Confidentiality and privacy policy

Version updated on 06/12/2024

Within this data protection policy, you will find information on how the personal data of users of the website and the Cure51 platform are used:

The company Cure51 (hereinafter “Cure51”) takes your privacy very seriously and respects the information you entrust to it. This information is protected by law. They are under no circumstances intended to be communicated to third parties outside the context and for the reasons mentioned in this Confidentiality and Protection of Privacy Policy.

The purpose of this Confidentiality and Privacy Protection Policy is to inform you of the nature of the information concerning you that we will collect and use in the context of your visit to the Site and/or your use of the Services.

Cure51 reserves the right to modify this Confidentiality and Privacy Policy at any time. You are also invited to consult it regularly in order to be aware of any possible modifications. Any new use of the Site and/or communication of information to Cure51 after posting a new version of this Confidentiality and Privacy Policy will constitute acceptance of this latest version.

The capitalized terms below have, if they are not defined in this document, the definition given to them in the General Conditions of Use of this website and the Platform.

1. Who is the data controller?

In accordance with the applicable legal and regulatory provisions, in particular Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms known as the amended “Informatics and Freedoms” Law and European Regulation No. 2016/679/ EU of April 27, 2016 (applicable since May 25, 2018) on data protection (“GDPR”), Cure51, as data controller, processes and protects the personal data it collects. Cure51 undertakes to respect these regulations. To do this, Cure51 puts in place procedures and measures to protect your personal data, including in the event of use of subcontractors to carry out the processing of personal data described below.

Depending on its research activities in the field of health, Cure51 may be jointly responsible for processing with one or more organizations.

The purpose of this Privacy Policy is to meet Cure51's information obligation under the GDPR (articles 12 to 14) and to document the rights of data subjects regarding the processing of their personal data. Privacy and data protection information notices and/or a consent or non-objection form will be communicated to data subjects, if necessary, regarding the specific situations in which Cure51 may process personal health data.

This confidentiality policy does not create any obligation beyond what is provided for by the applicable regulations and/or by the general conditions of use or other contract binding Cure51 with the persons concerned.

2. Who is affected by this privacy policy?

This Privacy Policy applies to all processing of personal data of the persons concerned, within the framework of Cure51's relations with (i) professionals involved in research, (ii) patients, (iii) any user of the website: (the "Site").

3. What categories of personal data are processed by Cure51?

The personal data that Cure51 processes about data subjects includes a wide range of personal data and depends on Cure51's relationship with the data subjects, as well as with third parties with whom Cure51 works and who may provide Cure51 with access to the data personal.

Thus, Cure51 may process the following personal data:

3.1 Non-technical personal data (depending on the circumstances)


We collect data relating to your health and genetic data for the purpose of conducting our research and other information relevant to our studies.

The data concerning you is always collected by a health professional who follows you and knows you, working within an investigative center or a research location. It does not send us information allowing you to be directly identified, such as your first name, last name, address, telephone number. A code is assigned to you in the databases and only it can make the link between your data and your identity. We therefore speak of “coded data”. They fall into the regulatory category of “pseudonymized data”.

The data we collect is always justified by the protocol that describes the research.

They are analyzed and can be reused in aggregated or anonymized form to identify trends, develop new treatments, improve health care and contribute to the advancement of medical knowledge.

As indicated above, specific privacy and data protection information notices and/or a consent or non-objection form will be communicated to data subjects, if necessary, regarding the specific situations in which Cure51 may process their personal data.

Participants in studies

We collect data relating to identity and identification (such as surname, first name, email address, telephone number).

Site Users

When using the site, and in particular when filling out our contact form, the following data is collected:

- first and last names,

- phone number,

- the email address.

3.2. Technical personal data (depending on the circumstances)

We collect data relating to browsing history on the Site / PPP and activity data (access time, pages viewed, form completed on the Site, URL clicked, IP address, etc.).

Technical information, such as the type of browser and operating system used by the data subject or information on the data subject's device (unique device identifier, hardware model, operating system and version, mobile network information).

4. Why does Cure51 collect and use personal data?

4.1. Research and development activities

Cure51 collects and uses personal data, including health data, in order to carry out research and development activities, including carrying out market studies, scientific studies, clinical studies, observational studies , post-marketing studies or any other type of scientific research projects. These activities contribute to the search for explanatory factors for patients who have survived poor prognoses with the aim of innovating in their care (new medications, new therapeutic modalities, etc.). The personal data thus collected is used solely for research purposes in the field of health. We are committed to using your data responsibly and not sharing it with third parties without your explicit consent, except as required by law.

4.2. Ensuring the security of personal data and the rights of data subjects

Cure51 must ensure that personal data is processed in accordance with applicable data protection regulations, including, for example, the processing of the first and last name of Data Subjects when they have exercised their rights with Cure51 in accordance with the GDPR in order to ensure the efficient management of their request.

4.3. Management of the purposes of the Site

Management of the Site (contact form, etc.) requires the use of personal data to improve its operation, personalize the user experience, respond to user requests, send marketing information if the user has consented to receiving it.

