EU GDPR and UK GDPR Compliance
Effective Date: [2 January 2025]
This comprehensive privacy policy outlines how Cure & Travel by Horizonius Ltd processes your personal data in compliance with both the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR). We have structured this policy to ensure transparency regarding our data processing activities and to inform you of your rights under current data protection legislation.
1. Scope of this Policy
This policy applies to all personal data we process, whether collected online, in person, or through other means, from individuals within the United Kingdom (UK) and the European Economic Area (EEA).
2. Data Controller Information
For the purposes of UK GDPR and EU GDPR, Cure & Travel by Horizonius Ltd is the data controller responsible for the collection and processing of your personal data.
If you have questions about this policy or your data, contact us:
Cure & Travel by Horizonius Ltd
124 City Road, EC1V 2NX, London, United Kingdom
Email: privacy@cureandtravel.com
Phone: +4479600331881
2.1 Data Protection Officer
Our designated Data Protection Officer can be contacted at dpo@cureandtravel.com for any data protection enquiries or concerns.
2.2 EU Representative
For EU residents, our designated EU representative can be contacted at eurepresentative@cureandtravel.com as required under Article 27 of the EU GDPR.
3. What Data We Collect
We may collect and process the following categories of personal data:
3.1 Categories of Personal Data
- Identity Data: Name, date of birth, gender, and identification documents.
- Contact Data: Address, email, phone number.
- Health Data: Relevant medical records if you are using our health services (with explicit consent).
- Payment Data: Billing details and transaction history.
- Technical Data: IP address, browser type, and device information.
- Communication Data: Correspondence between you and us.
- Travel Data: Passport information, travel itinerary, and accommodation details if you book travel-related services.
3.2 Sources of Personal Data
Where we obtain personal data from sources other than directly from you, these sources may include:
- Partner healthcare providers
- Travel agencies or booking platforms when you book through them
- Public databases where permitted by law
- Insurance providers when you make a claim related to our services
4. How We Use Your Data
We process your personal data based on lawful grounds under UK GDPR and EU GDPR, including:
- Consent: When you provide explicit consent for specific purposes (e.g., processing medical data).
- Contract: To fulfil contractual obligations (e.g., providing health tourism services).
- Legal Obligation: To comply with legal and regulatory requirements.
- Legitimate Interests: To improve our services and ensure security (without overriding your rights).
4.1 Purposes of Processing
We process your data for the following specific purposes:
- To provide healthcare coordination and travel services
- To process payments and manage accounts
- To communicate with you about your bookings and services
- To verify your identity and eligibility for medical services
- To improve our services through analysis of user data
- To comply with legal and regulatory obligations
4.2 Lawful Basis for Processing
For each category of personal data, we rely on the following lawful bases:
- For identity and contact data: Contract, Legal obligation, Legitimate interest
- For health data: Explicit consent, Provision of healthcare
- For payment data: Contract, Legal obligation
- For technical data: Legitimate interest, Consent (for cookies)
- For communication data: Contract, Legitimate interest
- For travel data: Contract, Legal obligation
5. Data Sharing and International Transfers
5.1 Data Sharing
We may share your personal data with trusted third parties, including:
- Healthcare Providers: Clinics, doctors, and medical professionals directly involved in your treatment to ensure proper care coordination.
- Travel Providers: Airlines, accommodation providers, and other travel-related entities for booking and arranging your travel needs.
- Service Providers: Third-party entities such as payment processors, IT support companies, or other service providers who assist us in delivering our services. These entities operate under strict confidentiality agreements.
- Legal Authorities: Government bodies, regulatory authorities, or courts when required by law or a valid court order.
All third-party processors are contractually obligated to adhere to the UK GDPR and EU GDPR standards and maintain the confidentiality and security of your personal data. We ensure that any data shared is limited to what is strictly necessary for the intended purpose.
5.2 International Data Transfers
If your personal data needs to be transferred outside the UK or EU—for example, to coordinate with international healthcare providers—we ensure that such transfers are conducted in full compliance with both UK GDPR and EU GDPR standards. Specifically, we take the following steps to safeguard your data:
- Appropriate Safeguards: We implement robust safeguards, such as Standard Contractual Clauses (SCCs) or similar mechanisms, to ensure your data is protected during international transfers.
- Legal Compliance: All data transfers are carried out in accordance with UK GDPR, EU GDPR, and other applicable legal frameworks to ensure the security and privacy of your information.
