Privacy Policy,
POPIA & PAIA Manual

Cura is a mental wellness platform operated by Cura (Pty) Ltd, a company registered in the Republic of South Africa. We provide individuals and organisations with digital tools, an AI wellness companion (Vana), structured wellness programmes, and access to vetted human counsellors.

Cura (Pty) Ltd is the Responsible Party as defined under the Protection of Personal Information Act 4 of 2013 (POPIA). This means we determine the purpose and means of processing your personal information.

Information you provide directly

• Name and email address when you register
• Password (stored in encrypted form — we never see it in plain text)
• Daily mood check-in responses (1–10 scale, stress source, sleep quality, energy level)
• Responses to wellness assessments (WHO-5, PSS-10, MBI-GS)
• Journal entries you choose to write within the app
• Messages exchanged with Vana, our AI companion
• Preferences you set (Faith Mode, notification times, space selections)
• Contact form submissions on our website

Information collected automatically

• App usage patterns (which Spaces you visit, features you use, session duration)
• Device type, operating system, and app version
• Engagement metrics (check-in streaks, programme completion rates)
• IP address and general location (country/province level only)

Information from employers (if you use Cura through an employer account)

• Your employer may provide your name and work email address to enable access
• No individual wellness data is ever shared back with your employer — only anonymised aggregate trends where your cohort has a minimum of 8 people

We collect personal information only for the following lawful purposes:

• To create and manage your Cura account
• To provide and personalise our wellness services, including Vana's responses
• To deliver iCBT programmes and track your progress
• To generate your personalised wellness dashboard and trend insights
• To detect crisis signals and trigger appropriate support responses
• To facilitate connections with human counsellors when requested
• To send transactional notifications (check-in reminders, programme milestones)
• To comply with our legal obligations under South African law
• To improve our services through anonymised, aggregated analytics

Under POPIA Section 26, health information — including mental health data — is classified as special personal information and receives the highest level of legal protection. Your mood scores, assessment results, journal entries, and Vana conversations all fall into this category.

We process your mental health data only on the basis of your explicit, informed consent, which you provide when you create your account. You may withdraw this consent at any time by deleting your account.

What your mental health data is NEVER used for

• Disciplinary proceedings or employment decisions
• Retrenchment or restructuring processes
• Insurance underwriting or premium calculations
• Any decision that negatively affects your employment or legal status
• Marketing or advertising targeting
• Sale to any third party

Employer data separation — architecturally enforced

If you access Cura through an employer account, your individual mental health data is architecturally separated from any employer-facing dashboard. This is not just a policy — it is enforced in code. Your employer can never see your individual check-in scores, assessment results, stress source selections, journal entries, or Vana conversations. Ever.

AI processing (Vana)

Your conversations with Vana and your check-in data are processed by Claude (Anthropic's AI model) to generate contextually appropriate, clinically-structured responses. Anthropic processes this data on our behalf as an operator and does not use your conversations to train their models without explicit consent.

Cryptographic timestamping

Your wellness data entries are cryptographically timestamped using OpenTimestamps (referred to as "Chain Anchor" in the app). This creates a tamper-evident, verifiable record of your wellness trajectory over time. This serves to protect you — it means your data cannot be altered retroactively, and you can produce a verified Cognitive State Record for legal proceedings if you ever need to demonstrate the state of your mental health at a particular point in time.

Aggregated analytics

We use anonymised, aggregated data to understand how our services are used, identify areas for improvement, and conduct research. No individual can be identified from this data.

We share your personal information only in the following circumstances:

Service providers (operators)

• Supabase — database and authentication infrastructure
• AWS (Cape Town region, af-south-1) — cloud infrastructure, chosen specifically for POPIA data residency compliance
• Anthropic — AI processing for Vana conversations
• Brevo — transactional email delivery
• Expo — push notification delivery

All service providers are contractually bound to process your data only on our instructions and in accordance with applicable data protection law.

Counsellors

If you choose to connect with a human counsellor through Cura, we share only the information necessary to facilitate that session. You control what context is shared.

Legal requirements

We may disclose personal information if required to do so by law, court order, or to protect the rights, property, or safety of Cura, our users, or the public. We will notify you of any such disclosure where legally permitted to do so.

Cognitive State Record

A verified forensic export of your wellness data (Cognitive State Record) is produced only under two conditions: (1) your explicit written consent, or (2) a valid court order. No exceptions.

All personal data belonging to South African users is stored within the Republic of South Africa, on AWS infrastructure in the Cape Town region (af-south-1). This has been deliberately chosen to ensure compliance with POPIA's data residency requirements.

