Privacy Policy

Effective date: 01/01/2026

Overview

This privacy policy “Policy” describes how CuraLinc Healthcare and our entities globally (“CuraLinc”, “we”, “us” or “our”) collects, protects and uses the personally identifiable information (“Personal Information”) you (“User”, “you” or “your”) may provide while using any of its products or services (collectively, “EAP Services” or “Services”). It also describes the choices available to you regarding our use of your Personal Information and how you can access and update this information. This Policy does not apply to the practices of companies that we do not own or control, or to individuals that we do not employ or manage.  

Purpose

CuraLinc, LLC (“CuraLinc” or “CuraLinc”) is committed to protecting all personal and private information in accordance with any and all applicable laws, regulations and standards, including without limitation any standards established in the United States under the Health Insurance Portability and Accountability Act, HITECH (Health Information Technology for Economic and Clinical Health Act and in the United Kingdom under the Data Protection Act of 2018. In the case of our services within the European Union, CuraLinc is subject to the General Data Protection Regulation (Regulation (EU) 2016/679), effective as of May 25, 2018. The legal basis of EU-US data transfer is based on EU Model Clauses (Standard Contractual Clauses) and the derogations as per Art.49 of GDPR. CuraLinc is liable for in cases of onward transfers to third parties.  

Our privacy policy is designed to protect the privacy of individuals. It explains what information we collect from visitors to this site during the duration of our relationship, how we use that information, and how visitors can update and verify the uses of the information provided on this site. We will update this policy from time to time to protect your personal information. We encourage you to review this policy from time to time to keep up to date on how we use and protect your information and continually improve the content of our portal. If we make material changes to the collection, use and/or disclosure of personal information you provide to us, we will notify you by posting a clear and highly visible notice on the portal. By using the portal, you agree to the terms of this Privacy Policy. 

Scope

CuraLinc maintains appropriate administrative, technical and physical safeguards designed to protect your personal information in accordance with the applicable law. CuraLinc uses industry standard encryption on this portal. Unfortunately, the transmission of information via the Internet is not completely secure. Although CuraLinc will do its best to protect your personal data, CuraLinc cannot guarantee the security of your data transmitted to this portal; any transmission is at your own risk. 

CuraLinc will not evaluate any computer, tablet, or other mobile device that you may use to access CuraLinc’s services for the secure handling of your personal information. CuraLinc disclaims any liability for any loss resulting from any security and data protection shortfalls originating from your own electronic devices. 

Information we collect

You must be registered with CuraLinc to have access to our services and this portal. CuraLinc may collect some information from interactive features such as online surveys, contact and registration forms, and using ‘cookies’ as explained below. The information CuraLinc receives in such a manner depends on the settings on your browser. For example, if you visit this portal to read or download information, such as information about a health condition or about one of CuraLinc’s products, CuraLinc may collect certain anonymous, unrestricted, non-personal information about you from your computer, including the type of web browser software you use, the links that you select, traffic data, the name of your Internet domain, the Internet address of the portal used for access, location data, the pages you have visited on this portal, web logs and other communication data. Depending on your choice to use certain features on this portal (i.e. eConnect, Animo Digital Behavioral Health, Textcoach®, etc.), CuraLinc may, with your explicit consent, collect and process personal information which may include: 

  • Name 
  • Date of birth/other vital statistics records 
  • Email address 
  • Physical/mailing address 
  • Telephone number 
  • Personal health information 

For certain services (telephone-based counseling, virtual support groups and anonymous chat), users are free to remain anonymous. However, we will be able to provide limited services only. Users who are uncertain about what information is mandatory are welcome to contact us or discuss with our counselor when you contact us for any services. 

Apart from the data mentioned above, CuraLinc may collect additional data depending upon the platform which you use to connect to CuraLinc (mobile application, etc.). The details are listed in the appropriate sections below.  

SMS

By opting in to SMS communication from a web form or other medium, you are agreeing to receive messages from CuraLinc. Message and data rates may apply. As mobile access and text message delivery is subject to your mobile carrier network availability, such access and delivery is not guaranteed. CuraLinc is not responsible for any delays upon sending or receiving text messages. You may opt out of SMS delivery at any time by replying STOP. SMS notifications may include appointment scheduling, appointment reminders, and responses to support requests. Message frequency may vary. CuraLinc does not sell or share data collected in SMS campaigns to third parties. Carriers are not liable for delayed or undelivered messages. For Help, reply HELP. 

