Privacy Policy
Last updated: 28 February 2026
1. Who controls your data
The CPD of CPDs is operated by its registered owner (“we”, “us”, “our”). We are the data controller for personal data processed through this service.
Contact: For all data protection enquiries, please email hello@cpduniverse.com.
If you are based in the United Kingdom, we process your data under the UK GDPR and the Data Protection Act 2018.
2. Data we collect
We collect and process the following categories of personal data:
- Authentication data — email address, hashed password (stored and managed by Supabase Auth).
- Profile data — professional body membership, job title, CPD cycle dates, and regulatory body information you provide during onboarding.
- CPD activity records — activity titles, dates, hours, categories, learning outcomes, and reflective notes you enter into the service.
- Evidence files — documents, images, and certificates you upload as evidence for CPD activities.
- Usage data — pages visited, actions taken, and error events collected automatically for service improvement and security monitoring.
- Technical data — IP address, browser type, and device information collected automatically when you use the service.
3. Purposes and lawful bases
We process your personal data for the following purposes:
- Providing the service (lawful basis: performance of a contract) — creating and managing your account, storing your CPD records, and generating audit-ready reports.
- Security and fraud prevention (lawful basis: legitimate interests) — monitoring for unauthorised access attempts and protecting the integrity of the service.
- Legal compliance (lawful basis: compliance with a legal obligation) — retaining records as required by applicable law and responding to lawful requests from authorities.
- Service improvement (lawful basis: legitimate interests) — analysing usage patterns to improve features and fix bugs.
4. Sharing and processors
We do not sell your personal data. We share data only with the following sub-processors who help us deliver the service:
- Supabase — database hosting and authentication. Data is stored in the EU (West). See Supabase Privacy Policy.
- Vercel — application hosting and edge network. See Vercel Privacy Policy.
- Payment provider (future) — when billing is introduced, a PCI DSS-compliant payment processor will be added. This policy will be updated at that time.
5. International transfers
Your data is stored primarily within the United Kingdom and European Economic Area. Where sub-processors operate outside these regions, we rely on Standard Contractual Clauses or equivalent safeguards as approved under UK GDPR. Supabase and Vercel both publish their transfer mechanisms on their respective privacy pages.
6. Retention and deletion
We retain your personal data only for as long as necessary to provide the service or comply with legal obligations. For a full breakdown of retention windows by data category, see our Data Retention Policy.
When you delete your account, your personal data is scheduled for hard deletion within 30 days, except where retention is required by law. Evidence files are removed from storage within the same window.
7. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your data (“right to be forgotten”) subject to legal retention obligations.
- Restriction — ask us to limit processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email hello@cpduniverse.com. We will respond within one calendar month.
8. Complaints
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
ico.org.uk/make-a-complaint
Helpline: 0303 123 1113
9. Contact us
For any data protection queries or to submit a Subject Access Request, contact: hello@cpduniverse.com