Privacy Policy

Reflectio EM is built for UK Emergency Medicine trainees to write reflections and workplace-based assessments for their RCEM ePortfolio. This page explains what we collect, why, how long we keep it, and the rights you have over your data.

Version 2.5 · Last reviewed 12 May 2026

Who we are. Reflectio EM is operated by Dr Thomas Porter, an individual sole trader registered with the UK Information Commissioner's Office under reference ZC140250. Contact: privacy@reflectio.io.

Using the Reflectio EM Autofill Chrome extension? A separate, narrower privacy policy applies to Reflectio EM Autofill — a small companion extension that auto-fills your ePortfolio. It processes only what's needed to fill the form and has a much smaller data surface than this main app. See the Reflectio EM Autofill privacy policy. Note that once content is written into your ePortfolio by the extension or copied there manually, it becomes subject to your ePortfolio provider's privacy policy — see the ePortfolio providers — controllership boundary section below.

Pre-pilot testing status

Reflectio EM is currently in closed pre-pilot testing with a small group of invited Emergency Medicine trainees (May–July 2026). Features, subprocessors, and data-handling practices described in this policy may change before the public pilot launch in August 2026.

If we make a material change — for example, adding a subprocessor, changing data residency, or transferring data controller status to a different legal entity — we will notify you in the app and at your registered email before the change takes effect, and increment the version number at the top of this page.

No payment is processed during the pre-pilot. All features are provided free of charge to invited testers during this period.

Version 2.5 (May 2026): Subprocessor disclosure refactored from fully-named list to category-level disclosure with specific names available on request — aligning with standard B2B SaaS practice. No subprocessors have changed.

Privacy by Design

UK GDPR Article 25 requires Privacy by Design. Reflectio EM applies it in five concrete ways:

Local by default. Your entries are saved to your device (browser storage) and nothing is uploaded to our servers unless you explicitly opt in to cloud sync from Settings.
Separate, explicit consent for cloud sync. If you turn on cloud sync, you see a clear warning and must confirm. You can turn it off and delete cloud copies at any time.
Data minimisation. We ask for your email to authenticate you. We do not ask for your name, GMC number, deanery, hospital, or anything else unless it becomes strictly necessary for a feature we build — and only with consent.
Purpose limitation. We use your data only to deliver the service. We do not sell it, share it with advertisers, or use it to train AI models.
User control from day one. Export and account deletion are built into the app — not buried or gated behind support tickets.
Data Protection Impact Assessment. We are completing a Data Protection Impact Assessment (DPIA) for Reflectio EM before the public pilot launch. The DPIA covers AI-assisted processing of professional reflective content, special category data handling, and international transfers to AI subprocessors. A summary will be made available on request to privacy@reflectio.io once finalised.

What we collect, why, and our lawful basis

Under UK GDPR, we must tell you what personal data we process and the legal basis for it. Here is the full picture:

Account data — email and password

What: Your email address and a hashed password (we never see or store your actual password — it is hashed by our authentication provider using industry-standard bcrypt).

Why: To authenticate you and prevent unauthorised access to your account.

Lawful basis: Performance of a contract — UK GDPR Article 6(1)(b). You cannot use the service without an account.

Entries (local storage, always)

What: The text and structured data of the entries you create in the app — reflections, workplace-based assessments (CbD, DOPS, mini-CEX, ACAT, ESLE), RPL, SDL, hit list items, and related learning records.

Why: So you can draft, edit, and reread your own entries.

Where: In your browser's local storage on the device you used to create them. Not uploaded to our servers unless you turn on cloud sync.

Lawful basis: Performance of a contract — Article 6(1)(b).

Entries (cloud sync — only if you opt in)

What: The same entry content, additionally uploaded to a secure database hosted in the United Kingdom.

Why: So you can access your entries from more than one device (for example, draft on your phone, finish on your desktop for pasting into your ePortfolio).

Lawful basis: Explicit consent — Article 6(1)(a) for the personal data, and Article 9(2)(a) in respect of any health-related content that may be inferred from entries. You can withdraw consent at any time by toggling cloud sync off in Settings and deleting the cloud copies.

Billing data (when subscribed)

What: Customer and subscription identifiers, subscription status, current period end, and trial-end date held by our payment provider. Payment card details are handled by our payment provider directly and are never seen or stored by us.

