Your data and GDPR rights
PathologyLabTraining is a UK service governed by the UK GDPR and the Data Protection Act 2018. As an individual user you have specific rights over the data we hold about you.
What we hold about you
- Account data — email, name, password hash, sign-in history, and authentication factors (2FA settings and recovery codes for platform super-admins, who must enable TOTP; 2FA is not yet open to standard accounts)
- Subscription data — plan, billing history, payment method reference (we never store full card numbers; those are held by Stripe / Paystack)
- Activity data — practice tests taken and scored, simulator sessions, AI Coach transcripts (your side and the assistant's), favorites, portfolio entries, account notifications
- Help-chat telemetry — SHA-256 hash + length of each question asked through the chat widget, plus the source articles surfaced. We never store the raw question text — see the chat widget privacy note for detail.
- Organisation membership — if you joined via a Trust or university, the organisation ID, joined date, and any role within the organisation
- Anonymous traffic analytics — we use Google Analytics (with IP anonymisation) and ReachSurge (cookieless, fingerprint-based) to understand page-view patterns and which AI search engines (ChatGPT, Claude, Perplexity, Gemini) drive traffic to the site. Neither service receives your name, email, or any account details. ReachSurge generates short-lived visitor identifiers from your user agent + screen size + the current date; nothing is stored in your browser.
- Cookies — see the Cookie Policy
What we do NOT hold
- Patient-identifiable data — please do not paste real patient identifiers into AI Coach, Practice Tests, or the help chat. The platform is for training and interview prep, not clinical work.
- Card numbers — handled by Stripe or Paystack; we only see masked references
- Raw chat questions — only their SHA-256 hashes (see help-chat telemetry note above)
Your GDPR rights
Right of access — export your data
Open the Data Protection page (linked from the site footer, or go directly to /data-protection). Under Export Your Data, choose JSON or CSV and click Request Data Export. The archive includes:
- Account profile and settings
- All practice-test results
- All AI Coach session transcripts
- Portfolio entries and attached evidence URLs (we link to large files rather than duplicating them)
- Subscription history
- Newsletter subscription category preferences
The export runs asynchronously. We email you a secure download link when ready — usually within an hour. You can request one export per 24 hours.
Right of rectification — correct your data
Most fields are editable directly from Account Settings (firstName and lastName under Profile; password under Security). The email field is read-only by design — to change it, email [email protected] from your current account email (see Account Security). For fields that aren't user-editable (e.g. an organisation membership you can't see, billing invoices), email us and we will correct them within 30 days.
Right to erasure — delete your account
There are two equivalent in-app paths:
- Account Settings → Security → Danger Zone → Delete Account
- /data-protection → Delete Your Data
Both trigger the same flow:
- We confirm by email — you must click the confirmation link within 24 hours.
- After confirmation we hard-delete account data, sessions, AI Coach transcripts, favorites, and portfolio entries.
- Retained: anonymised analytics, paid-invoice records (we are required by HMRC to retain these for 6 years), and help-chat telemetry (which contains only SHA-256 hashes, no PII).
- The deletion is irreversible.
If you just want to end a specific browser session without deleting your account, use Log out in the user menu — this clears only the current device. We do not currently offer a "sign out everywhere" button; if you suspect compromise on another device, email us and we will invalidate all your sessions.
Right to object / restrict processing
Email us if you want to:
- Stop us using your activity data for anonymised product analytics
- Stop us emailing you anything beyond essential service notices
- Restrict processing while a dispute is resolved
Right to data portability
The JSON export above is the portable format. We can also provide CSV per-table on request.
Retention
- Active accounts: data kept while the account is active
- Cancelled subscriptions, account still active: kept (you can resubscribe)
- Deleted accounts: hard-deleted within 30 days of confirmation; backups purged within 90 days
- Invoices: 6 years (HMRC requirement)
- Anonymised aggregate analytics: indefinite (no individual identification possible)
Patient data — explicit reminder
PathologyLabTraining is a training and interview-prep environment. Do not paste real patient-identifiable information into any text field (AI Coach, Practice Test answers, help chat, simulator notes, portfolio reflections). Use anonymised or fictional scenarios.
If you accidentally pasted patient data and want it removed, email us immediately; we will purge the specific record and audit the surrounding logs.
Our regulators
- ICO — Information Commissioner's Office (UK data protection regulator). You can complain to them at any time at ico.org.uk.
- HCPC — Health and Care Professions Council (your regulator as a Biomedical Scientist; relevant to your CPD log, not to your account here).
Contact
- General data queries and Data Protection / Subject Access Requests: [email protected] — please put "Data Protection" or "SAR" in the subject line so the request reaches the responsible person without delay.
- Detailed legal text: see our Privacy Policy and Data Protection pages.