CuraFlow
Template — needs legal review. This Privacy Notice is a starting point drafted to UK GDPR / Data Protection Act 2018 norms. Before going live to paying customers you should have it reviewed and adapted by a UK solicitor or DPO.

Privacy Notice

Last updated: 2 June 2026

1. Who we are

Cura Compliance (“we”, “us”, “our”) is the data controller for personal data collected via the CuraFlow platform.

Contact: curacompliance@gmail.com.

2. What we collect

  • Account data: email address (for magic-link sign-in), sign-in timestamps.
  • Company profile: business name, addresses, registered manager and policy officer details (name, email, phone), CQC/Ofsted IDs, logo image.
  • Subscription data: Stripe customer ID, plan tier, subscription status. Card details are stored only by Stripe — we never see or store them.
  • Compliance records: which policy each user acknowledged and when (for audit purposes).
  • Communications: messages sent via the contact form or live chat.
  • Operational data: server logs (IP address, user-agent, response codes) for security and debugging, retained for 30 days.

3. Lawful bases

We rely on the following lawful bases under UK GDPR:

  • Contract — to provide the Service you signed up for.
  • Legitimate interests — to keep the Service secure, to debug it, and to improve its usability.
  • Legal obligation — to keep tax / accounting records of payments and to respond to lawful regulator requests.
  • Consent — for any marketing emails (you can opt out at any time).

4. Data processors and where data lives

We use the following processors. All process data on our behalf under appropriate Data Processing Agreements:

  • Supabase (database, authentication, file storage) — region: EU.
  • Vercel (application hosting) — requests may be served from edge locations worldwide; primary application processing takes place in the EU.
  • Stripe (payment processing) — EU + global banking infrastructure.
  • Resend (transactional email — magic links, invites, contact forms) — EU.
  • Tawk.to (live chat widget) — USA (so chat messages are transferred outside the UK), GDPR-aligned.

5. Retention

  • Account + company data: for as long as your account exists; deleted on request, subject to the retention periods below.
  • Compliance records: 7 years (UK statutory record-keeping).
  • Stripe transaction records: 7 years (UK tax / accounting requirements).
  • Server logs: 30 days.

6. Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request deletion (subject to retention obligations);
  • restrict or object to processing;
  • data portability;
  • withdraw consent at any time where consent is the lawful basis.

To exercise any right, email curacompliance@gmail.com. We will respond within one month.

7. Cookies

We use cookies that are strictly necessary for the Service to function (authentication session, security). We do not use advertising or analytics cookies that require consent under UK PECR. The Tawk.to live chat sets cookies to recognise returning visitors; you can decline by not opening the chat.

8. Complaints

If you have a concern about how we handle your data, please contact us first. You also have the right to complain to the Information Commissioner's Office: ico.org.uk.

9. Changes

We may update this Privacy Notice. Material changes will be notified via email or in-app notice before the new terms take effect.