Who we are

We are Expert Health Limited (EHL) and our medical professionals are providing the remote medical consultation and prescribing services as part of the Pharmacy2U Online Doctor. 

EHL is part of the wider Pharmacy2U Group (P2U). Although part of the wider Group, EHL remains a separate legal entity whose prescribers exercise independent clinical judgement, and it functions as an autonomous data controller for the Services provided. EHL is registered with the ICO (Information Commissioner’s Office): Z9318313 and is established in England & Wales (company no. 04058287). P2U is established in England & Wales (company no. 03802593) and is registered with the ICO: Z714211X. 

Who is the data controller?

For the Online Doctor Service, Expert Health Limited is the controller of your personal data. Pharmacy2U Limited acts as a separate controller for dispensing and pharmacy services.

At Expert Health Limited, we believe in giving our patients the best possible care, which includes taking care of your privacy so that you feel you can trust us and have confidence in the way we handle your information. 

Our Privacy Notice tells you what Personal Data we collect and why, explains your rights, and describes the types of data we might share about you and how we keep your information secure.

To help you understand how we treat your Personal Data, please read the following Notice carefully. 

We encourage you to only use this Service if you are completely happy with the service we offer, and the practices outlined in this Notice. 

Please note, this website may contain links to other websites which are provided for your convenience. We are only responsible for the privacy practices and security of this site. We recommend that you check the privacy and security notices/procedures of every website that you visit. 

If you have any questions about this Privacy Notice or want to contact our Data Protection Officer, please email: [email protected] or by post to Data Protection Officer, Expert Health Limited, Lumina, Park Approach, Thorpe Park, Leeds, LS15 8GB.

Changes to this Privacy Notice 

We may amend this Privacy Notice at any time. Any changes we may make will be posted on this page, so please check back frequently. Your continued use of our website and our Services after posting will constitute your acceptance of, and agreement to, any changes. 

What is Personal Data? 

Personal Data is any information that is related to a person that can be either directly or indirectly identified. 

Information we collect 

At the point of registration and communication we will collect personal information about you (both written and verbal) to provide you with the Services you require.  

This may include:  

  • your name; 

  • address; 

  • email; and

  • phone number. 

And other details relevant to the Service(s) that are of interest to you. 

  • We may also collect sensitive Personal Data concerning health matters from, or about you if you register for the Service. 

  • Your social media username, if you interact with us through those channels, to help us respond to your comments, questions, or feedback. 

  • Correspondences with us by e-mail, telephone or otherwise. 

  • Identity verification data, such as date of birth and verification results;

  • Clinical information you provide for consultations, including questionnaire responses, photographs or videos submitted for assessment, medical history, medication details, and your GP details.

  • Information you provide when you purchase products and/or Services from us. 

  • Information you provide when entering a competition, promotion, or survey. 

  • Technical information about your computer or device, internet connection and browser as well as the country, where your computer or device is located, your IP address, the pages viewed during your visit, the advertisements you clicked on, any search terms you may enter on our website and other information about your visit and how you used our website to deliver the best possible web experience.  

Use of tracking technologies in emails 

We use tracking technologies such as pixels in our email communications to enhance your experience and improve our Services. Tracking pixels are tiny, invisible images embedded in our emails that allow us to collect certain information when you interact with our emails. The data collected includes: 

  • Email Open Rates: We can determine if and when an email is opened. 

  • Click-Through Rates: We can track which links within the email are clicked and how often. 

  • Device Information: We can gather information about the device and browser you use to interact with our email so that we can better tailor our messages to the devices and browsers our recipients use. 

Purpose of Using Tracking Pixels 

The information collected through tracking pixels is used for the following purposes: 

  • Performance Monitoring: To measure the effectiveness of our email campaigns and understand what content resonates with our audience. 

  • Personalisation: To provide more relevant content and offers based on your interactions with our emails. 

  • User Engagement: To better understand your engagement with our emails and improve our communication strategies. 

  • Shared Information: Anonymised analytics may be shared internally and externally. We may verify actions performed by email recipients on a case-by-case basis, when required. 

