Privacy policy

Effective 2026-05-05. British English throughout.

The short version

We collect the minimum we need to run a small, paid course: your name, your email, your country, and a record of what you have completed. We do not sell your data. We do not share it with advertisers. We do not run it through third-party trackers outside the small set of vendors named below, all chosen because they have a published GDPR posture and an EU-region option.

You can ask us what we hold about you at any time. You can ask us to delete it. The certificate you have earned is treated specially — see Erasure and certificates below.

Who we are

PhlebMastery is a paid online phlebotomy theory course operated by Talat Ahmed. The course is built on the World Health Organization’s 2010 Best Practices in Phlebotomy. We are based in the United Kingdom and the site is reachable at phlebotomy-course.com.

For privacy questions, write to support@phlebotomy-course.com. That mailbox is monitored. Queries are answered within seven working days.

What we collect, and why

When you create an account we ask for your full legal name, your email address, and your country. The name is used on your certificate; the email is used to sign you in and to send you transactional messages about your purchase; the country is used so we can show you the right regional price (we use Purchasing Power Parity tiers).

While you use the course we record which modules you have read, which quizzes you have attempted and how you scored, and which questions you have bookmarked. We use this to unlock the next module, to schedule retake cooldowns on the final assessment, and to issue your certificate when you pass.

When you pay, our payment partner (LemonSqueezy — see Vendors below) creates a billing record. We never see your card details. We do see the order identifier and the customer email, which we store so we can grant you access and process refunds.

When something goes wrong on the site, our error monitor (Sentry) records the error with redacted context so we can fix it. When you visit a page, our analytics layer (Vercel Analytics and Vercel Speed Insights) records the visit so we can see whether the funnel is working and so we can measure how fast the page loaded for you. Both are cookieless by default — they do not set tracking cookies, do not assign you a persistent identifier, and do not let us follow you from page to page as an individual. They report aggregated traffic and aggregated performance only.

What we do not collect

We do not collect your card details — ever. They go to LemonSqueezy and stay there. We do not collect health data, patient data, NHS numbers, or any other special-category personal data. This is a theoretical course; we do not need it.

We do not run third-party advertising trackers. The site has no Google Analytics, no Facebook pixel, no advertising SDKs of any kind. We do not run cross-site fingerprinting.

Vendors who process your data

We keep this list short on purpose. Each entry gives the minimum context you need to follow the data trail.

  • Supabase. Account database, authentication, file storage. Hosted in eu-west-1 (Ireland).
  • Vercel. Site hosting and edge runtime. Logs request lines but not request bodies.
  • LemonSqueezy. Payment processing as Merchant of Record. Holds your billing record. PCI-DSS compliant. We never see your card.
  • Resend. Email delivery for sign-up confirmation, magic links, password resets, and purchase receipts. EU sending region.
  • Vercel Analytics. Aggregated traffic measurement (page views, referrers, country-level geography). Cookieless by default — no persistent identifier is set for you. Reports aggregates only; we do not see individual visitor journeys.
  • Vercel Speed Insights. Aggregated Core Web Vitals (page load speed, responsiveness, layout stability) via the browser's built-in Web Vitals API. Cookieless. Reports performance percentiles, not individual sessions.
  • Sentry. Error monitoring. EU regional hosting. Sensitive headers and email-bearing query parameters are stripped before events are stored.
  • Google (Sign in with Google). Optional. If you choose Google sign-in, Google sends us your email, name, and profile picture — nothing else. If you sign in by email or magic link, Google is not involved.

None of these vendors use your data to train AI systems, send advertising, or profile you. Each has a published Data Processing Agreement that governs their handling of EU and UK personal data.

Planned, not currently active. We have reserved space for a product analytics tool (PostHog, EU instance) to give us a richer funnel view than aggregated page counts. It is not running on the site today. If we activate it before launch, we will update this page and email registered learners per Changes to this policy below.

