Summary: Curasix is a Software-as-a-Service (SaaS) clinic management platform. We collect data to operate our service, we never sell your data, and we comply fully with Malaysia's Personal Data Protection Act 2010 (PDPA). Clinics that use Curasix remain the data controllers for their patients' personal data.
1. Overview
Curasix ("we", "us", or "our") is a product of Eviqex Sdn. Bhd., a company incorporated in Malaysia. We operate the Curasix clinic management platform available at curasix.com and associated subdomains.
This Privacy Policy describes how we collect, use, disclose, and protect personal data when you:
- Visit our marketing website (curasix.com)
- Sign up for or use the Curasix clinic management system
- Contact our sales or support team
- Interact with us via email, phone, or social media
By using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our services.
2. Data We Collect
2.1 Account & Contact Information
When you register for Curasix or contact us, we may collect:
- Full name, email address, and phone number
- Clinic name, address, and business registration number
- Number of doctors and staff
- Billing and payment details (processed securely via our payment provider)
- Login credentials (passwords are stored hashed and salted)
2.2 Usage & Technical Data
When you access our platform, we automatically collect:
- IP address and browser type
- Pages visited and features used
- Session duration and click-through data
- Device type and operating system
- Error logs and performance metrics
2.3 Data You Input into the System
As a clinic management platform, your clinic's staff will input data into the system during normal operations, including patient records, consultation notes, prescriptions, billing information, and appointment schedules. This data is covered under Section 4 (Patient Data & PDPA) below.
2.4 Contact Form Submissions
If you submit our contact or demo request form, we collect the information you provide, including your name, clinic name, email, and message.
3. How We Use Your Data
We use the data we collect for the following purposes:
3.1 Service Delivery
- To create and manage your Curasix account
- To provide, maintain, and improve the clinic management platform
- To process payments and issue invoices
- To deliver customer support and respond to enquiries
3.2 Communications
- To send transactional notifications (billing receipts, system alerts)
- To respond to your demo or sales enquiries
- To send product updates, newsletters, and promotional materials — you may opt out at any time
3.3 Security & Compliance
- To detect, investigate, and prevent fraud or security incidents
- To comply with legal obligations under Malaysian law
- To enforce our Terms of Service
3.4 Analytics & Improvements
- To analyse usage patterns and improve platform features
- To conduct internal research and development
- To generate aggregate, anonymised statistics
4. Patient Data & PDPA Compliance
Important: Your clinic is the data controller for all patient personal data entered into Curasix. Curasix acts as a data processor on your behalf. Your clinic bears responsibility for ensuring patients are informed of data collection and for obtaining appropriate consent under the PDPA 2010.
Curasix is designed to assist clinics in complying with Malaysia's Personal Data Protection Act 2010 (PDPA). As a data processor, we commit to:
- Processing patient data only on the documented instructions of the clinic (data controller)
- Implementing appropriate technical and organisational security measures to protect patient data
- Not disclosing patient data to any third party without the clinic's written authorisation, except where required by law
- Assisting the clinic in responding to data subject access requests
- Notifying the clinic promptly of any data breach that may affect patient personal data
- Deleting or returning patient data upon termination of the subscription, as instructed by the clinic
4.1 Sensitive Health Data
Patient health records stored in Curasix constitute sensitive personal data under the PDPA. Such data receives the highest level of protection in our systems, including:
- Encryption at rest and in transit (TLS 1.2+)
- Role-based access controls — only authorised clinic staff may access patient records
- Audit trails for all data access and modifications
- Automated backups with multi-region redundancy
5. Data Sharing
We do not sell, rent, or trade your personal data to any third party.
We may share data only in the following limited circumstances:
5.1 Service Providers
We engage trusted third-party service providers who process data on our behalf under strict data processing agreements, including:
- Cloud infrastructure: Amazon Web Services (AWS) — servers located in the Asia Pacific region
- Email delivery: Microsoft 365 (for transactional and contact form emails)
- Analytics: Google Analytics 4 (anonymised website usage data only)
- Payment processing: Our PCI-DSS compliant payment gateway provider
5.2 Legal Requirements
We may disclose data if required to do so by law, court order, or government authority, or to protect the rights, property, or safety of Curasix, our users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. You will be notified via email and/or a prominent notice on our website prior to any such transfer.
6. Data Security
We take the security of your data seriously and implement industry-standard measures, including:
- Encryption: All data transmitted between your browser and our servers is encrypted using TLS. Data at rest is encrypted using AES-256.
- Access control: Role-based permissions ensure staff can only access data relevant to their role.
- Infrastructure security: We host on AWS with security groups, firewalls, and intrusion detection.
- Regular audits: We conduct periodic security reviews and penetration testing.
- Incident response: We have a documented incident response plan and will notify affected users of any breach within 72 hours of discovery.
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
7. Cookies
Our marketing website (curasix.com) uses cookies and similar tracking technologies.
7.1 Types of Cookies We Use
- Essential cookies: Required for the website to function. Cannot be disabled.
- Analytics cookies: Google Analytics 4 tracks anonymous usage data to help us improve the website.
- Marketing cookies: Google Ads tracking to measure campaign performance.
- Security cookies: Google reCAPTCHA v3 on our contact form to prevent spam.
You may control cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our website.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy:
- Account data: Retained for the duration of your subscription plus 12 months after termination, unless you request earlier deletion.
- Patient data: Retained as directed by the clinic (data controller). Upon subscription termination, we will securely delete or return patient data within 90 days.
- Contact form submissions: Retained for up to 24 months for follow-up purposes.
- Usage logs: Retained for up to 12 months for security and analytical purposes.
- Financial records: Retained for 7 years as required by Malaysian tax and accounting regulations.
9. Your Rights
Under Malaysia's Personal Data Protection Act 2010 (PDPA) and applicable data protection laws, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right of correction: Request correction of inaccurate or incomplete personal data.
- Right to withdraw consent: Withdraw consent for processing activities based on consent, without affecting the lawfulness of prior processing.
- Right to prevent processing: Request that we stop processing your data for direct marketing purposes.
- Right to data portability: Receive your data in a structured, machine-readable format.
To exercise any of the above rights, please contact our Data Protection Officer at privacy@curasix.com or write to us at the address in Section 12. We will respond within 21 days of receiving your request.
10. Children's Privacy
Curasix is a B2B platform intended for use by clinic operators and healthcare professionals. It is not directed at individuals under the age of 18. We do not knowingly collect personal data directly from children. Patient records for minors are managed by clinics under their own PDPA obligations as data controllers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by:
- Posting the updated policy on this page with a revised "Last updated" date
- Sending an email notification to registered account holders
- Displaying a prominent notice on the Curasix dashboard
Your continued use of Curasix after such changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
You also have the right to lodge a complaint with the Personal Data Protection Department of Malaysia (JPDP) if you believe your data rights have been infringed.