Privacy Notice

Review Date: 04th May 2026

This Privacy Notice explains how we use the personal information that Qure.ai Technologies Private Limited, its subsidiaries and affiliates collects or generates both in relation to our Website https://qure.ai/ along with any webpages and portals thereof and our mobile application, products and services (“Privacy Notice”) as updated from time to time.

Qure.ai Technologies Private Limited, company registration CIN U74999MH2016PTC283891 having its registered office at 6th Floor, Wing E, Times Square, Andheri-Kurla Road, Marol, Andheri (East), Mumbai - 400059, Maharashtra along with its subsidiaries and affiliates (hereafter “Qure”, “we”, “us” or “our”) collects, uses or processes your (“you” or “your” or “Customer” or “User”) personal data. This Privacy Notice is applicable when you use our Website https://qure.ai/ along with any webpages and portals thereof or the Qure mobile application i.e., QureApp (the “Website” and “Application” respectively) or Qure’s proprietary software including but not limited to qXR, qER, qCT, qScout POqUS, qTrack, AIRA and all its allied renditions, Devices etc. (collectively the “Services”). Our Services also include the https://app.qure.ai/ and portal, which is a platform for free trial of our products.

All definitions in this Privacy Notice shall be interpreted in accordance with applicable data protection laws which refers to the General Data Protection Regulation (Regulation no. 2016/679) and the Directive on Privacy and Electronic Communications (Directive 2002/58/EC), as well as the national implementations and related national legislation. All capitalized terms used herein and not otherwise defined are defined as set forth in the Universal Terms and Data Processing Agreement.

This Privacy Notice shall be construed in accordance with the applicable data protection laws, including but not limited to the Digital Personal Data Protection Act, 2023 (DPDP Act), Data Protection Act, 2018, General Data Protection Regulation (GDPR), Children’s Online Privacy Protection Act (COPPA), Information Technology Act, 2000 (IT Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the Health Insurance Portability and Accountability Act (HIPAA).

By visiting our Website, or using our Application or Services, you acknowledge and accept the data processing described in this Privacy Notice, our Website terms and related documents. We will let you know, by posting on our Website or otherwise, if we make any changes to this Privacy Notice from time to time. Your continued use of the Services after notifying such changes will amount to your acknowledgement and acceptance of the amended Privacy Notice.

We strive to treat your personal information as safely and securely as reasonably possible. As described below, your personal data may be collected and used by Qure or disclosed to third parties for use on behalf of Qure. This Privacy Notice describes the information we collect about you and what may happen to that information. You must be at least 18 years old to have our permission to use our Services. Our policy is that we do not knowingly collect, use or disclose Personal data about visitors that are under 18 years of age.

I. About the service

See separate ‘Universal Terms’ (https://qure.ai/legal/) for applicable terms and conditions of the Services that Qure provides.

II. Personal data?

a. What is personal data?

“Personal data” means any information relating to an identified or identifiable natural person, known as ‘Data Subject’, who can be identified directly or indirectly; it may include name, address, gender, email address, phone number, IP address, location data, cookies, call records and similar information. It may also include “special categories of personal data” such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a Data Subject, data concerning health or data concerning a natural person’s sexual orientation.

b. What Personal data does Qure collect and process?

Qure receives, processes and stores two distinct sets of personal data.  We will process the following personal data on the Services:

User profiles

First and Last Name
E-mail address at the time of sign up

Technical usage data

such as the URL you are accessing the Services from, your IP address, unique device ID, network and computer performance, browser type, language and identifying information and operating system; 
information about your use of the Services, such as what you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), consultation length(s), recurrence of visits and other interaction information, methods used to browse away from the page.

A third set of personal data is processed using the QureApp, which you as a User will upload the data on the platform and Qure will act as Data Processor on behalf as of you as Data Controller for this data:

Anonymised patient case information pseudonymized DICOM images including embedded metadata;
content that you post, upload and/or contribute to the Services;

For the data listed in clause II (b) (3) above, where you as a User of the Services will act as Data Controller and Qure as provider of Services, will act as a Data Processor, you hereby acknowledge and agree for Data Processing Agreement which is effective from the date of your first use of Services. The Data Processing Agreement outlines what kind of processing we are instructed to perform on your behalf regarding Personal data pertaining to Data Subjects where you are the Data Controller.

Information about third parties should only be provided to us if you have demonstrable permission and consent of Data Subjects i.e., your patients, to do so or if the information is available in the public domain. You shall be solely responsible for receiving all informed, written, explicit or implicit consents as required under applicable laws, from the Data Subjects i.e., your patients or similar data owners. Your use of Services is deemed that such consents have been duly received by you and will be available upon request for Qure to audit. We will rely on you to provide information which is accurate, complete and up to date and you agree to ensure this.

