Effective Date: 27 January 2026
This Privacy Policy explains how eGPHub Limited (“eGPHub”, “we”, “our” or “us”) collects, uses, shares, stores and protects personal data when you use our website (www.egphub.com) and our online learning platform (the “Platform”). We are committed to protecting your privacy and processing personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read this Policy carefully to understand how we handle your personal data.
1. Who we are and how to contact us
1.1 Identity of the data controller
1.1(a) eGPHub Limited is a company incorporated in England and Wales. Our registered office is at 128 City Road, London, United Kingdom, EC1V 2NX (company number 16896487), and we operate the website at www.egphub.com as well as the Platform. We are the data controller responsible for the personal data collected and processed via our website and Platform.
1.1(b) If you have any questions about this Privacy Policy or about the way we handle personal data, please contact us at info@egphub.com. If you prefer to write to us, please address your correspondence to E GP HUB LTD, 128 City Road, London, United Kingdom, EC1V 2NX.
2. Scope of this Policy
2.1 This Policy applies to the personal data we collect through:
2.1(a) Our marketing website hosted on WordPress at www.egphub.com (the “Website”);
2.1(b) Our learning management system hosted on Amazon Web Services (AWS) where you access courses and training content (the “Platform”); and
2.1(c) Our payment services processed via Stripe for any paid courses or services.
2.2 This Policy does not apply to third‑party websites or services that may be linked from our Website or Platform. We encourage you to review the privacy policies of any third‑party sites you visit.
3. Personal data we collect
3.1 We collect personal data directly from you when you use our Website or Platform. The types of data we collect include:
3.1(a) Identity and contact data: your full name, email address, phone number, organisation (such as GP practice, NHS trust, or employer name), and your job role or position.
3.1(b) Account data: username, password (stored in a secure hashed form), security questions and answers, and user preferences.
3.1(c) Learning data: course enrolments, progress records, completion status, assessment results and certificates.
3.1(d) Usage data: information about how you interact with the Website and Platform, including log information, IP address, device type, browser type, operating system and pages visited. We collect this data to ensure the security and performance of the Platform and to improve our services.
3.1(e) Communication data: records of communications with us (for example, if you contact us by email or via support tickets) and any feedback you provide.
3.1(f) Payment data: for paid courses, your payment details are processed securely by our payment provider, Stripe. We do not store full payment card numbers or security codes. We receive confirmation from Stripe when your payment is successful and limited transaction metadata (such as the last four digits of your card, expiry date and country).
3.1(g) Cookies and similar technologies: we use cookies and similar tracking technologies to enable the Website and Platform to function, to remember your preferences, and to understand how users navigate our pages. Cookies are small text files stored on your device. You can manage cookies through your browser settings, though essential cookies are necessary for the Website and Platform to operate correctly. We do not use cookies to target advertising or track you across other websites.
3.2 Special Category Data
We do not collect or process special category data (also known as sensitive personal data) as defined under the UK GDPR. This includes data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, sex life, or sexual orientation. Although we operate in a healthcare training context and collect information about your job role and learning progress, this does not constitute special category data.
Important notice: You must not upload, submit, or include any patient data, clinical records, health information, or other special category data in any free-text fields, feedback forms, support tickets, or communications with us. If you inadvertently provide such information, please notify us immediately at info@egphub.com so that we can delete it securely. Our Platform and courses are designed for professional training purposes only and are not intended for the processing of patient-identifiable or sensitive information.
4. How we use personal data
4.1 We use personal data only where we have a lawful basis. The main purposes for which we use personal data are:
4.1(a) Account creation and management: to register you on the Platform, create and administer your user account, verify your identity, and manage your user profile.
4.1(b) Course delivery and certification: to provide you with access to courses, track your progress, issue certificates upon completion and store your learning history.
4.1(c) Communication: to send you notices and updates about courses you are enrolled on, to respond to your queries, and to send essential information relating to your account. We may also send you optional newsletters and information about new courses; you can opt out at any time.
4.1(d) Payment processing: to facilitate payment for paid courses and issue invoices. Payments are processed by Stripe on our behalf.
4.1(e) Service improvement and analytics: to monitor usage of the Website and Platform, analyse trends, improve performance, develop new content and ensure the security of our systems.
4.1(f) Legal and compliance: to comply with applicable laws and regulations, respond to lawful requests from regulators or authorities, and enforce our legal rights.
5. Lawful bases for processing
5.1 Under the UK GDPR, we must have a lawful basis for processing personal data. Depending on the context, we rely on one or more of the following bases:
5.1(a) Contract: processing necessary to perform our contract with you, for example to create your account and provide access to courses.
5.1(b) Legitimate interests: processing for our legitimate interests in operating and improving the Platform and ensuring its security, provided your rights and freedoms are not overridden.
5.1(c) Legal obligation: processing necessary to comply with our legal obligations, such as record-keeping or responding to requests from regulatory authorities.
