About Us

Pharmacy2U is a UK online pharmacy registered with the General Pharmaceutical Council (GPhC). You may review our GPhC registration details at www.pharmacyregulation.org/registers/pharmacy/registrationnumber/9010146.

Our head office address is:

Pharmacy2U Limited,
Lumina,
Park Approach,
Thorpe Park,
Leeds
LS15 8GB

Managing our data processing activities

We have appointed a Data Protection Officer to oversee our handling of personal data. You may contact the Data Protection Officer by email at [email protected], by phone at 0113 265 0222, or in writing at our head office address above.

If you have any questions about our privacy policy or our approach to data protection and privacy, please contact our Data Protection Officer.

Purpose and scope of this privacy policy

This privacy policy provides information about how we handle information about people who visit our website and mobile app, and who use our services.

Our privacy policy provides you with a lot of information. We have organised it into sections to make it easier for you to read and understand. Some information is in expandable sections to make it easier to read.

Your privacy matters to us, so whether you are new to Pharmacy2U or a long-time patient, please do take the time to read this policy. If you have any questions, please contact us. We respect your right to privacy and are committed to explaining clearly and honestly how we use the information we hold about you. This privacy policy will help you to understand what information we collect, why we collect it, and what we do with it.

We do not knowingly collect information from children or other persons who are under 18 years old via our website. If you are under 18 years old, you must not submit any personal information to us directly or subscribe to our services.

The information we collect, how and why we use it

Website and app visitors

When you visit our website we collect information about your visit, including information about which pages you visit and for how long, the website you came from and went to before and after visiting our website, and information about the device you used to access our websites such as the type of phone/PC, operating system, and IP address. We may also place cookies on the device you use to access our website, further information about this is in our cookie policy.

We collect this information to help us to understand how people use our website and access our services so that we can ensure they are developed to meet customer needs.

The law allows us to collect and use this information for these purposes pursuant to our legitimate interests of operating a commercial business and providing high-quality web services. We retain this type of information for no longer than we need it. The information we collect is used as anonymised, high-level data to help us understand website traffic trends. Our website is currently hosted by third party providers who may on occasion have access to the information we collect.

We may also disclose information collected for the purposes listed above with our professional advisors such as marketing agencies and security advisors.

Website and app registration

We collect, store, and use information about people who register to use our services. The information we collect comprises the information that you submit using our data collection forms, which will include your name, address, and contact information. You will know what information we are collecting as this is what you submit into our data collection forms on our website or app.

We use this information to create an account that enables you to use our services. We collect the following information during the registration process:

Type of information & purpose(s)

Name and address

  1. To enable us to identify you

  2. Personalise your experience on our website and app

  3. Correspond with you

  4. Send your orders to you

  5. To create an account for you on our website and database

  6. To verify who you are when you complete an online doctor consultation (we may need to ask for your passport or driving licence if we cannot identify you through your name and address)

Date of birth and gender

to enable us to identify you

Email address and phone numbers

to communicate with you

GP surgery and NHS number

to confirm your medical details with the NHS and your GP, so we can process your prescriptions

Details of any medical exemption

so we know if you are eligible for free prescriptions

The law allows us to collect and use this information because it is in our legitimate interests to provide our services and to process your prescriptions and this information is necessary for us to do so. It is also in the interests of our service users to enable them to place orders for medications and for us to confirm their medical details with the NHS and their GP. Any data concerning health that we collect is used for the provision of health care or treatment, the management of health care systems and services, and to check that prescribed medications are suitable for you.

We use your name, address, and other pieces of ID gathered at registration for our online doctor's consultation service. The law allows us to do this in order to fulfil your request and to allow us to consult with the online doctor service, with your consent. In order to verify your ID for certain accounts, we may share your details with the verification service provider.

We may also use the information listed to prevent fraud and to enable us to fulfil any orders for medications that you place with us. If you place orders with us, you need to give us the information above to enable us to fulfil your order. If you are not able to provide this, then we will not be able to process any orders for you. This information will also help us to check the performance of our website and app and resolve technical issues.