Single sign on

Access to our applications through the Single Sign-On (SSO) feature provided by your Employer shall be limited to sharing of sign-in information only, which is known to the Employer. CuraLinc does not collect your password or other credentials. Your Employer does not have access to any communication between you and CuraLinc. 

Mobile application

When you use the Mobile Application, our servers automatically record information that your device sends. This data may include information such as your device’s IP address and location, device name and version, operating system type and version, language preferences, information you search for in our Mobile Application, access times and dates, and other statistics. You will be able to control the permissions for location and other device specific parameters based on your device (e.g., location, notification). If you choose not to allow this access, some services may not operate effectively as expected. 

If you wish to use the Mobile Application’s features, you will be asked to provide certain Personal Information (for example, your name and e-mail address). We receive and store any information you knowingly provide to us when you create an account or fill any online forms in the Mobile Application. When required, this information may include your email address, name, phone number, or other Personal Information to complete the registration. If you choose not to provide us with your Personal Information, then you may not be able to take advantage of all of the Mobile Application’s features. Users who are uncertain about what information is mandatory are welcome to contact us. 

Telephony

To help our Care Advocates focus on your needs and provide high-quality support, we use secure AI tools to assist with transcribing calls, creating summaries, and supporting our internal quality processes. These tools help our team work more efficiently and ensure accurate documentation.  

  • AI does not make decisions about your care, assess your risk, or take any action that would have a legal or significant effect on you. All decisions are made by qualified professionals. 
  • If your call is recorded, it may be transcribed with identifying details removed before the information is used for summarization or service improvement. 
  • Recordings and transcripts are stored securely and managed in accordance with CuraLinc’s data retention policies
  • Your personal data is processed based on our interest in providing safe, consistent, and high-quality services, and to fulfill our obligations to your employer or plan sponsor. 
  • You have rights over your personal data, including the right to access it, correct it, request deletion, or object to certain types of processing. You can exercise these rights by contacting us at privacy@curalinc.com   

How we use your information

Any of the information we collect from you may be used to provide you services, contact you in relation to our services, keep you updated about our offerings, personalize your experience; improve our services/products; improve customer service and respond to queries and emails of our customers; send notification emails such as password reminders, updates, etc.; run and operate our Platform and Services. Information collected automatically is used only to identify potential cases of abuse and establish statistical information regarding website/mobile application traffic and usage. This statistical information is not otherwise aggregated in such a way that would identify any individual user of the system. In addition, certain features may use technology to review language patterns or sentiment for the purpose of improving your experience, but these tools do not interpret your symptoms, diagnose any condition, make decisions about your health or create care plans. 

Your employer will not have access to your Personal Data stored on CuraLinc systems. However, if your employer offers an incentive plan that offers rewards for completion of CuraLinc’s online programs or assessments, with your explicit consent, CuraLinc may share your personal information with your employer including your name, employee identification, and details of which online programs or assessments you have completed including the dates. Neither the scores nor responses from your online programs or assessments will be disclosed to your employer as part of an incentive plan. 

If your employer provides a coaching plan that includes an outreach call from a CuraLinc Care Advocate, with your explicit consent, a Care Advocate may contact you using the contact information and preferences you provide. Your employer will not be given any detail regarding the content of your discussion with a Care Advocate. 

CuraLinc is the data controller with respect to the personal data collected directly from the members of our Services. We may process Personal Information related to you if one of the following applies:  

  • You have given your consent for one or more specific purposes. Note that under some legislations we may be allowed to process information until you object to such processing (by opting out), without having to rely on consent or any other of the following legal bases below. This, however, does not apply, whenever the processing of Personal Information is subject to European data protection law 
  • Provision of information is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof 
  • Processing is necessary for compliance with a legal obligation to which you are subject 
  • Processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in us 
  • Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. In all cases we will reach out to you for additional consent in case of further processing is required 

Information transfer and disclosure

Under certain circumstances CuraLinc may be required to disclose personal data. These circumstances include those required by applicable law and as set out in Article 6.1 of the GDPR, which establishes that processing shall be lawful only if and to the extent that at least one of the following applies: 

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes 
  • Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract 
  • Processing is necessary for compliance with a legal obligation to which the controller is subject 
  • Processing is necessary to protect the vital interests of the data subject or of another natural person 
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller 
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, where the data subject is a child 

We disclose information about you to others when we believe in good faith that we are required by law or legal process to respond to claims or to protect the rights, property or safety of CuraLinc or others. 

