Pharmacy2U is a UK online pharmacy registered with the General Pharmaceutical Council (GPhC). You may review our GPhC registration details at www.pharmacyregulation.org/registers/pharmacy/registrationnumber/9010146.
Our head office address is:
Managing our data processing activities
We have appointed a Data Protection Officer to oversee our handling of personal data. You may contact the Data Protection Officer by email at firstname.lastname@example.org, by phone on 0113 265 0222, or by mail at our head office address above.
We do not knowingly collect information from children or other persons who are under 18 years old via our website. If you are under 18 years old, you must not submit any personal information to us directly or subscribe for our services.
The information we collect, how and why we use it
Website and App visitors
When you visit our website we collect information about your visit, including information about which pages you visit and for how long, the website you came from and went to before and after visiting our website, and information about the device you used to access our website such as the type of phone/PC, operating system, and IP address. We may also place cookies on the device you use to access our website, further information about which is in our Cookies Policy.
We collect this information to help us to understand how people use our website and access our services so that we can ensure they are developed to meet customer needs.
Website and App registration
We collect, store, and use information about people who register to use our services. The information we collect comprises the information that you submit using our data collection forms, which will include your name, address, and contact information. You will know what information we are collecting as this is what you submit into our data collection forms on our website or app.
We use this information to create an account which enables you to use our services. We collect the following information during the registration process:
The law allows us to collect and use this information because it is in our legitimate interests to provide our services and to process your prescriptions and this information is necessary for us to do so. It is also in the interests of our service users to enable them to place orders for medications and for us to confirm their medical details with the NHS and their GP. Any data concerning health that we collect is used for the provision of health care or treatment, the management of health care systems and services, and to check that prescribed medications are suitable for you.
We use your name, address, and other pieces of ID, gathered at registration for our online doctor's consultation service. The law allows us to do this in order to fulfil your request and to allow us to consult with the online doctor service, with your consent. In order to verify your ID for certain accounts, we may share your details with a verification service provider.
We may also use the information listed to prevent fraud, and to enable us to fulfil any orders for medications that you place with us. If you place orders with us, you need to give us the information above to enable us to fulfil your order. If you are not able to provide this, then we will not be able to process any orders for you. This information will also help us to check the performance of our website and app and resolve technical issues.
We only retain this information for as long as we need it or are required by legal or professional guidance to retain it. This type of information is shared with the NHS and your GP and organisations we use to check, dispatch, and take payment for your order. We may also disclose information collected for these purposes with our professional advisors such as medical advisors, and security advisors, couriers, and Royal Mail.
Orders, medications, and prescriptions
We collect, store, and use information about orders placed with us. You may place orders for medications and other products on our website, via our app, by email, web chat and over the phone. Because medications can be dangerous, we only take orders from account holders about whom we have collected relevant medical and personal information. When you place an order with us, we will ask you a series of questions to verify your identity. Once we are satisfied that we have verified your identity, you may submit an order with us providing information about the medications you require and other data concerning your health.
We use this information along with other information we hold about you to check that the prescribed medications are suitable for you and your medical condition(s), and to fulfil your order. We collect the following information in a typical order:
The law allows us to collect and use this information to enable us to fulfil the orders that you place with us. Any data concerning your health that we collect is used for the provision of health care or treatment, the management of health care systems and services, and to check that the medications are suitable for you. We use the information to prevent fraud, and to enable us to fulfil any orders for medications that you place with us. You need to give us order and payment information, if you pay for the services we provide, to enable us to fulfil your order. If you are not able to provide this then we will not be able to process any orders for you.
We retain information about orders only for as long as we need it, and for the period we are required to retain it, to comply with relevant legal and professional guidance. This type of information is shared with the NHS and your GP and organisations we use to check, dispatch, and take payment for your order. We may also disclose information collected for these purposes with our professional advisors such as medical advisors, and security advisors. We collect customer reviews using specialist third party services including Feefo and Trustpilot in pursuit of our interests of promoting our services and in the interests of our customers to provide them with a mechanism for rating the quality of service they received and/or raise service issues with us. We will only give Trustpilot your email address, so they can ask you to leave a review. Customer reviews are retained for as long as the reviewer wishes (or deleted if they are deemed incorrect or fraudulent). Trustpilot and their sub-processors may carry out data transfers; however, data processing agreements are in place, which contain EU SCCs with all sub-processors located outside the EEA, and they are reinforced by additional safeguards.
