Legal

Data Protection & DPA

How we protect clinic and patient data, and the basis on which we process it for clinic partners. Last updated: 18 June 2026.

⚠️ Draft template for review. A binding Data Processing Agreement should be prepared and signed with each clinic and reviewed by a qualified data-protection professional, as patient health data is special-category data under UK GDPR.

Controller and processor roles

When a clinic uses Shapecrunch to order orthotics for its patients, the clinic is the data controller and Shapecrunch is the data processor. We process patient data only on documented instructions from the clinic, for the purpose of manufacturing and delivering the ordered devices and providing the service.

Special-category data

Foot images, scans, gait video, prescriptions and related health information are special-category data. Clinics are responsible for establishing the appropriate lawful basis and Article 9 condition (typically the provision of health care) and for any patient-facing transparency and consent.

Our commitments as processor

Sub-processors

We use vetted providers for hosting, manufacturing and shipping. A current list is available on request. [Maintain and link a sub-processor list.]

International transfers

Where processing occurs outside the UK, we put in place appropriate safeguards (e.g. the International Data Transfer Agreement / Addendum). [Specify.]

Security & breach

We maintain measures to protect data and will notify the controller without undue delay on becoming aware of a personal data breach affecting their data.

Request a DPA

To put a signed Data Processing Agreement in place for your clinic, get in touch.