Version 1.0 · Effective 28 April 2026 · Last updated 28 April 2026
1. Who we are
Jenzer Innovations, trading as MedForm3D ("MedForm3D", "we", "us", "our"), is a Swiss design and additive manufacturing company that produces patient-specific anatomical models, surgical guides, and custom 3D-printed components for healthcare and technical teams.
For the purposes of this notice, the data controller for personal data we collect through this website and our order portal is:
Jenzer Innovations, trading as MedForm3D
Markgräflerstrasse, 4057 Basel, Switzerland
Email: info@medform3d.com
When a clinic or surgeon uploads patient health data through our order portal, the clinic is the data controller for that patient's data and MedForm3D acts as a data processor on the clinic's behalf, governed by our Data Processing Agreement. This notice describes how we, as a controller, handle data about you when you visit the site, sign up for an account, contact us, or order a non-patient product.
2. Scope of this notice
This notice applies to:
- Visitors to medform3d.com and any sub-domain we operate.
- Account holders on the order portal.
- Surgeons, clinical staff, engineers, and procurement contacts who interact with us.
- Recipients of order confirmations, transactional emails, and admin notifications.
It does not describe how a clinic that uses our services handles its own patients' data — that is the clinic's responsibility under its own privacy notice.
3. The legal frameworks that apply
We comply with:
- The Swiss Federal Act on Data Protection (revFADP), in force since 1 September 2023.
- The EU General Data Protection Regulation (GDPR) where it applies because we offer services to people in the European Economic Area.
- The EU ePrivacy Directive as implemented in the user's country, for cookies and similar technologies.
- UK GDPR and the UK Data Protection Act 2018 for users in the United Kingdom.
Where this notice references "GDPR", the equivalent revFADP and UK provisions also apply.
4. Categories of personal data we process
We collect and process the following categories of personal data:
- Identity and contact data: name, professional title, clinic or company name, professional email address, phone number, country.
- Account data: hashed password (we never store it in the clear), account creation date, last login, multi-factor codes (one-time, short-lived).
- Order data: order identifier, requested product type, materials, deadline, internal notes you provide, communication history with our team.
- Patient health data ("special category data") that you upload through the order portal: DICOM medical imaging studies, STL anatomical models, patient age, sex, anatomical pathology, clinical notes, and any other clinical information you choose to share. We process this data only as a processor on behalf of your clinic.
- Files and attachments: any files you upload to support an order or message.
- Technical data: IP address, browser type and version, device type, operating system, language, referring URL, pages viewed, timestamps, and approximate location derived from IP address.
- Cookies and storage: see the Cookie Policy for the full list.
- Communications data: the content of emails, contact-form submissions, push-notification preferences, and any other messages you send us.
5. How we use personal data and the legal basis for each use
We process personal data for the purposes listed below. Each purpose has at least one lawful basis under GDPR Art. 6 (and, where special category data is involved, an additional condition under Art. 9):
5.1 Providing the service
- Purpose: creating and authenticating your account, processing orders, producing the requested model, communicating about your case, and delivering the result.
- Legal basis: performance of a contract with you (Art. 6(1)(b)); for patient health data where we act as processor, the lawful basis is held by the clinic that is the controller, supplemented for our internal handling by Art. 9(2)(h) (preventive or occupational medicine, medical diagnosis, provision of health care or treatment).
5.2 Communicating with you
- Purpose: responding to inquiries, sending order confirmations, providing customer support, and notifying you of issues that affect your order.
- Legal basis: performance of a contract (Art. 6(1)(b)) or our legitimate interest in supporting the relationship (Art. 6(1)(f)).
5.3 Security, fraud prevention, and abuse mitigation
- Purpose: protecting our services, detecting and blocking malicious activity, rate-limiting login and reset flows, and investigating security incidents.
- Legal basis: our legitimate interest in keeping the service secure (Art. 6(1)(f)) and compliance with our security obligations (Art. 6(1)(c)).
5.4 Legal and regulatory compliance
- Purpose: meeting record-keeping, tax, accounting, medical-record retention, and other obligations under Swiss and applicable EU law.
- Legal basis: compliance with a legal obligation (Art. 6(1)(c)); for special category data, Art. 9(2)(h) and (i) where applicable.
5.5 Improving the service
- Purpose: understanding which pages and flows are useful, fixing bugs, and prioritising new features.
- Legal basis: your consent (Art. 6(1)(a)) for non-essential analytics. We do not run analytics on the patient health data you upload.
5.6 Marketing
- Purpose: sending occasional product updates and event invitations to professional contacts who have requested them.
- Legal basis: your consent (Art. 6(1)(a)). You can opt out at any time using the unsubscribe link or by emailing us.
