Legal

Privacy Policy

We take your privacy seriously. This policy explains what personal data we collect, why we need it, and what your rights are. It is written in plain English — no legal jargon.

Last updated: 28 May 2026

1. Who we are

PAfolio is a cloud-based revalidation portfolio platform for UK healthcare professionals. For the purposes of UK data protection law, PAfolio is the data controller of your personal data.

2. What data we collect

We only collect data that is necessary to provide the service.

Account details

Your name, email address, professional registration number (GMC or NMC), and employer / NHS trust.

Portfolio entries

CPD records, MSF and patient feedback logs, workplace-based assessments (WBAs), reflective accounts, quality improvement projects, practice hours, and appraisal records that you enter yourself.

Device and session data

A device fingerprint, browser type, IP address, and session activity logs used for security and fraud prevention.

Audit logs

A record of actions performed in your account (logins, data saves, exports) retained for security and compliance purposes.

Payment data

We use Stripe to process payments. Stripe collects your card details directly — we never see or store your full card number.

3. Why we collect your data

We collect and use your personal data for the following purposes:

  • To create and manage your account.
  • To store, display and allow you to export your portfolio entries.
  • To process your subscription payments.
  • To send essential service emails (account confirmation, billing receipts, important service notices).
  • To detect and prevent fraud, abuse, or unauthorised access.
  • To comply with our legal obligations.

4. Our legal basis for processing

Article 6(1)(b) — Performance of a contract

The primary lawful basis for processing your data is that it is necessary to perform our contract with you — that is, to provide the PAfolio service you have signed up for.

Article 6(1)(f) — Legitimate interests

We also rely on our legitimate interests to maintain security, prevent fraud, and improve the reliability of the service. We only do this where it does not override your fundamental rights.

5. Where your data is stored

Your data is stored on Supabase, hosted in the EU (Ireland region). All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). We do not transfer your data outside the UK or EEA.

6. How long we keep your data

We retain your personal data for as long as your account is active. If you request deletion of your account, we will delete your personal data within 30 days. Billing records and audit logs may be retained for up to 6 years to comply with UK financial regulations.

7. Your rights

Under UK GDPR you have the following rights. To exercise any of them, email us at support@pafolio.co.uk.

Right of access (Article 15)

You can ask us for a copy of the personal data we hold about you.

Right to rectification (Article 16)

You can ask us to correct any inaccurate or incomplete data.

Right to erasure (Article 17)

You can ask us to delete your personal data. We will do so within 30 days subject to any legal retention obligations.

Right to data portability (Article 20)

You can ask us to provide your portfolio data in a structured, machine-readable format.

Right to object (Article 21)

You can object to processing based on our legitimate interests.

Right to complain

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

We use session cookies only, strictly necessary for authentication (keeping you logged in). We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No cookie banner is required because we only set technically necessary cookies.

9. Payments

Subscription payments are handled by Stripe. When you enter your card details, they go directly to Stripe over an encrypted connection. PAfolio never sees, stores, or logs your full card number, CVV, or expiry date. Stripe is PCI DSS Level 1 certified.

10. Third parties

We only share your data with the following sub-processors, who are contractually bound to protect it. We never sell your data to third parties.

ProviderPurposeLocation
SupabaseDatabase storageEU (Ireland)
StripePayment processingEU / US (SCCs)
RenderApplication hostingEU

11. Children

PAfolio is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has created an account, please contact us at support@pafolio.co.uk and we will delete it promptly.

12. Changes to this policy

If we make any material changes to this Privacy Policy, we will notify you by email at the address associated with your account at least 14 days before the changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy.

13. Contact us

For any questions about this Privacy Policy or to exercise your data rights, please contact us:

You also have the right to make a complaint to the Information Commissioner's Office (ICO) at ico.org.uk.