
Privacy policy

About Us

Pharmacy2U is a UK online pharmacy registered with the General Pharmaceutical Council (GPhC). You may review our GPhC registration details at www.pharmacyregulation.org/registers/pharmacy/registrationnumber/9010146.

Our head office address is:

Pharmacy2U Limited,
Lumina,
Park Approach,
Thorpe Park,
Leeds
LS15 8GB

Managing our data processing activities

We have appointed a Data Protection Officer to oversee our handling of personal data. You may contact the Data Protection Officer by email at dpo@pharmacy2u.co.uk, by phone on 0113 265 0222, or by mail at our head office address above.

If you have any questions about our privacy policy or our approach to data protection and privacy, please contact our Data Protection Officer.

Purpose and scope of this privacy policy

This privacy policy provides information about how we handle information about people who visit our website and mobile app, and who use our services.

Our privacy policy provides you with a lot of information. We have organised it into sections to make it easier for you to read and understand. Some information is in expandable sections to make it easier to read.

Your privacy matters to us, so whether you are new to Pharmacy2U or a long-time patient, please do take the time to read this policy. If you have any questions, please contact us. We respect your right to privacy and are committed to explaining clearly and honestly how we use the information we hold about you. This privacy policy will help you to understand what information we collect, why we collect it, and what we do with it.

We do not knowingly collect information from children or other persons who are under 18 years old via our website. If you are under 18 years old, you must not submit any personal information to us directly or subscribe for our services.

The information we collect, how and why we use it

Website and App visitors

When you visit our website we collect information about your visit, including information about which pages you visit and for how long, the website you came from and went to before and after visiting our website, and information about the device you used to access our website such as the type of phone/PC, operating system, and IP address. We may also place cookies on the device you use to access our website, further information about which is in our Cookies Policy.

We collect this information to help us to understand how people use our website and access our services so that we can ensure they are developed to meet customer needs.

The law allows us to collect and use this information for these purposes pursuant to our legitimate interests of operating a commercial business and providing high quality web services. We retain this type of information for no longer than we need it. The information we collect is used as anonymised, high level data to help us understand website traffic trends. Our website is currently hosted by third party providers who may on occasion have access to the information we collect.

We may also disclose information collected for the purposes listed above with our professional advisors such as marketing agencies and security advisors.

Website and App registration

We collect, store, and use information about people who register to use our services. The information we collect comprises the information that you submit using our data collection forms, which will include your name, address, and contact information. You will know what information we are collecting as this is what you submit into our data collection forms on our website or app.

We use this information to create an account which enables you to use our services. We collect the following information during the registration process:

Type of information: Purpose(s)

Name and Address*:
  1. To enable us to identify you,
  2. Personalise your experience on our website and app,
  3. Correspond with you,
  4. Send your orders to you,
  5. To create an account for you on our website and database, and
  6. To verify who you are when you complete an online doctor consultation (We may need to ask for your passport or driving licence if we cannot identify you through your name and address)
Date of birth and gender*: to enable us to identify you
Email address and phone numbers*: to communicate with you
GP surgery* and NHS number: to confirm your medical details with the NHS and your GP, so we can process your prescriptions
Details of any medical exemption*: so we know if you are eligible for free prescriptions

The law allows us to collect and use this information because it is in our legitimate interests to provide our services and to process your prescriptions and this information is necessary for us to do so. It is also in the interests of our service users to enable them to place orders for medications and for us to confirm their medical details with the NHS and their GP. Any data concerning health that we collect is used for the provision of health care or treatment, the management of health care systems and services, and to check that prescribed medications are suitable for you.

We use your name, address, and other pieces of ID gathered at registration for our online doctor's consultation service. The law allows us to do this in order to fulfil your request and to allow us to consult with the online doctor service, with your consent. In order to verify your ID for certain accounts, we may share your details with a verification service provider.

We may also use the information listed to prevent fraud, and to enable us to fulfil any orders for medications that you place with us. If you place orders with us, you need to give us the information above to enable us to fulfil your order. If you are not able to provide this, then we will not be able to process any orders for you. This information will also help us to check the performance of our website and app and resolve technical issues.

