1. What information do we collect about you and how do we collect it?
You are not required (by law or by any contract with us) to provide personal information to us when you visit our website. We will only require you to provide personal information to us where it is necessary for us to provide you with a service at your request, such as when you contact us, register an account on our website or undergo an online consultation and purchase our products.
1.1 Information you provide to us
We may collect personal information about you whenever you use our services, such as by doing the following:
- Enquiring about our products or service
- Undergoing our online clinical consultation
- Purchasing our medicines or other products or services
- Supplying us with your products or services
- Using and browsing our website
- Telephoning, texting, writing by post or emailing us.
- Enquiring about, or applying for, job vacancies.
This information may include the following:
- Normal identification information, such as your full name and title, date of birth, age, gender, and marital status
- Contact information, such as your postal address, email address and telephone numbers
- Information about your health, including your current health and wellbeing status, your medical history and records, and details of any medicines or treatment that you are receiving
- Correspondence or information provided by you in your patient area (such as prescriber chat messages, pharmacy chat messages or messages you send to our customer care team)
- Information about your purchase (including your purchase history with us)
- Payment information (this is securely collected and processed by our payment service provider)
- Additional information relevant to your use of our website and services, such as your marketing preferences, survey responses and feedback
We understand that any information concerning your health is particularly sensitive (known as “special categories” of personal data). We take extra precautions to ensure that any special category data is kept secure and confidential and we will only retain this data for as long as necessary for the purposes for which we collect it.
1.2 Information we collect about you on our website
When you visit our website we may collect the following information:
- Which pages you view and which links you follow
- Your IP address and general location
- Details of the hardware and software that you are using to access the website
- Any passwords that you use on our website
- A device identifier (cookie or IP address) for fraud prevention
- Details of your visits to our website and the resources that you access, including, but not limited to, traffic data, location data, web logs and other communication data
You must be at least 18 years old to use our website and services. We do not knowingly collect any personal data relating to children.
1.3.1 What is a cookie?
A cookie is a small text file that is sent by a website server to your browser and stored on your computer. Cookies allow website operators to accumulate useful information, such as whether the computer (or its user) has visited the site before. Cookies are needed for a number of functions which make websites work, or work more efficiently, and they can provide information to website owners about how you use their website. Cookies can also be used to show you adverts that are relevant to you, based on your browsing habits, to personalise your user experience.
We use both persistent cookies (which expire on a specified date) and session cookies (which expire when you close your browser).
The cookies used on this site have been categorised based on definitions given in the ICC UK Cookie Guide. We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website. Without these cookies, services you have asked for cannot be provided.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region – or your cookies and marketing preferences).
- Analytical/performance cookies. These allow us to recognise and count our website’s visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. We use Google Analytics as well as our own first party cookies to provide anonymous statistics on how our site is used. Some of our performance cookies may be managed by third parties.
- Targeting or advertising cookies. These cookies are used to help us show you adverts that are more relevant to you and your interests. We also use these to cap the number of times you see an advertisement and assist us in analysing the performance of advertising campaigns. They are usually placed by advertising networks with the website operator’s permission. They remember the sites you have visited and this information is shared with other organisations such as advertisers. These cookies will typically be linked to site functionality managed by the other organisation.
We also use services provided by Google and Facebook that work in a similar way to interest-based cookies used in marketing and targeting. These help us to show you adverts when you interact with these platforms, and display our content to existing or potential users of our site. To do this, we share a masked ID, which is an encrypted alias of your email address to ensure you remain anonymous unless additional data about you is provided (which we do not share). This masked ID is linked with a unique code created by Google and Facebook, to help us ensure you receive advertising that is relevant to you. You can opt out of our marketing communications and these adverts will no longer be shown to you on these networks. It’s possible that you will still receive interest-based cookies displaying products and services we offer based on market segments. You can read more at www.youronlinechoices.com/uk.
We also receive aggregate data from Facebook that allows us to see in which cities users are located, what platforms they are using, how many times a user visited our site and whether or not they used our service. You can opt out of these at any time.
