Trust Center

Last updated: 2026-05-08. Compliance, security and the GMC disclaimer in one place.

Important — independent training tool, not GMC

PLAB 2 OSCE Trainer is not affiliated with, endorsed by or certified by the General Medical Council (GMC). Examiner scoring is a study aid only and does not represent the GMC PLAB 2 examination. Read the full educational disclaimer.

UK GDPR compliance

We process personal data under the UK GDPR (and the Data Protection Act 2018). Voice recordings, transcripts and email metadata are subject to a 30-day retention default with self-serve export and erasure. Our full Data Processing Agreement (UK GDPR Art. 28) covers the processing description, technical & organisational measures (Annex II) and sub-processor list.

ICO registration: ZB-XXXXXXX (placeholder pending issue). Once issued, the registration certificate is published at this URL and linked from the footer of every marketing page.

Sub-processors

The following third parties process candidate personal data on our behalf. Each is bound by a written Article 28 contract.

Sub-processorPurposeRegionData categories
Anthropic (Claude) LLM provider — patient persona & examiner scoring USA (SCC + EU-U.S. DPF) Transcripts (no audio)
OpenAI (Whisper STT, fallback TTS) LLM provider — speech-to-text + voice synthesis fallback USA (SCC + EU-U.S. DPF) Audio bytes, transcript
ElevenLabs Production text-to-speech USA Synthesised text payload only
Cloudflare R2 Audio object storage (30-day retention) EU Audio recordings
Supabase Postgres Primary database EU Account data, transcripts, audit log
Stripe Payments & subscription management UK / EU / USA Email, payment metadata
Resend Transactional & lifecycle email delivery USA Email address, message body
Sentry Error monitoring USA / EU User id, request id, stack traces
Cloudflare Pages hosting, edge delivery and object storage Global edge / EU storage Standard request logs (IP, UA)

Security contacts

Vulnerability reports

Email security@plab2osce.ai. We acknowledge within 48 hours and target a fix within 14 days for high-severity issues. Coordinated disclosure preferred.

Data subject requests

Email hi@plab2osce.ai or self-serve via /account. We respond within 30 days as required by UK GDPR.

Status & incidents

Real-time service status: /status. Subscribe to changelog by RSS or watch the changelog page.

Audit & retention

Every authentication, billing change, audio retrieval, export and erasure event is journaled in our audit_log table for 7 years per ICO guidance.

Technical & organisational measures (TOMs)

Reporting concerns to the ICO

If you believe we have mishandled your data, you may complain to the UK Information Commissioner's Office. Phone 0303 123 1113 or visit ico.org.uk. We would prefer the chance to fix it first — please email hi@plab2osce.ai.