Data Protection Policy

Last Reviewed: 14th June 2018


Our privacy policy will help you understand what information we collect at Orthinc, how Orthinc uses it, and what choices you have.

When we talk about “Orthinc,” “we,” “our,” or “us” in this policy, we are referring to Orthinc Limited., the company which provides the Services. When we talk about the “Services” in this policy, we are referring to our software. Our Services are currently available for use via a web browser or applications specific your mobile device.

  1. Customer Data

    Content and information submitted by users to the Services is referred to in this policy as “Customer Data.” As further explained below, Customer Data is controlled by the organization or other third party that created the workspace (the “Customer”). Where Orthinc collects or processes Customer Data, it does so on behalf of the Customer. If a user account is created for you on a workspace then you are a “user”. If you are using the Services by invitation of a Customer, that Customer determines its own policies regarding privacy and data protection which may apply to your use of the Services.

  2. Other information

    Orthinc may also collect and receive the following information:

    • Workspace setup information. When a Customer creates a workspace using the Services, we may collect an email address, a workspace name, workspace photo, domain details (such as, user name for the individual setting up the workspace, and password. We may also collect administrative team contact info, such as a mailing address.
    • Account creation information. Users may provide information such as an email address, phone number, and password to create an account.
    • Billing and other information. For Customers that subscribe to a paid version of the Services, our third-party payment processors may collect and store billing address and card information on our behalf. Orthinc stores the last four digits of your sixteen-digit card number for authorization purposes. For more information please visit the Stripe payments website.
    • Services usage information. This is information about how you are using the Services, which may include administrative and support communications with us and information about the workspaces, people, content, and links you interact with.
    • Contact information. Any contact information you choose to import is collected when using the Services.
    • Log data. When you use the Services our servers automatically record information, including information that your browser sends whenever you visit a website or your mobile app sends when you are using it. This log data may include your Internet Protocol address, the address of the web page you visited before using the Services, your browser type and settings, the date and time of your use of the Services, information about your browser configuration and plug-ins, language preferences, and cookie data.
    • Device information. We may collect information about the device you are using the Services on, including what type of device it is, what operating system you are using, device settings, application IDs, unique device identifiers, and crash data.
    • Geo-location information. Precise GPS location from mobile devices is collected only with your permission. WiFi and IP addresses received from your browser or device may be used to determine approximate location.
    • Third party data. Orthinc may also receive information from others to make our own information better or more useful. This might be information, such as which IP addresses go with which postal codes, or it might be more specific information, such as about how well an online marketing or email campaign performed.

How we use your information

We use your information to provide and improve the Services. To fulfil these purposes, we may access data to provide the Services, to prevent or address service or technical problems, to respond to customer support matters, to follow the instructions of our customer who submitted the data, or in response to contractual requirements with our customers.

  1. Customer Data

    Orthinc may access and use Customer Data as reasonably necessary and in accordance with Customer’s instructions to (a) provide, maintain and improve the Services; (b) to prevent or address service, security, technical issues or at a Customer’s request in connection with customer support matters; (c) as required by law or as permitted by the Data Request Policy and (d) as set forth in our agreement with the Customer or as expressly permitted in writing by the Customer. Additional information about Orthinc’s confidentiality and security practices with respect to Customer Data is available at our Confidentiality Policy.

  2. Other information

    We use other kinds of information in providing the Services. Specifically:

    • To understand and improve our Services. We carry out research and analyse trends to better understand how users are using the Services and improve them.
    • To communicate with you by:
      • Responding to your requests. If you contact us with a problem or question, we will use your information to respond.
      • Sending emails and Orthinc messages. We may send you Service and administrative emails and messages. We may also contact you to inform you about changes in our Services, our Service offerings, and important Service related notices, such as security and fraud notices. These emails and messages are considered part of the Services and you may not opt-out of them. In addition, we sometimes send emails about new product features or other news about Orthinc. You can opt out of these at any time.
    • Billing and account management. We use account data to administer accounts and keep track of billing and payments.
    • Communicating with you and marketing. We often need to contact you for invoicing, account management and similar reasons. We may also use your contact information for our own marketing or advertising purposes. You can opt out of these at any time.
    • Investigation and prevention. We work hard to keep the Services secure and to prevent abuse and fraud.
  3. This policy is not intended to place any limits on what we do with data that is aggregated and/or de-identified so it is no longer associated with an identifiable user or Customer of the Services.

