Privacy Policy
For LeoShape Software Services
Effective Date: March 11, 2026
1. Introduction and Our Roles
This Privacy Policy explains how Leopoly Ltd. (Registered office: 6000 Kecskemét, Homokszem u. 3., Hungary) and Leopoly Next Inc. (3 E 3RD AVE San Mateo Clocktower, CA 94401, USA) — collectively referred to as “Leopoly”, “Service Provider”, “we”, “us”, or “our” — collect, use, store, and protect personal and health-related data when you use the LeoShape editors, the Order Management System (OMS), and the LeoCapture mobile application (collectively: the “Services”).
To align our practices with key data protection laws, including the European General Data Protection Regulation (GDPR) and, where applicable, the U.S. Health Insurance Portability and Accountability Act (HIPAA), Leopoly acts in two distinct legal capacities depending on the type of data:
- As a Data Controller: When we collect and process the personal data of the professionals, clinics, doctors, or technicians (hereinafter: “Subscribers” or “Users”) who register to use our Services (e.g., account credentials, billing information).
- As a Data Processor / Business Associate: When we store and process the personal and health-related data of the patients uploaded or captured by our Subscribers using our Services (e.g., 3D scans, diagnoses, order details). In this scenario, the Clinic / Professional is the Data Controller / Covered Entity, responsible for obtaining patient consent. Leopoly processes this data solely on behalf of the Subscriber, strictly following their instructions and the applicable Data Processing Agreement (DPA) or Business Associate Agreement (BAA).
2. Information We Collect
A) Information Collected from Subscribers (Professionals):
- Identification Data: Email address, name (optional), passwords (encrypted).
- Contractual and Billing Data: Company details, workplace, job title, and payment information.
- Technical and Usage Data: IP addresses, login timestamps, browser and device types, and analytics regarding the usage of the Services (e.g., number of downloads, edits performed).
B) Information Managed about Patients (Processed on behalf of Subscribers):
While using the Services, Subscribers can extensively customize which patient data they record. We treat all such data as sensitive health data and, where applicable for U.S. healthcare customers, as Protected Health Information (PHI). This may include:
- Patient name or identification number.
- Patient address (for shipping purposes).
- 3D scans and captures of limbs or other body parts.
- Scan dates, order IDs, and order status history.
- Final orthosis/prosthesis geometry and CAD design parameters.
- Free text notes (which may contain medical history, clinical relationship, or manufacturing instructions).
- Patient-clinician-doctor relationship details.
- Project files for the orthosis editor.
- Photos of human body parts and order forms, produced by the clinician.
3. Purpose and Legal Basis for Processing
For Subscriber (Professional) Data:
- Purpose: To provide access to the software, manage user permissions within the OMS, provide customer support, process billing, maintain system security, and enforce our Terms of Service (ToS).
- Legal Basis (under GDPR): Processing is necessary for the performance of a contract (Art. 6(1)(b)) and our legitimate interests in improving and securing our software (Art. 6(1)(f)).
For Patient Data:
- Purpose: To provide the core functionalities of the software (3D scanning, CAD editing, order management, and tracking) for Clinics and Labs to prepare for the manufacturing process (3D printing / CNC). We never use patient data for our own marketing purposes, nor do we sell this data to third parties.
- Legal Basis (under GDPR): The legal basis for uploading patient data is established by the Data Controller (the Clinic/Doctor), for example on the basis of healthcare provision or other applicable legal grounds under the GDPR and/or HIPAA. Leopoly acts solely upon the instructions of the Clinic based on the executed DPA/BAA.
4. Data Security (HIPAA & GDPR Compliance)
Safeguarding the Protected Health Information (PHI) and personal data uploaded to our Services is our top priority.
- Encryption: Data is encrypted both in transit and at rest on our servers.
- Access Controls: Within the OMS, our Subscribers can configure strict, role-based access levels. Leopoly personnel only access specific patient data when explicitly authorized by the Subscriber for technical support or troubleshooting.
- Hosting Infrastructure: Data is securely hosted with industry-leading cloud service providers (e.g., Amazon Web Services – AWS). We strive to respect data residency requirements for region-sensitive clients (e.g., hosting the production environment for U.S. clients in the US and for EU clients in the EU), subject to our infrastructure design and the terms of the applicable DPA/BAA.
5. Data Sharing and Sub-processors
We only share personal and health data with trusted sub-processors strictly necessary for operating our Services:
- Cloud Hosting Providers (e.g., AWS).
- Payment Processors (e.g., Stripe – exclusively for Subscriber billing data; they do not have access to patient data).
- Manufacturing Integrations: If a Subscriber chooses to forward data directly to a third-party laboratory or 3D printing service via the OMS or Editor, this transfer is executed strictly at the Subscriber’s command and responsibility.
Leopoly executes appropriate Data Processing Agreements and Business Associate Agreements with all sub-processors to ensure GDPR and HIPAA compliance.
Where we engage sub‑processors located outside the EEA, any transfer of personal data is carried out on the basis of the Data Controller’s documented instructions and appropriate safeguards, such as the EU Standard Contractual Clauses and, where applicable, the EU‑U.S. Data Privacy Framework, supplemented by additional technical and organizational measures where required.
6. Data Retention Policy
- Subscriber Data: We retain your account data for as long as your contract (ToS) is active, or as required by applicable accounting and tax laws.
- Patient Data: 3D models, order IDs, and notes are stored as long as the Clinic uses our Services and in accordance with the data retention instructions and legal obligations of the Clinic as Data Controller. If a Subscriber terminates their contract, all associated patient data will be deleted from our servers or returned upon request, in accordance with the terms of the DPA/BAA. Subscribers can also independently delete their patients’ data from the OMS at any time.
7. Data Subject Rights (Access, Correction, Deletion)
If you are a User of the Software (Professional / Doctor): You have the right to request access to, correction, or deletion of your personal data, or object to its processing under the GDPR. You can exercise these rights by contacting us at privacy@leopoly.com. Please indicate “Data protection” or “Data breach notification” in the subject line so that we can ensure your request is handled without undue delay.
If you are a Patient (whose data was recorded in our system by your doctor): Because Leopoly acts as a Data Processor/Business Associate, you must exercise your data privacy rights (such as access, correction, or deletion under the GDPR, or your HIPAA rights) directly with your healthcare provider or Clinic (the Data Controller/Covered Entity). Leopoly is contractually obligated to assist Clinics technologically in fulfilling these requests promptly.
8. International Data Transfers
Because Leopoly Ltd. is based in the European Union and Leopoly Next Inc. is based in the United States, cross-border data transfers may occur.
Any such cross‑border transfers of personal data relating to individuals in the EEA/UK will be carried out only on the basis of the Data Controller’s documented instructions and subject to appropriate safeguards as required by applicable data protection laws.
- For United States clients (HIPAA), data is stored on servers located within the USA.
- For European Union clients (GDPR), data is stored within the EU (e.g., AWS Frankfurt/Ireland). If international data transfer is required, we rely on legally approved mechanisms such as Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework.
9. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy periodically to reflect changes in our Services or legal requirements. We will notify our Subscribers of any material changes via the OMS platform or by email prior to the changes taking effect.
10. Contact Us
If you have any questions about our privacy practices, data processing, or DPA/BAA agreements, please contact us at:
- Email: privacy@leopoly.com
- Mailing Address (EU): Leopoly Kft., 6000 Kecskemét, Homokszem u. 3., Hungary
- Mailing Address (USA): Leopoly Next Inc., 3 E 3RD AVE San Mateo Clocktower, CA 94401 USA