Privacy Policy
1. INTRODUCTION
CuraVista GlobalTM is committed to protecting the privacy and personal data of its clients, partners, and website visitors. This Privacy Policy explains how we collect, use, share, and protect your information in compliance with the General Data Protection Regulation (GDPR), India’s Digital Personal Data Protection Act (DPDPA), and other applicable laws.
Explanatory Paragraph
The introduction sets the tone for CuraVista Global’sTM privacy practices, emphasizing legal compliance, transparency, and user trust. The policy applies to all data collected through the company’s websites, services, and partner interactions, reflecting the broad scope of CuraVista’s operations.
2. DATA COLLECTED
2.1. Categories of Data
- Personal identification data (name, date of birth, gender, nationality)
- Contact information (address, email, phone number)
- Health and medical data (medical history, treatment preferences, reports)
- Travel information (passport details, visa status, itinerary)
- Payment information (credit card, bank details, billing address)
- Preferences and feedback (service preferences, dietary restrictions, religious requirements)
- Website usage data (IP address, device information, cookies, analytics)
2.2. Sources of Data
- Directly from users (forms, bookings, communications)
- From third parties (hospitals, clinics, hotels, payment processors)
- Automated collection (website cookies, analytics tools)
Explanatory Paragraph:
CuraVista GlobalTM collects a wide range of data to deliver its services effectively. Personal and health data are essential for medical tourism coordination, while travel and payment information enable seamless logistics and transactions. Website usage data supports security, analytics, and user experience optimization. The company ensures that only data necessary for the specified purposes is collected, adhering to the principles of data minimization and purpose limitation under GDPR and DPDPA.
3. PURPOSE OF DATA USE
3.1. Service Delivery
- Booking and coordination of medical, wellness, and religious tourism services - Product order processing, fulfillment, and delivery - Communication with clients regarding bookings, orders, and support 3.2. Logistics and Compliance
- Visa, travel, and accommodation arrangements
- Compliance with legal, regulatory, and insurance requirements
3.3. Marketing and Analytics
- Sending promotional offers, newsletters, and updates (with consent)
- Conducting surveys and collecting feedback to improve services
- Website analytics and performance monitoring
3.4. Security and Fraud Prevention
- Verifying user identity and preventing unauthorized access
- Detecting and mitigating fraud, abuse, or security threats
Explanatory Paragraph
The purposes of data use are clearly defined and communicated to users, as required by GDPR and DPDPA. Service delivery and logistics are the primary drivers, with marketing and analytics activities conducted only with appropriate consent or legitimate interest. Security and compliance are integral to protecting both users and the company from legal and operational risks.
4. LEGAL BASIS FOR PROCESSING
4.1. Consent
- Explicit, informed consent is obtained for the collection and processing of sensitive data (e.g., health information, marketing communications).
4.2. Contractual Necessity
- Processing is necessary for the performance of a contract with the user (e.g., booking, product purchase).
4.3. Legal Obligation
- Processing is required to comply with legal and regulatory obligations (e.g., tax, customs, health regulations).
4.4. Legitimate Interests
- Processing is necessary for CuraVista Global’sTM legitimate interests, provided these do not override user rights and freedoms (e.g., fraud prevention, service improvement).
Explanatory Paragraph
CuraVista Global’sTM data processing activities are grounded in the legal bases recognized by GDPR and DPDPA. Consent is prioritized for sensitive data and marketing, while contractual necessity and legal obligations justify core service operations. Legitimate interests are carefully balanced against user rights, with data protection impact assessments conducted as needed.
5. DATA SHARING WITH THIRD PARTIES
5.1. Categories of Third Parties
- Hospitals, clinics, and healthcare providers (for treatment coordination)
- Hotels, transport, and logistics partners (for travel arrangements)
- Payment processors and financial institutions
- Insurance companies (for claims and coverage)
- Regulatory authorities (for compliance and reporting)
- IT service providers (hosting, analytics, security)
5.2. Data Sharing Agreements
- All third parties are required to adhere to data protection standards equivalent to those of CuraVista GlobalTM.
