Privacy Policy

CUVR Spatial Systems (“CUVR,” “we,” “our,” or “us”) is a Dubai Health Authority (“DHA”) licensed provider of immersive, clinical-grade physical therapy delivered through virtual reality. Because our service captures health-related data, biometric signals, and movement telemetry, we treat your privacy as a clinical obligation — not just a legal one.

This Privacy Policy explains what we collect, why we collect it, how we use and protect it, and what choices you have under UAE Federal Law No. 2 of 2019 on the Use of ICT in Health Fields (the “ICT Health Law”), Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”), and the DHA Health Data and Information Standards. It applies to our website, mobile and desktop applications, in-clinic VR sessions, and any related services that link to this policy.

Account & identity: name, email address, password hash, date of birth, and (where applicable) the clinic or provider that referred you.

Clinical & biometric: range-of-motion readings, joint-angle telemetry, balance and gait data, heart rate and respiration cues, and clinician notes captured during sessions.

Session telemetry: headset model, controller inputs, spatial-tracking data, environment selected, session length, and performance scores.

Device & technical: IP address, browser/app version, device identifiers, crash logs, and diagnostic events used to keep the service stable.

We use your information to deliver and personalize your recovery program, to enable your care team to monitor progress, to keep our systems secure, to comply with legal obligations, and — only with explicit consent — to improve our protocols through aggregated, de-identified research.

We do not sell personal information. We do not use your clinical data to target advertising.

Your data is shared only with: (a) your authorized DHA-licensed clinicians and care team, (b) the Dubai unified health information exchange (NABIDH) as mandated by DHA Circular 67 of 2021, (c) trusted infrastructure providers under written data processing agreements aligned with the PDPL, (d) regulatory authorities (DHA, UAE Data Office, Ministry of Health and Prevention) when required by law, and (e) parties you explicitly direct us to share with.

Health data is hosted on infrastructure located within the United Arab Emirates in accordance with the ICT Health Law's data residency requirements. Any cross-border transfer occurs only with your explicit consent and to jurisdictions that meet the PDPL's adequate-protection standard.

When we engage subprocessors, they are bound to confidentiality, minimum-necessary access, and audit obligations equivalent to ours.

Clinical and biometric data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is gated by role-based permissions, hardware-backed multi-factor authentication for our staff, and continuous audit logging. Production systems are isolated from development environments and reviewed against the DHA Health Data and Information Standards, the ICT Health Law, and ISO/IEC 27001 controls.

No system is impervious. If we ever detect a breach affecting your data, we will notify you, the DHA, and the UAE Data Office within the windows required by Article 9 of the PDPL and applicable DHA guidance.

In line with DHA medical records retention requirements, adult clinical records are retained for at least 25 years from the date of last patient contact. Pediatric records are retained until the patient reaches the age of 21 plus an additional 25 years. Telemetry and diagnostic logs are retained for shorter, role-defined windows (typically 12–24 months) and then anonymized or deleted.

Under the PDPL and the ICT Health Law you have the right to (a) access and obtain a copy of your personal and health data, (b) correct inaccurate or incomplete data, (c) request erasure or restriction of processing where permitted, (d) object to processing, (e) request portability of data you have provided, and (f) withdraw any previously granted consent. Submit requests through your account settings or by contacting privacy@cuvr.ae. We respond within 30 days. You also have the right to lodge a complaint with the UAE Data Office or the DHA.

CUVR is not directed at children under 13. Pediatric care, when offered, is delivered exclusively under verified parent or guardian authorization in accordance with UAE Federal Law No. 3 of 2016 on Child Rights (Wadeema's Law) and the DHA Pediatric Care Standards, with the additional safeguards described in our Pediatric Care Addendum.

We may update this policy as our services evolve. Material changes will be communicated by email and surfaced in-product before they take effect. The effective date below always reflects the current version.

Questions, complaints, or requests? Reach our Data Protection Officer at privacy@cuvr.ae or by mail at CUVR Spatial Systems, Attn: Data Protection Officer, Building 64, Block E, Dubai Healthcare City, P.O. Box 505276, Dubai, United Arab Emirates. DHA Sheryan Facility ID available on request.