Your Control Over Tracking 

If you do not wish to have tracking pixels collect this information, you can opt-out by: 

  • Unsubscribing: You can unsubscribe from our email list by clicking the unsubscribe link at the bottom of any of our emails. 

  • Email Client Settings: Some email clients such as Apple allow you to disable the automatic downloading of images, which will prevent tracking pixels from collecting data. 

We may supplement the information that you provide with information gathered from our communications with you or which we receive from other organisations, such as other companies in our group.

This information may be combined with other information you provide to us, as described above. 

Information we receive from other sources 

We also work closely with third parties (including, for example, business partners, service providers, advertising networks, analytics providers, and search information providers) and may receive information about you from them. 

This may be combined with other information you provide to us, as described above. 

Information about other people 

If you provide information to us about any person other than yourself, you confirm that you have made that person aware of how we may collect, use, and disclose their information, the reason you have provided it, how they can contact us, the terms of this Notice and that they have consented to such collection, use and disclosure. 

Cookies 

Cookies are small pieces of information that are stored by your browser on your computer’s hard drive and are used to record how you navigate this website on each visit. We use non-essential cookies and similar tech only with your consent, except where the law permits certain low-risk uses such as essential security and first-party analytics. You can change your preferences at any time in our cookie settings. 

To find out how we use cookies on this site, see our Cookies Notice.  

How we use your information 

All personal information that we obtain about you and/or any other person whose details you provide will be recorded, used, and protected by us in accordance with current data protection legislation, our Terms and Conditions and this Privacy Notice. 

We will primarily use the personal information:  

  • At registration 

In order to use the Online Doctor Service, you will be required to register with us and create a personal secure online account. We reserve the right to suspend or terminate your access to the Service at any time if we believe that your continued use of our Services will prejudice others or us. By registering to use the Online Doctor Service, you:

a.    confirm that the information you provide is accurate and complete; and

b.    agree to keep your username and password confidential and to take reasonable steps to protect and not to share the login details for your online account with anyone; and

c.    confirm that you are aged 18 or over.

  • To verify your identity 

  • To create and maintain your account once you have registered. 

  • To process and fulfil any orders that you place with us (through our website). If we don’t collect your Personal Data during checkout, we won’t be able to process your order. 

  • To respond to any queries, refund requests or complaints. Handling the information you submit to us enables us to respond effectively. We keep a record of these queries to demonstrate how we communicated with you throughout. We do this based on our contractual obligations, legal obligations, and our legitimate interests as a business in providing you with the best service.

  • To utilise third party suppliers/software for the dispensing of your prescribed medication.

  • To carry out market research so that we can improve the services we offer (where you consent).  

  • We may (where you consent) use your Personal Data, preferences, and details of your transactions to keep you informed by email, web/social media, text and telephone. We also include relevant products and services including special offers, discounts, promotions, events, surveys, and competitions tailored to you.

  • To allow you to participate in interactive features of our Services when you choose to do so. 

  • To capture your product reviews (for example when you buy goods and services from us, we may follow it up with an enquiry about your experience of the product to help us gauge customer satisfaction), or to conduct customer surveys. You are not obligated to leave reviews or complete surveys, but this facility would enable you to get your views of the product across should you wish to do so.

You can opt out of hearing from us about these at any time. 

  • To continuously improve our service to our customers by monitoring telephone calls which we receive at our call centres for the purposes of staff training, quality control and service improvement.  

  • To track and analyse activity on our website. 

  • To communicate with you in the event that any services requested are unavailable or if there is a query or problem with your order.

  • To notify you about any changes to our Services and to send you service emails relating to the activities you have asked us to undertake on your behalf. 

  • As part of our effort to keep our website safe and secure. 

  • To comply with applicable law. For example, in response to a request from a court or regulatory body, where such request is made in accordance with law. 

If you provide us with a testimonial, which may include personal information such as your name or alias, location, age, treatment details, and photographs, we will retain this data for as long as necessary to fulfil the purposes for which it was collected. We will always process this data in accordance with our data retention policies, and you may be contacted after a certain period to ask if you wish to provide an updated testimonial. 