For Individuals accessing QureApp to upload their DICOMs, Qure will act as Data controller as per applicable laws.

III. (a) Why does Qure process this Personal data?

Qure will process the Personal data sets described above for the following purposes: 

To enable you to verify your account, to administer your account, to enable and provide the Services and integration with third party services, and to provide, personalize and improve your experience with the Services, and to otherwise provide the Services according to the Terms of Service;

to send you alerts or messages by email or otherwise, including to provide you with marketing of our and our related parties’ products and services;
to inform you about updates of the Services or the terms and conditions of Services;
to improve and develop the Services or new services and to analyse your use of the Services;
to ensure the technical functioning of the Services and to prevent the use of the Services in breach of the Terms (including the Universal Terms and any other terms in relation to Application or Services);
to enforce the Terms and any additional Terms (including the Universal Terms and any other terms in relation to Application or Services), including to protect our rights, property and safety and the rights, property and safety of third parties if necessary;

to fulfil our obligations as Data Controller and Data Processor;
to respect and fulfil our obligations in regards to the Rights of the Data Subject;
to respond to any queries you raise with us and to provide customer support; and 
to fulfil requirements by law (see clause VIII below).

III. (b) Lawful Basis for Processing of Personal Data

Qure processes Personal Data only where a valid lawful basis exists under applicable data protection laws. Depending on the nature of the Personal Data and the purpose of processing, the lawful basis relied upon by Qure is set out below.

(i) Processing Necessary for Performance of a Contract
Qure processes the following categories of Personal Data where such processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract:
- User profile information, including first and last name and e-mail address collected at the time of registration;
- Account and access management data required to verify your account, administer user access, enable use of the Services, and provide customer support;
- Service-related communications, including notifications regarding updates to the Services or changes to applicable terms.
The provision of such Personal Data is necessary to enter into and maintain the contractual relationship between you and Qure. Without this information, Qure will be unable to provide the Services.
(ii) Processing Based on Legitimate Interests
Qure processes certain Personal Data on the basis of its legitimate interests, provided that such interests are not overridden by your rights and freedoms. These legitimate interests include ensuring the security, stability, and improvement of the Services.

Processing conducted on this basis includes:
- Technical usage data, such as IP addresses, device identifiers, browser type, operating system, language preferences, log files, and interaction data;
- Analytics and usage data used to monitor performance, diagnose technical issues, prevent fraud, ensure IT security, and improve or develop existing or new Services;
- Enforcement-related processing, where necessary to detect, prevent, or investigate misuse of the Services or breaches of the applicable Terms.
Qure has assessed that such processing is proportionate, limited to what is necessary, and subject to appropriate safeguards.
(iii) Processing Based on Consent
Qure processes Personal Data on the basis of your consent where required by applicable law, including but not limited to:
- Direct marketing communications, where such communications are not otherwise permitted under applicable law without consent;
- Any other processing activities for which consent is expressly obtained at the time of collection or through the Services.
Where processing is based on consent, you may withdraw your consent at any time in accordance with the instructions provided in the relevant communication or within the Services. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.
(iv) Processing to Comply with Legal Obligations
Qure may process Personal Data where such processing is necessary to comply with legal or regulatory obligations, including obligations relating to record keeping, lawful disclosures to public authorities, and responses to valid legal requests.
(v) Processing as Data Processor on Behalf of Users
Where Personal Data is uploaded or otherwise provided to the QureApp by Users acting in a professional or organisational capacity (including, without limitation, healthcare providers, institutions, or authorised practitioners), such Users shall act as Data Controllers, as they determine the purposes and means of processing Personal Data relating to Data Subjects (for example, patients). In such cases:
- Qure acts solely as a Data Processor and processes Personal Data only on the documented instructions of the User acting as Data Controller;
- the lawful basis for processing such Personal Data is determined by the User acting as Data Controller; and
- Qure’s processing is governed by the applicable Data Processing Agreement, which forms part of the contractual arrangement between Qure and the User.
The User acting as Data Controller is responsible for ensuring compliance with applicable data protection laws, including providing appropriate notices to Data Subjects and obtaining any required consents or other lawful bases for processing.

IV. Disclosure of personal data

There are circumstances where we may wish to disclose or are compelled to disclose your Personal data to third parties. These scenarios include disclosure to:

1. our affiliates and sister companies;
2. our service providers who capture and store data collected through the forms that are filled by visitors to our Website;
3. subject to appropriate legal basis such as consent, our advertising and marketing teams who enable us, for example, to deliver personalized ads to your devices or who may contact you by email, telephone, SMS or by other means;
4. public authorities where we are required by law to do so; and
5. other third parties where you have provided your consent.