We only retain this information for as long as we need it or are required by legal or professional guidance to retain it. This type of information is shared with the NHS and your GP and organisations we use to check, dispatch, and take payment for your order. We may also disclose information collected for these purposes with our professional advisors such as medical advisors, and security advisors, couriers, and Royal Mail.

Orders, medications, and prescriptions

We collect, store, and use information about orders placed with us. You may place orders for medications and other products on our website, via our app, by email, web chat and over the phone. Because medications can be dangerous, we only take orders from account holders about whom we have collected relevant medical and personal information. When you place an order with us, we will ask you a series of questions to verify your identity. Once we are satisfied that we have verified your identity, you may submit an order with us providing information about the medications you require and other data concerning your health.

We use this information along with other information we hold about you to check that the prescribed medications are suitable for you and your medical condition(s), and to fulfil your order. We collect the following information in a typical order:

Type of information: Purpose(s)

Your medication*: to enable us to fulfil any orders you may place and to assess the suitability of medicines that are ordered, and provide health advice; to send you reminders to order your prescription and provide general health advice
Payment details: to take payment for your order, if you are required to pay for the services we provide to you
Your feedback: to enable us to answer any complaints or issues you might have, gather and share customer reviews with other customers and prospects to build confidence in our services, and to make us accountable to customers and focus our efforts on service improvements
Safe place for deliveries: so we know where to deliver your medication and keep it safe in the event that you are not present to accept the delivery, have consented to the use of a safe place, and the parcel contains items that are appropriate for this delivery method.

The law allows us to collect and use this information to enable us to fulfil the orders that you place with us. Any data concerning your health that we collect is used for the provision of health care or treatment, the management of health care systems and services, and to check that the medications are suitable for you. We use the information to prevent fraud, and to enable us to fulfil any orders for medications that you place with us. You need to give us order and payment information, if you pay for the services we provide, to enable us to fulfil your order. If you are not able to provide this then we will not be able to process any orders for you.

We retain information about orders only for as long as we need it, and for the period we are required to retain it, to comply with relevant legal and professional guidance. This type of information is shared with the NHS and your GP and organisations we use to check, dispatch, and take payment for your order. We may also disclose information collected for these purposes with our professional advisors such as medical advisors, and security advisors. We collect customer reviews using specialist third party services including Feefo and Trustpilot in pursuit of our interests of promoting our services and in the interests of our customers to provide them with a mechanism for rating the quality of service they received and/or raise service issues with us. We will only give Trustpilot your email address, so they can ask you to leave a review. Customer reviews are retained for as long as the reviewer wishes (or deleted if they are deemed incorrect or fraudulent). Trustpilot and their sub-processors may carry out data transfers; however, data processing agreements are in place, which contain EU SCCs with all sub-processors located outside the EEA and they are reinforced by additional safeguards.

Callers

You might telephone us for a variety of purposes. We will record the call and we may make notes on our system about the call.

The law allows us to collect and use this information in pursuit of our legitimate interests of operating a business and to respond to any enquiry or complaint you might make. We record calls for the purpose of monitoring our call handlers and providing appropriate training for them and to keep an accurate record of what was said during a telephone conversation in the event of further issues or complaint. We may use call recordings or transcripts of them to defend ourselves in the event of legal, regulatory, or similar action. We retain call recordings for 6 months or until they are no longer needed by us.

Profiling and segmentation

We use the information marked with an asterisk (*) in the sections above to profile our customers and segment our database:

  1. To help us to understand our customers and to help us identify and market to customers with similar characteristics.
  2. To enable us to determine if our other products and services or those of our sister company Chemist Direct are likely to be of interest to you.
  3. To enable us to determine if products and services of other organisations are likely to be of interest to you.
  4. To enable us to determine if you are likely to be suitable to take part in clinical trials and medical research we may be involved with from time to time (please refer to the section below).
  5. To determine if our products and services or other organisations' similar products and services may be of interest to you.