We will disclose any information we collect, use or receive if required or permitted by law, such as to comply with a subpoena, or similar legal process, and when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. In the event we go through a business transition, such as a merger or acquisition by another company, or sale of all or a portion of its assets, your user account, and Personal Information will likely be among the assets transferred. 

CuraLinc may transfer the personal information collected about you to countries other than the country in which the information was originally collected. These transfers will be to a service center operated by CuraLinc or one of CuraLinc’s network of providers to provide you with the service you requested. CuraLinc adheres to adequate safeguards required for the international transfers of your personal information outside of the European Economic Area. If you are located in the European Union, CuraLinc may transfer data outside of the European Union in accordance with standards set forth by European Union law including the derogations based on Article 49 of GDPR and the EU model clauses. Nevertheless, access to your personal information may be provided only on a “need-to-know” basis so that CuraLinc may deliver its services upon your request; your personal information will not be disclosed to any other person or entity other than in aggregate reports or in de-identified form without your consent. The storage of EEA personal data is maintained in the United States. 

Third party services

Your personal data provided to us will be secured by taking all technical and organizational security measures in such a way that they are inaccessible for access by unauthorized third parties. When sending very sensitive data or information, it is recommended to use the postal service, as complete data security by e-mail cannot be guaranteed. 

Data security

The personal data provided by you will be stored by us for the duration of use of the portal, our services or in the event of the provision of information, services or support until expiry of the applicable statutory storage period, considering the basic principles of the GDPR and the local laws to the permissible extent. With respect to European Union participants, data is retained for three (3) years from the date of case closure.  

Data retention

The personal data provided by you will be stored by us for the duration of use of the portal, our services or in the event of the provision of information, services or support until expiry of the applicable statutory storage period, considering the basic principles of the GDPR and the local laws to the permissible extent. With respect to European Union participants, data is retained for three (3) years from the date of case closure.

Data breach

In the event we become aware that the security of the applications and/or platform has been compromised or users Personal Information has been disclosed to unrelated third parties as a result of external activity, including, but not limited to, security attacks or fraud, we reserve the right to take reasonably appropriate measures, including, but not limited to, investigation and reporting, as well as notification to and cooperation with law enforcement authorities. In the event of a data breach, we will make reasonable efforts to notify affected individuals if we believe that there is a reasonable risk of harm to the user because of the breach or if notice is otherwise required by law. When we do, we will notify you via email. 

Jurisdiction and applicable law

The laws of the State of Illinois govern this Policy to the extent as not overruled by applicable local law such as the GDPR for data subjects within the EEA or national laws regulating the data for other jurisdictions based on the scope. You irrevocably consent to the jurisdiction of the courts located in the County of Cook, State of Illinois, U.S.A. for any action arising out of or relating to this Statement if no local law gives you the inevitable right to apply to your local court. If the information and materials presented on this website/application includes the sale of goods (e.g. publications, books), then any following rights and obligations that you or CuraLinc may have shall not be governed by the United Nations Convention on Contracts for the International Sales of Goods (“CISG”) and its application is excluded. You may be able to access this site from any region in the world. If your use of any benefit offered by this portal conflicts with the laws of your region, then CuraLinc respectfully requests that you do not use this portal; you are responsible for your own knowledge and understanding of the laws of your region as well as your compliance with them. 

Currently, more than 50 countries have some form of legislation/regulation governing data privacy; the most stringent of which are: HIPAA/HITECH in the United States; the General Data Protection Regulation 2016/679; PIPEDA in Canada; PDPA in Singapore; and National Privacy Principles in Australia. Each country’s laws have elements in common; however, the definition, implementation, oversight, and prosecution of these regulations vary greatly. Nearly all laws share the following: an exemption based on consent that allows the transfer of personal information in situations that impact the health and wellbeing of the individual. 

