This privacy policy explains how CURE51 collects, uses, shares and protects personal information about individuals. CURE51 uses identifying and descriptive data of Experts participating in the Rosalind study or who apply to CURE51 to join this network of Experts. This document presents the General Terms and Conditions of Use (GTU) of the electronic platform developed by Cure51, ROSALINK. It is intended to apply to each User of ROSALINK.
This information may be shared with trusted third parties and is protected by appropriate security measures. Data subjects have the right to access, rectify and delete their personal data.
For further details, please refer to the General Terms and Conditions of Use (‘GTCU’) and the Cookie Policy. CURE51 may update this policy, so please consult it regularly. If you have any questions, please contact us at dpo@CURE51.com.
Effective Date: 17/09/2025
Preview
1. Controller and Data Subject
CURE51, acting as data controller, undertakes to process and protect personal data in compliance with the main regulations, in particular the RGPD and the ‘Informatique et Libertés’ law. The company implements measures to protect personal data and ensures communication with data subjects regarding their rights and the processing of their data. This confidentiality policy applies to ROSALINK, which is intended to lead the community of experts made up of all the healthcare professionals taking part in the Rosalind study and any other healthcare professionals wishing to join.
2. Data Processing
As part of ROSALINK, CURE51 processes categories of personal data such as the identity and contact details of the Experts, their professional background and place of practice, as well as information on their field of expertise. Various communication channels are used, including video for webinars.
In addition, technical data such as browsing history, IP addresses and information about the device used by the Expert are collected to improve the user experience and the functionality of the Platform.
3. Use of Personal Data by CURE51
CURE51 collects and uses certain personal data to manage the Platform, improve the user experience and respond to user requests, as well as to protect CURE51's legal rights and interests, comply with the legal framework and ensure the security of its services.
LAWFULNESS OF CURE51 IN THE COLLECTION AND USE OF DATA
The collection and use of personal data by CURE51 is legitimised by several legal bases pursuant to Article 6 of the GDPR. CURE51 processes data on the basis of the explicit consent of the data subjects, for specific purposes, such as the processing of the Experts' image. CURE51 also processes personal data for legitimate interests, such as using research data to improve the operation of Rosalind, while ensuring that the rights of data subjects are respected. Finally, compliance with legal obligations may require the processing of data such as that used to manage requests to exercise the rights of data subjects.
4. Sources of Personal Data
CURE51 collects personal data both directly and indirectly. Direct collection occurs when Experts provide information themselves, for example when filling in the form on the Platform or when creating a User Account. Indirect collection consists of using the Experts' personal data, in particular when they take part in the Rosalind Study or when information on their professional career is accessible on the Internet.
5. Access to Personal Data
CURE51 takes measures to ensure minimal and necessary disclosure of data. Access to personal data at CURE51 is strictly controlled and limited to authorised persons and entities. Internally, access is granted to CURE51 employees according to their roles and missions. Externally, data may be shared with legally authorised authorities, potential stakeholders in corporate transactions and RGPD-compliant subcontractors.
6. Data Retention Period
CURE51 only keeps personal data for as long as is necessary for the purposes for which it was collected, in compliance with legal and contractual obligations. Contact data is kept for three years after collection or the last contact, while data relating to the professional relationship with the Expert is kept for three years after the relationship and archived in compliance with legal time limits relating to liability claims. Data relating to the management of legal claims is kept for one year. After this period, the data is deleted or anonymised, except where this is necessary for the purposes of legal compliance or evidence. Cookies and traffic data are kept for six and thirteen months respectively before being deleted or anonymized.
7. Exercise of GDPR Rights
Experts may request access to their personal data in a commonly used electronic format, excluding confidential or legally restricted information. Experts have the right to update or rectify inaccurate or obsolete data. They may object to the processing of data, for example by unsubscribing from newsletters. The right to erasure allows Experts to request the deletion of data under specific conditions, unless legal obligations or claims require retention. Data portability is granted for data processed on the basis of consent or contract, provided in a machine-readable format. CURE51 does not make any automated individual decisions. Complaints for non-compliance may be lodged with the Commission Nationale de l'Informatique et des Libertés (CNIL).
