
Curology State Privacy Notice Addenda

Last Updated: April 24, 2024

These State Privacy Notice Addenda for California, Colorado, Connecticut, and Virginia (the “State Privacy Notice Addenda”) supplement the information contained in Curology’s Privacy Notice and describe our collection and use of Personal Information (as defined below for the applicable state). The State Privacy Notice Addenda apply to all visitors of our Website and users of our Services who reside in the states listed below (“Consumers” or “you”). All capitalized terms not otherwise defined in these State Privacy Notice Addenda have the same meaning as set forth in the Curology Privacy Notice, available here: https://curology.com/privacy/.

Changes to the State Privacy Notice Addenda

Curology reserves the right to amend the State Privacy Notice Addenda at our sole discretion and at any time. When we make changes to any of the State Privacy Notice Addenda, we will post the updated addendum on the Website and update the addendum’s last updated date. YOUR CONTINUED USE OF OUR WEBSITE AND SERVICES FOLLOWING THE POSTING OF CHANGES TO OUR STATE PRIVACY NOTICE ADDENDA CONSTITUTES YOUR ACCEPTANCE OF SUCH CHANGES.

Contact Information

If you have any questions or comments about the State Privacy Notice Addenda, the ways in which Curology collects, uses, or discloses your Personal Information, or you wish to exercise your rights described in the State Privacy Notice Addenda, please do not hesitate to contact us at:

Email: privacy@curology.com or hello@curology.com 

CALIFORNIA PRIVACY ADDENDUM

1. Introduction

This Privacy Addendum for California Residents (the “California Privacy Addendum”) supplements the information in our Privacy Notice for residents of California. We adopt this notice to comply with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, the “CPRA”) and any terms defined in the CPRA have the same meaning when used in this notice. 

2. Scope of this California Privacy Addendum

This California Privacy Addendum applies to information that we collect on our Website and when you use our Services that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your device (“Personal Information”). However, publicly available information that we collect from government records and deidentified or aggregated information (when deidentified or aggregated as described in the CPRA) are not considered Personal Information and this California Privacy Addendum does not apply to such information. 

This California Privacy Addendum does not apply to employment-related Personal Information collected from our California-based employees, job applicants, contractors, or similar individuals (“Personnel”). Please contact your People and Culture representative if you are part of our California Personnel and would like additional information about how we process your Personal Information. This California Privacy Addendum also does not apply if you are a service provider or have a business-to-business relationship with us.

This California Privacy Addendum does not apply to certain Personal Information that is excluded from the scope of the CPRA, like: (a) health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and (b) Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

3. Information We Collect About You and How We Collect It

Curology collects, and over the prior twelve (12) months has collected, the following categories of Personal Information about Consumers: 

| Personal Information Category | Applicable Pieces of Personal Information Collected |
| --- | --- |
| A. Identifiers. | A real name; alias; postal address; unique personal identifier; online identifier; Internet Protocol (IP) address; email address; driver’s license number; and other similar identifiers. |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name; physical characteristics or description; address; telephone number; driver’s license or state identification card number; and medical information. Some Personal Information included in this category may overlap with other categories. |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older); race; color; ancestry; medical condition; physical or mental disability; sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions). |
| D. Commercial information. | Records of products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. |
| E. Internet or other similar network activity. | Browsing history; search history; information on a Consumer’s interaction with a website, application, or advertisement. |
| F. Geolocation data | Non-precise geolocation data. |
| G. Inferences drawn from other Personal Information. | Profile reflecting a person’s preferences; characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
| H. Sensitive Personal Information (“Sensitive Personal Information”) | Government identifiers (driver’s license; state identification card; or passport number). Racial or ethnic origin. Health; sex life; or sexual orientation information. |

Curology will not collect additional categories of Personal Information without providing you notice. As further described in To Whom Do We Sell or Share Your Personal Information, we may “sell” any categories of Personal Information for monetary or other valuable consideration and we may “share” any categories of Personal Information for cross-context behavioral advertising.

4. Sources of Personal Information

We collect your Personal Information: directly from you, automatically from your use of our Website, and from third parties. We may also create Personal Information about you as you use our Website. 

5. Purposes for Our Collection of Your Personal Information

We only use your Personal Information for the purposes described in this California Privacy Addendum.

We may use, “sell” for monetary or other valuable consideration, “share” for the purposes of cross-context behavioral advertising, or disclose the Personal Information we collect and, over the prior twelve (12) months, have used, “sold” for monetary or other valuable consideration, shared for the purpose of cross-context behavioral advertising, or disclosed the Personal Information we have collected, for the purposes described in our Privacy Notice as well as the following additional purposes:

  • Short-term, transient use, provided that the Personal Information is not disclosed to another third-party and is not used to build a profile about you or otherwise alter your experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

  • Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.

Curology will not use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

6. Third Parties to Whom We Disclose Your Personal Information for Business Purposes

Curology may disclose your Personal Information to third parties for one or more business purposes. When we disclose Personal Information to non-affiliated third-parties for a business purpose, we enter a contract that describes the purpose, requires the recipient to both keep that Personal Information confidential and not use it for any purpose except for the specific business purposes for which the Personal Information was disclosed, and requires the recipient to otherwise comply with the requirements of the CPRA.

In the preceding twelve (12) months, Curology has disclosed the following categories of Personal Information for one or more of the business purposes described below to the following categories of third parties: 

| Personal Information Category | Categories of Third-Party Recipients |
| --- | --- |
| A. Identifiers. | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| C. Commercial information. | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| D. Internet or other similar network activity. | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| E. Geolocation Data | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| F. Inferences drawn from other Personal Information. | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |

We disclose your Personal Information to the categories of third parties listed above for the following business purposes:

  • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

  • Helping to ensure security and integrity of our Services and IT infrastructure to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes.

  • Debugging to identify and repair errors that impair existing intended functionality.

  • Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of your current interaction with us. Our agreements with third parties generally prohibit your Personal Information from disclosure to another third-party and from using your Personal Information to build a profile about you or otherwise alter your experience outside your current interaction with us.

