Account, Pricing & Access

Account Security, 2FA, and Data

Your account controls access to your learning record, portfolio evidence, and any organisation you belong to. This article explains how to keep it secure and how to manage your data.

Changing your email address

For security reasons, you cannot change your email address yourself from Account Settings. The field is read-only and shows the message: "Email cannot be changed directly. Contact support if you need to update your email."

To change your email:

1. Email [email protected] from the email address currently on your account (this proves you control the existing inbox).
2. Tell us the new email address you want to use.
3. We will verify the request, send a confirmation link to the new address, and switch the account over once you click it.
4. The whole process usually takes one working day.

If you have lost access to the email currently on your account (e.g. an old NHS account you no longer use), contact support from any address and we will work through identity verification with you — this can take longer because we have to confirm you are the account holder.

If you sign in via SAML SSO, your email is managed by your institution, not by us. Update it there first; the next time you sign in we will pick up the new address automatically.

Setting a strong password

Use a passphrase of at least 12 characters that you do not use anywhere else. If your organisation uses Single Sign-On, use your institutional login instead — you will not need a separate password here.

Two-factor authentication (2FA)

TOTP 2FA is currently mandatory for platform super-admins only and is not yet available to standard accounts or organisation admins — the 2FA panel in Account Settings → Security only appears for users with the platform super-admin role.

If you want to harden a standard account today, the most effective steps are:

• Use a unique, long passphrase (≥ 12 characters) that you do not reuse anywhere else.
• Store it in a password manager (1Password, Bitwarden, Apple Keychain, etc.).
• If your institution uses SAML SSO, sign in through SSO — your institutional IdP usually enforces its own 2FA.

We are working on opening TOTP 2FA to all accounts. When it ships you will see a new "Two-factor authentication" panel in Account Settings → Security; until then, please do not be alarmed that the section is empty for you — it is intentional.

Resetting your password

Click Forgot password on the login page and enter your email. You will receive a reset link valid for a short time. If the email does not arrive within a few minutes, check your spam folder — NHS mail servers sometimes filter it.

If you use SSO, password reset is handled by your institution, not by us.

Exporting your data (GDPR)

Data export is not in Account Settings — it lives on its own page at /data-protection. Open it from the footer link "Data Protection" or go directly to the URL.

On that page:

1. Choose JSON or CSV format.
2. Click Request Data Export.
3. We produce the archive asynchronously (account, practice results, portfolio entries, organisation membership). You can request one export per 24 hours.
4. You receive an email with a download link when it is ready.

Deleting your account

There are two paths, both permanent and both equivalent in effect:

• Account Settings → Security → Danger Zone → Delete Account: the quickest path; deletes your data in line with the Privacy Policy.
• /data-protection → Delete Your Data: the same delete, available alongside Export so you can grab a copy first.

Before deleting, export any portfolio evidence you still need, and if you are an organisation admin, hand the admin role to someone else first — otherwise your organisation will be left without an admin.

Suspected compromise

If you think someone else has signed into your account, change your password immediately, rotate any 2FA recovery codes, and email [email protected] so we can check the session logs and revoke any active sessions.