8. Contact
To exercise the rights described, individuals must send a written request by e-mail to dpo@CURE51.com or by post to 203 rue Saint Martin, 75003 Paris, accompanied by a copy of a signed identity document. As these rights are individual, CURE51 may verify the identity of the applicant for security reasons, possibly requesting additional information in case of doubt. Requests will be processed within one month, with a possible extension of two months for complex cases, of which the person will be informed.
9. International Transfer of Personal Data
Some data recipients, including subcontractors, may be located outside the European Union, which necessitates the transfer of personal data outside the EU. Countries such as the United States have adequacy decisions, guaranteeing protection equivalent to the GDPR and allowing seamless data transfer. For countries that do not have such rulings, CURE51 implements measures such as standard contractual clauses and additional safeguards to ensure RGPD-compliant protection for transferred personal data.
10. Ensuring the Security of Personal Data
CURE51 has implemented comprehensive technical and organisational measures to guarantee the integrity and confidentiality of personal data. These measures take into account the latest technologies, implementation costs and the nature and risks of data processing. The main security techniques include the management of access rights to limit access to data to authorised personnel, who are bound by confidentiality agreements.
Privacy policy. CURE51 (hereinafter ‘CURE51’) takes your privacy very seriously and respects the information you entrust to us. This information is protected by law. Under no circumstances is it intended to be communicated to third parties outside the context and for the reasons mentioned in this Privacy Policy.
Data collected. The purpose of this Privacy Policy is to inform you of the nature of the information about you that we collect and use in connection with your visit to the Platform and/or your use of the Services.
Modification of the Policy. CURE51 reserves the right to modify this privacy policy at any time. You are also invited to consult it regularly in order to take note of any changes. Any new use of the Platform and/or communication of information to CURE51 after the publication of a new version of this Privacy Policy will constitute acceptance of the latest version.
Information. Although the list is intended to be as exhaustive as possible, any new use, modification or withdrawal of any existing processing will be notified to the persons concerned by the publication of new versions of this Privacy Policy on the Platform. CURE51 invites the persons concerned to consult this online Privacy Policy regularly in order to be aware of any new use, modification or withdrawal of any existing processing.
Definitions. Terms beginning with a capital letter below have, if they are not defined in this document, the definition given to them in the General Conditions of Use (‘GCU’) and the Platform.
1. Data Controller and Data Subjects
CURE51 is responsible for data processing. CURE51 processes and protects the personal data it collects. CURE51 undertakes to comply with at least the following regulations: (i) Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms known as the ‘Loi Informatique et Libertés’ as amended and (ii) European Regulation No. 2016/679/EU of 27 April 2016 (applicable since 25 May 2018) on data protection (‘RGPD’). To this end, CURE51 implements procedures and measures to protect your personal data, including when using subcontractors to carry out the processing of personal data described below.
Communication with data subjects. The purpose of this privacy policy is to meet CURE51's information obligation under the GDPR (Articles 12 to 14) and to document the rights of data subjects regarding the processing of their personal data. This privacy policy does not create any obligations beyond what is provided for by the applicable regulations and/or by the GTC or any other contract binding CURE51 with the data subjects.
Persons concerned by the processing of CURE51 data. This Confidentiality Policy applies to ROSALINK, which is intended to lead the community of experts made up of all the healthcare professionals taking part in the Rosalind study and any other healthcare professional wishing to join (hereinafter the Expert(s)).
2. Data Processing
2.1 Purposes
CURE51 has created ROSALINK in order to bring together and form a professional network with the healthcare professionals participating in the Rosalind study and any other professional involved in the healthcare field who have made a request to CURE51 and who have authorised them to access it on the basis of their expertise.
ROSALINK includes an information page that can be consulted by any visitor to the Platform (the Platform) and pages to which access is restricted to Experts with a User Account (the Platform).
ROSALINK offers these Experts the possibility to:
- Be listed in the directory of Experts, with a dedicated profile including their photograph, a description of their activities as an Expert, their geographical position on the interactive map and, where applicable, the references of their publications;
- Search for Experts in the directory of Experts and have their contact details and location, in order to collaborate on projects;
- Access collaborative areas;
- Receive newsletters;
- Obtain visibility on the progress of the study (dashboard, interactive map, newsletter);
- Participate in webinars;
- Access live or replay webinars.
