CPD Bee is committed to protecting your privacy and the confidentiality of your professional development records. This policy explains how we collect, use, store, and protect your information.
CPD Bee is a product of Hearing Therapy Ltd (Company No. 12098086, VAT No. 376 9339 43).
What We Collect
When you use CPD Bee, we collect:
Account information – Name, email address, profession, regulatory body, registration number (e.g. GMC, HCPC, or NMC number)
Professional profile – Specialty, grade, employer, Royal College memberships, years qualified, learning goals
CPD records – Activity titles, dates, durations, descriptions, reflections, learning outcomes, and service user benefit statements
Voice recordings – Audio is processed by your browser's Web Speech API for transcription. CPD Bee does not store audio recordings. The transcribed text is retained as part of your CPD record
Uploaded documents – PDFs, Word documents, spreadsheets, and presentations uploaded for text extraction. Document text is extracted in your browser and used to generate CPD records
Payment information – Processed securely by Stripe. CPD Bee does not store your card details
How We Use Your Data
Provide the CPD recording, tracking, and portfolio management service
Transcribe voice recordings into structured CPD records using AI
Analyse uploaded documents to extract CPD activity details
Generate audit-ready reports and export portfolios (PDF, Word, Excel)
Track your revalidation or audit readiness against GMC, NMC, or HCPC requirements
Discover relevant CPD courses from professional body websites
Send essential service communications (password resets, team invitations)
Improve the service based on anonymised, aggregated usage patterns
Data Storage and Security
Encryption at rest: Sensitive record fields – descriptions, reflections, and service user benefit statements – are encrypted using AES-256-GCM before being stored. Each user has a unique encryption key derived from their account. Encrypted fields cannot be read directly from the database, even by the developer.
Your data is stored in a cloud database hosted by Supabase, which uses PostgreSQL with infrastructure in the EU. All data is transmitted over HTTPS/TLS encryption. Row-level security (RLS) policies ensure that each user can only access their own records – no user can see another user's data through the application.
Additional security measures include:
Two-factor authentication – Optional TOTP-based MFA (compatible with Google Authenticator, Microsoft Authenticator, and Authy)
Leaked password protection – Passwords are checked against known breach databases (via HaveIBeenPwned) to prevent the use of compromised credentials
No client-side API keys – All sensitive API operations (AI processing, payment handling) are routed through authenticated server-side functions
AI Processing
CPD Bee uses Anthropic's Claude AI to help structure your CPD records from voice transcripts and uploaded documents. When you use AI features:
Your transcribed text or extracted document content is sent to Claude via an authenticated server-side proxy – never directly from your browser
Your profession, specialty, and recording style preference are included to improve accuracy
AI-generated content is always presented for your review before saving – you have full editorial control
Anthropic's data usage policy applies to AI processing. Anthropic does not use API inputs to train their models
No patient-identifiable information should be included in your records (see Healthcare Data Notice below)
Enterprise Teams
If you use CPD Bee's Enterprise plan with team features:
Team leaders can see aggregated progress summaries for team members – total hours, record counts, activity type distribution, and audit/revalidation readiness scores
Team leaders cannot read individual record content. Descriptions, reflections, and service user benefit statements are encrypted with each user's personal key and are inaccessible to team administrators
Invitations are sent via email with a secure token link that expires after 7 days
Third-Party Services
CPD Bee uses the following third-party services:
Supabase – Database hosting, authentication, and storage (EU infrastructure)
Netlify – Application hosting and serverless functions
Stripe – Payment processing (PCI DSS Level 1 certified). CPD Bee does not store card details
Anthropic (Claude) – AI-powered record generation and analysis. API inputs are not used for model training
Web Speech API – Browser-native speech recognition (audio is processed by your browser, typically via Google's speech services for Chrome)
Jina AI – Web page reading for CPD course discovery from professional body websites
Under the UK General Data Protection Regulation, you have the right to:
Access – Request a copy of all data we hold about you
Rectification – Correct any inaccurate personal data
Erasure – Delete your account and all associated data. You can do this directly from the Account tab in the app, or by contacting us. This complies with Article 17 (Right to Erasure)
Portability – Export all your CPD records at any time in PDF, Word, or Excel format using the Export feature
Restriction – Request that we limit the processing of your data
Objection – Object to processing of your data for specific purposes
Your CPD records are retained for as long as your account is active. If you delete your account, all your personal data, CPD records, and profile information are permanently deleted from our systems. This deletion is irreversible.
We do not retain backups of individual user data after account deletion.
Healthcare Data Notice
CPD Bee is designed for recording your professional development activities, not patient data. Do not include patient-identifiable information in your CPD records. Always anonymise any clinical examples or case studies. If you are recording significant events or clinical reflections, ensure they do not contain information that could identify individual patients.
Cookies
CPD Bee uses minimal cookies for essential functionality:
Authentication session – Maintains your login session (Supabase JWT)
Local preferences – Stores your app state and preferences in localStorage
We do not use advertising cookies, tracking cookies, or third-party analytics cookies.
Children
CPD Bee is a professional service for qualified and trainee healthcare professionals. It is not intended for use by anyone under the age of 18.
International Data Transfers
Your data is primarily stored in EU data centres (via Supabase). When you use AI features, your record content is processed by Anthropic's Claude API, which operates from US-based infrastructure. This transfer is necessary to provide the AI-powered record generation service and is covered by appropriate safeguards.
Contact
For privacy questions, data requests, or concerns:
Data Controller: Hearing Therapy Ltd, Company No. 12098086
Changes to This Policy
We may update this policy to reflect changes in our service or legal requirements. Significant changes will be communicated via email or in-app notification. We encourage you to review this page periodically.