qure_logo.svg
icon

Privacy Notice

Your privacy is important to us.

Document

Privacy Notice

Review Date: 1st July 2026 

This Privacy Notice explains how we use the personal information that Qure.ai Technologies Private Limited, its subsidiaries and affiliates collects or generates both in relation to our Website https://qure.ai/ along with any webpages and portals thereof and our mobile application, products and services (“Privacy Notice”) as updated from time to time. 

Qure.ai Technologies Private Limited, company registration CIN U74999MH2016PTC283891 having its registered office at 6th Floor, Wing E, Times Square, Andheri-Kurla Road, Marol, Andheri (East), Mumbai - 400059, Maharashtra along with its subsidiaries and affiliates (hereafter “Qure”, “we”, “us” or “our”) collects, uses or processes your (“you” or “your” or “Customer” or “User) personal data. This Privacy Notice is applicable when you use our Website https://qure.ai/ along with any webpages and portals thereof or the Qure mobile application i.e., QureApp (the “Website” and “Application” respectively) or Qure’s proprietary software including but not limited to qXR, qER, qCT, qScout POqUS, qTrack, AIRA and all its allied renditions, Devices etc. (collectively the “Services”). Our Services also include the https://app.qure.ai/ and portal, which is a platform for free trial of our products. 

All definitions in this Privacy Notice shall be interpreted in accordance with applicable data protection laws which refers to the General Data Protection Regulation (Regulation no. 2016/679), the Directive on Privacy and Electronic Communications (Directive 2002/58/EC), and Digital Personal Data Protection Act, 2023 as well as the national implementations and related national legislation. All capitalized terms used herein and not otherwise defined are defined as set forth in the Universal Terms and Data Processing Agreement.  This Privacy Notice shall be construed in accordance with the applicable data protection laws, including but not limited to the Digital Personal Data Protection Act, 2023 (DPDP Act), Data Protection Act, 2018, General Data Protection Regulation (GDPR), Children’s Online Privacy Protection Act (COPPA), Information Technology Act, 2000 (IT Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the Health Insurance Portability and Accountability Act (HIPAA).

By visiting our Website, or using our application or Services, you acknowledge and accept the data processing described in this Privacy Notice, our Website terms and related documents. We will let you know, by posting on our Website or otherwise, if we make any changes to this Privacy Notice from time to time. Your continued use of the Services after notifying such changes will amount to your acknowledgement and acceptance of the amended Privacy Notice.   

We strive to treat your personal information as safely and securely as reasonably possible. As described below, your personal data may be collected and used by Qure or disclosed to third parties for use on behalf of Qure. This Privacy Notice describes the information we collect about you and what may happen to that information. You must be at least 18 years old to have our permission to use our Services. Our policy is that we do not knowingly collect, use or disclose Personal data about visitors that are under 18 years of age.  

I. About the service

See separate ‘Universal Terms’ (https://qure.ai/legal/) for applicable terms and conditions of the Services that Qure provides. 

II. Personal data?

a. What is personal data? 

 “Personal data” means any information relating to an identified or identifiable natural person, known as ‘Data Subject’/ ‘Data Principal’ (these terms maybe used interchangeably throughout the document), who can be identified directly or indirectly; it may include name, address, gender, email address, phone number, IP address, location data, cookies, call records and similar information. It may also include “special categories of personal data” such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a Data Subject, data concerning health or data concerning a natural person’s sexual orientation.  

b. What Personal data does Qure collect and process? 

