Privacy Policy
How PortfoLeo handles your data
Last updated: April 26, 2026
1. What Is PortfoLeo
PortfoLeo is an incorporated company (trading as Portfoleo Ltd) that functions as a Chrome extension and supporting web application that allows users to upload or record audio files, transcribe it using AI, and generate structured outputs to assist with completing forms such as those on the ISCP platform. It is a software for recording and summarising reflective debrief conversations for educational portfolio administration. There is no patient-identifiable data, no patient-specific advice, no diagnosis, triage, treatment, monitoring, or risk scoring, no recommendation that changes patient care and is not intended use by patients or for patient management. Portfoleo is positioning as a portfolio/admin tool for reflective practice. It is not intended for diagnosis, treatment, patient monitoring, or clinical decision support and therefore is not a medical device as defined by MHRA.
2. Information We Process
We may process the following types of data:
- Audio recordings you upload or record
- File metadata (e.g. filename, content type)
- Transcription output generated from audio
- Structured or reformatted text generated from transcription
- Authentication and session-related data
3. How We Use Information
We use this data only to provide the functionality of the service, including:
- Processing and transcribing audio
- Generating structured outputs using AI
- Returning results to the user
- Supporting authentication and job tracking
- Enabling user-triggered autofill functionality
- Logs for debugging during development
4. Data Processing and Third Parties
Data is processed using third-party services including:
- Amazon Web Services (AWS) – including S3, Lambda, and DynamoDB
- OpenAI APIs – including Whisper and GPT models
These services are used solely to provide the functionality of the application.
5. Third-Party Service Providers
Third-party providers process data in accordance with their own privacy policies and terms of service. While we take reasonable steps to use reputable providers and limit data processing to what is necessary, we do not control how these providers handle data once it is transmitted to them.
6. Data Retention
Data is retained only as long as necessary to process your request.
- Uploaded audio files and their processed counterparts are stored temporarily in AWS S3
- Job metadata is stored temporarily in DynamoDB
- Automated lifecycle and expiry rules delete data after a 24hour retention period
Deletion is asynchronous and may not occur exactly at the expiry time.
7. Sensitive Information
You must not upload or record sensitive information using this service.
- No patient or health data
- No confidential personal information
- No identifying or protected data
Users are responsible for ensuring they do not submit sensitive or restricted information.
8. Local Storage
The extension may store limited data locally in your browser (e.g. authentication tokens, job IDs, and recent results) to support functionality.
9. Permissions
The extension uses the following permissions:
- storage – to store authentication data and results
- identity – to handle secure sign-in
- activeTab – to enable autofill on supported pages
To use the audio recording feature, you must grant microphone access to the extension. This permission can be enabled through your browser settings:
Settings > Extensions > PortfoLeo > Details > Site Settings > Allow Microphone.
You may need to reload the extension for the permission to take effect.
10. Autofill Functionality
When triggered by the user, the extension may interact with supported websites (ISCP) to autofill form fields using generated content.
11. Security
We take reasonable steps to protect your data during transmission and processing. This includes the use of secure communication (HTTPS), authenticated access, and trusted cloud infrastructure providers such as AWS.
Access to data is limited to what is necessary to provide the service, and processing is performed in controlled environments.
However, no system can be guaranteed to be completely secure, and we cannot ensure absolute protection against all potential risks.
12. Acceptable Use
You agree not to misuse the service. This includes:
- Uploading unlawful or harmful content
- Attempting to disrupt or overload the service
- Attempting unauthorised access to systems
13. Changes to This Policy
We may update this Privacy Policy from time to time. Updates will be posted on this page.
14. Contact
If you have any questions please contact: