Privacy Policy
This Privacy Policy describes how your personal information is collected, used, and shared when you visit, use, or make a purchase from curios.com, or any of its subdomains or apps (the “Site”).
Controller & Contact Information
This Privacy Policy applies to Curios, Inc. (“Curios,” “we,” “our,” or “us”). Our principal place of business is in Texas, USA. If you are in the European Economic Area (EEA), United Kingdom, or other jurisdiction with data protection laws, Curios acts as a data controller for your personal data. For questions or to exercise your rights, please contact our Data Protection Officer (“DPO”), Grant Powell, at [email protected]. See additional information at https://content.curios.com/delete-data/
1. Information We Collect
When you use our services—be it visiting the Curios website, browsing digital content, purchasing content via the Marketplace, or uploading via Studio—we collect:
Device and Usage Data: We collect device and usage data (IP address, browser type, OS, pages viewed, timestamps, referring URLs, analytics, etc.) via cookies, beacons, tags, and similar technologies. (Legal basis: legitimate interest, except where tracking requires consent.)
Order Information: When you purchase content, we collect personally identifying information such as your name, billing address, shipping address (if relevant), email address, and payment/payment instrument information (credit card, bank, crypto wallet, etc.). (Legal basis: performance of a contract and compliance with legal obligations.)
Creator / Fan Shared Data: Under our “shared customer” model, when you purchase content from a creator using our platform, we share your necessary contact details (e.g. name, email, billing address) with that creator only if you have consented or as required to fulfill the purchase. If you opt out, we will not share your email or contact info with that creator beyond what is strictly necessary for delivery. What is necessary for delivery may change, but for now, we only classify a verified email address as information that is necessary for delivery.
Optional Additional Information: We may collect additional data if you voluntarily upload content, message creators, or interact in community features (e.g. profile description, avatar, social links). (Legal basis: consent or contract, depending on feature.)
Marketing & Communications Preferences: If you opt in, we may collect your preferences (e.g. topics, creators you wish to hear from). (Legal basis: consent.)
2. How We Use Your Information
Platform operations, support, debugging, personalization, analytics, and improvements (legal basis: legitimate interest, unless tracking consent is required).
To process your purchases and facilitate payments securely (legal basis: contract).
To share purchaser contact details with creators whose content you've bought (unless you opt out, or to the minimal extent necessary for delivery), so that creators can fulfill or manage content delivery (legal basis: contract / consent, as applicable).
To send marketing communications, recommendations, newsletters, including communications from creators you’ve opted in for (legal basis: consent).
To detect and prevent fraud and misuse, and to enforce terms (legal basis: legitimate interest or legal obligation).
To comply with legal obligations, and to protect against fraud, misuse, or unauthorized activity (tax, reporting, law enforcement).
If you withdraw consent or object under GDPR, we will cease that processing (unless we have another lawful basis).
3. Sharing of Personal Data
With Creators: We share limited contact details with a creator when you purchase their content—only where you have given consent, or where sharing is strictly necessary to deliver/stream that content. Creators only get access to data about fans who have opted in (or necessary minimal data). If you opt out, we will not share your email or address with creators beyond what is strictly necessary (e.g. user ID for licensing).
With Our Service Providers / Processors: We share data with third-party providers who support payments, analytics, marketing, hosting, emailing, customer support, security, and legal compliance. Each such provider must have a Data Processing Addendum (DPA) with Curios to ensure GDPR-level protections.
Legal / Compliance / Safety: We may disclose personal data to comply with laws or legal process, to enforce our rights, or to protect the safety of users (e.g. fraud, abuse, security incidents).
4. Your Privacy Rights
Under the GDPR, data subjects have the following rights:
Right to Access: Confirm whether we process your data and receive a copy in machine-readable form.
Right to Rectification: Correct or complete your data.
Right to Erasure / Deletion: Request deletion, subject to legal/contractual exceptions (see “Data Deletion Policy”).
Right to Restrict Processing / Object: In certain cases, restrict or object when we process under legitimate interest.
Right to Data Portability: Receive a structured export of your personal data (e.g. purchase history, profile) to transmit to another controller.
Right to Withdraw Consent: Where we rely on consent for processing, you may withdraw at any time (e.g. marketing). Withdrawal does not affect processing prior to that time.
Right to Lodge a Complaint: With your local supervisory authority.
To exercise any of these rights, please contact us at [email protected], or go to https://www.curios.com/delete/. We respond in accordance with applicable law.
A) Right to Request Deletion
You may request that Curios deletes your personal data (also called the “right to erasure” or “right to be forgotten”), subject to the limitations described below. To make such a request, please contact us via the email address below or via your account settings.
