
Privacy Policy

Last Updated: February 2026

Curo AI Inc. ("Curo," "Company," "we," "us," or "our") is committed to protecting personal information and respecting privacy. This Privacy Policy explains how we collect, use, disclose, and retain personal information when you ("you," "User") visit our websites, interact with our marketing and recruiting channels, use our products and services, or interact with our customers' deployments of our services (collectively, the "Services").

This Privacy Policy does not limit any statutory rights you may have, including rights to remedies or enforcement mechanisms.

1. Relationship With Customers and End Users

Curo provides conversational AI and related tooling to business customers ("Customers") under written agreements. Where Curo processes personal information on behalf of a Customer (for example, where an individual interacts with a Customer's phone, text, chat, email, or website experience powered by Curo), the Customer controls the deployment and is responsible for providing notices and obtaining any required consents.

In those situations, Curo acts as a service provider/processor (and, where applicable, a Business Associate under HIPAA) to the Customer, and Curo's processing is governed by the applicable contract, Data Processing Addendum, and/or Business Associate Agreement.

If you have questions about how a specific Customer uses Curo's services, please contact that Customer directly. Curo's own data practices are described in this Privacy Policy.

2. Definitions

"Personal Information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to an identified or identifiable individual or household. Personal Information does not include publicly available information, aggregated information, or information that has been de-identified.

"Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations. PHI includes voice recordings, call transcripts, and related metadata generated through Customer deployments when such data contains health-related information.

"Sensitive Personal Information" may include government identifiers, precise geolocation, health information, biometric identifiers (including voice prints or voice patterns), account credentials, and the contents of certain communications when Curo is not the intended recipient.

3. Information We Collect

Depending on how you interact with us, we may collect the following categories of information:

  • Identifiers and contact information — name, email address, phone number, postal address, job title, employer.
  • Account and administrative information — username, role-based access details, authentication and security metadata.
  • Voice and call data — voice recordings, call transcripts, call metadata (duration, timestamp, caller ID, call disposition), and voice-derived analytics generated through Customer deployments of Curo's voice AI platform. Voice recordings and transcripts that contain health-related discussions are classified as PHI.
  • Customer support and communications — messages, support tickets, and related metadata.
  • Usage and device data — IP address, browser type, device identifiers, pages viewed, referral URLs, and interaction logs.
  • Marketing and event information — newsletter sign-ups, demo requests, event attendance, business card information, and preferences.
  • Recruiting information — resume/CV, employment history, education, references, and application materials.
  • Inferences and analytics-derived information — aggregated insights about feature usage, call patterns, and platform performance.

4. Sources of Information

We may collect Personal Information from: (a) you directly; (b) our Customers (when you interact with a Customer deployment); (c) service providers that help us operate our business; and (d) publicly available sources (such as professional networking profiles) where permitted by law.

Voice and call data is collected exclusively through Customer deployments and is initiated and controlled by the Customer.

5. How We Use Personal Information

We use Personal Information for the following business purposes:

  • Provide, operate, maintain, and improve the Services, including quality assurance, troubleshooting, and performance monitoring.
  • Process and route voice calls, generate transcripts, book appointments, and execute workflows as configured by the Customer.
  • Authenticate users, administer accounts, and enforce security controls.
  • Respond to inquiries, provide customer support, and communicate about updates and operational notices.
  • Process transactions and manage billing.
  • Send marketing and promotional communications (subject to your choices and applicable law).
  • Run events, webinars, and surveys, and manage business relationships.
  • Recruiting and hiring activities.
  • Detect, prevent, and address fraud, misuse, security incidents, and unlawful activity.
  • Comply with legal obligations and exercise or defend legal claims.

Important: Curo does not use Customer voice recordings, call transcripts, or PHI to train generalized AI models. Customer data is logically isolated and used solely to provide Services to the applicable Customer. Any quality assurance review of call recordings is conducted under the terms of the applicable Customer agreement.

We may create de-identified or aggregated information ("Anonymous Information"). We may use Anonymous Information for any lawful purpose, including to improve the Services. Anonymous Information is not PHI and is not subject to HIPAA restrictions.

6. HIPAA Compliance

Where Curo processes Protected Health Information on behalf of a healthcare Customer, Curo acts as a Business Associate under HIPAA.

