Credentia is operated by Medberry Ltd, registered in England and Wales ("we", "us", "our"). We are the data controller for the personal data processed through the Credentia platform.
Data protection contact: hello@credentia.pro
| Data | Why we collect it | Legal basis |
|---|---|---|
| Email address | Account creation, sign-in via magic link, service communications | Contract performance |
| Marketing opt-in preference | Sending product updates and news by email, where you have opted in | Consent |
| Full name | Personalising your portfolio and generated documents | Contract performance |
| GMC number | Identifying your specialty pathway and generating CESR materials | Contract performance |
We store the evidence entries, document metadata, and portfolio state you create within the app. This data is held in our database (Supabase, hosted in the EU) and linked to your user account.
When you use AI-assisted features such as document analysis, text extraction, or anonymisation, the content of the document is transmitted to our servers and then to a third-party AI provider (see Section 5) for processing. We do not permanently store the raw content of uploaded documents beyond what is necessary to return a result to you.
We may collect standard technical data such as your browser type, IP address, and pages visited for the purpose of maintaining security and improving the service. This data is not used for advertising profiling.
Clinical documents you upload may contain special category data (health information) relating to patients or yourself. You should anonymise or redact patient-identifiable information before uploading documents, using our built-in redaction tools or your own process. We process any residual special category data in uploaded documents solely on the basis of your explicit consent, given at the point of upload, and only to the extent necessary to provide the AI feature you requested.
We do not sell your personal data, use it for advertising, or share it with any party beyond those described in this policy.
We use the following third-party services to deliver Credentia. Each acts as a data processor under our instructions:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | EU (AWS eu-west-1) |
| OpenAI | AI document analysis, evidence extraction, content generation | USA (SCCs / UK IDTA in place) |
Data transferred to processors in the United States is covered by Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), ensuring an equivalent level of protection to that required under UK GDPR.
Under the UK GDPR and the Data Protection Act 2018, you have the following rights:
To exercise any of these rights, contact us at hello@credentia.pro. We will respond within one calendar month.
Credentia uses browser local storage to save your portfolio state and preferences between sessions. We do not currently use third-party tracking cookies or advertising cookies. Supabase authentication may set a session cookie necessary for keeping you logged in.
We implement industry-standard security measures including encrypted data transmission (HTTPS/TLS), hashed authentication tokens, and role-based access controls. You are responsible for keeping your sign-in email address secure and for not sharing magic-link sign-in emails.
Credentia is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect data from children.
We may update this privacy policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect. The "last updated" date at the top of this page will always reflect the current version.
If you have concerns about how we handle your personal data, please contact us first at hello@credentia.pro. You also have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
ico.org.uk/make-a-complaint
0303 123 1113