- Data sharing agreements specify the purpose, scope, and security measures for data transfers.
5.3. Joint Controllers and Processors
- Where CuraVista GlobalTM and a partner jointly determine the purposes and means of processing, joint controller arrangements are established.
- Processors act only on CuraVista Global’sTM instructions and are subject to contractual safeguards.
Explanatory Paragraph
Data sharing is essential for CuraVista Global’sTM cross-border operations. The company ensures that all third-party partners are contractually bound to protect personal data, with clear delineation of roles and responsibilities. Data sharing agreements and due diligence checks are conducted in line with GDPR and DPDPA requirements, minimizing the risk of unauthorized access or misuse.
6. INTERNATIONAL DATA TRANSFERS
6.1. Cross-Border Transfers
- Personal data may be transferred to countries outside the European Economic Area (EEA) or India as necessary for service delivery.
- Transfers are conducted only to jurisdictions with adequate data protection standards or subject to appropriate safeguards (e.g., Standard Contractual Clauses, Data Processing Agreements).
6.2. Safeguards and Compliance
- Transfer Impact Assessments are conducted to evaluate risks and ensure “essentially equivalent” protection.
- Data localization requirements are observed where mandated by law (e.g., for significant data fiduciaries under Indian DPDPA).
6.3. User Rights and Remedies
- Users are informed of cross-border transfers and their rights to object or request additional information.
Explanatory Paragraph
International data transfers are a core feature of CuraVista Global’sTM business model. The company complies with GDPR Chapter V and DPDPA cross-border transfer rules, using recognized mechanisms such as adequacy decisions, Standard Contractual Clauses, and supplementary measures (encryption, access controls) to protect data in transit and at rest. Users are kept informed and empowered to exercise their rights regarding international transfers.
7. DATA RETENTION
7.1. Retention Periods
- Personal data is retained only as long as necessary to fulfill the purposes for which it was collected, or as required by law.
- Medical and health records: retained for a minimum of 10 years after service completion, or as mandated by applicable healthcare regulations.
- Transaction and payment data: retained for the duration required by tax and accounting laws.
- Marketing and analytics data: retained until consent is withdrawn or the data is no longer needed.
7.2. Data Deletion and Anonymization
- Upon expiry of the retention period, data is securely deleted or anonymized.
- Users may request deletion of their data at any time, subject to legal and contractual obligations.
Explanatory Paragraph
Data retention policies are designed to balance operational needs, legal requirements, and user rights. Healthcare data is subject to extended retention periods for regulatory compliance and continuity of care, while marketing and analytics data are minimized to reduce privacy risks. Secure deletion and anonymization processes are implemented to prevent unauthorized access or misuse of obsolete data.
8. USER RIGHTS
8.1. Access
- Users have the right to request access to their personal data held by CuraVista GlobalTM.
8.2. Correction
- Users may request correction of inaccurate or incomplete data.
8.3. Deletion (“Right to be Forgotten”)
- Users may request deletion of their personal data, subject to legal and contractual limitations.
8.4. Objection and Restriction
- Users may object to or request restriction of processing for certain purposes (e.g., marketing).
8.5. Data Portability
- Users may request a copy of their data in a structured, commonly used, and machine-readable format.
8.6. Withdrawal of Consent
- Where processing is based on consent, users may withdraw consent at any time without affecting the lawfulness of prior processing.
8.7. Complaint and Redress
- Users have the right to lodge a complaint with the relevant data protection authority.
Explanatory Paragraph
CuraVista GlobalTM upholds the full spectrum of data subject rights under GDPR and DPDPA, providing clear procedures for users to exercise their rights. Requests are handled promptly and transparently, with appropriate verification to protect user privacy. The company’s commitment to user empowerment fosters trust and accountability.