The primary purpose of collecting and using testimonials, photographs, and related data is for marketing purposes. This may include displaying the materials on our website, social media platforms (including but not limited to Facebook, Instagram, and Reddit), and within marketing emails. Additional marketing channels may also be utilised as part of our broader marketing strategy and business needs. 

Lawful grounds for processing 

To process your data lawfully we need to rely on one or more valid legal grounds, which are as follows:

  • Provide remote consultations, clinical assessment and prescribing. Art. 6(1)(b) contract; Art. 9(2)(h) health care; DPA 2018 Sch. 1 para 2.

  • Dispensing and delivery coordination with Pharmacy2U Limited. Art. 6(1)(b) contract; Art. 9(2)(h); DPA 2018 Sch. 1 para 2.

  • Safeguarding and serious risk disclosures. Art. 6(1)(c) legal obligation and/or 6(1)(e)/(f); Art. 9(2)(g) substantial public interest and/or 9(2)(c) vital interests; DPA 2018 Sch. 1 paras 18 and/or 4.

  • Regulatory assurance and inspections (for example CQC/RQIA). Art. 6(1)(c) legal obligation; Art. 9(2)(h); DPA 2018 Sch. 1 para 2.

  • Customer service, complaints, and quality monitoring. Art. 6(1)(b) and/or 6(1)(f) legitimate interests; Art. 9(2)(h) where health data is involved; DPA 2018 Sch. 1 para 2.

  • Service communications about your account, orders or care. Art. 6(1)(b) contract.

  • Direct marketing by email/SMS/app notifications. Art. 6(1)(a) consent; PECR consent applies. You can withdraw consent at any time.

  • Analytics and website/app performance. Art. 6(1)(a) consent for non-essential cookies/trackers; Art. 6(1)(f) legitimate interests for strictly necessary security and service diagnostics.

  • Email tracking pixels. Art. 6(1)(a) consent; PECR consent applies for non-essential tracking.

  • Fraud prevention and security. Art. 6(1)(f) legitimate interests; where health data is implicated, Art. 9(2)(g)/(h) as applicable; DPA 2018 Sch. 1 paras 10 or 2.

For some activities (for example, ensuring the security of our systems and direct marketing), we rely on “recognised legitimate interests” under UK law.

We rely on the common law duty of confidentiality for medical information. We will usually seek your consent before disclosing confidential information to your GP or other third-party healthcare professionals, unless another legal basis applies, for example where disclosure is required by law or necessary to protect you or others from serious harm.

Where we process special category data and any criminal offence data, we maintain an Appropriate Policy Document under the Data Protection Act 2018 that describes our safeguards and retention periods.

Disclosing your personal information 

In order to provide our products and services, we may, occasionally, appoint other organisations to carry out some of the processing activities on our behalf. We will not share your personal information with any organisation other than those directly involved in delivering these services. 

Parties acting as a controller: 

We use Stripe for payments, analytics, and other business services. Stripe may collect Personal Data including via cookies and similar technologies. The Personal Data Stripe collects may include transactional data and identifying information about devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection, loss prevention, authentication, and analytics related to the performance of its services. You can learn more about Stripe and read its privacy policy at  https://stripe.com/privacy

Parties acting as a processor: 

  • Technology hosts. 

  • Providers of digital advertising services. 

  • Providers of marketing and sales software solutions. 

  • Printing companies. 

  • Our advertising partners who enable us to deliver personalised ads to your devices or similar advertising. 

  • Our outsourced service providers or suppliers to facilitate the provision of our products and/or services to you. 

  • Subject to your consent, to our marketing partners, who may contact you by post, email, telephone, SMS or by other means. If you do not wish to be contacted, you may unsubscribe by clicking “unsubscribe” in the message concerned. 

  • Analytics and search engine providers that assist us in the improvement and optimisation of our website. Your Personal Data is generally shared in a form that does not directly identify you. 

  • Our data centre provider for the safe keeping of your Personal Data, webhosting provider through which your Personal Data may be collected. 