Qure receives, processes and stores two distinct sets of personal data.  We will process the following personal data on the Services: 

  1. User profiles
  • First and Last Name 
  • E-mail address at the time of sign up 
  1. Technical usage data
  • such as the URL you are accessing the Services from, your IP address, unique device ID, network and computer performance, browser type, language and identifying information and operating system;  
  • information about your use of the Services, such as what you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), consultation length(s), recurrence of visits and other interaction information, methods used to browse away from the page. 
  • Inquiry and support data: name, email address, and the content of any inquiry or support request submitted to us.  
  • Marketing and business contact data: name, work email address, job title, company name, and marketing preferences, where you have explicitly opted into communications from us. 
  • Patient scan data (Processor role only): de-identified DICOM images and associated embedded metadata uploaded to QureApp by users acting as Data Fiduciaries on behalf of Partner Medical Centers. In this context, Qure acts exclusively as a Data Processor under the applicable Customer Data Processing Agreement. Qure does not independently determine the purpose or means of processing this data.Please note: Where you provide us with personal data relating to a third party (such as patient data), you represent and warrant that you have obtained all necessary consents and authorizations from the relevant Data Principals, in the manner required by applicable law, before providing that data to us. We will rely on the accuracy, completeness, and lawfulness of the data you provide. 

 

For the data listed in clause II (b) (3) above, where you as a User of the Services will act as Data Controller or Data Fiduciary (these terms maybe used interchangeably throughput the document) and Qure as provider of Services, will act as a Data Processor, you hereby acknowledge and agree for Data Processing Agreement which is effective from the date of your first use of Services. The Data Processing Agreement outlines what kind of processing we are instructed to perform on your behalf regarding Personal data pertaining to Data Subjects where you are the Data Controller.  

Information about third parties should only be provided to us if you have demonstrable permission and consent of Data Subjects i.e., your patients, to do so or if the information is available in the public domain. You shall be solely responsible for receiving all informed, written, explicit or implicit consents as required under applicable laws, from the Data Subjects i.e., your patients or similar data owners. Your use of Services is deemed that such consents have been duly received by you and will be available upon request for Qure to audit. We will rely on you to provide information which is accurate, complete and up to date and you agree to ensure this.  

For Individuals accessing QureApp to upload their DICOMs, Qure will act as Data controller as per applicable laws.   

III. (a) Why does Qure process this Personal data?

Qure will process the Personal data sets described above for the following purposes:  

  • To enable you to verify your account, to administer your account, to enable and provide the Services and integration with third party services, and to provide, personalize and improve your experience with the Services, and to otherwise provide the Services according to the Terms of Service;  
  • to send you alerts or messages by email or otherwise, including to provide you with marketing of our and our related parties’ products and services; 
  • to inform you about updates of the Services or the terms and conditions of Services; 
  • to improve and develop the Services or new services and to analyse your use of the Services; 
  • to ensure the technical functioning of the Services and to prevent the use of the Services in breach of the Terms (including the Universal Terms and any other terms in relation to Application or Services); 
  • to enforce the Terms and any additional Terms (including the Universal Terms and any other terms in relation to Application or Services), including to protect our rights, property and safety and the rights, property and safety of third parties if necessary;  
  • to fulfil our obligations as Data Controller and Data Processor; 
  • to respect and fulfil our obligations in regards to the Rights of the Data Subject; 
  • to respond to any queries you raise with us and to provide customer support; and  
  • to fulfil requirements by law (see clause VIII below).  

III. (b) Lawful Basis for Processing of Personal Data

Qure processes Personal Data only where a valid lawful basis exists under applicable data protection laws. Depending on the nature of the Personal Data and the purpose of processing, the lawful basis relied upon by Qure is set out below. 

  1. (i) Processing Necessary for Performance of a Contract

    Qure processes the following categories of Personal Data where such processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract:

    • User profile information, including first and last name and e-mail address collected at the time of registration;
    • Account and access management data required to verify your account, administer user access, enable use of the Services, and provide customer support;
    • Service-related communications, including notifications regarding updates to the Services or changes to applicable terms.

    The provision of such Personal Data is necessary to enter into and maintain the contractual relationship between you and Qure. Without this information, Qure will be unable to provide the Services.

  2. (ii) Processing Based on Legitimate Interests

    Qure processes certain Personal Data on the basis of its legitimate interests, provided that such interests are not overridden by your rights and freedoms. These legitimate interests include ensuring the security, stability, and improvement of the Services.

