Réalta Labs

Privacy Policy

How we collect, use, and protect your data.

Last updated: 28 March 2026

1. Introduction

Realta Labs (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our website at www.realtalabs.com, our clinical ordering portal, and our related services (collectively, the “Service”).

Realta Labs is a trading name of Realta Labs Ltd, registered in Northern Ireland. Our registered address is Co. Down, Northern Ireland.

This policy is drafted in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). We are registered with the Information Commissioner's Office (ICO) as required under data protection legislation.

2. Data Controller and Data Processor Roles

The relationship between Realta Labs and partner clinics follows a controller–processor model:

  • Partner clinics act as data controllers for the personal data of their patients. Clinics determine the purposes and means of processing patient data when they submit orders, upload scan files, and include patient reference information through the Service.
  • Realta Labs acts as a data processor when processing patient data on behalf of partner clinics. We process this data solely for the purpose of fulfilling orthotic orders and maintaining medical device traceability records as required by law.
  • Realta Labs acts as a data controller in its own right for data relating to clinic accounts, website visitors, contact form submissions, and business-related communications.

Data Controller contact: Paul McMullan, Realta Labs, Co. Down, Northern Ireland. hello@realtalabs.com

2.1 Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) is available to all partner clinics upon request. The DPA sets out the scope, nature, and purpose of processing, the types of personal data processed, the categories of data subjects, and the obligations and rights of both parties in accordance with Article 28 of the UK GDPR. Partner clinics may request a copy by contacting hello@realtalabs.com.

3. Data Minimisation

We adhere to the principle of data minimisation as set out in Article 5(1)(c) of the UK GDPR. We only collect personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We do not require patient names, dates of birth, or NHS numbers. Clinics may use their own internal patient reference identifiers when placing orders.

4. Data We Collect

4.1 Clinic Registration Data

When a clinic registers as a partner, we collect: clinic name, business address, phone number, email address, practitioner names, HCPC registration number (or equivalent professional registration), and billing information.

4.2 Patient Data

Patient data is pseudonymised at source. We receive only the clinic's own patient reference or ID — we never require patient names, NHS numbers, or other directly identifiable patient information. Where provided, we may also receive clinical notes and foot measurements via scan files.

4.3 Scan Files

Scan files uploaded to our platform (.stl, .obj, .ply formats) contain geometric data only — three-dimensional surface measurements of the foot. These files do not contain any personally identifiable information.

4.4 Prescription Data

We collect clinical assessment details and prescription parameters submitted by the ordering clinician to manufacture the prescribed orthotic device.

4.5 Contact Form Submissions

When you use our contact form, we collect your name, email address, phone number, clinic name, and your message.

4.6 Website Visitor Data

When you visit our website, we collect minimal technical data necessary for the website to function. We do not use analytics cookies or marketing cookies. See Section 12 (Cookie Policy) for full details.

5. Legal Basis for Processing

Under Article 6 of the UK GDPR, we rely on the following lawful bases for each processing activity:

Processing Activity         Legal Basis            GDPR Article
Clinic registration         Contract performance   Art. 6(1)(b)
Order processing            Contract performance   Art. 6(1)(b)
Patient reference data      Legitimate interest    Art. 6(1)(f) — medical device traceability
Scan files                  Contract performance   Art. 6(1)(b)
Contact form submissions    Consent                Art. 6(1)(a)
Email notifications         Legitimate interest    Art. 6(1)(f) — transactional communications
Website analytics           Legitimate interest    Art. 6(1)(f) — service security and functionality

6. Sub-processors

We use the following third-party sub-processors to deliver the Service. Each sub-processor has been assessed for UK GDPR compliance and appropriate safeguards are in place, including Standard Contractual Clauses where data is transferred outside the UK:

Sub-processor    Purpose                                              Data Processing Location
Supabase Inc.    Database hosting, authentication, and file storage   EU (Frankfurt, Germany)
Vercel Inc.      Website and application hosting                      Global CDN (primary: EU)
Resend Inc.      Transactional email delivery                         United States

We will notify partner clinics of any intended changes to sub-processors, providing clinics with the opportunity to object to such changes in accordance with the DPA.

