C
CREDENTIA
Turn Evidence Into CESR

Privacy Policy

Last updated: May 2026
Your privacy matters to us. This policy explains what personal data we collect, why we collect it, how it is used, and your rights under UK data protection law.

1. Who We Are

Credentia is operated by Medberry Ltd, registered in England and Wales ("we", "us", "our"). We are the data controller for the personal data processed through the Credentia platform.

Data protection contact: hello@credentia.pro

2. What Data We Collect

Account & Profile Data

Data Why we collect it Legal basis
Email address Account creation, sign-in via magic link, service communications Contract performance
Marketing opt-in preference Sending product updates and news by email, where you have opted in Consent
Full name Personalising your portfolio and generated documents Contract performance
GMC number Identifying your specialty pathway and generating CESR materials Contract performance

Portfolio & Evidence Data

We store the evidence entries, document metadata, and portfolio state you create within the app. This data is held in our database (Supabase, hosted in the EU) and linked to your user account.

Documents You Upload

When you use AI-assisted features such as document analysis, text extraction, or anonymisation, the content of the document is transmitted to our servers and then to a third-party AI provider (see Section 5) for processing. We do not permanently store the raw content of uploaded documents beyond what is necessary to return a result to you.

Usage Data

We may collect standard technical data such as your browser type, IP address, and pages visited for the purpose of maintaining security and improving the service. This data is not used for advertising profiling.

3. Special Category Data

Clinical documents you upload may contain special category data (health information) relating to patients or yourself. You should anonymise or redact patient-identifiable information before uploading documents, using our built-in redaction tools or your own process. We process any residual special category data in uploaded documents solely on the basis of your explicit consent, given at the point of upload, and only to the extent necessary to provide the AI feature you requested.

4. How We Use Your Data

We do not sell your personal data, use it for advertising, or share it with any party beyond those described in this policy.

5. Third-Party Processors

We use the following third-party services to deliver Credentia. Each acts as a data processor under our instructions:

Processor Purpose Location
Supabase Database, authentication, and file storage EU (AWS eu-west-1)
OpenAI AI document analysis, evidence extraction, content generation USA (SCCs / UK IDTA in place)

Data transferred to processors in the United States is covered by Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), ensuring an equivalent level of protection to that required under UK GDPR.

6. Data Retention

7. Your Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights:

To exercise any of these rights, contact us at hello@credentia.pro. We will respond within one calendar month.

8. Cookies & Local Storage

Credentia uses browser local storage to save your portfolio state and preferences between sessions. We do not currently use third-party tracking cookies or advertising cookies. Supabase authentication may set a session cookie necessary for keeping you logged in.

9. Security

We implement industry-standard security measures including encrypted data transmission (HTTPS/TLS), hashed authentication tokens, and role-based access controls. You are responsible for keeping your sign-in email address secure and for not sharing magic-link sign-in emails.

10. Children

Credentia is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect. The "last updated" date at the top of this page will always reflect the current version.

12. Complaints

If you have concerns about how we handle your personal data, please contact us first at hello@credentia.pro. You also have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
ico.org.uk/make-a-complaint
0303 123 1113