We only retain this information for as long as we need it or are required by legal or professional guidance to retain it. This type of information is shared with the NHS, your GP, and organisations we use to check, dispatch, and take payment for your order. We may also disclose information collected for these purposes with our professional advisors such as medical advisors, security advisors, couriers, and Royal Mail.

Orders, medications, and prescriptions

We collect, store, and use information about orders placed with us. You may place orders for medications and other products on our website, via our app, by email, webchat and over the phone. Because medications can be dangerous, we only take orders from account holders about whom we have collected relevant medical and personal information. When you place an order with us, we will ask you a series of questions to verify your identity. Once we are satisfied that we have verified your identity, you may submit an order with us providing information about the medications you require and other data concerning your health.

We use this information along with other information we hold about you to check that the prescribed medications are suitable for you and your medical condition(s), and to fulfil your order. We collect the following information in a typical order:

Type of information & purpose(s)

Your medication

to enable us to fulfil any orders you may place and to assess the suitability of medicines that are ordered, and provide health advice; to send you reminders to order your prescription and provide general health advice

Payment details

to take payment for your order, if you are required to pay for the services we provide to you

Your feedback

to enable us to answer any complaints or issues you might have, gather and share customer reviews with other customers and prospects to build confidence in our services and make us accountable to customers and focus our efforts on service improvements

Safe place for deliveries

so we know where to deliver your medication and keep it safe in the event that you are not present to accept the delivery, have consented to the use of a safe place, and the parcel contains items that are appropriate for this delivery method

The law allows us to collect and use this information to enable us to fulfil the orders that you place with us. Any data concerning your health that we collect is used for the provision of healthcare or treatment, the management of healthcare systems and services, and to check that the medications are suitable for you. We use the information to prevent fraud and to enable us to fulfil any orders for medications that you place with us. You need to give us order and payment information, if you pay for the services we provide, to enable us to fulfil your order. If you are not able to provide this then we will not be able to process any orders for you.

If you are prescribed a bespoke medication or tailor-made medical equipment or appliances, which we need to source externally, we would not share your medical information directly with the
relevant supplier but all suppliers for these medications are NHS registered themselves and would download this data directly from your prescription from the central NHS system. We are sharing contact details for affected patients with the relevant suppliers to enable direct communications e.g. regarding measurements or other tailoring to ensure that a relevant prescription is fulfilled as quickly as possible.

Supplier purpose(s)

Ostomed Healthcare Ltd

to enable us to fulfil any orders containing only appliances (that fall under Part IX of the drug tariff) and to ensure the best levels of service for these appliances sourced from our Dispensing Appliance partner

We retain information about orders only for as long as we need it, and for the period we are required to retain it, to comply with relevant legal and professional guidance. This type of information is shared with the NHS, your GP, and organisations we use to check, dispatch, and take payment for your order. We may also disclose information collected for these purposes with our professional advisors such as medical advisors, and security advisors. We collect customer reviews using specialist third party services including Feefo and Trustpilot in pursuit of our interests of promoting our services and in the interests of our customers to provide them with a mechanism for rating the quality of service they received and/or raising service issues with us. We will only give Trustpilot your email address, so they can ask you to leave a review. Customer reviews are retained for as long as the reviewer wishes (or deleted if they are deemed incorrect or fraudulent). Trustpilot and their sub-processors may carry out data transfers, however, data processing agreements are in place, which contains EU SCCs with all sub-processors located outside the EEA and they are reinforced by additional safeguards.

Callers

You might telephone us for a variety of purposes we will record the call and we may make notes on our system about the call

The law allows us to collect and use this information in pursuit of our legitimate interests of operating a business and to respond to any enquiry or complaint you might make. We record calls for the purpose of monitoring our call handlers, providing appropriate training for them, and keeping an accurate record of what was said during a telephone conversation in the event of further issues or complaints. We may use call recordings or transcripts to defend ourselves in the event of legal, regulatory, or similar action. We retain call recordings for 6 months or until they are no longer needed by us.

