Information on the processing of personal data of the Site and the Platform pursuant to Article 13 of the GDPR
“Qura” in its capacity as the data controller as set out in this notice, informs pursuant to Article 13 EU Regulation no. 2016/679 (“GDPR”) and the applicable regulations on personal data protection represented by Legislative Decree no. 196/2003, as subsequently amended by Legislative Decree no. 101/2018 and its subsequent amendments and integrations (hereinafter, “Privacy Code”), as well as by any further regulations issued by the Authority (e.g., provisions, guidelines, general authorizations, etc.) (hereinafter, “Privacy Regulations”), that the data provided through the website https://www.qura.co (the “Site”) and the platform https://app.qura.co (“Platform”), regardless of the method or tool used, will be processed in the following ways and for the following purposes.
Premise
Qura has developed a technological platform, assisted by Artificial Intelligence systems, capable of supporting the conduct of preventive and personalized medical performance, diagnosis, blood tests, and remote consultation of healthcare professionals and/or socio-healthcare facilities (“Healthcare Services”), considered as entities practicing healthcare professions according to applicable regulations, directly or indirectly (“Healthcare Professionals”). In this regard, Qura by its technology does not offer laboratory, analysis, opinions, or medical consultations or any other medical or healthcare service, providing only a technological service. Therefore, Qura does not qualify as a Healthcare Professional nor as a healthcare or socio-healthcare facility that employs Healthcare Professionals. In this context, preliminarily, we inform you that Qura processes your personal data acting both as the Data Controller and as the Data Processor.
Qura - Data Processor
On one hand, Qura collects and processes on behalf of the Healthcare Professionals you will contact for the implementation of Healthcare Services and based on their instructions a series of personal data attributable to you as specified below (“Personal Data”).
Regarding such Personal Data, Qura acts as the Data Processor ex Article 28 of the GDPR, allowing the execution of the Healthcare Services by Healthcare Professionals. The Personal Data may be processed via the Platform, which also uses software based on artificial intelligence systems capable of assisting the Healthcare Professional in diagnostic reporting and in healthcare activity under their exclusive competence.
In this respect, it is noted that Qura, as the data processor, does not use your personal data in any automated decision-making process (where decisions are made exclusively through the creation and application of technologies without human intervention) or profiling (processing of personal data using a series of technologies that reduce human intervention to evaluate certain conditions regarding an individual), producing a legal or equally significant effect concerning you.
Each decision that might affect your rights and freedoms, including diagnostic and health assessments broadly speaking, is indeed exclusively entrusted to the Healthcare Professional you appointed and is based on the entirety of personal data and information in their possession and not solely on the information processed and communicated by Qura. The purposes of this processing will be specified and described in the appropriate notice ex art. 13 of the GDPR provided by the Healthcare Professional and delivered to you at the first useful contact. Therefore, for more information on the processing of your Personal Data related to Healthcare Services, we invite you to review the notice provided by the Healthcare Professional.
Qura - Data Controller
On the other hand, Qura acts as the Data Controller when it independently decides for what purposes it will use your Personal Data (for example, when creating a Platform account).
The Personal Data may be processed via the Platform, which also uses software based on artificial intelligence systems designed for recommending blood tests to perform and offering ancillary, preparatory, support, and management services to Healthcare Professionals (“Non-Healthcare Services”).
With this document, Qura intends to explain how it will process the Personal Data it collects from you as a visitor of the Site and Platform (the “Visitor”) and as a registered user of the Platform or a potential user of the Platform (respectively a “User” or “Potential User”) (collectively and indistinctly, the “Data Subjects”), for its purposes and different from those of the Healthcare Professionals.
Given the potential for processing personal data, including health-related data, of third parties, such as your family members, provided by you to Qura through the completion of the information collection forms on the Platform to utilize Healthcare and Non-Healthcare Services, it is specified that in this instance you act as the autonomous data controller, assuming all legal obligations and responsibilities. In this respect, you provide the broadest indemnity concerning any claims, demands, damage compensation requests from processing, etc., that might be raised against Qura by third parties whose personal data have been processed through the Platform and provided by you in violation of applicable personal data protection regulations, and you ensure that this specific processing scenario is based on an adequate legal ground pursuant to Article 6 of the GDPR and, if you provide data related to health or other data belonging to special categories, pursuant to Article 9 of the GDPR, which legitimizes the processing of the referred information.
The Data Controller of Personal Data
The Data Controller is Qura S.r.l. with registered office in Bologna - Via Guglielmo Marconi 45, P.I. 04314601206, C.F. 04314601206 (hereinafter, the “Data Controller” or the “Company”).
