Privacy Policy
1. Who we are (controller)
PLAB 2 OSCE Trainer ("we", "us") is operated by an independent developer trading as plab2osce.ai. We act as the data controller for the personal data described below.
- Trading name: plab2osce.ai
- Contact: hi@plab2osce.ai
- ICO registration number:
[ICO_REGISTRATION_NUMBER](placeholder — registration in progress; we will publish the number here once issued) - UK GDPR representative (if controller is established outside the UK): see contact email above
Where we send your data to a sub-processor (see §6), they act as a processor on our written instructions under Article 28 UK GDPR.
2. What data we collect (categories)
2.1 Account data
- Email address — login, receipts, lifecycle emails.
- Hashed password — Argon2id; we never see plaintext.
- Name — used in greetings only; optional.
- Country code selected at signup — VAT and country-of-origin analytics; never sold.
- Stripe customer ID — only when you subscribe or buy a burst.
- Planned exam date (optional) — drives the 1-week / 3-day exam reminder emails. Erased on request.
2.2 Session data
- Voice recordings of your spoken candidate turns (webm/opus).
- Whisper transcripts of those recordings.
- AI patient replies (text, plus generated TTS audio).
- Examiner report — IPS / DG / CM grades, rationales, quotes.
- Timer marks, station id, token usage.
2.3 Technical data
- IP address (kept 14 days for abuse detection and rate-limit logs only)
- Browser user-agent
- One strictly necessary cookie containing your session JWT
- One CSRF double-submit cookie
We do not collect Article 9 special-category health data about you. The clinical dialogue you produce in role-play is fictional training output, not your medical record.
3. Lawful bases for processing (Article 6 UK GDPR)
| Purpose | Lawful basis | Article 6(1) reference |
|---|---|---|
| Run the practice sessions you signed up for | Contract | 6(1)(b) |
| Process payments and issue VAT receipts | Contract + legal obligation | 6(1)(b), 6(1)(c) |
| Educational / analytical use of transcripts to improve station quality | Legitimate interest (training tool quality) | 6(1)(f) |
| Abuse prevention, rate limiting, debugging | Legitimate interest (security) | 6(1)(f) |
| Lifecycle emails (welcome, exam reminders, retention) | Legitimate interest, with opt-out per UK PECR | 6(1)(f) + PECR reg. 22 |
| Statutory billing record retention | Legal obligation (UK VAT) | 6(1)(c) |
We do not use your data for behavioural advertising. We do not run third-party marketing or tracking pixels.
4. How long we keep it (retention schedule)
| Category | Retention period | Trigger / basis |
|---|---|---|
| Voice recordings (R2) | 30 days from session | Daily cron purges delete_after rows |
| Transcripts & examiner reports | Until account closure + 30 days | Article 17 erasure on request |
| Account email + name | Until account closure | Self-serve delete in dashboard |
| IP addresses + rate-limit logs | 14 days | Abuse-only retention |
| Stripe billing records | 7 years | UK VAT statutory minimum |
| Audit log (auth, billing, GDPR events) | 7 years | UK ICO record-of-processing guidance, Art. 30 |
| Lifecycle email metadata (timestamps) | Until unsubscribe + 30 days | PECR opt-out evidence |
5. International transfers
Some sub-processors run their primary infrastructure outside the UK and EEA. For each transfer we use a UK-recognised transfer mechanism:
- OpenAI (United States) — Standard Contractual Clauses (SCC) plus the UK Addendum issued by the ICO. Used for Whisper transcription and TTS synthesis. OpenAI's API data policy excludes API content from model training.
- Anthropic (United States) — SCC plus UK Addendum. Used for Claude Haiku (patient AI) and Claude Sonnet (examiner AI). Anthropic's API data policy excludes API content from model training.
- Stripe (Ireland for EU customers, US group) — SCC plus UK Addendum.
- Cloudflare R2 (we deploy to the EU jurisdiction) — primary audio bucket is set to the EU region wherever feasible. Where Cloudflare's control plane crosses borders, the SCC + UK Addendum apply.
- Sentry (United States, EU region selected) — error monitoring; we use the EU SaaS region. SCC + UK Addendum apply.
- Database hosting (EU region) — Supabase or Neon, EU-hosted Postgres.
You can request a copy of the relevant SCC schedule from hi@plab2osce.ai.
6. Sub-processors
We use a small number of processors that are contractually bound to UK GDPR-grade data handling. The current list:
| Sub-processor | Purpose | Region |
|---|---|---|
| OpenAI, L.L.C. | Whisper STT, TTS | USA (SCC) |
| Anthropic PBC | Claude Haiku (patient), Claude Sonnet (examiner) | USA (SCC) |
| Stripe Payments Europe Ltd | Subscription + one-off billing | EU + US group (SCC) |
| Cloudflare, Inc. (R2) | Encrypted-at-rest audio storage, EU bucket preferred | EU + US (SCC) |
| Sentry GmbH (EU region) | Error and performance monitoring | EU |
| Supabase Inc. or Neon Inc. (EU region) | Postgres database hosting | EU (SCC where applicable) |
| Resend Inc. | Transactional and lifecycle email | USA (SCC) |
We will give existing account holders at least 14 days' notice before adding a new sub-processor that materially changes the cross-border picture.
7. Your rights (UK GDPR Articles 15-22)
You can at any time:
- Request a copy of your data (Article 15 — right of access; we provide a JSON export from your dashboard or by email)
- Correct inaccurate data (Article 16)
- Delete your account and associated data (Article 17 — right to erasure)
- Restrict or object to processing (Articles 18 and 21)
- Receive your transcripts and reports in a portable format (Article 20 — data portability)
- Withdraw consent for any processing based on consent (Article 7(3); note: most of our processing is not consent-based)
Email hi@plab2osce.ai from your registered address. We respond within 30 days, free of charge for the first request in any given 12-month period.
7.1 Right to lodge a complaint with the ICO
If you are unhappy with how we handle your personal data you can complain to the UK Information Commissioner's Office:
- Web: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113 (UK)
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You can also complain to the data protection authority in your country of residence.
8. Cookies
We use one strictly necessary cookie (session JWT) and one CSRF double-submit cookie. We do not use marketing, analytics, or third-party tracking cookies. Server-side request counts (without cookies) are used for non-identifying aggregate metrics like "stations completed today". See the cookie banner on first visit for the simple "OK" interaction.
9. Children
This product is built for qualified medical graduates preparing PLAB 2 / UKMLA-CPSA. We do not knowingly collect data from anyone under 18. If you believe we have, email us immediately.
10. Security
Production data is encrypted in transit (TLS 1.2+) and at rest. Audio objects are stored in R2 with signed URLs that expire after 10 minutes. Production credentials are not committed to source control. We follow the Annex II technical and organisational measures set out in our DPA.
11. Changes to this policy
If we change this policy in a way that materially affects your rights or our retention windows, we will email all account holders at least 14 days before the change takes effect.
12. Related documents
Questions: hi@plab2osce.ai