2.2 Personal data
2.2.1 Experts
The categories of personal data of ROSALINK Expert Users are as follows:
- Surname*;
- First name*;
- E-mail address*;
- Photograph;
- Data relating to the profession: position held, Department/Service, name of the organisation in which the Expert works, address, with location on the interactive map;
- References to publications.
2.2.2 Other persons
For external persons who are not Experts and who may be taking part in Webinars (e.g. patients providing a testimonial, etc.):
- Surname*;
- First name*;
- E-mail address*.
2.2.3 Users of ROSALINK
When you fill in our contact form on ROSALINK, the following data is collected:
- E-mail address*;
- Free field for the message.
2.3 Technical data of a personal nature (depending on the circumstances)
Certain information may be collected automatically when using ROSALINK. This includes:
- Data relating to the use of the Services: identification of participants present in relation to the number of registrants.
- Connection data (such as your IP (Internet Protocol) address, the address of the web pages that you have visited and that integrate functionalities of the Services, the type of browser and its parameters, the date and time of your request, the way in which you have used the Services and data relating to cookies) transmitted by your Internet browser or your mobile application and automatically recorded on our servers;
- Cookies (a text file sent by your computer each time you visit our Platform and which is associated exclusively with your user account or your browser) or similar technologies for tracking and recording log files. For more information about how we use cookies, please see our Cookie Policy;
- Information about the device with which you use the Services, including the type of device you use, the operating system you use, device settings, unique device identifiers and incident data. Whether we collect some or all of this information often depends on the type of device you are using and its settings. For example, different types of information are available depending on whether you use a Mac or a PC or an iPhone or Android phone. To find out more about the information your device makes available to us, please also consult the policies of the manufacturer of your device or the supplier of your software.
3. Use of Personal Data by CURE51
3.1 Guaranteeing the rights of data subjects
CURE51 ensures that personal data is processed in accordance with applicable data protection regulations, including where data subjects decide to exercise their rights with CURE51 in accordance with the GDPR.
3.2 Management of the ROSALINK platform
The management of the Platform (contact form, etc.) requires the use of personal data to improve its operation, personalize the user experience, respond to user requests, and send marketing information if the user has consented to receive it.
3.3 Protection of the rights and interests of CURE51
CURE51 may use personal data (i) where required by law, (ii) at the request of a court, (iii) if we believe in good faith that disclosure is reasonably necessary to defend against any claim or accusation by a third party, (iv) to protect the security or integrity of our services. We will inform you of any legal proceedings requiring access to personal data, unless we are prohibited from doing so by law. In cases where a court order specifies a period of non-disclosure of the request to data subjects, we will send a deferred notification after the non-disclosure period has expired.
4. CURE51's Legal Basis for Collecting and Using Data
4.1 The data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes.
CURE51 may process personal data for one or more specific purposes for which the data subject has clearly expressed his/her consent to the processing of his/her personal data for each of these purposes:
- The creation of your User Account to benefit from the Services in compliance with the General Terms of Use (GTU);
- The management of cookies subject to consent.
4.2 Processing is necessary for the performance of a contract
CURE51 explains to you in the GCU why and how CURE51 needs to capture and distribute your image so that you can benefit from the Services of ROSALINK. CURE51 requests your prior authorization to use your photograph to add to your profile, to film you and to have the rights to broadcast your image on the various ROSALINK communication channels and media (newsletter, interactive webinar map, replay, etc).
Thus, the use of your image is necessary for the execution of the contract (the GCU) that CURE51 concludes with each User when the User Account is created.
An ad hoc contract is concluded before any photographs are taken of people from outside ROSALINK taking part in Webinars.
4.3 Management of the ROSALINK platform
Where CURE51 processes personal data for its legitimate interests, CURE51 must take account of the rights and fundamental interests of the data subject, in order to assess whether the legitimate interests pursued by CURE51 do not create an imbalance with the rights and fundamental interests of the data subject. The following processing operations carried out by CURE51 are concerned:
- Protecting CURE51 against fraudulent actions or omissions;
- Managing the contact relationship and business development;
- Sending newsletters about CURE51 to Experts and/or subcontractors with whom CURE51 has pre-existing relationships in the course of their professional activities.