The Data Controller provides the following email address for any communication: gio@qura.co.
The Data Controller may designate one or more Data Processors pursuant to Article 28 of the GDPR, who, on behalf of the Data Controller, provide specific processing services or related, instrumental or support activities by adopting all those technical and organizational measures suitable to protect the rights, freedoms, and legitimate interests recognized by law to the Data Subjects.
Description of Processing of Personal Data as Controller
The Controller will process your Personal Data to achieve specific purposes and only in the presence of a specific legal basis. The processing will concern individual operations, or a set of operations, of the following personal data provided by the Data Subject during the use of the services rendered by the Data Controller via the Site and Platform, as described in the following table (the “Personal Data” or the “Data”):
Personal Data Related to the Platform
It should be noted that, with reference to browsing data, the information collected, while not intended to be associated with identified individuals, due to its nature, if associated with other Data held by third parties (e.g. internet service provider), could allow the identification of Data Subjects (e.g., IP addresses, domain names of the computers used, URL addresses of requested resources, request times, numerical code regarding the status of the response given by the server).
Processing of Personal Data as a Data Processor
Qura may process the following Personal Data as a data processor, according to the appointment as data processor signed with each Healthcare Professional, acting as an independent data controller. For further details on the terms and conditions of such processing, please contact the specific Healthcare Professional and/or request a copy of the information notice on the processing of personal and special data with regard to healthcare data.
Treatment Methods
The processing of Personal Data:
- is carried out through the operations indicated in Article 4, co. 1, n. 2 of the GDPR, precisely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of data;
- is also carried out with the aid of electronic or otherwise automated means, including through artificial intelligence systems;
- is performed also through the use of email or other remote communication techniques.
Transfer of Personal Data
The management and storage of Data will primarily occur within the European Economic Area, on third-party company servers appointed and duly designated as data controllers.
The Data Controller can provide access to the Site and the Platform and the services indicated therein also in other countries. In such cases, the transfer of Data to these countries is strictly limited to the actual need to know them. The Data Controller will take the necessary measures to protect the Personal Data of the Data Subjects and prevent unauthorized access.
In cases where Personal Data are transferred to systems used by the Data Controller and/or third-party companies appointed and duly designated as Data Processors even outside the European Union, the Data Controller ensures the application of the European Commission's standard contractual clauses to ensure a secure international data transfer of personal data, in accordance with Articles 44, 45, and 46 of the GDPR. Should such transfer occur to countries that do not provide the same level of protection as provided by the GDPR or applicable legislation, or in any case, a level adequate to protect personal data, the Data Controller will ensure that each of such recipient parties assumes specific contractual obligations in accordance with applicable data protection regulations (including the signing of the European Commission's Standard Contractual Clauses “SCC”), or in the absence of an adequacy decision pursuant to Article 45(3) GDPR, or adequate safeguards pursuant to Article 46 GDPR, including binding corporate rules, it will request, pursuant to Article 49 of the GDPR, the possibility of transferring personal data to a Third Country after obtaining the specific consent of the Data Subject. In any case, the Data Subject may request further information regarding the transfer of Personal Data by writing to the email address: gio@qura.co
Security Measures
The Data Controller has adopted a variety of security measures to protect the Data against the risk of loss, misuse, or alteration, in accordance with the measures expressed in Article 32 of the GDPR. The processing is carried out using computer and/or telematic tools, with organizational methods and with logic strictly related to the purposes indicated.
Every Healthcare Professional recipient of Personal Data, within the scope of their use of Healthcare and Non-Healthcare Services, undertakes to guarantee its security and confidentiality.
Consequences of Failure to Communicate Personal Data
While the Data Subject has the option to provide Personal Data to the Data Controller, the provision of Personal Data may be:
- mandatory for the provision of services accessible through the Site and the Platform, and for purposes related to the fulfillment of obligations established by applicable laws and/or regulations, as well as by orders issued by competent authorities/supervisory bodies and/or controls;
- optional with regard to data provided spontaneously by the Data Subject, for the purposes of online reporting and storage of reports and findings, for sending the informative newsletter.
Any refusal by the Data Subject to provide Personal Data to the Data Controller may result in the inability for the Data Controller to provide the requested services and to make the Site and the Platform accessible.
Furthermore, please consider that the revocation of one or more permissions and/or consents not granted by the Data Subject may have consequences on the proper operation and/or the ability to access and/or correctly use the Site and the Platform and/or deliver services by the Data Controller.
Data Retention and Deletion
The Personal Data retention period is indicated in the table at the previous point 2.
Upon expiration of the retention period, the Personal Data will be deleted. Therefore, after such a period, the right of access, deletion, rectification, and the right to data portability can no longer be exercised by the Data Subjects.
