Pharmacy2U is a UK online pharmacy registered with the General Pharmaceutical Council (GPhC). You may review our GPhC registration details at www.pharmacyregulation.org/registers/pharmacy/registrationnumber/9010146.
Our head office address is:
Managing our data processing activities
We have appointed a Data Protection Officer to oversee our handling of personal data. You may contact the Data Protection Officer by email at email@example.com, by phone at 0113 265 0222, or by mail at our head office address above.
We do not knowingly collect information from children or other persons who are under 18 years old via our website. If you are under 18 years old, you must not submit any personal information to us directly or subscribe to our services.
The information we collect, how and why we use it
Website and App visitors
When you visit our website we collect information about your visit, including information about which pages you visit and for how long, the website you came from and went to before and after visiting our website, and information about the device you used to access our websites such as the type of phone/PC, operating system, and IP address. We may also place cookies on the device you use to access our website; further information about this is in our Cookies Policy.
We collect this information to help us to understand how people use our website and access our services so that we can ensure they are developed to meet customer needs.
Website and App registration
We collect, store, and use information about people who register to use our services. The information we collect comprises the information that you submit using our data collection forms, which will include your name, address, and contact information. You will know what information we are collecting as this is what you submit into our data collection forms on our website or app.
We use this information to create an account that enables you to use our services. We collect the following information during the registration process:
The law allows us to collect and use this information because it is in our legitimate interests to provide our services and to process your prescriptions and this information is necessary for us to do so. It is also in the interests of our service users to enable them to place orders for medications and for us to confirm their medical details with the NHS and their GP. Any data concerning health that we collect is used for the provision of health care or treatment, the management of health care systems and services, and to check that prescribed medications are suitable for you.
We use your name, address, and other pieces of ID gathered at registration for our online doctor's consultation service. The law allows us to do this in order to fulfil your request and to allow us to consult with the online doctor service, with your consent. In order to verify your ID for certain accounts, we may share your details with the verification service provider.
We may also use the information listed to prevent fraud and to enable us to fulfil any orders for medications that you place with us. If you place orders with us, you need to give us the information above to enable us to fulfil your order. If you are not able to provide this, then we will not be able to process any orders for you. This information will also help us to check the performance of our website and app and resolve technical issues.
We only retain this information for as long as we need it or are required by legal or professional guidance to retain it. This type of information is shared with the NHS and your GP and organisations we use to check, dispatch, and take payment for your order. We may also disclose information collected for these purposes with our professional advisors such as medical advisors, security advisors, couriers, and Royal Mail.
Orders, medications, and prescriptions
We collect, store, and use information about orders placed with us. You may place orders for medications and other products on our website, via our app, by email, webchat and over the phone. Because medications can be dangerous, we only take orders from account holders about whom we have collected relevant medical and personal information. When you place an order with us, we will ask you a series of questions to verify your identity. Once we are satisfied that we have verified your identity, you may submit an order with us providing information about the medications you require and other data concerning your health.
We use this information along with other information we hold about you to check that the prescribed medications are suitable for you and your medical condition(s), and to fulfil your order. We collect the following information in a typical order:
The law allows us to collect and use this information to enable us to fulfil the orders that you place with us. Any data concerning your health that we collect is used for the provision of health care or treatment, the management of health care systems and services, and to check that the medications are suitable for you. We use the information to prevent fraud and to enable us to fulfil any orders for medications that you place with us. You need to give us order and payment information, if you pay for the services we provide, to enable us to fulfil your order. If you are not able to provide this then we will not be able to process any orders for you.
We retain information about orders only for as long as we need it, and for the period we are required to retain it, to comply with relevant legal and professional guidance. This type of information is shared with the NHS and your GP and organisations we use to check, dispatch, and take payment for your order. We may also disclose information collected for these purposes with our professional advisors such as medical advisors, and security advisors. We collect customer reviews using specialist third party services including Feefo and Trustpilot in pursuit of our interests of promoting our services and in the interests of our customers to provide them with a mechanism for rating the quality of service they received and/or raising service issues with us. We will only give Trustpilot your email address, so they can ask you to leave a review. Customer reviews are retained for as long as the reviewer wishes (or deleted if they are deemed incorrect or fraudulent). Trustpilot and their sub-processors may carry out data transfers; however, data processing agreements are in place, which contain EU SCCs with all sub-processors located outside the EEA, and they are reinforced by additional safeguards.
