Privacy Policy
This page explains what Curevora collects, why, who else sees it, and how to get any of it back or deleted. Plain English. No 30-page click-through.
If you'd rather just ask a person, email info@curevora.com.
Who we are
Curevora ("we," "us," "Curevora") makes Manual Pay, a checkout plugin that gives small sellers a real checkout for Venmo Business, Zelle, Cash App, and PayPal. We are non-custodial: we don't receive, hold, route, or transmit your money or your customers' money. All payments move directly between customer and merchant inside the relevant payment application.
What we collect
We collect three buckets of information:
1. Information you give us directly.
- Your email address and password when you create a member account.
- Your business name, Venmo / Zelle / Cash App / PayPal handles, product list, locations, and any other data you enter into your Curevora dashboard.
- Anything you send us by email or during a consultation call.
2. Information collected automatically when you visit curevora.com.
- IP address, user agent, referrer, and pages viewed via Google Analytics 4 (cookie ID
_ga). GA4 is configured to anonymize IPs and not share data with Google for advertising purposes. - A Cloudflare bot-management cookie (
__cf_bm) used to keep the site online and abuse-free. It expires after 30 minutes of inactivity.
3. Information collected by your member dashboard.
- Authentication tokens (so you stay signed in) stored in your browser via Supabase Auth.
- QR scan events you generate — which code was scanned, when, and from which location label. We never see GPS coordinates; locations are tagged at print time by you.
We do not run session replay, screen recording, behavior analytics, or any third-party advertising pixel on this site or in the member dashboard.
What we don't collect
- We never see, store, or have access to your payment-app passwords or balances.
- We never see, store, or have access to your customers' payment information, full names, or device data.
- We don't store payment card numbers. Curevora has no card processing.
- We don't sell, rent, or share personal data with data brokers.
Why we collect it
- To run the site and the member dashboard.
- To authenticate you and prevent strangers from seeing your data.
- To answer support questions you send us.
- To measure aggregate site usage (how many people visit, which pages are popular) so we know what to build next.
- To comply with law if we have to.
Who else sees it
We use a small number of subprocessors to operate Curevora:
- Supabase (Auth + Postgres database) — hosts your account and dashboard data. US data centers.
- Cloudflare — CDN, DNS, and bot protection for curevora.com.
- Google Analytics 4 — aggregate site analytics. Anonymized.
- Google Workspace —
info@curevora.comruns on Gmail; if you email us, your email is on Google's servers. - Google Calendar (Appointment Schedule) — when you book a consultation, your name, email, and any notes you provide are processed by Google Calendar.
We do not transfer your data to any other party for any other purpose.
Cookies
_ga,_ga_*— Google Analytics, used to count visitors. Expires after 2 years.__cf_bm— Cloudflare bot management. Expires after 30 minutes.sb-*-auth-token— Supabase auth. Set only after you sign in. Persists until you sign out.
To opt out of Google Analytics across the web, install the Google Analytics Opt-out Browser Add-on.
Your rights
You can ask us to:
- Show you the data we have about you.
- Correct anything that's wrong.
- Delete your account and everything tied to it.
- Export your data so you can take it elsewhere.
Email info@curevora.com and we will respond within 30 days. We do not require you to fill out a form.
California residents have specific rights under the CCPA, including the right to know and the right to delete, exercisable at the same email above. We do not "sell" personal information as that term is defined under the CCPA.
EU/UK residents: our lawful basis for processing is legitimate interest (running the site you visited and the dashboard you signed up for) and contract (delivering the service you bought). You can withdraw consent and request deletion at the same email.
Children
Curevora is built for business sellers. We do not knowingly collect data from anyone under 16. If you believe a minor has signed up, email us and we'll delete the account.
Data retention
- Marketing-site visitor analytics: 14 months in GA4, then deleted automatically.
- Member account data: retained as long as the account is active, plus 30 days after deletion request to handle billing reconciliation.
- Email correspondence: retained until either party deletes it.
Security
- All traffic to curevora.com is forced HTTPS with HSTS.
- Passwords are hashed by Supabase Auth (never stored in plaintext).
- Database access is restricted by Postgres Row-Level Security; you can only see your own rows.
- We don't have direct production database access for routine work.
No system is bulletproof. If something happens, we'll tell affected members within 72 hours.
Changes
If we change this policy in a way that materially expands what we collect or who sees it, we'll email account holders at least 30 days before the change takes effect. Smaller wording updates we just publish here with a new "Last updated" date.
Contact
Brandon Wilding, Founder
Curevora
info@curevora.com