Your choices

We use your information to provide and improve the Services. To fulfil these purposes, we may access data to provide the Services, to prevent or address service or technical problems, to respond to customer support matters, to follow the instructions of our customer who submitted the data, or in response to contractual requirements with our customers.

  1. Customer Data

    Customer provides us with instructions on what to do with Customer Data. A Customer has many choices and control over Customer Data. For example, Customer may provision or deprovision access to the Services and manage permissions. Since these choices and instructions may result in the access, use, disclosure, modification or deletion of certain or all Customer Data, please review the help documents for more information about these choices and instructions.

  2. Other information

    If you have any questions about your information, our use of this information, or your rights when it comes to any of the foregoing, contact us at

  3. In addition, the browser you use may provide you with the ability to control cookies or other types of local data storage. Your mobile device may provide you with choices around how and whether location or other data is collected and shared. Orthinc does not control these choices, or default settings, which are offered by makers of your browser or mobile device operating system.

Sharing and Disclosure

There are times when information described in this privacy policy may be shared by Orthinc. This section discusses only how Orthinc may share such information. Customers determine their own policies for the sharing and disclosure of Customer Data. Orthinc does not control how Customers or their third parties choose to share or disclose Customer Data.

  1. Customer Data

    Orthinc may share Customer Data in accordance with our agreement with the Customer and the Customer’s instructions, including:

    • With third party service providers and agents. We may engage third party companies or individuals to process Customer Data.
    • With third party integrations. Orthinc may, acting on our Customer’s behalf, share Customer Data with the provider of an integration added by Customer. Orthinc is not responsible for how the provider of an integration may collect, use, and share Customer Data.
  2. Other information

    Orthinc may share other information as follows:

    • About you with the Customer. There may be times when you contact Orthinc to help resolve an issue specific to a workspace of which you are a member. In order to help resolve the issue and given our relationship with our Customer, we may share your concern with our Customer.
    • With third party service providers and agents. We may engage third party companies or individuals, such as third-party payment processors, to process information on our behalf.
  3. Other types of disclosure

    Orthinc may share or disclose Customer Data and other information as follows:

    • During changes to our business structure. If we engage in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Orthinc's assets, financing, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence).
    • To comply with laws. To comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.
    • To enforce our rights, prevent fraud and for safety. To protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.

    We may disclose or use aggregate or de-identified information for any purpose. For example, we may share aggregated or de-identified information with our partners or others for business or research purposes like telling a prospective Orthinc Customer the average number of jobs created within an Orthinc workspace in a day.

  4. In addition, the browser you use may provide you with the ability to control cookies or other types of local data storage. Your mobile device may provide you with choices around how and whether location or other data is collected and shared. Orthinc does not control these choices, or default settings, which are offered by makers of your browser or mobile device operating system.


Orthinc takes security seriously. We take various steps to protect information you provide to us from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the information we collect, process and store, and the current state of technology.

To learn more about current practices and policies regarding security and confidentiality of Customer Data and other information, please see our Confidentiality Policy and Data Request Policy. We keep these documents updated as these practices evolve over time.

Our Commitment To GDPR

Last Reviewed: 14th July 2018

Our Commitment to You and the Protection of Your Data

We’re committed to partnering with Orthinc customers and users to help them understand the General Data Protection Regulation (GDPR). The GDPR was the most comprehensive EU data privacy law in decades and will came into effect on May 25, 2018.

Besides strengthening and standardising user data privacy across the EU nations, it required new or additional obligations on all organisations that handle EU citizens’ personal data, regardless of where the organizations themselves are located. Here we explain our methods to GDPR-compliance, both for ourselves and for our customers.

Our preparation for the GDPR

The GDPR’s updated requirements were significant and our team worked diligently to bring Orthinc’s product offerings and contractual commitments in line so customers could prepare themselves before May 25, 2018. Measures to achieve this included:

  • Investing in our security infrastructure
  • Changing our policies and product offerings to include new tools for data portability and data management

As we move forward, we will continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies and will adjust our plans accordingly if it changes.

Our Security Infrastructure and Certifications

Protecting our customers’ information and their users’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security.

Orthinc has invested heavily in building a robust security team, one that can handle a variety of issues — everything from threat detection to building new tools. In accordance with GDPR requirements around security incident notifications, Orthinc will continue to meet its obligations and offer contractual assurances.>

Confidentiality Policy

Last Reviewed: 14th June 2018

Confidentiality of Customer Data

We take strict measures to ensure the security of Customer Data. Our confidentiality policy will help to explain these measures and how we deal (and will deal) with situations when/if our measures fail.