You might telephone us for a variety of purposes. We will record the call and we may make notes on our system about the call.
Profiling and segmentation
We use the information marked with an asterisk (*) in the sections above to profile our customers and segment our database:
- To help us to understand our customers and to help us identify and market to customers with similar characteristics.
- To enable us to determine if our other products and services or those of our sister company Chemist Direct are likely to be of interest to you.
- To enable us to determine if products and services of other organisations are likely to be of interest to you.
- To enable us to determine if you are likely to be suitable to take part in clinical trials and medical research we may be involved with from time to time (please refer to the section below).
- To determine if our products and services, or similar products and services of other organisations, may be of interest to you.
The law allows us to collect and use this information in pursuit of our legitimate interests of operating and developing our commercial pharmacy services. We do not use any medical data, information about your health, or any other special categories of personal data for profiling and segmentation except in relation to the provision of healthcare and treatment such as establishing if you require flu jabs, vaccinations, eligibility for condition-specific information, or clinical trials (please refer to the section below). We will use information about the products and services you order for profiling.
We retain database segmentation and customer profile information only for the period we need it which is generally only as long as you have an account with us. This type of information is shared with our professional advisors such as marketing agencies. We may also disclose anonymised information about our customers to sponsors and providers of clinical trials and medical research and our medical advisors. Any information that we disclose in this way is anonymised so that individuals cannot be identified from it.
Clinical research, medical trials and studies and automated decision-making
As a respected medical business, we are often approached by other professional organisations looking for people to participate in medical research, clinical trials of new treatments for example, or other medical studies. We believe that it is vitally important such trials take place and aim to support them as far as we can.
This is how we determine if you would be a suitable participant in a clinical trial.
- Sponsors of trials approach us with a profile of people they are seeking to participate. This may include information such as gender, age band, geographic location and details of health conditions or medications they are researching.
- We will look at our database of patients to find people who meet the participant profile using the information we hold about each patient.
- We will provide all those individuals who have been identified as suitable to participate in a trial with information about it and will, subject always to consent, disclose their contact information to the trial sponsor.
It will always be entirely your decision whether or not to participate in a clinical trial. Your decision will not have any effect on the services we provide to you. We won’t disclose any information about you which allows you to be identified to any trial sponsor without your explicit consent.
The law allows us to undertake profiling and automated decision making in pursuit of our interests of promoting our business as a leading provider of pharmaceutical services and maintaining a database of patients for our commercial benefit. The law also allows us to undertake this type of processing to support the interests of sponsors of clinical trials and research. The law (Data Protection Act 2018 Section 19, and Schedule 1 Section 2 and Section 4) permits us to use medical data and health information for the listed purposes as it is necessary for medical research, and the provision of health care/treatment. The UK introduced a national data opt-out (https://digital.nhs.uk/services/national-data-opt-out) in May 2018 whereby all UK NHS patients were automatically opted into a scheme allowing NHS organisations to share patient information for the purposes of research and planning. You may choose to opt out. For further information please visit https://www.nhs.uk/your-nhs-data-matters/manage-your-choice.
We may process your data to help us identify patients based on the clinical trial eligibility criteria of the specific trial. The automated decision making that we undertake does not have any legal or other similarly significant effects on our patients because every decision is reviewed by a suitable person before being implemented. What this means is that we will not make decisions about you that are wholly determined by computers alone.
You have the right to object to any processing that is based on our claim of our “legitimate interests” including profiling and automated decision making as outlined in the Your Rights section below.
We retain information about which clinical trials we think you are suitable for and the basis of our decision making only for as long as we need it. The high-level profile information is shared with clinical research companies to allow them to determine if we are likely to have any suitable research/trial candidates. We will ordinarily only disclose information about those people who meet the trial person profile specification with explicit consent unless the research program is so generic that it does not require the disclosure of any data concerning health in which case we may choose to disclose a list of candidates on the basis of the legitimate interests of the trial sponsor. We may also disclose information about our customers' participation in clinical trials and medical research to our professional and medical advisors.
