How we handle personal data under UK GDPR and the Data Protection Act 2018. Last updated: 18 June 2026.
Shapecrunch ("we", "us") provides software and manufacturing services that enable clinics to order custom orthotics. For data submitted through the app by a clinic about its patients, the clinic is the data controller and Shapecrunch acts as a data processor (see our Data Protection / DPA page). For data we collect directly — for example website enquiries — Shapecrunch is the controller.
Contact: [registered company name], [UK address], contact@shapecrunch.co.uk. Data protection contact: contact@shapecrunch.co.uk.
We rely on: performance of a contract (providing the service); legitimate interests (operating and improving the service and responding to enquiries); and consent (marketing communications and non-essential cookies). Where we process patient health data on behalf of a clinic, the clinic is responsible for establishing the appropriate lawful basis and special-category condition (e.g. provision of health care) and for obtaining any necessary patient consent.
To manufacture and deliver ordered devices, operate the app and website, provide support, maintain records, and meet legal obligations.
We share data only with service providers necessary to deliver the service (e.g. hosting, manufacturing, shipping), under appropriate contracts, and where required by law.
Where data is transferred outside the UK, we use appropriate safeguards such as UK adequacy regulations or the International Data Transfer Agreement / Addendum. [Specify locations and mechanisms.]
We keep data only as long as necessary for the purposes above and to meet legal requirements. [Specify retention periods.]
Under UK GDPR you have rights to access, rectify, erase, restrict, object to processing, and data portability. Patients should contact their clinic (the controller) in the first instance. You can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
We apply technical and organisational measures including encryption in transit and at rest, access controls and supplier due diligence.
We may update this policy and will post changes here with a revised date.