Privacy Notice
Effective: 29 April 2026 | Version: 2026-04-29
CPD Standards Office Limited ("CPDSO", "we", "us") is the data controller for personal data processed through the CPD accreditation service. This notice explains what we collect, why, who else processes it on our behalf, how long we keep it, and the rights available to you under the UK GDPR and the Data Protection Act 2018.
If anything here is unclear or you want to exercise a right described below, contact privacy@cpdstandards.com. We respond within 30 days as required by Article 12(3).
Who we are
- Controller: CPD Standards Office Limited, United Kingdom.
- Privacy contact: privacy@cpdstandards.com
- ICO registration: registered with the UK Information Commissioner's Office.
Information we collect
We collect:
- Identity and contact details — name, email, phone, organisation, role. Provided by you (or by your organisation's account holder) when you book or take part in an accreditation assessment.
- Assessment intake responses — the answers you submit on our pre-assessment survey, hosted by GoHighLevel.
- Call recordings, transcripts, and AI-generated analysis — see the dedicated section below.
- Account and authentication data — log-in records, sessions, password hashes for staff users.
- Billing data — handled by Stripe; we receive transaction metadata, not card details.
- Diagnostic and error data — request metadata, error stack traces, performance traces. PII is filtered before being sent to our error monitor.
We do not collect special-category data (Article 9) and do not knowingly process data about children under 16.
Lawful basis
| Activity | Lawful basis |
|---|---|
| Delivering the accreditation service you or your organisation contracted for | Article 6(1)(b) — contract performance |
| Recording and transcribing assessment calls; AI-assisted analysis of those recordings | Article 6(1)(a) — consent, captured at survey intake |
| Retaining evidence after accreditation expires | Article 6(1)(f) — legitimate interests (defence of legal claims, accreditation integrity) and Article 17(3)(e) |
| Billing, fraud prevention, accounting records | Article 6(1)(c) — legal obligation |
| Error monitoring and security of the service | Article 6(1)(f) — legitimate interests (security of processing, Article 32) |
Call recordings and AI
When you take part in an accreditation assessment call, the call is recorded and a transcript is produced. We use AI (large-language-model) tools to help draft supporting analysis on the assessor's report.
- Consent. The pre-assessment survey asks you to confirm consent before the call takes place. You can decline, and the assessment will be conducted without recording or AI analysis where that is operationally possible.
- Who decides the result. A qualified human assessor scores each principle (Green / Amber / Red) and makes the formal accreditation decision. Those scores — not the AI output — determine the accreditation outcome that is recorded against your organisation.
- What the AI produces. The AI generates supporting analysis (summary, observations, suggested wording) which appears alongside the assessor's scoring on the report. The assessor's scores remain the binding decision in every case.
- Right to human review. If you believe AI-generated content on your report misrepresents the assessment, you can request human re-review by emailing privacy@cpdstandards.com. A senior assessor will re-examine the report and respond within 30 days.
- Article 22. Because the formal decision is made by a human assessor, this is not a "solely automated" decision under Article 22. The right to human review above is available in any case.
- Sub-processors. Recordings and transcripts are processed by Deepgram (transcription) and OpenAI (analysis) as set out in the table below. We use the standard API tiers, which contractually exclude use of customer data for model training.
Sub-processors
We use the following sub-processors. Each is bound by a Data Processing Agreement (DPA) and the disclosed transfer mechanism where data leaves the UK or EEA.
| Sub-processor | Purpose | Data | Location of processing | Transfer mechanism | DPA |
|---|---|---|---|---|---|
| GoHighLevel (LeadConnector) | CRM, survey intake, communications, billing workflow | Contact details, survey answers, communication history | United States | UK IDTA / EU SCCs in vendor DPA | ghl.com/legal |
| Stripe | Card payments and billing | Cardholder data (collected directly by Stripe; never stored by us), transaction metadata | United States, Ireland | UK IDTA / EU SCCs in vendor DPA | stripe.com/legal/dpa |
| Deepgram | Speech-to-text transcription of recorded assessment calls | Call audio, transcript | United States | UK IDTA / EU SCCs in vendor DPA | Deepgram account portal |
| OpenAI | AI-assisted analysis of call transcripts (API tier) | Transcript text, prompt context | United States | UK IDTA / EU SCCs in vendor DPA. Default API tier — content not used for model training. | openai.com/policies/data-processing-addendum |
| Sentry | Application error monitoring and diagnostics | Stack traces, request metadata (PII filtered before send) | Frankfurt, Germany (EU region) | EEA hosting — no third-country transfer required | sentry.io/legal/dpa |
| DigitalOcean | Application and database hosting | All service data at rest | London, United Kingdom | UK hosting | digitalocean.com/legal/data-processing-agreement |
We update this list when we add or change sub-processors. Material changes are flagged at the top of this notice.