  • Third party service providers and consultants in order to protect the security or integrity of our business, including our databases and systems and for business continuity reasons. 

  • Our Group companies who may contact you by email, phone or post about other products and services (including those from other organisations) in which you may be interested (where you have consented to such communication). 

  • Another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution, or similar event. In the case of a merger or sale, your Personal Data will be permanently transferred to a successor company. 

  • Public authorities where we are required by law to do so; 

  • If required, in order to receive legal advice. 

  • Any other third party where you have provided your consent. 

In these circumstances, we will ensure that personal information is properly protected and that it is only used in accordance with this Privacy Notice. 

We also collect, use and share Aggregated/Anonymised Data such as statistical or demographic data for any purpose. 

Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature or we may aggregate your data to build marketing personas or lookalikes to help us advertise to our patients better.

However, if we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Notice. Please note, where we aggregate data for marketing purposes, it will not be combined with your Personal Data, and you will not be able to be directly or indirectly identified as a result. 

Offers and opportunities 

We, our group and carefully selected third parties would like to contact you and/or any person whose information you provide to us to tell you and/or them about offers and opportunities that are available and about a range of other initiatives in a number of ways such as, by post, telephone, text/picture/video message, social media or email. 

We do not use your medical information for targeted advertising. Any marketing audiences are built from non-medical profile data where you have given consent.

Details of how to opt in or out of receiving details of offers are located in your account and in your welcome email.

You can opt out of hearing from us about these at any time. 

Security

We take the security of personal information seriously. 

Online Doctor Services use security technology, including firewalls, Secure Sockets Layer (SSL) and Web Application Firewalls, to protect information submitted through this website and have procedures in place to ensure paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage.

Nevertheless, electronic transmissions are never completely private or secure and there is a risk, therefore, that any electronic communications sent may be intercepted and potentially read by others. You should, therefore, ensure that any computer, device or telephone you use to access your online account is suitably protected from potential interception. 

You must not misuse the Services by:

i.    knowingly introducing viruses, trojans, worms, logic bombs or other material that is malicious or technologically harmful;

ii.    attempting to gain unauthorised access to the Services, the servers on which they are stored, or any server, computer or database connected to the Services; or

iii.    attacking the Service via a denial-of-service attack or a distributed denial-of-service attack.

By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities and will co-operate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use the Services will cease immediately. 

Transfers of Personal Data

In the course of our operations, your Personal Data may be processed within our group of companies located in the United Kingdom. 

Some of our partners to whom we may disclose personal information are located within the European Economic Area (EEA). 

For transfers within the EEA, we rely on adequacy decisions made by the United Kingdom Government, confirming that the data protection standards in those countries are sufficient (Article 45 of the UK GDPR). For transfers to third countries outside the United Kingdom and EEA and not covered by an adequacy decision, such as the United States, we ensure that appropriate safeguards are in place. These safeguards include using the UK’s International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) approved by the European Commission supplemented by the International Data Transfer Addendum (UK Addendum) or other mechanisms permitted under the UK GDPR (Article 46). For partners based in the United States, we are monitoring guidance from the ICO regarding appropriate transfer mechanisms.

Where applicable, we rely on the UK–US Data Bridge or, if not available, the IDTA or SCCs with the UK Addendum. You can request a copy of the relevant transfer safeguards by contacting the DPO.

We have data processing agreements in place with partners to secure the use of your data by these suppliers. 

Updating and correcting information 

We encourage you to promptly update your personal information online via your account if it changes.

If you are providing updates or corrections about another person, we may require you to provide us with proof that you are authorised to provide that information to us. 

Retention of Personal Data

We will retain data if regulation specifies or where we have a continued legitimate and lawful purpose to do so. We follow NHS and Private Healthcare Regulations and therefore keep your health record for 10 years after the last interaction. The records contain personal and medical data, contact details and messages exchanged with clinicians and patient advisory teams. If you wish for your medical record to be closed before the 10-year retention period, we will deactivate your account which means access will be revoked. Some datasets have different retention periods, for example complaints files (usually six years), financial records (six years), and call recordings (up to two years). We maintain a retention schedule and delete or anonymise data when no longer needed.