Read more about Facebook advertising.
You can configure cookie settings in your web browser. You can find out more about how to do this at the following links:
However, please bear in mind that if you don’t allow us to use certain cookies it may prevent you from accessing parts of our website or result in a loss of functionality which degrades your experience of the website.
1.3.3 Further information about cookies
There’s a lot of good information about cookies available online. For more information about cookies generally visit allaboutcookies.org.
1.3.4 Get in touch
1.4 Information we collect about you from other sources
We may collect information about you from other sources. This may include the following:
- Publicly available information, from sources such as the Electoral Roll or Companies House
- Information you have shared publicly, including on social media (particularly in respect of job applications)
- Information from third party databases such as identity and credit reference agencies, which may include details about your home
- Information from your other healthcare providers (only with your consent, or where it is necessary for us to provide our service, such as fulfilling your or a relative’s NHS prescriptions, or comply with our legal obligations)
This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this policy.
1.5 Information we receive about you from other sources
Sometimes you will have given your consent for other websites, services or third parties to provide information to us.
This could include information we receive about you if you use any of the other websites that we operate or the other services that we provide, in which case we will have informed you when we collected that data if we intend to share that data internally and combine it with data collected on this website. We will also have told you for what purpose we will share and combine your data.
It could also include information from third parties that we work with to provide our products and services, such as payment processors, delivery companies, technical support companies and advertising companies. Whenever we receive information about you from these third parties, we will let you know what information we have received and how and why we intend to use it.
2. How and why do we use your personal information?
We take data protection law seriously, so below we have set out exactly how and why we use your information, and what our legal basis is to be able to use your information in each way.
2.1 Patient Accounts
When you register an account on our website as a patient, we will collect and use your personal information in order to maintain and administer your patient account. This may be necessary in order for us to perform our contract with you or, otherwise, we have a legitimate interest to manage our patients’ accounts to facilitate purchases and communication between us.
You may contact us at any time to close your patient account. However, please bear in mind that we may be required to retain your personal information in order to comply with our legal obligations.
2.2 Online consultations
If you wish to purchase medicines on our site, you will be required to complete an online clinical consultation questionnaire. This information is reviewed by one of our GPhC-registered pharmacy prescribers. If our clinicians feel that they require further information from you after reviewing your answers, they will ask you to provide this via our secure chat facility.
The information you provide during the consultation is essential to the clinical decision-making process. Our prescribers and pharmacists need to know about your current health, your medical history and any other treatment you are receiving, so that they can make sure that the treatment being consulted for is safe and suitable for you. Your current health and medical status may also determine the dose of the medication they prescribe, the length of treatment required, and whether or not you need to seek medical attention in person.
2.3 Supplying our medicines and other products
It is necessary for us to use personal information about you to enter into and perform the contracts that we make with you, such as when you purchase medicines or other products on our website. Using your information in this context is necessary so that we can:
- Provide you with information about our products and services
- Administer your order, including taking payments and arranging delivery
- Provide you with information about your purchase and your contract with us
- Make decisions about your purchase, including about the suitability of any medicines
- Provide you with alerts regarding repeat prescription orders and adrenaline pen expiration
- Verify your identity
- Deal with any complaints you may have
- Contact you about any changes that we make to our products or services
- Administer our website, including troubleshooting problems, analysing statistics, conducting research and tests and keeping the website secure
When you purchase any test kits from us, we will use the information you provide to notify you of your result and, if appropriate, suggest a course of treatment.
Part of our service as a pharmacy involves notifying you when your medicine is due to run out. We will therefore send a courtesy email so that you can reorder your treatment if you are on a continuous prescription. We estimate when to send you a reminder email based on the quantity you have ordered. We will only send this email for treatments which are taken on a repeat basis.
2.4 Telling you about other products or services that we think may be of interest to you
We may use your information to identify and tell you about our products or services that we think may be of interest to you. We will only do this where you have informed us that you would like to receive marketing communications, such as where you subscribe to our newsletter. You may update your preferences at any time by contacting us.