    Processing conducted on this basis includes:

    • Technical usage data, such as IP addresses, device identifiers, browser type, operating system, language preferences, log files, and interaction data;
    • Analytics and usage data used to monitor performance, diagnose technical issues, prevent fraud, ensure IT security, and improve or develop existing or new Services;
    • Enforcement-related processing, where necessary to detect, prevent, or investigate misuse of the Services or breaches of the applicable Terms.

    Qure has assessed that such processing is proportionate, limited to what is necessary, and subject to appropriate safeguards.

  3. (iii) Processing Based on Consent

    Qure processes Personal Data on the basis of your consent where required by applicable law, including but not limited to:

    • Direct marketing communications, where such communications are not otherwise permitted under applicable law without consent;
    • Any other processing activities for which consent is expressly obtained at the time of collection or through the Services.

    Where processing is based on consent, you may withdraw your consent at any time in accordance with the instructions provided in the relevant communication or within the Services. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

  4. (iv) Processing to Comply with Legal Obligations

    Qure may process Personal Data where such processing is necessary to comply with legal or regulatory obligations, including obligations relating to record keeping, lawful disclosures to public authorities, and responses to valid legal requests.

  5. (v) Processing as Data Processor on Behalf of Users

    Where Personal Data is uploaded or otherwise provided to the QureApp by Users acting in a professional or organisational capacity (including, without limitation, healthcare providers, institutions, or authorised practitioners), such Users shall act as Data Controllers, as they determine the purposes and means of processing Personal Data relating to Data Subjects (for example, patients). In such cases:

    • Qure acts solely as a Data Processor and processes Personal Data only on the documented instructions of the User acting as Data Controller;
    • the lawful basis for processing such Personal Data is determined by the User acting as Data Controller; and
    • Qure’s processing is governed by the applicable Data Processing Agreement, which forms part of the contractual arrangement between Qure and the User.

    The User acting as Data Controller is responsible for ensuring compliance with applicable data protection laws, including providing appropriate notices to Data Subjects and obtaining any required consents or other lawful bases for processing.

IV. Disclosure of personal data

There are circumstances where we may wish to disclose or are compelled to disclose your Personal data to third parties. These scenarios include disclosure to: 

    1. our affiliates and sister companies; 
    2. Cloud infrastructure providers (AWS, Mumbai and Hyderabad): We share account, usage, and processed outputs with our cloud hosting provider to store and operate the Services within India.;  
    3. subject to appropriate legal basis such as consent, our advertising and marketing teams who enable us, for example, to deliver personalized ads to your devices or who may contact you by email, telephone, SMS or by other means;  
    4. Regulatory authorities and law enforcement: Where required by law, court order, or direction of a competent authority, we may disclose personal data. We disclose only the minimum necessary and, where permitted by law, will notify you before doing so. other third parties where you have provided your consent. 
    5. HRMS and recruitment platforms (Zoho): Internal employee and applicant data is shared with our HR platform for HR operations, payroll, and recruitment workflows, under a Data Processing Agreement. 
    6. Background verification agencies: Name, employment history, educational qualifications, and identity documents of candidates who have provided prior consent are shared with BGV agencies for pre-employment screening, under a Data Processing Agreement. 
    7. IT and technical support providers: Minimum account and technical data is shared with support providers as necessary to resolve technical issues, under confidentiality and processing obligations. 
    8. Partner Medical Centres (QureApp): AI-generated diagnostic outputs are returned to the instructing Partner Medical Centre. In this context, the Partner Medical Centre is the Data Fiduciary and Qure is the Data Processor under the Customer Data Processing Agreement. 

All third party The service providers and Data Processors with whom we share personal data are contractually bound not to share Personal data with anyone else. 

We confirm and acknowledge that we do not commercially exploit or distribute Personal data to any third party for commercial purposes. We share and disclose your Personal data to companies with which we have contracts in place. These companies mainly provide data storage, data analytics, advertising, IT support and other services to be able to run and improve our Services.  