Personal Data will be stored by means of electronic archives, including portable devices, adopting appropriate measures to ensure their security and limit access exclusively to personnel authorized by the Data Controller and in the strict context of the purposes indicated above.
To whom we can disclose Personal Data
For the purposes indicated above, Personal Data may be made accessible or disclosed to:
- employees and collaborators of the Data Controller, in their capacity as authorized processing staff, within their respective duties and in accordance with the instructions received. These individuals are, in any case, subject to confidentiality and non-disclosure obligations;
- third parties who perform outsourcing activities on behalf of the Data Controller, whose activity is connected, instrumental, or supportive of that of the Data Controller (e.g., management software);
- Healthcare Professionals who act as independent data controllers for the execution of Healthcare Services;
- all those public and/or private subjects, natural and/or legal persons (such as, by way of example, legal, administrative, and tax consulting firms, funds or private insurance and assistance funds, Judicial Offices, Chambers of Commerce) where communication proves necessary or functional to the proper fulfillment of contractual obligations undertaken, as well as obligations arising from the law;
- all those entities (including Public Authorities) who have access to Personal Data by virtue of regulatory or administrative provisions.
In any case, Personal Data collected will not be disseminated.
Rights of the Data Subject
The Data Subject can exercise the rights provided by Chapter III of the GDPR within the limits and conditions provided therein:
- access to data (Art. 15): the Data Subject has the right to obtain confirmation from the Data Controller as to whether or not Personal Data concerning them is being processed and, if so, obtain access to the Personal Data in a commonly used electronic format and some information on the processing (e.g., purposes, categories of Data processed, recipients, extra-EU transfers, profiling activities, etc.);
- data rectification (Art. 16): the Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning them without undue delay and/or the completion of incomplete Personal Data, also by providing a supplementary declaration;
- data deletion or "right to be forgotten" (Art. 17): the Data Subject has the right to obtain from the Data Controller the deletion of Personal Data concerning them without undue delay, and the Data Controller has the obligation to delete Personal Data without undue delay;
- processing limitation (Art. 18): the Data Subject has the right to obtain from the Data Controller the limitation of processing;
- data portability (Art. 20): the Data Subject has the right to receive in a structured, commonly used, and machine-readable format, the Personal Data concerning them provided to a Data Controller and has the right to transmit such Data to another Data Controller without hindrance from the Data Controller to whom they have provided them;
- withdrawal of consent (Art. 7, par. 3): the Data Subject has the right to withdraw the consent provided at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
- objection to processing (Art. 21): the Data Subject has the right to object at any time, for reasons related to their particular situation, to the processing of Personal Data concerning them pursuant to Article 6, paragraph 1, letters e) or f) of the GDPR, including profiling based on such provisions.
Manner of Exercising Rights
The Data Subject may exercise the rights at any time by sending:
- an email to the address: gio@qura.co
- a registered letter with acknowledgment of receipt to Qura s.r.l. with registered office in Bologna, via Guglielmo Marconi 45.
The Data Controller commits to providing the Data Subject with information regarding the action taken on a rights exercise request without undue delay and, in any event, no later than 30 (thirty) days from receipt of the request, extendable up to 3 (three) months only in cases of particular complexity.
Any rectification, deletion, or limitation of processing carried out upon specific request of the Data Subject, unless this proves impossible or involves a disproportionate effort, will be communicated by the Data Controller to each of the recipients to whom the Personal Data have been transmitted. The Data Controller can communicate the references of these recipients to the Data Subject, upon request.
For all questions concerning the Personal Data for which Qura is the Data Responsible, you can contact the Healthcare Professional, Data Controller, to whose privacy policy reference is expressly made.
Right to Complaint
Data Subjects who believe that the processing of Personal Data is in violation of the provisions of the GDPR have the right to lodge a complaint with the Data Protection Authority: i) via email, to the address garante@gpdp.it or urp@gpdp.it; ii) via fax to number 06.696773785; or iii) by mail to the registered office located in Rome (Italy), Piazza Venezia no. 11 – Cap 00187, or alternatively through appeal to the judicial authority.
Responsible and Appointed
The updated list of data processing managers and appointees is kept at the registered office of the Data Controller.
Changes to this policy
This policy may be modified and/or updated at any time. Should the Data Controller intend to process Your Personal Data for purposes different from those indicated in this Privacy Policy, they undertake to provide appropriate information regarding such other purposes before any additional processing and to carry out such additional processing in compliance with current legislation, obtaining where necessary the specific consent of the Data Subject.
Update date: August 2025






