Privacy Policy

Last updated: May 19, 2026

This Privacy Policy explains how Curo Coach (trading as Curo Recruitment Intelligence), based in Suriname and operating the platform at curo.coach, collects, uses, and protects personal data. If anything is unclear, contact us at hello@curo.coach.

1. Who We Are

Legal entity: Curo Coach (trading as Curo Recruitment Intelligence)
Owner: Michael Mc Calman
Location: Suriname
Website: curo.coach
Contact: hello@curo.coach

Curo is a recruitment intelligence platform. Recruiters use it to assess candidates through AI-driven intake interviews and structured reports.

2. Controller and Processor

Curo handles two different categories of data, and our role is different for each.

2.1 Recruiter Data: Curo is the Controller

When you, as a recruiter, register and use your Curo account, Curo is the data controller for the personal data we collect about you directly.

2.2 Candidate Data: Curo is the Processor

When a candidate completes an intake interview, the recruiter who invited them is the data controller. Curo acts as a data processor on the recruiter's behalf. The recruiter decides why and how candidate data is processed. Curo processes that data only as instructed by the recruiter, in accordance with our Terms of Service and applicable law (including the GDPR).

If you are a candidate and want to exercise your rights over your personal data, please contact the recruiter who invited you. If you cannot identify them, contact us at hello@curo.coach and we will help you reach the right party.

3. What We Collect

3.1 From Recruiters

When you register and use Curo, we collect:

  • Full name
  • Agency or company name
  • Email address
  • Password (stored as a secure hash; we never see your actual password)
  • Profile photo (optional)
  • Payment receipts you upload manually
  • Timestamp of your acceptance of our Terms of Service
  • Basic usage information needed to operate the platform (e.g., when you log in, which features you use)

3.2 From Candidates

During an intake session invited by a recruiter, Curo collects:

  • Full name
  • Email address
  • Phone number
  • Years of professional experience
  • Full CV text (uploaded as a file or pasted)
  • The entire transcript of the intake conversation with the AI
  • The AI-generated Report, which includes competency tier scores, key achievements, work experience summary, education, languages, skills, suggested interview prompts, a non-binding recommendation, and coaching notes

3.3 What We Do Not Collect

We do not use tracking cookies, advertising cookies, fingerprinting, or third-party analytics that profile users. We do not collect data about you across other websites.

4. How We Use Personal Data

4.1 Recruiter Data

We use your data to:

  • Provide and operate your account.
  • Generate Reports about candidates you have invited.
  • Process payments and keep records of your subscription.
  • Communicate with you about your account, the service, and material updates to our Terms or Privacy Policy.
  • Improve the platform's reliability and security.

4.2 Candidate Data

We use candidate data only to conduct the AI intake interview, generate the Report for the recruiter who invited the candidate, and make the Report available to that recruiter in their account.

We do not:

  • Sell candidate data to anyone.
  • Share candidate data with other recruiters or third parties, except the operational service providers listed in Section 6.
  • Use candidate data to train AI models.
  • Use candidate data for advertising, profiling for other purposes, or any purpose outside the recruiter's instructions.

5. Legal Bases for Processing (GDPR)

Where the GDPR applies, we rely on the following legal bases:

  • Performance of a contract: to operate your recruiter account and provide the service you signed up for.
  • Legitimate interests: to keep the platform secure, prevent abuse, and improve reliability.
  • Legal obligation: to keep records required by law, such as payment records.
  • Consent: where required. For candidate data, the recruiter is responsible for obtaining the candidate's consent (or another valid legal basis) before sharing the intake link.

6. Third-Party Service Providers

Curo cannot operate without a small number of trusted third parties:

| Service | Role | Location |
|---|---|---|
| Anthropic (Claude API) | Powers the AI intake conversation and Report generation. Data sent to Anthropic's API is processed under their Commercial Terms and Data Processing Addendum. API inputs and outputs are deleted after 7 days and are never used to train Anthropic's models. | United States |
| Vercel | Hosts the Curo web application. | United States |
| Supabase | Stores account data, candidate data, and Reports. | EU / United States |

These providers act as sub-processors when handling candidate data, and they are bound by data protection terms consistent with the GDPR. We do not share personal data with any other third parties unless required by law.

