Privacy Policy
Last updated: 7 June 2026
1. About this policy
This privacy policy explains how Best in Class Software Systems Ltd ("we", "us", "our") collects, uses, stores, and protects personal data when you use nhslearning.net ("the Service").
We are committed to handling personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). We process data lawfully, fairly, and transparently.
If you have any questions about this policy or about how your data is handled, please contact us at the address in section 14.
2. Who we are
We are Best in Class Software Systems Ltd, a private limited company registered in England and Wales.
- Company number: 16369340
- Registered office: 8 Yateley Drive, Barton Seagrave, Kettering, NN15 6BN, United Kingdom
- ICO registration number: ZC159462
nhslearning.net supports NHS-employed Diagnostic Radiography Practice Educators in their continuing professional development through an AI-assisted coaching tool we call Tendai.
3. The Service in brief, for context
We mention this here because understanding what the Service does is essential to understanding the data we handle.
The Service helps Practice Educators in NHS Trusts to manage their educational work — coordinating student placements, supporting newly qualified colleagues through preceptorship, planning continuing professional development sessions, and progressing through a structured five-stage development pathway. Educators interact with Tendai by email and through a web application, forwarding work-related emails for Tendai to process, asking questions, and recording reflections.
The Service is funded by NHS Trust Continuing Professional Development budgets and is provided under annual licence to individual educators with their Trust's authorisation.
4. The data we handle and our role for each category
Different categories of personal data have different legal arrangements. We have set these out clearly below.
4.1 Educator account data — we are the Data Controller
When you sign up as an educator, you provide us with the following personal data, and we determine how it is processed for the purposes of delivering the Service:
- Your full name
- Your NHS email address
- The name of the NHS Trust that employs you
- Your job title and the imaging modalities you work in
- Names of universities you work with on student placements
- Your current stage on the Practice Educator development pathway
- Your preferences (notification settings, holiday dates, signature for outbound emails)
- Your conversations with Tendai through our web application
- Documents and outputs generated by Tendai on your behalf
- Records of your activity on the Service (sign-ins, actions taken, items completed)
- Notes you make about your own development and CPD reflections
For this category of data, we are the Data Controller under UK GDPR.
4.2 Professional contact data — we are the Data Controller
When you request CPD funding approval from your Trust through our Service, you provide us with limited personal data about your line manager and your Trust's CPD lead — typically their names and NHS email addresses. We use this data to facilitate the approval and enrolment process you have initiated.
For this category of data, we are the Data Controller, but our processing is narrow in scope and limited to facilitating your CPD funding request.
4.3 Trust billing data — we are the Data Controller
When your Trust authorises payment for your licence, the person processing the payment provides us with billing information — the Trust's billing address, accounts payable email, optional cost code or department reference, and any purchase order number. They may also process a card payment through our payment provider, Stripe.
For card payments, the card details themselves are handled by Stripe and never reach our systems. For billing information, we are the Data Controller.
4.4 Third-party data contained in forwarded emails — we are the Data Processor
In the course of using the Service, educators forward to us emails relating to their professional work. These emails frequently contain personal data about third parties — typically students, preceptees, or colleagues — including their names, dates of birth, university details, performance information, and other information relevant to the educator's role.
Educators handle this data in the course of their NHS employment, with the authority of their employing Trust. When an educator forwards such data to our Service, we process it on their behalf and on behalf of their Trust, following the educator's instructions.
For this category of data:
- The Data Controller is the NHS Trust that employs the educator
- We act as the Data Processor, processing the data on the Trust's behalf
- Our processing activities are limited to those instructed by the educator (typically: generating documents, organising information, providing coaching responses)
- We do not use this data for any purpose other than delivering the Service to the educator
- We do not use this data to train any AI models or improve our underlying technology
- We make a Data Processing Agreement available to NHS Trusts to formalise this relationship
If you are a Trust seeking our Data Processing Agreement, please contact us at the address in section 14.
5. How we collect data
We collect data in three ways:
- Directly from you: when you sign up, complete your profile, send us emails, message Tendai through the web application, or interact with our Service in any way, we collect the data you provide.
- Automatically through your use of the Service: when you visit our website or use the Service, we collect technical data necessary for the Service to function (your IP address, browser type, timestamps of your activity, pages visited). We use this for security monitoring, abuse prevention, and operational analytics.
- From third parties acting on your behalf: when you ask Tendai to send approval emails to your manager or CPD lead, those individuals may then provide us with additional data when they respond, click links, or visit our enrolment page.
6. Why we process your data and our lawful basis
We process personal data only where we have a lawful basis to do so under UK GDPR. The bases we rely on are set out below.
- Performance of a contract: to deliver the Service to you under the terms of your subscription, including providing access to Tendai, generating documents, sending coaching responses, and managing your account.
- Legitimate interests: to operate, secure, and improve our Service; to communicate with you about your account; to send service notifications and renewal reminders; to prevent fraud and misuse. Our legitimate interests are balanced against your privacy rights, and we have assessed that they do not override those rights for these specific purposes.
- Legal obligation: to comply with applicable laws, including responding to lawful requests from authorities, maintaining records required for accounting and tax purposes, and meeting our obligations under data protection law.
