Learning Log
Back to home

Legal

Privacy Policy

Last updated: 19 May 2026 (v1.20)

Learning Log is a mobile application and browser extension created and operated by Delta 60 Ltd (“we”, “us”). This policy explains how we collect, use, and protect your personal data when you use the Learning Log app or browser extension, and when you visit or submit information through our website at learninglog.app.

1. Who we are

Delta 60 Ltd is a company registered in England and Wales (company number 17049123). Registered office: Lytchett House, 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, BH16 6FA. You can contact us at hello@delta60.com.

Delta 60 Ltd is the data controller for the personal information we hold about you, for the purposes of UK GDPR and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office (ICO). Our registration reference is ZC106781.

2. Information we collect

When you use Learning Log, we collect the following categories of information.

Account information

Your email address, name, professional title, occupation, professional registration body and registration number if you choose to provide them, and, for sign-in via Apple or Google, the basic profile information those providers share.

Learning content you create

Reading logs, event records, reflections, learning needs, favourites, saved links, and any notes you choose to save. This information may contain sensitive professional or workplace-related information which we treat with appropriate security and access controls.

Generated outputs

If you generate PDF reports or appraisal outputs, we store the generated file and related metadata such as the title, output type, source log, file size, creation date, and storage path. Generated outputs may include selected Learning Log content and profile details such as your name and professional registration details if those are included in the report.

Professional confidentiality

Learning Log is intended for reflective learning and professional development. You remain responsible for ensuring that anything you enter into the app complies with your professional, ethical, contractual, and legal obligations, including confidentiality obligations, employer policies, and professional guidance from your regulator. You must not enter directly identifiable patient information into Learning Log. Clinical reflections and case discussions should be written in anonymised or non-identifying form. If you accidentally enter information that may identify a patient or another person, you should delete or edit it promptly and contact us if you need help.

Voice recordings

When you use voice entry or inline dictation, the app records audio through your device microphone, with your permission. The audio is sent to our transcription provider, converted to text, and then discarded. We do not retain the audio after transcription, and our agreement with the provider restricts their use of audio to delivering the transcription. The microphone is only active while you are recording.

Location for Jobs

If you use the Jobs tab to find roles near you, the app may use your device location, with your permission, to filter and sort job listings. On Android we request approximate location only. On iOS we use a lower-accuracy foreground location request where available, but the precision available may also depend on your device settings. Your location is used only while you are using the Jobs feature. We do not request background location access, and we do not save your device location to your Learning Log account. Your latitude and longitude may be sent to our backend temporarily to calculate nearby jobs and distances. You can decline location permission and search by postcode instead.

Camera

When you tap a QR or barcode scan button (for example, to add an article, ISBN, or DOI), the app opens the camera to read the code. The camera is only active while the scanner is open. We do not store or transmit camera images; only the decoded code is used by the app. We always ask for your permission before any access to your camera.

Purchase records

If you buy tokens, we store the transaction amount, date, product identifier, token amount, expiry date, and the app store through which the transaction took place. We never see your card details, because payments are handled by the App Store or Google Play directly.

Marketing preferences

Your consent choices for email newsletters about Learning Log and, separately, other products from Delta 60 Ltd.

Push notifications

If you opt in to push notifications, we store your notification preference and an Expo push token for your device. When we send a notification, we may keep an internal delivery record showing whether delivery succeeded, failed, or the device token was no longer valid. You can turn notifications off in the app or in your device settings.

Bug reports, suggestions, and support information

If you report a problem or send feedback in the app, we store the text you submit, your account identifier, and, for bug reports, basic device, operating system, and app version information. We use this to investigate issues, improve the service, and protect against misuse of support channels.

Website forms, contact requests, and beta interest

Our website (learninglog.app) collects the information you submit through its forms. This may include your name, email address, mailing-list choices, beta tester interest, preferred beta platform, and any message you send through the contact form. Beta tester interest is operational rather than marketing: we use it to manage possible TestFlight or Play test track invitations and may email our admin address when you submit the form. Contact form messages are sent to us by email so we can read and respond to your enquiry. We do not use cookies on our website.

Technical and diagnostic information

Basic device, operating system, app version, request, and diagnostic information needed to run the app reliably, investigate faults, measure AI usage and cost, apply rate limits, and protect the service against abuse.