Where data is processed outside South Africa (for example, by Anthropic for AI processing), we ensure that appropriate safeguards are in place, including data processing agreements that impose obligations equivalent to POPIA.

• Active account data — retained for as long as your account is active
• Individual wellness data — retained for 24 months from the date of collection, then permanently anonymised
• Chain Anchor cryptographic proofs — retained indefinitely (these are cryptographic hashes, not personal data)
• Account information after deletion — deleted within 30 days of account closure, except where retention is required by law
• Contact form submissions — retained for 12 months

When you delete your account, all personally identifiable information is permanently deleted from our systems within 30 days. Anonymised, non-identifiable data derived from your usage may be retained for research and improvement purposes.

As a data subject under POPIA, you have the following rights. You can exercise any of these by contacting us at privacy@hellocura.co.za.

Right to access

You have the right to request a copy of all personal information we hold about you. We will respond within 30 days.

Right to correction

You have the right to request that we correct any inaccurate or incomplete personal information we hold about you.

Right to deletion

You have the right to request that we delete your personal information. You can do this at any time by deleting your account within the app, or by contacting us directly.

Right to object

You have the right to object to the processing of your personal information on grounds relating to your particular situation.

Right to withdraw consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint

If you believe we have violated your rights under POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa.

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These include:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Row-level security on our database, ensuring users can only access their own data
• Cryptographic timestamping of wellness data entries via OpenTimestamps
• Strict access controls — only authorised personnel can access personal data, and only when necessary
• Regular security reviews and dependency updates

No system is completely secure. If you believe your account has been compromised, please contact us immediately at privacy@hellocura.co.za.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Regulator within the timeframes required by POPIA.

Our marketing website (hellocura.co.za) does not use advertising cookies or third-party tracking pixels. We do not run advertising campaigns that track you across the internet.

The Cura mobile app does not use cookies. App session data is managed through secure authentication tokens stored locally on your device.

We may use basic analytics to understand how our website is used (page visits, referral sources). This data is anonymised and aggregated.

Cura is intended for users aged 18 and older. We do not knowingly collect personal information from children under 18 without verifiable parental consent.

Our HomeSpace includes resources designed to be used by parents with children (such as KiddieSpace resources). These resources are directed at the parent, not at the child, and do not require children to create accounts or submit personal information.

If you believe we have inadvertently collected information from a child under 18, please contact us immediately and we will delete it.

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, where the changes are material, notify you via email or an in-app notification.

Your continued use of Cura after changes are posted constitutes your acceptance of the updated policy. If you do not agree with the changes, you may close your account.

This section constitutes the manual required under Section 51 of the Promotion of Access to Information Act 2 of 2000 (PAIA).

14.1 Introduction

PAIA gives every person the right to access records held by private bodies. Cura (Pty) Ltd is committed to transparency and to facilitating reasonable access requests in accordance with PAIA.

14.2 Records available without a formal request

The following records are automatically available on our website without the need to submit a formal PAIA request:

• This Privacy Policy and PAIA Manual
• Our Terms of Use
• POPIA compliance information
• Crisis resources and contact information

14.3 Records that may be requested

Subject to the grounds for refusal set out in PAIA, the following categories of records may be requested:

• Your own personal information held by Cura
• Records relating to your account, wellness data, and usage history
• Records of communications between you and Cura

14.4 Grounds for refusal

Cura may refuse access to records on the following grounds as permitted by PAIA:

• Records containing personal information of a third party, where that party has not consented
• Records that would prejudice commercial interests or confidential business information
• Records protected by legal privilege
• Records that could endanger the safety of a person
• Records that are not reasonably accessible or do not exist

14.5 How to submit a PAIA request

To request access to records, you must submit a written request to our Information Officer. Your request must include:

1. Your full name and contact details
2. A description of the records you are requesting
3. The form in which you require access (electronic copy, printed copy, etc.)
4. Proof of identity (South African ID or passport)
5. If requesting records on behalf of another person, proof of authority to do so

14.6 Fees

Cura does not charge a request fee for access to your own personal information. For other records, fees may apply as prescribed under PAIA regulations. We will notify you of any applicable fees before processing your request.

14.7 Response timeframes

We will respond to your PAIA request within 30 days of receipt. In exceptional circumstances, this may be extended by a further 30 days, and you will be notified of any extension.

14.8 Appeals and complaints

If your request is refused, you will receive written reasons for the refusal and information about your right to appeal. You may appeal by applying to a court or lodge a complaint with the Information Regulator.

For any privacy-related queries, access requests, complaints, or to exercise your rights under POPIA or PAIA, contact our Information Officer:

For crisis support, please contact SADAG at 0800 456 789, available 24 hours.