How we share your information
We share personal data only with:
- the sub-processors listed above, acting on our written instructions;
- the organisation that purchased your accreditation, where you are an assessment participant (so that they receive the accreditation outcome);
- professional advisers, auditors, and insurers, where bound by confidentiality;
- public authorities, where required by law.
We do not sell personal data, and we do not use it for advertising.
Retention
We hold data for the shortest period consistent with the purpose for which we collected it.
| Tier | Data | Retention |
|---|---|---|
| Short | Webhook payloads, raw API debug logs | 90 days from receipt |
| Evidence | Call recordings, transcripts, AI analysis | While the linked accreditation is current, plus 6 years from accreditation expiry — to defend legal claims (Limitation Act 1980) and protect accreditation integrity |
| Outcome record | Assessment outcome, certificate metadata, assessor name, date | Indefinite — published / member-facing proof of accreditation |
| Compliance records | Subject-rights requests, consent records, audit log entries | Indefinite, as proof of compliance under Article 5(2) |
When evidence-tier retention ends, call recordings, transcripts and AI analysis are permanently deleted; the outcome record remains. Where no retention ground applies (no current accreditation and no overlapping legal-claims period), we anonymise on request.
Your rights
Under the UK GDPR you have the right to:
- Access a copy of the personal data we hold about you (Article 15).
- Rectify inaccurate or incomplete data (Article 16).
- Erase data where no overriding lawful basis applies (Article 17). We may refuse during the evidence-retention window above on Article 17(3)(e) grounds, and offer partial erasure of non-evidence data.
- Restrict or object to processing (Articles 18, 21).
- Portability — receive a structured copy of data you provided (Article 20).
- Withdraw consent at any time, where consent is the lawful basis. Withdrawing consent does not affect lawfulness of processing carried out before withdrawal.
- Request human review of any AI-generated content on your assessment report (see "Call recordings and AI" above).
- Complain to the UK Information Commissioner's Office at ico.org.uk. We would prefer a chance to address your concern first.
To exercise any of these rights, email privacy@cpdstandards.com. We will verify your identity (typically by replying from a known email address) and respond within 30 days. If a request is complex we may extend by a further two months and will tell you why within the first 30 days.
If a member of our team receives a rights request through any other channel, they are required to forward it to privacy@cpdstandards.com on the same day, so the 30-day clock under Article 12(3) is not delayed.
International transfers
The sub-processor table above lists each transfer location and mechanism. Where data is transferred outside the UK we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision, as appropriate. Copies of the relevant agreements are available on request.
Security
We apply technical and organisational measures appropriate to the risk, including:
- field-level encryption at rest for sensitive content (call transcripts, AI analysis, webhook payloads);
- TLS in transit;
- least-privilege access controls and authenticated sessions for staff;
- application error monitoring with PII filtering;
- redaction of personal identifiers from application logs;
- regular review of sub-processor security posture.
Internal access controls within our application currently match those of our CRM (GoHighLevel): all staff users in your organisation's account can view assessment records associated with that account. Tighter role-based controls are on our roadmap; this notice will be updated when they are in place.
Cookies and similar technologies
We use only cookies necessary for authentication and session management on our application. We do not use advertising or cross-site tracking cookies on the application. Marketing pages on our website may use analytics cookies under separate notice.
Changes to this notice
We may update this notice from time to time. The version and effective date at the top change with each revision. Material changes (new categories of data, new sub-processors, changed retention) are highlighted at the top of the notice for at least 30 days.