Crash and error reports

When the app or one of our server-side functions hits an unexpected error, an automated diagnostic report may be sent to our error-monitoring provider or stored in our internal diagnostics tables. These reports may include the error details, device and OS version, app version, function name, timing and technical context, and your internal account identifier. They are not intended to contain your name, email, learning content, stored voice recordings, or IP address. Although our provider sees your IP address at the moment of delivery (an unavoidable consequence of any internet connection), we have configured our provider not to retain IP addresses within stored crash reports.

AI and transcription diagnostics

We record operational metadata about AI and transcription features, including the function used, model, token counts, audio duration, approximate internal cost, error type, and request identifiers. If a transcription is rejected by an anti-hallucination or safety gate, we may store a short transcript snippet and related confidence or safety metadata so we can tune the system and investigate failures. If an AI provider returns an unexpected error or malformed response, we may store a short response snippet for diagnostic purposes.

AI content reports

If you flag AI-generated content as wrong, unhelpful, offensive, or otherwise inappropriate, we record the AI’s output, the input that produced it (including any voice transcript), the category you selected, any note you add, and operational metadata about the AI calls involved (model, token counts, audio duration, our internal cost). This is described in more detail in section 6.

News article reports

If you flag a news article from the news feed, we record the article’s URL and title, our internal article identifier, the category you selected, any note you add, and your account identifier. This is described in more detail in section 6.

Security flags

The AI providers we use require us to run safety controls on text we send to their models. To meet this requirement, we run automated moderation checks on AI inputs before they reach the model. If a check identifies text as potentially harmful or abusive, we may record the relevant submitted text or text excerpt, the categories matched, technical metadata, and your account identifier in a security log pending human review. If the moderation check is temporarily unavailable and we cannot complete it, we may record the relevant submitted text or text excerpt, technical metadata, and your account identifier so that content which bypassed the check remains reviewable. We do not routinely review AI content unless it has been flagged by our moderation systems, has been the subject of a user-submitted content report, is needed for security, abuse prevention, or legal compliance, or you have asked us to look at specific content as part of a support request.

Our browser extension uses your Learning Log account and the same data described above. When you click the extension button, it reads the address of the active tab so you can save the page as a favourite or start a reading log from it. It stores your favourites and sign-in session locally in your browser. We do not collect anything from the extension beyond what is listed above; in particular, we do not collect browsing history beyond the webpages you explicitly choose to save or process through the extension.

3. How we use your information

  • To provide the app, browser extension, website, and your account.
  • To store and manage your learning logs, event logs, favourites, generated outputs, and appraisal exports.
  • To process voice entries through our AI transcription and structuring services.
  • To process purchases and manage your token balance.
  • To send transactional emails (account, password, email change, deletion, and operational emails).
  • To send marketing emails only if you have consented to the relevant mailing list.
  • To manage optional push notifications where you have opted in.
  • To respond to contact form messages, bug reports, support requests, and feedback.
  • To manage beta tester interest and possible test track invitations.
  • To monitor AI and transcription quality, including rejected transcriptions, AI failures, and safety events.
  • To improve the app, detect bugs, prevent fraud and abuse, and keep the service secure. Where we use aggregated data for these purposes, it is not linked back to identifiable individuals.

4. Lawful basis (UK GDPR)

We process your personal data on the following lawful bases.

Contract (Article 6(1)(b) UK GDPR): Creating a Learning Log account forms a contract between you and us to deliver the service. We process your account details, learning content, generated outputs, voice transcription, AI-assisted text actions, token balance, and purchase records on this basis because the app would not work without them.

Consent (Article 6(1)(a) UK GDPR): We rely on consent for marketing emails and optional beta tester contact where applicable. You can withdraw marketing consent at any time in the app, through unsubscribe links, or by emailing us. Device permissions such as microphone, camera, location, and notifications are also under your control through the app and your device settings; turning them off stops the relevant feature from using that permission.

Legitimate interests (Article 6(1)(f) UK GDPR): We rely on this for activities where we have a justified business reason that does not override your rights. This includes keeping the app secure, running automated safety checks on AI inputs, diagnosing crashes and AI failures, investigating bug reports and support requests, preventing fraud and abuse, managing rate limits, improving our products using aggregated or minimised data, and keeping limited audit records. You can object to processing based on legitimate interests.

Legal obligation (Article 6(1)(c) UK GDPR): We keep certain records because UK law requires us to, principally financial and accounting records connected with purchases, refunds, and tax reporting.

