Privacy Policy

Last updated: 7 May 2026

Folio is a service for UK NHS doctors. This policy explains what data we collect, why, and how we protect it.

1. Who we are

Folio is a service of Zero Longitude Ltd, a private limited company registered in England and Wales (company number 17200187). Its registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

For data protection enquiries, contact us at privacy@folio.healthcare. This is also our Data Protection contact address.

2. What data we collect

Account information

Your email address, display name (if you provide one), training stage, and target specialty. Collected when you create an account.

Portfolio data you enter

Scoring information you input about your portfolio — your self-reported domain scores, tracked specialties, and action completions. This stays on Folio's servers and is only accessible by you.

Audit projects

Any audit plans you generate or save through the Audit Builder feature.

Usage data

Which features you use, when, and how often. We use this for product improvement and abuse prevention.

Payment data

Handled entirely by Stripe. We never see or store your card details. We receive only a subscription status and basic payment event data from Stripe's webhook.

AI usage

Text you submit to the Audit Builder is sent to Anthropic's Claude API for processing. We track usage volume per user to manage costs. See section 5 for where this data goes.

Email notification list

If you sign up to be notified when new competition data is published, we store your email address for that purpose only.

3. What we do not collect

  • Real-world clinical data, patient information, or any NHS confidential data.
  • Tracking data across other websites — we don't follow you around the internet.
  • Advertising or marketing data — we don't sell, share, or rent your data to third parties for marketing.
  • Third-party tracking pixels or advertising cookies.

4. Why we collect it

  • To provide the Folio service — scoring, recommendations, career planning, and pay calculation.
  • To process payments through Stripe.
  • To comply with our legal obligations.
  • To improve the product based on how it's actually used.
  • To prevent abuse, rate-limit API usage, and detect fraud.

5. Where we store it

Hosting and database: Google Cloud Platform, region europe-west2 (London). Our database is Cloud SQL Postgres in the same region.

Authentication: Firebase Authentication (Google). Your login credentials are managed by Firebase.

Payment processing: Stripe. Data may transfer to the United States. Stripe is GDPR-compliant and uses Standard Contractual Clauses for international transfers.

AI processing: Anthropic API. When you use the Audit Builder, the text you submit is processed by Anthropic's servers. Data may transfer to the United States. Anthropic is GDPR-compliant; we have a data processing agreement in place. Anthropic does not use commercial API data to train its models.

6. How long we keep it

Data type | Retention period
Account data (profile, scores, audit plans) | While your account is active. If you request deletion, your account enters a 30-day cooling-off period before permanent deletion is completed.
Email notification list | Until you unsubscribe.
Payment records | 7 years (UK tax law requirement).
AI usage logs | 12 months (for cost management and abuse prevention).

7. Your rights under UK GDPR

You have the right to:

Access: Request a copy of the data we hold about you.
Correct: Ask us to correct any inaccurate or incomplete data.
Delete: Request deletion of your account and associated data. If you use the self-serve setting, we apply a 30-day cooling-off period before permanent deletion.
Export: Request your data in a machine-readable format (data portability). We currently handle export requests manually.
Restrict or object: Ask us to stop or limit how we process your data in certain circumstances.
Withdraw consent: For any processing based on consent — though most of our processing is based on contract or legitimate interest.
Complain: Lodge a complaint with the UK Information Commissioner's Office (ICO).

To exercise any of these rights, email privacy@folio.healthcare. We will respond within 30 days.

To complain to the ICO: ico.org.uk or 0303 123 1113.

8. Cookies

Folio uses a small number of essential and product-analytics cookies/local storage entries:

  • A Firebase Authentication session cookie, so you stay signed in.
  • A small set of internal preference values (e.g. dismissed banners, UI state). These are stored in your browser's localStorage, not as HTTP cookies.
  • PostHog analytics storage, used to understand page views, clicks, journeys through the app, and product usage.

We do not use advertising cookies or third-party ad trackers. We do use PostHog for product analytics so we can understand how Folio is used and improve the product.

9. Sharing your data

We share your data only with the third-party services strictly necessary to operate Folio:

  • Stripe — payment processing.
  • Firebase / Google Cloud — authentication and hosting.
  • Anthropic — AI text processing for the Audit Builder, when you use it.
  • PostHog — product analytics and usage measurement.

We do not share data with anyone else. We do not sell data. We do not use data brokers.

10. Children

Folio is a service for qualified medical doctors. It is not intended for users under 18. We do not knowingly collect data from anyone under 18.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify users by email. The latest version is always at folio.healthcare/privacy.

12. Contact

For privacy questions: privacy@folio.healthcare

For complaints you believe we haven't resolved, contact the UK Information Commissioner's Office at ico.org.uk or call 0303 123 1113.
