This policy explains how PAfolio collects, uses and protects your personal data. We are committed to handling your data responsibly and in compliance with UK GDPR and the Data Protection Act 2018.
1. Who we are
PAfolio is a clinical portfolio service for Physician Associates (PAs) and Anaesthesia Associates (AAs) registered with the General Medical Council (GMC) in the United Kingdom.
PAfolio is operated as a sole trader business based in the United Kingdom. We are registered with the Information Commissioner's Office (ICO) as a data controller.
2. What data we collect
Information you provide directly
- Account information: Your full name, email address, NHS Trust, speciality and job title
- GMC registration details: Your GMC reference number and registration date
- Portfolio content: CPD logs, significant event reflections, quality improvement activities, appraisal records, scope of practice declarations, competency records and procedure logs
- Colleague and patient feedback: Aggregated and anonymised feedback scores - we do not store identifiable information about patients or colleagues who provide feedback
- Payment information: Processed securely via Stripe - we never store your card details
Information collected automatically
- Browser type and device information
- IP address and approximate location
- Pages visited and time spent on the site
- Cookie data (see section 8)
Important: All significant event entries and patient feedback must be fully anonymised before submission. PAfolio does not accept or store any patient identifiable information.
3. Why we collect it and our legal basis
Under UK GDPR, we must have a lawful basis for processing your personal data. Our legal bases are:
- Contract performance: To deliver the PAfolio service you have subscribed to, including building and maintaining your portfolio
- Legitimate interests: To improve our service, ensure security, and send you relevant service updates
- Legal obligation: To comply with UK data protection law, financial regulations and ICO requirements
- Consent: For marketing emails and optional cookies - you may withdraw consent at any time
4. How we use your data
We use your personal data to:
- Create and maintain your GMC-compliant portfolio dashboard
- Update your portfolio when you send us new evidence or CPD records
- Send you service emails - portfolio updates, renewal reminders, and revalidation deadline alerts
- Process your annual subscription payment via Stripe
- Provide customer support when you contact us
- Improve the PAfolio platform based on usage patterns
We will never sell your data to third parties, use it for advertising, or share it without your consent except as described in section 5.
5. Who we share your data with
We only share your data with trusted third parties who help us deliver the service:
- Stripe: Payment processing - subject to Stripe's privacy policy and PCI DSS compliance
- Netlify: Website hosting - servers based in the EU/UK
- MailerLite: Email communications - GDPR compliant
- Virtual assistants: Where we use third-party support to help update portfolios, they are bound by a strict data processor agreement and are not permitted to access, copy or retain any personal data
All third parties are required to handle your data in accordance with UK GDPR. We do not transfer your data outside the UK or EEA without appropriate safeguards in place.
6. How long we keep your data
- Active subscribers: We retain your data for as long as your subscription is active
- After cancellation: We will delete your data within 60 days of your subscription ending, unless you request earlier deletion
- Payment records: Retained for 7 years as required by HMRC financial regulations
- Anonymised analytics: May be retained indefinitely as they contain no personal data
7. Your rights
Under UK GDPR you have the following rights:
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Ask us to correct any inaccurate data
- Right to erasure: Ask us to delete your data (the "right to be forgotten")
- Right to restrict processing: Ask us to limit how we use your data
- Right to data portability: Receive your data in a machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent for marketing at any time
To exercise any of these rights, contact us at hello@pafolio.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.
8. Cookies
PAfolio uses the following types of cookies:
- Essential cookies: Required for the website to function - no consent needed
- Analytics cookies: Help us understand how visitors use the site (e.g. Google Analytics) - only set with your consent
- Preference cookies: Remember your settings and preferences - only set with your consent
You can manage or withdraw cookie consent at any time using the cookie settings banner on our website, or by adjusting your browser settings.
9. Security
We take the security of your data seriously. Our measures include:
- SSL encryption on all pages (HTTPS)
- Secure password storage - passwords are never stored in plain text
- Access controls - only authorised personnel can access your data
- Regular security reviews of our hosting and third-party services
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours as required by UK GDPR.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make significant changes we will notify you by email and update the "Last updated" date at the top of this page. Your continued use of PAfolio after changes are made constitutes acceptance of the updated policy.
11. Contact us
If you have any questions about this Privacy Policy or how we handle your data, please contact us: