Data Processing Statement
Effective: 2026-04-21 · AustinEco Commerce Limited (Hong Kong).
1. What We Process
- Geometric files uploaded by Clinics: STL, PLY, OBJ, CBCT DICOM bundles.
- Order metadata: specifications, materials, quantities, deadlines, shipping addresses.
- User metadata: names, professional affiliations, payout details.
- Internal patient references: free-text strings that Clinics use to tag Orders. We do not interpret these strings and treat them as opaque.
2. What We Do Not Process
- Patient names, dates of birth, or other direct identifiers.
- Clinical notes, diagnoses, or treatment plans.
- Insurance or billing records.
Clinics must not upload personally-identifiable patient data to the Platform. Use coded patient references only. This applies to identifiers embedded in file metadata as well as to file contents: CBCT DICOM bundles must be de-identified before upload (patient name, patient ID and birth date header tags removed or replaced with the coded reference), and free-text patient references must not contain names or other direct identifiers.
3. How Files Are Used
Uploaded geometric files are (a) transmitted to the assigned Designer or Manufacturer, (b) scanned for geometric validity by an automated quality check, and (c) retained in encrypted storage for the duration of the Order plus 36 months for audit purposes.
Automated QC runs only geometric algorithms (mesh integrity, DICOM series completeness, voxel spacing). No clinical content is analysed.
4. Sharing
Geometric files are shared with the specific Designer or Manufacturer assigned to the Order. They are not shared with any other party except where legally required. Staff of AustinEco may access files for (a) quality check investigation, (b) dispute mediation, or (c) abuse investigation, and only with a recorded reason and full audit trail.
5. Security
- Encryption at rest (AES-256).
- Encryption in transit (TLS 1.3).
- Supabase private storage buckets with signed-URL access (10-minute TTL for staff downloads, 1-year TTL for Order participants).
- Row-level security enforced at the database layer.
- All staff access is logged to an append-only audit table retained for 10 years.
6. GDPR / HIPAA Posture
Because we do not process personally-identifiable patient data, HIPAA does not apply to us directly: we are neither a Covered Entity nor a Business Associate of Clinics. We act as a pure B2B service provider to Clinics. Clinics may be HIPAA Covered Entities or subject to GDPR; they are responsible for ensuring that the data they upload complies with their own regulatory obligations.
For EU-based Clinics, we offer a Data Processing Agreement on request.
7. Retention and Deletion
- Order files: retained for 36 months after Order completion, then deleted.
- Commission ledger: retained for 7 years (tax).
- Staff access logs: retained for 10 years (to support Clinics subject to FDA and HIPAA record-keeping requirements).
- User accounts: deleted on request, except for records required by law.
8. Contact
Data processing inquiries: privacy@austin-eco.com.