Privacy policy

Last updated: March 2026

Curio Health ("Curio," "we," "us") provides email encryption for Canadian therapists who use Google Workspace. This privacy policy explains what information we collect, how we use it, where it's stored, and what rights you have.

We're a privacy company. We take that seriously, and we want this policy to be readable, not just legally defensible.

If you have questions after reading this, contact us at legal@curio.health.


What information we collect

We collect different types of information depending on how you interact with Curio.

Account information. When you sign up, you authenticate through Google OAuth. We receive your name, email address, and Google Workspace domain. We don't receive or store your Google password.

Email metadata. When Curio processes an outbound email, we log metadata for your audit trail: recipient domain, encryption method used (TLS or portal), timestamp, and delivery status. We do not read, store, or access the content of your emails.

Audit trail data. Every encrypted send generates an audit record. These records are stored in our Canadian database and include the metadata above plus encryption verification details.

Payment information. We use Stripe to process payments. Your credit card number and billing details go directly to Stripe. We receive a transaction record and the last four digits of your card, but we never see or store your full payment details. See Stripe's privacy policy for how they handle your data.

Website analytics. On curio.health (the marketing website), we use Google Analytics with your consent. Analytics cookies only load after you accept them through our consent banner. If you decline, no analytics data is collected. We don't run analytics on the Curio product itself.

Support correspondence. If you email us or use a contact form, we keep that correspondence to respond to you and improve our service.


How we use your information

We use your information for these purposes:

  • Providing the service. Encrypting your outbound email, maintaining your audit trail, managing your account.
  • Processing payments. Billing through Stripe, managing subscriptions, issuing receipts.
  • Improving the service. Analyzing aggregate, de-identified usage patterns to make the product better. We never use individual email metadata for this.
  • Communicating with you. Account notifications, service updates, responding to your questions. We won't send marketing emails without your consent.
  • Complying with law. Meeting our obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), the Personal Health Information Protection Act, 2004 (PHIPA), and other applicable privacy legislation.

We don't sell your information. We don't use it to train AI models. We don't share it with third parties for their marketing purposes.


Where your data is stored

This matters. It's the reason we built Curio the way we did.

Curio's compliance infrastructure is hosted in Canada. Our compliance engine, audit trail database, and email processing all run on Canadian servers:

  • Database: Cloud SQL (PostgreSQL) on Google Cloud, in northamerica-northeast1 (Montreal) and northamerica-northeast2 (Toronto)
  • Email gateway: Haraka SMTP relay on AWS Lightsail in Montreal
  • Application: Next.js on Google Cloud Run, containerized in Canadian regions
  • Authentication sessions: Stored in Cloud SQL in Canadian regions

Your audit trail records and encrypted portal messages stay in Canada.

What about Gmail itself?

Here's where we need to be direct. Gmail stores email content on Google's servers, which may be located in the US or EU. Google controls where Gmail data is stored, not Curio. Curio encrypts your outbound email and maintains a Canadian audit trail, but we can't change where Google hosts your Gmail inbox.

This is an important distinction. When we say "Canadian hosted compliance infrastructure," we mean Curio's infrastructure (audit trail, encrypted portal messages, compliance engine). We don't mean all data related to your email.


Third-party services

We work with a limited number of third parties to deliver the service. Here's who they are and what they do.

Service | What they do | Data they receive | Where they process it
Google Cloud (GCP) | Hosts our database, application, and authentication | Account data, audit trail records | Montreal and Toronto, Canada
AWS Lightsail | Hosts our email gateway | Email metadata during processing | Montreal, Canada
Google (Workspace) | Integration layer for your email | Your Gmail data (controlled by Google) | US/EU (Google controlled)
Stripe | Payment processing | Payment and billing information | US (Stripe privacy)
Cloudflare | CDN, DNS, and security headers for curio.health | Website traffic data | Global edge network
Google Analytics | Website analytics (with consent) | Anonymized browsing behavior on curio.health | US (Google controlled)

We require contractual protections from each provider. Where a provider processes data outside Canada, we ensure comparable protections are in place through contractual means, as required under PIPEDA.

We don't share personal health information with any third party. Audit trail data stays in our Canadian database. Email metadata is processed by our Canadian email gateway and stored in our Canadian database.


Data security

Encryption. All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Outbound emails are encrypted via TLS first (approximately 95% of recipients support this). When a recipient's server doesn't support TLS, Curio routes the message through an encrypted portal.

Access controls. Multi-factor authentication is required for all therapist accounts. Internal access to production infrastructure is restricted and logged.

