At Private Prescriptions, your trust and the security of your personal and health data are at the absolute core of everything we do. We understand the highly sensitive nature of the information you share with us. This Privacy Policy explains in detail how we collect, use, store, share, and protect your data when you use our website and services. We are committed to upholding the highest standards of privacy, security, and transparency, in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Private Prescriptions (referred to as "we", "us", or "our") operates as a private prescription comparison and fulfilment facilitation service. We are the Data Controller responsible for your personal data collected via this website.
2. Data Protection Principles
We adhere to the UK GDPR data protection principles, ensuring that your data is:
• Processed lawfully, fairly, and transparently.
• Collected for specified, explicit, and legitimate purposes.
• Adequate, relevant, and limited to what is necessary.
• Accurate and kept up to date.
• Retained only for as long as necessary.
• Processed in a manner that ensures appropriate security.
3. What Personal Data We Collect and Why
We collect various types of information to provide our service, ensuring that we only collect what is essential.
a) Personal Identification & Contact Data:
• What we collect: Name, address, email address, phone number, date of birth.
• Purpose: To create and manage your account, verify your identity, communicate with you about your prescription requests and orders, facilitate delivery, and for billing purposes.
• Legal Basis: Performance of a contract with you (to provide our service) and compliance with legal obligations (e.g., patient safety, age verification).
b) Sensitive Health Data (Special Category Data):
• What we collect: Images of your private prescription, details of medications prescribed, dosage, medical conditions relevant to the prescription, and any other health information you choose to provide (e.g., allergies, existing conditions).
• Purpose: To accurately process your prescription request, obtain price comparisons, ensure the safe and appropriate supply of medication, and for clinical governance.
• Legal Basis: This is 'special category data' under UK GDPR. Our lawful basis for processing is that it is necessary for the provision of health or social care or treatment or the management of health or social care systems and services (Article 9(2)(h) UK GDPR). We also rely on explicit consent where appropriate (e.g., for certain non-essential communications or specific data sharing beyond direct care).
c) Payment Data:
• What we collect: Credit/debit card details, billing address.
• Purpose: To process payments for your medication.
• Legal Basis: Performance of a contract. We use secure, PCI-compliant third-party payment processors (e.g., Stripe, PayPal), and we do not store your full card details on our servers.
d) Technical & Usage Data:
• What we collect: IP address, browser type, operating system, pages visited, time spent on site, referral source.
• Purpose: To ensure the proper functioning and security of our website, analyse website performance, understand user behaviour, and improve our services. This data is often anonymised or aggregated.
• Legal Basis: Legitimate interests (to improve our service and ensure website security).
e) Communications Data:
• What we collect: Records of your interactions with us via email, chat, phone calls, or WhatsApp.
• Purpose: To provide customer support, resolve queries, improve our service, and for training purposes.
• Legal Basis: Performance of a contract, legitimate interests, and compliance with legal obligations.
4. How We Collect Your Data
We collect data from you in the following ways:
• Directly from you: When you register an account, upload a prescription, complete forms, communicate with our customer service, or subscribe to our newsletters.
• Automatically: Through cookies and similar technologies as you interact with our website (see section 9).
• From third parties (where necessary): In specific cases, and with your explicit consent or where legally required, we may receive information from other healthcare providers involved in your care.
5. How We Use Your Data
Your data is primarily used to:
• Process and fulfil your private prescription requests.
• Provide you with price comparisons from our network of GPhC-registered pharmacies.
• Securely transmit your prescription details to the chosen dispensing pharmacy.
• Arrange secure and discreet delivery of your medication.
• Manage your account and communicate with you about your orders.
• Provide customer support and address your queries.
• Improve our website, services, and user experience.
• Conduct internal analysis and research to enhance our offerings (using anonymised or aggregated data where possible).
• Comply with legal, regulatory, and professional obligations (e.g., GPhC standards, audit requirements).
• For fraud prevention and security purposes.
6. How We Share Your Data (Always Securely and Only When Necessary)
Your data is treated with the utmost confidentiality. We will only share your data with third parties when it is necessary for the provision of our service, with your explicit consent, or as required by law.
