Privacy Policy

Last updated: 2026-05-08. Compliant with the UK GDPR (retained EU Regulation 2016/679) and the Data Protection Act 2018. We are an independent training tool, not affiliated with the GMC.
Short version. We collect the minimum we need to run the product: account email, exam timer, transcripts and voice recordings. Voice recordings are automatically deleted 30 days after each session. We do not sell or share your data with advertisers. You can delete your account and all associated data at any time.

1. Who we are (controller)

PLAB 2 OSCE Trainer ("we", "us") is operated by an independent developer trading as plab2osce.ai. We act as the data controller for the personal data described below.

Where we send your data to a sub-processor (see §6), they act as a processor on our written instructions under Article 28 UK GDPR.

2. What data we collect (categories)

2.1 Account data

2.2 Session data

2.3 Technical data

We do not collect Article 9 special-category health data about you. The clinical dialogue you produce in role-play is fictional training output, not your medical record.

3. Lawful bases for processing (Article 6 UK GDPR)

PurposeLawful basisArticle 6(1) reference
Run the practice sessions you signed up forContract6(1)(b)
Process payments and issue VAT receiptsContract + legal obligation6(1)(b), 6(1)(c)
Educational / analytical use of transcripts to improve station qualityLegitimate interest (training tool quality)6(1)(f)
Abuse prevention, rate limiting, debuggingLegitimate interest (security)6(1)(f)
Lifecycle emails (welcome, exam reminders, retention)Legitimate interest, with opt-out per UK PECR6(1)(f) + PECR reg. 22
Statutory billing record retentionLegal obligation (UK VAT)6(1)(c)

We do not use your data for behavioural advertising. We do not run third-party marketing or tracking pixels.

4. How long we keep it (retention schedule)

CategoryRetention periodTrigger / basis
Voice recordings (R2)30 days from sessionDaily cron purges delete_after rows
Transcripts & examiner reportsUntil account closure + 30 daysArticle 17 erasure on request
Account email + nameUntil account closureSelf-serve delete in dashboard
IP addresses + rate-limit logs14 daysAbuse-only retention
Stripe billing records7 yearsUK VAT statutory minimum
Audit log (auth, billing, GDPR events)7 yearsUK ICO record-of-processing guidance, Art. 30
Lifecycle email metadata (timestamps)Until unsubscribe + 30 daysPECR opt-out evidence

5. International transfers

Some sub-processors run their primary infrastructure outside the UK and EEA. For each transfer we use a UK-recognised transfer mechanism:

You can request a copy of the relevant SCC schedule from hi@plab2osce.ai.

6. Sub-processors

We use a small number of processors that are contractually bound to UK GDPR-grade data handling. The current list:

Sub-processorPurposeRegion
OpenAI, L.L.C.Whisper STT, TTSUSA (SCC)
Anthropic PBCClaude Haiku (patient), Claude Sonnet (examiner)USA (SCC)
Stripe Payments Europe LtdSubscription + one-off billingEU + US group (SCC)
Cloudflare, Inc. (R2)Encrypted-at-rest audio storage, EU bucket preferredEU + US (SCC)
Sentry GmbH (EU region)Error and performance monitoringEU
Supabase Inc. or Neon Inc. (EU region)Postgres database hostingEU (SCC where applicable)
Resend Inc.Transactional and lifecycle emailUSA (SCC)

We will give existing account holders at least 14 days' notice before adding a new sub-processor that materially changes the cross-border picture.

7. Your rights (UK GDPR Articles 15-22)

You can at any time:

Email hi@plab2osce.ai from your registered address. We respond within 30 days, free of charge for the first request in any given 12-month period.

7.1 Right to lodge a complaint with the ICO

If you are unhappy with how we handle your personal data you can complain to the UK Information Commissioner's Office:

You can also complain to the data protection authority in your country of residence.

8. Cookies

We use one strictly necessary cookie (session JWT) and one CSRF double-submit cookie. We do not use marketing, analytics, or third-party tracking cookies. Server-side request counts (without cookies) are used for non-identifying aggregate metrics like "stations completed today". See the cookie banner on first visit for the simple "OK" interaction.

9. Children

This product is built for qualified medical graduates preparing PLAB 2 / UKMLA-CPSA. We do not knowingly collect data from anyone under 18. If you believe we have, email us immediately.

10. Security

Production data is encrypted in transit (TLS 1.2+) and at rest. Audio objects are stored in R2 with signed URLs that expire after 10 minutes. Production credentials are not committed to source control. We follow the Annex II technical and organisational measures set out in our DPA.

11. Changes to this policy

If we change this policy in a way that materially affects your rights or our retention windows, we will email all account holders at least 14 days before the change takes effect.

12. Related documents

Questions: hi@plab2osce.ai