The law allows us to collect and use this information in pursuit of our legitimate interests of operating and developing our commercial pharmacy services. We do not use any medical data, information about your health, or any other special categories of personal data for profiling and segmentation except in relation to the provision of healthcare and treatment such as establishing if you require flu jabs, vaccinations, eligibility for condition specific information, or clinical trials (please refer to the section below). We will use information about the products and services you order for profiling.

We retain database segmentation and customer profile information only for the period we need it which is generally only as long as you have an account with us. This type of information is shared with our professional advisors such as marketing agencies. We may also disclose anonymised information about our customers to sponsors and providers of clinical trials and medical research and our medical advisors. Any information that we disclose in this way is anonymised so that individuals cannot be identified from it.

Clinical research, medical trials and studies and automated decision-making

As a respected medical business, we are often approached by other professional organisations looking for people to participate in medical research, clinical trials of new treatments for example, or other medical studies. We believe that it is vitally important such trials take place and aim to support them as far as we can.

This is how we determine if you would be a suitable participant in a clinical trial.

  • Sponsors of trials approach us with a profile of people they are seeking to participate. This may include information such as gender, age band, geographic location and details of health conditions or medications they are researching.
  • We will look at our database of patients to find people who meet the participant profile using the information we hold about each patient.
  • We will provide all those individuals who have been identified as suitable to participate in a trial with information about it and will, subject always to consent, disclose their contact information to the trial sponsor.

It will always be entirely your decision whether or not to participate in a clinical trial. Your decision will not have any effect on the services we provide to you. We won’t disclose any information about you which allows you to be identified to any trial sponsor without your explicit consent.

The law allows us to undertake profiling and automated decision making in pursuit of our interests of promoting our business as a leading provider of pharmaceutical services and maintaining a database of patients for our commercial benefit. The law also allows us to undertake this type of processing to support the interests of sponsors of clinical trials and research. The law (Data Protection Act 2018 Section 19, and Schedule 1 Section 2 and Section 4) permits us to use medical data and health information for the listed purposes as it is necessary for medical research, and the provision of health care/treatment. The UK introduced a national data opt-out (https://digital.nhs.uk/services/national-data-opt-out) in May 2018 whereby all UK NHS patients were automatically opted in to a scheme allowing NHS organisations to share patient information for the purposes of research and planning. You may choose to opt-out. For further information please visit https://www.nhs.uk/your-nhs-data-matters/manage-your-choice.

We may process your data to help us identify patients based on the clinical trial eligibility criteria of the specific trial. The automated decision making that we undertake does not have any legal or other similarly significant effect on our patients because every decision is reviewed by a suitable person before being implemented. What this means is that we will not make decisions about you which are wholly determined by computers alone.

You have the right to object to any processing that is based on our claim of our “legitimate interests” including profiling and automated decision making as outlined in the Your Rights section below.

We retain information about which clinical trials we think you are suitable for and the basis of our decision making only for as long as we need it. The high-level profile information is shared with clinical research companies to allow them to determine if we are likely to have any suitable research/trial candidates. We will ordinarily only disclose information about those people who meet the trial person profile specification with explicit consent unless the research program is so generic that it does not require the disclosure of any data concerning health in which case we may choose to disclose a list of candidates on the basis of the legitimate interests of the trial sponsor. We may also disclose information about our customers' participation in clinical trials and medical research to our professional and medical advisors.

Marketing

Pharmacy2U is a commercial business and our success is based not only on the trust of our customers but on adopting a responsible approach to marketing. We use the information we hold about our customers for direct marketing purposes including sending direct marketing materials about our products and services that we believe may be of interest to you via mail, email, SMS, and through telemarketing. We also may customise the adverts you see on our website. Usually, adverts are customised through automated decision making, based on the pages you have visited on our site previously. As part of our clinical responsibility to patients we may also send you emails if you only partially complete a prescription order on our website or app.

The law allows us to undertake direct marketing in pursuit of our interests of promoting our business. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.

We will only send direct marketing materials to you via email or other electronic messaging if you have consented for us to do so or if they relate to our own products and services similar to those that you have previously expressed an interest in or ordered. We maintain records of consent: you may withdraw your consent at any time.

