Privacy Policy
Last updated 23 June 2026
This policy explains how Command Pulse Portfolios ("we", "us", "our") collects, uses and protects personal data when you use our website and application (the "Service"). We are the data controller for the personal data described here. We process data in accordance with the UK GDPR and the Data Protection Act 2018.
1. Important: no patient data
Command Pulse Portfolios is not a patient record system.
You must never enter patient-identifiable information or images. The Service is designed for anonymous CPD and reflective notes only. Entering identifiable patient data breaches our Terms of Service and may breach data-protection law.
2. Data we collect
- Account data: your email address, password (stored only as a secure hash), and optional name and skill grade.
- CPD content you create: diary entries, reflections, CPD records and any files you upload. This should contain no patient-identifiable information.
- Billing data: your subscription status and a customer reference held by our payment processor. Card details are handled by Stripe — we never see or store your full card number.
- Technical data: limited data needed to operate the Service securely, such as session information and server logs (including IP address) used for security and abuse prevention.
3. How and why we use your data
- to create and operate your account and provide the Service;
- to take payment and manage your subscription;
- to send essential service emails (for example account verification, password reset and important notices);
- to keep the Service secure and prevent abuse;
- to comply with our legal obligations.
Our lawful bases are: performance of our contract with you (providing the Service and taking payment); our legitimate interests (securing and improving the Service); and compliance with legal obligations.
4. Sharing & processors
We do not sell your data. We share data only with service providers who process it on our behalf under appropriate safeguards, including:
- Stripe — payment processing and subscription management;
- Resend — sending transactional emails;
- Amazon Web Services (AWS) — encrypted storage of uploaded files and hosting infrastructure.
- Anthropic — powers optional AI features (e.g. smart import). Only the content you submit to that feature is sent for processing, and only when you use it. As with the rest of the Service, do not include patient-identifiable information.
We may also disclose data where required by law or to protect our rights. Some providers may process data outside the UK/EEA; where they do, appropriate transfer safeguards apply.
5. Security
We use appropriate technical and organisational measures to protect your data, including encryption of passwords, encryption of uploaded files at rest, encrypted connections (HTTPS), and access controls. No system is completely secure; you also play a part by keeping your password safe and never entering patient-identifiable data.
6. Retention
We keep your account data for as long as your account is active. If you close your account (or we delete it), we remove your personal data and uploaded files within a reasonable period, except where we must retain limited records to meet legal, accounting or security obligations.
7. Your rights
Under UK data-protection law you have rights to access, correct, delete or restrict the processing of your personal data, to object to certain processing, and to data portability. You can update or export much of your data within the app, or contact us to exercise your rights. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
We use a single essential cookie to keep you signed in. We do not use advertising or third-party tracking cookies.
9. Changes to this policy
We may update this policy from time to time. Material changes will be notified by reasonable means. The "last updated" date at the top shows when it last changed.
10. Contact
For any privacy question or to exercise your rights, email liam@commandpulseportfolios.co.uk.