Audit logging. Every access to personal health information in our system is logged. These logs are immutable (they can't be edited or deleted) and retained for a minimum of six years.

PHI scrubbing. We don't send personal health information to analytics or monitoring tools. Logs used for service improvement are scrubbed of any identifying information before analysis.


Data retention

Data type | Retention period | Reason
Audit trail records | Minimum 6 years | Professional regulatory requirements (CRPO Standard 5.6 recommends 10 years for clinical records)
Account information | Duration of your account + 30 days after deletion | Service delivery
Payment records | As required by tax law (typically 7 years) | Legal obligation
Website analytics | 14 months | Google Analytics default retention
Support correspondence | 2 years after last contact | Service improvement

When you close your account, we delete your account information within 30 days. Audit trail records are retained for the minimum period above because they may be needed for regulatory purposes. After the retention period, data is securely destroyed and the destruction is logged.


Your rights

You have rights under PIPEDA and, if you're in Ontario, under PHIPA.

Access. You can request a copy of the personal information we hold about you. We'll respond within 30 days (PHIPA Part V; PIPEDA s. 8(3)).

Correction. If your information is inaccurate, you can ask us to correct it.

Withdrawal of consent. You can withdraw consent for non-essential data processing at any time. Note that withdrawing consent for processing required to deliver the service means we may no longer be able to provide the service to you.

Data export. You can request an export of your audit trail data in a machine-readable format.

Complaint. If you're not satisfied with how we handle your information, you have the right to file a complaint with:

Information and Privacy Commissioner of Ontario (IPC)

2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
Phone: 416-326-3333 / 1-800-387-0073
Website: ipc.on.ca

Office of the Privacy Commissioner of Canada (OPC)

30 Victoria Street
Gatineau, QC K1A 1H3
Phone: 819-994-5444 / 1-800-282-1376
Website: priv.gc.ca

To exercise any of these rights, email legal@curio.health.


Electronic service provider obligations

Curio acts as an electronic service provider (ESP) under PHIPA s. 10(4) and as an agent under PHIPA s. 17. This means we have specific obligations regarding the personal health information we process on your behalf.

We require an ESP agreement with every therapist customer. This agreement specifies: the purposes for which we process personal health information, the security measures we maintain, breach notification procedures, data retention and destruction practices, data return on account termination, and restrictions on use.

If you're a Curio customer and haven't signed an ESP agreement, contact us at legal@curio.health.


Breach notification

If we become aware of unauthorized access to your personal information, we'll notify you at the first reasonable opportunity, as required under PHIPA s. 12(2). We'll also notify the Information and Privacy Commissioner of Ontario.

For breaches involving personal information subject to PIPEDA, we'll assess whether there is a real risk of significant harm. If so, we'll notify you and the Office of the Privacy Commissioner of Canada as soon as practicable, and maintain a record of the breach for 24 months (PIPEDA s. 10.1, 10.2, 10.3).


Cookies and tracking

On the marketing website (curio.health): We use a consent banner that loads before any analytics or tracking. Here's what runs and when:

Before consent (always active)

  • Cloudflare security features (necessary for site functionality)
  • No cookies, no analytics, no tracking pixels

After you accept analytics cookies

  • Google Analytics (GA4) via Google Tag Manager
  • Session cookies for basic site functionality

If you decline

Nothing loads beyond what's necessary for the site to work. We respect your choice, and we don't use dark patterns to pressure you into accepting.

In the Curio product

We don't run third-party analytics or tracking in the product. Session cookies are used for authentication only.


Provincial health privacy law compliance

Curio Health is designed to comply with provincial health privacy legislation across Canada.

PHIPA (Ontario)

Curio is designed as an electronic service provider under PHIPA s. 10(4). Our Canadian hosted audit trail, encryption infrastructure, and ESP agreements are built to meet PHIPA requirements for health information custodians.

HIA (Alberta)

Curio supports therapists operating under Alberta's Health Information Act. The same Canadian hosted infrastructure and encryption standards apply, with ESP agreement terms adapted to HIA requirements.

PIPA (British Columbia)

Curio supports therapists in British Columbia operating under PIPA. Our infrastructure meets PIPA's requirements for reasonable security arrangements and Canadian data residency.


Changes to this policy

We'll update this policy when our practices change. If we make changes that affect your rights or how we handle your information, we'll notify you by email before the changes take effect.

The "Last updated" date at the top of this page tells you when this policy was last revised.


Contact

For privacy questions, data access requests, or complaints:

Email: legal@curio.health

Curio Health
Ontario, Canada