We send automated communications to customers in addition to manual communications which react to a specific inquiry or order. In line with ICO guidance, routine customer service messages do not count as direct marketing – in other words, correspondence with customers to provide the information they need about a current contract, services they requested, or past purchases. You will receive these messages, even if you have not opted into marketing or unsubscribed from our email communication.
The ICO also clarifies that general branding, logos, or straplines in these messages do not count as marketing. The sending of service messages without explicit consent is lawful as it is communication in regards to the fulfilment of our contract with you and it is in our legitimate interest to keep our customer base up to date and informed about the service, pursuant to Art.6.1(f) UK GDPR, whereby processing is lawful where it is necessary for the legitimate interest of the controller. Further information is also available on the ICO website.
Data Accuracy Messages
If you have registered with Pharmacy2U for the NHS Repeat Prescription Service but are not actively using the account, you will periodically receive a message asking you to review and update your account details.
Public Health Messages
Occasionally, we process your personal data for purposes directly connected with ensuring that you receive high-quality healthcare through the NHS and informing you of services that may be relevant to you. This includes information about the COVID-19 vaccination programme and the seasonal flu vaccination programme.
If we do this directly on the request of the NHS to support their statutory functions, this can be done without your consent, as the NHS is established by Act of Parliament and is required by law to carry out these functions. Under Data Protection law they are allowed to process your personal data because the processing is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
If not instructed directly, the legal basis for sending these messages is legitimate interest.
Partially completed order Messages
As part of our clinical responsibility to patients, we may also send you emails if you only partially complete a prescription order on our website or app. We assessed that informing the patient about an incomplete prescription order is both in the interest of the patient, as well as in our interest as the registered pharmacy. The legal basis for sending these messages is therefore legitimate interest.
Pharmacy2U is a commercial business and our success is based not only on the trust of our customers but on adopting a responsible approach to marketing. We use the information we hold about our customers for direct marketing purposes including sending direct marketing materials about our products and services that we believe may be of interest to you via mail, email, SMS, and telemarketing. We also may customise the adverts you see on our website. Usually, adverts are customised through automated decision making, based on the pages you have visited on our site previously.
The law allows us to undertake direct marketing in pursuit of our interests in promoting our business. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.
We will only send direct marketing materials to you via email or other electronic messaging if you have consented to us doing so or if they relate to our own products and services similar to those that you have previously expressed an interest in or ordered. We maintain records of consent: you may withdraw your consent at any time.
When we undertake direct marketing by telephone, we will always check whether you are registered on the telephone preference service (TPS), the UK’s register of numbers that may not be used for telephone marketing.
We retain information about your interaction with our direct marketing activities only for as long as we need it which is generally no longer than 2 years from the end of a campaign. We may retain anonymised campaign statistics for a longer period of time to allow us to monitor our direct marketing activities year on year. Like many organisations, we use specialist service providers to help us to carry out our direct marketing including marketing agencies, printing and mailing companies, email/SMS broadcasting providers, telephone marketing agencies and other similar professional advisors which means information about you may be disclosed to them.
When we undertake customer surveys or email broadcasting, we may use specialist services providers in other countries including for example SurveyMonkey and Sailthru both of which are based in the USA. Whenever we transfer information about you overseas, we will make sure that we implement suitable safeguards including for example using appropriate contracts which hold our suppliers to account and provide protection to your rights and freedoms. For further information about international transfers of personal data please contact our Data Protection Officer.
Marketing for others
We also use the information we hold to undertake direct marketing activities on behalf of other organisations. We may send to you direct marketing about the products and services of our sister company Chemist Direct (www.chemistdirect.co.uk).
We also use the information we hold to undertake direct marketing activities on behalf of other organisations, including the NHS. For example, where we have your consent, we may send you the information in the form of specific emails or newsletters about specific partners whose offers we believe may be relevant to you. These may include organisations in these categories:
- Healthcare Products and Services
- Financial Services
- Clinical Trial Operators and Research Organisations
The law allows us to send to you direct marketing materials on behalf of other organisations on the basis of their commercial interests. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.
