Privacy Policy

This Privacy Policy explains how Osteofy collects, uses, and protects personal data and protected health information (PHI) processed through our services.

Osteofy provides clinical decision-support tools for bone mineral density analysis. In providing these services, we may process personal data and protected health information (PHI) on behalf of healthcare organisations. This Policy describes our practices as a data processor / business associate; your healthcare provider's own privacy notice will also apply.

Information We Process

Depending on how you use Osteofy, we may process:

  • Patient imaging data and associated metadata (e.g. DICOM headers, age, sex, study identifiers).
  • Clinical context related to the analysis (e.g. study type, anatomical region, acquisition details).
  • Account and usage data for healthcare professionals (e.g. name, email, role, organisation).
  • Technical and telemetry data (e.g. IP address, device information, logs) for security and reliability.

How We Use Information

We use the information we process strictly to:

  • Provide, maintain, and improve our bone density analysis and reporting services.
  • Support clinical users, including troubleshooting, onboarding, and workflow configuration.
  • Monitor performance, reliability, and security of the platform.
  • Meet legal, regulatory, and contractual obligations with healthcare organisations.

Data Retention

Retention periods for imaging data and PHI are governed by our agreements with healthcare organisations and by applicable law. We retain logs and anonymised or de-identified data only for as long as necessary to operate and secure the service, or as required by regulation. Where feasible, we minimise or remove direct identifiers from datasets used for research, benchmarking, or product improvement.

Security

We implement administrative, technical, and physical safeguards to protect PHI and personal data, including encryption in transit and at rest, access controls, audit logging, and regular security review of our infrastructure and processes. Additional details may be provided in Business Associate Agreements (BAAs) or data processing agreements with your organisation.

International Transfers

Depending on deployment, data may be processed in data centres located in specific geographic regions. For organisations subject to GDPR or similar regulations, we use appropriate safeguards (such as standard contractual clauses) for cross-border data transfers where required, and can discuss data residency options on request.

Contact

If you have questions about this Privacy Policy or wish to exercise rights available under applicable data protection laws, please contact your healthcare provider in the first instance, or reach out to our team via the contact details provided on the Osteofy website.

This document is provided for information purposes and may be updated from time to time to reflect changes to our services or applicable regulations.