Business Associate Agreements

Curo executes a Business Associate Agreement ("BAA") with each Customer before processing PHI. The BAA governs Curo's obligations regarding the use, disclosure, and safeguarding of PHI.

Minimum Necessary Standard

Curo collects and processes only the minimum PHI necessary to perform the services requested by the Customer, consistent with the HIPAA minimum necessary standard.

Patient Rights

Curo supports Customers in honoring patient rights under HIPAA, including the right to access PHI, request amendments, and receive an accounting of disclosures. Patients should direct such requests to their healthcare provider (the Customer). Curo will cooperate with the Customer to fulfill such requests.

No Clinical Decision-Making

Curo's AI does not provide medical advice, clinical diagnoses, or treatment recommendations. Clinical and emergency situations are escalated to qualified personnel in accordance with Customer-defined protocols.

Breach Notification

In the event of a security incident involving PHI, Curo will notify the affected Customer within 48 hours of discovering the incident, consistent with HIPAA breach notification requirements and the terms of the applicable BAA.

7. Voice Data and Call Recordings

Voice data is central to Curo's Services. This section describes how we handle it:

Collection

Voice recordings and transcripts are generated when a caller interacts with a Customer's Curo-powered phone system. Recording is initiated and controlled by the Customer, who is responsible for any required disclosures or consent under applicable law (including state wiretapping and recording consent laws).

Classification

Voice recordings and call transcripts that contain health-related information are classified as PHI and are subject to the protections described in Section 6.

Storage and Encryption

Voice recordings and transcripts are encrypted using TLS 1.3 in transit and AES-256 at rest. Data is stored in SOC 2 Type II certified data centers within the United States.

Access

Access to voice recordings and transcripts is restricted to authorized Curo personnel on a role-based, least-privilege basis. Customers may access their own call data through the Curo dashboard.

Retention

Voice recordings and transcripts are retained in accordance with the applicable Customer agreement. Default retention is 90 days unless the Customer specifies a different period. Customers may request earlier deletion at any time.

No Model Training

Curo does not use Customer voice recordings or transcripts to train generalized AI models.

9. How We Share Personal Information

We may share Personal Information as follows:

  • Service providers and subprocessors — third parties that help us operate our business, including cloud infrastructure providers, telephony providers, analytics tools, customer support platforms, and billing systems. See Section 10 for subprocessor categories.
  • Affiliates and subsidiaries — for internal business purposes, consistent with this Privacy Policy.
  • Customers — where necessary to provide the Services or as directed by the Customer.
  • Professional advisors — auditors, lawyers, and insurers as necessary.
  • Regulators and law enforcement — when required by law or when we have a good-faith belief it is necessary to protect rights, safety, and security. We validate and review all such requests and disclose information only as required or permitted by law.
  • Business transactions — in connection with a financing, merger, acquisition, reorganization, bankruptcy, or sale of assets. If such a transaction occurs, we will require the acquiring entity to honor the terms of this Privacy Policy.
  • With your consent — at your direction, such as optional integrations.

We do not sell your Personal Information. We do not share your Personal Information for cross-context behavioral advertising purposes.

10. Subprocessors

Curo uses the following categories of subprocessors to deliver the Services. Each subprocessor is bound by contractual obligations to protect Personal Information and PHI:

  • Cloud Infrastructure — hosting, compute, and storage services (United States data centers).
  • Telephony and Communications — voice call routing, SIP trunking, and SMS delivery.
  • EMR Integration Partners — secure middleware for reading and writing to Customer electronic medical record systems.
  • AI and Natural Language Processing — speech-to-text, natural language understanding, and text-to-speech services.
  • Analytics and Monitoring — platform performance monitoring, error tracking, and usage analytics.
  • Billing and Payments — payment processing and invoicing.

A current list of specific subprocessors is available upon request by contacting privacy@curoai.com.

11. Data Security

Curo implements administrative, technical, and organizational measures designed to protect Personal Information and PHI:

  • Encryption. TLS 1.3 for data in transit. AES-256 for data at rest.
  • Access Controls. Role-based access with least-privilege principles. Multi-factor authentication required for all internal systems.
  • Certifications. Curo maintains SOC 2 Type II certification, audited annually by an independent third-party auditor.
  • Infrastructure. Data is processed and stored in the United States in data centers that maintain SOC 2 and/or ISO 27001 certifications.
  • Monitoring. Continuous security monitoring, intrusion detection, and logging. Security events are reviewed and escalated in accordance with our incident response procedures.
  • Workforce. All Curo personnel with access to Personal Information or PHI undergo background checks and complete security and privacy training upon hire and annually thereafter.
  • Penetration Testing. Curo conducts regular penetration testing and vulnerability assessments.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and securing the devices and networks you use to access the Services.

