Trust Center
Important — independent training tool, not GMC
PLAB 2 OSCE Trainer is not affiliated with, endorsed by or certified by the General Medical Council (GMC). Examiner scoring is a study aid only and does not represent the GMC PLAB 2 examination. Read the full educational disclaimer.
UK GDPR compliance
We process personal data under the UK GDPR (and the Data Protection Act 2018). Voice recordings, transcripts and email metadata are subject to a 30-day retention default with self-serve export and erasure. Our full Data Processing Agreement (UK GDPR Art. 28) covers the processing description, technical & organisational measures (Annex II) and sub-processor list.
- Lawful basis: contract performance for paid users; legitimate interest for free trial.
- Data subject rights: GDPR Art. 15 export + DELETE /api/account self-serve erasure.
- UK transfers: data primarily stored in EU/UK regions (Cloudflare R2 EU, Supabase EU).
- US transfers (OpenAI): governed by the EU-U.S. Data Privacy Framework + Standard Contractual Clauses.
ZB-XXXXXXX (placeholder pending issue).
Once issued, the registration certificate is published at this URL and linked from the footer of every marketing page.
Sub-processors
The following third parties process candidate personal data on our behalf. Each is bound by a written Article 28 contract.
| Sub-processor | Purpose | Region | Data categories |
|---|---|---|---|
| Anthropic (Claude) | LLM provider — patient persona & examiner scoring | USA (SCC + EU-U.S. DPF) | Transcripts (no audio) |
| OpenAI (Whisper STT, fallback TTS) | LLM provider — speech-to-text + voice synthesis fallback | USA (SCC + EU-U.S. DPF) | Audio bytes, transcript |
| ElevenLabs | Production text-to-speech | USA | Synthesised text payload only |
| Cloudflare R2 | Audio object storage (30-day retention) | EU | Audio recordings |
| Supabase Postgres | Primary database | EU | Account data, transcripts, audit log |
| Stripe | Payments & subscription management | UK / EU / USA | Email, payment metadata |
| Resend | Transactional & lifecycle email delivery | USA | Email address, message body |
| Sentry | Error monitoring | USA / EU | User id, request id, stack traces |
| Cloudflare | Pages hosting, edge delivery and object storage | Global edge / EU storage | Standard request logs (IP, UA) |
Security contacts
Vulnerability reports
Email security@plab2osce.ai. We acknowledge within 48 hours and target a fix within 14 days for high-severity issues. Coordinated disclosure preferred.
Data subject requests
Email hi@plab2osce.ai or self-serve via /account. We respond within 30 days as required by UK GDPR.
Status & incidents
Real-time service status: /status. Subscribe to changelog by RSS or watch the changelog page.
Audit & retention
Every authentication, billing change, audio retrieval, export and erasure event is journaled in our audit_log table for 7 years per ICO guidance.
Technical & organisational measures (TOMs)
- TLS 1.3 in transit; AES-256 at rest (Cloudflare R2, Supabase).
- JWT auth with HttpOnly + Secure + SameSite=Strict cookies; CSRF double-submit.
- Per-IP rate limits on /signup, /login. Constant-time admin token comparison.
- Daily cron purges expired audio & transcript rows (default 30 days).
- Sentry error monitoring; structured JSON logs with request-id correlation.
- Quarterly review of sub-processor list; user notice on material changes.
Reporting concerns to the ICO
If you believe we have mishandled your data, you may complain to the UK Information Commissioner's Office. Phone 0303 123 1113 or visit ico.org.uk. We would prefer the chance to fix it first — please email hi@plab2osce.ai.