You might telephone us for a variety of purposes. We will record the call and we may make notes on our system about the call.
Profiling and segmentation
We use the information marked with an asterisk (*) in the sections above to profile our customers and segment our database:
- To help us to understand our customers and to help us identify and market to customers with similar characteristics.
- To enable us to determine if our other products and services or those of our sister company Chemist Direct are likely to be of interest to you.
- To enable us to determine if products and services of other organisations are likely to be of interest to you.
- To enable us to determine if you are likely to be suitable to take part in clinical trials and medical research we may be involved with from time to time (please refer to the section below).
- To determine if our products and services, or other organisations' similar products and services, may be of interest to you.
The law allows us to collect and use this information in pursuit of our legitimate interests of operating and developing our commercial pharmacy services. We do not use any medical data, information about your health, or any other special categories of personal data for profiling and segmentation except in relation to the provision of healthcare and treatment such as establishing if you require flu jabs, vaccinations, eligibility for condition specific information, or clinical trials (please refer to the section below). We will use information about the products and services you order for profiling.
We retain database segmentation and customer profile information only for the period we need it which is generally only as long as you have an account with us. This type of information is shared with our professional advisors such as marketing agencies. We may also disclose anonymised information about our customers to sponsors and providers of clinical trials and medical research and our medical advisors. Any information that we disclose in this way is anonymised so that individuals cannot be identified from it.
Clinical research, medical trials and studies and automated decision-making
As a respected medical business, we are often approached by other professional organisations looking for people to participate in medical research, clinical trials of new treatments for example, or other medical studies. We believe that it is vitally important such trials take place and aim to support them as far as we can.
This is how we determine if you would be a suitable participant in a clinical trial.
- Sponsors of trials approach us with a profile of people they are seeking to participate. This may include information such as gender, age band, geographic location and details of health conditions or medications they are researching.
- We will look at our database of patients to find people who meet the participant profile using the information we hold about each patient.
- We will provide all those individuals who have been identified as suitable to participate in a trial with information about it and will, subject always to consent, disclose their contact information to the trial sponsor.
It will always be entirely your decision whether or not to participate in a clinical trial. Your decision will not have any effect on the services we provide to you. We won’t disclose any information about you which allows you to be identified to any trial sponsor without your explicit consent.
The law allows us to undertake profiling and automated decision making in pursuit of our interests of promoting our business as a leading provider of pharmaceutical services and maintaining a database of patients for our commercial benefit. The law also allows us to undertake this type of processing to support the interests of sponsors of clinical trials and research. The law (Data Protection Act 2018 Section 19, and Schedule 1 Section 2 and Section 4) permits us to use medical data and health information for the listed purposes as it is necessary for medical research, and the provision of health care/treatment. The UK introduced a national data opt-out (https://digital.nhs.uk/services/national-data-opt-out) in May 2018 whereby all UK NHS patients were automatically opted in to a scheme allowing NHS organisations to share patient information for the purposes of research and planning. You may choose to opt-out. For further information please visit https://www.nhs.uk/your-nhs-data-matters/manage-your-choice.
We may process your data to help us identify patients based on the clinical trial eligibility criteria of the specific trial. The automated decision making that we undertake does not have any legal or other similarly significant effect on our patients because every decision is reviewed by a suitable person before being implemented. What this means is that we will not make decisions about you which are wholly determined by computers alone.
You have the right to object to any processing that is based on our claim of our “legitimate interests” including profiling and automated decision making as outlined in the Your Rights section below.
