communicate with you about accounts, orders, support, and service updates.
• Send marketing and promotional messages (you can opt out at any time—see Section 12).
• Conduct analytics, research, A/B testing, and product development.
• Comply with legal obligations and enforce our terms.

Where we act as a Business Associate to a Medical Group/Pharmacy, we use/disclose PHI only as permitted by HIPAA, applicable law, and the Business Associate Agreement.

5) Legal Bases (EEA/UK Visitors)

If you visit from the EEA/UK, our processing is based on: contract (to provide Services), consent (e.g., certain marketing/cookies; sensitive data you choose to provide), legitimate interests (e.g., service improvement, security), and legal obligations.

6) How We Share Information

We share information with:

• Medical Groups/Providers and Pharmacies to coordinate care, fulfillment, and support (including PHI where permitted/required).
• Service Providers/Vendors (e.g., hosting, storage, analytics, advertising, identity verification, payment processing, customer support, communications, security/fraud). These parties process data on our behalf under contractual safeguards.
• Advertising/Analytics Partners for measurement, reporting, and cross‑context behavioral advertising ("sale"/"sharing" as defined under some state laws—see Section 13 for your choices).
• Law enforcement/Regulators as required by law or to protect rights, safety, and security.
• Business Transfers in connection with a merger, acquisition, financing, or sale of assets (your information may be transferred as part of the transaction).

We do not sell PHI. We do not share SMS opt‑in consent or SMS originator data with third parties outside service providers necessary to deliver messages.

7) Your Choices & Controls

• Account Data: Access/update via your account or by emailing support@curekey.com.
• Marketing Emails/SMS: Opt out via the message footer or by contacting us. Transactional messages may still occur.
• Device Settings: Use browser/app/device settings to manage cookies, advertising IDs, location permissions, and notifications.
• Telehealth Consents: Withdraw consents provided to Medical Groups per their NPPs and policies (may affect your ability to receive care).

8) Retention

We retain information as needed to provide the Services, comply with legal obligations (including healthcare, pharmacy, and tax laws), resolve disputes, and enforce agreements. When no longer needed, we delete or de‑identify data according to our retention schedules and applicable law.

9) Children’s Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 provided information, contact us to delete it. We do not knowingly sell or share data of users under 16.

10) Cookies, Pixels & Similar Technologies

We use first‑party and third‑party cookies and similar technologies to enable core functionality (e.g., login, cart), understand usage, personalize content, and deliver/measure advertising.Types: essential, performance/analytics, functionality, and advertising cookies/pixels.Choices: You can manage cookies in your browser settings and via any cookie banner or preferences tool we present. Some features may not function without certain cookies. Where legally required (e.g., in California via Global Privacy Control (GPC) signals), we honor browser‑based opt‑out signals for sale/sharing and targeted advertising.

11) Security

We use administrative, technical, and physical safeguards designed to protect information. However, no method of transmission or storage is 100% secure. If you suspect an account/security issue, contact support@curekey.com.

12) Communications; SMS Terms (Summary)

By providing your phone number or email, you consent to receive communications about your account, orders, and Services. Marketing messages are optional and you can opt out at any time. Message/data rates may apply. Frequency varies. For help, contact support@curekey.com. For full mobile terms (including STOP/HELP keywords), see our Mobile Messaging Terms, which may be presented at opt‑in or on our site.

13) U.S. State Privacy Disclosures & Rights (e.g., CA/CO/CT/UT/VA)

Certain U.S. state laws (e.g., California CCPA/CPRA) grant residents specific rights regarding personal information (excluding PHI covered by HIPAA). Subject to exceptions, you may have the right to:

• Know/Access the categories and specific pieces of personal information we collected about you.
• Correct inaccurate personal information.
• Delete personal information.
• Opt‑Out of sale or sharing of personal information for cross‑context behavioral advertising.
• Limit Use/Disclosure of sensitive personal information to what is necessary to provide requested services.
• Non‑Discrimination for exercising your rights.

Categories we collect may include identifiers, commercial data, internet activity, geolocation, inferences, and (in limited contexts) sensitive data (e.g., health‑related info you provide to us outside of PHI). We do not sell PHI. We may engage in activities considered “sale” or “sharing” under state laws via advertising/analytics partners. You can opt out via: (i) cookie banner/preferences; (ii) honoring GPC signals; or (iii) emailing support@curekey.com with “Privacy Request – Do Not Sell/Share.”How to Submit a Request: Email support@curekey.com with the subject “Privacy Request” and specify your request (Access, Delete, Correct, Do Not Sell/Share, or Limit Sensitive PI). We will verify your identity (and, if applicable, your agent’s authority) before fulfilling requests. If we deny a request, you may appeal by replying to our decision email with “Appeal” in the subject.

14) International Visitors

Our Services are intended for use in the United States. If you access the Services from outside the U.S., you understand your information will be processed in the U.S., which may have different data protection laws than your country. Where required, we implement appropriate safeguards for international transfers.

15A) HIPAA Notice of Privacy Practices

When CureKey acts as a Business Associate to independent Medical Groups or Pharmacies, we comply with the Health Insurance Portability and Accountability Act (“HIPAA”) and related regulations.Protected Health Information (“PHI”) may be collected, used, or disclosed to facilitate telehealth consultations, prescriptions, and care coordination.
 We implement administrative, technical, and physical safeguards to protect PHI as required by HIPAA and our Business Associate Agreements.Patient Rights under HIPAA:
 You have the right to:

• Access or request copies of your PHI.
• Request corrections or amendments.
• Request limits on use or disclosure.
• Receive an accounting of disclosures.
• File a complaint if you believe your privacy rights have been violated.

Contact for HIPAA/Privacy Questions:Geoffrey Bonnechere
 Privacy Official – CureKey LLC
 Email: support@curekey.com
 Address: 16192 Coastal Highway, Lewes, County of Sussex, Delaware 19958

15B) Third‑Party Links & Services

The Services may link to third‑party sites, apps, and services that are not owned or controlled by Curekey. Their privacy practices are governed by their own policies. Review those policies; we are not responsible for their content or practices.

16) Changes to This Policy

We may update this Privacy Policy from time to time. The Effective Date above indicates the latest version. Material changes will be posted on our site (and, where required by law, we will notify you and/or obtain consent). Your continued use of the Services after changes take effect indicates acceptance of the updated policy.

17) Notice for California Residents (Shine the Light)

California Civil Code §1798.83 permits users who are California residents to request information regarding the disclosure of certain personal information to third parties for their direct marketing purposes. To make a request, email support@curekey.com with “California Shine the Light” in the subject.

18) Supplemental Disclosures (Illustrative List of Third Parties)

We may use third parties for hosting, storage, analytics, advertising, communications, payments, and support. Examples include (subject to change): cloud hosting/CDN providers, payment processors, analytics platforms, advertising networks, identity verification vendors, customer support tools, email/SMS service providers, and anti‑fraud/security vendors. For an updated list or questions about specific vendors, contact support@curekey.com.

19) Your Rights Summary (EEA/UK)

Subject to exceptions, you may have the right to access, correct, delete, restrict, object, and port your personal data, and to lodge a complaint with your local supervisory authority. You may also withdraw consent at any time where processing is based on consent.

20) Contact Us

Questions or privacy requests?
support@curekey.com


Postal: Curekey LLC, 16192 Coastal Highway, Lewes, County of Sussex, Delaware 19958