7. How We Use Your Data

We use the data we collect to:

  • Provide and maintain the Service, including processing orthotic orders and managing clinic accounts
  • Manufacture custom orthotic devices to the specifications prescribed by the ordering clinician
  • Communicate with clinics about order status, delivery, and service updates
  • Maintain medical device traceability records as required by applicable regulations
  • Respond to contact form enquiries
  • Send transactional email notifications (e.g. order confirmations, dispatch notifications) via Resend — we do not send marketing emails without explicit consent
  • Ensure the security and proper functioning of the Service
  • Comply with legal and regulatory obligations

8. Data Storage and Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.3.
  • Encryption at rest: all data stored in our database is encrypted at rest using AES-256.
  • Row Level Security (RLS): database-level access controls ensure that each clinic can only access its own data.
  • Role-based access control (RBAC): access to data within the portal is restricted based on user role (clinician, clinic admin, Realta admin).
  • Signed URLs: scan files and attachments are accessed via time-limited, cryptographically signed URLs rather than public links.
  • Regular security reviews: we conduct periodic reviews of our security measures and access controls.

Your data is stored securely in Supabase, which is hosted in EU data centres (Frankfurt, Germany).

9. Data Retention

  • Order data and production records (including prescription data, scan files, and associated clinic references) are retained for a minimum of 10 years from the date of manufacture, as required by medical device regulations (UK MDR 2002 and MDR 2017/745).
  • Clinic account data is retained for the duration of the business relationship and for six years thereafter, in accordance with UK limitation periods for contractual claims.
  • Contact form submissions are deleted after 12 months.

10. Data Sharing and International Transfers

We do not sell, rent, or trade your personal data. We share personal data only with the sub-processors listed in Section 6, and only to the extent necessary for them to perform their services. We may also disclose personal data where required to do so by law, by a court order, or by a regulatory authority.

Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. This includes reliance on UK adequacy regulations, Standard Contractual Clauses (SCCs) approved by the ICO, or binding corporate rules where applicable.

11. Data Breach Notification

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay in accordance with Article 34. Partner clinics acting as data controllers will be notified promptly so that they may fulfil their own notification obligations.

12. Cookie Policy

Our website uses only strictly necessary cookies that are essential for the Service to function. We do not use analytics cookies, advertising cookies, or marketing cookies.

Cookie Name         Purpose                                                                                      Type                 Duration
sb-*-auth-token     Supabase authentication session — maintains your logged-in state in the clinical portal      Strictly necessary   Session / 1 hour

Because we use only strictly necessary cookies, consent is not required under PECR Regulation 6. No cookie banner is displayed as no optional cookies are set.

13. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  • Right of access (Article 15) — the right to obtain confirmation as to whether personal data concerning you is being processed, and to access that data.
  • Right to rectification (Article 16) — the right to have inaccurate personal data corrected without undue delay.
  • Right to erasure (Article 17) — the right to have your personal data deleted, subject to our legal retention obligations (including medical device traceability requirements).
  • Right to restrict processing (Article 18) — the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability (Article 20) — the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object (Article 21) — the right to object to processing based on legitimate interests.
  • Right to withdraw consent (Article 7(3)) — where processing is based on consent, the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, please contact us at hello@realtalabs.com. We will respond to your request within one month, as required by Article 12(3) of the UK GDPR.

Note for partner clinics: where a patient wishes to exercise their data subject rights in relation to data processed through the Service, the patient should contact their clinic in the first instance, as the clinic is the data controller for that data. Clinics may then contact us to facilitate the request.

14. Automated Decision-Making and Profiling

We do not carry out any automated decision-making or profiling as defined under Article 22 of the UK GDPR. No decisions with legal or similarly significant effects are made about you based solely on automated processing.

15. Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) has been conducted in accordance with Article 35 of the UK GDPR, covering the processing activities described in this policy. The DPIA is reviewed periodically and updated when there are material changes to our processing activities. A summary of the DPIA is available to partner clinics upon request.

16. Children's Data

Our Service is a business-to-business (B2B) platform designed for use by registered healthcare professionals. We do not knowingly collect personal data directly from children. Where a clinic submits an order relating to a minor patient, the clinic (as data controller) is responsible for ensuring that appropriate consent has been obtained and that the processing complies with applicable child data protection requirements.

17. Right to Complain

If you are dissatisfied with how we have handled your personal data or any privacy request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Website: ico.org.uk
  • Telephone: 0303 123 1113

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us at hello@realtalabs.com in the first instance.

18. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. Where changes are material, we will notify partner clinics by email. We encourage you to review this policy periodically.

Questions?

Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us at hello@realtalabs.com or by post to Realta Labs, Co. Down, Northern Ireland.