9. SECURITY MEASURES
9.1. Technical Measures
- Encryption of data at rest and in transit
- Secure servers and firewalls
- Multi-factor authentication and access controls
- Regular security audits and vulnerability assessments
9.2. Organizational Measures
- Staff training on data protection and privacy
- Incident response and breach notification procedures
- Data protection by design and by default in all systems and processes
9.3. Third-Party Security
- Due diligence and contractual safeguards for all third-party processors and partners
Explanatory Paragraph
Robust security measures are essential for protecting sensitive health, financial, and personal data. CuraVista GlobalTM implements industry-standard technical and organizational controls, including encryption, access management, and continuous monitoring. Staff are trained in data protection best practices, and incident response plans are in place to address potential breaches. Third-party partners are vetted and contractually bound to maintain equivalent security standards.
10. COOKIE USAGE AND ANALYTICS
10.1. Cookies and Tracking Technologies
- CuraVista GlobalTM uses cookies and similar technologies to enhance website functionality, analyze usage, and personalize content.
- Users are informed of cookie usage and provided with options to accept, reject, or customize cookie preferences.
10.2. Cookie Consent
- Consent is obtained for non-essential cookies in compliance with GDPR and ePrivacy Directive.
- Users may withdraw or modify consent at any time via the website’s cookie management tool.
10.3. Analytics and Third-Party Tools
- Website analytics are conducted using GDPR-compliant tools, with data anonymization and minimization.
- Third-party analytics providers are contractually bound to protect user data and not use it for unauthorized purposes.
Explanatory Paragraph
Cookie usage is transparently disclosed, and user consent is obtained for all non-essential tracking technologies. CuraVista Global’sTM cookie banner and management tools comply with the latest GDPR requirements, providing granular control and clear information to users. Analytics are conducted responsibly, with a focus on privacy and data minimization.
11. CHILDREN’S DATA
- CuraVista GlobalTM does not knowingly collect or process personal data of children under the age of 16 (or the applicable age of consent in the user’s jurisdiction) without parental consent.
- Parents or guardians may contact CuraVista GlobalTM to request deletion of a child’s data.
Explanatory Paragraph
Special protections are in place for children’s data, reflecting heightened legal and ethical obligations under GDPR, DPDPA, and international standards. Parental consent is required for any processing of minors’ data, and mechanisms are provided for parents to exercise control over their children’s information.
12. CHANGES TO THE PRIVACY POLICY
- CuraVista GlobalTM reserves the right to update this Privacy Policy to reflect changes in legal requirements, business practices, or technology.
- Users will be notified of material changes via the website or email.
- Continued use of services after notice constitutes acceptance of the revised policy.
Explanatory Paragraph
The policy change procedure ensures that users are kept informed of updates and have the opportunity to review and accept new terms. This approach aligns with GDPR’s transparency and accountability principles, fostering ongoing trust and compliance.
13. CONTACT AND DATA PROTECTION OFFICER
- For questions, requests, or complaints regarding this Privacy Policy or data protection practices, please contact:
- Data Protection Officer, CuraVista GlobalTM, [Contact Email], [Registered Address]
Explanatory Paragraph
A designated Data Protection Officer (DPO) serves as the primary point of contact for data protection matters, as required for significant data fiduciaries under DPDPA and for organizations processing sensitive data under GDPR. The DPO ensures that user rights are respected and that CuraVista GlobalTM remains accountable to regulators and clients alike.
14. Conclusion
CuraVista Global’sTM Terms & Conditions and Privacy Policy are designed to provide comprehensive legal protection, regulatory compliance, and consumer transparency across its diverse service offerings. By integrating best practices from medical tourism, e-commerce, and international travel, and by adhering to the highest standards of data protection under GDPR and DPDPA, CuraVista GlobalTM demonstrates its commitment to ethical, secure, and user-centric operations. These documents should be reviewed regularly and updated in line with evolving legal requirements, industry standards, and user expectations, ensuring that CuraVista GlobalTM remains a trusted partner for clients worldwide.