When you use our Services, you may be directed to other websites where the Personal data collected is not in our control. The privacy notice of such other websites will govern the Personal data obtained from you on that website. 

V. Cookie Statement

In order to collect the information including Personal data as described in this Privacy Notice, we may use cookies and similar technology on our Website. A cookie is a small piece of information which is sent to your browser and stored on your computer’s hard drive, mobile phone or other device (“Cookies”). Cookies can be first party, i.e. cookies that the website you are visiting places on your device, or third party cookies, i.e. cookies placed on your device through the Website but by third parties, such as, Google.  

We use the Cookies for the sole purpose of making it possible to browse the Website and let you use its functionalities. We use third party Cookies like Google Analytics to collect statistical information in an aggregated form on the number of users accessing the Website and generate statistical data on how the visitor uses the Website. We also use third party advertisements on our Website. Some of these advertisers such as Google through Google AdSense program may collect information including your IP address, your ISP, the browser you used to visit our Website, etc. You can refer to the list of cookies used by us along with the purpose of using them below. 

You can choose to disable or selectively turn off our third party cookies in your browser settings, however, this may affect how you are able to interact with our Website as well as other websites. 

We use cookies of the following categories: .

• Basic Operations – these cookies are essential for proper functioning of our Website and for you to be able to use some important features on our website, such as logging in, navigation on the website and using certain other basic features of the website. In absence of these cookies, certain services may not be available.

• Content Personalization – These cookies collect information about how visitors use our Website, such as which pages are frequently visited and follow user action. The data collected is aggregated and anonymous, allowing us to improve the performance and functionality of our Website.

• Site Optimization – are used to enhance the performance of websites as without them certain functions of the website may not be available as these cookies make using our Website more convenient and makes providing more personalized features possible. For instance, these may remember your name, e-mail or other such details provided by you to ensure that you do not have to re-enter this information next time.

• Ad Personalization – these cookies are used to deliver advertisements that are relevant to you and to your interests. In addition, they are used to limit the number of times you see an advertisement. They are usually placed to the website by advertising networks with the website operator’s permission. These cookies remember that you have visited a website and this information is shared with other organizations such as advertisers. Often targeting or advertising cookies will be linked to site functionality provided by the other organization.

• First party cookies: First-party cookies are the advertising cookies collected by the website a user visits. The primary purpose of such cookies is to track user behaviour and personalize their experiences accordingly.

• Third party cookies: We may allow third-party service providers to place cookies on our Website to enhance its functionality or provide additional services. These cookies are subject to the respective privacy policies of these third-party providers. We do not have control over the information collected by these cookies.

• Some of the cookies used by us are necessary for the functionality of the website to store the consent of the users for dropping advertising and other cookies. We store cookies for varying durations depending on their purpose:

• Session Cookies: These are temporary cookies that remain on your device only for the duration of your browsing session. They are deleted once you close your browser.

• Persistent Cookies: These cookies remain on your device for a specified period or until you manually delete them. They help us remember your preferences for future visits. The specific expiration/retention period for each cookie is detailed in the Cookie Category List below.

