Privacy Policy
Effective Date: February 22, 2026
Version: 1.0.0
Welcome to Curavi. Your privacy is fundamental to us. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Curavi application (“App”), a voice-controlled medication management and wellness tool.
Curavi is committed to complying with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018), and all other applicable data protection legislation.
By using the App, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.
1. Data Collection
Curavi collects the following categories of personal data:
1.1 Data You Provide Directly
- Account information: name, email address, and authentication credentials.
- Health and wellness data: medication names, dosages, schedules, and adherence records that you enter into the App.
- Voice data: voice commands processed locally on your device to control App features. Voice data is not transmitted to external servers unless explicitly required for a specific feature and only with your prior consent.
- Profile preferences: language settings, notification preferences, and accessibility configurations.
1.2 Data Collected Automatically
- Device information: device type, operating system version, unique device identifiers, and App version.
- Usage data: interaction patterns, feature usage frequency, and session duration — collected in anonymized or pseudonymized form.
- Location data (approximate): used solely to provide weather-based wellness suggestions via the OpenWeatherMap API. Only approximate (city-level) location is used; precise geolocation is never collected or stored.
- Log data: error logs and performance metrics to maintain and improve App reliability.
1.3 Data from Third-Party Services
- Authentication providers: if you sign in using a third-party service (e.g., Google, Apple), we receive basic profile information as authorized by you.
- Weather data: approximate location data is sent to OpenWeatherMap to retrieve local weather conditions for wellness-related suggestions.
2. Purpose of Collection
We collect your personal data for the following specific, explicit, and legitimate purposes:
- Providing the core service: managing your medication schedules, reminders, and adherence tracking.
- Voice interaction: processing voice commands locally to enable hands-free operation.
- Wellness insights: delivering personalized wellness suggestions based on your data and contextual information (e.g., weather conditions).
- Account management: creating and maintaining your user account, authenticating your identity, and managing your preferences.
- Service improvement: analyzing anonymized usage patterns to improve App functionality, performance, and user experience.
- Communication: sending essential service notifications (e.g., medication reminders, security alerts) and, with your explicit consent, optional wellness tips.
- Legal compliance: fulfilling legal obligations under GDPR, LGPD, and other applicable laws.
- Security: detecting, preventing, and responding to fraud, abuse, or security incidents.
3. How We Use Your Data
Curavi follows a local-first architecture. This means:
- Medication data (names, dosages, schedules, and adherence logs) is stored primarily on your device using encrypted local storage.
- Synchronization with our cloud backend (hosted on Supabase, with servers located in the European Union) occurs only when necessary for backup, multi-device sync, or features that require server-side processing.
- Voice commands are processed on-device whenever possible. No raw audio is transmitted to or stored on external servers without your explicit consent.
- Weather queries send only your approximate city-level location to OpenWeatherMap; no personally identifiable information is shared with this service.
All data processing follows the principles of data minimization and purpose limitation: we only process what is strictly necessary for the stated purposes.
4. Data Sharing
Curavi does not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
4.1 Service Providers
- Supabase (database and authentication): hosts our backend infrastructure on EU-based servers, subject to GDPR-compliant data processing agreements.
- OpenWeatherMap (weather API): receives only approximate city-level location to provide weather data. No personally identifiable information is shared.
4.2 Legal Requirements
We may disclose your data when required by law, regulation, legal process, or enforceable governmental request, including to comply with GDPR, LGPD, or court orders.
4.3 Safety and Rights Protection
We may share data when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Curavi, our users, or the public.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. You will be notified of any such change and your rights under this policy will continue to apply.
4.5 With Your Consent
We may share data with additional third parties when you have given your explicit, informed consent.
5. Data Security
Curavi implements robust technical and organizational measures to protect your personal data:
5.1 Encryption
- At rest: all locally stored data is encrypted using AES-256 encryption.
- In transit: all communications between the App and our servers use TLS 1.3 (Transport Layer Security), ensuring end-to-end encrypted data transmission.
- Database-level: data stored on Supabase servers benefits from server-side encryption at rest.
5.2 Local-First Architecture
- Sensitive health and medication data is stored locally on your device by default, reducing exposure to network-based threats.
- Cloud synchronization is performed over encrypted channels and only when strictly necessary.
5.3 Access Controls
- Strict role-based access controls limit who within our organization can access personal data.
- Multi-factor authentication is enforced for all administrative access to backend systems.
5.4 Monitoring and Incident Response
- We maintain continuous monitoring for unauthorized access attempts and security anomalies.
- In the event of a personal data breach, we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR Article 33 and LGPD Article 48.
5.5 Regular Audits
- We conduct periodic security assessments and vulnerability testing to ensure ongoing protection of your data.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Account information | Duration of your account plus 30 days after deletion request |
| Medication and health data | Duration of your account; deleted upon account deletion |
| Voice data | Processed in real time on-device; not retained |
| Usage analytics (anonymized) | Up to 24 months |
| Log and error data | Up to 12 months |
| Legal compliance data | As required by applicable law |
Upon account deletion, all personally identifiable data is permanently erased from our systems within 30 days, except where retention is required by law. Anonymized data that cannot be linked back to you may be retained for analytical purposes.
