Legal, security & compliance

Everything in one place.

Our policies, and how we keep the data of trusts, clinicians and the women whose stories we carry safe.

Last updated · July 2026
Privacy policy

How we handle personal data

Upskill Health is the data controller for the accounts of clinicians and trust administrators, and a data processor for the training records we hold on behalf of NHS trusts. We collect only what a lesson or a compliance report needs — name, role, trust, and learning activity — and we process it under the lawful bases of contract and legitimate interest, and, for special-category data, under the health and social care provisions of the UK GDPR.

Upskill is a training platform, not a clinical system: it is designed to run without any patient-identifiable information, and users are instructed never to enter it. Data is hosted in the UK on Microsoft Azure, and — by agreement with each trust — training records are used to evidence learning and compliance under the trust's data processing agreement, never for disciplinary action or performance management.

The lived-experience stories women share with us are handled separately and only ever with explicit, revocable consent. We never sell data, and we keep records only as long as a trust's contract and the relevant NHS retention schedules require. You can request access, correction or deletion at any time by writing to our Clinical Safety Officer at andrew@upskill.health.

Terms of use

Using the Upskill platform

Access to the Upskill app and compliance dashboard is provided to named users under a trust's subscription agreement. Accounts are personal — credentials must not be shared, and the clinical content is provided for professional education, not as a substitute for local guidelines or clinical judgement. All training material, case studies and the software itself remain the intellectual property of Upskill Health.

The full terms that govern a subscription are set out in the trust's service agreement; this summary does not replace it. Questions about the terms can be sent to admin@upskill.health.

Cookies

What we store on your device

We keep cookies to a minimum. Essential cookies keep you signed in and remember where you are in a lesson — these are always on because the product cannot work without them. We use privacy-respecting analytics to understand which lessons land and where clinicians drop off; these are only set with your consent, and you can withdraw it at any time. We do not run advertising or third-party tracking cookies.

Accessibility

Training everyone can use

Our aim is to support a tired clinician upskilling in the ten minutes they have in the middle of a night shift, so accessibility is never an afterthought. We build to meet the Web Content Accessibility Guidelines (WCAG) 2.2 at level AA — sufficient colour contrast, full keyboard operation, captioned and described video, and clear focus states throughout. We test with screen readers and welcome reports of anything that falls short. If you meet a barrier, tell us at admin@upskill.health and we will fix it as a priority.

Security & compliance

Held to the standards the NHS expects

Data is encrypted in transit and at rest, hosted in the UK, and access is role-based and logged. We complete the NHS Data Security and Protection Toolkit, and our credentials are independently assessed and renewed on schedule.

Cyber Essentials Certified
Cyber Essentials Certified
The UK government-backed baseline for cyber security controls.
ORCHA Certified
ORCHA Assured
Independently reviewed against ORCHA's digital health standards in Spring 2026.
International transfers

Where your data is processed

Core Upskill data — accounts, training records and content — is hosted in the UK on Microsoft Azure.

The one optional feature that can involve processing outside the UK is the AI-powered roleplay, delivered through ElevenLabs (using OpenAI's GPT-4o within that service), where data may be stored and processed in the United States. It is used for simulated communication practice only, and clinicians are instructed never to enter patient-identifiable or patient-specific information. Other platform services that touch international infrastructure — push notifications and transactional email — receive only the minimal data they need, and never patient data. A trust's information-governance team can review our full transfer position as part of due diligence.

DCB0129 alignment

Clinical safety, by choice

DCB0129 is the NHS Data Coordination Board standard for clinical risk management in the manufacture of health IT systems. As a training platform rather than a system that directly informs a clinical decision at the point of care, Upskill sits outside the scope that formally mandates DCB0129 — but we apply its principles anyway, because the subject deserves it.

A named Clinical Safety Officer — a registered clinician who owns safety decisions across the product.
A live hazard log — potential clinical risks identified, assessed and mitigated, and reviewed as the product changes.
A Clinical Safety Case Report — the evidence, kept current, that we can share with a trust's clinical safety team.
Clinical content sign-off — every case is reviewed by clinicians before it reaches a learner.

Everything sits under a clinical safety management plan that a named Clinical Safety Officer reviews every six months and after any material change. Our clinical safety documentation is available to trusts on request as part of due diligence — book a conversation to see it.

© 2026 Upskill Health