Profiling and segmentation

We use the information marked with an asterisk (*) in the sections above to profile our customers and segment our database:

  1. To help us to understand our customers, and to help us identify and market to customers with similar characteristics

  2. To enable us to determine if other Pharmacy2U products and services are likely to be of interest to you

  3. To enable us to determine if products and services of other organisations are likely to be of interest to you

  4. To enable us to determine if you are likely to be suitable to take part in clinical trials and medical research we may be involved with from time to time (please refer to the section below)

The law allows us to collect and use this information in pursuit of our legitimate interests of operating and developing our commercial pharmacy services. We do not use any medical data, information about your health, or any other special categories of personal data for profiling and segmentation except in relation to the provision of healthcare and treatment such as establishing if you require flu jabs, vaccinations, eligibility for condition-specific information, or clinical trials (please refer to the section below). We will use information about the products and services you order for profiling.

We retain database segmentation and customer profile information only for the period we need it which is generally only as long as you have an account with us. This type of information is shared with our professional advisors such as marketing agencies. We may also disclose anonymised information about our customers to sponsors and providers of clinical trials and medical research and our medical advisors. Any information that we disclose in this way is anonymised so that individuals cannot be identified from it.

Clinical research, medical trials and studies and automated decision-making

As a respected medical business, we are often approached by other professional organisations looking for people to participate in medical research, clinical trials of new treatments for example, or other medical studies. We believe that it is vitally important such trials take place and aim to support them as far as we can.

This is how we determine if you would be a suitable participant in a clinical trial:

  • Sponsors of trials approach us with a profile of people they are seeking to participate. This may include information such as gender, age band, geographic location and details of health conditions or medications they are researching.

  • We will look at our database of patients to find people who meet the participant profile using the information we hold about each patient.

  • We will provide all those individuals who have been identified as suitable to participate in a trial with information about it and will, subject always to consent, disclose their contact information to the trial sponsor.

It will always be entirely your decision whether or not to participate in a clinical trial. Your decision will not have any effect on the services we provide to you. We won’t disclose any information about you which allows you to be identified to any trial sponsor without your explicit consent.

The law allows us to undertake profiling and automated decision making in pursuit of our interests of promoting our business as a leading provider of pharmaceutical services and maintaining a database of patients for our commercial benefit. The law also allows us to undertake this type of processing to support the interests of sponsors of clinical trials and research. The law (Data Protection Act 2018 Section 19, and Schedule 1 Section 2 and Section 4) permits us to use medical data and health information for the listed purposes as it is necessary for medical research, and the provision of health care/treatment. The UK introduced a national data opt-out (https://digital.nhs.uk/services/national-data-opt-out) in May 2018 whereby all UK NHS patients were automatically opted into a scheme allowing NHS organisations to share patient information for the purposes of research and planning. You may choose to opt out. For further information please visit https://www.nhs.uk/your-nhs-data-matters/manage-your-choice.

We may process your data to help us identify patients based on the clinical trial eligibility criteria of the specific trial. The automated decision making that we undertake does not have any legal or other similarly significant effects on our patients because every decision is reviewed by a suitable person before being implemented. What this means is that we will not make decisions about you that are wholly determined by computers alone.

You have the right to object to any processing that is based on our claim of our “legitimate interests” including profiling and automated decision making as outlined in the Your Rights section below.

We retain information about which clinical trials we think you are suitable for and the basis of our decision making only for as long as we need it. The high-level profile information is shared with clinical research companies to allow them to determine if we are likely to have any suitable research/trial candidates. We will ordinarily only disclose information about those people who meet the trial person profile specification with explicit consent unless the research program is so generic that it does not require the disclosure of any data concerning health in which case we may choose to disclose a list of candidates on the basis of the legitimate interests of the trial sponsor. We may also disclose information about our customers' participation in clinical trials and medical research to our professional and medical advisors.

The ICO has produced wider guidance on direct marketing for the public sector. Pharmacy2U, as is the case with other commercial pharmacies, provides pharmaceutical services under the National Health Service Act 2006 and is therefore considered a public authority specified in respect of information relating to those services. This guidance specifically considers the rules on direct marketing in the context of health and care communications. It includes some case studies at the end.

While direct marketing communication sent by electronic mail or text will need the consent of the individual prior to sending that communication. Following NHS England guidance messages and communications about:

  • Communications about research participation from organisations whose tasks and functions include the conduct of health and social care research

  • Information to an individual to inform them about a health or social care research project they may be eligible to participate in

These would be seen as necessary for your organisation's task and function, so are NOT direct marketing.

