Privacy Policy
Last updated: 2026-04-28
Introduction
This Privacy Policy explains how [YOUR LEGAL ENTITY NAME, LDA] ("CuraLink", "we", "us") collects, uses, and protects your personal data when you use our platform at https://cura.pt. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and Portuguese data protection law.
Data Controller: [YOUR LEGAL ENTITY NAME, LDA], [RUA, Nº, ANDAR], [0000-000] Lisboa, Portugal. Contact: privacy@cura.pt
Data we collect
- Account information: name, email address, password (stored as a one-way hash)
- Billing information: name, address, company name, VAT number (if provided)
- Order information: products selected, quantities, amounts paid, recipient institution
- Payment data: processed exclusively by Stripe — we never see or store card numbers
- Technical data: IP address, browser type, session identifiers
How we use your data
- To process your donation and arrange delivery to the chosen institution
- To manage your account and provide customer support
- To send order confirmations and transactional emails
- To comply with legal and tax obligations
- To detect and prevent fraud
Legal basis: performance of contract (Art. 6(1)(b) GDPR), compliance with legal obligations (Art. 6(1)(c) GDPR), and legitimate interests (Art. 6(1)(f) GDPR).
Third parties
Stripe
Payment processing is handled by Stripe, Inc. When you make a donation, your payment data is transmitted directly to Stripe and governed by its Privacy Policy (stripe.com/privacy). Stripe is PCI DSS Level 1 certified. We receive only a payment confirmation and the last four digits of the card used.
Hosting & infrastructure
Our platform infrastructure is operated by Vercel, Inc. and Supabase, Inc., both acting as data processors under appropriate data processing agreements and subject to GDPR-compliant safeguards.
Your rights
Under GDPR you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
To exercise any of these rights, contact us at privacy@cura.pt. We will respond within 30 days. You may also lodge a complaint with the Portuguese data protection authority (CNPD — cnpd.pt).
Data retention
Account data is retained for as long as your account is active. Order data is retained for 10 years to comply with Portuguese tax and accounting law. You may request account deletion at any time; personal data will be anonymised within 30 days except where retention is legally required.
Security
We apply appropriate technical and organisational safeguards, including TLS encryption in transit, one-way password hashing, and strict access controls. Payment data is never stored on our systems and is handled exclusively by Stripe.
Contact
For privacy-related questions or to exercise your rights, contact us at privacy@cura.pt or write to [YOUR LEGAL ENTITY NAME, LDA], [RUA, Nº, ANDAR], [0000-000] Lisboa, Portugal. You have the right to lodge a complaint with the CNPD (cnpd.pt).