12. Data Retention

We retain Personal Information for as long as reasonably necessary to provide the Services and for legitimate business purposes. Specific retention periods include:

  • Voice recordings and call transcripts: 90 days by default, or as specified in the Customer agreement.
  • Call metadata (timestamps, duration, disposition): 24 months, or as specified in the Customer agreement.
  • Account and administrative data: Duration of the Customer relationship plus 12 months.
  • Marketing and communications data: Until you opt out or request deletion, plus a suppression record to honor your preference.
  • Recruiting data: 24 months from the date of application, unless you request earlier deletion.
  • Usage and device data: 24 months.

Customers may request deletion of their data at any time in accordance with their agreement and applicable law. After deletion, certain information may remain in encrypted backups for a limited period before being permanently removed.

13. Your Privacy Rights and Choices

Depending on where you live, you may have rights to:

  • Access, correct, delete, or obtain a copy of your Personal Information.
  • Object to or restrict certain processing.
  • Withdraw consent (where processing is based on consent).
  • Data portability (receive your data in a structured, machine-readable format).
  • Appeal certain decisions where required by law.
  • Opt out of marketing emails using the unsubscribe link in our messages.

To exercise your rights, contact us at privacy@curoai.com. We will respond within the timeframe required by applicable law (typically 30–45 days). We may need to verify your identity before completing your request. We will not discriminate against you for exercising your rights.

If you are a patient who interacted with a Curo-powered phone system, please contact the healthcare provider (our Customer) directly to exercise your rights regarding that interaction. Curo will cooperate with the Customer to fulfill your request.

14. California Privacy Notice (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

Categories of Personal Information Collected, Disclosed, and Sold/Shared in the Past 12 Months:

Category | Collected | Disclosed for Business Purpose | Sold | Shared for Cross-Context Behavioral Advertising
Identifiers (name, email, phone, IP address) | Yes | Yes | No | No
Account information | Yes | Yes | No | No
Voice and call data (recordings, transcripts) | Yes | Yes | No | No
Usage and device data | Yes | Yes | No | No
Marketing and event information | Yes | Yes | No | No
Recruiting information | Yes | Yes | No | No
Inferences | Yes | Yes | No | No
Sensitive Personal Information (health info, voice data) | Yes | Yes | No | No

Your California Rights:

  • Right to Know — request the categories and specific pieces of Personal Information we have collected about you.
  • Right to Delete — request deletion of your Personal Information, subject to exceptions.
  • Right to Correct — request correction of inaccurate Personal Information.
  • Right to Opt Out of Sale/Sharing — we do not sell or share your Personal Information. No opt-out is necessary.
  • Right to Limit Use of Sensitive Personal Information — you may request we limit use of Sensitive Personal Information to purposes necessary for providing the Services.
  • Right to Non-Discrimination — we will not discriminate against you for exercising your rights.

You may designate an authorized agent to submit requests on your behalf, subject to verification requirements. We do not respond to browser "Do Not Track" signals.

15. Children's Privacy

The Services are not directed to children under 13, and we do not knowingly collect Personal Information from children under 13. If you believe a child has provided Personal Information to us, please contact us at privacy@curoai.com and we will take appropriate steps to delete such information consistent with applicable law.

16. Account Deletion

If you maintain an account with Curo, you may request deletion by contacting us at privacy@curoai.com. After deletion, certain information may remain in encrypted backups where required for legal, security, or operational reasons for a limited period before permanent removal.

17. Third-Party Services and Integrations

The Services may enable interactions with third-party websites, applications, or integrations not owned or controlled by Curo ("Third-Party Services"). Curo is not responsible for the privacy practices of Third-Party Services. Please review the applicable terms and privacy policies of those third parties before using them.

18. Updates to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by posting an updated policy on our website and, where required, through email notification or in-app notice. The "Last Updated" date at the top indicates when this Privacy Policy was last revised.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, contact us at:

Curo AI Inc.

Email: support@curoai.com

Privacy Requests: privacy@curoai.com

Address: PO Box 3812, Allentown, PA 18106

(800) 600-1415