You have the right to object to any communication about health and social care research, please contact any member of staff or email us at [email protected].

Our Future Health research programme

Our Future Health is the UK’s largest-ever health research programme. It is designed to help people live healthier lives for longer through the discovery and testing of more effective approaches to prevention, earlier detection and treatment of diseases.

Millions of people, from all backgrounds and from right across the UK, are invited to take part. Volunteers will provide information about their health and lifestyles to create an incredibly detailed picture that represents the whole of the UK.

By developing a more detailed understanding of what makes certain people more likely to develop a disease - plus what to look out for before any symptoms appear - Our Future Health has the potential to help to develop far more effective approaches to both prevention and treatment.

Pharmacy2U has been asked to identify people who are eligible and to invite them to join the Our Future Health research programme. We will use the data we hold to identify suitable people and send them an invitation to take part. The data used will include name, date of birth and address. Your personal data will not be shared directly with the research programme.

The programme is organised by Our Future Health is a company limited by guarantee registered in England and Wales (number 12212468) and a charity registered with the Charity Commission for England and Wales (charity number 1189681) and OSCR, Scottish Charity Regulator (charity number SC050917). Registered office: 2 New Bailey, 6 Stanley Street, Manchester M3 5GS.

It will always be entirely your decision whether or not to participate in Our Future Health. Your decision will not have any effect on the services we provide to you. We won’t disclose any information about you which allows you to be identified to Our Future Health or the NHS without your explicit consent.

The research programme has requested that all eligible people be contacted once only. To manage the invitation process, we will need to keep the list of people who have been invited until six months after the research programme recruitment is complete. This is to ensure that you are not invited if you have told us you do not want to be contacted, and that no one is invited more than once.

The Health Research Authority has provided legal support to the Our Future Health research programme under Section 251 of the NHS Act 2006 and Regulation 5 of The Health Service (Control of Patient Information) Regulations 2002 which enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be processed by NHS Digital on behalf of the programme. This support provides the legal basis for suitable participants to be invited to join the research programme. This is following advice from the Confidentiality Advisory Group, an advisory body which provides independent expert advice on the use of confidential patient information without consent in England and Wales.

More information is available at https://ourfuturehealth.org.uk/ .

Sharing of Prescription Data with IQVIA

In line with practices common among larger pharmacies, we share prescription and prescriber information with IQVIA Ltd, a company incorporated in England and Wales (Registered Address: 3 Forbury Place, 23 Forbury Road, Reading, RG1 3JH; Company Registration Number: 03022416). This sharing of information is based on the legitimate interest for supporting enhanced healthcare analytics and research, contributing to the broader objectives of healthcare improvement and innovation.

The information shared is in the form of anonymous or aggregated data and does not include any personal data of our customers receiving prescriptions. The prescriber information we share consists only of publicly available data, such as the name and workplace address of prescribers, and is considered non-sensitive.

We believe that this practice presents a very low risk of harm and aligns with the NHS's policy of releasing prescribing information by GP practice.

Communication

Service Messages

We send automated communications to customers in addition to manual communications which react to a specific inquiry or order. In line with ICO guidance, routine customer service messages do not count as direct marketing – in other words, correspondence with customers to provide the information they need about a current contract, services they requested, or past purchases. You will receive these messages, even if you have not opted into marketing or unsubscribed from our email communication.

The ICO also clarifies that general branding, logos, or straplines in these messages do not count as marketing. The sending of service messages without explicit consent is lawful as it is communication in regards to the fulfilment of our contract with you and it is in our legitimate interest to keep our customer base up to date and informed about the service, pursuant to Art.6.1(f) UK GDPR, whereby processing is lawful where it is necessary for the legitimate interest of the controller. Further information is also available on the ICO website.

NHS Service Information Messages

As part of our commitment to providing high-quality healthcare services, Pharmacy2U may send communications to patients about relevant NHS services, such as our new NHS oral contraception service. These messages are sent in compliance with NHS direct marketing guidance and are considered necessary communications regarding available NHS services pertinent to your healthcare. They are not classified as 'direct marketing' but are vital to inform you about relevant healthcare options and services that you are eligible for.