  • Performing services on behalf of us, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of us.

  • Providing advertising and marketing services, except for cross-context behavioral advertising, to Consumers.

  • Undertaking internal research for technological development and demonstration.

In addition to the above, we may disclose any or all categories of Personal Information to any third-party (including government entities and/or law enforcement entities) as necessary to:

  • comply with federal, state, or local laws, or to comply with a court order or subpoena to provide information;

  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;

  • cooperate with law enforcement agencies concerning conduct or activities that we (or one of our service providers) believe may violate federal, state, or local law;

  • comply with certain government agency requests for emergency access to your Personal Information if you are at risk or danger of death or serious physical injury; or

  • exercise or defend legal claims.

7. To Whom Do We Sell or Share Your Personal Information

We do not disclose your Personal Information to third parties for monetary consideration. However, our use of advertising and analytics cookies may be considered a disclosure of Personal Information for other valuable consideration.

We may also disclose your Personal Information to certain categories of third parties for the purpose of cross-context behavioral advertising.

“Sale” of Your Personal Information for Monetary or Other Valuable Consideration

As noted in our Privacy Notice, we do not sell Personal Information as the term “sell” is commonly understood to require an exchange for money. However, the use of advertising and analytics cookies on our Website is considered a “sale” of Personal Information as the term “sale” is broadly defined in the CPRA to include both monetary and other valuable consideration. Using this broad definition, our “sale” is limited to our use of third-party advertising and analytics cookies and their use in providing behavioral advertising and their use in understanding how people use and interact with our Website(s). Our “sales” of your Personal Information in this manner are subject to your right to opt-out of those sales (see Your Choices Regarding our “Sale” or “Sharing” of your Personal Information).

“Sharing” of Your Personal Information for Cross-Context Behavioral Advertising

Curology may “share” your Personal Information for the purpose of cross-context behavioral advertising, subject to your right to opt-out of that sharing (see Your Choices Regarding our “Sale” or “Sharing” of your Personal Information). Our “sharing” for the purpose of cross-context behavioral advertising would be limited to our use of third-party advertising cookies and their use in providing you cross-context behavioral advertising (i.e., advertising on other websites or in other mediums). When the recipients of your Personal Information disclosed for the purpose of cross-context behavioral advertising are also permitted to use your Personal Information to provide advertising to others, we also consider this disclosure as a “sale” for monetary or other valuable consideration under the CPRA.

In the preceding twelve (12) months, Curology has “sold” for monetary or other valuable consideration, or “shared” for the purpose of cross-context behavioral advertising, the following categories of Personal Information to the following categories of third parties: 

| Personal Information Category | Sold or Shared | Categories of Third Parties To Whom Your Personal Information is Sold or Shared |
| --- | --- | --- |
| A. Identifiers. | Sold and Shared | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | Sold and Shared | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| D. Commercial information. | Sold and Shared | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| F. Internet or other similar network activity. | Sold and Shared | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| G. Geolocation Data | Sold and Shared | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| H. Inferences drawn from other Personal Information. | Sold and Shared | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |

Reselling Personal Information

The CPRA prohibits a third-party from reselling Personal Information unless you have received explicit notice and an opportunity to opt-out of further sales. We may “sell” your Personal Information to the following third-parties and others for monetary or other valuable consideration who may resell that information. To opt-out of these sales, please visit that third-party’s opt-out notice at the link provided below. 

  • Google Analytics. We use Google Analytics. Google Analytics is a web analytics service offered by Google LLC (“Google”) that tracks and reports Site traffic. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: policies.google.com/privacy. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics, available at: tools.google.com/dlpage/gaoptout.

  • Rakuten Advertising. Rakuten Advertising ("Rakuten") may collect personal information when you access our Website from rakuten.com, a Rakuten ad, or one of Rakuten's affiliate partners ("Rakuten Transactions"), including IP addresses, digital identifiers, information about your web browsing and app usage and how you interact with Rakuten's properties and ads for a variety of purposes, such as personalization of offers or advertisements, analytics about how you engage with websites or ads, and other commercial purposes related to your Rakuten Transactions. For more information about the collection, use, and sale of your personal data and your rights, please use the below links. 

https://rakutenadvertising.com/legal-notices/services-privacy-policy/ 

https://rakutenadvertising.com/legal-notices/subject-requests/ 

  • Other Third-Party Cookies. You can disable cookies from third parties by using your browser settings or, if available, directly opting-out of cookie collection with the third-party cookie service provider via their website. The online advertising industry also provides websites from which you may opt-out of receiving targeted ads from our data partners and our other advertising partners that participate in self-regulatory programs. You can access these, and also learn more about targeted advertising and consumer choice and privacy, at the following websites: Network Advertising Initiative, Ad Choices, Facebook, Google Ads.

8. Consumer Data Requests

The CPRA provides California residents with specific rights regarding their Personal Information. This section describes your CPRA rights and explains how to exercise those rights. You may exercise these rights yourself or through your Authorized Agent. For more information on how you or your Authorized Agent can exercise your rights, please see Exercising Your CPRA Privacy Rights.

  • Right to Know. You have the right to request that Curology disclose certain information to you about our collection and use of your Personal Information over the past 12 months (a “Right to Know” Consumer Request). This includes: (a) the categories of Personal Information we have collected about you; (b) the categories of sources from which that Personal Information came; (c) our purposes for collecting this Personal Information; (d) the categories of third parties with whom we have shared your Personal Information; and (e) if we have “sold” or “shared” or disclosed your Personal Information, a list of categories of third parties to whom we “sold” or “shared” your Personal Information, and a separate list of the categories of third parties to whom we disclosed your Personal Information. You must specifically describe if you are making a Right to Know request or a Data Portability Request (discussed next). If you would like to make both a Right to Know Consumer Request and a Data Portability Consumer Request you must make both requests clear in your request. If it is not reasonably clear from your request, we will only process your request as a Right to Know request. You may make a Right to Know or a Data Portability Consumer Request a total of two (2) times within a 12-month period at no charge.