7. International Data Transfers

Curo is operated from Suriname and uses providers located in the United States and the European Union. When personal data of EU residents is transferred outside the EEA, those transfers are protected by appropriate safeguards, such as the Standard Contractual Clauses approved by the European Commission, or equivalent mechanisms used by our sub-processors.

If you would like more detail about specific transfer mechanisms, contact us at hello@curo.coach.

8. Data Retention

8.1 Recruiter Data

We retain your account data for as long as your account is active.

8.2 Candidate Data

Candidate data, intake transcripts, and Reports are retained as long as the inviting recruiter's account is active, or until the recruiter deletes them.

8.3 Deletion on Account Closure

When a recruiter account is closed (by the recruiter or by us), all associated data (including candidate data, transcripts, and Reports) is deleted within 30 days of account closure.

8.4 Recruiter-Initiated Deletion

Recruiters can delete individual candidates or entire job openings at any time from within the platform. Deletion is permanent — personal data, intake transcripts, and Reports are immediately and irreversibly removed from our active database.

Encrypted infrastructure backups maintained by our database provider (Supabase) may retain a copy of deleted data for up to 7 days before automatic purge. These backups are encrypted, inaccessible to end users, and are used solely for disaster recovery. They are not consulted in the normal course of operating the platform.

8.5 Legal Records

Some records, such as payment receipts and Terms of Service acceptance, may be retained for longer to meet legal and accounting obligations.

9. Security

  • Encryption in transit: All data sent between you, candidates, and Curo is encrypted using HTTPS.
  • Encryption at rest: Data stored in our database is encrypted at rest.
  • Hashed passwords: Passwords are stored only as secure hashes; we cannot see or recover them.
  • Access controls: Only authorized personnel may access production systems, and only when necessary.

No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify you and, where required, the relevant supervisory authority without undue delay.

10. Your Rights

If you are in the European Union, the GDPR gives you the following rights regarding your personal data:

  • Right of access: Ask what data we hold about you.
  • Right to rectification: Ask us to correct inaccurate data.
  • Right to erasure: Ask us to delete your data ("right to be forgotten").
  • Right to restriction: Ask us to stop or limit our use of your data.
  • Right to data portability: Receive your data in a machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
  • Right to lodge a complaint: File a complaint with your local data protection authority.

Similar rights may apply under other privacy laws.

How to exercise your rights:

  • If you are a recruiter: contact us directly at hello@curo.coach.
  • If you are a candidate: contact the recruiter who invited you. They are the data controller for your data. If you cannot reach them, contact us at hello@curo.coach and we will assist.

We respond to verified requests without undue delay, and at the latest within one month, as required by the GDPR.

11. AI and Automated Processing

Curo uses an AI system to conduct intake interviews and generate Reports. We want to be clear:

  • The Report is an assessment intended to assist a human recruiter, not an automated hiring decision.
  • The recruiter remains fully responsible for any hiring decision.
  • Candidates are informed at the start of the intake session that they are interacting with an AI system and that a Report will be shared with the recruiter who invited them.

If you are a candidate in the EU and you believe a hiring decision affecting you was made solely by automated means, contact the recruiter who invited you, and you may also contact us at hello@curo.coach.

12. Cookies

Curo uses only the cookies needed to make the platform work. Specifically:

  • Authentication session cookies: to keep you logged in to your recruiter account.

We do not use tracking cookies, advertising cookies, third-party analytics cookies that profile users, or cross-site tracking.

Because we only use strictly necessary cookies, no separate cookie consent banner is required under most GDPR interpretations. If this changes, we will update this policy and ask for your consent where required.

13. Children

Curo is not intended for anyone under 18 years old. We do not knowingly collect personal data from minors. If you believe we have collected data from someone under 18, contact us at hello@curo.coach and we will delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and require you to re-accept the updated terms in the platform before continuing to use it.

The "Last updated" date at the top of this policy always reflects the most recent version.

15. Contact

For questions about this Privacy Policy, or to exercise your rights, contact:

Curo Coach
Email: hello@curo.coach
Website: curo.coach

This Privacy Policy is provided in English. By using Curo, you confirm that you have read and understood it.