The legal basis for sending these NHS Service Information Messages is our legitimate interest in keeping our customers informed about essential healthcare services, as outlined in Article 6(1)(f) of the UK GDPR. This interest aligns with ensuring that you have access to the most relevant and beneficial healthcare services available to you.

While these communications are part of our effort to ensure you are informed about healthcare services that may benefit you, we respect your preference regarding such communications. If you wish not to receive informational messages about NHS services, you may contact our Data Protection Officer at [email protected].

Data Accuracy Messages

If you have registered with Pharmacy2U for the NHS Repeat Prescription Service, but are not actively using the account you will periodically receive a message and askes to review and update your account details.

For clinical reasons and under the Data Protection Act 2018 we have a legal obligation to ensure that our patient data is ‘accurate‘ and is up to date and gets delivered to the right delivery address. The guidance of the Information Commissioner’s Office (ICO) also says, “It may be sensible to periodically ask individuals to update their own details”. Please see Pharmacy2U’s privacy policy for further information.

Public Health Messages

Occasionally, we process your personal data for purposes directly connected with ensuring that you receive high-quality healthcare through the NHS and informing you of services that may be relevant to you. This includes information about the COVID-19 vaccination programme and the seasonal flu vaccination programme.

If we do this directly on the request of the NHS to support their statutory functions, this can be done without your consent as the NHS is established by Act of Parliament and is required by law to carry out these functions, under Data Protection law they are allowed to process your personal data because the processing is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.‘.

If not instructed directly, the legal basis for sending these messages is legitimate interest.

Partially completed order messages

As part of our clinical responsibility to patients, we may also send you emails if you only partially complete a prescription order on our website or app. We assessed that informing the patient about an incomplete prescription order is both in the interest of the patient, as well as in our interest as the registered pharmacy. The legal basis for sending these messages is therefore legitimate interest.

Marketing

Pharmacy2U is a commercial business and our success is based not only on the trust of our customers but on adopting a responsible approach to marketing. We use the information we hold about our customers for direct marketing purposes including sending direct marketing materials about our products and services that we believe may be of interest to you via mail, email, SMS, and telemarketing. We also may customise the adverts you see on our website. Usually, adverts are customised through automated decision making, based on the pages you have visited on our site previously.

The law allows us to undertake direct marketing in pursuit of our interests in promoting our business. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.

We will only send direct marketing materials to you via email or other electronic messaging if you have consented to us to do so or if they relate to our own products and services similar to those that you have previously expressed an interest in or ordered. We maintain records of consent: you may withdraw your consent at any time.

When we undertake direct marketing by telephone, we will always check whether you are registered on the telephone preference service (TPS), the UK’s register of numbers that may not be used for telephone marketing.

We retain information about your interaction with our direct marketing activities only for as long as we need it which is generally no longer than 2 years from the end of a campaign. We may retain anonymised campaign statistics for a longer period of time to allow us to monitor our direct marketing activities year on year. Like many organisations, we use specialist service providers to help us to carry out our direct marketing including marketing agencies, printing and mailing companies, email/SMS broadcasting providers, telephone marketing agencies and other similar professional advisors which means information about you may be disclosed to them.

When we undertake customer surveys or email broadcasting, we may use specialist services providers in other countries including for example SurveyMonkey and Sailthru both of which are based in the USA. Whenever we transfer information about you overseas, we will make sure that we implement suitable safeguards including for example using appropriate contracts which hold our suppliers to account and provide protection to your rights and freedoms. For further information about international transfers of personal data please contact our Data Protection Officer.

Marketing for others

We also use the information we hold to undertake direct marketing activities on behalf of other organisations. We may send you direct marketing about the products and services of our sister company Chemist Direct (www.chemistdirect.co.uk).

The law allows us to send to you direct information on behalf of Chemist Direct on the basis of their commercial interests. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.

We will not send any direct marketing materials to you by email or other electronic methods about any third party (including Chemist Direct) without your specific consent.

We retain information about your interaction with the direct marketing activities we undertake only for as long as we need it which is as long as you are a customer with us, and once you are not, for 3 months beyond then.