Our focus is on GDPR, PIPEDA and HIPAA/HITECH. Around the world, CuraLinc has decided to comply with the local standards that give individuals the most comprehensive protection. Local standards in various countries may include: 

  • Health Insurance Portability and Accountability Act (HIPAA) 
  • General Data Protection Regulation 2016/679 (GDPR) 
  • Personal Information Protection and Electronic Documents Act (Canada) 
  • Data Protection Act 2018 (UK) 
  • French Data Protection Act 
  • Privacy Mark certification (Japan) 
  • Privacy Act (Australia) 
  • The Irish Data Protection Act (2018) 
  • Act on Personal Data Protection (Poland) 
  • Law for the Protection of Personal Data (Argentina) 
  • Federal Data Protection Act (Germany) 
  • Personal Information Protection Law (PIPL), (China) 
  • Personal Data (Privacy) Ordinance (Hong Kong) 
  • Personal Data Protection Act 2012 (No. 26 of 2012 Singapore), amended in 2021. 
  • General Data Protection Regulation Implementation Act (Netherlands) 
  • Personal Data Protection Act 2019 (Thailand) 

This list is not comprehensive but represents a sample of country specific regulations. We consider the strictest of them and align our practices accordingly.  

The information requested / required is 

  1. Voluntary as to any receipt of service by an Individuals 
  2. Necessary to conduct the natural operations of CuraLinc’s business and deliver on the contractual obligations
  3. Confidential
  4. Not subject to release except by the consent of the Individual. 

Individual rights

You have certain rights regarding the personal information CuraLinc collects and maintains about you. CuraLinc offers you choices about what personal information is collected from you, how that information is used, and how CuraLinc communicates with you: 

  • You can expect that CuraLinc will collect and process your personal information fairly and in accordance with applicable law 
  • You can choose not to provide personal information to CuraLinc by refraining from using features and programs that request your personal information 
  • You can elect not to have a unique cookie identification number assigned to your computer. 
  • Your personal data may be used for statistical analysis and reporting purposes in a manner that does not identify you in any way 
  • You may agree to the release of any or all of your personal information to anyone or any organization by giving your consent to CuraLinc; otherwise, your personal data will not be routinely released unless CuraLinc has a legal obligation to do so 
  • You may withdraw any consents you previously provided to CuraLinc, or, on legitimate grounds, object at any time to the processing of your personal information or specific categories of data that you consider sensitive 
  • You have the right of data portability so that you can retrieve and reuse your personal information for your own purposes 
  • You have the right to request at any time correction of any error(s) in your personal information that is collected and processed by CuraLinc 
  • You have the right to lodge complaints with any supervisory authority 
  • You have right, under certain circumstances, to invoke binding arbitration to resolve any dispute regarding the collection, processing, retention, and/or release of your personal information 
  • You may, subject to local law requirements, have the right to: 
  • Request access to and receive information about the personal information CuraLinc collects and maintains about you 
  • Update and correct inaccuracies in your personal information  
  • Have your personal information blocked or deleted, as appropriate 
  • You have the right to ask CuraLinc to no longer collect your personal information for information purposes (e.g. sending information to you by email or SMS message, asking your opinion on CuraLinc products and services) by withdrawing your consent. You can exercise your right to withdrawal at any time by contacting CuraLinc 
  • To the extent that it applies to the holding, collection, use or disclosure of your personal information, you may complain about a breach of Privacy Policy by CuraLinc by contacting the Data Protection Officer of CuraLinc at the address provided below.  On receiving your complaint CuraLinc will respond within the timeframe set by the applicable law 

You can access, update and delete certain Personal Information about you. The information you can view, update and delete may change depending on the services. When you update information, however, we may maintain a copy of the unrevised information in our records. We will retain and use your Personal Information for the period necessary to comply with our legal obligations, resolve disputes, and enforce our agreements unless a longer retention period is required or permitted by law. We may use any aggregated data derived from or incorporating your Personal Information after you update or delete it, but not in a manner that would identify you personally. For statistical purposes, we use only anonymized data. Once the retention period expires, Personal Information shall be deleted or anonymized. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after the expiration of the retention period. 

Use of services by minors under age 13

This portal is not directed to, or developed for, minor children. If you have not reached the age of majority, you may not use this portal unless supervised by an adult. CuraLinc’s goal is to comply with applicable laws and regulations relating to collection and use of information relating to children. If you believe that CuraLinc has received information from a child or other person protected under such laws, please notify us immediately (see the “Contacting Us” section below). You must also be at least 18 years of age to consent to the processing of your Personal Information in your country (in some countries we may allow your parent or guardian to do so on your behalf). 

