This policy explains what personal data SCA Explained collects, why, how it is used, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).
Who we are
SCA Explained is the data controller for the personal data described in this policy. If you have any questions, you can contact us at mrcgpexplained@outlook.com.
What data we collect and why
Booking data
When you book a place at a webinar or SCA Intensive, we collect your name and email address. We use this to:
- ●Confirm your booking and send you the Zoom joining link.
- ●Contact you about your booking if anything changes.
The lawful basis for this processing is contract performance — we need your details to provide the service you've booked.
Payment data
Payments for the SCA Intensive are processed by Stripe. We never receive or store your card number, CVV, or other sensitive payment details — these go directly to Stripe and are subject to their own privacy policy. We do store a Stripe checkout session reference alongside your booking record, so we can confirm payment status.
Technical data
Our hosting infrastructure (Vercel) and database (Supabase) may log standard server access data such as IP addresses and request timestamps for security and operational purposes. We do not use this data to profile or track individual users.
Cookies
This site does not use advertising, analytics, or tracking cookies. The only cookies set are those required for the website to function (e.g. session state during the checkout flow). No consent banner is required for strictly necessary cookies under UK law.
How long we keep your data
We keep booking records (name, email, payment reference, booking status) for up to two years from the date of the session, after which they are deleted. We may retain anonymised booking counts for longer for our own internal records (e.g. how many sessions we have run).
Who we share your data with
We share data only to the extent necessary to provide the service:
- ●Stripe — to process your payment. Stripe processes payment data as an independent data controller under their own terms.
- ●Resend — to send transactional emails (booking confirmations). Your email address is passed to Resend solely to deliver your confirmation.
- ●Supabase / Vercel — infrastructure providers that host the database and website. These act as data processors on our behalf and are contractually bound to appropriate data protection standards.
- ●Zoom — you join sessions via a Zoom link. Zoom processes data about session participants under their own terms. We do not share your personal data with Zoom; your name and email are not transmitted to Zoom by us.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
Your rights
Under UK GDPR you have the right to:
- ●Access — request a copy of the personal data we hold about you.
- ●Rectification — ask us to correct inaccurate data.
- ●Erasure — ask us to delete your data, where we have no overriding legal obligation to retain it.
- ●Restriction — ask us to limit how we process your data in certain circumstances.
- ●Portability — receive your data in a structured, machine-readable format.
- ●Object — object to processing based on legitimate interests. (We do not rely on legitimate interests as a basis for any processing described in this policy.)
To exercise any of these rights, email us at mrcgpexplained@outlook.com. We will respond within one month. We will not charge a fee for reasonable requests.
Complaints
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk/make-a-complaint. We would, however, appreciate the opportunity to address your concern directly first.
Changes to this policy
If we make material changes to this policy, we will update the date at the top of this page. We recommend checking back periodically.