4.4. Protecting the rights and interests of Cure51

Cure51 may use personal data (i) where required by law, (ii) upon request of a court, (iii) if we believe in good faith that disclosure is reasonably necessary to defend against any claim or third party accusation (iv) protect the security or integrity of our services. We will notify you of any legal process which requires access to data about you, unless the law prohibits us from doing so. In cases where a court order specifies a period of non-disclosure of the request to data subjects, we will send you a delayed notification after the expiration of the non-disclosure period.

Although the list is intended to be as exhaustive as possible, any new use or modification or withdrawal of any existing processing will be notified to the persons concerned by the publication of new versions of this Privacy Policy on the Site. Cure51 invites data subjects to regularly consult this Privacy Policy online in order to be aware of this new use, modification or withdrawal of any existing processing.

5. On what basis is Cure51 legitimate in collecting and using the personal data of the persons concerned?

The purposes for which Cure51 processes personal data described above are based on the legal basis described below pursuant to Articles 6 and 9 of the GDPR.

5.1. Processing is necessary for the purposes of Cure51's legitimate interest

When Cure51 processes personal data for its legitimate interest, Cure51 must take into account the fundamental rights and interests of the data subject, in order to assess whether the legitimate interests pursued by Cure51 do not create an imbalance with the fundamental rights and interests of the person concerned.

The following treatments implemented by Cure51 are concerned:

Furthermore, all our research projects meet the public interest criterion provided for by the Data Protection Act. Indeed, Cure51 carries out the processing of personal data that is useful and necessary to achieve the public interest objective of:

Other processing of personal data by Cure51 based on its legitimate interest is as follows:

5.2. The processing is necessary for the purposes of compliance with the legislation applicable to Cure51

Cure51 may process personal data in order to comply with the legal obligations applicable to Cure51 for the following purposes:

5.3. The data subject has given consent to the processing of their personal data for one or more specific purposes

Cure51 may process personal data for one or more specific purposes for which the data subject has clearly expressed consent to the processing of their personal data for those purposes.

Communication of the Cure51 newsletter to the data subject is based on their consent.

5.4. Processing is necessary for the purposes of the performance of a contract

Cure51 may process personal data in the context of the performance of a contract between the data subjects (or their employers) and Cure51.

6. Where does the personal data collected and used by Cure51 come from?

Personal data may be collected directly from the data subjects (direct collection).

The collection of personal data relating to patients is indirect: it is carried out through specialized partners, such as Cure51 partner organizations, who are authorized to do so in compliance with their applicable law and in application of their own policies. confidentiality and data protection.

In such cases, Cure51 takes great care to ensure the quality of the data it receives. If data subjects have any questions relating to the initial collection of their personal data by the partner, where applicable, Cure51 may invite data subjects to contact them directly and/or refer to their data protection policies.

7. Who accesses personal data?

Taking into account the purpose(s) for which the Personal Data of data subjects is processed, Cure51 will ensure that the Personal Data is only accessible to authorized internal and external data recipients who have a need to know it.

The recipients of personal data are bound by an obligation of confidentiality. In any case, Cure51 only provides them with the information strictly necessary for the processing of personal data in compliance with the identified purposes.

Cure51 decides which data recipients can access which personal data through contract and/or internal policies.

Personal data may also be transmitted to any authority legally authorized to receive it. In such cases, Cure51 is not responsible for the manner in which such authorities access and process personal data, but will limit the personal data to which such authorities have access to the strict minimum required by such authorities.

7.1. Recipients of patient data

Persons authorized to have access to coded patient data are Cure51 employees.

7.2. Recipients of data of other data subjects

Depending on the purpose(s) of the processing and the personal data processed, authorized Cure51 personnel may include: the communications and marketing team; administrative and financial management; operations management.

7.3. External recipients of Cure51 data

Depending on the purpose(s) of the processing and the Personal Data processed, the External Recipient of Cure51 data may include:

8. How long do we keep your data?

Cure51 undertakes to ensure that the data collected is kept in a form allowing your identification for a period which does not exceed the duration necessary for the purposes for which this data is collected and processed.

The retention period of personal data is defined by Cure51 in accordance with its legal and contractual obligations and according to specific needs, in particular in compliance with the following principles:

Data relating to patients and professionals involved in research activities: We apply regulations according to research typologies.

Data relating to research participants: Unless there is a need for longer retention for evidentiary purposes, they are kept for a period not exceeding 3 years after the end of the contractual relationship between Cure51 and the User.

Personal data relating to contacts: Three (3) years from the collection of Personal Data by Cure51 or from the last contact established by the client or potential contact.

For the management of our commercial relationship with you and customer follow-up, your data is kept for 3 years from the end of the commercial relationship if you are a customer. Beyond that, the data is archived for the period when the lawyer's liability may be called into question.

For the management of legal requests regarding your personal data: your data is kept for 1 year.