California residents

If you are a resident of California the following information and rights are provided to you as required by the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA), and all implementing regulations, as may be further amended from time to time (collectively, the “CCPA”). Any terms defined in the CCPA have the same meaning when used in this notice.  

  • Personal information under CCPA does not include: 
    • Publicly available information from government records 
    • De-identified or aggregated consumer information 
    • Information excluded from the CCPA’s scope, such as:
      • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data 
    • Financial Information covered by the Gramm-Leach-Bliley Act and implementing regulations 

Personal information disclosure

During the past twelve (12) months, we have disclosed the following categories of Personal Information for a business purpose:

  • Identifiers: Name, residential address, Internet Protocol (IP) address, ‎email address, or other similar identifiers‎

  • Customer records information: Name, address, telephone number, ‎medical information, health insurance information‎

  • Characteristics of protected classifications under California or federal law: ‎Gender, language preference, age‎

  • Internet or other similar network activity: Information on a consumer’s interaction with our website and applications

  • Geolocation data: IP-based geolocation‎

  • Professional or employment-related information‎

 We may also collect the following Sensitive Personal Information:

  • Social security, employee or member identification number

  • Health information‎‎: Survey responses concerning anxiety, depression, alcohol use, other substance use, and work productivity

This information is collected as noted in the section above, entitled “Information We Collect”. The business purposes for which we collect and disclose this information are:

  • Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, verifying customer information, providing services, providing analytic services, or providing similar services on behalf of the business‎

  • Helping to ensure security and integrity‎

  • Debugging to identify and repair errors that impair existing intended functionality‎

  • Undertaking internal research for technological development and demonstration‎

  • Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance the services‎

In the past 12 months, we have disclosed your Personal Information for a business purpose to the following ‎categories of third parties:‎

  • Business Communication and Collaboration Tool: Email communications, email marketing, SMS providers, public knowledge base, survey providers

  • Sales and Marketing Tool: CRM providers, sales assistance providers

  • Product Engineering and Design Tool: Software design, deployment automation

  • eCommerce: Marketing websites

  • Finance and Accounting: Financial tracking and accounting software

  • ISP: Internet service providers

  • Service Providers: Cloud hosting, email delivery, telehealth video platform, service desk management, platform ‎usage analytics, business analytics, geolocation‎

In addition to the above, we may disclose any or all categories of Personal Information to any third-party (including government entities and/or law enforcement entities) as necessary to:

  • Comply with federal, state, or local laws, cooperate with law enforcement agencies, or to comply with a court order or subpoena to provide information

  • Cooperate with law enforcement agencies concerning conduct or activities that we (or one of our service providers’) believe may violate federal, state, or local law‎

  • Comply with certain government agency requests for emergency access to your Personal Information if you are at risk or danger of death or serious physical injury‎

  • Exercise or defend legal claims‎

Sale or sharing of personal information

The categories and methods that we use to collect your Personal Information and Sensitive Personal Information and our business and commercial purposes for using this information are set forth above. We do not "sell" or "share" your Personal Information for non-business purposes. Please note, that “share” under the CCPA means to share your information with a third party for the purpose of cross-context behavioral advertising. You may remove or adjust your cookie preferences on your device or browser as they permit, and you may contact us exercise your rights at any time (see “Contacting Us” below). We do not sell or share the personal information of minors under 16 years of age. 

Your rights and choices ‎

The CCPA provides consumers (California residents) with specific rights regarding their Personal Information, including: 

  • Right to Know and Access – The right to know and request access to certain information about our collection and use of your Personal Information over the past 12 months 
  • Right to Request Deletion – The right to request deletion of Personal Information that we have collected and retained (subject to certain exceptions) 
  • Right to Request Correction – The right to correct Personal Information that we have collected to ensure that it is complete, accurate, and as current as possible 
  • Right to Limit the Use of Your Sensitive Personal Information – We use and disclose sensitive personal information we collect about you 
  • Opt-out – The right to opt-out of selling and sharing the information we collect 

You may submit a consumer request to us to by contacting us as indicated below. We will process such requests in accordance with applicable laws. 

Submitting consumer requests

You may submit a consumer request to us by email at privacy@curalinc.com, or by mail at the address below in the “Contacting Us” section to make a consumer request.  You may make up to two access requests in any 12-month period.  Please review the consumer request forms below.  