7. Your Rights
Under the GDPR and the LGPD, you have the following rights regarding your personal data:
7.1 Right of Access (GDPR Article 15 / LGPD Article 18, II)
You have the right to obtain confirmation of whether we process your personal data and to access a copy of that data.
7.2 Right to Rectification (GDPR Article 16 / LGPD Article 18, III)
You have the right to request correction of inaccurate or incomplete personal data.
7.3 Right to Erasure (GDPR Article 17 / LGPD Article 18, VI)
You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
7.4 Right to Restriction of Processing (GDPR Article 18)
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.
7.5 Right to Data Portability (GDPR Article 20 / LGPD Article 18, V)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
7.6 Right to Object (GDPR Article 21 / LGPD Article 18, IV)
You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
7.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
7.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. For EU residents, this is your local Data Protection Authority. For Brazilian residents, this is the Autoridade Nacional de Proteção de Dados (ANPD).
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer at [email protected]. We will respond to your request within 72 hours and fulfill it within the timeframes prescribed by applicable law (generally 30 days under GDPR).
8. Data Controller
The data controller responsible for your personal data is:
Curavi
Email: [email protected]
Jurisdiction: São Paulo, Brazil
As data controller, Curavi determines the purposes and means of processing your personal data and is responsible for ensuring compliance with applicable data protection legislation.
9. Legal Basis
We process your personal data based on the following legal bases under GDPR Article 6 and LGPD Article 7:
| Purpose | Legal Basis |
|---|---|
| Providing the core service | Performance of a contract (GDPR Art. 6(1)(b)) / Contractual necessity (LGPD Art. 7, V) |
| Medication reminders and adherence tracking | Performance of a contract |
| Wellness suggestions | Legitimate interests (GDPR Art. 6(1)(f)) / Legitimate interests (LGPD Art. 7, IX) |
| Weather-based recommendations | Your consent (GDPR Art. 6(1)(a)) / Consent (LGPD Art. 7, I) |
| Analytics and service improvement | Legitimate interests |
| Security and fraud prevention | Legitimate interests / Legal obligation |
| Legal compliance | Legal obligation (GDPR Art. 6(1)(c)) / Legal obligation (LGPD Art. 7, II) |
For the processing of special categories of data (health data), we rely on your explicit consent (GDPR Article 9(2)(a) and LGPD Article 11).
10. Cookies and Local Storage
Curavi is primarily a mobile application and does not use traditional browser cookies. However, we use the following local storage technologies:
- Local database (encrypted): stores your medication data, preferences, and adherence records on your device using AES-256 encryption.
- Authentication tokens: securely stored on your device to maintain your session and avoid repeated logins.
- App preferences: locally stored settings such as language, notification preferences, and theme selection.
If you access any Curavi web-based services (e.g., a companion website), we will provide a separate cookie notice compliant with the ePrivacy Directive.
11. International Data Transfer
Curavi’s backend infrastructure is hosted on Supabase servers located in the European Union, ensuring that your data benefits from the protections afforded by the GDPR.
When data is transferred from the EU to Brazil (where Curavi is headquartered), we rely on:
- Adequacy decisions: where applicable, recognizing that the European Commission may issue adequacy decisions regarding Brazil’s data protection framework.
- Standard Contractual Clauses (SCCs): approved by the European Commission, ensuring that your data receives an equivalent level of protection when transferred outside the EU/EEA.
- LGPD compliance: as a Brazilian entity, Curavi is also bound by the LGPD, which provides a comprehensive data protection framework aligned with GDPR principles.
Data shared with OpenWeatherMap (weather API) is limited to approximate city-level location and does not include personally identifiable information.
12. Children’s Data
Curavi is not intended for use by children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children.
If you are a parent or guardian and believe that your child has provided personal data to Curavi, please contact us at [email protected]. We will promptly delete such data from our systems.
If we become aware that we have collected personal data from a child without verified parental consent, we will take steps to delete that information as quickly as possible.
13. Contact
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact our Data Protection Officer (DPO):
Data Protection Officer
Email: [email protected]
Response time: within 72 hours
You may also contact us for:
- Data access, rectification, or deletion requests
- Questions about our data processing practices
- Exercising any of your rights under GDPR or LGPD
- Reporting a security concern or data breach
- Requesting information about our sub-processors
14. Policy Updates
Curavi reserves the right to update this Privacy Policy at any time to reflect changes in our practices, technologies, legal requirements, or other factors.
When we make changes:
- Material changes: we will notify you via in-app notification and/or email at least 30 days before the changes take effect.
- Minor changes: we will update the “Last Updated” date at the top of this policy.
- Continued use: your continued use of the App after the effective date of any changes constitutes acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
Version History
| Version | Date | Description |
|---|---|---|
| 1.0.0 | February 22, 2026 | Initial version of the Privacy Policy |