With regard to cookies, it is specified that the information stored in the terminal (e.g. cookies) or any other element used to identify the User for audience statistics purposes is not kept beyond a period of six (6) months. Beyond this period, the raw attendance data associated with an identifier is either deleted or anonymized.

In addition, in order to ensure the proper functioning and permanent improvement of the Site and its functionalities, the raw traffic data associated with an identifier are kept for a period of thirteen (13) months. Beyond this period, they are deleted or anonymized. (For more details, please complete by integrating the link to the cookie management policy)

Beyond the specified deadlines, personal data is either deleted or kept after anonymization, in particular for statistical purposes. They may be kept for evidentiary purposes in the case of pre-litigation and litigation. This data may also be retained for the purpose of complying with a legal obligation or kept in files in accordance with applicable regulations and laws.

Data subjects are reminded that deletion or anonymization are irreversible operations and that Personal Data cannot be subsequently restored by Cure51. As such, it will no longer be possible to identify the persons concerned, even indirectly, and any link between you and your data will be deleted. Once personal data is anonymized, no one will be able to link the anonymized data and the original Personal Data, and Cure51 will no longer be able to respond to requests to exercise the data subject's rights as described below.

9. What are your rights as a data subject?

As data subjects and in accordance with applicable data protection laws, individuals have the right to exercise the following rights:

Confirmation and right of access

Data subjects have the right to ask Cure51 to confirm whether or not their personal data is being processed and will be granted access rights and a right to request a copy of their personal data. Any abuse of this right will be subject to costs which would be borne by the persons concerned.

If data subjects request a copy of their personal data electronically, the requested information will be provided in a commonly used electronic format, unless otherwise indicated.

Data subjects are informed that this right of access may not cover confidential information or data the communication of which is prohibited by law.

Rights of updating and rectification

Data subjects have the right to request that Cure51 rectify their personal data, in the event that their personal data is inaccurate, incomplete or out of date.

Right to object to processing activities

Data subjects have the right to object to the processing of their personal data, subject to any legal restrictions that may exist with regard to this right of objection.

For example, with regard to the newsletter sent by Cure51 to data subjects, each of them can unsubscribe at any time by clicking on the “unsubscribe” link at the bottom of Cure51 newsletters.

Right to erasure

The data subject's right to erasure does not apply where the processing is carried out in accordance with a legal obligation or if the processing is necessary for the establishment, exercise or defense of legal claims.

In other circumstances, data subjects may request the deletion of their data if one of the following criteria is met:

In accordance with the legislation on the protection of personal data, data subjects are informed that this is an individual right which can only be exercised by data subjects in relation to their own information.

Right to restriction of processing

Data subjects are informed that the right to restriction of processing is not intended to apply when the processing carried out by Cure51 is carried out in order to comply with the laws and regulations applicable to Cure51 and/or when the processing of data to personal character is necessary for the execution of its services.

Right to portability of personal data

Cure51 will grant requests for personal data portability for purposes based solely on personal consent or contract.

In such cases, personal data will be communicated in a structured and commonly used format capable of being read by a machine.

Automated individual decision making

Cure51 does not engage in automated individual decision-making.

Rights after death

The persons concerned are informed that they have the right to decide regarding the conservation, erasure and communication of their data after their death.

Complaint before the CNIL

In the event of non-compliance with your “Informatics and Freedoms” rights, you also have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL). To find out more:

10. How to contact us ?

Any request relating to the exercise of the rights described above must be the subject of a written request sent by email to the address or by post to the following address: 26 RUE DES RENAUDES in PARIS (75017), accompanied by a copy of a signed identity document. In accordance with data protection laws and regulations, data subjects are informed that the rights set out above are individual rights which can only be exercised by the data subjects themselves with regard to their own information, so that, for security reasons, Cure51 may need to verify the identity of the data subject before communicating personal data to the data subject. If we have reasonable doubt about your identity, we may ask you for additional information or documents in order to verify your identity.

Your request will be processed within one month at the latest, a period which may be extended by two months, taking into account the complexity of the request. In this case, you will be informed of this extension of time within one month of receipt of your request.

11. How do we regulate possible transfers of personal data to international organizations?

If, in the context of the processing activities described above, Cure51 needs to transfer Personal Data of Data Subjects established in the European Economic Area (“EEA”) to recipients located outside the Economic Area European, such as its service providers and/or partners and/or affiliates, Cure51 will ensure that adequate and appropriate safeguards are implemented as required by the GDPR (for example, by ensuring that the adequacy decisions of the European Commission are in force in the following countries: in accordance with Article 45 of the GDPR, or a binding legal act or standard contractual clauses of the European Commission have been signed with the recipient, where applicable applicable).

12. How do we ensure the security of personal data?

Cure51 has implemented technical and organizational measures to protect the integrity and confidentiality of the personal data of the persons concerned. These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying probability and severity for the rights and freedoms of the data subjects. persons concerned.

This measure includes, for example, security techniques of a physical or logical nature that Cure51 deems appropriate to prevent the accidental or illegal destruction, loss, degradation or unauthorized disclosure of personal data. The main elements of these measures include and are not limited to: