CurioCurio
Back to Home

Privacy Policy

Effective Date: May 27, 2026

1. Overview

Curio ("we," "us," "our") is committed to protecting the privacy of our users. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your information. This policy applies to all users of the Curio platform, including Business Users (businesses using our dashboard) and End Users (customers interacting with NFC polls).

2. Information We Collect

2.1 From Business Users (Account Holders)

  • Name and email address (via account registration)
  • Business name, business type, and location information
  • Google Place ID (for review integration)
  • Billing information (processed securely by Stripe; we do not store card details)
  • Team member information (names, emails, roles)

2.2 From End Users (Poll Respondents)

End Users interact with Curio by tapping an NFC device and responding to a poll. No account creation is required. We collect:

  • Poll responses — the answer option selected
  • IP address — used for vote deduplication and approximate geographic segmentation
  • Session identifier — a randomly generated ID stored in a browser cookie to prevent duplicate votes within a session
  • Timestamp — when the interaction occurred
  • User agent / device metadata — browser type and operating system
  • NFC device identifier — which physical device was tapped

We do not collect names, email addresses, phone numbers, or any other directly identifying information from End Users.

2.3 Automatically Collected Information

  • Pages visited and features used within the dashboard
  • Referring URLs
  • Browser type, screen resolution, and operating system

3. How We Use Your Information

  • To operate and maintain the Service
  • To provide analytics and insights to Business Users
  • To process payments and manage subscriptions
  • To prevent fraud and enforce vote deduplication
  • To communicate service updates, security alerts, and support
  • To improve and develop new features
  • To generate Aggregated Data for commercial use (see Section 4)

4. Aggregated & De-Identified Data

We create aggregated, anonymized datasets from poll responses and interaction data. This Aggregated Data does not identify any individual End User and cannot be used to re-identify any person.

We may use Aggregated Data for research, benchmarking, and commercial purposes, including licensing insights to third parties. For example, we may report that "70% of fitness studio customers prefer morning classes" — but we will never share individual responses or link data to specific people.

For full details on our data rights, see Section 5 of our Terms of Service.

5. Cookies & Session Tracking

We use the following cookies:

  • Session cookie — a randomly generated session ID used to prevent duplicate poll votes. This cookie does not contain personal information and is not used for advertising or cross-site tracking.
  • Authentication cookies — set by our authentication provider (Clerk) to manage Business User login sessions.

We do not use advertising cookies, tracking pixels, or share data with ad networks.

6. Data Sharing & Third Parties

We share data with the following categories of third parties:

  • Payment processor (Stripe) — to process subscription billing
  • Authentication provider (Clerk) — to manage user identity and access
  • Infrastructure providers — cloud hosting and database services necessary to operate the Service
  • Aggregated Data recipients — third parties who license anonymized, aggregate market research insights (see Section 4)

We will never sell, rent, or share individual End User data or individual poll responses with third parties.

7. Data Retention

Business User account data is retained for the duration of the active account and for a reasonable period afterward to comply with legal obligations.

End User poll response data (including IP addresses and session IDs) is retained for analytics purposes. IP addresses may be purged or further anonymized after 90 days. Aggregated Data derived from this information is retained indefinitely.

8. Data Security

We implement industry-standard security measures to protect your data, including encrypted data transmission (TLS/SSL), secure database access controls, and regular security audits. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your personal data
  • Object to or restrict certain data processing activities
  • Data portability (receive your data in a structured format)

To exercise any of these rights, contact us through the support channels provided within the Service or on our website. We will respond within 30 days.

Note: Because End User poll responses are collected without accounts or identifying information, we may be unable to locate or associate specific responses with an individual requesting access or deletion.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect and how it is used
  • The right to request deletion of your personal information
  • The right to opt out of the sale of personal information
  • The right to non-discrimination for exercising your CCPA rights

We do not sell personal informationas defined under the CCPA. Our Aggregated Data practices (Section 4) involve only de-identified, non-personal data that cannot reasonably be linked to any individual, and therefore do not constitute a "sale" of personal information under the CCPA.

11. Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Contract performance — to provide the Service to Business Users who have agreed to our Terms
  • Legitimate interests — to operate, improve, and secure the Service; to generate Aggregated Data; and to prevent fraud
  • Consent — End Users implicitly consent to data collection by voluntarily responding to polls; Business Users consent during account creation
  • Legal obligations — to comply with applicable laws and regulations

12. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using the Service, you consent to the transfer of your data to countries that may have different data protection laws than your country of residence.

13. Do Not Track Signals

Our Service does not respond to "Do Not Track" (DNT) browser signals. However, as described in Section 5, we do not engage in cross-site tracking or use advertising cookies.

14. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities as required by applicable law. Notification will be provided via email (for Business Users) or through a prominent notice on the Service.

15. Children's Privacy

The Service is not directed at individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected data from a child under the applicable age threshold, we will take steps to delete it promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the Service at least 30 days before taking effect. The "Effective Date" at the top of this page reflects the most recent revision.

17. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us through the support channels provided within the Service or on our website.

Terms of ServiceHome