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.  

Making a verifiable consumer request does not require you to create an account with us.  

When you submit a verifiable consumer request, we will take steps to verify your request by email or mail.  In some cases, we may request additional information to verify your request or where necessary to process your request. If we are unable to adequately verify a request, we will notify the requestor.  Authorized agents will be required to provide proof of their authorization, and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent. 

We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request. 

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. 

Response time and format

We will respond to a verifiable consumer request within 10 days of its receipt. We will generally process these requests within 45 days of its receipt. If we require more time (up to an additional 45 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically. Any disclosures we provide will only cover the ‎‎12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. 

Verification

You may use an authorized agent to submit a consumer request.  To use an authorized agent, you will need to (i) provide written instruction to your agent, and verify your identity to us, or (ii) provide a power of attorney pursuant to California Probate Code Sections ‎‎4000 to 4465. For privacy protection, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. 

Non-discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not: 

  • Deny you goods or services 
  • Charge you different prices or rates for goods or services, including through:
    • Granting discounts or other benefits, or imposing penalties
    • Provide you a different level or quality of goods or services
    • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services 

Updates to this policy

We may change this Privacy Policy. The “Effective Date” at the top of this page indicates when this Privacy Policy was last revised. Any changes to the policy will become effective on this date. Your use of the Services following these changes means that you accept the revised Privacy Policy. 

Data processing

Data privacy framework

CuraLinc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CuraLinc has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) regarding the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. CuraLinc has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) regarding the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit: https://www.dataprivacyframework.gov/ 

EU general data protection regulation

In case of processing of personal data to which the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is applicable, the information below pursuant to EU General Data Protection Regulation (“GDPR Privacy Notice”) shall apply in addition to the above. In such case, in the event of any conflict between the above and the GDPR Privacy Notice, the provisions of the GDPR Privacy Notice shall prevail.  

This GDPR Privacy Notice applies to the processing of your personal data by CuraLinc, LLC, a company incorporated and existing under the laws of U.S.A, with its registered office at 314 West Superior Street, Chicago, IL 60654, ID No.: 33-1206383 (“CuraLinc” or “we”), to which the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”) is applicable.  

Processors

CuraLinc decides why and how your personal data is handled and is therefore the data controller.  

CuraLinc may transfer your personal data to other CuraLinc group companies and companies that provide services to CuraLinc (such as providers of software or IT services) and that work with your personal data as processors. CuraLinc may transfer your personal data to public authorities or other third parties if it is obliged to do so under applicable laws or is permitted to do so by applicable laws.  

Your employer will not have access to your personal data stored on CuraLinc systems. However, if your employer offers an incentive plan that offers rewards for completion of CuraLinc’s online programs, with your explicit consent, CuraLinc may share your personal data with your employer including your name, employee identification, and details of which online programs you have completed including the dates. Neither the scores nor responses from your online programs will be disclosed to your employer as part of an incentive plan. 

Processing purpose 

We are working with your personal data to enable you to use CuraLinc’s services and/or platform (employee assistance program), as you decide to use them. 

Processing legal basis 

We work with your personal data based on the following legal titles: 

  • The processing is necessary for the performance of an agreement to which you are a party, and which governs the terms and conditions of your use of CuraLinc’s services and/or platform (employee assistance program). 
  • In the event you provide us with your personal data relating to your health, such information will be processed based on your consent. 

Processing locations 

Your personal data will be processed in the USA. Your personal data may also be transferred to another third country (a country outside the EU), including countries that do not guarantee an adequate level of protection of personal data according to the GDPR. For transfers of personal data to third countries that are not covered by the European Commission’s adequacy decision, CuraLinc has taken all necessary measures and safeguards to ensure that personal data is afforded an adequate level of protection as required by applicable law by attaching a standard contractual clause in the wording of the relevant European Commission decision.  

If you wish to get more information about the measures and safeguards taken or obtain a copy, please contact us at the contact details below. 

Automated decision making 

In relation to your personal data, automated decision-making and profiling may occur to a reasonable extent, to personalize the user experience and provide personalized recommendations. Automated decision-making involves the use of algorithms and computer programs to analyze personal data and make decisions without human intervention. Profiling is a type of automated decision-making that involves analyzing personal Data to make predictions or decisions about an individual. The information we have for you is made up of what you tell us and data we collect when you use our services or from third parties we work with, such as name, address, age, gender and platform engagement. 

