Skip to main content

Privacy policy

Crystal Mark 22798 - Clarity approved by the Plain English Campaign


This policy describes how we, Pharmacy2U Limited, aim to repay the trust you have shown by sharing your personal information with us.

We are a leading online pharmacy in the UK, registered with the General Pharmaceutical Council (see our registration details at

We respect your right to privacy and are committed to giving you clear and honest information to explain how we use the information you give us. We understand that legal documents such as privacy policies can be difficult to understand. For that reason, we have provided this short overview of our privacy policy to highlight the main points that you should know about.

This privacy policy has been reviewed by Plain English Campaign to make sure that it is clear and understandable.

We run our website at (our site) and provide pharmacy services.

Our address is:

Pharmacy2U Limited,
Park Approach,
Thorpe Park,
Leeds LS15 8GB

You can phone us on 0113 265 0222 or email us from our website at

If you have any questions about our privacy policy, send an email to

When you use Pharmacy2U’s services, you trust us with your information. This privacy policy will help you to understand what information we collect, why we collect it and what we do with it. This policy applies to our website visitors and service users.

Your personal information is collected and processed by Pharmay2U Limited, a company incorporated under the laws of England.

Your privacy matters to us, so whether you are new to Pharmacy2U or a long-time patient, please do take the time to get to know our practices – and if you have any questions, please contact us.

The information we collect, the uses and the lawful basis

We will collect store and use your personal information to allow you to access parts of our website, register for an account, to provide our services and solutions. We have identified within the table below the types of information we may collect or receive, how we will use it and why we need your information.

AreaWhat information we collectHow and why we use your informationThe lawful basis for this information
  • Name
  • Address
  • Email address
  • Telephone number/s
  • Email
  • GP Surgery
  • NHS number
  • Exemption details
  • Delivery safe place
  • NHS Number
  • Your IP address.
  • Confirm your medical details with the NHS and GP systems to allow us to process your prescriptions
  • So we know where and how to deliver your medication
  • So we can contact you and provide updates on your order
  • Assess the suitability of certain medicines you order
  • To track user behaviour in order to improve our service
  • Gather reviews from our patients through Trustpilot or Feefo to help us improve our service to patients
  • To send you reminders to re-order.

Legitimate Interests

  • Provide our service
  • Provide customer service
  • Promote our services and products including those of our sister company Chemist Direct
  • To identify fraudulent activity
  • To identify and protect patients from any clinical risks associated with their medication.
Placing an order
  • Your medication list
  • Your payment details
  • So we know which medication to request for you
  • So we can take payment for your medication (if you do not have an exemption).
  • Special Category Data in order to provide our service.
  • Your behaviour on our website and apps
  • Technical data such as website and app performance glitches/crashes
  • IP Address.
  • So we can understand how patients use our websites and improve our experience
  • So we can identify any errors and fix them as soon as possible.

Legitimate interest

  • Understand how our customers use our website and our solutions
  • Understand and respond to customer feedback
  • Improve our services and solutions.

We will never collect special category personal information (aka sensitive information) about you without your explicit consent unless this information was obtained based on other lawful grounds for example, for legal obligations with local authorities.

Your personal information may also be processed if it is necessary on reasonable request by a law enforcement or regulatory authority, body or agency, in the defence of legal claims or in order to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats, to the physical safety of any person or violations of any of our website terms. We will not delete personal information if relevant to an investigation or a dispute. It will continue to be stored until those issues are fully resolved.

We do not sell your data to third parties.

Pharmacy2U uses the NHS’s Real Time Exemption Checking (RTEC) system to confirm your exemption status. However, if you don’t pay for your NHS prescriptions, it’s your responsibility to keep us up to date with accurate details.

We do not knowingly collect information from children or other persons who are under 18 years old via our website. If you are under 18 years old, you must not submit any personal information to us directly or subscribe for our services.

How long we retain your information

We hold your personal information for as long as we have a legal or business reason to do so, which generally means as long as you remain a Pharmacy2U patient or as required to meet our legal obligations, resolve disputes or enforce our agreements. To fulfil our obligations to the NHS, regulatory or similar bodies, health-related personal information may need to be retained for a period of time after you cease to be a Pharmacy2U patient. We’ll always store your data securely and won’t use it for any other purpose.

Who we share your information with?