6. Who we share personal data with
We work with a small number of trusted infrastructure providers (hosting, file storage, database services, transactional email, and aggregated performance metrics) to operate the service. They process your data on our behalf, on servers located in the European Union or Switzerland, under written agreements that bind them to confidentiality, security, and our instructions. We do not share personal data with marketing partners, data brokers, or other third parties, and we do not sell personal data or use it for behavioural advertising.
Beyond these infrastructure providers, we may disclose personal data to:
- Our professional advisers (lawyers, accountants, auditors) under duties of confidentiality.
- Public authorities when required by law, court order, or to defend our legal interests.
- A successor entity in the event of a merger, acquisition, or asset transfer, subject to the same protections described in this notice.
You can request the current list of infrastructure providers we use by writing to info@medform3d.com.
7. Where your data is stored
Personal data we process about you is hosted on infrastructure located in the European Economic Area and Switzerland. We do not routinely transfer personal data to countries outside these regions, and we do not share it with partners outside our processing arrangements.
Where, exceptionally, a provider needs access to data from outside the EEA or Switzerland (for example, vendor support engineers handling a specific incident), we put in place the safeguards required by GDPR Chapter V and the revFADP — including Standard Contractual Clauses and the equivalent Swiss provisions, combined with technical measures such as encryption in transit and at rest. You can request a copy of the safeguards in place by writing to info@medform3d.com.
8. How long we keep personal data
We keep personal data for the shortest period that is consistent with the purpose for which it was collected and applicable law. Indicative retention periods:
- Account data: while the account is active and for up to 24 months after closure, then deleted or anonymised.
- Order data and related communications: for the duration of the engagement and for up to 10 years after delivery to comply with Swiss commercial-record obligations and product-liability limitation periods.
- Patient health data uploaded by clinics: processed only on instruction from the controlling clinic. By default we delete the source files within 90 days of order completion unless the clinic instructs otherwise. Some derived production records may be kept longer to comply with medical-device record-keeping rules.
- Security and audit logs: up to 12 months.
- Marketing consents and unsubscribe records: until you unsubscribe, plus a suppression record kept indefinitely so we don't accidentally contact you again.
- Cookies: see the Cookie Policy for individual durations.
9. Your rights
Subject to local law you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase personal data, subject to retention obligations described above.
- Restrict processing while we investigate a request.
- Object to processing based on our legitimate interests.
- Receive a portable copy of data you provided to us, in a structured machine-readable format.
- Withdraw consent at any time, where processing is based on consent — without affecting processing already carried out.
- Lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch, or with your local EU supervisory authority.
To exercise any right, write to info@medform3d.com or use the form on the Contact page (subject: "Privacy request"). We respond within 30 days. We may ask for proof of identity to make sure we are not disclosing data to the wrong person.
For patient health data, please address requests to the clinic that controls that data. We will support the clinic in responding within the statutory deadline.
10. Cookies and tracking technologies
We use a small number of cookies, plus browser localStorage and sessionStorage, for sign-in, security, and (with your consent) analytics. The full list is in the Cookie Policy. You can change your choices at any time using the "Cookie preferences" link in the footer.
11. Security
We implement technical and organisational measures appropriate to the risk, including:
- TLS/HTTPS for data in transit, enforced site-wide via HTTP Strict Transport Security.
- Encryption at rest for uploaded files and account data held in our managed file storage and database.
- Hashed passwords (bcrypt) and short-lived multi-factor codes; we never see your password.
- Role-based access — only admin-flagged accounts can read order data, and we record who accessed what.
- Strict Content Security Policy, frame-ancestor restrictions, and a hardened cookie/storage policy.
- Due diligence and signed Data Processing Agreements with each infrastructure provider described in section 6.
- Rate-limiting, anomaly detection, and a documented incident-response runbook.
No system is perfectly secure. If you believe your account has been compromised, email info@medform3d.com immediately.
12. Personal data breaches
If a breach is likely to result in a risk to your rights or freedoms we will notify the FDPIC and, where applicable, the lead EU supervisory authority within 72 hours of becoming aware. We will notify affected individuals without undue delay where the risk is high.
13. Children's data
This site is intended for healthcare and technical professionals. We do not knowingly collect personal data from children under 16. Where a clinic uploads pediatric patient data through the order portal, the clinic is responsible for the lawful basis and parental consent.
14. Automated decision-making and AI
We do not make decisions that produce legal or similarly significant effects about you using purely automated means.
Where you opt to use the AI-assisted 3D-model generation feature, the inputs you submit for that purpose are processed by a specialised third-party AI provider on our behalf, and the resulting model is returned to your account. The output is reviewed by our team before any production work begins.
15. Changes to this notice
We update this notice when our practices change. The version number and effective date at the top of the page are updated each time. Material changes will be highlighted at the top of the page and, where appropriate, communicated by email or through the order portal.
16. Contact
For privacy questions, data-subject requests, and breach reports, write to info@medform3d.com. For all other inquiries, please use the Contact page.