Special category data: Learning Log is not designed to hold identifiable patient records, and you should not enter directly identifiable patient information. The app is intended for professional learning reflections written in anonymised or non-identifying form. If you choose to include health-related information about yourself or another person, you are responsible for ensuring that you have a lawful and professional basis to do so and that the information is appropriately anonymised. If we become aware that content may contain directly identifiable patient information, we may ask you to remove it, restrict processing of it, or delete it where appropriate.

5. Who we share data with

We use the following processors and service providers to run the service. They process your data only on our instructions, under contract, with appropriate safeguards.

  • Supabase: secure hosting of your account, learning logs, generated outputs, and other app data.
  • OpenAI: speech-to-text transcription and content-moderation checks. Audio and text are processed to provide transcription and safety checks. We configure provider settings and contracts, where available, to restrict use of submitted content to providing the service and maintaining safety.
  • OpenRouter: a routing service that forwards text-AI requests to underlying model providers (currently including OpenAI and Google models). Used for text refinement, title generation, voice-entry structuring, and inline dictation cleanup.
  • Mailgun: sending transactional, support, beta interest, and marketing emails on our behalf.
  • RevenueCat: managing in-app purchase records.
  • Apple and Google: app distribution, sign-in where selected, and payment processing.
  • Expo: delivery of optional push notifications to devices that have opted in.
  • Sentry: automated crash and error reporting. Hosted in the European Union (Frankfurt, Germany).
  • Vercel: hosting the learninglog.app website and website forms.

Where available, we configure AI providers not to use submitted content for training their general-purpose models.

We do not sell your personal information. We do not disclose learning content to advertisers or data brokers.

Legal and regulatory disclosure: We may also disclose personal information where we are required to do so by law, by court order, or by a regulator with legal authority to compel disclosure, and where we reasonably believe disclosure is necessary to comply with a legal obligation, to protect our rights or property, to investigate suspected fraud or abuse, or to prevent serious harm. We will challenge requests that appear overbroad and, where lawfully permitted, will tell affected users.

6. Reporting AI-generated and other content

If AI-generated content in the app appears wrong, unhelpful, offensive, or otherwise inappropriate, you can report it directly from the screen where it appears. You can also report news articles surfaced in the app’s news feed if a link is broken, behind a paywall, in the wrong category, or otherwise inappropriate. When you submit a report we record:

  • The content you are reporting. For AI output, this is the AI’s response and the input that produced it (for voice features, the raw transcript). For news articles, this is the article’s URL and title and our internal reference for that article.
  • The category you selected and any note you add.
  • Your account identifier, so we can follow up if needed.
  • For AI reports, operational metadata about the AI calls involved (the model used, token counts, audio duration where applicable, and our internal cost).

We use these reports to review what our AI and news feed are producing and to improve our prompts, moderation systems, news sourcing, and AI-assisted features. Reports are kept for up to 12 months and then deleted automatically. If you delete your account, your reports are anonymised so they remain useful for moderation analytics but are no longer attributable to you by ordinary account lookup. If you ask us to delete a report before then, we will do so unless we need to keep it for security, fraud prevention, legal compliance, or to handle an active support issue.

Aggregated, non-identifying moderation analytics derived from reports may be retained beyond that point to track trends in AI behaviour and news quality.

7. International transfers

Some of our processors (notably our AI providers and our website host) are based in the United States or may process data outside the UK or EEA. We hold a data processing agreement with each of the processors listed in section 5. Where the processor is based outside the UK or EEA, the data processing agreement includes safeguards required by UK GDPR, typically the UK’s International Data Transfer Addendum, the EU Standard Contractual Clauses, or another legally recognised transfer mechanism.

