PANELCOACH

Privacy Policy

Version 1.0  |  Effective Date: 22 February 2026

Data Controller: Christoforos Gkimpas

Contact: info@panelcoach.co.uk

This Privacy Policy explains how PanelCoach collects, uses, stores, and protects your personal data. It should be read alongside our Terms and Conditions of Use.

1. Who We Are

1.1 PanelCoach is operated by Christoforos Gkimpas, an individual software developer based in England, United Kingdom. For the purposes of UK data protection law, Christoforos Gkimpas is the data controller for your personal data.

1.2 Contact: info@panelcoach.co.uk

2. What Data We Collect

2.1 We collect the following categories of personal data:

  • Account data: email address, hashed password. Source: provided by you at registration.
  • Content data: personal examples (STAR/CAMP/SPIES answers), question bank selections, AI feedback results. Source: created by you in the App.
  • Subscription data: plan tier, subscription status, PayPal subscription ID, billing period dates. Source: generated when you subscribe.
  • Usage data: AI review request counts, token usage, credit consumption records. Source: generated by your use of the App.
  • Audit data: Terms acceptance records (IP address, user agent, timestamp, app version). Source: collected when you accept the Terms.
  • Technical data: browser type, device type (via user agent string). Source: collected automatically by our hosting provider.

2.2 We do not collect: your name, phone number, postal address, NHS employee ID, GMC number, or any patient data. We do not use cookies for advertising or tracking. The App uses only essential session cookies required for authentication.

3. How We Use Your Data

Each purpose is listed with its lawful basis under UK GDPR Article 6:

  • Provide and maintain your account: performance of a contract (Art. 6(1)(b)).
  • Store your examples and sync across devices: performance of a contract (Art. 6(1)(b)).
  • Process AI review requests (transmit answers to Anthropic): performance of a contract (Art. 6(1)(b)).
  • Manage subscriptions and process payments via PayPal: performance of a contract (Art. 6(1)(b)).
  • Enforce usage limits and prevent fraud: legitimate interests (Art. 6(1)(f)).
  • Record Terms & Conditions acceptance for legal compliance: legitimate interests (Art. 6(1)(f)).
  • Send subscription renewal reminders and service notifications: legitimate interests (Art. 6(1)(f)).
  • Retain financial records for tax purposes: legal obligation (Art. 6(1)(c)).

4. Third-Party Processors and Data Locations

4.1 We use the following third-party services to operate PanelCoach. Your data is processed within the United Kingdom and the EEA, except for the AI review feature (Anthropic) and payment processing (PayPal), both of which can involve transfers outside the UK/EEA as described in 4.2:

Each provider is listed with its purpose, processing location and the safeguard relied on for any international transfer:

  • Supabase Inc.: authentication. Location: Ireland, EU (eu-west-1). Safeguard: UK adequacy regulations for the EEA.
  • Neon Inc.: database. Location: UK (London, eu-west-2). Safeguard: data stays in the UK.
  • Anthropic PBC: AI review processing. Location: United States. Safeguard: SCCs + UK IDTA + Anthropic DPA.
  • Netlify Inc.: hosting & serverless functions. Location: UK (London, eu-west-2). Safeguard: data stays in the UK.
  • Zoho Corporation: email delivery. Location: EU (Netherlands / Ireland). Safeguard: UK adequacy regulations for the EEA.
  • PayPal (Europe) S.à r.l.: payment processing. Location: EU (Luxembourg); may transfer globally, including to the US. Safeguard: PayPal BCRs + SCCs + UK IDTA.

4.2 Our core infrastructure (database, hosting, serverless functions) is hosted in the United Kingdom (London, eu-west-2) or Ireland (eu-west-1), both within the UK/EEA. Two services may transfer personal data outside the UK/EEA:

  • Anthropic — when you use the AI review feature, your answer text is sent to Anthropic’s API in the United States. This transfer is protected by Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum (IDTA) and Anthropic’s Data Processing Agreement.
  • PayPal — PayPal (Europe) S.à r.l. is based in Luxembourg, but PayPal may process payment data globally, including in the United States, under its Binding Corporate Rules (BCRs) approved by the CNPD (Luxembourg) and Standard Contractual Clauses. Note: PanelCoach itself does not receive or store your PayPal account details (name, address, payment method). We only store the PayPal subscription reference ID.

4.3 We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Data Retention

Each data category is listed with its retention period and the reason for it:

  • Account data (email, auth): until account closure + 90 days. Reason: service provision.
  • Content data (examples, AI feedback): until account closure + 90 days. Reason: service provision.
  • Subscription & payment records: 6 years from last transaction. Reason: HMRC tax obligations.
  • Terms acceptance records: 6 years from last acceptance. Reason: legal compliance / audit.
  • AI usage records: until account closure + 90 days. Reason: usage tracking / billing.
  • Dormant accounts (no login for 24 months, no saved content and no paid subscription): deleted after 30 days' notice. Reason: data minimisation.

6. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access — request a copy of all personal data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your data (“right to be forgotten”).
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format (JSON).
  • Right to object — object to processing based on legitimate interests.

To exercise any of these rights, email us at info@panelcoach.co.uk. We will respond within one month of receiving your request, as required by UK GDPR Article 12(3).

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint.

7. Data Security

7.1 We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (HTTPS/TLS) for all data between your browser and our servers.
  • Encryption at rest for database storage (provided by Supabase and Neon).
  • JWT-based authentication with short-lived tokens.
  • Row-level security enforced in the database, so an authenticated user can read and write only their own rows.
  • No plain-text password storage: passwords are stored only as salted hashes, handled by Supabase Auth.

7.2 No system is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

8. Data Breach Notification

8.1 In the event of a personal data breach that poses a risk to your rights and freedoms:

  • We will notify the ICO within 72 hours of becoming aware of the breach (UK GDPR Article 33).
  • If the breach poses a high risk to you, we will notify you without undue delay by email (UK GDPR Article 34).
  • Notifications will include: the nature of the breach, likely consequences, and measures taken to address it.

8.2 We maintain an internal breach register documenting all personal data breaches, including those not reported to the ICO, as required by UK GDPR Article 33(5).

9. Cookies

9.1 PanelCoach uses only strictly necessary cookies required for authentication and session management. These cookies are exempt from consent requirements under the Privacy and Electronic Communications Regulations 2003 (PECR).

9.2 We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

10. Children

PanelCoach is intended for qualified medical professionals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or in-app notification at least 14 days before the changes take effect.

The “Effective Date” at the top of this page indicates when this version was last updated.

12. Contact

Data Controller: Christoforos Gkimpas

Email: info@panelcoach.co.uk

Country: England, United Kingdom

ICO: ico.org.uk