Why: To operate paid subscriptions (active during the paid pilot from August 2026 onwards; not collected during the current free pre-pilot).

Lawful basis: Performance of a contract — Article 6(1)(b).

Telemetry and operational logs

What: Per-user (pseudonymous, not anonymous — linked to your user ID) records used for cost control, billing accuracy, and product improvement:

Generation events: type of entry generated, curriculum level, session duration in milliseconds, whether you used "Go deeper", device type (e.g. "iPhone")
AI usage aggregates per day: number of generations, audio-transcription seconds, AI input/output token counts, and cost in cents
Login events: timestamp and device type
Session boundaries: started/last-activity/ended timestamps and device type

No clinical content is logged in any of these tables.

Why: Cost control (we enforce monthly generation and daily audio caps), billing accuracy, and understanding how the product is used so we can improve it.

Lawful basis: Performance of a contract — Article 6(1)(b) for the cost-control and billing slice — and legitimate interests — Article 6(1)(f) — for the product-improvement slice. We have assessed that this minimal telemetry is necessary to maintain the product and does not override your interests.

Special category data — entries about clinical work

Entries about your clinical practice may include health-related information about yourself (for example, how you felt during a difficult case) or, despite our guidance and technical safeguards, may inadvertently touch on information about patients. Under UK GDPR Article 9, health information is a "special category" of personal data with extra protections.

When special category processing occurs. Special category processing can occur in two situations:

AI generation and voice transcription. When you submit an entry for AI generation or use voice dictation, the content is transmitted briefly to our AI generation and voice transcription subprocessors (US-based, see the subprocessors section) to produce the structured output. Even if you do not enable cloud sync, this transient processing may involve health-related content.
Cloud sync. If you enable cloud sync, entry content is additionally stored in a UK-based database.

Lawful basis. We rely on your explicit consent under UK GDPR Article 9(2)(a) for both situations:

For AI generation and voice transcription, your consent is recorded each time you submit an entry through the mandatory per-submission attestation ("I confirm no identifiable patient information").
For cloud sync, your consent is recorded when you enable the feature through a dedicated confirmation dialog that repeats the relevant warnings.

Withdrawing consent. You can withdraw consent at any time. Stop using AI generation and voice features to end transient processing; toggle cloud sync off (with the "delete cloud copies" option) to end cloud storage. Withdrawal does not affect the lawfulness of processing before withdrawal.

What we will never do with special category data. It is never shared with advertisers, never sold, and never used to train third-party AI models. Cloud-synced content is stored exclusively in the United Kingdom. Transient AI processing takes place under contractual safeguards: our AI subprocessors do not use your content to train their models. Specific retention practices vary by provider — our AI generation provider may retain inputs and outputs for up to 30 days for trust and safety review in line with their standard commercial terms; our voice transcription providers process requests on a zero-retention basis where available, or retain transiently for the duration of the request. Specific provider names, retention periods, and contractual terms are available on request to privacy@reflectio.io.

Your rights and how to use them

Under UK GDPR you have the following rights. We will respond to data subject requests within one month, as required by UK GDPR Article 12(3). For complex or numerous requests we may extend this by a further two months and will tell you within the first month if we need to do so.

Right of access

Ask us for a copy of the personal data we hold about you.

Settings → Download my reflections (PDF) for a readable copy, or Download raw data (JSON) for a machine-readable export. You can also email privacy@reflectio.io.
Right to rectification

Ask us to correct inaccurate personal data.

Edit entries directly in the app. For account data, email privacy@reflectio.io.
Right to erasure ("right to be forgotten")

Ask us to delete your personal data.

Settings → Delete my account permanently deletes your account and all associated entries, telemetry, and profile data.
Right to data portability

Receive your data in a structured, machine-readable format so you can take it elsewhere.

Settings → Download raw data (JSON) provides a complete machine-readable export. PDF is also available for a readable version. Email us if you need a different format.
Right to restriction of processing

Ask us to pause how we process your data while you resolve a dispute.

Email privacy@reflectio.io with "Restriction request" in the subject.
Right to object

Object to processing that relies on legitimate interests (i.e. the telemetry described above). You also have an absolute right to object to direct marketing under UK GDPR Article 21(2). We do not currently send marketing emails; if this changes, you will be able to opt out at any time.