  • Access to Specific Pieces of Information (Data Portability). You also have the right to request that Curology provide you with a copy of the specific pieces of Personal Information that we have collected about you, including any Personal Information that we have created or otherwise received from a third-party about you (a “Data Portability” Consumer Request). If you make a Data Portability Consumer Request electronically, we will provide you with a copy of your Personal Information in a portable and, to the extent technically feasible, readily reusable format that allows you to transmit the Personal Information to another third-party. You must specifically describe if you are making a Right to Know request or a Data Portability request. If you would like to make both a Right to Know Consumer Request and a Data Portability Consumer Request you must make both requests clear in your request. If it is not reasonably clear from your request, we will only process your request as a Right to Know request. In response to a Data Portability Consumer Request, we will not disclose your driver’s license number or other government-issued identification number, or your account password. We will also not provide this information if the disclosure would create a substantial, articulable, and unreasonable risk to your Personal Information, your account with Curology, or the security of our systems or networks. We will not disclose any Personal Information that may be subject to another exception under the CPRA. If we are unable to disclose certain pieces of your Personal Information, we will describe generally the types of personal information that we were unable to disclose and provide you a description of the reason we are unable to disclose it. You may make a Right to Know or a Data Portability Consumer Request a total of two (2) times within a 12-month period at no charge.

  • Correction. You have the right to request that we correct any incorrect Personal Information about you to ensure that it is complete, accurate, and as current as possible. You may review and correct some Personal Information about yourself by logging into the Website and visiting your “Account Details” page. You may also request that we correct the Personal Information we have about you as described below under Exercising Your CPRA Privacy Rights. In some cases, we may require you to provide reasonable documentation to show that the Personal Information we have about you is incorrect and what the correct Personal Information may be. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect or if the Personal Information is subject to another exception under the CPRA.

  • Deletion. You have the right to request that Curology delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your Consumer Request (see Exercising Your CPRA Privacy Rights), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies pursuant to the CPRA. Some exceptions to your right to delete include, but are not limited to, if we are required to retain your Personal Information to complete the transaction or provide you the goods and services for which we collected the Personal Information or otherwise perform under our contract with you, to detect security incidents or protect against other malicious activities, and to comply with legal obligations, including those related to medical record retention. We may also retain your Personal Information for other internal and lawful uses that are compatible with the context in which we collected it. 

  • Non-Discrimination. We will not discriminate against you for exercising any of your CPRA rights. Unless permitted by the CPRA, we will not do any of the following as a result of you exercising your CPRA rights: (a) deny you goods or services; (b) charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; (c) provide you a different level or quality of goods or services; or (d) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services. We may, however, offer you certain financial incentives as described below.

Exercising Your CPRA Privacy Rights

To exercise the rights described above, please submit a request (a “Consumer Request”) to us by either: 

If you or your Authorized Agent submit a Consumer Request to delete your information online, we will use a two-step process in order to confirm that you want your Personal Information deleted. This process may include verifying your request through your email address on record or sending you a text message and requesting that you text us a confirmation. By making a Consumer Request, you consent to us contacting you in one or more of these ways. 

If you fail to make your Consumer Request in accordance with the ways described above, we may either treat your request as if it had been submitted with our methods described above or provide you with information on how to submit the request or remedy any deficiencies with your request. 

Only you, or your Authorized Agent that you authorize to act on your behalf, may make a Consumer Request related to your Personal Information. To designate an Authorized Agent, see Authorized Agents below. 

All Consumer Requests must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an Authorized Agent of such a person. This may include:

    • (1) Filling out the interactive webform; or

    • (2) Verifying one or more of the following:

      • Full first & last name;

      • Date of birth; 

      • Shipping address on file.

      • Phone number

      • Last 4 Digits of Credit Card

      • PayPal email account

      • Guardian info   

      • Name of provider

      • Last transaction charge

      • Any other appropriate individualized data point

  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm which Personal Information relates to you or the individual for whom you are making the request as their Authorized Agent. 

Making a Consumer Request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account.

We will only use Personal Information provided in a Consumer Request to verify the requestor’s identity or authority to make the request. 

For instructions on exercising sale opt-out rights, see Your Choices Regarding our “Sale” or “Sharing” of Your Personal Information.

Authorized Agents

You may authorize your agent to exercise your rights under the CPRA on your behalf by registering your agent with the California Secretary of State or by providing them with power of attorney to exercise your rights in accordance with applicable laws (an “Authorized Agent”). We may request that your Authorized Agent submit proof of identity and that they have been authorized to exercise your rights on your behalf. We may deny a request from your Authorized Agent to exercise your rights on your behalf if they fail to submit adequate proof of identity or adequate proof that they have the authority to exercise your rights. 

9. Your Choices Regarding our “Sale” or “Sharing” of Your Personal Information

If you are 16 years old or older, you have the right to opt-out of our sale and/or sharing of your Personal Information. If you are under 16 years old, you or your legal guardian may opt-in to our sale or sharing of your Personal Information.

“Sale” of Your Personal Information

If you are 16 years of age or older, you have the right to direct us to not sell your Personal Information for monetary or other valuable consideration at any time (the “right to opt-out”). Consumers who opt-in to Personal Information sales may opt-out of future sales at any time. We do not provide services to Consumers under the age of 13.

“Sharing” of Your Personal Information

If you are 16 years of age or older, you have the right to direct us to not share your Personal Information for the purposes of cross-context behavioral advertising, which is showing advertising on other websites or other media based on your browsing history with our Website (the “right to opt-out”). We do not share the Personal Information of Consumers we actually know are less than 16 years of age for this purpose, unless we receive affirmative authorization from either the Consumer who is between 13 and 16 years of age, or their parent or guardian. Consumers who opt-in to our sharing of Personal Information for these purposes may opt-out of future such sharing at any time. 

How You May Opt-Out of Our Sale or Sharing of Your Personal Information

You do not need to create an account with us to exercise your opt-out rights. You may be required to provide us with additional contact information so that we may verify your request to opt-in to the sale of your Personal Information. We will only use Personal Information provided in an opt-out request to review and comply with the request.