5.1(d) Consent: where we rely on your consent to send you optional communications or marketing. You can withdraw your consent at any time by following the instructions in our communications or contacting us.
5. Lawful bases for processing
5.1 Under the UK GDPR, we must have a lawful basis for processing personal data. Depending on the context, we rely on one or more of the following bases:
5.1(a) Contract: processing necessary to perform our contract with you, for example to create your account and provide access to courses.
5.1(b) Legitimate interests: processing for our legitimate interests in operating and improving the Platform and ensuring its security, provided your rights and freedoms are not overridden.
5.1(c) Legal obligation: processing necessary to comply with our legal obligations, such as record-keeping or responding to requests from regulatory authorities.
5.1(d) Consent: where we rely on your consent to send you optional communications or marketing. You can withdraw your consent at any time by following the instructions in our communications or contacting us.
5.2 Lawful Basis Mapping
The following table shows which lawful basis applies to each purpose for processing your personal data:
Account creation and management
Data: Name, email address, phone number, organisation, role, username, password
Lawful basis: Contract (necessary to perform our contract with you)
Course delivery, progress tracking, and certification
Data: Learning records, course enrolments, progress, completion status, assessment results, certificates
Lawful basis: Contract (necessary to perform our contract with you)
Payment processing
Data: Payment metadata from Stripe (transaction confirmation, last 4 digits of card)
Lawful basis: Contract (necessary to process payment) and Legal obligation (accounting/tax requirements)
Essential communications
Data: Email address, name, communication records
Purpose: Course updates, account notifications, support responses
Lawful basis: Contract (necessary to deliver the service you requested)
Optional newsletters and marketing
Data: Email address, name
Purpose: Information about new courses, updates, news
Lawful basis: Consent (you can opt out at any time)
Platform security, performance, and improvement
Data: Usage data, log information, IP address, device type, browser type
Purpose: Monitor usage, analyse trends, improve Platform, ensure security
Lawful basis: Legitimate interests (operating and improving our Platform, ensuring security)
Legal and regulatory compliance
Data: Any data necessary to comply with legal obligations
Purpose: Respond to lawful requests, maintain financial records, protect legal rights
Lawful basis: Legal obligation
6. Sharing personal data
6.1 We do not sell or rent personal data. We share personal data only when necessary to deliver our services, or where we are legally required to do so. Categories of recipients include:
6.1(a) Service providers: companies that provide services on our behalf, such as cloud hosting (AWS), learning management system services, WordPress hosting, email delivery services, customer support providers, and payment processing (Stripe). These providers have access to personal data only to perform their tasks and are contractually obligated to protect your data.
6.1(b) Professional advisors: our lawyers, accountants and auditors when necessary for the provision of professional services.
6.1(c) Regulatory and professional bodies: where relevant, we may share records of your course completion with professional bodies (for example, General Medical Council, nursing councils, or your employer) where requested by you or required by law.
6.1(d) Authorities: law enforcement or regulatory authorities when required to comply with legal obligations or to protect our rights or the rights of others.
7. International transfers
7.1 Some of our service providers are located outside the United Kingdom or process data outside the UK. When we transfer personal data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK Information Commissioner’s Office (ICO) and, where applicable, UK adequacy regulations.
7.2 Specific International Transfers
The following service providers may process your personal data outside the United Kingdom:
7.2(a) Amazon Web Services (AWS): Our learning management platform is hosted on AWS infrastructure. While we primarily use AWS regions located within the UK or EU, AWS may process data in other locations as part of their global infrastructure operations. AWS has implemented appropriate technical and organisational measures and standard contractual clauses approved for international data transfers.
7.2(b) Stripe: Payment processing is provided by Stripe, which may process payment data in the United States and other jurisdictions. Stripe has implemented appropriate safeguards including standard contractual clauses for international transfers and maintains compliance with applicable data protection requirements.
7.2(c) Email and communication providers: Our transactional email services may involve data processing outside the UK depending on the provider’s infrastructure. Any such providers are required to implement appropriate safeguards for international data transfers.
In all cases, we ensure that appropriate safeguards are in place before transferring personal data internationally, including standard contractual clauses, adequacy decisions (where applicable), or other mechanisms approved by the ICO. You may contact us for further information about the specific safeguards we use for international transfers.
8. Data retention
8.1 We retain personal data only as long as necessary for the purposes described in this Policy or as required by law. Typically this means:
8.1(a) Active accounts: Account information and learning records (including course enrolments, progress, completion status, assessment results, and certificates) are retained for as long as your account remains active. An account is considered active if you log in at least once within any 24-month period.
8.1(b) Inactive accounts: If your account has been inactive for 24 months, we may delete or anonymise your account data. We will send you an email notification to your registered email address 60 days before any deletion, giving you the opportunity to log in and keep your account active. Learning records and certificates will be retained for an additional 6 years after account deletion to comply with professional record-keeping requirements, after which they will be permanently deleted or fully anonymised.