Email privacy@reflectio.io with "Objection" in the subject.
Right to withdraw consent

If cloud sync is on, turn it off and delete cloud copies at any time.

Settings → Cloud sync → Off (offers to delete cloud copies in the same step).
Right to complain

We'd encourage you to contact us at privacy@reflectio.io first so we can try to resolve any concerns directly. You also have the right to lodge a complaint with the UK Information Commissioner's Office at any time.

Visit ico.org.uk/make-a-complaint.

Our commitments

Local by default. Your entries stay on your device unless you explicitly enable cloud sync. You can use the whole app without anything ever leaving your phone.
Explicit consent for cloud sync. When you enable sync, you see the full picture: what gets uploaded, where it goes, and how to undo it.
UK storage residency. Cloud-synced data is stored on servers in the United Kingdom and does not leave the UK or EEA at rest. Transient processing for AI generation, voice transcription, and feedback collection takes place under contractual safeguards on US (or, for the feedback widget provider, Australia-based) infrastructure — see the subprocessor section for details.
No training, no selling. Your content is never used to train AI models and never sold or shared with advertisers.
No tracking. No Google Analytics, no Facebook pixel, no third-party advertising trackers. The only logs are the minimal usage counters described above.
AI generation is ephemeral. When you generate content, your input is transmitted securely to our AI generation subprocessor, processed, and not used for training.
Local storage notice (PECR). Reflectio EM uses your browser's local storage to save your entries on your device. This storage is strictly necessary for the service to function and is exempt from consent requirements under the Privacy and Electronic Communications Regulations (PECR) Regulation 6(4)(a). We do not use cookies for analytics, advertising, or tracking.

Your responsibility

The technical safeguards in Reflectio EM are a failsafe — not a substitute for professional responsibility. Under GMC confidentiality guidance, the duty to protect patient information rests with you as the clinician.

To support that duty, Reflectio EM layers several controls:

Account-level agreement at signup: "I agree to the Terms and Privacy Policy, and will not include patient-identifiable information in my reflections."
Per-submission attestation. Every entry form blocks submission until you confirm:
I confirm no identifiable patient information.
Best-effort automated PII removal. A client-side function attempts to remove common identifiers — names, dates, NHS/hospital numbers, addresses, postcodes, phone numbers, email addresses, exact ages over 90 or specific paediatric ages, exact timestamps, rare job titles — from your input before it is sent for AI processing. This is a backstop, not a guarantee: your own anonymisation discipline remains the primary control.
AI system-prompt enforcement. The AI generation, transcription, and text-to-speech systems are instructed under NHS Information Governance, GMC confidentiality guidance, and Caldicott Principles to strip any identifying information that may have slipped through (including identifiers visible in attached images), apply a combination rule for indirect identifiers, and never reintroduce identifiers in output.
Explicit consent for cloud sync. If you enable cloud sync, a confirmation dialog repeats the PII warning and records your Article 9(2)(a) consent.

None of these layers removes your professional duty. Treat them as belt-and-braces — your own anonymisation discipline remains the primary control.

Security incidents and breach notification

If a personal data breach affects you, we will:

Notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
Notify you directly without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by UK GDPR Article 34.
Document the incident, our investigation, and our response in our internal incident log.

Our subprocessors are contractually required to notify us promptly of any security incidents affecting your data — our database provider commits to 48 hours, the others to "without undue delay". This gives us a buffer to assess the impact and meet the ICO deadline.

How long we keep your data

Account data (email, password hash): For as long as your account exists. Deleted within 30 days of account deletion.
Entries (local): In your browser until you delete them or clear browser storage. We have no control over your local data.
Entries (cloud-synced): While your account exists and cloud sync is on. Deleted within 30 days of account deletion, disabling cloud sync with the "delete cloud copies" option, or individual deletion.
Telemetry and operational logs: Currently retained for the lifetime of your account; deleted when you delete your account. We will implement a 12-month rolling deletion job for telemetry rows before the public pilot launch.
Backups: Our database provider's standard backup retention applies — currently 7 days on our plan. We will move to point-in-time recovery (7-day window) when we upgrade to its Pro tier before the paid pilot launch. Deleted account data persists in backup snapshots until those snapshots roll off (up to 7 days); backups are encrypted, access-restricted, and used only for disaster recovery, not for active processing.

