Privacy policy

Last updated: 19 June 2026

Path is built on a simple principle: your portfolio is yours. This policy explains what we collect, why, and what you can do about it — in plain language, not legal boilerplate.

Who we are

Path is professional development portfolio software for health professionals. It is operated by Michael Rowe as a personal research and development project, independent of any institution. When this policy refers to "Path", "we", or "us", it means Michael Rowe as sole operator and data controller.

Path is currently in alpha — it is being tested in small invitation-only pilots. The policy itself will change as the service develops. Material changes will be flagged via the in-app notification bell; minor updates (wording, clarifications) may happen without notice. The date at the top of this page reflects the most recent revision.

If you have questions about this policy or your data, please use the contact page.

What data we collect and why

We collect only what is needed to provide the service:

  • Your email address and password, used to create and access your account.
  • The content you create: claims, CPD entries, reflections, statements, case studies, credentials, and tasks.
  • Files you upload as evidence — certificates, documents, images, and other attachments.
  • Your professional network contacts (names, roles, contact details you enter).
  • Self-assessment ratings and criterion-level notes you record against a framework.
  • Share link activity: when a link you created is opened, and any feedback left by a reviewer via that link.
  • If you submit a path for internal review at your institution: the feedback, recommendations, and decision recorded against your submission (see “Internal review at your institution” below).
  • If you send us a message via the contact form: your name, email address, and the content of your message — used only to respond to your enquiry.
  • Technical operational logs generated by our hosting providers (Vercel and Supabase) — such as IP address, browser type, and request timestamps — used to keep the service running and diagnose errors. Path does not run any first-party or third-party analytics, and does not build advertising or behavioural profiles.

Lawful basis (UK GDPR)

We process your data on the following lawful bases:

  • Contract: to provide you with the service you have signed up for.
  • Legitimate interests: to maintain the security and integrity of the service, and to understand how it is used so we can improve it. We have balanced these interests against your rights and are satisfied they do not override them.
  • Consent: where we send you product updates or announcements. You can withdraw consent at any time.

Joining the waiting list

If you ask to join the waiting list, we collect your email address and, if you choose to give it, your organisation. We use these only to contact you about Path — to confirm your place on the list and, when the time comes, to send your invitation or tell you it is available.

The lawful basis is your consent, given when you submit the waiting-list form. We do not use these details for any other purpose, and we do not share or sell them. You can ask us to remove you from the list at any time, and we will delete your details.

How your data is stored

Your data is stored using Supabase, a managed database and storage platform. Data is encrypted at rest and in transit. File attachments (evidence) are stored in Supabase Storage. The Supabase project is hosted in the European Union (Ireland, eu-west-1).

The application is deployed on Vercel. Data transfer between the UK and the EU is covered by the UK government's adequacy decision for the European Economic Area — no additional transfer mechanism is required.

We rely on a small number of trusted sub-processors to run the service, each under a data processing agreement:

  • Supabase — database, file storage, and authentication (hosted in the EU, Ireland).
  • Vercel — application hosting and delivery.
  • Resend — sending transactional and notification emails (e.g. review and deadline reminders). This means your email address and the content of those emails are processed by Resend; transfers outside the UK/EU are covered by the provider's standard contractual clauses.

As service operator, Michael Rowe has administrative access to the database for operational purposes such as monitoring, debugging, and providing user support. This access is not used to read or review personal portfolio content.

Who can see your data

Your portfolio is private by default. Specifically:

  • Only you can see your claims, reflections, CPD, evidence, and statements.
  • If you belong to an institution, the institution dashboard shows only anonymous, aggregate totals — no individual content is visible to your institution unless you explicitly enable sharing for a specific path.
  • When you create a share link for a reviewer, anyone with that link can read that path and leave feedback. You can revoke the link at any time.
  • We do not sell your data. We do not share it with third parties for advertising or marketing.
  • We may disclose data if required to do so by law or to protect the rights and safety of users.

Internal review at your institution

If your institution uses Path's internal review feature, you can submit a path to be reviewed by colleagues there. This is something you choose to start, and you can withdraw a submission at any time before a decision is made. When you submit a path for review:

  • The reviewers your institution's administrator assigns can read the full content of that submission — your claims, the evidence files attached to them, and your self-assessment — in order to give feedback. Reviewers are colleagues at your institution whom an administrator has assigned.
  • Your institution's administrators can see that you have submitted, who is reviewing, and the reviewers' recommendations, and they record the final decision. Administrators may also assign themselves as a reviewer.
  • Reviewer feedback is shared with you anonymously — shown as coming from a “Reviewer” rather than by name. Reviewers work independently: where several are assigned to the same submission, they cannot see one another's feedback.
  • A reviewer may add a private note addressed to the administrator. That note is not shown to you.
  • The decision and any decision note recorded by the administrator are shared with you.

Outside of a review you have started, your individual content is never visible to your institution — the institution dashboard shows only anonymous, aggregate totals.

Evidence files

Files you upload as evidence may contain sensitive professional or personal information. We store them privately and do not access them except to serve them back to you, to a reviewer via a share link you created, or to a colleague reviewing a path you have submitted for internal review.

You should not upload patient-identifiable information, or any special-category data (such as health information about identifiable individuals), that you are not entitled to share. Redact names and identifying details before uploading. Path is designed to hold evidence about your own professional practice, not records about the people you work with.

Cookies

We use a single session cookie to keep you signed in. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

How long we keep your data

We keep your data for as long as your account is active. If you delete your account, your data is permanently deleted, including all content and uploaded files. We may retain anonymised, aggregate statistics that cannot be linked back to you.

Your rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data (the right to be forgotten).
  • Receive a copy of your data in a portable format — use Profile → Export everything to download your content and records as Markdown files at any time. Uploaded evidence files can be downloaded individually from each item; on request we can provide a full copy of your files.
  • Restrict or object to certain processing.
  • Withdraw consent where we are relying on consent as our lawful basis.

To exercise any of these rights, please contact us via the contact page. We will respond within one month.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Automated recommendations

Path uses algorithmic recommendations to suggest which criteria to focus on next, based on your coverage data, self-assessment ratings, and any deadlines set on your path. These suggestions are non-binding — you remain in full control of your portfolio and can ignore or override them at any time.

These recommendations do not constitute automated decision-making within the meaning of Article 22 of the UK GDPR, because they have no legal or similarly significant effect on you. They are guidance only.

Security

Access to your data is controlled at the database level using row-level security — one user's data cannot be read by another user. We use HTTPS throughout, and you can enable two-factor authentication on your account (Profile → Account) for an extra layer of protection at sign-in. We review our security practices as the service develops.

If a personal data breach occurs that is likely to pose a risk to your rights and freedoms, we will report it to the Information Commissioner's Office within 72 hours of becoming aware of it, and will tell you without undue delay where the risk to you is high.

If you believe you have found a security vulnerability, please contact us immediately via the contact page rather than disclosing it publicly.

Changes to this policy

We may update this policy from time to time. When we do, we will update the date at the top of this page and, where the changes are material, notify you via the in-app notification bell. Continued use of the service after changes are posted constitutes acceptance of the updated policy.

Contact

For any questions about this privacy policy or your data, please use the contact page. Path is operated by Michael Rowe in the United Kingdom as the data controller.