Skip to content
cpd.so

Privacy policy

Last updated 15 May 2026.

This page explains what we collect, why we collect it, and how you can ask us to delete it. We try to keep it short — if you'd like more detail on any point, email info@cpd.so.

What we collect

  • Account basics: email, full name, optional recovery email, optional sex / date of birth, optional NIRA or passport number — only when you fill them in on /profile.
  • Course activity:which courses you enrol in, your module-level progress, assessment attempts and scores, certificates we've issued you, and on-campus attendance.
  • Payment metadata: the amount, currency, and rail (WaafiPay / eDahab / card) of each enrolment payment, plus the transaction ID. We never store full card numbers — those are handled by the payment rail.
  • Operational logs: IP address, browser user-agent, and audit-log entries for admin actions.

How we use it

  • Running the platform — sign-in, course enrolment, certificates.
  • Sending transactional email (enrolment confirmation, certificate issued, password reset) via Resend.
  • If you Connect a regulator, pushing your hours and certificates to that regulator's system.
  • Aggregated, non-identifying reports for cpd's internal operations.

We don't sell your data. We don't share it with anyone outside the providers, employers, and regulators you've transacted with on the platform.

Who sees what

  • Providers see learners who enrolled in their courses (name, email, progress).
  • Employers/Sponsors see the people they invited to seats.
  • cpd super admins see everything, for moderation and accreditation.
  • The public can verify any certificate by code at /verify, but the verify page only shows the awarded-to name, course, provider, hours, and date.

Where it lives

Data is stored on Supabase (Postgres + Storage, region eu-west-1) and Vercel (compute, content delivery). Email is sent through Resend. Payment metadata flows through WaafiPay and eDahab. Each of those vendors has their own privacy terms; we only send the minimum data they need to do their job.

Your rights

  • See what we have on you: /profile and /dashboard show it; email us if you need more.
  • Correct it: edit at /profile, or email us.
  • Delete your account: use the Delete account section on /profile, or email info@cpd.so — we'll remove your sign-in and personal profile fields. Note that cpd ledger and certificate rows are retained in hashed/anonymised form because they're part of a public-verification system and (where applicable) part of a regulator's record.

Cookies

We use a small number of strictly-necessary cookies for authentication (Supabase session) and CSRF protection. We don't use third-party advertising cookies.

Changes

We'll update this page if we materially change how we handle data, and update the date at the top.

Contact

Privacy questions: info@cpd.so.