Consent & privacy
Scope-based beneficiary access on the Curably Platform — captured at point of care (kiosk, counter, provider device), not via a patient dashboard app.
Last updated June 2026
Consent model
Curably is an institution-first platform — there is no patient dashboard product. Beneficiary consent is still required for cross-org record access, but it is captured at the point of care: kiosk check-in, pharmacy counter, or provider-assisted intake.
Curably uses granular scopes — not blanket chart access. Each institution requests only the data types needed for the current interaction. Consent is org-scoped, time-bounded, and revocable.
Outbound sync gate
Scopes
| Scope | Patient-facing label |
|---|---|
| records.read | Complete medical record |
| allergies.read | Allergies & reactions |
| vitals.read | Vital signs (last 24 hours) |
| history.read | Visit history (last 5 visits) |
| labs.read | Lab results & imaging |
| medications.read | Current medications |
| insurance.read | Insurance / scheme information |
Scopes map to record types in GET /api/records. Request minimum necessary scopes per workflow.
Capture flows
- Kiosk / provider device (primary) — beneficiary grants scopes after a plain-language summary at check-in (English, French, Swahili). Use
auto_approve: trueonPOST /api/consentswhen capture happens on-site. - Pharmacy counter — allergy and medication scopes granted during verified dispense (see Pharmacy integration)
- Pending + notification (optional) — when a request cannot be captured on-site, Curably can SMS/email a one-time review link. Approval completes the consent record; there is no standalone patient portal dashboard.
- Smart Consent AI — comprehension assist in the provider workspace for low-literacy contexts
- Dependent coverage — guardian grants on behalf of dependents via
family_members.cura_id
API
/api/consentsList consents. Query: subject_cura_id, org_id, include_revoked=1.
/api/consentsCreate a consent request with scopes array.
{
"org_id": "uuid",
"subject_cura_id": "CURA-XXXX",
"scopes": ["medications.read", "allergies.read"],
"purpose": "Pharmacy dispense — allergy check",
"expires_in_hours": 24
}/api/consents/approveMark a pending consent as granted — typically after on-site capture or a one-time review link, not a patient dashboard session.
/api/consents/revokeRevoke active consent; triggers consent.revoked webhook.
Consent events stream to registered webhooks — see REST API & webhooks.
Revocation
- Provider-assisted revocation at facility, org admin action, or beneficiary request via support channel
revoked_atset; active API reads return empty or 403- EHR outbound sync jobs cancelled for that org/subject pair
- Audit log entry with actor and timestamp
Emergency access
Break-glass access is available for life-threatening emergencies with strict controls:
- Minimum necessary fields only (allergies, critical meds)
- Supervisor PIN or dual authorization where configured
- Automatic expiry (default 4 hours)
- Beneficiary notified post-event (SMS/email) with audit disclosure
Transparency & audit
Every consent grant, read, and revocation is written to immutable audit logs. Institutions and regulators query access history via audit exports — not through a consumer-facing patient app. This aligns with NDPR (Nigeria) and Kenya Data Protection Act requirements. See Privacy policy and Security overview.