We will not send any direct marketing materials to you by email or other electronic methods to any third party without your consent.
We retain information about your interaction with the direct marketing activities we undertake only for as long as we need it which is generally no more than 2 years after a campaign.
In general, whilst we may undertake direct marketing on behalf of others, we will not disclose any information about you to third parties for them to undertake direct marketing. In that way we retain control over the uses of information about you for direct marketing giving you one point of contact should you wish to object to such use.
We will never share your personal information unless we have legitimate and lawful grounds to do so. We do not sell your data to third parties.
We may obtain information about you from social media channels including Facebook and Twitter. We use content aggregators such as Hootsuite to manage social media content that refers to us so that we can monitor market sentiment towards our brand and address any complaints or brand issues raised on social media.
We may also process your data in order to identify people like you to send them marketing information. Should we use your data in this way your personal information will be anonymised.
If you have consented to marketing, we may use your personal data to generate targeted marketing on social media sites, for example, Facebook. We send pseudonymised data in a way that only the intended end user can understand. We recommend you routinely review the privacy notices and preference settings that are available to you on social media platforms. If you do not wish to receive such targeted marketing generally, you are able to switch this off within the social media site.
Online Doctor Service
At the point of registration for Pharmacy2U's Online Doctor Service (POD) we will collect personal information about you to provide you with the services you require.
This may include:
- Your name
- Phone number
And other details relevant to the service(s) that are of interest to you.
We may also collect sensitive personal data concerning health matters from, or about you if you register for the service.
We may supplement the information that you provide with information gathered from our communications with you or which we receive from other organisations, such as other companies in our group.
We will primarily use personal information:
- to create and maintain your patient record once you have registered.
- to provide and follow up on the services you request from us and to request feedback.
- to respond to any queries, refund requests or complaints. We keep a record of these queries to demonstrate how we communicated with you throughout. We do this based on our contractual obligations, legal obligations, and our legitimate interests as a business in providing you with the best service.
- to communicate with you if any services requested are unavailable or if there is a query or problem with your order for record-keeping purposes.
- to carry out market research so that we can improve the services we offer (where you consent).
- we may (where you consent) use your personal data, preferences and details of your transactions to keep you informed by email, web/social media, text and telephone. We also include relevant products and services including special offers, discounts, promotions, events and competitions tailored to you. You can opt-out of hearing from us about these at any time.
- to continuously improve our service to our customers by monitoring telephone calls which we receive at our branches and call centres for the purposes of staff training, quality control and service improvement.
- to track and analyse activity on our website.
- to notify you about any changes to our services and to send you service emails.
- as part of our efforts to keep our website safe and secure.
- to comply with applicable law. For example, in response to a request from a court or regulatory body, where such a request is made in accordance with the law.
Lawful grounds for processing
To process your data lawfully we need to rely on one or more valid legal grounds, which are as follows:
- your consent to processing activities. For example, where you have consented to us using your information for marketing purposes.
- your request for content, products or services including processing of your personal data to be taken prior to entering a contract with you and any processing that is necessary for the performance of such contract.
- legitimate interests we pursue as a business, except any overridden by your interests and fundamental rights.
- compliance with any legal obligation to which we are subject. For example, the processing for the purposes of complying with applicable law.
Disclosing your personal information
In order to provide our products and services, we may, occasionally, appoint other organisations to carry out some of the processing activities on our behalf.
These may include:
- technology hosts.
- printing companies.
- providers of digital advertising services.
- providers of marketing and sales software solutions.
- mailing houses.
- and identity verification partners.
We also collect, use and share Aggregated/Anonymised Data such as statistical or demographic data for any purpose.
Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature or we may aggregate your data to build marketing personas or lookalikes to help us advertise to our patients better.
Phone Call Recordings
If you call our customer services centre, we may record or monitor the call. If we call you we will let you know if the call is recorded. We do this for regulatory purposes, for training, to ensure and improve the quality of service delivery, to ensure the safety of our staff and customers, and to resolve queries or issues. Doing so is a legal obligation.
