Updated: 2026-04-20
Privacy Policy
Effective Date: March 29, 2026
Bits & Bond GmbH (“we,” “us,” or “our”) operates the Curea mobile application (the “App”). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our App. Please read this policy carefully. By using Curea, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address through our authentication provider (Supabase Auth). This is used to identify your account, sync your preferences across devices, and communicate important service updates.
1.2 Search and Usage Data
We collect your search history within the App, including procedure searches, hospital lookups, and saved comparisons. This data is used to provide personalized features such as recent searches and saved items.
1.3 Location Data
With your permission, we may collect your approximate location via GPS or network-based geolocation to show nearby hospitals and distance-based search results. You may also manually enter a ZIP code instead. Location data is used solely to provide location-relevant results and is not sold to third parties. You can revoke location permissions at any time through your device settings.
1.4 Subscription and Payment Data
If you subscribe to Curea Pro, payment processing is handled by Apple (App Store) or Google (Google Play) depending on your device. We do not store your credit card number or payment details. We receive only your subscription status and entitlement information via RevenueCat to manage your account.
1.5 Device and Technical Data
We may collect basic device information such as device type, operating system version, and app version for the purpose of providing technical support and improving the App experience.
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain the App and its features
- Process and manage your subscription
- Show nearby hospitals and distance-based results
- Save your search history and preferences
- Send service-related communications (e.g., subscription confirmations)
- Improve the App and develop new features
- Detect and prevent fraud or abuse
3. How We Store and Protect Your Data
Your data is stored securely using Supabase, which provides encrypted data storage and transmission (TLS/SSL). Authentication tokens and sensitive data are encrypted both in transit and at rest. We implement industry-standard security measures including row-level security policies on our database to ensure users can only access their own data.
4. Third-Party Services
We use the following third-party services that may receive or process your data:
- Supabase — Authentication, database storage, and backend infrastructure. Subject to the Supabase Privacy Policy.
- Apple / Google — Payment processing for Pro subscriptions via App Store and Google Play in-app purchases.
- RevenueCat — Subscription management and entitlement tracking. Subject to the RevenueCat Privacy Policy.
- Expo (EAS) — App build and update distribution services. Subject to the Expo Privacy Policy.
We do not sell your personal information to any third party.
4A. Legal Basis for Processing (GDPR Art. 6)
We process your personal data on the following legal bases:
| Processing | Legal basis |
|---|---|
| Account creation & authentication | Contract (Art. 6(1)(b)) — necessary to provide the service you requested |
| Location-based results | Consent (Art. 6(1)(a)) — granted via device permission dialog |
| Subscription management | Contract (Art. 6(1)(b)) |
| Security, fraud prevention | Legitimate interests (Art. 6(1)(f)) — protecting the service and users |
| Service communications | Contract (Art. 6(1)(b)) |
| Product improvement analytics | Legitimate interests (Art. 6(1)(f)) — balancing test documented internally |
4B. International Data Transfers
Your data is hosted in the EU where possible. Some third-party sub-processors may transfer data outside the EU/EEA. Specifically:
- Supabase — data hosted in AWS Frankfurt (eu-central-1) by default
- Apple / Google — may process payment and app distribution data in the US
- RevenueCat — US-based service, operates under EU Standard Contractual Clauses (SCCs)
- Expo (EAS) — US-based service, operates under SCCs
Where transfers occur outside the EU/EEA, we rely on EU Standard Contractual Clauses approved by the European Commission.
5. Local Storage
The App uses AsyncStorage (a local on-device storage mechanism similar to cookies in web browsers) to store your preferences, settings, and cached data locally on your device. This data remains on your device and is not transmitted to our servers unless you are signed in and choose to sync your data. You can clear this local data at any time through the App settings.
6. Analytics and Tracking
We may collect anonymized, aggregated usage analytics to understand how the App is used and to improve our service. We do not use third-party advertising trackers. We do not build advertising profiles based on your activity, and we do not share individual usage data with advertisers.
7. Your Rights
You have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of any inaccurate personal data.
- Deletion — Request deletion of your account and associated data. You can initiate this through the App settings or by contacting us.
- Data Portability — Request an export of your data in a commonly used, machine-readable format.
- Opt-Out — Opt out of non-essential communications at any time.
To exercise any of these rights, please contact us at support@bitsandbond.com. We will respond to your request within 30 days.
7A. Right to Lodge a Complaint (GDPR Art. 77)
If you believe our processing of your personal data infringes data protection law, you have the right to lodge a complaint with the supervisory authority of your EU member state of residence. The German supervisory authority responsible for Bits & Bond GmbH is:
Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Hintere Bleiche 34, 55116 Mainz, Germany
poststelle@datenschutz.rlp.de
https://www.datenschutz.rlp.de
8. Children’s Privacy
Curea is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe your child has provided us with personal information, please contact us at support@bitsandbond.com.
9. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the App’s services. If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the App and updating the “Effective Date” above. Your continued use of the App after any changes constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.
11. Data Protection Officer
We have not appointed a formal Data Protection Officer (DPO), as we are not required to do so under GDPR Art. 37. For all data protection inquiries, please contact support@bitsandbond.com.
12. Cookies on this Website
This website (curea.app) does not use cookies, analytics trackers, or any third-party scripts that store data on your device. Fonts are self-hosted. No cookie consent banner is required because no non-essential cookies are set.
13. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
Bits & Bond GmbH
Löwengasse 12
67346 Speyer
Germany
Email: support@bitsandbond.com