Where your data is stored

The account database, your progress, and your certificate records are in Ireland (Supabase eu-west-1). Email is sent through Resend’s EU sending region. Aggregated analytics and Core Web Vitals are processed by Vercel as part of the site hosting platform. Billing records sit with LemonSqueezy under their published privacy posture.

No PhlebMastery service writes your data outside the EU/UK except where strictly necessary (Google’s OAuth handshake routes through Google’s global infrastructure for the duration of sign-in, by design of how OAuth works).

How long we keep it

While your account is active, we keep your records. If you delete your account, we soft-delete your profiles row immediately and purge it permanently after 30 days. Module progress, quiz attempts, and bookmarks are deleted with the account.

Verification logs (records of who looked up which certificate ID) are kept for 12 months and then rolled off. They never contain your name or email.

Active certificates are kept indefinitely — the certificate is the lasting product, designed for an employer to verify years later.

Your rights under UK GDPR

You have the right to ask us what we hold about you, to ask us to correct anything that is wrong, to ask us to delete it, to ask us to restrict how we use it, and to receive a portable copy. You also have the right to object to our use of your data for any purpose, including analytics.

We will respond to any such request within one month. For most requests, that means the same week.

If you are signed in, you can review what we hold about you and start an erasure request directly from your data dashboard. You can also email us at the address below; signed-in self-service is offered as a convenience, not a requirement.

If you think we are mishandling your data, you can complain to the UK Information Commissioner’s Office at ico.org.uk. We’d rather hear about it first — we will fix things faster than the regulator can.

Erasure and certificates

The PhlebMastery certificate is an educational completion record. It is not a regulated professional qualification or an accreditation issued by any awarding body — see our Terms of service for the full framing.

Certificates are treated differently from the rest of your data because they are designed to be a lasting, verifiable record an employer or institution can confirm. If you ask us to delete your account but you have earned a certificate, we will:

  • Replace your name on the certificate record with “[deleted user]”.
  • Re-render the PDF with the same change so the stored file matches.
  • Keep the certificate ID, issue date, course version, and status.

The certificate continues to exist as a verifiable credential, with your identity removed.

If you want the certificate itself revoked — not just anonymised — you can request that. Revocation is recorded; the certificate ID continues to resolve but shows a revoked status.

The choice between anonymisation and revocation is yours. We explain both in plain language at the moment of account deletion.

Cookies and similar technologies

We use cookies for one purpose: keeping you signed in. The session cookie is set by Supabase Auth and is essential to the service.

Our analytics layer (Vercel Analytics and Vercel Speed Insights) is cookieless. It does not set tracking cookies or assign you a persistent identifier. It reports aggregated traffic and aggregated page-load performance only.

We do not set advertising cookies, social-media cookies, or third-party tracking cookies.

Marketing emails

The marketing-opt-in checkbox at signup is unticked by default. We will not email you with marketing material unless you tick it. If you do, the cap is twelve emails per year; one click in any of them unsubscribes you. Unsubscribe is preserved across future purchases.

Transactional emails (sign-up confirmation, magic link, password reset, purchase receipt, certificate issued, access expiring) are not marketing — they continue while your account is active because they are part of the service.

Children

PhlebMastery is intended for adult learners considering or working in healthcare. We do not knowingly accept users under sixteen. If you believe a minor has signed up, contact us and we will close the account.

Changes to this policy

When we change this policy in a way that materially affects you, we will email registered learners at least fourteen days before the change takes effect. The effective date at the top of this page reflects the latest version.

The legal stuff in one paragraph

The legal bases under UK GDPR Article 6 are: contract for issuing and serving your course and certificate; legitimate interest for error monitoring, analytics on aggregated patterns, and the public verification service; consent for marketing emails. Where we rely on legitimate interest, you have an unconditional right to object.

Questions, concerns, or requests: support@phlebotomy-course.com. Looking for the team? About PhlebMastery. See also our Terms of service.