When we undertake direct marketing by telephone, we will always check whether you are registered on the telephone preference service (TPS), the UK’s register of numbers that may not be used for telephone marketing.

We retain information about your interaction with our direct marketing activities only for as long as we need it which is generally no longer than 2 years from the end of a campaign. We may retain anonymised campaign statistics for a longer period of time to allow us to monitor our direct marketing activities year-on-year. Like many organisations, we use specialist service providers to help us to carry out our direct marketing including marketing agencies, printing and mailing companies, email/SMS broadcasting providers, telephone marketing agencies and other similar professional advisors which means information about you may be disclosed to them.

When we undertake customer surveys or email broadcasting, we may use specialist services providers in other countries including for example SurveyMonkey and Sailthru both of which are based in the USA. Whenever we transfer information about you overseas, we will make sure that we implement suitable safeguards including for example using appropriate contracts which hold our suppliers to account and provide protection to your rights and freedoms. For further information about international transfers of personal data please contact our Data Protection Officer.

Marketing for others

We also use the information we hold to undertake direct marketing activities on behalf of other organisations. We may send to you direct marketing about the products and services of our sister company Chemist Direct (www.chemistdirect.co.uk).

The law allows us to send to you direct information on behalf of Chemist Direct on the basis of their commercial interests. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.

We will not send any direct marketing materials to you by email or other electronic method about any third party (including Chemist Direct) without your specific consent.

We retain information about your interaction with the direct marketing activities we undertake only for as long as we need it which is as long as you are a customer with us, and once you are not, for 3 months beyond then.

We also use the information we hold to undertake direct marketing activities on behalf of other organisations, including the NHS. For example, where we have your consent, we may send you information in the form of specific emails or newsletters about specific partners whose offers we believe may be relevant to you. These may include organisations in these categories:

  • Healthcare Products and Services
  • Retail
  • Financial Services
  • Leisure
  • Charities
  • Clinical Trial Operators and Research Organisations

The law allows us to send to you direct marketing materials on behalf of other organisations on the basis of their commercial interests. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.

We will not send any direct marketing materials to you by email or other electronic method about any third party without your consent.

We retain information about your interaction with the direct marketing activities we undertake only for as long as we need it which is generally no more than 2 years after a campaign.

In general, whilst we may undertake direct marketing on behalf of others, we will not disclose any information about you to third parties for them to undertake direct marketing. In that way we retain control over the uses of information about you for direct marketing giving you one point of contact should you wish to object to such use.

We will never share your personal information unless we have legitimate and lawful grounds to do so. We do not sell your data to third parties.

Social Media

We may obtain information about you from social media channels including Facebook and Twitter. We use content aggregators such as Hootsuite to manage social media content that refers to us so that we can monitor market sentiment towards our brand and address any complaints or brand issues raised on social media.

We may also process your data in order to identify people like you to send them marketing information. Should we use your data in this way your personal information will be anonymised.

If you have consented to marketing, we may use your personal data to generate targeted marketing on social media sites, for example Facebook. We send pseudonymised data in a way that only the intended end user can understand. We recommend you routinely review the privacy notices and preference settings that are available to you on social media platforms. If you do not wish to receive such targeted marketing generally, you are able to switch this off within the social media site.

The law allows us to undertake the listed activities on the basis of our legitimate interests of protecting and developing our business. We retain information on our social media pages and aggregators for no more than 2 years. Some of the social media channels we use transfer personal data to the USA. Whenever we transfer information about you overseas, we will make sure that we implement suitable safeguards including for example using appropriate contracts which hold our suppliers to account and provide protection to your rights and freedoms. For further information about international transfers of personal data please contact our Data Protection Officer.

Other Processing

Your personal information may also be processed if it is necessary: for disclosure to a law enforcement or regulatory authority, body or agency; in the defence of legal claims; or in order to investigate, prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person or violations of any of our website terms. Personal information relevant to an investigation or a dispute may be retained for longer than our standard retention policy to support any such investigation or action.

The law allows us to undertake the listed activities on the basis of our legitimate interests of protecting and developing our business, the legitimate interests of third parties, compliance with legal obligations or detecting and investigating criminal activities.

