1. Who we are
Skeletal Plan is published by N2 Medical Ltd ("we", "us"), a company registered in England and Wales. Questions about this policy: skeletalsurgery@icloud.com.
2. What the app is
Skeletal Plan is a pre-operative surgical planning and documentation aid for spinal surgeons. It runs entirely on your device (web browser, installed web app, or native app). It is offline-first: all program code and resources are bundled locally and it works without a network connection. There is a single, optional exception in the installed phone apps — an implant-catalogue lookup that never involves any patient or personal data (see section 6).
3. Information we collect
We collect none. The app contains no analytics, no tracking, no advertising, no user accounts, and no telemetry. We do not operate a back-end service that receives your data. We cannot see what you do in the app.
4. Information you enter (including patient-identifiable data)
You may enter clinical information to build a surgical plan or record — which can include patient-identifiable data (PID) such as a name, identifier, date of birth, and procedure details. This information:
- is stored only on your device (in the browser/app local storage), encrypted at rest using the device's standard cryptography (AES-GCM via the Web Crypto API);
- is never transmitted to us or to any third party by the app;
- remains under your control and your organisation's control at all times, and persists only until you delete it or clear the app's data.
Because this information never reaches us, N2 Medical Ltd is neither the data controller nor a data processor of any patient data you enter. The data controller is you and/or the healthcare organisation on whose behalf you act. You are responsible for handling PID in line with your organisation's information-governance rules (in the UK: the UK GDPR, the Data Protection Act 2018, the common-law duty of confidentiality, and the Caldicott Principles).
Safeguards you control: the app offers a privacy mode that omits identifiers from saved files and exports, and you choose whether to save anything to the device at all. On shared or unmanaged devices, do not save identifiable data, and clear the app's data when finished.
5. Camera
On supported devices the app can use the camera to scan implant barcodes (UDI/GTIN). Camera frames are processed on the device only to read the code; no image or video is stored or transmitted. Camera access requires your explicit permission and can be revoked in your device settings.
6. Implant catalogue lookups (installed apps only)
When you scan an implant barcode that is not in the catalogue bundled with the app, the installed phone apps may look the code up against the public US FDA openFDA device registry (api.fda.gov) to identify the implant. Only the implant's barcode / reference number is sent — a product identifier, not patient or personal data. No patient information is ever transmitted. This lookup happens only in the installed phone apps, only when you scan, and only when the implant is not already known to the app. The web and standalone versions make no such call.
7. Sharing your information
We do not share your information, because we do not have it. Any sharing of a plan or record (for example exporting a PDF, or transferring a case by file or QR code) is an action you initiate and control; the data goes only where you send it.
8. Hosting
The web version is served as static files from a content host (GitHub Pages). Like any website, the host may log standard technical request data (such as IP address) to deliver the page; this is governed by the host's own policy and contains none of your clinical data. The installed and native apps load their resources locally and do not contact this host in normal use.
9. Children
The app is a professional tool intended for clinicians and is not directed at children.
10. Your rights
As we hold no personal data about you, there is nothing for us to access, correct, or erase. For any patient data held within the app, the responsible data controller is the clinician or healthcare organisation that entered it; requests relating to that data should be directed to them.
11. Changes
We may update this policy. The effective date above will change accordingly; material changes will be noted on this page.
12. Contact & supervisory authority
Contact: skeletalsurgery@icloud.com. If you are in the UK and have concerns about data handling, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.