The service providers are contractually bound not to share Personal data collected from visitors on our Website with anyone else.

We confirm and acknowledge that we do not commercially exploit or distribute Personal data to any third party for commercial purposes. We share and disclose your Personal data to companies with which we have contracts in place. These companies mainly provide data storage, data analytics, advertising, IT support and other services to be able to run and improve our Services.

When you use our Services, you may be directed to other websites where the Personal data collected is not in our control. The privacy notice of such other websites will govern the Personal data obtained from you on that website.

V. Cookie Statement

In order to collect the information including Personal data as described in this Privacy Notice, we may use cookies and similar technology on our Website. A cookie is a small piece of information which is sent to your browser and stored on your computer’s hard drive, mobile phone or other device (“Cookies”). Cookies can be first party, i.e. cookies that the website you are visiting places on your device, or third party cookies, i.e. cookies placed on your device through the Website but by third parties, such as, Google.

We use the Cookies for the sole purpose of making it possible to browse the Website and let you use its functionalities. We use third party Cookies like Google Analytics to collect statistical information in an aggregated form on the number of users accessing the Website and generate statistical data on how the visitor uses the Website. We also use third party advertisements on our Website. Some of these advertisers such as Google through Google AdSense program may collect information including your IP address, your ISP, the browser you used to visit our Website, etc. You can refer to the list of cookies used by us along with the purpose of using them below.

You can choose to disable or selectively turn off our third party cookies in your browser settings, however, this may affect how you are able to interact with our Website as well as other websites.

VI. Our website

Cookie name	Purpose	Duration	Domain	Category
_gat	Used by Google Analytics to throttle request rate	2 years	qure.ai	Statistics
_ga	Registers a unique ID that is used to generate statistical data on how the visitor uses the Website.	Session	qure.ai	Statistics
_gid	Registers a unique ID that is used to generate statistical data on how the visitor uses the Website.	Session	qure.ai	Statistics
csrftoken	Helps prevent Cross-Site Request Forgery (CSRF) attacks.	1 year	app.qure.ai portal	Necessary
collect	Used to send data to Google Analytics about the visitor’s device and behavior. Tracks the visitor across devices and marketing channels.	Session	google- analytics.com	Statistics
_gat	Used by Google Analytics to throttle request rate	2 years	qure.ai	Statistics
_ga	Registers a unique ID that is used to generate statistical data on how the visitor uses the Website.	Session	qure.ai	Statistics
_gid	Registers a unique ID that is used to generate statistical data on how the visitor uses the Website.	Session	qure.ai	Statistics

Cookie name	Purpose	Duration	Domain	Category
AUTH_SESSION_ID	Requrired for login	Session	accounts.qure.ai	Necessary
AUTH_SESSION_ID_LEGACY	Requrired for login	Session	accounts.qure.ai	Necessary
KEYCLOAK_IDENTITY	Requrired for login	Session	accounts.qure.ai	Necessary
KEYCLOAK_IDENTITY_LEGACY	Requrired for login	Session	accounts.qure.ai	Necessary
KEYCLOAK_SESSION	Requrired for login	10 Days or Session	accounts.qure.ai	Necessary
KEYCLOAK_SESSION_LEGACY	Requrired for login	10 Days or Session	accounts.qure.ai	Necessary
csrftoken	Helps prevent Cross-Site Request Forgery (CSRF) attacks.	1 year	platformapi.qure.ai	Necessary
sessionid	Requrired for login	1 year	platformapi.qure.ai	Necessary
_ga_JPCJ0V0E2R	Registers a unique ID that is used to generate statistical data on how the visitor uses the Website.	1 year	Qure.ai	Statistics
mp_290aa5bd816866afa3a61ec8c43bd26d_mixpanel	Registers a unique ID that is used to generate statistical data on how the visitor uses the Website.	1 year	Qure.ai	Statistics

VII. Your consent

By contacting us, subscribing to our newsletter, you consent to the processing for the purposes contained in clause II(b) above which includes processing of your name, gender, contact details and preferences as set out in this Privacy Notice By accepting Qure’s Terms, we process your Personal data to be able to fulfil our agreement with you for the purposes listed above in clause III. Qure will process Personal data if it has a legal obligation to do so to fulfil requirements by law as pointed out in clause VIII below’.