We will share personal information with companies, organisations or individuals outside Pharmacy2U if we have a belief in good faith that access, use, or disclosure of the data is reasonably necessary to:

  • Detect, prevent or otherwise address fraud, security or technical issues
  • Verify your identity
  • Meet any applicable law, regulation or enforceable governmental request. For example, where we need to disclose the contact number, call duration along with date and time with the police to assist their investigations
  • Enforce applicable Terms of Service, including investigation of potential violations. If we are involved in an acquisition, we will continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.

We also share your information with certain contractors or service providers including, analytics / assessment suppliers, IT suppliers, database providers, and backup and disaster recovery specialists. Our suppliers and service providers will be required to meet our standards on processing information and security. The information we provide them, including your information, will only be provided in connection with the performance of their function. They will not be permitted to use your information for any purposes other than those outlined in this Privacy Policy.

We will never share your personal information unless we have a legitimate and lawful ground to do so.

Your personal data may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.

International transfers

We will only transfer data to jurisdictions outside the scope of the European General Data Protection Regulation (GDPR) where the appropriate safeguards set out in the GDPR are in place. For example, we use the US-based Survey Monkey to survey our patient base and the CRM platform Sailthru to deliver our transactional messaging to patients.

Any information transferred outside of the EU is necessary for the performance of a contract between the Client and Pharmacy2U or of pre-contractual measures taken at the client’s request.

How we keep your information secure

We work hard to protect Pharmacy2U and our customers from unauthorised access to or unauthorised alteration, disclosure or destruction of information that we hold. In particular:

  • We encrypt many of our services using SSL. Our app uses SSL which encrypts all transferred data, additionally we encrypt login information (email & password) separately in our database
  • When you enter credit card information to the Pharmacy2U website our secure servers ensure that all details are encrypted at your browser before they are sent to us
  • During the order process, we store your personal details on in-house secure servers
  • We store credit card details separately on servers that are not reachable from the Internet. The servers are physically secured under a locking system
  • We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems
  • We restrict access to personal information to Pharmacy2U employees, contractors and agents who need to know that information to process it for us and who are subject to strict contractual confidentiality obligations. They may be disciplined, or their contract terminated if they fail to meet these obligations.

Please bear in mind, if you are using Pharmacy2U services on a device or account issued to you by your employer or another organisation, that company likely has its own policies regarding storage, access, modification, deletion, and retention of communications and content which may apply to your use of any Pharmacy2U services. Content that would otherwise be considered private to you or to a limited group of people may, in some cases, be accessible by your account owner or administrator. Please check with your employer or account administrator about the policies in place regarding your communications.

Your consent:

Your rights

You can opt out of receiving marketing emails through the My Account section of our site, or by clicking on the ‘unsubscribe’ link at the bottom of our emails. You can ask us to stop sending you any information about us and our services by contacting us at

Your data protection rights

  • You can ask us for a copy of all the personal information we hold about you. We will respond to your request within one calendar month and free of charge, unless additional copies of the information are requested
  • You will need to give enough information for us to identify you (for example, your full name, address and date of birth). Under the General Data Protection Regulations, you have the following rights concerning your personal information
  • Access: you are entitled to ask us if we are processing your information and, if we are, you can request access to your personal information. This enables you to receive a copy of the personal information we hold about you and certain other information about it
  • Correction: you are entitled to request that any incomplete or inaccurate personal information we hold about you is corrected
  • Erasure: you are entitled to ask us to delete or remove personal information in certain circumstances. There are also certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims
  • Restriction: you are entitled to ask us to suspend the processing of certain of your personal information about you, for example if you want us to establish its accuracy or the reason for processing it
  • Transfer: you may request the transfer of certain of your personal information to another party
  • Objection: where we are processing your personal information based on a legitimate interest (or those of a third party) you may challenge this. However, we may be entitled to continue processing your information based on our legitimate interests or where this is relevant to legal claims. You can object to marketing by contacting us to add you onto the suppression list and certain cookies such as tracking cookies
  • Automated decision making and profiling: we do not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you
  • You can ask us for a copy of all the personal information we hold about you. We respond to your request within one calendar month and free of charge, unless additional copies of the information are requested
  • You will need to give enough information for us to identify you (for example, your full name, address and date of birth). You will need to provide ID (for example, your passport, full driving licence, or credit card or debit card) before we send you any information, where we are unable to verify your identity using basic personal information. Under the General Data Protection Regulations, you have the following rights concerning your personal information.