Your rights

The UK’s data protection laws provide you with certain rights: the right to request access to, rectification or erasure and portability of information relating to you as well as the right to request the restriction of our processing/use of information concerning you and the right to object to our processing in certain circumstances. You have the right to withdraw consent at any time for processing that is based on your consent and to information about how we are using information relating to you. You may lodge a complaint about us with the Information Commissioner’s Office (www.ico.org.uk).

Access

  • You can ask us for a copy of all the personal information we hold about you. We will respond to your request within one calendar month without any charge.
  • You will need to give us enough information for us to identify you (for example, your full name, address, and date of birth). If we cannot identify you from this basic personal information, you will need to provide us with a copy of your ID (for example, your passport, full driving licence, credit card or debit card) before we send you any information; this can be emailed or posted to us.

Rectification/Correction

  • You can ask us to correct any incomplete or inaccurate personal information that we hold about you.

Erasure

  • You can ask us to delete or remove personal information we hold about you in certain circumstances. There are exceptions set out in the law where we may be able to refuse to delete information (for example, if we need the information to keep to any relevant law or in connection with any claims, legal or otherwise, which may arise).

Restriction

  • You can ask us to suspend using certain personal information about you (for example, if you want us to make sure it is accurate) or restrict how we can use it.

Portability/Transfer

  • You can ask us to transfer certain information that we hold about you to a third party in certain circumstances.

Objection

  • You may object to our processing personal data relating to you where that processing is based on our claim of legitimate interests provided that we are not able to demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
  • You may object to our using your information for direct marketing purposes including profiling to the extent that the profiling is used for direct marketing purposes.
  • You may also object to our use of information relating to you in scientific research or statistical purposes in some circumstances.
  • We may contest your objection where we have grounds to do so in the law.

Information Commissioner’s Office

  • If you think that we have not handled your information in line with any legal or regulatory requirement, you can make a complaint to the Information Commissioner's Office.

    Information Commissioner’s Office
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire
    SK9 5AF

    Email: casework@ico.org.uk

    Phone: 0303 123 1113

    To exercise any of your rights please contact our Data Protection Officer.

Keeping to data-protection law and related regulations

We are committed to keeping to all data-protection laws that apply, including the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR, 2003) and the General Data Protection Regulation (GDPR).

If you have any questions about data protection and your rights, you can contact our team at dpo@pharmacy2u.co.uk.

As a ‘data controller’, we try to be open about how we hold and use your personal information. You can claim compensation if you can prove you have suffered as a result of how we have handled your personal information.

Changes to this policy

We may change our privacy policy from time to time.

If we change anything important (the information we collect, how we use it or why), we will undertake reasonable endeavours to make you aware of the changes such as by providing a link to the change on the website or telling you by email.

Contacting us

You can phone us on 0113 265 0222 or email or web chat with us from our website at www.pharmacy2u.co.uk/help-and-support. If you have any questions about our privacy policy or our approach to data protection and privacy you may send an email to dpo@pharmacy2u.co.uk, or phone us or write to us.

Version control

11 June 2015 First draft in current format with substantial changes since the previous version.
20 July 2015 Additions to the ‘Getting to know you better’ section to make it clear that we may share your personal information and the profiling information with service providers to help us identify prospective customers.
24 September 2015 Addition of the summary of main points, to make key information more easily available. Minor changes to wording, following a review by the Plain English Campaign, to make sure this document is clear and understandable.
12 August 2016 Addition relating to marketing the products and services of other companies in our group of companies.
29 November 2016 Addition of provision to market products and services of selected partners.
24 May 2018 Privacy Policy updated to include GDPR (EU) 2016/679 legislation.
16 April 2019 Addition relating to marketing consent for our group of companies and selected partners.
23 April 2019 Added information on the Freedom of Information Act 2000.
31 October 2019 Added table explaining data processing and revised layout of policy.
20 April 2020 Updated information on data usage for NHS's Real Time Exemption Checking.
19 October 2020 Updated information to include profiling and extended amends to the privacy policy.