CuraVista GlobalTM is committed to protecting the privacy and personal data of its clients, partners, and website visitors. This Privacy Policy explains how we collect, use, share, and protect your information in compliance with the General Data Protection Regulation (GDPR), India’s Digital Personal Data Protection Act (DPDPA), and other applicable laws.
Explanatory Paragraph
The introduction sets the tone for CuraVista Global’sTM privacy practices, emphasizing legal compliance, transparency, and user trust. The policy applies to all data collected through the company’s websites, services, and partner interactions, reflecting the broad scope of CuraVista’s operations.
2. DATA COLLECTED
2.1. Categories of Data
- Personal identification data (name, date of birth, gender, nationality)
- Contact information (address, email, phone number)
- Health and medical data (medical history, treatment preferences, reports)
- Travel information (passport details, visa status, itinerary)
- Payment information (credit card, bank details, billing address)
- Preferences and feedback (service preferences, dietary restrictions, religious requirements)
- Website usage data (IP address, device information, cookies, analytics)
2.2. Sources of Data
- Directly from users (forms, bookings, communications)
- From third parties (hospitals, clinics, hotels, payment processors)
- Automated collection (website cookies, analytics tools)
Explanatory Paragraph:
CuraVista GlobalTM collects a wide range of data to deliver its services effectively. Personal and health data are essential for medical tourism coordination, while travel and payment information enable seamless logistics and transactions. Website usage data supports security, analytics, and user experience optimization. The company ensures that only data necessary for the specified purposes is collected, adhering to the principles of data minimization and purpose limitation under GDPR and DPDPA.
3. PURPOSE OF DATA USE
3.1. Service Delivery
- Booking and coordination of medical, wellness, and religious tourism services - Product order processing, fulfillment, and delivery - Communication with clients regarding bookings, orders, and support 3.2. Logistics and Compliance
- Visa, travel, and accommodation arrangements
- Compliance with legal, regulatory, and insurance requirements
3.3. Marketing and Analytics
- Sending promotional offers, newsletters, and updates (with consent)
- Conducting surveys and collecting feedback to improve services
- Website analytics and performance monitoring
3.4. Security and Fraud Prevention
- Verifying user identity and preventing unauthorized access
- Detecting and mitigating fraud, abuse, or security threats
Explanatory Paragraph
The purposes of data use are clearly defined and communicated to users, as required by GDPR and DPDPA. Service delivery and logistics are the primary drivers, with marketing and analytics activities conducted only with appropriate consent or legitimate interest. Security and compliance are integral to protecting both users and the company from legal and operational risks.
4. LEGAL BASIS FOR PROCESSING
4.1. Consent
- Explicit, informed consent is obtained for the collection and processing of sensitive data (e.g., health information, marketing communications).
4.2. Contractual Necessity
- Processing is necessary for the performance of a contract with the user (e.g., booking, product purchase).
4.3. Legal Obligation
- Processing is required to comply with legal and regulatory obligations (e.g., tax, customs, health regulations).
4.4. Legitimate Interests
- Processing is necessary for CuraVista Global’sTM legitimate interests, provided these do not override user rights and freedoms (e.g., fraud prevention, service improvement).
Explanatory Paragraph
CuraVista Global’sTM data processing activities are grounded in the legal bases recognized by GDPR and DPDPA. Consent is prioritized for sensitive data and marketing, while contractual necessity and legal obligations justify core service operations. Legitimate interests are carefully balanced against user rights, with data protection impact assessments conducted as needed.
5. DATA SHARING WITH THIRD PARTIES
5.1. Categories of Third Parties
- Hospitals, clinics, and healthcare providers (for treatment coordination)
- Hotels, transport, and logistics partners (for travel arrangements)
- Payment processors and financial institutions
- Insurance companies (for claims and coverage)
- Regulatory authorities (for compliance and reporting)
- IT service providers (hosting, analytics, security)
5.2. Data Sharing Agreements
- All third parties are required to adhere to data protection standards equivalent to those of CuraVista GlobalTM.