We may also use your information to invite you to participate in patient feedback surveys and other market research. If we do contact you about market research, you do not have to participate. If you tell us that you do not want to receive market research communications, we will respect this.
Whether you choose to receive marketing communications or market research communications is entirely up to you. You can choose to receive both, none, or just one or the other. Your choice will not affect any products or services that you have purchased from us, nor will it affect any quotes for products or services you buy in future.
2.5 Telling you about products or services that are similar to ones that you have already bought
If you have already bought medicines or other products from us, we may contact you with information about similar products and services that we offer. We have a legitimate interest to contact you for this purpose, but you may object to receiving these messages at any time.
We will only contact you by email or text message and you can choose not to receive these messages at any time. Simply follow the unsubscribe instructions in the message, or contact us.
2.6 Making our business better
We always want to offer the best products, services and user experience that we can. Sometimes this means we may use your information to find ways that we can improve what we do, or how we do it.
We have a legitimate interest to use your information to improve our business, and we will only use your information where it is necessary so that we can:
- Review and improve our existing products and services and develop new ones
- Review and improve the performance of our systems, processes and staff (including training)
- Improve our website to ensure that content is presented in the most effective manner for you and for your computer
- Measure and understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you.
2.7 Research and analysis
We may use anonymised data related to your order or use of our site for research or public-facing purposes, for example in: statistical analyses of users accessing our service for a specific purpose; or statistical analyses of test results.
2.8 Contacting you
We want to stay in touch with you. Sometimes we may need to use the information that we have about you in order to respond to your questions or let you know about important changes. We have a legitimate interest to keep in contact with you, as a customer, but this may also be necessary in connection with our contract with you. We will only use your information in this respect where it is necessary so that we can:
- Interact and respond to any communications you send us, including any social media posts that you tag us in
- Contact you in connection with any orders, including where our clinical team requires further information from you, so that we can notify you of the status of your order, and so that we or our courier partners can inform you when your order is due to arrive
- Let you know about any important changes to our business or policies
We will primarily contact you via email, SMS messaging and your patient area on our website to update you on your order. In certain cases, where our customer service team needs to contact you regarding your order, we may contact you by telephone.
If one of our prescribers needs to contact you regarding your consultation or test result, or needs more information, they will usually do this via your patient area. When you have a new message in your patient area, you will be notified by email. However, on some occasions, our clinicians may need to contact you via telephone to discuss your consultation or test result in more detail.
If we have made several attempts to reach you by email or telephone and have been unsuccessful, we may contact you by sending a written letter to your home address.
2.9 Verifying your identity
We may use your information where it is necessary for us to do so in order to meet our legal obligations and to detect and prevent fraud, money-laundering and other crimes.
2.10 Protecting you and others from harm
We may use your information where it is necessary to protect your interests, or the interests of others, in accordance with our legal obligations and the pursuit of legitimate interests. This may include in the event of criminality such as identity theft, piracy or fraud.
2.11 Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
3. Who do we share your personal information with?
3.1 Sharing your information within our company and group
We share the information that you provide to us with our staff so that we can provide our products and services to you. We may also share the information that you provide to us with other companies within our group and the other websites that we and our group companies operate. In particular, the following persons have access to the data that you provide to us:
- Our UK pharmacy prescribers, also responsible for reviewing your order
- Our clinical lead, who supervises our practice
- Our patient services team, which processes your order
- Employees of our parent company, Express Healthcare Ltd, which manages the PharmacyOnline.co.uk website and handles some of our customer care operations
3.2 Sharing your information with third parties
We may share your data with selected third parties. For example, we may share your information with:
- Our payment service provider, to process payments on our behalf. We will share your full name, address, phone number, email address and details of your order for this purpose. Our payment provider will collect and process your payment details; we will not store or have access to your full credit or debit card details.
- Onfido, the credit reference agency, for carrying out identity checks. All orders made through our site are subject to identity checks, in order to prevent online fraud. Your full name, date of birth and home address will be shared for this purpose.