- Transparency: Where necessary, we will inform you about such transfers and provide details regarding the measures in place to protect your data.
6. Your Data Protection Rights
Under both UK GDPR and EU GDPR, you have the following rights:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data (under certain conditions).
- Restriction: Limit the processing of your data.
- Objection: Object to processing, including direct marketing.
- Data Portability: Request the transfer of your data to another service.
- Withdraw Consent: Where we rely on consent, you can withdraw it at any time.
To exercise these rights, contact us at privacy@cureandtravel.com. We will respond to all legitimate requests within one month, as required by law.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy or as required by law. Once your data is no longer needed, we will securely delete or anonymise it in accordance with our data retention procedures.
7.1 Retention Periods
Specific retention periods include:
- Medical records: Retained in accordance with medical records retention requirements (typically 8-10 years after last treatment)
- Financial records: Retained for 7 years as required by tax legislation
- Communication records: Retained for 2 years after your last interaction with us
- Marketing preferences: Retained until you withdraw consent or opt out
8. Data Security Measures
We are committed to ensuring the security of your personal data. To protect it from unauthorized access, disclosure, alteration, or destruction, we implement robust technical and organisational measures. These measures include, but are not limited to:
- Data Encryption: We use advanced encryption technologies to safeguard sensitive data both during transmission and storage, ensuring that your information is protected at all stages of processing.
- Regular Security Assessments: We conduct regular security audits, vulnerability assessments, and penetration testing to identify and address potential risks to your data.
- Access Controls: We enforce strict access controls within our organisation, ensuring that only authorised personnel with a legitimate need to access your personal data are permitted to do so. All access is logged and monitored for accountability.
- Data Anonymisation and Pseudonymisation: Where appropriate, we apply anonymisation or pseudonymisation techniques to your data, reducing the risks associated with potential data breaches.
- Secure Systems and Networks: We maintain secure IT systems, firewalls, and anti-malware software to protect your personal data from cyber threats.
- Employee Training: Our team members receive regular training on data protection best practices and security protocols to ensure they understand their responsibilities in safeguarding your personal data.
8.1 Breach Response
In the unlikely event of a suspected data breach involving your personal information:
- Notification to Affected Individuals: We will promptly notify affected individuals if there is a high risk of harm resulting from the breach.
- Reporting to Authorities: Significant breaches will be reported to the Information Commissioner’s Office (ICO) in the UK and the relevant supervisory authority in the EU within 72 hours, as required by law.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your browsing experience and collect data on website usage. These include:
- Essential Cookies: Required for the website to function properly
- Analytical Cookies: To understand how visitors interact with our website
- Functional Cookies: To remember your preferences and settings
- Marketing Cookies: To deliver relevant advertisements and content
You can manage your cookie preferences through our cookie consent management tool available on our website. You have the right to refuse non-essential cookies, though this might affect some website functionality.
For more detailed information about the specific cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy available at www.cureandtravel.com/cookie-policy.
10. Statutory or Contractual Requirements
In some instances, providing certain personal data is a statutory or contractual requirement:
- For medical services, providing accurate health information is necessary for appropriate treatment
- For travel arrangements, passport and identification information is legally required
- For payment processing, financial information is contractually necessary
Failure to provide required information may result in our inability to provide the requested services or fulfil contractual obligations.
11. Automated Decision-Making and Profiling
We do not make decisions solely based on automated processing, including profiling, that produce legal effects or similarly significantly affect data subjects. Where limited profiling activities are conducted (such as for service personalisation), appropriate safeguards are in place to protect your rights and interests.
12. Contact and Complaints
If you have concerns about our data practices, please contact us:
Cure & Travel by Horizonius Ltd
124 City Road, EC1V 2NX, London, United Kingdom
Email: privacy@cureandtravel.com
Phone: +4479600331881
If you are unsatisfied with our response, you have the right to lodge a complaint:
- UK Residents: Contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.
- EU Residents: Contact your national Data Protection Authority (DPA).
13. Updates to This Policy
This Privacy Policy may be updated periodically to reflect changes in regulations, business practices, or our services. Any updates will be:
- Posted on Our Website: The revised policy will be available on our website with a clearly indicated effective date.
- Communicated Transparently: Users are encouraged to review this page regularly to stay informed of any changes. The date of the last modification will always be listed at the bottom of the policy.
We reserve the right to make these updates without prior notice, ensuring that the policy remains accurate and compliant with applicable data protection laws.
Last Updated: [2 January 2025].
