Privacy Policy

Last updated: 5 June 2026

This Privacy Policy explains how we collect, use, store and protect your personal data when you use our website and CPD accreditation services. We are committed to being transparent about how we handle your information and to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

The data controller responsible for your personal data is:

For any question about how we handle your data, contact us at [email protected].

Pre-launch notice

If you joined our waiting list

VeritasCPD is currently in active development and not yet operational. If you submitted your email via our waiting-list form, we collect and store only the following:

  • Your email address — used solely to send you a single launch announcement.
  • Your IP address — used for spam protection (Cloudflare Turnstile) and audit purposes.
  • Optional interest data (number of courses, term length) — used in aggregate to size launch capacity, never tied back to you individually in marketing.

We will not share waiting-list data with third parties, will not send marketing newsletters, and will retain entries for at most 12 months from signup or until launch — whichever comes first. After launch, the entries are deleted unless you've separately created an account.

To be removed at any time: email [email protected] from the address you signed up with. We action removal requests within 7 days.

2. What Personal Data We Collect

We collect and process the following categories of personal data:

  • Identity data: your full name and job title.
  • Contact data: your email address, telephone number and postal address.
  • Company data: your organisation name, company registration number (if any), VAT number (if any) and country of operation.
  • Account data: your username, password (stored as a one-way hash), and account preferences.
  • Transaction data: orders, invoices, payment status and accreditation history. Card numbers are not stored on our systems — payments are handled directly by Stripe (see section 9).
  • Technical data: IP address, browser type, operating system, and time zone setting.
  • Usage data: how you interact with our website and platform.
  • Communication data: any enquiry, email or contact-form submission you send us.

3. How We Collect Your Data

  • Registration and application forms when you create an account or apply for accreditation.
  • Contact and waiting-list forms on our website.
  • Email correspondence when you contact us directly.
  • Cookies and similar technologies as you use our site — see our Cookie Policy.
  • Payment data is collected directly by Stripe at checkout; we receive only the transaction outcome (not card details).

4. Why We Collect Your Data and Our Legal Basis

Under Article 6 UK GDPR we rely on the following lawful bases:

4.1 Contract performance

To take steps at your request before entering into a contract, and to perform our contract with you: processing accreditation applications, managing your account, delivering accreditation services, issuing invoices, and communicating about your accreditation status.

4.2 Legitimate interests

To operate, secure and improve our services, to prevent fraud and abuse (including bot-protection on forms), and — for existing business customers — to send occasional communications about our services. Where we rely on legitimate interests we have carried out a balancing test and concluded that your rights and freedoms are not overridden. You can object to this processing at any time (see section 7).

4.3 Consent

Where we rely on your consent (for example, for optional marketing communications), you may withdraw it at any time by emailing [email protected] or using the unsubscribe link in any message.

4.4 Legal obligation

To comply with statutory duties — for example, keeping financial records for HMRC and responding to lawful requests from public authorities.

5. How We Use Your Data

  • Process and manage CPD accreditation applications.
  • Provide and maintain your account on our platform.
  • Issue invoices and process payments through Stripe.
  • Respond to enquiries and provide customer support.
  • Send service-related notifications (renewal reminders, accreditation status updates).
  • Protect our site from abuse and fraud.
  • Comply with legal, tax and regulatory obligations.

6. How Long We Keep Your Data

  • Account data: for the duration of your account and up to 2 years after your last interaction.
  • Accreditation records: for the duration of your accreditation period plus 3 years, to allow for queries or disputes.
  • Contact and waiting-list submissions: up to 12 months from submission.
  • Financial records (invoices, orders, payments): 6 years after the end of the relevant accounting period, as required by HMRC.
  • Marketing preferences: until you withdraw consent or unsubscribe.
  • Server and access logs: up to 90 days.

When your data is no longer needed we will delete or anonymise it securely.

7. Your Rights

Under the UK GDPR you have the following rights:

  • Access — to a copy of the personal data we hold about you.
  • Rectification — to have inaccurate or incomplete data corrected.
  • Erasure — to have your data deleted, where no overriding obligation (such as tax record-keeping) applies.
  • Restriction — to limit how we use your data in specific circumstances.
  • Portability — to receive your data in a structured, commonly used, machine-readable format.
  • Objection — to processing based on legitimate interests, including direct marketing.
  • Withdraw consent — at any time, where consent is our lawful basis.

To exercise any of these rights, email [email protected]. We will respond within one month. If you are not satisfied with our response you have the right to complain to the Information Commissioner's Office (ico.org.uk).

8. Cookies

Our site uses a small number of strictly-necessary cookies required for the site to function (session, CSRF protection, login) and one third-party bot-protection cookie set by Cloudflare Turnstile on the waiting-list form. We do not currently use analytics or advertising cookies. Full details: Cookie Policy.

9. Third Parties and Sub-Processors

We do not sell, trade, or rent your personal data. The following third-party service providers process personal data on our behalf:

Provider Purpose Data processed Location
Stripe Payments UK, Ltd. / Stripe, Inc. Payment processing and fraud prevention at checkout Name, email, billing address, card data (collected directly by Stripe; we do not see card numbers) UK, EU, US
Cloudflare, Inc. Bot-protection (Turnstile) on public forms and infrastructure protection IP address, browser fingerprint, challenge-response token Global, with UK/EU edge nodes
Our hosting provider Website and database hosting All data you submit via the site (stored at rest) UK / EU data centres

All processors are bound by written data-processing terms that require them to handle your data in line with UK GDPR and only on our documented instructions.

10. International Data Transfers

Where a processor transfers your data outside the UK (for example, Stripe and Cloudflare may process data in the United States), we rely on one of the safeguards permitted under UK GDPR:

  • an adequacy decision made by the UK government for that country, or
  • the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) with the UK Addendum.

You can request a copy of the relevant safeguard by emailing [email protected].

11. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures, including:

  • encryption of data in transit over HTTPS/TLS;
  • one-way hashing of account passwords;
  • role-based access controls to internal administration tools;
  • regular security updates of the application and its dependencies;
  • a documented incident-response procedure for data breaches, including notification to the ICO within 72 hours where required.

No method of electronic transmission or storage is completely secure, but we maintain the highest practicable standards.

12. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects concerning you. Accreditation decisions are made by human assessors.

13. Who Our Services Are For

Our services are directed at professionals and training organisations acting in a business capacity. We do not knowingly collect personal data from anyone who is not a business contact. If you believe we hold data about you that was collected in error, please contact us and we will remove it.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be posted on this page with an updated "Last updated" date, and, where we have your contact details, we will notify you by email.

15. Contact Us

If you have any question, concern, or request regarding this Privacy Policy or our data practices:

This policy does not constitute legal advice. For specific legal questions, please consult a qualified solicitor.