- Consent: for any optional communications that fall outside the scope of operating the Service (for example, marketing communications, should we introduce these in future). You can withdraw consent at any time.
For data we process as a Data Processor on behalf of NHS Trusts (section 4.4), the lawful basis for processing lies with the Trust as Data Controller, not with us.
7. AI processing and the use of Anthropic
The Service uses artificial intelligence to deliver coaching and generate documents. We use the API of Anthropic, PBC, a US-headquartered company, to access their large language model service (Claude).
When you forward an email, ask Tendai a question, or otherwise generate a response, the relevant content is transmitted to Anthropic's API, processed to produce a response, and returned to you.
We have the following arrangements in place to protect your data in this transmission:
- We operate under Anthropic's Commercial Terms of Service and Data Processing Addendum
- Anthropic does not use data submitted via its API to train its models, as set out in Anthropic's published policies
- Anthropic retains API submissions only as needed to deliver the service and for limited safety review; details are set out in Anthropic's published data retention policy
- Where data crosses international borders to be processed by Anthropic, this is governed by the Standard Contractual Clauses approved under UK GDPR for international data transfers
We do not transmit to Anthropic any data beyond what is necessary to fulfil the specific request you have made. We do not share account credentials, payment information, or unrelated personal data with Anthropic.
If you have concerns about AI processing of your data, please contact us before submitting sensitive information through the Service.
8. Other third parties who process your data on our behalf
To operate the Service, we use a small number of third-party providers (sub-processors) who handle data on our behalf. Each is bound by contractual obligations to protect that data.
| Provider | Purpose |
|---|---|
| Vercel Inc. | Application hosting and database. Data hosted in UK or EU regions. |
| Clerk Inc. | Authentication services (sign-in and account access). Data hosted within UK/EU where supported. |
| Anthropic, PBC | AI processing services, as described in section 7. |
| Stripe Payments Europe Ltd | Payment processing. We do not store full card details; Stripe handles card data subject to PCI-DSS standards. |
| Zoho Corporation B.V. | Email mailbox services for our @nhslearning.net correspondence. |
| Zoho ZeptoMail | Transactional email delivery (automated messages such as digests, reminders, and payment confirmations). |
We keep an up-to-date list of all sub-processors and will provide it to NHS Trusts on request under our Data Processing Agreement.
9. How long we keep your data
We retain data only for as long as necessary to deliver the Service and to meet our legal obligations.
| Data category | Retention period | Notes |
|---|---|---|
| Educator account data | Duration of subscription + 12 months | The 12-month tail allows you to renew without losing your history, and allows your Trust to access records for audit purposes. |
| Forwarded email contents (raw) | 30 days | Structured data extracted from those emails is retained as part of your account data per the period above. |
| Chat conversations with Tendai | Duration of subscription | You can request deletion of individual conversations or your full history at any time. |
| Billing and accounting data | 7 years | In line with HMRC requirements for company record-keeping. |
| Authentication logs and security records | 12 months | For security and fraud prevention purposes. |
After these retention periods, data is securely deleted from our active systems and from our backups within a reasonable additional period (no more than 90 days).
10. How we protect your data
We take security seriously and have implemented technical and organisational measures appropriate to the data we handle, including:
- All data transmission encrypted using TLS 1.2 or higher
- All data at rest encrypted using industry-standard methods
- Multi-factor authentication on administrator accounts
- Role-based access controls limiting who can view what
- Regular review of access permissions
- Logging and monitoring of access to detect unusual activity
- Sub-processor agreements with each of our service providers
- A documented incident response process for data breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, and we will notify affected individuals where required.
11. Your rights
Under UK GDPR, you have the following rights in respect of your personal data:
- Right of access: you can request a copy of the personal data we hold about you.
- Right to rectification: you can ask us to correct inaccurate or incomplete data.
- Right to erasure: you can ask us to delete your data in certain circumstances (also known as the "right to be forgotten").
- Right to restrict processing: you can ask us to limit how we use your data while a concern is being investigated.
- Right to data portability: you can ask us to provide your data in a portable, machine-readable format.
- Right to object: you can object to our processing of your data where it is based on legitimate interests.
- Rights in relation to automated decision-making: we do not make automated decisions about you that have legal or similarly significant effects. Tendai's outputs are advisory and educational; they do not constitute decisions made about you.
To exercise any of these rights, please contact us at the address in section 14. We will respond within one month of receiving your request.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator, at ico.org.uk or by phone on 0303 123 1113.
12. International transfers
We host data primarily in the United Kingdom and the European Union. Where data is transferred outside the UK or EU (principally to Anthropic in the United States for AI processing), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved under UK GDPR and supplementary measures where required.
We do not transfer data to any country unless it has been deemed adequate under UK GDPR or the transfer is covered by an appropriate transfer mechanism.
14. Contact us
If you have questions about this policy, wish to exercise your rights, or have any concerns about how we handle your data, please contact us:
Best in Class Software Systems Ltd
8 Yateley Drive
Barton Seagrave, Kettering
NN15 6BN, United Kingdom
We aim to respond to all privacy enquiries within five working days.
15. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, our use of third-party services, or in the law. When we make material changes, we will notify active users by email and update the "Last updated" date at the top of this policy.
We recommend that you review this policy periodically.