1. Who we are
Resident Doctors Training (“we”, “us”, “our”) operates the website residentdoctor.uk — a platform that allows resident doctors in the United Kingdom to browse GMC National Training Survey data, leave reviews of hospital training placements, and track their training rotations.
For questions about this policy or your personal data, contact us at: [email protected]
2. Data we collect
We collect the following categories of personal data:
- Account information: Your NHS email address and password (stored securely via Supabase Authentication). We require an NHS email address to verify that users are healthcare professionals.
- Profile information: Your optional nickname/display name, training level, specialty, and current hospital. This is provided voluntarily.
- Training rotations: Hospital placements you log on your personal dashboard, including hospital name, specialty, dates, private notes, and personal ratings. Rotation data is private and visible only to you.
- Reviews and comments: Hospital reviews and discussion comments you submit. Reviews are published publicly on the relevant hospital page and attributed to your display name (or as anonymous if no display name is set).
- Usage data: Standard web server logs, including IP addresses, browser type, pages visited, and timestamps. This data is used for security and performance monitoring.
- Mailing list: If you opt in at registration, your email address is stored for the purpose of notifying you about new GMC survey results and relevant platform updates.
3. How we use your data
We use your personal data to:
- Provide and operate the Resident Doctors Training service
- Authenticate your identity and secure your account
- Display your reviews and comments on hospital pages
- Allow you to track and manage your training rotations privately
- Send you a verification email when you create an account (mandatory)
- Send you platform and GMC survey updates if you have opted in (optional)
- Monitor and protect the security and integrity of the platform
- Aggregate anonymised statistics (e.g. number of registered doctors, total reviews)
4. Legal basis for processing
Under UK GDPR, we process your personal data on the following legal bases:
- Contract performance: Processing your account information is necessary to provide the service you have signed up for.
- Legitimate interests: We process usage logs and aggregate statistics to maintain the security of our platform and to improve it.
- Consent: Sending optional marketing emails (mailing list) is based on your explicit opt-in consent at registration. You may withdraw this consent at any time by contacting us.
5. Data sharing
We do not sell, rent, or trade your personal data. We share data only with:
- Supabase Inc.: Our database and authentication provider, acting as a data processor under a Data Processing Agreement. Supabase stores your data on servers located in the EU (Frankfurt, Germany). See Supabase's Privacy Policy.
- Vercel Inc.: Our hosting provider. Web requests pass through Vercel's infrastructure; standard access logs may be retained. See Vercel's Privacy Policy.
- Legal obligations: We may disclose your data if required to do so by law or in response to a lawful request by public authorities.
6. Data retention
- Account data: Retained for as long as your account is active. If you delete your account, your personal data will be erased within 30 days, except where retention is required for legal purposes.
- Published reviews and comments: Retained indefinitely as they form part of the public record of hospital training quality. If you request deletion, we will anonymise or remove the content within 30 days.
- Rotation data: Retained while your account exists. Deleted when your account is deleted.
- Server logs: Retained for up to 90 days for security and debugging purposes.
7. Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your personal data (“right to be forgotten”).
- Right to restriction: Request that we limit how we use your data.
- Right to data portability: Receive your data in a portable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent (e.g. mailing list), you may withdraw at any time without affecting prior processing.
To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
We use only essential cookies required for authentication (session tokens set by Supabase). We do not use any third-party tracking, advertising, or analytics cookies. No cookie consent banner is required as we use strictly necessary cookies only.
9. Security
All data is transmitted over HTTPS. Passwords are hashed using industry-standard algorithms via Supabase Authentication. We apply row-level security policies to ensure users can only access their own private data (rotations, profile). We regularly review our security practices.
10. Children
This service is intended for registered medical professionals and is not directed at anyone under the age of 18. We do not knowingly collect data from minors.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The “Last updated” date at the top of this page will always reflect the most recent revision.
12. Contact
For any privacy-related questions or requests, please contact: [email protected]