Privacy Policy

When you join the waitlist we store: your email address, an optional preferred handle, the referrer URL your browser reports, your browser’s user-agent string, and the timestamp you joined.

When our landing page is loaded, standard HTTP request data (IP address, request path) is processed by our hosting provider (Vercel) for rate-limiting and abuse prevention. We do not store IP addresses in our own database.

• Email — so we can tell you when Cureo opens.
• Preferred handle — to help us gauge demand and reserve names in order.
• Referrer + user-agent — aggregate product analytics (where people came from, what browsers they use). Not used to identify you.
• IP address — transient rate-limiting only, never stored by us.

We do not sell your data. We do not share it with advertising networks. The only parties that see it are:

• Supabase — our database and auth provider. Your waitlist entry is stored on Supabase infrastructure.
• Vercel — our hosting provider. Handles incoming requests.
• Resend / Postmark (or a similar transactional email provider) — when we email you about launch, they handle the send.

Each of these providers is a processor acting on our behalf and is contractually required to protect your data.

Cureo uses a single cookie-style value: a consent record stored in localStorageto remember whether you’ve accepted or dismissed the cookie banner. That’s it. We do not set tracking cookies, analytics cookies, or advertising cookies on the waitlist landing.

Waitlist entries are kept until Cureo opens to the public and for a reasonable follow-up period (up to 12 months after launch) so we can onboard you. After that, inactive entries are deleted. You can request deletion at any time.

You can, at any time, ask us to:

• Tell you what data we hold about you.
• Correct or update that data.
• Delete your entry entirely.
• Stop emailing you about the launch.

Email hello@cureo.design from the address you signed up with and we’ll action it within 30 days, per GDPR.

Your waitlist row is stored in a database with row-level security enabled — only the server-side service role can read it, and that key never leaves our backend. We use HTTPS everywhere. If we ever suffer a data breach that affects you, we’ll notify you within 72 hours as required by GDPR.

Cureo is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a child has joined the waitlist, email us and we’ll remove them immediately.

If we change this policy materially, we’ll update the “Last updated” date at the top and, if you’re on the waitlist, email you about it before any meaningful change takes effect.