8.1(c) User-requested deletion: If you request deletion of your account, we will delete your personal data within 30 days of your request, except where we are required to retain certain data for legal, regulatory, or legitimate business reasons (such as financial records for tax purposes or learning records to verify certificates). Data retained for these purposes will be kept only for the minimum period required and will be securely deleted thereafter. Backups containing your data may persist for up to 90 days after deletion from live systems but will not be accessed or restored except in exceptional circumstances.
8.1(d) Communications data: Records of communications with us (emails, support tickets, feedback) are retained for 3 years from the date of the last communication for record-keeping and quality assurance purposes, after which they are permanently deleted.
8.1(e) Payment and financial data: Transaction records and limited payment metadata received from Stripe are retained for 7 years to comply with UK accounting, tax, and financial record-keeping obligations (HMRC requirements).
9. Your rights
9.1 Under data protection law, you have the following rights:
9.1(a) Right of access: you can request a copy of the personal data we hold about you.
9.1(b) Right of rectification: you can ask us to correct inaccurate or incomplete data about you.
9.1(c) Right to erasure: you can ask us to delete your personal data in certain circumstances.
9.1(d) Right to restrict processing: you can ask us to restrict the processing of your data in certain circumstances.
9.1(e) Right to object: you can object to our processing of your data based on our legitimate interests or for direct marketing purposes.
9.1(f) Right to data portability: you can request that we transfer your data to another organisation or to you, where technically feasible.
9.1(g) Right to withdraw consent: where we process data based on your consent, you can withdraw your consent at any time.
9.1(h) Right to complain: you can lodge a complaint with the Information Commissioner’s Office (ICO) or another supervisory authority if you believe we have not complied with data protection laws. For more information, please visit ico.org.uk.
9.2 To exercise any of these rights, please contact us using the details in section 1. We will respond to your request within one month or as otherwise required by law.
10. Security of personal data
10.1 We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. For example, we host the Platform on secure cloud infrastructure (AWS), use encrypted connections (HTTPS), maintain firewalls and intrusion detection systems, and limit access to personal data to staff who need it to perform their duties. While we strive to protect your personal data, no system can be guaranteed to be completely secure, and you acknowledge that you use the Platform at your own discretion.
11. Cookies and tracking technologies
11.1 We use cookies and similar technologies on the Website and Platform to:
11.1(a) Allow you to log in and stay logged in;
11.1(b) Remember your preferences (such as language or accessibility settings);
11.1(c) Understand how you navigate our pages so we can improve usability and performance.
11.2 Essential cookies are necessary for the Platform to function. You may manage other cookies through your browser settings. Our cookies are not used to deliver advertising or to track you across other sites.
11.3 Categories of Cookies
We use the following categories of cookies on the Website and Platform:
(a) Strictly necessary cookies: These are essential for the Website and Platform to function. They enable core functionality such as security, authentication, and session management. These cookies are set by WordPress (our website hosting platform) and our learning management system hosted on AWS. Without these cookies, services you have requested (such as logging into your account) cannot be provided. These cookies do not require your consent as they are necessary for the operation of the service.
(b) Functionality cookies: These cookies allow the Website and Platform to remember choices you make (such as your username, language preference, or region) and provide enhanced, more personalised features. These cookies are set by WordPress and our Platform.
11.4 WordPress Cookies
Our marketing website is hosted on WordPress, which uses standard WordPress cookies including: (a) session cookies to maintain your logged-in session when you access the site; (b) user preference cookies to remember your settings; and (c) security cookies to authenticate users and prevent fraudulent use of login credentials. These are strictly necessary cookies required for the website to function.
11.5 No Analytics or Advertising Cookies
We do not currently use analytics cookies (such as Google Analytics) or advertising/tracking cookies. We do not track you across other websites or use cookies for targeted advertising.
11.6 Managing Cookies
Most web browsers allow you to manage cookie preferences through your browser settings. You can set your browser to refuse cookies or to alert you when cookies are being sent. However, please note that if you disable or refuse strictly necessary cookies, some parts of the Website and Platform may not function properly, and you may not be able to access your account or use certain features. For more information about managing cookies, please visit www.allaboutcookies.org.
12. Changes to this Privacy Policy
12.1 We may update this Policy from time to time. When we make changes, we will post the updated Policy on our Website and Platform with a new effective date. We encourage you to review this Policy periodically. If you continue to use the Website or Platform after any changes take effect, you will be deemed to have accepted the updated Policy.
13. How to contact us and the ICO
13.1 If you have questions about this Policy or wish to exercise your data protection rights, please contact us at info@egphub.com or write to: E GP HUB LTD, 128 City Road, London, United Kingdom, EC1V 2NX.
13.2 If you have a concern about our use of your personal data, you have the right to complain to the Information Commissioner’s Office (ICO). For details on how to contact the ICO, please visit their website at www.ico.org.uk.