Where we analyse calls to improve our service, we do so as a legitimate business interest.
Your personal information may also be processed if it is necessary: for disclosure to law enforcement or regulatory authority, body or agency; in the defence of legal claims or in order to investigate, prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person or violations of any of our website terms. Personal information relevant to an investigation or a dispute may be retained for longer than our standard retention policy to support any such investigation or action.
The law allows us to undertake the listed activities on the basis of our legitimate interests of protecting and developing our business, the legitimate interests of third parties, compliance with legal obligations or detecting and investigating criminal activities.
The UK’s data protection laws provide you with certain rights: the right to request access to, rectification or erasure and portability of information relating to you as well as the right to request the restriction of our processing/use of information concerning you and the right to object to our processing in certain circumstances. You have the right to withdraw consent at any time for processing that is based on your consent and to information about how we are using information relating to you. You may lodge a complaint about us with the Information Commissioner’s Office (www.ico.org.uk).
- You can ask us for a copy of all the personal information we hold about you. We will respond to your request within one calendar month without any charge.
- You will need to give us enough information for us to identify you (for example, your full name, address, and date of birth). If we cannot identify you from this basic personal information, you will need to provide us with a copy of your ID (for example, your passport, full driving licence, credit card or debit card) before we send you any information; this can be emailed or posted to us.
- You can ask us to correct any incomplete or inaccurate personal information that we hold about you.
- You can ask us to delete or remove the personal information we hold about you in certain circumstances. There are exceptions set out in the law where we may be able to refuse to delete information (for example, if we need the information to keep to any relevant law or in connection with any claims, legal or otherwise, which may arise).
- You can ask us to suspend using certain personal information about you (for example, if you want us to make sure it is accurate) or restrict how we can use it.
- You can ask us to transfer certain information that we hold about you to a third party in certain circumstances.
- You may object to our processing personal data relating to you where that processing is based on our claim of legitimate interests provided that we are not able to demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
- You may object to our using your information for direct marketing purposes including profiling to the extent that the profiling is used for direct marketing purposes.
- You may also object to our use of information relating to you in scientific research or statistical purposes in some circumstances.
- We may contest your objection where we have grounds to do so in the law.
Information Commissioner’s Office
- If you think that we have not handled your information in line with any legal or regulatory requirement, you can make a complaint to the Information Commissioner's Office.
Information Commissioner’s Office
Phone: 0303 123 1113
To exercise any of your rights please contact our Data Protection Officer.
Keeping to data-protection law and related regulations
We are committed to keeping to all data-protection laws that apply, including the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR, 2003) and the General Data Protection Regulation (GDPR).
If you have any questions about data protection and your rights, you can contact our team at firstname.lastname@example.org.
As a ‘data controller’, we try to be open about how we hold and use your personal information. You can claim compensation if you can prove you have suffered as a result of how we have handled your personal information.
Changes to this policy
If we change anything important (the information we collect, how we use it or why), we will undertake reasonable endeavours to make you aware of the changes such as by providing a link to the change on the website or telling you by email.
| Date | Change |
|---|---|
| 11 June 2015 | First draft in current format with substantial changes since the previous version. |
| 20 July 2015 | Additions to the ‘Getting to know you better’ section to make it clear that we may share your personal information and the profiling information with service providers to help us identify prospective customers. |
| 24 September 2015 | Addition of the summary of main points, to make key information more easily available. Minor changes to wording, following a review by the Plain English Campaign, to make sure this document is clear and understandable. |
| 12 August 2016 | Addition relating to marketing the products and services of other companies in our group of companies. |
| 29 November 2016 | Addition of provision to market products and services of selected partners. |
| 24 May 2018 | |
| 16 April 2019 | Addition relating to marketing consent for our group of companies and selected partners. |
| 23 April 2019 | Added information on the Freedom of Information Act 2000. |
| 31 October 2019 | Added table explaining data processing and revise the layout of policy. |
| 20 April 2020 | Updated information on data usage for NHS's Real Time Exemption Checking. |
| 19 October 2020 | |
| 28 March 2022 | Further information about communication and phone recording added. |