Legal

Privacy Policy

Your privacy is the foundation of this product. This policy explains, in plain language, what we collect, how we store it and what your rights are.

Effective date: 1 May 2026 · Operated by Odyssey Portfolio Ltd.

1. Who we are

Odyssey Portfolio (“Odyssey”, “we”, “us”) provides a private clinical portfolio for clinicians at odysseyportfolio.com and via mobile applications on iOS and Android. For the purposes of UK GDPR and EU GDPR, Odyssey Portfolio Ltd. is the data controller for personal data we collect about our users. You can contact us at contact@hummingbirdlabs.org.

2. The “no patient data” rule

Odyssey is intended for your professional reflection, not for storing patient records. You are strictly prohibited from entering patient-identifiable data into the platform. This includes, but is not limited to: patient names, addresses, dates of birth, NHS numbers, hospital numbers, photographs, recordings or any combination of attributes that could reasonably identify a specific patient.

Because of this rule, the content you write in Odyssey is treated as your professional intellectual property — your reflection on your own practice — and not as Protected Health Information (PHI). We are not a HIPAA Business Associate or equivalent. The responsibility for ensuring your entries are appropriately anonymised rests with you, the user.

3. What we collect

3.1 Account information

  • Email address — used to authenticate you and send essential service emails.
  • Display name — optional, shown in your profile.
  • Password hash — we never store your raw password. Hashes are computed and stored by our authentication provider, Supabase Auth.

3.2 Content you create

  • Entries, narratives, appraisals, reflections, tags and any text you choose to write inside the application.
  • Optional metadata you attach (date, duration, location category, custom tags).

3.3 Peer-review correspondence

  • If you send an entry for review, we store the supervisor's name and email solely for the purpose of delivering the magic link, recording who signed off the entry, and replying to any review notification bounces.

3.4 Technical data

  • Device & OS information (e.g. iOS 18, Android 14, Chrome 124) — used to triage support issues and target platform-specific updates.
  • Crash reports & diagnostic logs — collected only on opt-in basis for crash telemetry, with personally identifiable fields stripped.
  • IP address & coarse geolocation — captured in server logs for security (e.g. detecting brute-force sign-in attempts) and retained for 30 days.

3.5 Subscription information

  • An anonymised customer ID issued by RevenueCat, the platform we use to reconcile App Store / Google Play subscriptions.
  • The product identifier of your active subscription (e.g. odyssey_pro_monthly) and its expiry / renewal date.
  • We do not receive or store your card number, billing address or App Store / Google Play account email. Payment is handled entirely by Apple or Google.

4. Lawful basis for processing

  • Contract (Art. 6(1)(b)): processing necessary to provide the service to you.
  • Legitimate interest (Art. 6(1)(f)): processing necessary for security, fraud prevention, and improving the product, where this does not override your rights.
  • Consent (Art. 6(1)(a)): for optional analytics or marketing communications, which you can withdraw at any time.

5. Where your data is stored

All of your account data and the content you write is stored on infrastructure provided by Supabase, hosted in the European Union (Frankfurt, Germany). Data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. Each user's data is isolated by row-level security policies enforced at the database layer.

Static assets (images, PDF exports) are served via Cloudflare CDN and may be cached at edge nodes globally; the underlying storage of origin assets remains in the EU.

6. Sub-processors

We share the minimum data required with the following sub-processors. Each is bound by a Data Processing Agreement.

  • Supabase (Singapore-headquartered, EU region) — database, authentication, storage, edge functions.
  • RevenueCat (USA) — subscription state reconciliation between App Store and Google Play.
  • Apple Inc. — App Store payments (subject to Apple's privacy policy).
  • Google LLC — Google Play payments and authentication (subject to Google's privacy policy).
  • Postmark (USA) — transactional email (sign-in links, peer-review invites).
  • Cloudflare (USA) — CDN and DDoS protection.

For sub-processors based outside the EEA, transfers are protected by Standard Contractual Clauses (SCCs) and supplementary measures. We do not sell, rent or trade your personal data to any third party.

7. Retention

  • Active accounts: we retain your data for as long as your account exists.
  • Cancelled subscriptions: your account is reverted to the Free tier; no data is deleted on cancellation. You retain full read and export access.
  • Account deletion (in-app): signed-in users may delete their account and associated content at any time from Settings → Delete account in the iOS, Android or web app. When you complete that flow, we remove your data from the live database without undue delay. Deleting your Odyssey account does not cancel an Apple App Store or Google Play subscription; billing remains with the store until you cancel there (see our Help centre).
  • Account deletion (email): if you cannot sign in, you may request deletion of your account and all associated personal data by emailing contact@hummingbirdlabs.org from the email address tied to your account. We verify ownership, then remove your data from the live database within 24 hours of confirmation and from encrypted backups within 30 days.
  • Server logs: retained for 30 days, then permanently deleted.

8. Your rights

Under UK and EU GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Export your data in a portable format. You can do this in-app at any time via Settings → Your data → Export portfolio PDF.
  • Correct any inaccurate personal data.
  • Erase your account and associated data using Settings → Delete account in the app, or by emailing contact@hummingbirdlabs.org from your sign-in address if you cannot access the app. We will confirm email requests and process them as described under “Retention” above.
  • Restrict or object to processing in certain circumstances.
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local supervisory authority if you are in the EU.

To exercise any of these rights outside the in-app flows, email contact@hummingbirdlabs.org. We aim to respond within 30 days.

9. Children

Odyssey is intended for licensed clinical professionals and clinical students. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, please contact us and we will delete the account.

10. Cookies & analytics

Our website uses a small number of strictly necessary cookies for authentication and CSRF protection. We do not use third-party advertising cookies. Optional, anonymised product analytics may be enabled in the future on an opt-in basis only.

11. Security

We employ industry-standard security practices: encryption in transit and at rest, principle-of-least-privilege access controls for staff, two-factor authentication on all production systems, and continuous logging. No system is invulnerable; if we ever discover a personal data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours, in line with GDPR.

12. Changes to this policy

We may update this policy as the product evolves. The “Effective date” above will always reflect the most recent revision. Material changes will be communicated by in-app notice or email at least 14 days before they take effect.

13. Contact

All privacy and general enquiries: contact@hummingbirdlabs.org