- Third party couriers (e.g. DPD, Royal Mail or UPS) in order to arrange delivery of your order. We will only share your full name, postal address and phone number or email address.
- Your private or NHS GP or Consultant. For patients accessing our private service, we will ask you during consultation if you would like us to inform your GP about the consultation you have taken and the treatment you have ordered or, for patients accessing our referral service, whether you would like to be referred to a specialist consultant for treatment. If you do, we will share with such doctor(s) the type and quantity of treatment you have purchased and/or been prescribed, the date the treatment was prescribed and, where appropriate, details of the consultation. If there is any specific part of your record or consultation you would prefer not to be shared, you can let us know and we will respect this. We strongly recommend that you permit us to inform your GP of the treatment you have received, so that they can continue to provide you with the best possible care. For patients accessing our NHS service, we will share details about you and the treatment(s) you have ordered with your NHS GP, so that they can issue the required prescription(s) for us to fulfil. If you are using our service to manage and request repeat NHS prescriptions on behalf of someone else, we will share details about the individual(s) whom prescriptions are being requested for with that individual’s GP, again so that they can issue the appropriate prescription(s) for us to fulfil.
- TDL Pathology, for processing samples where you order any test kit from us. The data we will share with them includes your name, your date of birth, and your test reference number. TDL systems meet all current EU requirements on encryption, storage and disposal of data.
- Clinical auditors and regulatory bodies. Our pharmacy is registered with the General Pharmaceutical Council. Our prescribers are registered with the General Pharmaceutical Council. Medicines are regulated by the Medicines and Healthcare Products Regulatory Agency. As such, our practices are routinely inspected by these regulatory bodies on a periodic basis. During an inspection, we may be required to share information about your consultation with an approved auditor.
- Contact management systems, to send emails, instant messages, social media messages and SMS messages.
There are certain other exceptional circumstances in which we may disclose your information to third parties. This would be where we believe that the disclosure is:
- Required by the law, or in order to comply with judicial proceedings, court orders or legal or regulatory proceedings.
- Necessary to protect the safety of our employees, our property or the public.
- Necessary for the prevention or detection of crime, including exchanging information with other companies or organisations for the purposes of fraud protection and credit risk reduction.
- Proportionate as part of a merger, business or asset sale. In the event that this happens, we will share your information with the prospective seller or buyer involved.
4. How long do we keep your personal information?
We will only store your personal information for as long as we need it for the purposes for which it was collected.
Where we provide you with any service, such as where you register an account as a patient on our website, we will retain any information you provide to us at least for as long as we continue to provide that service to you.
We retain personal data relating to patient health care and prescriptions in accordance with the guidance issued by the Information Governance Alliance and the NHS (please see the links for detailed information about the minimum retention periods for different types of records). On the expiry of these periods, we will review the information that we hold and, unless we have a legitimate reason to keep holding that information (in accordance with our legal obligations and the purposes set out in this policy), it will be securely deleted.
Generally, we may retain personal data relating to prescriptions issued and dispensed and other care records for a period of 13 years (for adult patients) or 25 years (for any patient who is pregnant).
In all other circumstances (such as where you contact us without making a purchase), we will keep your information for a period of no more than 3 years.
5. How do we protect your personal information?
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this policy.
We try to ensure that all information you provide to us is transferred securely via the website (always check for the padlock symbol in your browser, and “https” in the URL, to ensure that your connection is secure).
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
All information you provide to us is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Any data you send to us using the NHS app goes through encryption in transit, to protect your privacy.
6. What rights do you have in respect of your personal information?
If you require any further information about your rights as explained below, or if you would like to exercise any of your rights, please contact us.
6.1 You have the right to be informed
We have a legal obligation to provide you with concise, transparent, intelligible and easily accessible information about your personal information and our use of it. We have prepared this policy to do just that, but please contact us if you have any questions.
6.2 You have the right to access your personal data
You have the right to ask us to confirm whether or not we hold any of your personal information. If we do, you have the right to have a copy of your information and to be informed of the following:
- Why we have been using your information.
- What categories of information we were using.
- Who we have shared the information with.
