Privacy Policy
ACP Portfolio Pro · Aberdour Medical Ltd · Last updated: 10 June 2026
Summary: We store your portfolio entries securely in the UK (EU West, London region). We never sell your data. You can delete your account and all data at any time from within the app.
1. Who we are
ACP Portfolio Pro is operated by Aberdour Medical Ltd, a company registered in England and Wales. We are the data controller for the personal data processed through this app.
Contact: mattwebb1973@gmail.com
2. What data we collect
- Account data: your email address and a hashed password (managed by Supabase Auth).
- Profile data: your name, professional body, registration number, and training pathway — which you provide voluntarily.
- Portfolio entries: clinical narratives and critical reflections you write within the app. You must not include patient-identifiable information. The app automatically removes common PII patterns (NHS numbers, dates of birth, postcodes, patient names) before entries are saved.
- Competency selections: the NHS England framework codes you associate with each entry.
- Usage data: basic technical logs (Supabase platform logs). We do not use third-party analytics trackers.
3. How we use your data
- To provide the portfolio tool — storing, displaying, and exporting your entries.
- To maintain your account and authenticate you.
- To process your payment if you purchase full access (via Stripe — see Section 6).
- We do not use your data for advertising, profiling, or marketing.
4. Legal basis (UK GDPR)
We process your data on the basis of contract performance (Article 6(1)(b)) — providing the app service you signed up for — and legitimate interests (Article 6(1)(f)) for security and fraud prevention.
5. Where your data is stored
All data is stored on Supabase servers located in EU West (London, United Kingdom). Data does not leave the UK. Supabase is ISO 27001 certified and SOC 2 compliant. Your data is encrypted in transit (TLS 1.2+) and at rest.
6. Payments
One-time payments are processed by Stripe. We do not store card details. When you purchase, Stripe shares confirmation with us (your email and payment status) so we can unlock your account. Stripe's privacy policy is at stripe.com/gb/privacy.
7. Your rights under UK GDPR
You have the right to:
- Access a copy of your data — email us and we will respond within 30 days.
- Erasure (Right to be Forgotten) — use the "Delete Account" button in the app's profile section. This permanently deletes your account and all associated portfolio data from our systems immediately.
- Rectification — update your profile data within the app at any time.
- Portability — your portfolio entries are exportable as HTML documents from within the app.
- Object to processing — contact us at the email above.
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.
8. Data retention
We retain your data for as long as your account is active. If you delete your account, all data is deleted immediately and permanently. We do not retain backups of deleted accounts.
9. Patient data and clinical safety
This app is a personal portfolio tool. It is not a clinical decision support system and does not influence patient care decisions. You must not enter patient-identifiable information. The app applies automatic PII redaction as a safeguard, but the responsibility for ensuring entries are de-identified rests with you as the practitioner.
10. Cookies and local storage
The app uses your device's localStorage to cache your portfolio data for offline use. No third-party tracking cookies are used. No advertising cookies are used.
11. Changes to this policy
We may update this policy. If we make material changes, we will notify you via the app. The "Last updated" date at the top of this page will reflect any changes.