Privacy Policy

1. Introduction

This privacy notice explains how Curistica Ltd (“we”, “us”, “our”) collects, uses, discloses, and safeguards your personal data when you visit our website, use our online tools, engage with us as a client, or receive marketing communications from us. It also sets out your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and how you can exercise them.

We are committed to being transparent about how we handle your personal information. We do not collect or process special category data.

2. Who We Are

Curistica Ltd (Company number 14679626) is a provider of professional services relating to clinical safety assurance and healthcare technology governance. We are the data controller for the personal information described in this notice, meaning we decide how and why your personal data is processed.

Email: privacy@curistica.com 

Address: Unit A6, Dittons Road, Polegate, England, BN26 6QH, United Kingdom

3. Data Protection Contact

For any questions regarding this privacy notice or our data protection practices, please contact us at privacy@curistica.com.

We will respond to your enquiry within one calendar month.

4. What Personal Data We Collect

We collect different types of personal data depending on how you interact with us. The table below sets out the categories of data we collect for each processing activity.

| Processing Activity | Personal Data Collected | How We Collect It |
|---|---|---|
| Website browsing | IP address, browser type and version, operating system, time zone, pages visited, time spent on pages, referring website | Collected automatically via cookies and Google Analytics when you visit our website |
| Client enquiries and engagement | Name, email address, telephone number, organisation name, job title, correspondence records, records of meetings and decisions | Provided directly by you or your organisation when you contact us or engage our services |
| Active client services | Name, contact details, organisation name, engagement history, records relating to services we deliver on your behalf, payment and invoicing details | Provided directly by you, generated in the course of delivering our services |
| Marketing and newsletters | Name, email address, organisation name, marketing preferences, email engagement data (opens, clicks) | Provided by you when you subscribe or request information; engagement data collected automatically |
| Online tools | Email address, organisation name, information you input into the tool, auto-generated report outputs | Provided directly by you when you use the tool |

5. Why We Use Your Personal Data and Our Lawful Basis

Under the UK GDPR, we must have a lawful basis for each processing activity. The table below sets out our purposes and the specific lawful basis we rely on for each.

| Purpose | What We Do | Lawful Basis |
|---|---|---|
| Delivering our services to clients | Managing client relationships, delivering contracted work, communicating about engagements, processing invoices and payments | Performance of a contract (Article 6(1)(b)) |
| Responding to enquiries | Replying to prospective clients who contact us via our website, email, or other channels | Legitimate interests (Article 6(1)(f)) – to respond to business enquiries and develop client relationships |
| Marketing and newsletters | Sending updates, newsletters, and information about our services to those who have opted in | Consent (Article 6(1)(a)) |
| Website analytics | Understanding how visitors use our website to improve content and user experience | Consent (Article 6(1)(a)) – via cookie consent mechanism |
| Online tools | Processing your inputs to generate automated reports; storing your data and report outputs for your future reference | Legitimate interests (Article 6(1)(f)) – to deliver the tool functionality you have requested and to follow up where appropriate |
| Legal and regulatory compliance | Retaining financial records, responding to legal requests, meeting tax obligations | Legal obligation (Article 6(1)(c)) |

Where we rely on legitimate interests, we have carried out a balancing test to ensure that your rights and freedoms are not overridden. You have the right to object to processing based on legitimate interests at any time (see Section 10).

6. Cookies

Our website uses cookies to help us understand how visitors use the site and to improve your experience. We use Google Analytics, which places cookies on your device to collect information about your browsing behaviour in an anonymised and aggregated form.

We will ask for your consent before placing any non-essential cookies on your device. You can withdraw your consent or manage your cookie preferences at any time through our cookie consent tool on the website. You can also control cookies through your browser settings.

Strictly necessary cookies, which are essential for the website to function, do not require consent.

7. Who We Share Your Information With

We only share your personal information where there is a lawful reason to do so. We do not sell your personal data to any third party.

Data processors

The following third parties process personal data on our behalf under written data processing agreements:

| Processor | What They Do For Us |
|---|---|
| FreeAgent | Accounting, invoicing, and expense management |
| Google (Workspace, Analytics) | Email, office tools, cloud storage, and website analytics |
| Zoho CRM | Client relationship management and project management |
| Notion | Company knowledge base |
| Miro | Collaborative online whiteboard services |

Other recipients

We may also share your personal data with the following where necessary:

  • Professional or legal advisors, for the purpose of obtaining professional advice
  • Insurance providers, in relation to professional indemnity or other business insurance claims
  • Financial or fraud investigation authorities, where required by law
  • Relevant regulatory authorities, where we are legally obliged to do so
  • Emergency services, where there is an immediate risk to safety

8. International Transfers

Some of our data processors (including Google) may transfer personal data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place in accordance with the UK GDPR. If you would like further information about the specific safeguards in place for any particular transfer, please contact us.

9. How Long We Keep Your Information

We retain personal data only for as long as necessary for the purpose it was collected. The table below sets out our standard retention periods.

| Data Category | Retention Period | Reason |
|---|---|---|
| Client engagement records | Duration of contract plus 6 years | Contractual limitation period and HMRC requirements |
| Financial and payment records | 6 years from end of financial year | HMRC tax and accounting requirements |
| Marketing and newsletter data | Until you unsubscribe or withdraw consent | Consent-based; no reason to retain after withdrawal |
| Enquiry correspondence | 2 years from last contact | Reasonable period for follow-up and business development |
| Website analytics data | 26 months | Google Analytics default retention; anonymised after this period |
| Online tool data | 12 months from report generation, unless you request earlier deletion | To allow you to access your report and for service improvement purposes |

When we no longer need your personal data, we will securely delete or anonymise it. If deletion is not immediately possible (for example, because data is held in backup archives), we will securely isolate your data from further processing until deletion can be completed.

We may also use anonymised and aggregated data, from which you cannot be identified, to analyse trends, improve our tools and services, and develop new features. Because this data is no longer personal data, it falls outside the scope of data protection law and may be retained indefinitely.

10. Your Data Protection Rights

Under data protection law, you have a number of rights over your personal data. However, the rights available to you depend on the lawful basis we rely on for each processing activity. The matrix below shows which rights apply to each purpose described in Section 5.

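| Your Right | Delivering services | Responding to enquiries | Marketing | Website analytics | Online tools | Legal compliance |
|---|---|---|---|---|---|---|
| Lawful basis | Contract | Legitimate interests | Consent | Consent | Legitimate interests | Legal obligation |
| Access | | | | | | |
| Rectification | | | | | | |
| Erasure | | | | | | |
| Restrict processing | | | | | | |
| Object | | | | | | |
| Data portability | | | | | | |
| Withdraw consent | | | | | | |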

✓ = This right applies.  ✗ = This right does not apply for this processing activity.

What these rights mean

  • Access: You can request a copy of the personal data we hold about you.
  • Rectification: You can ask us to correct inaccurate data or complete incomplete data.
  • Erasure: You can ask us to delete your personal data where we no longer need it. This does not apply where we are required by law to retain the data.
  • Restrict processing: You can ask us to limit how we use your data, for example while we verify its accuracy.
  • Object: You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds that override your rights.
  • Data portability: You can ask us to provide the data you gave us in a structured, machine-readable format, or to transfer it to another organisation. This applies only where processing is based on consent or contract.
  • Withdraw consent: Where we rely on consent, you can withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.

You do not need to pay a fee to exercise your rights. If you make a request, we have one calendar month to respond.

To exercise any of these rights, please contact us at privacy@curistica.com.

11. Automated Decision-Making

Some of our online tools use automated processing to generate reports based on information you provide. These tools do not make decisions that produce legal effects or similarly significant effects on you. The outputs are informational and advisory in nature.

If you have concerns about how automated processing has been applied to your data, please contact us and we will review the matter.

12. How We Keep Your Information Safe

We have implemented appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Access controls restricting data to authorised personnel only
  • Regular review of security practices and procedures
  • Use of reputable, GDPR-compliant cloud service providers

While we take all reasonable steps to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining robust protections and responding promptly to any incidents.

13. How to Complain

If you have any concerns about how we use your personal data, please contact us at privacy@curistica.com and we will do our best to resolve your concern.

If you remain dissatisfied after raising your concern with us, you have the right to complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

14. Changes to This Privacy Notice

We may update this privacy notice from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the date below. We encourage you to review this notice periodically.

Last updated: 09/02/2026
Next scheduled review: 08/02/2027