VIII. Data Subject Rights and How to Exercise Them

Data Subjects may have certain rights in relation to their Personal Data under applicable data protection laws. Qure is committed to enabling Data Subjects to exercise these rights in a transparent, consistent, and timely manner.

a. How to Submit a Data Subject Request
Data Subjects may exercise their rights by submitting a written request to Qure by contacting the Data Protection Officer (DPO) at DPO@qure.ai.
No specific format is required for submitting a request; however, requests should clearly indicate the right being exercised and provide sufficient detail to enable Qure to process the request.
Where required under applicable law, Qure may request reasonable proof of identity to verify the request before processing it.

b. Acknowledgement and Verification
Upon receipt of a complete request:
• Qure will acknowledge the request; and
• verify the identity of the requester or their authorised representative, where applicable.
The statutory response timeline shall commence only once the request has been verified and all required information has been provided.

c. Request Handling Timelines
Where Qure acts as a Data Controller, requests will be addressed without undue delay and, in any event:
• within one (1) month of receipt of a complete and verified request; or
• within such other timelines as prescribed under applicable data protection laws.
This period may be extended where permitted by law in cases of complex or multiple requests. Where an extension applies, the Data Subject will be informed of the delay and the reasons for it within the original response period.

d. Scope and Limitations
The exercise of Data Subject rights may be subject to:
• applicable legal exemptions or limitations;
• the rights and freedoms of other individuals; and
• Qure’s legal and regulatory obligations, including record retention requirements.
Where Qure is acting as a Data Processor, the responsibility of addressing and processing data subject requests lies solely with the relevant Data Controller.

e. Escalation and Grievance Redressal
Where a Data Subject is not satisfied with the response provided by Qure, they may lodge a complaint with the relevant supervisory or regulatory authority, in accordance with applicable law.
Indian Data Principals may also exercise their right to grievance redressal under applicable Indian data protection laws, including escalation to the Data Protection Board of India where required.

f. Additional Information
Further details on Qure’s internal procedures for handling Data Subject Access Requests, including internal review steps, roles, and oversight mechanisms, are governed by Qure’s internal DSAR Policy and Procedure.

g. Data Subject Rights

Data Subjects may have numerous rights in relation to their personal data.

1. Right to make a subject access request (SAR): Data Subjects may request in writing copies of their personal data. However, compliance with such requests is subject to certain limitations and exemptions and the rights of other individuals. Each request should make clear that a SAR is being made. You may also be required to submit a proof of your identity and any payment permitted by law, where applicable.
2. Right to rectification: Data Subjects may request that we rectify any inaccurate or incomplete personal data.
3. Right to withdraw consent: Data Subjects may at any time withdraw their consent to the processing of their personal data carried out by us on the basis of their previous consent. Such withdrawal will not affect the lawfulness of processing based on such previous consent.
4. Right to object to processing including automated processing and profiling: We do not make automated decisions about Data Subjects. However, we may rely on information provided by third parties such as credit reference agencies which may score Data Subjects on the basis of automated decisions. Profiling may be carried out for business administration purposes, such as monitoring trends in User visits of our Website. We will comply with valid objection requests unless we have a compelling overriding legitimate ground for the continuation of our processing or we have another lawful reason to refuse such request. We will comply with each valid opt-out request in relation to marketing communications.
5. Right to erasure: Data Subjects may request that we erase their personal data. We will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping the personal data, such as, our business record retention obligations that we have to comply with.
6. Restriction: Data Subjects may request that we restrict our processing of their personal data in various circumstances. We will comply, unless there is a lawful reason for not doing so, such as a legal obligation to continue processing your personal data in a certain way.
7. Right to data portability: In certain circumstances, Data Subjects may request the controller to provide a copy of their personal data in a structured, commonly used and machine-readable format and have it transferred to another provider of the same or similar services. We do not consider that this right applies to our Services. However, to the extent it does, we will comply with such transfer request. Please note that a transfer to another provider does not imply erasure of the Data Subject’s personal data which may still be retained for legitimate and lawful purposes.
8. Right to lodge a complaint with the supervisory authority: We suggest that Data Subjects contact us about any questions or complaints in relation to how we process their personal data. However, each Data Subject has the right to contact the relevant supervisory authority directly.

Additional Data Subject Rights under CCPA/CPRA

Right to Opt-Out of Sale or Sharing of Personal Information: Data Subjects have the right to direct us not to sell or share their personal information with third parties for cross-contextual behavioural advertising purposes.

Right to Limit Use and Disclosure of Sensitive Personal Information: California residents may request that we limit the use and disclosure of Sensitive Personal Information to only what is necessary for delivering requested services.

