Terms of service

Last updated: March 2026

These terms of service ("Terms") are a legal agreement between you and Curio Health Inc. ("Curio," "we," "us"). They govern your use of Curio's email encryption service at curio.health.

By creating an account or using the service, you agree to these Terms. If you don't agree, don't use the service.

We've written these to be readable. If something is unclear, email us at legal@curio.health.


1. What Curio does

Curio is an email encryption service for Canadian therapists who use Google Workspace. Here's what it does at a technical level:

  • Automatic encryption. Every outbound email sent through Curio is encrypted. Curio first checks whether the recipient's email server supports TLS. If it does (roughly 95% of the time), the email is delivered over an encrypted TLS connection. If not, Curio routes the message through an encrypted portal where the recipient reads it securely.
  • Canadian audit trail. Every encrypted send is logged in a Canadian database. Audit records include recipient domain, encryption method, timestamp, and delivery status. These records are stored on Google Cloud servers in Montreal and Toronto.

That's V0. The product will grow, and we'll update these Terms when it does.

What Curio does not do

This list matters. Curio is infrastructure, not a clinical tool.

  • Curio does not diagnose, treat, cure, or prevent any health condition.
  • Curio does not provide legal advice or compliance advice.
  • Curio does not manage client consent on your behalf.
  • Curio does not store or process the content of your emails. We log metadata for your audit trail, not the message body.
  • Curio does not replace your professional obligations as a health information custodian.

Using Curio doesn't make you compliant with PHIPA, HIA, PIPA, or PIPEDA on its own. Email encryption is one part of your compliance obligations. The rest depends on your overall practice: consent processes, record keeping, breach response, and more. Talk to a privacy professional about your specific situation.


2. Account requirements

To use Curio, you need:

  • A Google Workspace account. Google Workspace Business Plus or higher is recommended for defensible compliance (it includes additional security controls and audit features that regulators expect).
  • Multi-factor authentication (MFA) enabled on your Google account. This is required, not optional. If you disable MFA, we may suspend your account until it's re-enabled.
  • A valid email address for account notifications and service communications.

You're responsible for keeping your account credentials secure. If you suspect unauthorized access to your account, contact us immediately at legal@curio.health.

One account per licensed practitioner. Don't share credentials with staff unless they have their own licensed seat.


3. Your responsibilities as a health information custodian

Under Canadian health privacy law, the therapist is the health information custodian. Curio is your electronic service provider (ESP) under PHIPA s. 10(4) and acts as your agent under PHIPA s. 17. Similar designations apply under Alberta's Health Information Act (HIA) and BC's Personal Information Protection Act (PIPA).

What this means in practice: you remain responsible for your compliance obligations. Curio handles the encryption and audit trail. You handle everything else.

Your obligations include:

  • Obtaining informed consent from clients before communicating with them by email
  • Maintaining your own record keeping and clinical documentation practices
  • Ensuring your Google Workspace security configuration meets regulatory requirements
  • Responding to client access requests under applicable privacy law
  • Reporting privacy breaches that occur outside of Curio's service
  • Maintaining your professional registration with your provincial college (CRPO, CAP, CHCPBC, or equivalent)

We built Curio to handle the technical layer of email encryption. We can't handle the practice layer. That's yours.


4. ESP agreement

These Terms govern your general use of the service. A separate Electronic Service Provider (ESP) agreement governs how Curio processes personal health information on your behalf.

Together, these Terms and the ESP agreement form the complete agreement between you and Curio. If there's a conflict between them on matters of personal health information handling, the ESP agreement controls.

If you're a Curio customer and haven't signed an ESP agreement, contact us at legal@curio.health. Under PHIPA, an ESP agreement is required before we process personal health information on your behalf.


5. Acceptable use

Curio is built for therapist-to-client communication. Use it for that purpose.

You agree not to use Curio for:

  • Bulk or marketing email. Curio is not an email marketing tool.
  • Sending content that violates applicable law, including content that infringes intellectual property rights.
  • Transmitting malware, viruses, or other harmful code.
  • Attempting to access other users' accounts, data, or audit trails.
  • Reverse engineering, decompiling, or otherwise attempting to extract the source code of the service.
  • Any purpose unrelated to your professional practice as a therapist or healthcare provider.

If we determine that you're violating these terms, we may suspend or terminate your account. We'll give you notice when possible, but reserve the right to act immediately if the violation poses a security risk to other users.


6. Payment terms

Pricing

Curio costs $15 per user per month, billed monthly through Stripe.

Billing

Your subscription renews automatically each month. You'll be charged on the same date each month (or the last day of the month, if your billing date doesn't exist in that month). Stripe processes all payments. See Stripe's terms for details on how payments are processed.

Cancellation

You can cancel your subscription at any time from your account settings. When you cancel:

  • Your access continues until the end of your current billing period.
  • No refund is issued for the remaining days in your current billing period.
  • We don't charge you again after cancellation.

Failed payments

If a payment fails, we'll notify you by email and retry the charge. If payment isn't resolved within 14 days, we may suspend your account. Your data is preserved during suspension (see Section 12 for data handling on termination).

Price changes

We'll give you at least 30 days' written notice before any price change takes effect. If you don't agree to the new price, you can cancel before it applies.


7. Service availability

We make reasonable efforts to keep Curio available, but we don't guarantee a specific uptime percentage. We're a V0 product, and we're being honest about that.

Scheduled maintenance

We'll notify you by email at least 24 hours before planned maintenance that may affect the service.

Things we aren't responsible for

Curio depends on Google Workspace and other third-party infrastructure. We aren't liable for:

  • Google Workspace outages or Gmail service disruptions
  • Recipient email server behavior (whether they support TLS, how they handle portal links)
  • Internet connectivity issues on your end
  • Changes Google makes to their Workspace APIs or services

If the service is unavailable, your emails still go through Gmail normally. They just won't be encrypted through Curio during the outage.


