Privacy Policy
Last Updated: May 2026
1. Introduction
Paediatric Mentor (“we”, “us”, or “our”) is committed to protecting the privacy of our users. This policy outlines how we collect, use, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller
The data controller responsible for your personal data is Paediatric Mentor Ltd, a company registered in England and Wales. We are registered with the Information Commissioner’s Office (ICO) under registration number ZC086059.
2. Information We Collect
We limit data collection to what is strictly necessary to provide our educational services:
- Account Information: Name and email address provided during registration.
- Authentication Data: If you sign in via Google OAuth, we receive your name and email address from Google. We do not access your Google password or any other Google account data.
- Performance Data: Records of your MCQ answers, scores, bookmarks, annotations, and progress to power your personalised dashboard.
- Payment Data: Payments are processed by Stripe. We store a Stripe customer reference ID to manage your subscription. We do not store or have access to your full card details.
- Technical Data: IP addresses, browser type, and device information collected for security and system monitoring.
- Cookie Data: Essential cookies for authentication and session management. See our Cookie Policy for full details.
3. Lawful Basis for Processing
We process your data under the following legal bases:
- Contractual Necessity (Article 6(1)(b)): To provide you with the subscription services you have purchased, including account management, question delivery, and progress tracking.
- Legitimate Interests (Article 6(1)(f)): For platform security, fraud prevention, and service improvement.
- Consent (Article 6(1)(a)): For optional analytics or marketing communications, which you may withdraw at any time.
4. How We Use Your Data
- To authenticate your login and secure your account.
- To deliver clinical vignettes and track your MRCPCH preparation progress.
- To process payments via our third-party provider, Stripe.
- To send transactional emails (password reset, subscription confirmation).
- To monitor platform security and prevent misuse.
5. Third-Party Services (Sub-Processors)
We use the following third-party services to deliver the platform. Each processes personal data on our behalf under appropriate safeguards:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database hosting | All account and performance data | EU (Frankfurt) |
| Render | Backend API hosting | API requests, authentication tokens | EU / US |
| Vercel | Frontend hosting | Page requests, cookies | Global CDN |
| Stripe | Payment processing | Customer ID, payment method, billing | US (EU SCCs in place) |
| Google | OAuth sign-in | Name, email (if Google login used) | US (EU SCCs in place) |
| Resend | Transactional email | Email address, email content | US (EU SCCs in place) |
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the ICO.
6. Data Retention
We retain your data as follows:
- Active accounts: Data is retained for as long as your account is active and your subscription is current.
- Inactive accounts: If your account has had no login activity for 12 months, we will delete your account and associated data.
- Payment records: Transaction records are retained for 6 years to comply with UK tax and accounting obligations (HMRC requirements).
- Deleted accounts: When you request account deletion, we remove all personal and performance data within 30 days. Payment records are retained as above.
7. Data Security
Your data is stored in a secure cloud environment using PostgreSQL (Supabase) with strict access controls. All data in transit is encrypted via TLS. Authentication uses httpOnly, Secure cookies so that session tokens cannot be read by client-side scripts, limiting the impact of cross-site scripting (XSS) attacks. Access to production systems is restricted to authorised personnel only.
8. Your Rights Under UK GDPR
Under UK data protection law, you have the following rights:
- Right of Access (Article 15): You may request a copy of all personal data we hold about you.
- Right to Rectification (Article 16): You may request correction of any inaccurate or incomplete data.
- Right to Erasure (Article 17): You may request deletion of your account and all associated data.
- Right to Restriction of Processing (Article 18): You may request that we limit how we process your data in certain circumstances.
- Right to Data Portability (Article 20): You may request a copy of your data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): You may object to processing based on legitimate interests at any time.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time.
9. Cookies
We use essential cookies to manage authentication and session state. These are strictly necessary for the platform to function and do not require consent. We do not use advertising or tracking cookies. For full details, please see our Cookie Policy.
10. Children’s Data
This platform is designed for medical professionals and postgraduate trainees. We do not knowingly collect data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. The “Last Updated” date at the top of this page will always reflect the most recent revision.
12. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
13. Contact Us
For any data-related queries, please contact us at admin@paediatricmentor.com.
— End of Privacy Policy —