Where your data goes (subprocessors)

We use third-party processors to run Reflectio EM. Each is bound by a written Data Processing Agreement or equivalent contractual safeguards. We disclose them publicly by category here, and provide the full specific list — including company names, jurisdictions, DPA terms, and the contractual basis with each — on request to privacy@reflectio.io. We aim to respond to subprocessor-list requests within one month, mirroring our response commitment for data subject rights requests.

Categories of subprocessors we use:

Category	What it does	Where
Database, authentication, and email infrastructure	Stores your account data and, if enabled, your cloud-synced entries. Sends authentication and transactional emails.	UK (data at rest); EU (transactional email delivery)
Application hosting and routing	Hosts the web application and routes requests. No personal data stored at rest.	Global edge
AI generation	Generates reflective text from the input you submit (and, for educational-activity entries, any slide or schedule photos you choose to attach).	USA
Voice transcription	Converts your dictated voice input into text. Used as primary and backup transcription providers.	USA
Optional read-aloud playback	Optional text-to-speech playback of reflective prompts.	USA
Payment processing	Handles paid subscriptions from August 2026 onwards. Card details handled directly by the payment processor as an independent data controller.	UK / EU / USA
In-app feedback	Processes any text and screenshots you submit through the in-app feedback widget. Feedback content may flow through the provider's own AI sub-processors for sentiment and classification.	Australia (AWS US hosting)

Specific subprocessor names available on request. If you would like the full subprocessor list, including the specific company name, jurisdiction, applicable DPA, and contractual safeguards for each category above, email privacy@reflectio.io. We will respond within one month.

International transfers. Transfers to processors outside the UK/EEA take place under contractual safeguards — the UK International Data Transfer Addendum, EU Standard Contractual Clauses, or each provider's auto-incorporated Data Processing Addendum, as applicable. If you do not want any transfer outside the UK/EEA, do not use AI generation or voice dictation, and avoid the in-app feedback widget.

Subprocessor changes. Routine subprocessor changes (e.g. a sub-region added, a provider acquired by another company, replacement with an equivalent-tier provider in the same category) will be reflected in our internal subprocessor register and disclosed on request. Material changes — adding a new subprocessor category, changing data residency for an existing category, or moving an existing processor to a new jurisdiction — will be notified in the app and at your registered email before the change takes effect, and will trigger a version bump of this policy.

ePortfolio providers — controllership boundary

Reflectio EM helps you draft content for your professional ePortfolio (for example, the Royal College of Emergency Medicine ePortfolio hosted by your ePortfolio provider). We are not affiliated with any ePortfolio provider and have no contractual relationship with them in respect of your data.

Where our responsibility ends. Once content is written into your ePortfolio — whether by using the Reflectio EM Autofill extension to auto-fill fields, or by copying and pasting from Reflectio EM — that content is held by your ePortfolio provider as a separate data controller under their own terms and privacy policy. We are not the data controller for content held in your ePortfolio, and we have no ability to access, modify, or delete it.

Practical implication. Deleting your Reflectio EM account removes content from Reflectio EM only. To remove content from your ePortfolio, you must use your ePortfolio's own deletion tools or contact your ePortfolio provider and (where applicable) your training body directly.

Children

Reflectio EM is intended for use by qualified clinicians. It is not directed at, or intended for use by, children under 18. We do not knowingly collect data from anyone under 18. If you believe a child has created an account, please contact privacy@reflectio.io and we will delete it.

Changes to this policy

We will revise this policy when the service changes in a way that affects your data, or when the law requires. Every update increments the version number at the top of this page. If we make a material change (for example, adding a new subprocessor, changing data residency, or transferring data controller status to a different legal entity), we will also notify you in the app before the change takes effect.

Regulatory alignment

Reflectio EM is designed to align with the following frameworks and professional standards:

UK GDPR Data Protection Act 2018 UK GDPR Article 25 (Privacy by Design) ICO Privacy by Design NHS Information Governance Caldicott Principles GMC Confidentiality Guidance (2017) RCEM ePortfolio Standards

Contact

For any privacy question, data subject request, or concern, email privacy@reflectio.io. We respond within one month.