VI. Our website

Cookie name  Purpose  Duration  Domain  Category 
_gat  Used by Google Analytics to throttle request rate 2 years qure.ai Statistics
_ga  Registers a unique ID that is used to generate statistical data on how the visitor uses the Website. Session qure.ai Statistics
_gid  Registers a unique ID that is used to generate statistical data on how the visitor uses the Website. Session qure.ai Statistics
csrftoken  Helps prevent Cross-Site Request Forgery (CSRF) attacks. 1 year app.qure.ai portal Necessary
collect  Used to send data to Google Analytics about the visitor’s device and behavior. Tracks the visitor across devices and marketing channels. Session google-analytics.com Statistics
_gat  Used by Google Analytics to throttle request rate 2 years qure.ai Statistics
_ga  Registers a unique ID that is used to generate statistical data on how the visitor uses the Website. Session qure.ai Statistics
_gid  Registers a unique ID that is used to generate statistical data on how the visitor uses the Website. Session qure.ai Statistics
Cookie name  Purpose  Duration  Domain  Category 
AUTH_SESSION_ID  Required for login Session  accounts.qure.ai  Necessary 
AUTH_SESSION_ID_LEGACY  Required for login Session  accounts.qure.ai  Necessary 
KEYCLOAK_IDENTITY  Required for login Session  accounts.qure.ai  Necessary 
KEYCLOAK_IDENTITY_LEGACY  Required for login Session  accounts.qure.ai  Necessary 
KEYCLOAK_SESSION  Required for login 10 Days or Session  accounts.qure.ai  Necessary 
KEYCLOAK_SESSION_LEGACY  Required for login 10 Days or Session  accounts.qure.ai  Necessary 
csrftoken  Helps prevent Cross-Site Request Forgery (CSRF) attacks. 1 year  platformapi.qure.ai  Necessary 
sessionid  Required for login 1 year  platformapi.qure.ai  Necessary 
_ga_JPCJ0V0E2R  Registers a unique ID that is used to generate statistical data on how the visitor uses the Website. 1 year  Qure.ai  Statistics 
mp_290aa5bd816866afa3a61ec8c43bd26d_mixpanel  Registers a unique ID that is used to generate statistical data on how the visitor uses the Website. 1 year  Qure.ai  Statistics 

VII. Your consent

The consent notice required under applicable law is presented to you before any personal data is collected. This Policy sets out the broader terms governing our data processing practices and your rights.

you consent to the processing for the purposes contained in clause II(b) above which includes processing of your name, gender, contact details and preferences as set out in this Privacy Notice By accepting Qure’s Terms, we process your Personal data to be able to fulfil our agreement with you for the purposes listed above in clause III. Qure will process Personal data if it has a legal obligation to do so to fulfil requirements by law as pointed out in clause VIII below’.

Before we place any cookie that identifies you personally, we require you to review the cookies deployed on our Website, and provide your consent, in accordance with the Digital Personal Data Protection Act, 2023. You may give or withdraw consent for specific cookie categories through our Cookie Preference Centre at any time. Withdrawal of consent will be effective within 7 days and will result in those cookies being disabled. Please note that certain cookies are essential for the operation of our Website, and if these cookies also collect Personal Data and you decline consent, we will be unable to provide you with access to the site. Do note, you may choose to change your preferences in relation to the use of cookies and similar technologies, at any point, through the Cookie Preference Centre.

VIII. Data Subject Rights and How to Exercise Them

Data Subjects may have certain rights in relation to their Personal Data under applicable data protection laws. Qure is committed to enabling Data Subjects to exercise these rights in a transparent, consistent, and timely manner.

a. How to Submit a Data Subject Request
Data Subjects may exercise their rights by submitting a written request to Qure by contacting the Data Protection Officer (DPO) at DPO@qure.ai.
No specific format is required for submitting a request; however, requests should clearly indicate the right being exercised and provide sufficient detail to enable Qure to process the request.
Where required under applicable law, Qure may request reasonable proof of identity to verify the request before processing it.

b. Acknowledgement and Verification
Upon receipt of a complete request:
• Qure will acknowledge the request; and
• verify the identity of the requester or their authorised representative, where applicable.
The statutory response timeline shall commence only once the request has been verified and all required information has been provided.

c. Request Handling Timelines
Where Qure acts as a Data Controller, requests will be addressed without undue delay and, in any event:
• within one (1) month of receipt of a complete and verified request; or
• within such other timelines as prescribed under applicable data protection laws.
This period may be extended where permitted by law in cases of complex or multiple requests. Where an extension applies, the Data Subject will be informed of the delay and the reasons for it within the original response period.