• Dispensing Pharmacies: We will share your prescription details, personal identification, and contact data with the GPhC-registered pharmacy you select (or that provides the best price) for the purpose of dispensing and fulfilling your order.
• Payment Processors: Your payment information is securely shared with PCI-compliant payment gateways to process transactions.
• Delivery Services: Limited personal data (name, address, contact details) is shared with trusted couriers (e.g., Royal Mail, DPD) for the sole purpose of delivering your medication.
• IT & Service Providers: We use third-party service providers for website hosting, data storage, analytics, and customer support tools. These providers are contractually bound to keep your data secure and process it only in accordance with our instructions and data protection laws.
• Regulatory & Legal Authorities: We may disclose your information if required by law, court order, or to comply with regulatory bodies such as the GPhC, MHRA, ICO, or law enforcement agencies.
• Professional Advisors: We may share data with our professional advisors (e.g., lawyers, accountants) as necessary for legal or business purposes, under strict confidentiality.
We never sell or rent your personal or health data to third parties for their marketing purposes.
7. Data Security – Our Commitment to Your Protection
We implement robust technical and organisational measures to protect your personal and health data against unauthorised access, alteration, disclosure, loss, or destruction. These measures include:
• Encryption: All data transmitted between your device and our servers, and between our platform and partner pharmacies, is encrypted using industry-standard SSL/TLS technology.
• Secure Storage: Your data is stored on secure servers with strict access controls, firewalls, and regular security audits. Sensitive health data is stored with additional layers of encryption.
• Access Control: Access to your data is strictly limited to authorised personnel who require it to perform their duties (e.g., pharmacists, customer service). All staff undergo regular data protection training and sign confidentiality agreements.
• Regular Audits & Updates: We regularly review our security practices and update our systems to guard against new threats.
• Data Minimisation: We only collect and retain data that is necessary for the purposes outlined in this policy.
• DPIA (Data Protection Impact Assessments): We conduct DPIAs for any new processing activities that are likely to result in a high risk to your privacy.
8. Data Retention
We retain your personal and health data only for as long as necessary to fulfil the purposes for which it was collected, including for legal, accounting, or reporting requirements. For health data related to prescription dispensing, we adhere to professional guidelines (e.g., GPhC guidelines for patient records, which typically require retention for 8-10 years after the last entry). After this period, your data will be securely deleted or anonymised.
9. Cookies and Similar Technologies
Our website uses cookies and similar technologies to enhance your browsing experience, analyse site usage, and support our marketing efforts. You can manage your cookie preferences through your browser settings. For more detailed information, please refer to our separate Cookie Policy.
10. Your UK GDPR Rights
Under the UK GDPR, you have the following rights concerning your personal data:
• The Right to Be Informed: To know how your data is being used (which this Privacy Policy aims to do).
• The Right of Access: To request a copy of the personal data we hold about you.
• The Right to Rectification: To request that inaccurate or incomplete data be corrected.
• The Right to Erasure (the "Right to be Forgotten"): To request that your data be deleted, where there is no overriding legal or legitimate reason for us to continue processing it (note: this right is limited for health data due to legal retention requirements).
• The Right to Restrict Processing: To request that we limit the way we use your data in certain circumstances.
• The Right to Data Portability: To receive your data in a structured, commonly used, and machine-readable format and have it transferred to another controller.
• The Right to Object: To object to the processing of your data in certain situations (e.g., for direct marketing).
• Rights in Relation to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you, unless certain exceptions apply. We do not currently use automated decision-making that would have such legal effects.
To exercise any of these rights, please contact our Data Protection Officer using the details below. We may require proof of identity to verify your request.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal or regulatory reasons. We will notify you of any significant changes by posting the new policy on our website and, where appropriate, by email. We encourage you to review this policy periodically.
12. How to Contact Us
If you have any questions about this Privacy Policy or our data protection practices, or if you wish to exercise your rights, please contact our Data Protection Officer:
• Postal Address: 61 Woodland Court, Hove, East Sussex BN3 6DQ
Attn: Data Protection Officer
13. Complaints
If you are not satisfied with our response to a privacy query or believe we are not processing your personal data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection issues.
• ICO Website: www.ico.org.uk
• ICO Helpline: 0303 123 1113