Privacy Policy
Effective date: 28 June 2026 · Version 1.0
1. Who We Are
Proven. is a trading name of Nexi Bot LTD, a company registered in England and Wales (Company No. 16502958). Our registered address is Suite 627, 80A Ruskin Ave, Welling DA16 3QQ (correspondence only).
We are registered with the Information Commissioner's Office (ICO) under registration number ZB910034.
For all data protection enquiries, contact us at: [email protected]
2. Our Role Under Data Protection Law
Nexi Bot LTD is the data controller for personal data processed through provencpd.co.uk. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
3. What Personal Data We Collect
3.1 Data you provide directly
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address, password (hashed), role (student/NQP/mentor) | Creating and managing your account |
| Professional data | HCPC registration number, registration period start date | Populating your portfolio and audit records |
| Placement records | Provider names, dates, hours, shift types, notes | Tracking your clinical placements |
| CPD entries | Activity titles, dates, types, written notes | Logging your continuing professional development |
| Reflections | Text written within Gibbs/Driscoll/free-form models | Reflective practice records for your portfolio |
| Proficiency records | Competency status updates, evidence notes | Tracking clinical proficiencies |
| Attachments | Files you upload as evidence (certificates, documents) | Supporting your CPD and proficiency records |
3.2 Data collected automatically
| Category | Examples | Purpose |
|---|---|---|
| Session data | Session tokens, IP address, browser user agent | Maintaining your login session securely |
| Log data | Error logs, sign-off audit trail | Security, debugging, and audit integrity |
3.3 Data we do NOT collect
- Patient identifiable information (we actively warn users not to enter this — see Section 9)
- Payment card data (we do not process payments directly)
- Location data
- Data from third-party social media or advertising networks
4. Lawful Basis for Processing
| Processing Activity | Lawful Basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Providing core platform features (CPD, reflections, placements) | Performance of a contract (Art. 6(1)(b)) |
| Generating your PDF portfolio export | Performance of a contract (Art. 6(1)(b)) |
| ICO compliance, audit logs, sign-off records | Legal obligation (Art. 6(1)(c)) |
| Service communications (security alerts, account notices) | Legitimate interests (Art. 6(1)(f)) |
| Improving service performance and fixing bugs | Legitimate interests (Art. 6(1)(f)) |
5. How We Use Your Data
We use your personal data solely to:
- Operate your Proven. account and provide the platform's features
- Generate your HCPC-ready PDF portfolio on demand
- Allow Practice Educators (mentors) assigned to you to view and sign off your proficiencies
- Send you essential service communications (e.g. password resets, security notices)
- Maintain security, prevent fraud, and investigate misuse
- Comply with our legal obligations under UK law
We will never: sell your data, share it with advertisers, use it for AI model training, or transfer it outside the United Kingdom without your explicit consent.
6. Data Sharing
We do not sell, rent, or trade your personal data. We share it only in the following limited circumstances:
- Practice Educators / Mentors: Users assigned as your mentor can view your proficiency records and placement summaries strictly within the platform. This access is controlled by the platform and limited to what you have explicitly recorded.
- Hosting infrastructure: Our web hosting provider (Plesk / cPanel hosting within the United Kingdom) stores data on UK servers as a data processor under a written agreement.
- Legal requirement: If required by a court order, regulatory body, or law enforcement authority with lawful authority, we may disclose data. We will notify you where legally permitted to do so.
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 12 months after deletion request | Dispute resolution and legal obligations |
| CPD, placement, and reflection records | Duration of account | Core service functionality |
| Audit logs (sign-off records) | 6 years from creation | HCPC and professional accountability |
| Session data | 120 minutes of inactivity | Security |
| Error logs | 30 days rolling | Debugging and security monitoring |
When you request account deletion (see Section 10), we will erase your personal data within 30 days, subject to any legal retention obligations above.
8. Data Security
We implement the following technical and organisational measures to protect your data:
- All data in transit is encrypted via TLS (HTTPS)
- Passwords are stored using bcrypt hashing — we cannot recover your plaintext password
- Uploaded files are stored with access controls and served via expiring signed URLs
- Database access is restricted to the application server (no remote public access)
- CSRF protection on all forms
- Rate limiting on authentication and upload endpoints
- All data hosted in the United Kingdom
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected users without undue delay, as required by UK GDPR Article 33.
9. Patient and Third-Party Data Warning
Proven. applies in-platform warnings and technical guidance to assist with this, but the responsibility for anonymisation rests entirely with you as the user.
10. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
| Right | What This Means | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you | Account → Export Data, or email [email protected] |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Edit directly in your account, or contact us |
| Erasure (Art. 17) | Request deletion of your account and data | Account → Delete Account, or email us |
| Restriction (Art. 18) | Restrict processing of your data in certain circumstances | Email [email protected] |
| Portability (Art. 20) | Receive your data in a machine-readable format | Account → Export Data |
| Object (Art. 21) | Object to processing based on legitimate interests | Email [email protected] |
| Withdraw consent | Where processing is based on consent, withdraw it at any time | Email [email protected] |
We will respond to all rights requests within one calendar month. If your request is complex, we may extend this by a further two months and will notify you. Rights requests are free of charge unless manifestly unfounded or excessive.
11. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
We would, however, appreciate the opportunity to address your concern before you contact the ICO. Please email us first at [email protected].
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice on the platform at least 14 days before the change takes effect. The current version and effective date are always shown at the top of this page. Continued use of the platform after a change takes effect constitutes acceptance of the updated policy.
13. Contact Us
Nexi Bot LTD (trading as Proven.)
Suite 627, 80A Ruskin Ave, Welling DA16 3QQ
Email: [email protected]
ICO Reg: ZB910034 · Company No: 16502958