Privacy Policy
Cure Link Ltd
UK GDPR Compliant Privacy Notice for Users and Healthcare Professionals
Version: 1.0
Date: 17 February 2026
Reference: CL-PP-001
1. Introduction
Cure Link Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our clinical trial matching platform at www.cure-link.uk (the "Platform").
This policy applies to: (a) individuals seeking clinical trial participation; (b) healthcare professionals referring patients; and (c) visitors to our website.
We act as both a Data Controller and a Data Processor under UK GDPR, depending on our relationship with you and our partner organisations. This document explains both roles.
2. Who We Are
Cure Link Ltd is registered in England and Wales.
For data protection matters, you can contact us at: privacy@cure-link.uk
Data Protection Officer (DPO): Chloe Lok Yee Vong Abrunhosa de Carvalho
Because we process special category health data (Article 9 UK GDPR), appointment of a DPO is mandatory under Article 37(1)(c). Our DPO details must be registered with the ICO.
3. What Personal Data We Collect
3.1 Individual Users (Patients / Public)
We may collect the following categories of data:
- Identity data: full name, date of birth, gender
- Contact data: email address, telephone number, postal address
- Health data (special category): medical condition(s), diagnosis history, current medications, medical history relevant to clinical trial eligibility
- Eligibility data: responses to screening questionnaires
- Usage data: how you interact with our Platform, pages visited, search terms used
- Communications: records of correspondence with us
3.2 Healthcare Professionals
We may collect the following categories of data:
- Identity and professional data: name, GMC/NMC registration number, employer, speciality
- Contact data: professional email address, telephone
- Patient referral data: anonymised or pseudonymised patient information provided for matching purposes
- Usage data: Platform interaction data
3.3 Data We Do Not Collect
We do not knowingly collect data from individuals under 18 years of age without explicit verifiable parental consent. We do not collect financial payment data directly.
4. How We Use Your Personal Data
4.1 Lawful Bases for Processing (UK GDPR Article 6)
We rely on the following lawful bases to process your personal data:
- Consent (Article 6(1)(a)): Where you have given clear, informed consent
- Contract (Article 6(1)(b)): To perform our services to you
- Legal obligation (Article 6(1)(c)): To comply with regulatory requirements
- Legitimate interests (Article 6(1)(f)): Platform improvement, fraud prevention
4.2 Lawful Bases for Special Category Health Data (UK GDPR Article 9)
Health data requires an additional condition under Article 9. We rely on:
- Explicit consent (Article 9(2)(a)): Freely given, specific, informed and unambiguous consent obtained before processing health data
- Substantial public interest (Article 9(2)(g)): As clinical trial matching serves a significant public health purpose, subject to appropriate safeguards under Schedule 1 DPA 2018
- Medical purposes (Article 9(2)(h)): Where processing is for the provision of health or social care
You may withdraw consent to health data processing at any time. Withdrawal does not affect the lawfulness of prior processing.
4.3 Purposes of Processing
We process your data for the following purposes:
- Matching you to relevant clinical trials based on your eligibility criteria
- Communicating trial opportunities and updates
- Sharing relevant data with trial sponsors and clinical research organisations (with your consent)
- Improving our matching algorithms and Platform functionality
- Complying with regulatory and legal obligations (including MHRA requirements)
- Preventing fraud and ensuring Platform security
5. Our Role: Controller and Processor
5.1 When We Are a Data Controller
We are the Data Controller when we determine how and why your personal data is processed on our Platform — for example, when we collect your health questionnaire responses and make matching decisions.
5.2 When We Are a Data Processor
We act as a Data Processor when we process personal data on behalf of trial sponsors or clinical research organisations (our clients). In these cases, our processing is governed by a Data Processing Agreement (DPA) with the relevant controller.
6. Sharing Your Personal Data
We may share your data with the following categories of recipients:
- Clinical trial sponsors and CROs: With your explicit consent, to assess your eligibility for specific trials
- Technology providers: Cloud infrastructure, analytics, and communication tools (all subject to DPAs)
- Regulatory bodies: MHRA, ICO, or other authorities where legally required
- Professional advisors: Legal, compliance, and audit professionals under confidentiality obligations
We do not sell your personal data to third parties.
7. International Data Transfers
Some of our third-party partners may process data outside the UK. Where transfers occur, we ensure appropriate safeguards are in place, including:
- UK Adequacy Regulations (transfers to adequacy-approved countries)
- UK International Data Transfer Agreements (IDTAs) or addenda to EU Standard Contractual Clauses
- Binding Corporate Rules where applicable
8. Data Retention
We retain personal data only as long as necessary for the purposes set out in this policy. For full details, please refer to our Data Retention Policy (CL-DRP-001).
- User account data: Duration of account plus 2 years
- Health and eligibility data: Duration of active matching plus 3 years
- Communications records: 6 years
- Audit logs: 7 years (legal obligation)
9. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access (Article 15): Request a copy of your data
- Right to rectification (Article 16): Correct inaccurate data
- Right to erasure (Article 17): Request deletion ("right to be forgotten")
- Right to restrict processing (Article 18): Limit how we use your data
- Right to data portability (Article 20): Receive your data in a portable format
- Right to object (Article 21): Object to processing based on legitimate interests
- Rights related to automated decision-making (Article 22): Not be subject to solely automated decisions with significant effects
- Right to withdraw consent: At any time, where processing is based on consent
To exercise any of these rights, contact us at privacy@cure-link.uk. We will respond within one calendar month.
10. Cookies
We use cookies and similar technologies on our Platform. Please refer to our Cookie Policy (CL-CP-001) for full details.
11. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions
- Regular security assessments and penetration testing
- Staff training on data protection
- Incident response and breach notification procedures
12. Changes to This Policy
We may update this Privacy Policy from time to time. The current version will always be available at www.cure-link.uk. We will notify you of material changes by email or prominent notice on the Platform.
13. How to Complain
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). Website: www.ico.org.uk, Telephone: 0303 123 1113.
We would, however, appreciate the opportunity to address your concerns before you contact the ICO. Please contact us first at privacy@cure-link.uk.