- Data sharing agreements specify the purpose, scope, and security measures for data transfers.
5.3. Joint Controllers and Processors
- Where CuraVista GlobalTM and a partner jointly determine the purposes and means of processing, joint controller arrangements are established.
- Processors act only on CuraVista Global’sTM instructions and are subject to contractual safeguards.
Explanatory Paragraph
Data sharing is essential for CuraVista Global’sTM cross-border operations. The company ensures that all third-party partners are contractually bound to protect personal data, with clear delineation of roles and responsibilities. Data sharing agreements and due diligence checks are conducted in line with GDPR and DPDPA requirements, minimizing the risk of unauthorized access or misuse.
6. INTERNATIONAL DATA TRANSFERS
6.1. Cross-Border Transfers
- Personal data may be transferred to countries outside the European Economic Area (EEA) or India as necessary for service delivery.
- Transfers are conducted only to jurisdictions with adequate data protection standards or subject to appropriate safeguards (e.g., Standard Contractual Clauses, Data Processing Agreements).
6.2. Safeguards and Compliance
- Transfer Impact Assessments are conducted to evaluate risks and ensure “essentially equivalent” protection.
- Data localization requirements are observed where mandated by law (e.g., for significant data fiduciaries under Indian DPDPA).
6.3. User Rights and Remedies
- Users are informed of cross-border transfers and their rights to object or request additional information.
Explanatory Paragraph
International data transfers are a core feature of CuraVista Global’sTM business model. The company complies with GDPR Chapter V and DPDPA cross-border transfer rules, using recognized mechanisms such as adequacy decisions, Standard Contractual Clauses, and supplementary measures (encryption, access controls) to protect data in transit and at rest. Users are kept informed and empowered to exercise their rights regarding international transfers.
7. DATA RETENTION
7.1. Retention Periods
- Personal data is retained only as long as necessary to fulfill the purposes for which it was collected, or as required by law.
- Medical and health records: retained for a minimum of 10 years after service completion, or as mandated by applicable healthcare regulations.
- Transaction and payment data: retained for the duration required by tax and accounting laws.
- Marketing and analytics data: retained until consent is withdrawn or the data is no longer needed.
7.2. Data Deletion and Anonymization
- Upon expiry of the retention period, data is securely deleted or anonymized.
- Users may request deletion of their data at any time, subject to legal and contractual obligations.
Explanatory Paragraph
Data retention policies are designed to balance operational needs, legal requirements, and user rights. Healthcare data is subject to extended retention periods for regulatory compliance and continuity of care, while marketing and analytics data are minimized to reduce privacy risks. Secure deletion and anonymization processes are implemented to prevent unauthorized access or misuse of obsolete data.
8. USER RIGHTS
8.1. Access
- Users have the right to request access to their personal data held by CuraVista GlobalTM.
8.2. Correction
- Users may request correction of inaccurate or incomplete data.
8.3. Deletion (“Right to be Forgotten”)
- Users may request deletion of their personal data, subject to legal and contractual limitations.
8.4. Objection and Restriction
- Users may object to or request restriction of processing for certain purposes (e.g., marketing).
8.5. Data Portability
- Users may request a copy of their data in a structured, commonly used, and machine-readable format.
8.6. Withdrawal of Consent
- Where processing is based on consent, users may withdraw consent at any time without affecting the lawfulness of prior processing.
8.7. Complaint and Redress
- Users have the right to lodge a complaint with the relevant data protection authority.
Explanatory Paragraph
CuraVista GlobalTM upholds the full spectrum of data subject rights under GDPR and DPDPA, providing clear procedures for users to exercise their rights. Requests are handled promptly and transparently, with appropriate verification to protect user privacy. The company’s commitment to user empowerment fosters trust and accountability.
