Legal
Privacy Policy
This Privacy Policy describes how 3DScanOrthotics, Inc. ("we," "us," or "our")
collects, uses, and discloses information in connection with the 3DScan Orthotics
iOS application (the "App") and the related orders service at
https://orthoticgui.3dscanorthotics.com (the "Service").
The App is a professional tool for licensed clinicians. It is not a consumer health app and is not intended for use by patients to self-diagnose or self-treat any medical condition.
1. Who we are
3DScanOrthotics, Inc.
800 S. Central Ave STE 202, Glendale, CA 91204
privacy@3dscanorthotics.com
If you are a clinician using this App, you are the App's user. If you are a patient whose data is captured by a clinician using this App, your information is treated as third-party Patient Information governed by the Business Associate Agreement (BAA) between us and the clinic.
2. Information we collect
The App collects the following categories of information when a clinician scans a patient and submits an orthotic order. All collection is for the sole purpose of fabricating the prescribed orthotic device and shipping it back to the clinic.
2.1 Clinic information
- Clinic name and clinic address, entered once during device setup or supplied with the device activation code.
- Clinician name, entered per-order.
- Activation token — an opaque identifier that authorizes the device to submit orders on behalf of a specific clinic.
2.2 Patient information
- Name (first and last), as entered by the clinician.
- Date of birth.
- Weight (pounds).
- Shoe size and shoe-size unit.
- Patient ID — a randomly generated identifier (
PT-NNNN) created by the App.
2.3 Clinical scan and prescription data
- 3D foot mesh captured via the iPhone TrueDepth camera, stored locally as a PLY file and submitted with each order.
- Foot landmark coordinates (heel, first metatarsal head, fifth metatarsal head, arch) derived on-device from the scan.
- Per-foot measurements including length, width, and arch height.
- Orthotic prescription: orthotic type, top-cover style, rigidity (1–10), and any free-text lab notes entered by the clinician.
- Modifier selections per foot (e.g. heel skive, rearfoot post, metatarsal pad).
The 3D foot mesh captured via the iPhone TrueDepth camera is the only depth-sensor data collected by the App. The TrueDepth camera is used exclusively to scan the patient's foot.
2.4 Information we do NOT collect
The App does not collect location data (no GPS, no Wi-Fi positioning), microphone audio, contacts, browsing or search history, device advertising identifiers, financial information, photos from your photo library, or any analytics about how you interact with the App. The App does not integrate with HealthKit and does not read or write data to any other Apple system framework that would surface user data.
No face data. The App does not collect, process, or transmit any face
data, facial geometry, facial expressions, ARFaceAnchor data, or any other information
derived from the user's or any person's face. The App does not request or use ARKit face tracking and
does not link against any face-tracking API. TrueDepth frames containing any imagery other than the
patient's foot are not captured or retained.
The App does not collect any data about minors under the age of 13. Patient data submitted by a clinician may relate to a patient of any age; we treat all patient data with the same protections regardless of the patient's age.
3. How we use information
We use the information collected solely to:
- Receive, fabricate, and ship orthotic devices ordered through the App.
- Communicate with the clinic about the status of submitted orders.
- Verify that orders originate from an authorized clinic device.
- Comply with our legal and regulatory obligations.
We do not use the information for advertising, marketing, analytics, profiling, training machine-learning models, or any other purpose not described above. We do not sell, rent, or trade any information collected through the App.
4. Legal basis for processing (GDPR)
For users in the European Economic Area, the United Kingdom, and Switzerland, our legal basis for processing this information is:
- Performance of a contract — to fulfill the clinic's order for a prescribed orthotic device.
- Legitimate interests — to operate, secure, and improve the Service, balanced against the privacy interests of users and patients.
- Compliance with legal obligations under applicable health, consumer-protection, and tax laws.
Patient information categorized as "special category data" under GDPR Article 9 is processed in reliance on the explicit consent the clinic obtains from the patient under its own privacy practices, and on Article 9(2)(h) (provision of medical care).
5. How information is shared
We share information only as follows:
- With the fabrication lab that produces the orthotic device, as necessary to manufacture and ship it.
- With service providers that host our servers, deliver email, and ship physical products. These providers are bound by contract to process information only on our instructions and to protect it.
- As required by law, in response to valid legal process or to protect rights, property, or safety.
We do not share information with advertising networks, data brokers, or social-media platforms.
6. Storage, security, and retention
6.1 Storage
- Scan files (PLY meshes), keypoint sidecars, and the patient roster are stored locally on the clinician's iPhone, encrypted at rest using Apple's
NSFileProtectionCompleteUntilFirstUserAuthenticationprotection class. - Scan files are excluded from iCloud Backup and iTunes Backup to prevent off-device extraction.
- Activation tokens are stored in the iOS Keychain.
- Submitted orders are stored on our servers protected by TLS in transit and at-rest encryption.
6.2 Retention
We retain submitted order data for the period required to fabricate the orthotic, support the clinic's records-retention obligations under applicable healthcare laws, and comply with our own legal obligations. The retention period for completed orders is governed by the BAA between us and the clinic.
Clinics may request deletion of their data at any time by contacting privacy@3dscanorthotics.com. We will honor verified deletion requests within 30 days, subject to retention exceptions required by law.
6.3 Security
We use industry-standard administrative, technical, and physical safeguards to protect information, including encryption in transit (TLS 1.2+), encryption at rest, access controls, and audit logging. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security.
7. HIPAA and Business Associate Agreement
Where this App is used by a clinic that is a HIPAA Covered Entity in the United States, we operate as a Business Associate. Use of the App in that context is governed by a Business Associate Agreement (BAA) between 3DScanOrthotics, Inc. and the clinic. The BAA controls in the event of any conflict with this Privacy Policy with respect to patient PHI.
8. Your rights
Depending on where you are located, you may have rights with respect to information about you, including:
- Access — request a copy of information we hold about you.
- Correction — request that we correct inaccurate information.
- Deletion — request that we delete information about you, subject to legal retention requirements.
- Portability — request that we provide information in a machine-readable format.
- Objection / restriction — object to or restrict certain processing.
To exercise any of these rights, contact us at privacy@3dscanorthotics.com. We will respond within the period required by applicable law (typically 30 days).
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected and the right to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.
9. International transfers
We are based in the United States. If you access the App from outside the United States, your information will be transferred to and processed in the United States. Where required, we rely on Standard Contractual Clauses adopted by the European Commission or other appropriate safeguards for international transfers.
10. Third-party software in the App
The App is built using the following third-party libraries, none of which transmit data off the device on our behalf:
- ZipArchive — used to package order files for upload; operates locally.
The full PrivacyInfo manifest declaring required-reason APIs is included in the App bundle and available to Apple at App Review.
11. Children's privacy
The App is not directed at children under 13 and is intended for use only by licensed adult clinicians. We do not knowingly collect any information from clinicians under 18. If you believe a minor has used the App, contact us at privacy@3dscanorthotics.com and we will take appropriate steps.
12. Medical disclaimer
The App is a data-capture and ordering tool for licensed clinicians. It is not intended to diagnose, treat, cure, or prevent any medical condition. Clinical decisions remain the responsibility of the prescribing clinician. No information presented by the App constitutes medical advice to any patient.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active clinics by email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
14. Contact us
For any questions about this Privacy Policy or our privacy practices, contact:
3DScanOrthotics, Inc.
800 S. Central Ave STE 202, Glendale, CA 91204
Email: privacy@3dscanorthotics.com
Privacy inquiries: privacy@3dscanorthotics.com
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. EU/UK residents may contact the supervisory authority in their country of residence.