Privacy policy

Last updated: 28 April 2026

What we collect

We collect your email address, profile details, career stage, portfolio entries, anonymised cases, goals, specialty trackers, evidence files you upload, referral activity, usage counters, and payment metadata from Stripe. Do not enter patient-identifiable information into Clerkfolio.

Why we use it

We use this data to run the Clerkfolio service, authenticate your account, store your portfolio, generate exports, manage billing, send requested email reminders, prevent abuse, and answer support requests.

Where data is stored

Application data and uploaded evidence files are stored in Supabase in the London region (eu-west-2). Vercel hosts the application. Authentication session cookies are used to keep you signed in.

Sub-processors

  • Supabase: database, authentication, and storage in London.
  • Stripe: subscription and billing metadata through Stripe Payments UK.
  • Resend: transactional email delivery; Resend is US-based.
  • Vercel: web hosting and deployment; application data remains in Supabase.

Retention

Soft-deleted portfolio entries and cases remain in trash for up to 30 days before purge. Audit logs are retained for one year. Account deletion removes live account data immediately through cascading deletes, with backups retained for up to 30 days.

Your UK GDPR rights

You can request access, rectification, deletion, or portability of your data, or object to processing. You can export your own data from Settings at any time. For privacy requests, email admin@clerkfolio.co.uk.

Cookies and analytics

Clerkfolio uses authentication cookies required for login sessions. If analytics are enabled, they are used to understand aggregate product usage, not to sell or broker personal data.

Data controller and contact

Clerkfolio is operated by Clerkfolio Ltd, registered in England and Wales.

For data subject requests including access, deletion, rectification, portability, or any privacy-related query, contact us at admin@clerkfolio.co.uk.

We aim to respond to all requests within 30 days as required by UK GDPR.