9. SECURITY MEASURES
9.1. Technical Measures
- Encryption of data at rest and in transit
- Secure servers and firewalls
- Multi-factor authentication and access controls
- Regular security audits and vulnerability assessments
9.2. Organizational Measures
- Staff training on data protection and privacy
- Incident response and breach notification procedures
- Data protection by design and by default in all systems and processes
9.3. Third-Party Security
- Due diligence and contractual safeguards for all third-party processors and partners
Explanatory Paragraph
Robust security measures are essential for protecting sensitive health, financial, and personal data. CuraVista GlobalTM implements industry-standard technical and organizational controls, including encryption, access management, and continuous monitoring. Staff are trained in data protection best practices, and incident response plans are in place to address potential breaches. Third-party partners are vetted and contractually bound to maintain equivalent security standards.
10. COOKIE USAGE AND ANALYTICS
10.1. Cookies and Tracking Technologies
- CuraVista GlobalTM uses cookies and similar technologies to enhance website functionality, analyze usage, and personalize content.
- Users are informed of cookie usage and provided with options to accept, reject, or customize cookie preferences.
10.2. Cookie Consent
- Consent is obtained for non-essential cookies in compliance with GDPR and ePrivacy Directive.
- Users may withdraw or modify consent at any time via the website’s cookie management tool.
10.3. Analytics and Third-Party Tools
- Website analytics are conducted using GDPR-compliant tools, with data anonymization and minimization.
- Third-party analytics providers are contractually bound to protect user data and not use it for unauthorized purposes.
Explanatory Paragraph
Cookie usage is transparently disclosed, and user consent is obtained for all non-essential tracking technologies. CuraVista Global’sTM cookie banner and management tools comply with the latest GDPR requirements, providing granular control and clear information to users. Analytics are conducted responsibly, with a focus on privacy and data minimization.
11. CHILDREN’S DATA
- CuraVista GlobalTM does not knowingly collect or process personal data of children under the age of 16 (or the applicable age of consent in the user’s jurisdiction) without parental consent.
- Parents or guardians may contact CuraVista GlobalTM to request deletion of a child’s data.
Explanatory Paragraph
Special protections are in place for children’s data, reflecting heightened legal and ethical obligations under GDPR, DPDPA, and international standards. Parental consent is required for any processing of minors’ data, and mechanisms are provided for parents to exercise control over their children’s information.
12. CHANGES TO THE PRIVACY POLICY
- CuraVista GlobalTM reserves the right to update this Privacy Policy to reflect changes in legal requirements, business practices, or technology.
- Users will be notified of material changes via the website or email.
- Continued use of services after notice constitutes acceptance of the revised policy.
Explanatory Paragraph
The policy change procedure ensures that users are kept informed of updates and have the opportunity to review and accept new terms. This approach aligns with GDPR’s transparency and accountability principles, fostering ongoing trust and compliance.
13. CONTACT AND DATA PROTECTION OFFICER
- For questions, requests, or complaints regarding this Privacy Policy or data protection practices, please contact:
- Data Protection Officer, CuraVista GlobalTM, [Contact Email], [Registered Address]
Explanatory Paragraph
A designated Data Protection Officer (DPO) serves as the primary point of contact for data protection matters, as required for significant data fiduciaries under DPDPA and for organizations processing sensitive data under GDPR. The DPO ensures that user rights are respected and that CuraVista GlobalTM remains accountable to regulators and clients alike.
14. Conclusion
CuraVista Global’sTM Terms & Conditions and Privacy Policy are designed to provide comprehensive legal protection, regulatory compliance, and consumer transparency across its diverse service offerings. By integrating best practices from medical tourism, e-commerce, and international travel, and by adhering to the highest standards of data protection under GDPR and DPDPA, CuraVista GlobalTM demonstrates its commitment to ethical, secure, and user-centric operations. These documents should be reviewed regularly and updated in line with evolving legal requirements, industry standards, and user expectations, ensuring that CuraVista GlobalTM remains a trusted partner for clients worldwide.