We also use the information we hold to undertake direct marketing activities on behalf of other organisations, including the NHS. For example, where we have your consent, we may send you the information in the form of specific emails or newsletters about specific partners whose offers we believe may be relevant to you. These may include organisations in these categories:

  • Healthcare products and services

  • Retail

  • Financial services

  • Leisure

  • Charities

  • Clinical trial operators and research organisations

The law allows us to send to you direct marketing materials on behalf of other organisations on the basis of their commercial interests. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.

We will not send any direct marketing materials to you by email or other electronic methods to any third party without your consent.

We retain information about your interaction with the direct marketing activities we undertake only for as long as we need it which is generally no more than 2 years after a campaign.

In general, whilst we may undertake direct marketing on behalf of others, we will not disclose any information about you to third parties for them to undertake direct marketing. In that way we retain control over the uses of information about you for direct marketing giving you one point of contact should you wish to object to such use.

We will never share your personal information unless we have legitimate and lawful grounds to do so. We do not sell your data to third parties.

Social media

We may obtain information about you from social media channels including Facebook and Twitter. We use content aggregators such as Hootsuite to manage social media content that refers to us so that we can monitor market sentiment towards our brand and address any complaints or brand issues raised on social media.

We may also process your data in order to identify people like you to send them marketing information. Should we use your data in this way your personal information will be anonymised.

If you have consented to marketing, we may use your personal data to generate targeted marketing on social media sites, for example, Facebook. We send pseudonymised data in a way that only the intended end user can understand. We recommend you routinely review the privacy notices and preference settings that are available to you on social media platforms. If you do not wish to receive such targeted marketing generally, you are able to switch this off within the social media site.

The law allows us to undertake the listed activities on the basis of our legitimate interests of protecting and developing our business. We retain information on our social media pages and aggregators for no more than 2 years. Some of the social media channels we use to transfer personal data to the USA. Whenever we transfer information about you overseas, we will make sure that we implement suitable safeguards including for example using appropriate contracts which hold our suppliers to account and provide protection to your rights and freedoms. For further information about international transfers of personal data please contact our Data Protection Officer.

Online Doctor service

At the point of registration for Pharmacy2U's Online Doctor Service (POD) we will collect personal information about you to provide you with the services you require.

This may include:

  • Your name

  • Address

  • Email

  • Phone number

And other details relevant to the service(s) that are of interest to you.

We may also collect sensitive personal data concerning health matters from, or about you if you register for the service.

We may supplement the information that you provide gathered from our communications with you or which we receive from other organisations, such as other companies in our group.

We will primarily use personal information:

  • to create and maintain your patient record once you have registered.

  • to verify your identity including against public databases via our Identification Verification partners. We use LexisNexis Identify Verification Services to verify that your identity is genuine. This is a regulatory requirement for us to provide an Online Doctor service. You have a right of access to your personal records held by credit reference and fraud prevention agencies and by LexisNexis. Your rights are set out in the LexisNexis Privacy Policy. LexisNexis may be contacted at Lexis House, 30 Farringdon Street, London EC4A 4HH.

  • to provide and follow up on the services you request from us and to request feedback.

  • to respond to any queries, refund requests or complaints. We keep a record of these queries to demonstrate how we communicated with you throughout. We do this based on our contractual obligations, legal obligations, and our legitimate interests as businesses in providing you with the best service.

  • to communicate with you if any services requested are unavailable or if there is a query or problem with your order for record-keeping purposes.

  • to carry out market research so that we can improve the services we offer (where you consent).

  • we may (where you consent) use your personal data, preferences and details of your transactions to keep you informed by email, web/social media, text and telephone. We also include relevant products and services including special offers, discounts, promotions, events and competitions tailored to you. You can opt-out of hearing from us about these at any time.

  • to continuously improve our service to our customers by monitoring telephone calls which we receive at our branches and call centres for the purposes of staff training, quality control and service improvement.

  • to track and analyse activity on our website.

  • to notify you about any changes to our services and to send you service emails.

  • as part of our efforts to keep our website safe and secure.