Our access to your Data

At Orthinc, we are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. This means that in addition to our security measures, we have strict controls over our own employees’ access to your data. This data includes that which you and your users make available via the Orthinc services, such as job information, jobs costs and client names and addresses. The operation of the services Orthinc provides does require that some Orthinc employees have access to systems which store and process Customer Data. For example, if you are experiencing an issue with Orthinc or would like some assistance, Orthinc employees may be required to look at some of your data in order to diagnose the issue or provide help. These employees are prohibited from accessing this data without securely logging into our system and without the intention of providing customer assistance when necessary.

All Orthinc employees are bound to strict policies regarding Customer Data. They must abide by these policies. They also receive privacy and security training during their onboarding with the company as well as on an ongoing basis. They are also required to agree to our security policy covering the security and confidentiality of Orthinc services.


Orthinc services (including databases) are hosted by Amazon Web Services. Here, Orthinc stores your data and hosts its application. AWS maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website and the AWS Compliance website.

Security Features for Orthinc users

  1. Data Encryption In Transit and At Rest

    Orthinc enforces the https protocol, encrypting data from your computer until it reaches our servers where it is decrypted and processed.

    Once data leaves your computer, it is encrypted to prevent theft during transit and rest. If the data is sensitive, for example customer information, banking details, passwords ect., then it is re-encrypted before being stored on Orthinc’s databases. Additionally, when communicating with third party APIs, such as our billing provider all data is also secured with end-to-end encryption.

    All cookies, including session tokens, are encrypted; so no plaintext sensitive information is stored locally on your computer.

  2. Access Logging

    Logs detailing when users log into Orthinc and the type of device are available to Orthinc employees and to paying users.

    We also make it easy for Orthinc administrators to remotely sign out all devices that their account is logged into using the Orthinc desktop application.

  3. Cookies

    We use cookies to enable and support our security features, and to help us detect malicious activity. You can read more on our use of Cookies in our Cookies Policy.

  4. Deletion of Customer Data

    At Orthinc, we provide the option for account owners to request that we delete their data from our database.

  5. Return of Customer Data

    We provide, upon request by the account owner, exports of your data so that you may review it.


Of course, we understand that you rely on the Orthinc services to consistently work. We’re committed to making Orthinc an extremely reliable and consistently available service. While we put procedures in place to ensure that our commitment is met, our service runs on systems that are sometimes out of our control. Nevertheless, our systems are built to be failure-tolerant. Your data is backed up (at least) hourly and our team is on-call to quickly resolve unexpected incidents.

Incident Management and Response

In the event of a security breach or data loss, Orthinc will promptly notify you. We have incident management policies and procedures in place to handle such events.

Disaster Recovery

Customer Data is stored at multiple locations in our hosting provider’s data centres to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from data loss. Customer Data and our source code are automatically backed up nightly.

Product Security Practices

New, codes, features, functionality, and design changes go through a security review process by our team so that there is no accidental loss of your information.

Data Request Policy

Last Reviewed: 12th February 2018

Customer Data

All information referred to in this document is named as Customer Data (Company Data / Data) and includes job information (descriptions, costs, etc.) , client names and addresses, business information and staff data.

Requests for Customer Data by enquiring individuals

Except in response to legal authority or in cases or emergency as a means to avoid physical harm to people, Orthinc will not disclose Customer Data to anyone outside of our company without the passing of protection measures outlined herein.

If an individual enquires about Customer Data we require them to correctly answer several security questions pertaining to the company which Customer Data belongs to. Such questions will be open-ended and thus will not disclose any Customer Data or Company Data. Only upon proof of identity of the enquiring individual and/or approval of the company owner, will Orthinc employees disclose any Customer Data.

Requests for Customer Data by the law

We take security very seriously. For the disclosure of Customer Data to a legal authority, we require a search warrant issued by a court of competent jurisdiction. In this event, should it occur, Orthinc will review the request individually. We do not voluntarily release Customer Data.

Notifying our customers

All individuals asking for disclosure of Customer Data must pass security questions detailed above. If the enquiring individual is not the owner of the Orthinc account in question, Orthinc will notify the account owner of the event. The enquiring individual must pass all questions and we must receive explicit approval from the account owner before we disclose Customer Data. Should the individual fail to pass the security questions, no Customer Data will be disclosed.

If Orthinc is legally prohibited from notifying the Customer before disclosure due to a non-disclosure agreement for example, we will take reasonable steps to notify the Customer of the Data enquiry after the nondisclosure requirement expires.