8. How long we keep your data

  • While your account is active: we keep what we need to provide the service, subject to the limits below.
  • Reading logs, event logs, and generated outputs: kept for up to 24 months from the date you created them, then deleted automatically. This applies whether your account is active or not.
  • Favourites: kept while your account is active. Deleted when you delete your account.
  • Voice recordings: not intentionally retained after transcription completes.
  • Transcription result cache: when you use a voice or dictation feature, the resulting transcribed and AI-processed text is held in a temporary cache for up to 72 hours. This lets the app safely repeat a request interrupted by a lost connection without re-processing your recording or charging your tokens twice. These cached results are deleted automatically after 72 hours, and immediately when you delete your account.
  • AI content reports: kept for up to 12 months and then deleted, as described in section 6.
  • News article reports: kept for up to 12 months and then deleted, as described in section 6.
  • Bug reports and support feedback: bug reports may be kept for up to 12 months after account deletion in anonymised form where needed for support operations, fraud investigation, and abuse prevention. General suggestions and feedback are kept while your account is active and deleted when your account is deleted, unless copied into aggregated, non-identifying product planning notes.
  • Push notification tokens: kept while you are opted in and the token remains valid. If you turn notifications off or the platform tells us the token is no longer valid, we delete or clear the token. Push broadcast and delivery records are kept for operational audit and troubleshooting for up to 12 months.
  • AI and transcription diagnostics: AI failure diagnostics and transcription rejection records are kept for up to 12 months from creation, and AI usage metadata for up to 24 months from creation, after which they are deleted automatically. We keep them for operational monitoring, cost accounting, safety tuning, and abuse prevention. Where these records are retained after account deletion, your account identifier is replaced with an anonymous marker, except for security audit logs where retaining an internal account identifier is necessary for audit, abuse prevention, or legal compliance.
  • Limited financial records: purchases, refunds, and related token ledger records are retained in anonymised form for at least 6 years and normally up to 7 years, unless a longer period is legally required, to meet UK tax and accounting obligations.
  • Marketing lists: kept until you unsubscribe or ask us to delete them. Learning Log account deletion removes you from Learning Log marketing and beta lists, but does not automatically remove you from Delta 60 cross-product marketing because that is a separate consent. You can leave Delta 60 marketing through the unsubscribe link in any Delta 60 marketing email or by contacting us.
  • Beta tester interest: kept while we are managing the beta programme and related invitations, unless you ask us to delete it sooner or we need to retain a limited record for abuse prevention or operational audit.
  • Inactive accounts: if you have not used the app for 12 months (no logs, favourites, or token use) and have no remaining tokens, we will email you to ask whether you want to keep the account. If you do not respond and remain inactive, we may delete the account and its data. You can prevent this by signing back in, creating any log or favourite, or replying to the warning email.
  • After you delete your account: your profile, learning content, favourites, generated outputs, and ordinary personal information are deleted. Limited financial records, AI usage records, content reports, bug reports, and transcription rejection records may be retained in anonymised form for the periods described above. Security audit logs may retain an internal account identifier where needed to evidence account deletion, investigate abuse or fraud, or comply with legal obligations.
  • Backups: deleted data may remain in encrypted backups for a limited period before automatic removal. Backups are restricted to disaster recovery and are not used for any other purpose.

9. Your rights

Under UK GDPR you have the right to:

  • Ask for a copy of the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your account and your data (you can do this from Settings inside the app, or by emailing us).
  • Export your learning logs in a portable format.
  • Object to processing or restrict it.
  • Withdraw consent for marketing emails and manage optional device permissions such as microphone, camera, location, and notifications.
  • Ask us to review or delete support, bug-report, or content-report submissions where this does not conflict with legal, security, or abuse-prevention obligations.
  • Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you.
  • Complain to the UK Information Commissioner’s Office (ico.org.uk).

To exercise any of these rights, email hello@delta60.com. We will respond within one month.

10. Children

Learning Log is intended for healthcare professionals and is not designed for use by anyone under 18. We do not knowingly collect data from children.

11. Security

We use industry-standard technical and organisational security measures designed to protect personal information, including encryption in transit, encrypted database storage, authenticated access controls, row-level authorisation, and restricted administrative access. No system is perfectly secure. If you believe your account has been compromised, contact us immediately.

Password breach checks: when you set or change a password, we use Supabase's built-in integration with HaveIBeenPwned to check whether your password has appeared in known data breaches. Your password itself is never sent. Only the first five characters of a one-way hash are sent. That fragment matches many possible passwords and cannot identify you.

Local cache on your device: To speed up app start-up, the app keeps a small local cache of recent reading logs, event logs, output metadata, and favourites in the device's standard application data storage. This cache is protected by your device's operating system encryption (iOS Data Protection / Android File-Based Encryption) when the device is locked. It is not separately encrypted by the app. The cache is cleared when you sign out and when you delete the app.

12. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top tells you when it was last updated and published. Material changes will be communicated by email, in-app notice, or another appropriate method.

13. Contact

Delta 60 Ltd · Lytchett House, 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, BH16 6FA · Company No. 17049123 · hello@delta60.com