To opt out of our Sale or Sharing of your Personal Information, you (or your authorized representative) can contact us at hello@curology.com or privacy@curology.com or you can use the following link:

Do not Sell or Share My Personal Information

You (or your authorized representative) may also exercise the right to opt-out of the “sale” of your Personal Information for monetary or other valuable consideration and of “sharing” your Personal Information for the purposes of cross-context behavioral advertising by adjusting your cookie preferences via our Cookie Banner through the “Manage Cookies” link at the bottom of the Website, or by setting your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. However, if you do not consent to our use of cookies or select this setting you may be unable to access certain parts of our Website or other websites. You can find more information about cookies at http://www.allaboutcookies.org.

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Information sales. However, you (or your Authorized Agent) may change your mind and opt back into the sale of Personal Information at any time by using the “Manage Cookies” link at the bottom of the Website.

Browser Privacy Control Signals

You may also exercise your right to opt-out of the “sale” of your Personal Information for monetary or other valuable consideration and “sharing” your Personal Information for the purposes of cross-context behavioral advertising by setting the privacy control signal on your browser, if your browser supports it. We currently recognize and support the following privacy signals sent by browsers:

  • Global privacy control (for more information on how to configure your browser to send this signal, please see https://globalprivacycontrol.org/).

  • Location Information. You may be able to adjust the settings of your device so that information about your physical location is not sent to us or third parties by (a) disabling location services within the device settings; or (b) denying certain websites or mobile applications permission to access location information by changing the relevant preferences and permissions in your mobile device or browser settings. Please note that your location may be derived from your WiFi, Bluetooth, and other device settings. See your device settings for more information. We will not share data obtained through our Transactional or Marketing text message programs, including your phone number or location information, with third parties for their marketing purposes.

When we receive one of these privacy control signals, we will opt you out of any further “sale” or “sharing” of your Personal Information when you interact with our Website through that browser and on that device. In the event you have affirmatively opted-in to our “sale” and “sharing” of your Personal Information as described above and we receive a privacy control signal from your browser, we will request further instructions from you before you are opted out of any further “sale” or “sharing.” In the event you participate in a financial incentive program as described below that requires the “sale” or “sharing” of your Personal Information and we receive a privacy control signal, we will request that you confirm that you no longer wish to participate in the financial incentive program or that you wish us to ignore the privacy control signal. 

When we receive a privacy control signal, we may also process it in a frictionless manner, which prohibits us from: (a) charging you a fee or requiring any valuable consideration; or (b) changing your experience with our products and services. We will also display a banner to indicate your choice to opt-out of the “sale” or “sharing” of your personal information. You may configure the privacy control signal to operate in a frictionless manner by consulting the documentation for your browser or plug-in that provides the privacy control signal.

10. Your Choices Regarding our Use and Disclosure of Your Sensitive Personal Information

As further described below, we do not use or disclose your Sensitive Personal Information for any purpose other than the following:

  • to perform the services or provide the goods reasonably expected by an average Consumer who requests such goods or services;

  • to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted Personal Information, provided that our use of your Personal Information is reasonably necessary and proportionate for such purposes;

  • to resist malicious, deceptive, fraudulent, or illegal actions directed at Curology and to prosecute those responsible for those actions, provided that our use of your Personal Information is reasonably necessary and proportionate for this purpose;

  • to ensure the safety of natural persons, provided that our use of your Personal Information is reasonably necessary and proportionate for this purpose;

  • for short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of your current interaction with us, provided that the Personal Information is not disclosed to another third-party and is not used to build a profile about you or otherwise alter your experience outside the current interaction with us; 

  • to perform services on behalf of us, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of us; and

  • to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us. 

11. Financial Incentives

We may offer you certain financial incentives permitted by the CPRA that can result in different prices, rates, or quality levels. Any CPRA-permitted financial incentive we offer will reasonably relate to your Personal Information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time. We currently provide the following financial incentives: Curology Reward Program.

  • In determining the value of your Personal Information we collect as part of your participation in our financial incentives, we consider the average value to Curology of the sale, collection, or deletion of your Personal Information, which we have calculated to be $111.

12. Personal Information Retention Periods

We retain each category of personal information listed above for as long as necessary to fulfill the purpose for which it was collected, or a related purpose consistent with consumers' expectations, and in accordance with applicable laws and regulations. We use the following criteria to determine how long to retain personal information and sensitive personal information: the purpose for which we collected the personal information, the type, nature, and sensitivity of the personal information, risks associated with retaining the personal information, and legal obligations related to the personal information.

13. Other California Privacy Rights

Shine the Light

California Civil Code Section 1798.83 (California’s “Shine the Light” law) permits users of our Website that are California residents and who provide Personal Information in obtaining products and services for personal, family, or household use to request certain information regarding our disclosure of Personal Information to third parties for their own direct marketing purposes. If applicable, this information would include the categories of Personal Information and the names and addresses of those businesses with which we shared your Personal Information for the immediately prior calendar year (e.g., requests made in 2024 will receive information regarding such activities in 2023). You may request this information once per calendar year. To make such a request, please send an email to privacy@curology.com.

COLORADO PRIVACY ADDENDUM

1. Scope of this Colorado Privacy Addendum

This Privacy Addendum for Colorado Residents (the “Colorado Privacy Addendum”) supplements the information contained in Curology’s Privacy Notice. This Colorado Privacy Addendum applies solely to all visitors of our Website, users of our Services, and others acting only in an individual or household context, each of whom resides in the State of Colorado (“Consumers” or “you”). We adopt this Colorado Privacy Addendum to comply with the Colorado Privacy Act (“CPA”), and any terms defined in the CPA have the same meaning when used in this Colorado Privacy Addendum. We may update this Colorado Privacy Addendum at any time as necessary in the event of changes to the CPA. 