If you have registered and not ordered, we will retain this data for one year, or until you notify us and ask for your data to be deleted, whichever is sooner. 

We will not retain beyond these periods, any of your Personal Data that is no longer required for the purposes set out in this Privacy Notice. 

The retention of your Personal Data will be subject to periodic review. 

We may keep an anonymised form of your Personal Data, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.

Your rights

Data protection law provides data subjects with numerous rights, including the right to:   

  • access, 

  • rectify,   

  • erase, 

  • restrict, 

  • transport, 

  • object to the processing of Personal Data, including automated decision making. 

  • and make a complaint to us about our compliance with data protection law (see “How to complain about our use of your data”); and the right to complain to the ICO

Right to Make Subject Access Request (SAR)

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, data subjects have the right to request copies of their Personal Data held by us. For example, this could include a copy of your medical record, a transcript of a phone call, and so on. 

If you would like to make a SAR (i.e., a request for copies of the Personal Data we hold about you), you may do so by: 

using your secure account (recommended); or

emailing [email protected] or writing to:

Data Protection Officer, Expert Health Limited, Lumina, Park Approach, Thorpe Park, Leeds, LS15 8GB

Please ensure that your request clearly states that a SAR is being made. You may also be required to submit proof of your identity to verify your request. 

We will respond to your request within one month of receipt. Please note that in some cases, where the request is complex or numerous, we may extend this period by a further two months. If an extension is necessary, we will inform you within the initial one-month period. 

Right to rectification

You may request that we rectify any inaccurate and/or complete any incomplete Personal Data. 

Right to erasure  

You may request that we erase your Personal Data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your Personal Data, such as a legal obligation that we have to comply with, or if retention is necessary for us to comply with our legal obligations.

Right to restrict and withdraw consent 

You may, as permitted by applicable law, withdraw your consent to the processing of your Personal Data at any time. Such withdrawal will not affect the lawfulness of processing based on your previous consent.  

Please note that if you withdraw your consent, you may not be able to benefit from certain service features for which the processing of your personal data is essential.

Right to data portability

In certain circumstances, you may request that we provide your Personal Data to you in a structured, commonly used and machine-readable format and have it transferred to another provider of the same or similar services. We will comply with such transfer as far as it is technically feasible. Please note that a transfer to another provider does not imply erasure of your Personal Data which may still be required for legitimate and lawful purposes.

Right to object to processing

This includes automated processing and profiling. You have the option, as permitted by applicable law, to request that we stop processing your Personal Data. 

Some triage steps use automated rules to flag potential risk, eligibility or inappropriateness of treatment. These rules consider the answers you provide, such as symptoms, medical history and contraindications. A clinician reviews cases where the rules indicate risk, and you can request human review of any automated outcome, express your point of view and contest the decision.

Your right to complain to us about how we use your personal data

If you believe we have not complied with data protection law, you can make a complaint to us. We will make this easy to do and accept complaints electronically. We will acknowledge your complaint within 30 days of receiving it and respond without undue delay after we have investigated.

You can submit a complaint via your secure account or by emailing [email protected]. You may also write to: Data Protection Officer, Expert Health Limited, Lumina, Park Approach, Thorpe Park, Leeds, LS15 8GB.

You can still raise concerns with the Information Commissioner’s Office (ICO). The ICO generally expects you to try our process first. ICO contact: Wycliffe House, Water Lane, Wilmslow, SK9 5AF, 0303 123 1113, www.ico.org.uk.

Changes to the privacy laws and policies

Privacy laws and practice are constantly developing, and we aim to meet high standards. Our policies and procedures are, therefore, under continual review. We may, from time to time, update our security and privacy policies and suggest that you check this page periodically to review our latest policies. 

How to contact us

Telephone: 020 7989 9888 

Email:  [email protected]

Mail: Data Protection Officer, Expert Health Limited, Lumina, Park Approach, Thorpe Park, Leeds, LS15 8GB.

Page updated: 17/06/2025 

Previous update: 18/12/2024