Physical and electronic security

  • We have designed our site to protect the information we collect from unauthorised access. We protect your private information by following appropriate physical, electronic and managerial procedures. To further protect your security, we also take reasonable steps to confirm your identity before we give you access to your account or allow you to make changes to your personal details. We are committed to protecting your privacy and have security measures in place to prevent unauthorised access to your personal information.

Improving our service

  • We will never sell, trade or rent your personal information to others. To better tailor our services to our customers' needs, we use non-identifying general information to help us make decisions on how to improve our services. We also share this general information with our advertisers and other interested, reputable parties we have a formal business relationship with. We do not give advertisers information that identifies individual customers. We also do not use or share identifiable information given to us in any other way without giving our customers the choice to opt out.


  • Cookies are small text files that are transferred to your computer's or device’s hard drive through your web browser, to enable our systems to recognise you and provide shopping features such as recommend products and loyalty discounts, as well as storing items in your shopping basket between visits. The help menu in most common browsers will tell you how to:
    • Prevent your browser from accepting new cookies;
    • Have the browser let you know when you receive a new cookie; and
    • Disable cookies altogether.
  • However, because cookies allow you to take advantage of some of our site’s essential features, we recommend that you leave them turned on. If you do leave cookies turned on, be sure to log off when you finish using a shared computer. You can find more information about cookies in our cookie policy
  • Analytic tools
  • Google Analytics is a system that many websites use to record information about visits to their website. Google set six different cookies with expiry dates ranging from 30 minutes to two years. These cookies are used mainly to differentiate between first-time visitors to a website and repeat visitors. They also allow us to make sure our website performs as well as possible for our users. The cookies can collect an anonymous customer number when a user is logged in to the site, allowing our systems to check the accuracy of Google Analytics data and help us make sure your experience of our site remains relevant across devices. They do not contain any personally identifiable information. You can find out more about how Google use cookies at (English only). These cookies may be used to help us target advertising on platforms such as Google and Facebook
  • Social media plug-ins
  • Social media ‘plug-ins’ for Facebook and Twitter gather information for tracking purposes. This includes the ability to track a user across devices for advertising purposes, in line with the terms of each social-media platform.

International privacy

  • This privacy policy may not apply in all countries, as security policies may vary according to the individual internet laws in different countries.
  • Lodge a complaint with the Information Commissioner’s Office: You have a right to lodge a complaint with the Supervisory Authority should you feel that we have not handled your information in line with legislative and regulatory requirements. This is the Information Commissioner's Office (ICO) in the UK:
    Information Commissioner's Office
    Wycliffe House
    Water Lane
    SK9 5AF
    (t) 0303 123 1113

Compliance with data protection and related regulations

We are committed to complying with applicable data protection laws including the Data Protection Act 2018), Privacy and Electronic Communications Regulations (PECR, 2003) and the General Data Protection Regulation (GDPR, 2018).

As a Data Controller, we try to be open about our holding and use of your personal data. It also entitles you to find out from us what personal data we hold on you, to have that information corrected or erased if it is inaccurate, and to claim compensation if you can prove you have suffered damage from inaccuracy or breach of security.

You can contact our team at for any data protection related queries, to action your rights or for anything else.

Changes to this policy

This notice will be changed from time to time.

If we change anything important about this notice (the information we collect, how we use it or why) we will provide a prominent link to it for a reasonable length of time following the change on the website or notify you by email.

11 June 2015 First draft in current format with substantial changes since the previous version.
20 July 2015 Additions to the ‘Getting to know you better’ section to make it clear that we may share your personal information and the profiling information with service providers to help us identify prospective customers.
24 September 2015 Addition of the summary of main points, to make key information more easily available. Minor changes to wording, following a review by the Plain English Campaign, to make sure this document is clear and understandable.
12 August 2016 Addition relating to marketing the products and services of other companies in our group of companies.
29 November 2016 Addition of provision to market products and services of selected partners.
24 May 2018 Privacy Policy updated to include GDPR (EU) 2016/679 legislation.
16 April 2019 Addition relating to marketing consent for our group of companies and selected partners.
23 April 2019 Added information on the Freedom of Information Act 2000
31 October 2019 Added table explaining data processing and revise layout of policy
20 April 2020 Updated information on data usage for NHS's Real Time Exemption Checking