4.4 The processing is necessary in order to comply with the legislation applicable to CURE51.
CURE51 may process personal data in order to comply with legal obligations applicable to CURE51 for the following purposes:
- Management of requests from data subjects to exercise their rights;
- Ensuring transparency regarding CURE51's relations with healthcare professionals and/or healthcare organisations, academic institutions or hospitals;
- Management of responses to official requests from public or judicial authorities authorised for this purpose.
5. Sources of Personal Data
Direct source. Personal data is collected directly:
- When the person concerned has filled in the form when visiting the web platform and exchanged with CURE51 to complete their User profile.
- During webinars.
Indirect sources. The following categories of personal data are collected indirectly:
- Experts' identification data, via the Platform specific to the Rosalind study when they participate in the Rosalind study;
- Public data, relating to: professional background, areas of expertise, references to the Expert's publications, the Expert's photograph.
Experts may contact CURE51 at any time if they have any questions regarding the collection of their personal data.
6. Access to Personal Data
Confidentiality. In view of the purpose(s) for which the personal data of the persons concerned is processed, CURE51 will ensure that personal data is only accessible to authorised internal and external recipients who may only access the data necessary for the performance of their duties. Recipients of personal data are bound by an obligation of confidentiality. In all cases, CURE51 only provides them with information that is strictly necessary for the processing of personal data in accordance with the identified purposes. CURE51 decides which data recipients may access which personal data by means of contracts and/or internal policies.
Authorities. Personal data may also be transmitted to any authority legally entitled to receive it. In such cases, CURE51 is not responsible for the manner in which these authorities access and process personal data, but will limit the personal data to which these authorities have access to the strict minimum required by these authorities.
6.1 Internal recipients
Depending on the purpose(s) of the processing and the personal data processed, authorised CURE51 staff may include: the clinical team, the communications and marketing team, and general management.
6.2 External recipients
Depending on the purpose(s) of the processing and the Personal Data processed, CURE51's External Data Recipient may include:
- Judicial or administrative authorities, as required by applicable laws and regulations to which CURE51 may be subject;
- Potential acquirers and other stakeholders in the case of a corporate transaction such as a change of control of CURE51, resulting from a capital increase, merger, demerger or sale of all or part of business activities;
- Suppliers selected based on their compliance with the GDPR. You can access their privacy policy via the links provided below.
Webflow: Platform design and hosting - https://webflow.com/legal/privacy
MatomoPixtures / GA: Monitor traffic and engagement - https://matomo.org/privacy-policy/
AWS: For hosting JSON files with user presentations - https://aws.amazon.com/fr/privacy/
7. Data Retention Period
7.1 Retention period for personal data
CURE51 undertakes to ensure that the data collected is kept in a form that allows identification for no longer than is necessary for the purposes for which the data is collected and processed. The length of time personal data is kept is defined by CURE51 in accordance with its legal and contractual obligations and according to specific needs, in particular in compliance with the following principles:
- Personal data relating to Experts: Three (3) years from the date of collection of the Personal Data by CURE51 or from the date of the last contact established by the Expert or potential Expert.
- For the management of our professional relationship with each Expert: data is kept for 3 years from the end of the professional relationship. After this period, the data is archived for as long as CURE51 may be held liable.
- For the management of legal requests concerning personal data: data is kept for 1 year.
- After this period, personal data is either deleted or kept after anonymisation, in particular for statistical purposes. It may be kept for evidential purposes in the event of pre-litigation or litigation. This data may also be kept in order to comply with a legal obligation or kept in files in accordance with applicable laws and regulations.
7.2 Cookies in interfaces
With regard to cookies, it is specified that the information stored in the terminal (e.g. cookies) or any other element enabling the User to be identified for the purposes of audience statistics is not kept beyond a period of six (6) months. After this period, the raw traffic data associated with an identifier is either deleted or made anonymous. In order to ensure the smooth running and ongoing improvement of the Platform and its functionalities, the raw traffic data associated with an identifier is kept for a period of thirteen (13) months. After this period, it is deleted or anonymised. For further details, please read the Cookie Policy.