d. Scope and Limitations
The exercise of Data Subject rights may be subject to:
• applicable legal exemptions or limitations;
• the rights and freedoms of other individuals; and
• Qure’s legal and regulatory obligations, including record retention requirements.
Where Qure is acting as a Data Processor, the responsibility of addressing and processing data subject requests lies solely with the relevant Data Controller.

e. Escalation and Grievance Redressal
Where a Data Subject is not satisfied with the response provided by Qure, they may lodge a complaint with the relevant supervisory or regulatory authority, in accordance with applicable law.
Indian Data Principals may also exercise their right to grievance redressal under applicable Indian data protection laws, including escalation to the Data Protection Board of India where required.

f. Additional Information
Further details on Qure’s internal procedures for handling Data Subject Access Requests, including internal review steps, roles, and oversight mechanisms, are governed by Qure’s internal DSAR Policy and Procedure.

g. Data Subject Rights

The following rights are applicable on each Data Subject/Data Principal depending on thei local laws-. 

    1. Right to make a subject access request (SAR): Data Subjects may request in writing copies of their personal data. However, compliance with such requests is subject to certain limitations and exemptions and the rights of other individuals. Each request should make clear that a SAR is being made. You may also be required to submit a proof of your identity and any payment permitted by law, where applicable. 
    2. Right to rectification: Data Subjects may request that we rectify any inaccurate or incomplete personal data. 
    3. Right to withdraw consent: Data Subjects/Data Principals may at any time withdraw their consent to the processing of their personal data carried out by us on the basis of their previous consent. Such withdrawal will not affect the lawfulness of processing based on such previous consent. You may do so by: (a) writing to dpo@qure.ai; (b) using the unsubscribe link in any marketing communication; or (c) updating your preferences through your account settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. We will action your withdrawal within 30 days of receiving your request. 
    4. Right to object to processing including automated processing and profiling: We do not make automated decisions about Data Subjects. However, we may rely on information provided by third parties such as credit reference agencies which may score Data Subjects on the basis of automated decisions. Profiling may be carried out for business administration purposes, such as monitoring trends in User visits of our Website. We will comply with valid objection requests unless we have a compelling overriding legitimate ground for the continuation of our processing or we have another lawful reason to refuse such request. We will comply with each valid opt-out request in relation to marketing communications. 
    5. Right to erasure: Data Subjects may request that we erase their personal data. We will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping the personal data, such as, our business record retention obligations that we have to comply with. 
    6. Restriction: Data Subjects may request that we restrict our processing of their personal data in various circumstances. We will comply, unless there is a lawful reason for not doing so, such as a legal obligation to continue processing your personal data in a certain way. 
    7. Right to data portability: In certain circumstances, Data Subjects may request the controller to provide a copy of their personal data in a structured, commonly used and machine-readable format and have it transferred to another provider of the same or similar services. We do not consider that this right applies to our Services. However, to the extent it does, we will comply with such transfer request. Please note that a transfer to another provider does not imply erasure of the Data Subject’s personal data which may still be retained for legitimate and lawful purposes. 
    8. Right to lodge a complaint with the supervisory authority: We suggest that Data Subjects contact us about any questions or complaints in relation to how we process their personal data. However, each Data Subject has the right to contact the relevant supervisory authority directly. 

Additional Data Subject Rights under CCPA/CPRA only

  • • Right to Opt-Out of Sale or Sharing of Personal Information: Data Subjects have the right to direct us not to sell or share their personal information with third parties for cross-contextual behavioural advertising purposes.
  • • Right to Limit Use and Disclosure of Sensitive Personal Information: California residents may request that we limit the use and disclosure of Sensitive Personal Information to only what is necessary for delivering requested services.
  • • Right to Non-Discrimination: Data Subjects have the right not to receive discriminatory treatment for exercising any of their privacy rights under the CCPA/CPRA.
  • • Right to Know: Data Subjects have the right to know what personal information is collected, used, shared, or sold by a business, including specific categories and purposes.
  • Additional Data Subject Rights applicable to Vietnam Data Subjects only