This Colorado Privacy Addendum applies to information that we collect on our Website and when you use our Services (both online and offline) that is linked or reasonably linkable to an identified or identifiable individual (“Personal Data”). However, publicly available information that we collect from government records and deidentified data (when deidentified as described in the CPA) are not considered Personal Data and this Colorado Privacy Addendum does not apply to such information.

This Colorado Privacy Addendum also does not apply to certain Personal Data that is excluded from the scope of the CPA, such as health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

2. Personal Data We Collect About You 

We collect information that is linked or reasonably linkable to you, as an identified or identifiable individual or Personal Data, as described in our Privacy Notice, this Addendum, and categorized below. 

| Personal Data Category | Applicable Pieces of Personal Data Collected |
| --- | --- |
| Contact Information | A real name, alias, date of birth, postal address, unique personal identifier, online identifier, email address, and other similar identifiers. |
| Payment Information | Order history, subscriptions, products purchased or considered, payment method information, and shipping history. |
| Internet, Information from Cookies, or other similar network activity. | IP address, device information, log data, and cookies and similar technologies. |
| Location Data | Non-precise geolocation data. |
| Sensitive Data | Racial or ethnic origin, a mental or physical health condition or diagnosis, sex life, the personal data of a known child (over age 13). |

3. Sources of Personal Data

We collect Personal Data about you from the sources described in our Privacy Notice. 

4. Use of Your Personal Data

We limit the collection of Personal Data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the Personal Data is processed. We may process the Personal Data we collect for one or more of the purposes described in the Privacy Notice (for more information, see How We Use Your Information).

Specifically, Curology may collect and use Personal Data to respond to your inquiries, fulfill your requests and improve your experience; for marketing, advertising, and promotional purposes; for reporting and analytics; to improve the effectiveness of our Services, conduct research and analysis, or for other internal operations purposes; to detect, prevent or investigate potential security breaches, fraudulent transactions and monitor against theft.

We will not process Personal Data for purposes that are neither reasonably necessary to nor compatible with the purposes for which the Personal Data is processed as described in the Privacy Notice without your consent. 

5. To Whom Do We Sell or Share Your Personal Data  

As noted in our general Privacy Notice, we do not sell Personal Data as the term “sell” is commonly understood to require an exchange for money. However, the use of advertising and analytics cookies on our Website is considered a “sale” of Personal Data as the term “sale” is broadly defined in the CPA to include both monetary and other valuable consideration. Using this broad definition, our “sale” is limited to our use of third-party advertising and analytics cookies and their use in providing behavioral advertising, and their use in understanding how people use and interact with our Website, App, or Services. Our “sale” of your Personal Data in this manner is subject to your right to opt-out of those sales (see Exercising Your CPA Privacy Rights).

The categories of Personal Data that we sell or share with third parties, and the categories of third parties with whom we sell or share your Personal Data, are described in the following table:

| Personal Data Category | Third Parties With Whom Your Personal Data is Sold or Shared |
| --- | --- |
| Contact Information | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| Payment Information | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| Internet, Information from Cookies, or other similar network activity. | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| Location Data | N/A |
| Sensitive Data | N/A |

6. Your Rights and Choices 

The CPA provides Colorado residents with specific rights regarding their Personal Data. This section describes your CPA rights and explains how to exercise those rights. You may exercise these rights yourself or through your Authorized Agent. For more information on how you or your Authorized Agent can exercise your rights, please see Exercising Your CPA Privacy Rights.

  • Confirmation and Access. You have the right to confirm whether we process your Personal Data and to request access to all the specific pieces of Personal Data we have collected and maintain about you. 

  • Correction. You have the right to correct any inaccuracies in your Personal Data processed by us, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data. We may also not be able to accommodate your request to change the Personal Data if we believe it would violate any law or legal requirement or cause the Personal Data or the information associated with the Personal Data to be incorrect.

  • Deletion. You have the right to request that we delete all of your Personal Data. We cannot delete your Personal Data except by also deleting your user account; however, we may not accommodate a request to erase your Personal Data if we believe the deletion would violate any law or legal requirement or cause any information associated with the Personal Data to be incorrect.

  • Portability. To the extent you provide us with your Personal Data and to the extent we process your Personal Data, you have the right to request that we provide you a copy of, or access to, all or part of such Personal Data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the Personal Data to another controller without hindrance. We shall not provide data that we believe would disclose our trade secrets. You may only make such a request twice within a 12-month period.

  • Opt-Out of Certain Processing. To the extent applicable, you have the right to opt-out of processing your Personal Data for the purposes of: (i) targeted advertising; (ii) the sale of your Personal Data; or (iii) profiling in furtherance of decisions that produce legal effects or similarly significant effects concerning. These decisions include decisions that result in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water. Please note, however, that Curology does not process Personal Data for purposes of profiling within the meaning of the CPA.

  • Right to Non-Discrimination: We will not discriminate against a Colorado resident for exercising one of the above rights.

Exercising Your CPA Privacy Rights

To exercise the rights described above, please submit a request (a “Consumer Request”) to us by either: 

  • Emailing us at privacy@curology.com 

  • Emailing us at hello@curology.com

  • Filling out our online form here.

  • Clicking the “Do Not Sell or Share My Personal Information” link in the footer of our Website.

  • Enabling a recognized universal opt-out mechanism on your browser, device, or platform. One such preference signal is called the Global Privacy Control (“GPC”) (See Privacy Control Signals). 

If you fail to make your Consumer Request in accordance with the ways described above, we may either treat your request as if it had been submitted with our methods described above or provide you with information on how to submit the request or remedy any deficiencies with your request. 

Only you, or your Authorized Agent that you authorize to act on your behalf, may make a Consumer Request related to your Personal Data. If applicable, you may also make a Consumer Request on behalf of your minor child. To designate an Authorized Agent, see Authorized Agents below. 

All Consumer Requests must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an Authorized Agent of such a person. This may include:

    • Filling out the interactive webform; or

    • Verifying Personal Data that we may already have about you, such as your full first & last name, date of birth, shipping address on file, phone number, last 4 digits of credit card, PayPal email account, guardian info, name of provider, last transaction charge, or any other appropriate individualized data point.