You will not be subject to decisions that will have a significant impact on you based solely on automated decision making or profiling, unless we have a lawful basis for doing so and we have notified you. Our legal basis for using automated decision making is legitimate interest. We comply with the General Data Protection Regulation (GDPR) and other relevant laws and regulations. 

You may have the right to restrict or object to us using your personal information or using automated decision-making or profiling. Opting out of automated decision-making and profiling may result in reduced personalization. To exercise these rights or ask questions about our privacy policy see the “Contacting Us” section below. 

Processing duration 

The personal data provided by you will be stored by us for the duration of use of the portal, our services or in the event of the provision of information, services or support until expiry of the applicable statutory storage period, considering the basic principles of the GDPR and the local laws to the permissible extent. With respect to European Union participants, data is retained for three (3) years from the date of case closure.  

Processing rights 

As this is guaranteed by the applicable data protection legislation, particularly the GDPR, you may request from us:  

  • Access to your personal data processed by us 
  • Restriction of the processing of your data 
  • Rectification of your data 
  • Erasure of your data 
  • You may object to the data processing 
  • You may exercise your right to data portability 
  • In the case of personal data processed based on your consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal 

To exercise any of these rights, please contact us. If you believe that we are violating the law by processing your personal data, you can file a complaint with the national supervisory authority. You can contact us at any time (see the “Contacting Us” section below). 

Dispute resolution 

If a privacy complaint or dispute relating to Personal Data received by CuraLinc, LLC in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/ 

Binding arbitration 

Following the dispute resolution process, you or VeraSafe may refer the matter to the U.S. Federal Trade Commission, which has DPF investigatory and enforcement powers over CuraLinc. You have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any other of the DPF mechanisms. For more information, see the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework: https://www.dataprivacyframework.gov 

Privacy policy addendum for South Africa 

Data Subject Rights 

If you reside in South Africa, you have the right to lodge a complaint with a supervisory authority, in addition to those set out in the Privacy Policy, and the details of the supervisory authority is set out below: 

  • Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, Gauteng, South Africa, 2017 

Privacy policy addendum for Ukraine 

Data Subject Rights 

If you reside in Ukraine, you may have certain rights in addition to those set out in the Privacy Policy, including: 
•The right to know about the sources of collecting and the location of your personal data, the purpose of its processing, location of controller or empower the authorized parties for obtaining such information; 
•The right to obtain information on conditions for providing access to their personal data, in particular information about third parties to whom their personal data is transferred to; 
• The right to obtain information on whether their personal data is being processed and the content of such data within 30 calendar days; 
• The right to protect their personal data from unlawful processing and accidental loss, destruction, damage, as well as from provision of information that is inaccurate or discredit honor, dignity and business reputation; 
• The right to private action; 
• The right to restrict the processing of your personal data; 
• The right to be informed of the logic of automatic processing (if applicable); and 
• The right to protect yourself from automated decision-making (if applicable) that results in legal consequences. 

Privacy policy addendum for Barbados 

This Privacy Policy Addendum for Barbados is for users of CuraLinc who are located in Barbados. If you’re located in Barbados, you should read both the CuraLinc Privacy Policy and this Privacy Policy Addendum for Barbados to understand your rights and options.  

Basis of Lawful Processing  

Barbados data protection laws require us to be specific about our reasons or grounds for using your personal information. CuraLinc processes the personal information of users in Barbados on these grounds:  

  • Consent. When you have provided your consent or, in the case of sensitive personal information, when you have provided your explicit consent, to our collection of your information;  
  • Performance of a contract with you. When we need to perform the service you are seeking or have agreed to, according to the Terms of Use you agree to when you create an account with CuraLinc;  
  • Legitimate interests. When we have a legitimate business or commercial reason for using your information, and your interests and your fundamental rights do not override those interests. We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests. You can obtain information on any of our balancing tests by contacting us using the details set out later in this notice; and/or  
  • Legal obligation. When we need to comply with a legal or regulatory obligation.  

Before collecting or using any special categories of data (referred to as sensitive personal information in the Privacy Policy), we will only use that information:  

  • With your explicit consent;  
  • For the establishment, exercise or defense by us or third parties of legal claims; or  
  • If there is an exemption under local law that allows us to use it, such as in relation to the processing of special categories of data for insurance purposes, or for determining benefits under an occupational pension scheme. 