We retain information about which clinical trials we think you are suitable for and the basis of our decision making only for as long as we need it. The high-level profile information is shared with clinical research companies to allow them to determine if we are likely to have any suitable research/trial candidates. We will ordinarily only disclose information about those people who meet the trial person profile specification with explicit consent unless the research program is so generic that it does not require the disclosure of any data concerning health in which case we may choose to disclose a list of candidates on the basis of the legitimate interests of the trial sponsor. We may also disclose information about our customers' participation in clinical trials and medical research to our professional and medical advisors.
Pharmacy2U is a commercial business and our success is based not only on the trust of our customers but on adopting a responsible approach to marketing. We use the information we hold about our customers for direct marketing purposes including sending direct marketing materials about our products and services that we believe may be of interest to you via mail, email, SMS, and through telemarketing. We also may customise the adverts you see on our website. Usually, adverts are customised through automated decision making, based on the pages you have visited on our site previously. As part of our clinical responsibility to patients we may also send you emails if you only partially complete a prescription order on our website or app.
The law allows us to undertake direct marketing in pursuit of our interests of promoting our business. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.
We will only send direct marketing materials to you via email or other electronic messaging if you have consented for us to do so or if they relate to our own products and services similar to those that you have previously expressed an interest in or ordered. We maintain records of consent: you may withdraw your consent at any time.
When we undertake direct marketing by telephone, we will always check whether you are registered on the telephone preference service (TPS), the UK’s register of numbers that may not be used for telephone marketing.
We retain information about your interaction with our direct marketing activities only for as long as we need it which is generally no longer than 2 years from the end of a campaign. We may retain anonymised campaign statistics for a longer period of time to allow us to monitor our direct marketing activities year-on-year. Like many organisations, we use specialist service providers to help us to carry out our direct marketing including marketing agencies, printing and mailing companies, email/SMS broadcasting providers, telephone marketing agencies and other similar professional advisors which means information about you may be disclosed to them.
When we undertake customer surveys or email broadcasting, we may use specialist service providers in other countries including for example SurveyMonkey and Sailthru both of which are based in the USA. Whenever we transfer information about you overseas, we will make sure that we implement suitable safeguards including for example using appropriate contracts which hold our suppliers to account and provide protection to your rights and freedoms. For further information about international transfers of personal data please contact our Data Protection Officer.
Marketing for others
We also use the information we hold to undertake direct marketing activities on behalf of other organisations. We may send to you direct marketing about the products and services of our sister company Chemist Direct (www.chemistdirect.co.uk).
We also use the information we hold to undertake direct marketing activities on behalf of other organisations, including the NHS. For example, where we have your consent, we may send you information in the form of specific emails or newsletters about specific partners whose offers we believe may be relevant to you. These may include organisations in these categories:
- Healthcare Products and Services
- Financial Services
- Clinical Trial Operators and Research Organisations
The law allows us to send to you direct marketing materials on behalf of other organisations on the basis of their commercial interests. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.
We will not send any direct marketing materials to you by email or other electronic method about any third party without your consent.
We retain information about your interaction with the direct marketing activities we undertake only for as long as we need it which is generally no more than 2 years after a campaign.
In general, whilst we may undertake direct marketing on behalf of others, we will not disclose any information about you to third parties for them to undertake direct marketing. In that way we retain control over the uses of information about you for direct marketing giving you one point of contact should you wish to object to such use.
We will never share your personal information unless we have legitimate and lawful grounds to do so. We do not sell your data to third parties.
We may obtain information about you from social media channels including Facebook and Twitter. We use content aggregators such as Hootsuite to manage social media content that refers to us so that we can monitor market sentiment towards our brand and address any complaints or brand issues raised on social media.
We may also process your data in order to identify people like you to send them marketing information. Should we use your data in this way your personal information will be anonymised.
If you have consented to marketing, we may use your personal data to generate targeted marketing on social media sites, for example Facebook. We send pseudonymised data in a way that only the intended end user can understand. We recommend you routinely review the privacy notices and preference settings that are available to you on social media platforms. If you do not wish to receive such targeted marketing generally, you are able to switch this off within the social media site.