  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We are unable to fulfill your request or provide you with Personal Data if we cannot authenticate that the Personal Data that is the subject of your request relates to you through commercially reasonable efforts. In this case, we may request additional information, which we will only use to authenticate you. 

Making a verifiable consumer request does not require you to create a password-protected, online account with us. However, if you do have such an account, we may require you to use it in order to make your request. Doing so will enable us to consider your requests through that account to authenticate that the Personal Data that is the subject of your request relates to you.

Privacy Control Signals

You may also exercise your right to opt out of the “sale” of your Personal Data for the purposes of targeted advertising by setting the privacy control signal on your operating system, if your system supports it. We currently recognize and support the following privacy signals sent by mobile operating systems:

When we receive one of these privacy control signals, we will opt you out of any further “sales” of your Personal Data when you interact with our Website or Services through that mobile device. We are only able to propagate your choice to opt-out to your account if you are currently logged in when we receive the privacy control signal from your mobile device. When we are able to propagate your choice to your account, you will be opted out of “sale” of your Personal Data on all devices on which you are logged in, and for both online and offline “sales.”

Response Timing and Format

We will generally process these requests within 45 days of their receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. If we cannot comply with your request, we will provide you with an explanation of the reasons we cannot comply with a request.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. 

Appeals Process

You may appeal a refusal by us to take action on your request to exercise any of the above rights within a reasonable period of time after we provide you notice of such refusal by contacting us through the contact information listed at the top of the State Privacy Notice Addenda.  

Within 45 days after we receive your appeal, we will inform you in writing of any action taken or not taken in response to your appeal, including any explanations for the reasons for the decision. If we require more time (up to 60 additional days), we will inform you of the reason and extension period in writing. If your appeal is denied, you may lodge a complaint with the Colorado Attorney General through his/her contact information available at: https://coag.gov/about-us/contact-colorado-office-attorney-general/

Authorized Agents

You may authorize your agent to exercise your rights under the CPA. We may request that your Authorized Agent submit proof of identity and that they have been authorized to exercise your rights on your behalf. We may deny a request from your Authorized Agent to exercise your rights on your behalf if they fail to submit adequate proof of identity or adequate proof that they have the authority to exercise your rights.

CONNECTICUT PRIVACY ADDENDUM

1. Scope of this Connecticut Privacy Addendum

This Privacy Addendum for Connecticut Residents (the “Connecticut Privacy Addendum”) supplements the information contained in Curology’s Privacy Notice. This Connecticut Privacy Addendum applies solely to all visitors of our Website, users of our Services, and others acting only in an individual or household context, each of whom resides in the State of Connecticut (“Consumers” or “you”). We adopt this notice to comply with the Connecticut Data Protection Act (“CTDPA”) and any terms defined in the CTDPA have the same meaning when used in this notice. We may update this Connecticut Privacy Addendum at any time as necessary in the event of changes to the CTDPA.

This Connecticut Privacy Addendum applies to information that we collect on our Website or through our Services that is linked or reasonably linkable to an identified or identifiable natural person (“Personal Data”). 

Personal Data does not include, and this Connecticut Privacy Addendum does not cover:

  • Publicly available information from government records or that we have a reasonable belief is lawfully made available to the general public either by widely distributed media, by you, or by a person to whom you have disclosed the information (unless you have restricted the information to a specific audience); 

  • Information that has been de-identified such that the information can no longer be reasonably linked to you or a device linked to you; or

  • Other information as set forth under the CTDPA.

This Connecticut Privacy Addendum also does not apply to certain Personal Data that is excluded from the scope of the CTDPA, such as health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

2. Information We Process

We collect information that is linked or is reasonably linkable to you as an identified or identifiable person, or Personal Data, as described in our Privacy Notice, and categorized below.

| Personal Data Category | Applicable Pieces of Personal Data Collected |
| --- | --- |
| Contact Information | A real name, alias, date of birth, postal address, unique personal identifier, online identifier, email address, and other similar identifiers. |
| Payment Information | Order history, subscriptions, products purchased or considered, payment method information, and shipping history. |
| Internet, Information from Cookies, or other similar network activity. | IP address, device information, log data, and cookies and similar technologies. |
| Location Data | None. |
| Sensitive Data | Racial or ethnic origin, a mental or physical health condition or diagnosis, sex activity. |

3. Use of Personal Data

We limit the collection of Personal Data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the Personal Data is processed. We may process the Personal Data we collect for one or more of the purposes described in the Privacy Notice (for more information, see How We Use Your Information).

Specifically, Curology may collect and use Personal Data to respond to your inquiries, fulfill your requests, and improve your experience; for marketing, advertising, and promotional purposes; for reporting and analytics; to improve the effectiveness of our Services, conduct research and analysis, or for other internal operations purposes; to detect, prevent or investigate potential security breaches, fraudulent transactions and monitor against theft.

We will not process Personal Data for purposes that are neither reasonably necessary to nor compatible with the purposes for which the Personal Data is processed as described in the Privacy Notice without your consent. Additionally, Curology does not process Personal Data for targeted advertising.

4. Sharing Personal Data

Curology may share your Personal Data with a third party. When we disclose Personal Data, we enter into a contract that describes the purpose and requires the recipient to both keep that Personal Data confidential and not use it for any purpose except performing the contract. The categories of Personal Data that we share with third parties, and the categories of third parties that we share your Personal Data with, are described in the following table:

| Category of Personal Data Shared with Third Parties | Categories of Third Parties the Personal Data are Shared With |
| --- | --- |
| Contact Information | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| Payment Information | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| Internet, Information from Cookies, or other similar network activity. | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| Location Data | N/A |
| Sensitive Data | N/A |

5. Sales of Your Personal Data

As noted in our general Privacy Notice, we do not sell Personal Data as the term “sell” is commonly understood to require an exchange for money. However, the use of advertising and analytics cookies on our Website is considered a “sale” of Personal Data as the term “sale” is broadly defined in the CTDPA to include both monetary and other valuable considerations. Using this broad definition, our “sale” is limited to our use of third-party advertising and analytics cookies and their use in providing behavioral advertising, and their use in understanding how people use and interact with our Website, App, or Services. Our “sale” of your Personal Data in this manner is subject to your right to opt-out of those sales (see Exercising Your CTDPA Privacy Rights).