Right to Non-Discrimination: Data Subjects have the right not to receive discriminatory treatment for exercising any of their privacy rights under the CCPA/CPRA.

Right to Know: Data Subjects have the right to know what personal information is collected, used, shared, or sold by a business, including specific categories and purposes.

Additional Data Subject Rights applicable to Vietnam Data Subjects

Right to Self-Defence: The personal data subject has the right to protect their personal data by themselves or through a representative in accordance with the provisions of this Decree and relevant laws

Right to Claim Damages: Data Subjects may claim compensation from data controllers/processors in cases of unauthorized processing or data breaches that cause harm.

Additional Rights applicable to Indian Data Principles

Right to Nominate: Data Principals may nominate another individual to exercise their rights in the event of death or incapacity.

Right to Grievance Redressal: Every Data Principal has the right to register a grievance with the Data Fiduciary and, if not resolved within the stipulated period, escalate it to the Data Protection Board of India

IX. Responding to Legal Requests

We may access, preserve and share your Personal data in response to a legal request (like a search warrant, court order or a subpoena or the like), or when necessary to detect, prevent and address fraud and other illegal activity, to protect ourselves, you and other users, including as part of investigations described in Article 23(1) in the GDPR. 

X. Retention of Personal Data

Retention periods are determined based on the type of Personal Data, the purpose of processing, and applicable legal or regulatory requirements, in accordance with Qure’s internal data retention and deletion policies.

In particular:

Account and user profile data is retained for as long as the user has an active profile on the Services. users who have not used our Services will have all personal data deleted after 1 year of inactivity on the Services.

If you agree to be added to our mailing list, we will keep your personal information for that purpose unless and until you tell us that you want to unsubscribe or be removed from the list. If you advise that you do not want to be added to our mailing list or you ask to be removed, we will delete your Personal data (aside from keeping a record that you have asked us not to send you marketing information).

XI. Personal data of children under the age of 18

The QureApp and the Services provided under it are not directed at, marketed to, nor intended for, children under 18 years of age. The Website does not knowingly collect or solicit information from anyone under the age of 18 or allow anyone under the age of 18 to sign up for the Service. In the event that you learn that you have gathered personal information from anyone under the age of 18 without the consent of a parent or guardian, you will delete that information as soon as possible.

You are required under the Children’s Online Privacy Protection Act (“COPPA”) as well as the GDPR and other Personal Data Protection laws (as those may apply) to obtain verifiable parental consent (or from the child’s legal representative) in order to collect, use or disclose Personal Data pertaining to that child.

If you are a parent or guardian of a person under the age of 18 and you become aware of that the child has provided personal data to us without your consent, please contact dpo@qure.ai to exercise your access, rectification, erasure, limiting of processing and objection rights.

XII. International Data Transfer

Your personal data may be shared with Qure entities globally. Such cross-border/third-country data transfers are governed by the provisions of the Inter-Group Data Transfer Agreement (IGDTA), ensuring that appropriate safeguards are in place to protect user data.

XIII. Security Practices

The importance of security for Personal data is of great concern to us. At Qure, we have gone to great lengths to manage the security and integrity of the Services and to ensure that we use best–in-class services when providing secure transmission of information from your device. Personal Data collected via the Services is stored in secure environments that are not available or accessible to the public; only those duly authorised people, officers, employees or agents of Qure who need access to your information in order to do their jobs are allowed access.

Anyone who violates our privacy or security policies is subject to disciplinary action, including possible termination of their contract with Qure and civil and/or criminal prosecution. Qure uses the latest technologies to ensure utmost security, including utilising several layers of firewall security and encryption of Personal data to ensure the highest level of security. As a result, while we strive to protect your Personal data, you acknowledge that:

(a) there are security and privacy limitations of the Internet which are beyond our control;

(b) the security, integrity and privacy of any and all information and data exchanged between you and us through this Website cannot be guaranteed; and

(c) any such information and data may be viewed or tampered with in transit by a third party.

XIV. Grievance Officer

To exercise your rights, or if you have any questions or complaints regarding our processing of your personal data, you may contact Data Protection Officer (DPO), Mr.Vivek Anand at dpo@qure.ai. In your letter/email please state your full name, your username (if you are a user) and which institution you are linked to. Note that you should sign the request to receive information about the processing of your personal data yourself.

XV. Notice of Changes to the Privacy Notice 

If we make changes to this Privacy Notice, we will notify you by posting a copy of the updated policy on our Services prior to any change becoming effective. We will post a copy of the updated policy on our Services prior to any change becoming effective. If your consent is required due to the changes, we will provide you additional prominent notice as appropriate under the circumstances and ask for your consent in accordance with applicable law.