8. Exercise of GDPR Rights
As data subjects and in accordance with applicable data protection laws, individuals have the right to exercise the following rights:
Confirmation and right of access. Data subjects have the right to ask CURE51 to confirm whether or not their personal data is being processed and to request a copy of their personal data. If data subjects request a copy of their personal data electronically, the information requested will be provided in a commonly used electronic format unless otherwise specified. Data subjects are informed that this right of access cannot cover confidential information or data the disclosure of which is prohibited by law.
Right to update and rectify. Data subjects have the right to ask CURE51 to rectify their personal data if it is inaccurate, incomplete or obsolete.
Right to object to processing activities. Data subjects have the right to object to the processing of their personal data, subject to any legal restrictions that may exist with regard to this right of objection. For example, with regard to the newsletter sent by CURE51 to data subjects, each data subject may unsubscribe at any time by clicking on the ‘unsubscribe’ link at the bottom of CURE51 newsletters.
Right to erasure. Data subjects may request the deletion of their data if one of the following criteria is met:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- If a data subject withdraws the consent on which the processing was based and there is no other legal basis;
- The data subject objects to the processing which is necessary for the pursuit of the legitimate interests of CURE51 and there is no other compelling legitimate reason for continuing the processing;
- The personal data has been processed unlawfully.
In accordance with legislation on the protection of personal data, data subjects are informed that this is an individual right which can only be exercised by data subjects in relation to their own information. The data subject's right to erasure does not apply where processing is carried out in compliance with a legal obligation or where processing is necessary for the establishment, exercise or defence of legal claims.
Right to the portability of personal data. CURE51 will grant requests for the portability of personal data for purposes based solely on personal consent or contract. In this case, the personal data will be communicated in a structured and commonly used format capable of being read by a machine.
8.1 Automated individual decision-making
CURE51 does not engage in automated individual decision-making.
8.2 Complaints to the CNIL
In the event of non-compliance with ‘Informatique et Libertés’ rights, the persons concerned may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL). For more information: http://www.cnil.fr.
9. Contact
Any request relating to the exercise of the rights described above must be made in writing by e-mail to dpo@CURE51.com or by post to 19, rue Richer 75009 Paris, accompanied by a copy of a signed identity document. In accordance with data protection laws and regulations, data subjects are informed that the rights set out above are individual rights which can only be exercised by the data subjects themselves in respect of their own information, so that for security reasons CURE51 may need to verify the identity of the data subject before communicating personal data to the data subject. If we have reasonable doubt about identity, we may request additional information or documents in order to verify identity. The request will be processed within one month at the latest, which may be extended by two months depending on the complexity of the request. In this case, the person will be informed of the extension within one month of receipt of the request.
10. International Transfer of Personal Data
Some data recipients acting as subcontractors in charge of technical services may be located outside the European Union, and may involve the transfer of personal data outside the EU. Some countries, such as the United States, have an adequacy decision confirming that they offer a level of protection equivalent to that guaranteed by the GDPR and that data may be transferred to them without any special procedure. Conversely, other countries do not offer an equivalent level of protection. For these countries, CURE51 takes the necessary measures with these service providers and partners, in particular the standard contractual clauses published by the European Commission, to ensure that they undertake to guarantee a level of protection for personal data thus transferred equivalent to that offered by the RGPD and, where appropriate, that they implement additional technical and organisational measures to protect the data.
11. Ensuring the Security of Personal Data
CURE51 has implemented technical and organisational measures to protect the integrity and confidentiality of the personal data of data subjects. These measures take into account the state of the art, the costs of implementation and the nature, extent, context and purposes of the processing as well as the risk of varying likelihood and severity to the rights and freedoms of data subjects.
This includes, for example, security techniques of a physical or logical nature that CURE51 considers appropriate to prevent the accidental or unlawful destruction, loss, damage or unauthorised disclosure of personal data. The main elements of these measures include, but are not limited to:
- Management of access rights to personal data; CURE51 implements an authorisation policy, limiting access to data to only those who need it;
- CURE51 employees are subject to a specific confidentiality and non-disclosure undertaking;
- Internal back-up and redundancy of databases to guarantee the continuity of information in the event of involuntary destruction;
- AWS host;
- Security and vulnerability audits carried out on a regular, multi-year basis;
- Implementation of an information systems security policy;
- Implementation of business continuity and disaster recovery plans;
- Use of security protocols and/or solutions. In particular: passwords are encrypted; data transfer is encrypted using the HTTPS protocol.