B) What We Will Delete / Erase
When a valid deletion request is made, we will delete or anonymize all personal data we hold about you that is not required to be retained under law or contract. This includes, for example:
Your profile details (name, avatar, optional contact info).
Behavioral and analytics data (clickstream, session logs) that is stored in identifiable form.
Preferences, playlists, bookmarks, saved content, and settings.
Marketing preferences (opt-ins) and related metadata (unless required to retain minimal data to honor an opt-out).
Any non-essential communication records.
C) What We May Retain (or Archive) and Why
Even after you request deletion, we may lawfully retain certain data as necessary, subject to strict limitation, for:
Legal Compliance / Statutory Obligations
We may retain invoices, payment records, tax documentation, transaction logs, and other accounting records as required by law (typically 6–10 years or per applicable jurisdiction).
Contractual & Dispute Purposes
We may retain minimal data necessary to demonstrate performance of a contract (e.g. proof of purchase, delivery logs, content streaming logs) or defend against legal claims or disputes (e.g. IP infringement, chargebacks).
Suppression / Opt-out Maintenance
If you have unsubscribed or withdrawn consent for marketing communications, we may retain a minimal record (for example, your email address in hashed form) to prevent re-enrollment or inadvertent resubscription.
Security, Fraud Prevention, and Abuse Detection
We may keep anonymized or aggregated log data (or minimal, pseudonymized records) for a limited time to guard against misuse or to preserve platform integrity.
We will not use the retained data for new or incompatible purposes, and it will be strictly limited to what is necessary.
D) Process and Timing
We will confirm receipt of your deletion request within 1 month.
If your request is complex or large, we may extend this by an additional 2 months (with notice).
Once processed, we will send you confirmation that the deletion has been completed (or that your request was declined in part, with reasons).
We will also ensure deletion or anonymization across backups and archival systems as feasible, in accordance with our data retention policy.
E) Limitations & Exceptions
We may decline or partially refuse a deletion request only to the extent we are legally permitted or required to retain certain data (as outlined above). If we do so, we will notify you of the refusal and the specific legal basis for retaining that data.
F) Anonymization Alternative
Where complete deletion is not possible, we may anonymize or pseudonymize your data so that it can no longer be linked to you personally.
5. Data Retention and Security
Data Retention: We retain personal data only as long as necessary to fulfill processing purposes, or as required by law. For example:
- Accounting, payment, and tax data: retained for 6–10 years (or per local jurisdiction).
- Transaction and content delivery logs: kept for at least the statute of limitations period (e.g. 3–6 years).
- Security logs / fraud prevention: retained for up to 12–24 months or as necessary.
- Marketing opt-out suppression: indefinitely, but only the minimal required data (e.g. hashed email).
- Profile, preferences, behavior analytics: until you delete your account or withdraw consent.
When data is no longer needed, we either delete it or anonymize / aggregate it so it cannot identify you. We also endeavor to purge data from backups and archival systems within a reasonable period, consistent with business and legal needs.
Security Measures: We adopt appropriate administrative, technical, and organizational measures to protect your data, such as encryption (in transit / at rest), pseudonymization, role-based access, regular audits, intrusion detection, and secure software development practices. We also operate under the principle of “data protection by design and default,” meaning we limit data collection to only what is necessary and enforce strict access controls.
6. International Data Transfers
Your data may be transferred to, and stored on, servers located outside your jurisdiction—including outside the EEA or UK. In such cases, we implement appropriate safeguards to ensure compliance with GDPR cross-border transfer requirements. If we transfer your personal data outside the EEA / UK (e.g. to the U.S.), we use appropriate safeguards such as standard contractual clauses (SCCs), binding corporate rules, or other approved transfer mechanisms. Where legally required, we will also implement additional technical, organizational, and contractual measures to protect your rights.
7. Cookies & Tracking Technologies
We use cookies and similar tools to enhance your user experience, analyze usage patterns, and support platform functionality and marketing. You can control cookie preferences via your browser settings or our cookie banner.
8. Updates to This Privacy Policy
We may update this policy periodically to reflect operational or legal developments. Notifications of updates will be visible on our site. Continued platform use after changes implies acknowledgment and acceptance. We will notify you of material changes (e.g. by email or banner). Continued use of our platform after changes implies acceptance. We will keep a version history with effective dates.
9. Complaints & Contact
If you have questions about this Privacy Policy, wish to exercise any of your rights, or wish to file a complaint, you can contact our DPO, Grant Powell, at [email protected]. In the EEA / UK / applicable jurisdictions, you also have the right to lodge a complaint with your local supervisory authority.