6. Your Rights and Choices 

The CTDPA provides you, as a consumer in Connecticut, with specific rights regarding your Personal Data. This section describes your CTDPA rights and explains how to exercise those rights. You may exercise these rights yourself or through your authorized agent. For more information on how you or your authorized agent can exercise your rights, please see Exercising Your CTDPA Privacy Rights.

  • Right to Know and Access. You have the right to confirm whether or not we are processing your Personal Data and to have access to that Personal Data. 

  • Correction. You have the right to correct any inaccuracies in your Personal Data processed by us, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data. We may also not be able to accommodate your request to change the Personal Data if we believe it would violate any law or legal requirement or cause the Personal Data or the information associated with the Personal Data to be incorrect.

  • Deletion. You have the right to request that we delete all of your Personal Data. We cannot delete your Personal Data except by also deleting your user account. We may not accommodate a request to erase your Personal Data if we believe the deletion would violate any law or legal requirement or cause any information associated with the Personal Data to be incorrect.

  • Portability. To the extent you provide us with your Personal Data and to the extent we process the Personal Data by automated means, you have the right to request that we provide you a copy of, or access to, all or part of such Personal Data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the Personal Data to another controller without hindrance. 

  • Opt-Out of Certain Processing. You have the right to opt-out of processing your Personal Data for the purposes of: (i) targeted advertising; (ii) the sale of your Personal Data, except as permitted under the CTDPA; or (iii) profiling in furtherance of solely automated decisions that produce legal effects or similarly significant effects. These decisions include decisions that result in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water. Please note, however, that Curology does not process Personal Data for purposes of profiling within the meaning of the CTDPA.

  • Right to Non-Discrimination. We will not discriminate against a Connecticut resident for exercising one of the above rights.

  • Right to Appeal. Connecticut residents have the right to appeal a refusal by us to act on your request to exercise any of the above rights. See Appeal Process below for more information. 

Exercising Your CTDPA Rights

To exercise the rights described above, please submit a request to us by contacting us by either: 

  • Emailing us at privacy@curology.com 

  • Emailing us at hello@curology.com

  • Filling out our online form here.

  • Clicking the “Do Not Sell or Share My Personal Information” link in the footer of our Website.

  • Enabling a recognized universal opt-out mechanism on your browser, device, or platform. One such preference signal is called the Global Privacy Control (“GPC”) (See Privacy Control Signals). 

You may only make a request to exercise the above rights twice within a 12-month period. The request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data. 

  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Data if we cannot authenticate that the Personal Data that is the subject of your request relates to you through commercially reasonable efforts. In this case, we may request additional information, which we will only use to authenticate you. 

Making a verifiable consumer request does not require you to create a password-protected, online account with us. However, if you do have such an account, we may require you to use it in order to make your request. Doing so will enable us to consider your requests through that account to authenticate that the Personal Data that is the subject of your request relates to you.

Response Timing and Format

We will generally process these requests within forty-five (45) days of receiving them. If we require more time (up to 45 days), we will inform you of the reason and extension period in writing. If we cannot comply with your request, we will provide you with an explanation of the reasons we cannot comply with a request. 

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. 

Appeals Process

You may appeal a refusal by us to take action on your request to exercise any of the above rights within a reasonable period of time after we provide you notice of such refusal by contacting us through the Contact Information at the top of the State Privacy Notice Addenda. Within sixty (60) days after we receive your appeal, we will inform you in writing of any action taken or not taken in response to your appeal, including any explanations for the reasons for the decision. If your appeal is denied, you may lodge a complaint with the Connecticut Attorney General through their contact information available at: www.portal.ct.gov/AG/Contact-the-Attorney-Generals-Office/Contact-the-Attorney-Generals-Office.  

7. Non-Discrimination

We will not discriminate against you for exercising any of your CTDPA rights. Unless permitted by the CTDPA, we will not:

  • Deny you goods or services.

  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

  • Provide you a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CTDPA that can result in different prices, rates, quality levels, or selection of goods and services (including the possibility of offering our Services for no fee), if you have exercised your rights to opt-out of certain processes as described above or if the offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. 

VIRGINIA PRIVACY ADDENDUM

1. Scope of this Virginia Privacy Addendum

This Privacy Addendum for Virginia Residents (the “Virginia Privacy Addendum”) supplements the information contained in Curology’s Privacy Notice and further describes our collection and use of Personal Data (as defined below). This Virginia Privacy Addendum applies solely to all visitors of our Website, users of our Services, and others acting only in an individual or household context, each of whom resides in the Commonwealth of Virginia (“consumers” or “you”). We adopt this notice to comply with the Virginia Consumer Data Protection Act of 2021 (“VCDPA”), and any terms defined in the VCDPA have the same meaning when used in this notice. 

This Virginia Privacy Addendum applies to information that we collect on our Website or App and when you use our Services that is linked or reasonably linkable to an identified or identifiable natural person (“Personal Data”). 

Personal Data does not include, and this Virginia Privacy Addendum does not cover:

  • Publicly available information from government records or that we have a reasonable belief is lawfully made available to the general public either by widely distributed media, by you, or by a person to whom you have disclosed the information (unless you have restricted the information to a specific audience); 

  • Information that has been de-identified such that the information can no longer be reasonably linked to you or a device linked to you; or

  • Other information as set forth under the VCDPA.

This Virginia Privacy Addendum also does not apply to certain Personal Data that is excluded from the scope of the VCDPA, such as protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”), health records, patient identifying information, and other sets of data identified in Va. Code § 59.1-576 that relate to compliance with various federal laws.  