CuraLinc may process your personal information on more than one ground depending on the reason or grounds for using your personal information. Please contact us if you need details about the specific grounds, we are relying on to process your personal information.  

Transfer of Personal Information Outside Barbados  

CuraLinc will ensure that adequate safeguards are implemented if and when we need to transfer personal information outside of Barbados so that a similar degree of protection is afforded to it. Please contact us if you want more information on how we transfer and protect your personal information out of Barbados.  

Cookies 

While visiting this portal, CuraLinc may place text files called ‘cookies’ on your computer. Any information that CuraLinc collects using cookies is non-personal information. The cookies on this portal are strictly session cookies used for authentication. Those cookies time out or are destroyed once you leave the portal. You are always free to decline to accept CuraLinc’s cookies, as permitted by your browser; however, some functions of this portal may not work properly if you choose to do so.  

Using cookies, pixel tags/web beacons, and similar technologies, CuraLinc may use third-party tracking and advertising providers to act on CuraLinc’s behalf to track and analyze usage of this portal; the third-party provider may use this information for the purpose of evaluating your use of the portal, compiling reports on portal activity and providing other services for CuraLinc relating to portal activity and internet usage. Your browser’s IP address, transmitted for analytical purposes, will not be associated with any other data held by the third-party analytical service provider. If you choose to accept a cookie, you can delete it at any time through your web browser. If you do not wish to receive cookies or wish to manage the acceptance cookies in general, you may set your browser to reject cookies or to alert you when a cookie is placed on your computer. To choose to decline specific cookies, please see the following link: www.networkadvertising.org/choices/#completed. 

Types of cookies 

We utilize the following types of cookies: 

  • Necessary or Essential Cookies - These cookies are essential for the functioning of the website. They cannot be switched off in the systems and are usually only set in response to actions made by a person that amount to a request for services, such as privacy preferences, logging in or filling in forms. 
  • Preference or Functional Cookies - These cookies allow a website to remember information that changes the way a website behaves or looks. They remember user preferences, like language selection, region and the user interface’s customization. 
  • Analytics or Statistics Cookies - These cookies collect information on how websites are used, helping the business to understand the effectiveness of their product. They provide statistics on visitors, such as the number of visitors, the tracking of user’s journey, etc., that can be used for improvements. 
  • Marketing or Advertising Cookies - They track user’s online activity to help advertisers deliver more relevant advertising. These cookies can share that information with other organizations or advertisers. 
  • Social Media Cookies - These cookies allow the user to share pages and content through third-party social media and other websites. 

Cookies in use

Below is a table providing the details of the cookies used on our website, including their names, descriptions, type and duration.

Cookie Name Description Type Duration
PHPSESSID Identifies a user’s session on the website Necessary Session
vanguard_session Identifies a user’s session on the website Necessary Session
mindstream_session Identifies a user’s session on the website Necessary Session
crssid Internal group identifier. Used for generating Flash Course certificates Necessary Session
crsid Internal page identifier. Used for generating Flash Course certificates Necessary Session
crsurl Group’s homepage URL. Used for generating Flash Course certificates Necessary Session
landing URL to redirect to and from mobile app Functional 5 minutes
announcements List of banners the user has chosen to dismiss or no longer view Functional Persistent
wp_lang Language selected by user used for localization Functional 1 year
wp_lang-id Internal language ID used for localization Functional 1 year
wglang Used to store the current language selected by the user Functional Persistent
wg-translations Used to provide localization functionality Functional Persistent
ZD-Suid Used to store unique session identifier Statistics 20 minutes

Consent

By continuing to use this portal, you acknowledge that you have read, understand and agree to be bound by all terms and conditions and disclaimers for the use of this portal and services provided by this portal. Our general terms of use and privacy practices are updated periodically. CuraLinc encourages you to review our policies each time you visit this portal. 

Contacting us

If you have any questions or concerns about our privacy policy or the collection of your information, you can contact us at any time by sending an email to privacy@curalinc.com or via the following mailing address: 

Attn: Data Protection Officer
CuraLinc Healthcare
314 West Superior Street
Chicago, IL 60654

Please be aware that email is not the most secure way of communication, we therefore recommend not to send sensitive personal data via email in the first instance.