8. Intellectual property

We own the service. Curio, including its software, design, branding, and documentation, is owned by Curio Health Inc. These Terms don't transfer any intellectual property rights to you.

You own your data. Your email content, client information, and the data in your audit trail belong to you. We don't claim any ownership over your data and we won't use it for purposes other than providing the service to you.

We don't use customer data to train AI models. We don't sell customer data. We don't share it with third parties for their marketing purposes. Our privacy policy covers data handling in detail.


9. Limitation of liability

Curio is infrastructure. We provide email encryption and audit logging. We don't provide legal advice, compliance advice, or clinical guidance.

To the maximum extent permitted by applicable law:

(a) Curio is not liable for compliance decisions you make or fail to make. Email encryption is one component of health privacy compliance. Whether your overall practice meets regulatory requirements depends on factors outside our control.

(b) Curio is not liable for the behavior of recipient email servers. We encrypt outbound email using TLS where supported and portal delivery where not. We can't control what happens after delivery.

(c) Curio is not liable for Google Workspace configuration issues. You're responsible for your Google Workspace security settings.

(d) Curio is not liable for regulatory changes. Privacy legislation changes. If a new regulation creates obligations that our service doesn't currently address, that's not a breach of these Terms.

(e) Our total aggregate liability for any claims arising from or related to the service is limited to the amounts you've paid us in the 12 months before the claim arose.

(f) Neither party is liable for indirect, incidental, consequential, special, or punitive damages, including lost profits or lost data, regardless of the theory of liability.

These limitations apply to the fullest extent permitted by law. Some jurisdictions don't allow certain liability exclusions, in which case those exclusions won't apply to you.


10. Disclaimer of warranties

The service is provided "as is" and "as available," to the extent permitted by applicable law.

We don't warrant that:

  • The service will be uninterrupted or error-free
  • The service will meet all of your compliance requirements (compliance depends on your entire practice, not just email encryption)
  • All recipient email servers will support TLS encryption
  • Regulatory bodies will consider the service sufficient for your specific compliance obligations

We do warrant that we'll operate the service with reasonable care and in accordance with the technical specifications described in our documentation.

To the maximum extent permitted by law, we disclaim all other warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, and non-infringement.


11. Indemnification

You agree to indemnify and hold Curio harmless from claims, losses, and expenses (including legal fees) arising from:

  • Your violation of these Terms
  • Your violation of applicable law, including privacy legislation
  • Your use of the service in a manner inconsistent with its intended purpose
  • Any claim by a third party related to your professional practice

We agree to indemnify and hold you harmless from claims, losses, and expenses arising from:

  • Our violation of these Terms
  • Our negligent handling of data within our control
  • A security breach of our infrastructure caused by our failure to maintain reasonable security measures

12. Data handling on termination

When your account is closed (whether you cancel or we terminate), here's what happens:

Account data

Your account information (name, email, Workspace domain, subscription details) is deleted within 30 days of account closure.

Audit trail records

Your audit trail data is retained for a minimum of 6 years after account closure. This is because regulatory requirements (including CRPO Standard 5.6, which recommends 10-year retention for clinical records) may require these records for compliance or legal purposes. After the retention period, records are securely destroyed.

Data export

Before your account closes, you can request an export of your audit trail data in a machine-readable format by emailing legal@curio.health. We'll provide the export within 30 days of your request.

ESP agreement

If you have an ESP agreement with us, its data return and destruction provisions also apply and take precedence over this section where there's a conflict.

For full details on data retention and your rights, see our privacy policy.


13. Suspension and termination

By you

You can cancel your account at any time through your account settings, or by emailing legal@curio.health.

By us

We may suspend or terminate your account if:

  • You violate these Terms or the acceptable use policy
  • Your payment is overdue for more than 14 days
  • We're required to do so by law or regulation
  • Continuing to provide service to you poses a security risk to other users

When possible, we'll give you 30 days' notice before termination and an opportunity to export your data. In cases involving security risks or legal requirements, we may act immediately.


14. Changes to these terms

We may update these Terms from time to time. When we do:

  • We'll notify you by email at least 30 days before changes take effect.
  • The "Last updated" date at the top of this page will change.
  • Continued use of the service after the effective date means you accept the updated Terms.

If you don't agree to the updated Terms, cancel your account before the effective date.


15. Governing law and disputes

These Terms are governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein. Any disputes arising from these Terms or your use of the service will be brought before the courts of the Province of Ontario, and you consent to the jurisdiction of those courts.

Before filing any formal proceeding, both parties agree to attempt to resolve disputes informally by contacting each other in writing. If informal resolution fails after 30 days, either party may pursue formal legal remedies.


16. General provisions

Entire agreement. These Terms, together with your ESP agreement and our privacy policy, form the entire agreement between you and Curio regarding the service.

Severability. If any provision of these Terms is found unenforceable, the remaining provisions continue in full force.

Assignment. You may not assign your rights under these Terms without our written consent. We may assign our rights in connection with a merger, acquisition, or sale of assets, provided the assignee agrees to honor these Terms.

Waiver. Our failure to enforce any provision of these Terms isn't a waiver of that provision.

Force majeure. Neither party is liable for delays or failures caused by events beyond reasonable control, including natural disasters, government actions, internet disruptions, or pandemics.

Notices. We'll send notices to the email address associated with your account. You can send notices to legal@curio.health.


17. Contact

For questions about these Terms:

Email: legal@curio.health

For privacy-related questions:

Email: legal@curio.health

Curio Health
Ontario, Canada