Surgical Steps
  • Home
  • Courses
  • Question Bank
  • Sample Questions
  • About
  • Book a Mock

Privacy Policy

Last updated: 16 May 2026

Contents

  1. Who we are
  2. What information we collect
  3. How and why we use it
  4. Legal basis for processing
  5. Who we share it with
  6. How long we keep it
  7. Your rights
  8. Cookies
  9. Security
  10. Changes to this policy
  11. Contact

1. Who we are

Surgical Steps is operated by Surgical Steps Ltd, a company registered in England and Wales (company number 17229091). Our registered office address is available on request. For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for personal data we collect through this website.

You can contact us at hello@surgicalsteps.co.uk.

2. What information we collect

Account information

When you create an account we collect:

  • Your full name (which you provide during sign-up)
  • Your email address (used to sign in and to send service emails such as confirmation and password reset)
  • A password (stored in hashed form by our authentication provider; we never see or store your plain-text password)

Usage information

While you use the question bank we collect information about your activity, such as which questions you have viewed and your answers, in order to provide the service to you. This activity data is used only to serve your own account and progress; it is not used for any other purpose.

Technical information

Like most websites, our hosting provider automatically receives standard request information (IP address, user agent, page requested, timestamp) for the purposes of operating the site, security, and abuse prevention.

What we do not collect

We do not collect special category data (such as health information about you personally) and we do not ask for payment card details on this site — payments, if any, are handled by Stripe, who is the data controller for that information.

The clinical scenarios and educational content on this site are provided for exam preparation only and do not constitute medical advice. They must not be relied upon to make decisions about real patients.

3. How and why we use it

  • To create and manage your account, including authenticating you when you sign in.
  • To provide access to the question bank and track your progress through it.
  • To send essential service emails (account confirmation, password reset, important security or service notices).
  • To respond to support enquiries you send us.
  • To monitor for and prevent fraud, abuse, and security incidents.
  • To comply with our legal obligations.

We do not use your personal data for advertising or sell it to third parties.

4. Legal basis for processing

We process your personal data on the following lawful bases under UK GDPR:

  • Contract — processing necessary to provide the service you have signed up for (account, question bank access).
  • Legitimate interests — security monitoring, abuse prevention, and basic operational analytics.
  • Legal obligation — where we are required by law to retain or disclose information.
  • Consent — for any optional communications you have explicitly opted in to (we do not currently send marketing emails; if this changes you will be asked to opt in).

5. Who we share it with

We use the following third-party service providers ("processors") to operate the site. Each is bound by its own data protection terms with us:

  • Supabase (Supabase Inc., USA, with EU data hosting) — authentication and database hosting.
  • Vercel (Vercel Inc., USA) — website hosting and content delivery.
  • Stripe (Stripe Payments Europe, Ltd. / Stripe, Inc., USA) — payment processing. Stripe is the data controller for your payment card details, which we never see or store.
  • Resend (Resend, Inc., USA) — delivery of service emails such as account confirmation and password reset.

Some of these processors are based outside the UK. Where data is transferred outside the UK we rely on appropriate safeguards such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK addendum.

We do not sell your personal data. We will only disclose your data to other parties where we are required to do so by law (for example in response to a court order) or to protect our or others' rights, property, or safety.

6. How long we keep it

  • Account data — for as long as your account is active. If you delete your account (see "Your rights" below) we will delete your account data within 30 days, except where we are required to retain certain records for legal reasons.
  • Service email logs — up to 90 days for security and deliverability monitoring.
  • Web server logs — up to 30 days.

7. Your rights

Under UK GDPR you have the right to:

  • Be informed about how we use your data (this policy).
  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased ("right to be forgotten") — you can start this from your account page, or email us.
  • Restrict or object to certain types of processing.
  • Port your data to another service.
  • Withdraw consent at any time, where we relied on it.

To exercise any of these rights, email hello@surgicalsteps.co.uk. We will respond within one month.

If you are unhappy with how we have handled your data you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

We use a small number of strictly-necessary cookies and similar storage mechanisms to operate the site, plus optional functional and analytics cookies that we only set with your consent. The strictly-necessary ones include:

  • Authentication cookies / local storage — set by our authentication provider (Supabase) so that you stay signed in between visits.

We do not use advertising or third-party tracking cookies. We also use a small number of optional functional and analytics cookies to improve the site. These are not set unless you opt in: when you first visit we show a cookie banner allowing you to accept or reject non-essential cookies, and you can change your choice at any time. We do not use advertising or cross-site tracking cookies.

9. Security

We take reasonable technical and organisational measures to protect your data, including:

  • Encryption in transit (HTTPS) and at rest (provided by Supabase).
  • Passwords stored as salted hashes by our authentication provider.
  • Strict HTTP security headers (Content-Security-Policy, X-Frame-Options, Referrer-Policy, etc.).
  • Subresource integrity (SRI) for third-party scripts.

No system is perfectly secure. If you become aware of a security issue, please contact us at hello@surgicalsteps.co.uk.

10. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top will reflect the most recent change. Material changes will be notified to active account holders by email.

11. Contact

For any questions about this policy or how we handle your data, contact hello@surgicalsteps.co.uk.