Your personal information may also be processed if it is necessary: for disclosure to a law enforcement or regulatory authority, body or agency; in the defence of legal claims or in order to investigate, prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person or violations of any of our website terms. Personal information relevant to an investigation or a dispute may be retained for longer than our standard retention policy to support any such investigation or action.
The law allows us to undertake the listed activities on the basis of our legitimate interests of protecting and developing our business, the legitimate interests of third parties, compliance with legal obligations or detecting and investigating criminal activities.
The UK’s data protection laws provide you with certain rights: the right to request access to, rectification or erasure and portability of information relating to you as well as the right to request the restriction of our processing/use of information concerning you and the right to object to our processing in certain circumstances. You have the right to withdraw consent at any time for processing that is based on your consent and to information about how we are using information relating to you. You may lodge a complaint about us with the Information Commissioner’s Office (www.ico.org.uk).
- You can ask us for a copy of all the personal information we hold about you. We will respond to your request within one calendar month without any charge.
- You will need to give us enough information for us to identify you (for example, your full name, address, and date of birth). If we cannot identify you from this basic personal information, you will need to provide us with a copy of your ID (for example, your passport, full driving licence, credit card or debit card) before we send you any information; this can be emailed or posted to us.
- You can ask us to correct any incomplete or inaccurate personal information that we hold about you.
- You can ask us to delete or remove personal information we hold about you in certain circumstances. There are exceptions set out in the law where we may be able to refuse to delete information (for example, if we need the information to keep to any relevant law or in connection with any claims, legal or otherwise, which may arise).
- You can ask us to suspend using certain personal information about you (for example, if you want us to make sure it is accurate) or restrict how we can use it.
- You can ask us to transfer certain information that we hold about you to a third party in certain circumstances.
- You may object to our processing personal data relating to you where that processing is based on our claim of legitimate interests provided that we are not able to demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
- You may object to our using your information for direct marketing purposes including profiling to the extent that the profiling is used for direct marketing purposes.
- You may also object to our use of information relating to you in scientific research or statistical purposes in some circumstances.
- We may contest your objection where we have grounds to do so in the law.
Information Commissioner’s Office
- If you think that we have not handled your information in line with any legal or regulatory requirement, you can make a complaint to the Information Commissioner's Office.
Information Commissioner’s Office
Phone: 0303 123 1113
To exercise any of your rights please contact our Data Protection Officer.
Keeping to data-protection law and related regulations
We are committed to keeping to all data-protection laws that apply, including the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR, 2003) and the General Data Protection Regulation (GDPR).
If you have any questions about data protection and your rights, you can contact our team at email@example.com.
As a ‘data controller’, we try to be open about how we hold and use your personal information. You can claim compensation if you can prove you have suffered as a result of how we have handled your personal information.
Changes to this policy
If we change anything important (the information we collect, how we use it or why), we will undertake reasonable endeavours to make you aware of the changes such as by providing a link to the change on the website or telling you by email.
| Date | Change |
|---|---|
| 11 June 2015 | First draft in current format with substantial changes since the previous version. |
| 20 July 2015 | Additions to the ‘Getting to know you better’ section to make it clear that we may share your personal information and the profiling information with service providers to help us identify prospective customers. |
| 24 September 2015 | Addition of the summary of main points, to make key information more easily available. Minor changes to wording, following a review by the Plain English Campaign, to make sure this document is clear and understandable. |
| 12 August 2016 | Addition relating to marketing the products and services of other companies in our group of companies. |
| 29 November 2016 | Addition of provision to market products and services of selected partners. |
| 24 May 2018 | |
| 16 April 2019 | Addition relating to marketing consent for our group of companies and selected partners. |
| 23 April 2019 | Added information on the Freedom of Information Act 2000. |
| 31 October 2019 | Added table explaining data processing and revised layout of policy. |
| 20 April 2020 | Updated information on data usage for NHS's Real Time Exemption Checking. |
| 19 October 2020 | |