  • • Right to Self-Defence: The personal data subject has the right to protect their personal data by themselves or through a representative in accordance with the provisions of this Decree and relevant laws
  • • Right to Claim Damages: Data Subjects may claim compensation from data controllers/processors in cases of unauthorized processing or data breaches that cause harm.
  • Additional Rights applicable to Indian Data Principles only

  • • Right to Nominate: Data Principals may nominate another individual to exercise their data rights in the event of their death or incapacity. To register a nomination, write to dpo@qure.ai with the subject line "Section 14 Nomination" and include full name and the nominee’s full name and contact details. We will acknowledge receipt and maintain a secure register of nominations. Right to Grievance Redressal: Every Data Principal has the right to register a grievance with the Data Fiduciary and, if not resolved within the stipulated period, escalate it to the Data Protection Board of India
  • IX. Responding to Legal Requests

    We may access, preserve and share your Personal data in response to a legal request (like a search warrant, court order or a subpoena or the like), or when necessary to detect, prevent and address fraud and other illegal activity, to protect ourselves, you and other users, including as part of investigations described in Article 23(1) in the GDPR.  

    X. Retention of Personal Data

    Retention periods are determined based on the type of Personal Data, the purpose of processing, and applicable legal or regulatory requirements, in accordance with Qure’s internal data retention and deletion policies.  

    In particular:  

    Account and user profile data is retained for as long as the user has an active profile on the Services. users who have not used our Services will have all personal data deleted after 1 year of inactivity on the Services. 

    If you agree to be added to our mailing list, we will keep your personal information for that purpose unless and until you tell us that you want to unsubscribe or be removed from the list. If you advise that you do not want to be added to our mailing list or you ask to be removed, we will delete your Personal data (aside from keeping a record that you have asked us not to send you marketing information). 

    XI. Personal data of children under the age of 18

    You must be at least 18 years of age to use our Website and webpages. . Qure does not knowingly collect or solicit information from anyone under the age of 18 or allow anyone under the age of 18 to sign up for the Service. In the event that you learn that Qure has gathered personal information from anyone under the age of 18 without verifiable consent of a parent or guardian, we will delete that information as soon as possible upon intimation of such information by contacting dpo@qure.ai. Where Qure processes personal data of a child under 18 or a person with a disability, we will obtain verifiable consent from the parent or lawful guardian before processing commences. 

    You are required under the Children’s Online Privacy Protection Act (“COPPA”) as well as the GDPR and other Personal Data Protection laws (as those may apply) to obtain verifiable parental consent (or from the child’s legal representative) in order to collect, use or disclose Personal Data pertaining to that child. 

    XII. International Data Transfer

    Your personal data may be shared with Qure entities globally. Such cross-border/third-country data transfers are governed by the provisions of the Inter-Group Data Transfer Agreement (IGDTA), ensuring that appropriate safeguards are in place to protect user data.

    XIII. Security Practices

    The importance of security for Personal data is of great concern to us. At Qure, we have gone to great lengths to manage the security and integrity of the Services and to ensure that we use best–in-class services when providing secure transmission of information from your device. Personal Data collected via the Services is stored in secure environments that are not available or accessible to the public; only those duly authorised people, officers, employees or agents of Qure who need access to your information in order to do their jobs are allowed access. . We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or loss. Our measures include:   

    • Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256) 

    • Role-based access controls limiting access to authorized personnel on a strict need-to-know basis, with time-limited access grants and formal approval workflows 

    • Multi-factor authentication for all system access 

    • Continuous logging and monitoring of access to systems holding personal data, with quarterly access privilege reviews 

    • Regular vulnerability assessments, penetration testing, and security audits with prompt remediation of identified vulnerabilities 

    • ISO/IEC 27001:2022 certification for our Mumbai operations 

    • SOC 2 Type I attestation; SOC 2 Type II certification in progress 

    Anyone who violates our privacy or security policies is subject to disciplinary action, including possible termination of their contract with Qure and civil and/or criminal prosecution. Qure uses the latest technologies to ensure utmost security, including utilising several layers of firewall security and encryption of Personal data to ensure the highest level of security. As a result, while we strive to protect your Personal data, you acknowledge that: 

    (a) there are security and privacy limitations of the Internet which are beyond our control; 

    (b) the security, integrity and privacy of any and all information and data exchanged between you and us through this Website cannot be guaranteed; and 

    (c) any such information and data may be viewed or tampered with in transit by a third party. 