  • to comply with applicable law. For example, in response to a request from a court or regulatory body, where such a request is made in accordance with the law.

Lawful grounds for processing

To process your data lawfully we need to rely on one or more valid legal grounds which are as followed:

  • your consent to processing activities. For example, where you have consented to us using your information for marketing purposes.

  • your request for content, products or services including processing of your personal data to be taken prior to entering a contract with you and any processing that is necessary for the performance of such contract.

  • legitimate interests we pursue as a business, except any overridden by your interests and fundamental rights.

  • compliance with any legal obligation to which we are subject. For example, the processing for the purposes of complying with applicable law.

Disclosing your personal information

In order to provide our products and services, we may, occasionally, appoint other organisations to carry out some of the processing activities on our behalf.

These may include:

  • laboratories

  • technology hosts

  • printing companies

  • providers of digital advertising services

  • providers of marketing and sales software solutions

  • mailing houses

  • and identity verification partners

In these circumstances, we will ensure that personal information is properly protected and that it is only used in accordance with this Privacy Policy.

We also collect, use and share aggregated/anonymised data such as statistical or demographic data for any purpose.

Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature or we may aggregate your data to build marketing personas or lookalikes to help up advertise to our patients better.

However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy. Please note, where we aggregate data for marketing purposes, it will not be combined with your personal data, and you will not be able to be directly or indirectly identified as a result.

Phone call recordings

If you call our customer services centre, we may record or monitor the call. If we call you we will let you know if the call is recorded. We do this for regulatory purposes, for training, to ensure and improve the quality of service delivery, to ensure the safety of our staff and customers, and to resolve queries or issues. Doing so is a legal obligation.

In case we analyse calls to improve our service, we do so as a legitimate business interest.

Other processing

Your personal information may also be processed if it is necessary: for disclosure to law enforcement or regulatory authority, body or agency; in the defence of legal claims or in order to investigate, prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats, to the physical safety of any person or violations of any of our website terms. Personal information relevant to an investigation or a dispute may be retained for longer than our standard retention policy to support any such investigation or action.

The law allows us to undertake the listed activities on the basis of our legitimate interests of protecting and developing our business, the legitimate interests of third parties, compliance with legal obligations or detecting and investigating criminal activities

Your rights

The UK’s data protection laws provide you with certain rights: the right to request access to, rectification or erasure and portability of information relating to you as well as the right to request the restriction of our processing/use of information concerning you and the right to object to our processing in certain circumstances. You have the right to withdraw consent at any time for processing that is based on your consent and to information about how we are using information relating to you. You may lodge a complaint about us with the Information Commissioner’s Office (www.ico.org.uk).

More information

Access

  • You can ask us for a copy of all the personal information we hold about you. We will respond to your request within one calendar month without any charge.

  • You will need to give us enough information for us to identify you (for example, your full name, address, and date of birth). If we cannot identify you from this basic personal information, you will need to provide us with a copy of your ID (for example, your passport, full driving licence, credit card or debit card) before we send you any information; this can be emailed or posted to us.

Rectification/Correction

  • You can ask us to correct any incomplete or inaccurate personal information that we hold about you.

Erasure

  • You can ask us to delete or remove the personal information we hold about you in certain circumstances. There are exceptions set out in the law where we may be able to refuse to delete information (for example, if we need the information to keep to any relevant law or in connection with any claims, legal or otherwise, which may arise).

Restriction

  • You can ask us to suspend using certain personal information about you (for example, if you want us to make sure it is accurate) or restrict how we can use it.

Portability/Transfer

  • You can ask us to transfer certain information that we hold about you to a third party in certain circumstances.

Objection

  • You may object to our processing personal data relating to you where that processing is based on our claim of legitimate interests provided that we are not able to demonstrate compelling legitimate grounds that override your interests, rights and freedoms.

  • You may object to our using your information for direct marketing purposes including profiling to the extent that the profiling is used for direct marketing purposes.

  • You may also object to our use of information relating to you in scientific research or statistical purposes in some circumstances.

  • We may contest your objection where we have grounds to do so in the law.

