Legal

Privacy Policy

How we handle personal data under UK GDPR and the Data Protection Act 2018. Last updated: 18 June 2026.

⚠️ Draft template for review. This page is a starting point and must be reviewed and completed by a qualified data-protection professional before launch — particularly because the service involves patient special-category (health) data.

1. Who we are

Shapecrunch ("we", "us") provides software and manufacturing services that enable clinics to order custom orthotics. For data submitted through the app by a clinic about its patients, the clinic is the data controller and Shapecrunch acts as a data processor (see our Data Protection / DPA page). For data we collect directly — for example website enquiries — Shapecrunch is the controller.

Contact: [registered company name], [UK address], contact@shapecrunch.co.uk. Data protection contact: contact@shapecrunch.co.uk.

2. What we collect

3. Lawful basis

We rely on: performance of a contract (providing the service); legitimate interests (operating and improving the service and responding to enquiries); and consent (marketing communications and non-essential cookies). Where we process patient health data on behalf of a clinic, the clinic is responsible for establishing the appropriate lawful basis and special-category condition (e.g. provision of health care) and for obtaining any necessary patient consent.

4. How we use data

To manufacture and deliver ordered devices, operate the app and website, provide support, maintain records, and meet legal obligations.

5. Sharing

We share data only with service providers necessary to deliver the service (e.g. hosting, manufacturing, shipping), under appropriate contracts, and where required by law.

6. International transfers

Where data is transferred outside the UK, we use appropriate safeguards such as UK adequacy regulations or the International Data Transfer Agreement / Addendum. [Specify locations and mechanisms.]

7. Retention

We keep data only as long as necessary for the purposes above and to meet legal requirements. [Specify retention periods.]

8. Your rights

Under UK GDPR you have rights to access, rectify, erase, restrict, object to processing, and data portability. Patients should contact their clinic (the controller) in the first instance. You can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We apply technical and organisational measures including encryption in transit and at rest, access controls and supplier due diligence.

10. Changes

We may update this policy and will post changes here with a revised date.