    XIV. Management of Consent

    As a matter of policy, we apply the following standards to all consent-based processing:   

    • Consent is obtained before personal data is collected.  

    • Consent is obtained through a clear affirmative action, such as an unchecked checkbox that you must actively tick, or a written confirmation.  

    • Each processing purpose requiring consent is presented and consented to separately. Consent to marketing communications is not bundled with consent to service terms or any inquiry submission.  

    • You may withdraw consent for any processing activity at any time with the same ease as it was given, by mailing to dpo@qure.ai.  

    • We maintain timestamped records of all consents obtained, the specific purpose consented to, and any withdrawals received, in a form that can be produced to the Data Protection Board of India upon request. 

    XIV. Grievance Officer

    To exercise your rights, or if you have any questions or complaints regarding our processing of your personal data, you may contact Data Protection Officer (DPO), Mr.Vivek Anand at dpo@qure.ai. In your letter/email please state your full name, your username (if you are a user) and which institution you are linked to. Note that you should sign the request to receive information about the processing of your personal data yourself. Any grievances or request received by the DPO will be resolved within 30 days of receipt of such request or grievance 

    XVI. Escalation to the Data Protection Board of India

    If the Data Principal is not satisfied with our response to their grievance, or if they do not receive a substantive response within the prescribed period, they have the right to file a complaint with the Data Protection Board of India through the digital portal established by the Central Government for this purpose. 

    You are required to raise and exhaust Qure’s internal grievance mechanism before approaching the DPB, except where Qure has failed to establish or maintain a functioning mechanism. Qure will cooperate fully with any DPB inquiry and comply with all DPB orders within the timelines stipulated. 

    Qure will not take any adverse action against a Data Principal for exercising their rights under the DPDPA or for filing a complaint with the Data Protection Board of India. 

    XVII. Personal data breach notification

    In the event of a personal data breach affecting your personal data, Qure will notify the Data Protection Board of India and each affected Data Principal as soon as possible after becoming aware of the breach. The notification will describe the nature of the breach, the categories and approximate volume of personal data affected, the likely consequences, and the steps being taken to address the breach. Qure’s Personal Data Breach Management Policy sets out our internal procedures in full. [JSA Note: Insert Hyperlink] Qure will take all reasonable steps to protect personal data transmitted to us. 

    XVIII. Notice of Changes to the Privacy Notice 

    We may update this Policy from time to time to reflect changes in our data processing activities, applicable law, or our products and Services. If we make changes to this Privacy Notice, we will notify you by posting a copy of the updated policy on our Services prior to any change becoming effective. We will post a copy of the updated policy on our Services prior to any change becoming effective. If your consent is required due to the changes, we will provide you additional prominent notice as appropriate under the circumstances and ask for your consent in accordance with applicable law. The effective date at the top of this Policy reflects when it was last updated. 

    XIX. Policy Governance and Review

    This Policy shall be reviewed by the DPO at least once every year and updated to reflect any changes in applicable law, or Qure’s data processing activities. This Policy and the DPO’s contact details shall be prominently published on Qure’s website and within all applicable privacy and consent notices, in a clear and accessible manner. Material changes to this Policy shall be communicated to all relevant Data Principals with appropriate notice before taking effect.  

    This Policy must be read alongside the Consent Notice, Universal Terms, Customer Data Processing Agreement, Vendor Data Processing Agreement, Master Data Retention Schedule, Grievance Redressal Policy, and Personal Data Breach Management Policy.