Terms, Privacy, and Data Protection

Last updated: 12 June 2026. These Terms and this Privacy Notice apply to the FRCS Urology Viva revision website, also referred to as "we", "us", or "our". The service is operated by Cotswold Machine Learning.

The platform is an educational revision tool for healthcare professionals and examination candidates. It is not a medical device, healthcare provider, clinical decision-support system, or emergency service. Do not rely on the platform for diagnosis, treatment, patient management, or any other clinical decision.

1. Contact and Controller

For privacy, data protection, account, or legal requests, contact support@frcsurologyviva.com.

For most direct-to-user use of the website, Cotswold Machine Learning is the data controller. If we provide the service to an institution under a separate written agreement, that agreement may define different controller, processor, or joint controller roles.

2. Terms of Use

You must use the service only for lawful educational and revision purposes.
You are responsible for keeping your login credentials and devices secure.
You must not attempt to bypass access controls, scrape non-public content, disrupt the service, reverse engineer protected parts of the platform, or upload malicious files.
You must not submit real patient-identifiable data, protected health information, or confidential clinical records.
Subscription, trial, and payment features may be administered through Stripe or another payment provider. The payment provider handles card details under its own terms and privacy notice.
We may suspend or terminate access where needed to protect users, the service, or legal rights.

3. Educational Content and AI Feedback

The service includes question banks, model answers, mock viva workflows, transcripts, scoring, summaries, and examiner-style feedback. Some outputs are generated or assisted by AI systems and may be incomplete, inaccurate, or unsuitable for a particular circumstance.

You should check educational content against current clinical guidance, examination requirements, and professional judgement. AI feedback is for revision only and has no legal, employment, clinical, or similarly significant effect.

4. Intellectual Property

The website, software, question banks, model answers, feedback formats, scoring logic, design, and other platform materials are owned by us or our licensors. You may use them for your own personal revision or the authorised use agreed with us. You must not copy, redistribute, resell, publish, or train another system on platform content without written permission.

5. Data We Collect

Account data, such as email address, user identifier, role, programme, and plan status.
Authentication, trial, subscription, and billing metadata.
Practice data, such as selected topics, questions, typed answers, audio recordings, transcripts, normalised transcripts, scores, feedback, confidence ratings, progress, and session history.
Content you submit or administer, such as feedback messages, key paper submissions, uploaded Anki decks, guideline documents, custom flashcards, and admin edits.
Technical data, such as device and browser information, IP-derived security signals, request logs, diagnostic events, hashed user identifiers, analytics events, and error reports.

6. Patient Data, Special Category Data, and HIPAA

The service is designed for simulated examination practice, not for storing or processing real patient records. Do not upload or speak any information that identifies a real patient, including names, dates of birth, hospital numbers, NHS numbers, medical record numbers, addresses, images, or other identifiers.

Unless we have a separate written agreement that expressly says otherwise, we do not operate the service as a HIPAA covered entity or business associate, and the service is not intended to receive protected health information under HIPAA. If you are a HIPAA covered entity or business associate, you must not use the service for PHI unless we have signed a Business Associate Agreement and enabled the required HIPAA operational controls.

If you accidentally submit patient-identifiable, special category, or protected health information, contact us promptly so that we can assess, delete, restrict, or anonymise it where feasible and legally appropriate.

7. How We Use Data and Lawful Bases

To create accounts, authenticate users, manage access, provide trials and subscriptions, and deliver the service: contract or steps taken before a contract.
To transcribe answers, evaluate practice attempts, generate feedback, store progress, and support learning workflows: contract and, for microphone or audio submissions, your active submission or consent.
To secure the service, prevent abuse, debug errors, monitor reliability, improve content quality, and understand aggregate product usage: legitimate interests.
To process payments, tax, accounting, legal requests, disputes, and regulatory obligations: contract and legal obligation.
To send optional product or support communications where applicable: consent or legitimate interests, with opt-out where required.

You may object to processing based on legitimate interests by contacting us. We will stop that processing unless we have compelling legitimate grounds or need it for legal claims.

8. Processors and Sharing

We do not sell personal data. We share data only as needed to run, secure, and improve the service.

Supabase or equivalent infrastructure for authentication, database, and file storage.
Stripe or equivalent payment processors for checkout, subscriptions, invoices, and billing events.
OpenAI or equivalent AI providers for transcription, scoring support, feedback, summaries, and text-to-speech.
PostHog or equivalent analytics/observability services using pseudonymous identifiers where configured.
Sentry or equivalent error monitoring services using minimised diagnostic context where configured.
Hosting, email, security, legal, accounting, and professional service providers.
Authorities, regulators, courts, or counterparties where required by law or to protect legal rights.

9. AI Processing

When you submit audio, text answers, or admin content, relevant content may be sent to AI providers to transcribe, normalise, score, compare, summarise, generate draft content, or provide feedback. We aim to send only the information needed for the specific educational task. Do not include confidential patient, colleague, employer, or third-party personal data in prompts, recordings, uploaded documents, or feedback messages.

10. International Transfers

Our providers may process data in the UK, the EEA, the United States, or other locations where they operate. Where data protection law requires safeguards for international transfers, we rely on appropriate mechanisms such as adequacy regulations, the UK International Data Transfer Agreement or Addendum, EU Standard Contractual Clauses, or equivalent contractual and organisational safeguards.

11. Retention

Account, profile, subscription, and practice history are kept while your account is active.
Audio, transcripts, scores, feedback, and progress may be kept so that you can review prior attempts, receive delayed feedback, and track learning over time.
Security logs, audit records, background job records, diagnostics, and analytics are kept for as long as needed for security, reliability, abuse prevention, legal, and operational purposes.
Payment, tax, accounting, and dispute records may be kept for legally required retention periods.
If you request deletion, we will delete or anonymise personal data unless we need to retain it for legal, security, fraud prevention, accounting, dispute, backup, or legitimate operational reasons.

12. Your Data Protection Rights

Depending on your location and the lawful basis for processing, you may have rights to access, rectify, erase, restrict, object to processing, receive a portable copy of your data, and withdraw consent where processing is based on consent.

You can contact us to exercise these rights. If you are in the UK, you can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint. If you are in the EEA, you may also complain to your local supervisory authority.

13. Cookies, Local Storage, and Analytics

We use cookies, local storage, session storage, and similar technologies for essential authentication, account access, admin access, security, preferences, analytics, and reliability. Where analytics is enabled, we use pseudonymous identifiers rather than raw email addresses where feasible. Where consent is required for non-essential analytics, we will request it or provide a practical opt-out. You can control cookies and local storage through your browser settings, but some features may stop working if essential storage is disabled.

14. Security

We use technical and organisational measures intended to protect personal data, including authenticated access, role-based admin controls, transport encryption, upload validation, rate limiting, logging, monitoring, redacted audit events, and separation of service credentials. We investigate suspected security incidents, take containment and remediation steps, and make legally required notifications to affected users or regulators. No internet service can be guaranteed to be completely secure.

15. Children

The service is intended for adult healthcare professionals, trainees, and examination candidates. It is not directed to children, and users must not create accounts for children or submit children's personal data.

16. Liability

To the fullest extent permitted by law, the service is provided as an educational tool without warranties that it will be uninterrupted, error-free, or clinically complete. We are not liable for clinical decisions, examination outcomes, professional consequences, or losses caused by relying on educational or AI-generated content. Nothing in these Terms excludes liability that cannot legally be excluded.

17. Changes

We may update these Terms and this Privacy Notice as the service, law, or provider stack changes. The latest version will be posted on this page. Material changes may also be notified in the service or by email where appropriate.