Privacy Policy
This Privacy Policy explains how Osteofy collects, uses, and protects personal data and protected health information (PHI) processed through our services.
Osteofy provides clinical decision-support tools for bone mineral density analysis. In providing these services, we may process personal data and protected health information (PHI) on behalf of healthcare organisations. This Policy describes our practices as a data processor / business associate; your healthcare provider's own privacy notice will also apply.
Information We Process
Depending on how you use Osteofy, we may process:
- Patient imaging data and associated metadata (e.g. DICOM headers, age, sex, study identifiers).
- Clinical context related to the analysis (e.g. study type, anatomical region, acquisition details).
- Account and usage data for healthcare professionals (e.g. name, email, role, organisation).
- Technical and telemetry data (e.g. IP address, device information, logs) for security and reliability.
How We Use Information
We use the information we process strictly to:
- Provide, maintain, and improve our bone density analysis and reporting services.
- Support clinical users, including troubleshooting, onboarding, and workflow configuration.
- Monitor performance, reliability, and security of the platform.
- Meet legal, regulatory, and contractual obligations with healthcare organisations.
Data Protection & Processing
Osteofy acts as a data processor when providing BMD analysis services to healthcare organisations. Your organisation remains the data controller and is responsible for obtaining appropriate patient consent before submitting imaging data for analysis. We will only process personal data in accordance with your organisation's documented instructions and for the purposes of delivering the contracted clinical analysis services.
We maintain appropriate technical and organisational security measures — including encryption, access controls, and audit logging — to safeguard personal data against unauthorised access, loss, or misuse. These measures are designed to ensure a level of security appropriate to the risk presented by processing PHI and personal data in a healthcare context.
You have the right to request access to, or correction of, your personal data held by Osteofy. We will provide reasonable assistance to your organisation in responding to such requests and in managing data breach notifications to the appropriate supervisory authority and affected individuals in accordance with applicable legal timelines.
Retention periods for imaging data and PHI are governed by our agreements with healthcare organisations and by applicable law. We retain logs and anonymised or de-identified data only for as long as necessary to operate and secure the service, or as required by regulation. Where feasible, we minimise or remove direct identifiers from datasets used for research, benchmarking, or product improvement.
International Transfers
Depending on deployment, data may be processed in data centres located in specific geographic regions. Where personal data is transferred across borders, we implement appropriate safeguards to ensure that transferred data continues to receive an equivalent level of protection, including contractual protections such as standard data transfer agreements. Data residency options can be discussed on request.
AI System Governance & Transparency
Osteofy's AI-assisted BMD analysis system has undergone conformity assessment against applicable standards for medical device software and is operated within a documented quality management system. The system requires ongoing post-market surveillance, performance monitoring, and periodic review of analytical accuracy.
Users are entitled to be informed when they are interacting with an AI system. All Osteofy-generated reports are clearly labelled as AI-assisted outputs. You may contact us to request a description of the system's intended purpose, the categories of data it processes, its known limitations, and the human oversight measures in place. We maintain records of the system's design, training data provenance, and validation performance to support transparency obligations.
Contact
If you have questions about this Privacy Policy or wish to exercise rights available under applicable data protection laws, please contact your healthcare provider in the first instance, or reach out to our team via the contact details provided on the Osteofy website.
This document is provided for information purposes and may be updated from time to time to reflect changes to our services or applicable regulations.