Information Commissioner’s Office

If you think that we have not handled your information in line with any legal or regulatory requirement, you can make a complaint to the Information Commissioner's Office.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email: [email protected]

Phone: 0303 123 1113

To exercise any of your rights please contact our Data Protection Officer.

Keeping to data-protection and related regulations

We are committed to keeping to all data-protection laws that apply, including the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR, 2003) and the General Data Protection Regulation (GDPR).

If you have any questions about data protection and your rights, you can contact our team at [email protected].

As a ‘data controller’, we try to be open about how we hold and use your personal information. You can claim compensation if you can prove you have suffered as a result of how we have handled your personal information.

Privacy Policy for Partnerships

Pharmacy2U acknowledges and respects the importance of your privacy. We have partnered with various service providers to offer you an expanded range of services. While using these services, your data protection remains a priority for us.

When you sign up for services through our partnership program, please note the following:

Data Sharing: Upon registration to our partner services, our partners will share information with Pharmacy2U regarding your sign-up and the specific services you have requested. This shared information is limited to your registration status and service requests.

Legitimate Business Interest: The data shared between Pharmacy2U and our partners is done based on legitimate interest. This allows us to understand and cater to your needs better and enables us to provide a more personalized experience for you.

We assure you that this data sharing respects all applicable laws and regulations regarding data protection and privacy. It is carried out with the utmost level of security and confidentiality.

By signing up for our partner services, you acknowledge and accept these terms related to data sharing and privacy. For any further queries or concerns, you may contact us at [email protected].

Our partnership services are:

‘Pharmacy2U Pet Health’ located at ‘pethealth.pharmacy2u.co.uk’: This service is operated by The PharmPet Co Limited, a company registered in England and Wales with company number 10026316. Their registered office is situated at Unit 7 Stirlin Point, Sadler Court, Sadler Road, Lincoln. LN6 3RG. The PharmPet Co Limited operates under the regulatory supervision of The General Pharmaceutical Council (GPhC).

‘Pharmacy2U Medical Letters’ located at ‘medical-letters.pharmacy2u.co.uk’: This service is provided by ZoomDoc Limited, a company incorporated and registered in England and Wales, with a company registration number of 09540794. Their registered office is located at 2 Chanin Mews, London NW2 4AQ. The doctors associated with this service are registered with the General Medical Council, and ZoomDoc Limited is regulated by the Care Quality Commission.

Changes to this policy

We may change our privacy policy from time to time.

If we change anything important (the information we collect, how we use it or why), we will undertake reasonable endeavours to make you aware of the changes such as by providing a link to the change on the website or telling you by email.

Contacting us

You can phone us on 0113 265 0222 or email or webchat with us from our website at www.pharmacy2u.co.uk/help-and-support. If you have any questions about our privacy policy or our approach to data protection and privacy you may send an email to [email protected], phone us or write to us..

Version control

11 June 2015

First draft in current format with substantial changes since the previous version.

20 July 2015

Additions to the ‘Getting to know you better’ section to make it clear that we may share your personal information and the profiling information with service providers to help us identify prospective customers.

24 September 2015

Addition of the summary of main points, to make key information more easily available. Minor changes to wording, following a review by the Plain English Campaign, to make sure this document is clear and understandable.

12 August 2016

Addition relating to marketing the products and services of other companies in our group of companies.

29 November 2016

Addition of provision to market products and services of selected partners.

24 May 2018

Privacy Policy updated to include GDPR (EU) 2016/679 legislation.

16 April 2019

Addition relating to marketing consent for our group of companies and selected partners.

23 April 2019

Added information on the Freedom of Information Act 2000.

31 October 2019

Added table explaining data processing and revise the layout of policy.

20 April 2020

Updated information on data usage for NHS's Real Time Exemption Checking.

19 October 2020

Updated information to include profiling and extended amends to the privacy policy.

28 March 2022

Further information about communication and phone recording added.

22 November 2022

Merge between Pharmacy2U and Chemist Direct Privacy Policy.

20 December 2022

Inclusion of Pharmacy2U Shop/Chemist Direct & P2U Services into privacy policy.

20 January 2023

Including information about Dispensing Appliance Partner and the Our Future Health research programme.

11 December 2023

Inclusion of information relating to NHS Service Information Messages