2. Information We Process

We collect information that is linked or is reasonably linkable to you as an identified or identifiable person, or Personal Data, as described in our Privacy Notice, and categorized below.

| Personal Data Category | Applicable Pieces of Personal Data Collected |
| --- | --- |
| Identifiers | A real name, alias, date of birth, postal address, unique personal identifier, online identifier, email address, and other similar identifiers. |
| Payment Information | Order history, subscriptions, products purchased or considered, payment information, and shipping history. |
| Internet, Information from Cookies, or other similar network activity. | IP address, geolocation information, device information, log data, and cookies and similar technologies. |
| Location Data | Non-precise geolocation data. |
| Sensitive Data | Racial or ethnic origin, mental or physical health diagnosis. |

3. Use of Personal Data

We limit the collection of Personal Data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the Personal Data is processed. We may process the Personal Data we collect for one or more of the purposes described in the Privacy Notice (for more information, see How We Use Your Information).

Specifically, Curology may collect and use Personal Data to respond to your inquiries, fulfill your requests, and improve your experience; for marketing, advertising, and promotional purposes; for reporting and analytics; to improve the effectiveness of our Services, conduct research and analysis, or for other internal operations purposes; and to detect, prevent, or investigate potential security breaches and fraudulent transactions, and to monitor against theft.

We will not process Personal Data for purposes that are neither reasonably necessary to nor compatible with the purposes for which the Personal Data is processed as described in the Privacy Notice without your consent. 

4. Sharing Personal Data

Curology may share your Personal Data with a third party. When we disclose Personal Data, we enter into a contract that describes the purpose and requires the recipient to both keep that Personal Data confidential and not use it for any purpose except performing the contract. The categories of Personal Data that we share with third parties, and the categories of third parties that we share your Personal Data with, are described in the following table:

| Category of Personal Data Shared with Third Parties | Categories of Third Parties the Personal Data are Shared With |
| --- | --- |
| Contact Information | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| Payment Information | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| Internet, Information from Cookies, or other similar network activity. | Advertisers and advertising networks; business partners; affiliates of Curology; social media companies; and Internet cookie information recipients, such as analytics and behavioral advertising services. |
| Location Data | N/A |
| Sensitive Data | N/A |

5. Sales of Your Personal Data

We do not sell your Personal Data to third parties for their own commercial use. 

6. Your Rights and Choices 

The VCDPA provides you, as a consumer in Virginia, with specific rights regarding your Personal Data. This section describes your VCDPA rights and explains how to exercise those rights. You may exercise these rights yourself or through your authorized agent. For more information on how you or your authorized agent can exercise your rights, please see Exercising Your VCDPA Rights.

  • Confirmation and Access. You have the right to confirm whether or not we are processing your Personal Data and to have access to that Personal Data. 

  • Correction. You have the right to correct any inaccuracies in your Personal Data processed by us, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data. We may also not be able to accommodate your request to change the Personal Data if we believe it would violate any law or legal requirement or cause the Personal Data or the information associated with the Personal Data to be incorrect.

  • Deletion. You have the right to request that we delete all of your Personal Data. We cannot delete your Personal Data except by also deleting your user account. We may not accommodate a request to erase your Personal Data if we believe the deletion would violate any law or legal requirement or cause any information associated with the Personal Data to be incorrect.

  • Portability. To the extent you provide us with your Personal Data and to the extent we process the Personal Data by automated means, you have the right to request that we provide you a copy of, or access to, all or part of such Personal Data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the Personal Data to another controller without hindrance.

  • Opt-Out of Certain Processing. You have the right to opt-out of processing your Personal Data for the purposes of: (i) targeted advertising; (ii) the sale of your Personal Data; or (iii) profiling in furtherance of decisions that produce legal effects or similarly significant effects. These decisions include decisions that result in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water. Please note, however, that Curology does not process Personal Data for purposes of profiling within the meaning of the VCDPA.

  • Right to Non-Discrimination. We will not discriminate against a Virginia resident for exercising one of the above rights.

  • Right to Appeal. Virginia residents have the right to appeal a refusal by us to act on your request to exercise any of the above rights. See Appeals Process below for more information.

Exercising Your VCDPA Rights

To exercise the rights described above, please submit a request to us by contacting us by either: 

  • Emailing us at privacy@curology.com 

  • Emailing us at hello@curology.com

  • Filling out our online form here.

  • Clicking the “Do Not Sell or Share My Personal Information” link in the footer of our Website.

You may only make a request to exercise the above rights twice within a 12-month period. The request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data. 

  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Data if we cannot authenticate that the Personal Data that is the subject of your request relates to you through commercially reasonable efforts. In this case, we may request additional information, which we will only use to authenticate you. 

Making a verifiable consumer request does not require you to create a password-protected, online account with us. However, if you do have such an account, we may require you to use it in order to make your request. Doing so will enable us to process your requests through that account to authenticate that the Personal Data that is the subject of your request relates to you.

Response Timing and Format

We will generally process these requests within forty-five (45) days of receiving them. If we require more time (up to 45 days), we will inform you of the reason and extension period in writing. If we cannot comply with your request, we will provide you with an explanation of the reasons we cannot comply with a request. 

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. 

Appeals Process

You may appeal a refusal by us to take action on your request to exercise any of the above rights within a reasonable period of time after we provide you notice of such refusal by contacting us through the Contact Information at the top of the State Privacy Notice Addenda. Within sixty (60) days after we receive your appeal, we will inform you in writing of any action taken or not taken in response to your appeal, including any explanations for the reasons for the decision. If your appeal is denied, you may lodge a complaint with the Virginia Attorney General through their contact information available at: https://www.oag.state.va.us/contact-us/contact-info

7. Non-Discrimination

We will not discriminate against you for exercising any of your VCDPA rights. Unless permitted by the VCDPA, we will not:

  • Deny you goods or services.

  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

  • Provide you a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the VCDPA that can result in different prices, rates, quality levels, or selection of goods and services (including the possibility of offering our Services for no fee), if you have exercised your rights to opt-out of certain processes as described above or if the offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

All Rights Reserved 2014-2024 Curology Inc.