Privacy Policy

1. Who we are

PAfolio ("we", "us", "our") is a UK-based digital portfolio platform for Physician Associates and Anaesthesia Associates. PAfolio is operated as a sole trader business in the United Kingdom.

For data protection purposes, we are the Data Controller of your personal information.

Contact: hello@pafolio.co.uk · pafolio.co.uk

2. What data we collect

Account information

• Full name
• Email address (typically NHS email)
• GMC registration number
• NHS Trust / employer
• Professional role (PA or AA)
• Encrypted password (we never see your actual password)

Portfolio data

• CPD activity logs and reflections
• Quality improvement records
• Significant event logs (fully anonymised — no patient data)
• MSF colleague feedback responses (anonymised)
• Patient feedback scores (anonymous — no patient identifiers)
• DOPS, Mini-CEX and CBD assessment records
• Annual appraisal records

Payment information

Payment is processed by Stripe. We do not store your card details. We only receive confirmation that payment was made and your subscription status.

Technical data

• Login timestamps
• Browser type (for security purposes only)

3. How we use your data

• To provide and maintain your PAfolio account
• To store and display your GMC portfolio evidence
• To send you important account emails (receipts, password resets)
• To process your subscription payment via Stripe
• To improve the PAfolio platform based on usage patterns

We never use your data for advertising. We never sell your data. We never share your data with third parties for marketing purposes.

4. Legal basis for processing

Under UK GDPR, we process your data on the following legal bases:

• Contract — to provide the PAfolio service you have subscribed to
• Legitimate interests — to maintain security and improve our service
• Legal obligation — where required by UK law

5. Data storage and security

All data is hosted exclusively in the Supabase Ireland (West) region (eu-west-1), providing full EEA/GDPR compliance. Data is encrypted at rest using AES-256 and in transit over HTTPS/TLS.

Passwords are hashed and never stored in plain text. We implement row-level security (RLS) so users can only access their own data. No data is stored outside the EEA.

PAfolio is designed to align with NHS Data Security and Protection Toolkit (DSPT) standards and is registered with the Information Commissioner's Office (ICO).

We retain your data for as long as your account is active. If you close your account, we delete your personal data within 30 days.

6. Third parties we use

• Supabase — secure database and authentication (Ireland eu-west-1, AES-256 encryption at rest)
• Stripe — payment processing (PCI-DSS compliant)
• Resend — transactional email delivery
• Render — website hosting (UK/EU)
• Cloudflare — DNS and security

Each of these providers is bound by their own GDPR-compliant privacy policies and data processing agreements.

7. Cookies

PAfolio uses only essential cookies required for the service to function:

• Authentication cookies — to keep you signed in securely
• Preference cookies — to remember your settings

We do not use advertising cookies, tracking cookies, or any third-party analytics cookies. We do not use Google Analytics or Facebook Pixel.

8. Your rights under UK GDPR

You have the following rights regarding your personal data:

• Right to access — request a copy of all data we hold about you
• Right to rectification — correct any inaccurate data
• Right to erasure — request deletion of your account and all data
• Right to portability — receive your data in a portable format
• Right to restrict processing — limit how we use your data
• Right to object — object to certain types of processing

To exercise any of these rights, email us at hello@pafolio.co.uk. We will respond within 30 days.

9. Clinical data — important note

PAfolio stores portfolio evidence including CPD logs, significant event reflections and assessment records. Please ensure:

• Significant events are logged in fully anonymised form — no patient names, dates of birth, NHS numbers or other identifiers
• Patient feedback is collected and stored without any patient identifiable information
• You comply with your employer's information governance policies when using PAfolio

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email. Continued use of PAfolio after changes constitutes acceptance of the updated policy.

11. Complaints

If you have concerns about how we handle your data, please contact us first at hello@pafolio.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.