- How long we envisage holding your information.
In order to maintain the security of your information, we will have to verify your identity before we provide you with a copy of the information we hold. The first copy of your information that you request from us will be provided free of charge; if you require further copies, we may charge an administrative fee to cover our costs. Please contact us to request access to your data.
6.3 You have the right to correct any inaccurate or incomplete personal data
If you believe that any of the information we hold about you is inaccurate, incomplete, or out of date, you have the right to require us to rectify that information. You can update or change your personal information in the patient area on our website. Alternatively, please contact us so that we can correct our records.
6.4 You have the right to be forgotten
There may be times where it is no longer necessary for us to hold personal information about you. This could be if:
- The information is no longer needed for the original purpose that we collected it for
- You withdraw your consent for us to use the information (and we have no other legal reason to keep using it)
- You object to us using your information and we have no overriding reason to keep using it
- We have used your information unlawfully
- We are subject to a legal requirement to delete your information
In these situations you have the right to require us to delete your personal data (although please be aware that we may be required to retain certain information in order to comply with our legal obligations). If you believe one of these situations applies to you, please contact us.
6.5 You have the right to have your data transferred to you or a third party in a common format
Also known as data portability, you have the right to require us to transfer your personal information, in a structured, commonly used and machine-readable format, either to you or to another service provider.
If you would like us to do this, please contact us. There is no charge for you exercising this right.
6.6 You have the right to object to direct marketing
You can tell us at any time that you would prefer that we do not use your information for direct marketing purposes. If you would not like to receive any direct marketing from us, please contact us or use the links provided in any of our marketing communications.
6.7 You have the right to object to us using your information for our own legitimate interests
Sometimes, we use your personal information to achieve goals that will help us as well as you. This includes when we tell you about products or services that are similar to ones you have already bought; when we use your information to help us make our business better; and when we contact you to interact, communicate or to let you know about changes we are making.
We aim to always ensure that your rights and information are properly protected. If you believe that the way we are using your data is not justified due to its impact on you or your rights, you have the right to object. Unless we have a compelling reason to continue, we must stop using your personal data for these purposes. If you have any objections to our using your personal data for our legitimate interests, please contact us.
6.8 You have the right to withdraw your consent
In most cases, we do not require your consent to use your personal information in the ways set out in this policy. However, where we do rely on your consent (such as where you subscribe to our newsletter), you have the right to withdraw that consent at any time. You can use the “unsubscribe” links in any of the communications that we send you, or contact us to withdraw your consent.
6.9 You have the right to restrict how we use your personal data
You have the right to ask us to stop using your personal data in any way other than simply keeping a copy of it. This right is available where:
- You have informed us that the information we hold about you is inaccurate, and we have not yet been able to verify this
- You have objected to us using your information for our own legitimate interests and we are in the process of considering your objection
- We have used your information in an unlawful way, but you do not want us to delete your data
- We no longer need to use the information, but you need it for a legal claim
For example, you may wish for us to retain your contact details on our “do not contact” list to ensure that we do not send marketing emails to you in the future. If you wish to exercise this right please contact us.
6.10 You have rights related to automated decision-making and profiling
Any automated decision-making or profiling we undertake is solely for the purpose of tailoring the information which we provide to you. We will not use automated decision-making or profiling to make any decisions which will have a legal effect upon you or otherwise significantly affect you, and you have the right not to be subject to such decisions. If you have any concerns or questions about this right, please contact us.
This version was last updated on 05/05/20 and historic versions can be obtained by contacting us.
If you wish to make a complaint about our collection or use of your personal data, please contact us in the first instance so that we may seek to resolve your complaint.
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the statutory body which oversees data protection law in the UK. Please visit the ICO website if you wish to lodge a complaint with the ICO.
9. Contact Us
If you have any questions about your privacy or our use of your personal data, please contact our Data Protection Officer:
- Karen Christie - 32 Welbeck Road, Glasgow, G53 7SD.
If you would like to speak to us, or you have any questions about our website, please get in touch using the contact page or by telephone.