Legal
Privacy Policy
1. Who we are
This privacy notice is issued by PillSorted Ltd (“we”, “us”, “our” or “PillSorted”), a company registered in England and Wales with company number 11689270.
When we collect and process your personal data in the course of providing you with pharmaceutical services through this website, we are a data controller of your personal data and are responsible for ensuring that it is properly protected. This privacy notice will explain how we process it.
We collect, use and are responsible for certain personal data about you and we are subject to the UK data protection laws. We are registered with the Information Commissioner’s Office in the UK with registration number ZA559528.
Please see the ‘How to contact us’ section at the end of this privacy notice if you have any questions about this privacy notice or the information we hold about you.
2. This privacy notice
Please read this privacy notice carefully as it contains important information about who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
3. Our collection and use of your personal data
Personal data means any information about an individual from which they can be directly or indirectly identified.
How your personal data is collected
We collect personal data about you in different ways, including:
- Direct interactions. You may give us your personal data when you access our website, register to use our personalised pharmacy service or other health care services (such as stop smoking services and flu vaccinations), contact us, send us feedback, purchase over-the-counter medication from us through our website or complete patient surveys.
- Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
- Third parties. We receive information (including health data) about you from the NHS or your health practitioner (such as your registered GP or nurse practitioner, private medical providers and hospitals). In addition to information we may collect from you directly (such as your name and address), this includes information contained on your prescription (such as your NHS number, DOB, home address and medication details), as well as any information that your healthcare professionals may disclose to us which are required as part of the care services we are providing.
Personal data we collect about you
The personal data we collect about you depends on how and why you engage with us. We may collect and use the following data about you:
- Identity Data – full name, marital status, title, date of birth and gender.
- Contact Data – home address, email address and telephone number(s).
- Health Data – information about your health and wellbeing, your medical history, medication you are taking (or may have taken previously), your registered GP or medical advisor, allergies, ethnicity, weight, age, lifestyle preferences (e.g. whether you are a smoker or non-smoker).
- Financial Data – bank account and payment card details.
- Transaction Data – details about payments to and from you and other details of medication and products you have purchased from us.
- Technical Data – internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data – your username and password, orders made by you, your preferences.
- Usage Data – data about how you use our website, products and/or services, including survey responses.
- Marketing and Communications Data – your preferences in receiving marketing from us and your communication preferences.
We need this personal data to provide you with products (specifically medication) and services. If you do not provide personal data we ask for, it may delay or prevent us from dealing with your request.
Our website and pharmaceutical services are not intended for use by children. We do not knowingly collect or use personal data relating to children under the age of 18, except where we are administering medication for children to their parents or guardians.
Special Category Personal Data
As part of our services, we routinely collect Special Categories of Personal Data. Special category personal data includes: details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data.
We collect and process: details about your race or ethnicity, information about your health, and genetic data. We collect and process this type of Special Categories of Personal Data as it is necessary for the purposes of providing you with medication or treatment, medical advice where appropriate and our pharmaceutical services.
We do not collect any information about criminal convictions and offences.
Aggregated Data
We may also collect and use Aggregated Data (such as statistical or demographic data) for the purposes of business analysis and customer trends, and service updates and improvements. Aggregated Data may be derived from your personal data but is not considered personal data in law as it does not include information that can directly or indirectly identify you. For example, we may aggregate your data in order to analyse the quantities of particular medications used by our patients, or Usage Data to calculate the percentage of users accessing a specific website feature, or review customer trends about our products or certain medication.
How and why we use your personal data
Under data protection law, we can only use your personal data if we have a lawful basis for doing so, which includes:
- Consent: where you have given us clear consent for us to process your personal data for a specific purpose;
- Contract: where our use of your personal data is necessary to fulfil a contract we have with you, or because you have asked us to take specific steps before entering into a contract;
- Legal obligation: where our use of your personal data is necessary for us to comply with the law (not including contractual obligations); or
- Legitimate interests: where our use of your personal data is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal data which overrides our legitimate interests) and these can include business interests, individual interests or broader societal benefits.
The table below explains what we use your personal data for and why, as well as what our legitimate interests are where we are relying on our legitimate interests as the lawful basis to process your personal data:
Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
---|---|---|
To register you (or your organisation if you are a Care Home) as a new patient / customer for our pharmaceutical services | (a) Identity (b) Contact | Performance of a contract with you. Necessary for our and a third party’s legitimate interests (to set up and manage our patient and customer relationships) |
To collect your prescriptions, dispense, manage and deliver medication to you, provide you with medical advice (as appropriate) or discuss your medication with your medical advisor | (a) Identity (b) Contact (c) Health Data (d) Transaction Data (e) Profile Data | (a) Performance of a contract with you. (b) Necessary to comply with a legal obligation (we must process certain Health Data about you in order to meet our legal and regulatory obligation as a registered and licensed pharmacy)*. *In order to process your health data in this way, we are required to satisfy an additional condition of processing. Our processing of your health data is necessary for the provision of health care or treatment (Article 9(2)(h) UK GDPR). |
To provide products (through our website shop) and/or our delivery services to you, including: (a) to manage payments, fees and charges (b) to collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us and to provide our products/services to our paying customers) |
To manage our relationship with you which will include: (a) Notifying you about changes to our products and/or services, terms or privacy notice (b) Asking you to leave a review or take a survey (c) Responding to queries you may raise | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to manage our customer relationships, keep our records updated and to study how customers use our products and/or services) |
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
To deliver relevant website content and marketing materials to you and measure or understand the effectiveness of the marketing we send to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | (a) Consent, where we are required to collect it from you (b) Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy) |
To use data analytics to improve our website, marketing, customer relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of patients / customers for our products and/or services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
To make suggestions and recommendations to you about products and/or services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile | Necessary for our legitimate interests (to develop our products and/or services and grow our business) |
4. Who we share your personal data with
We routinely share personal data with the organisations below:
- As part of your care – we have a duty to share certain information with your GP or medical professional and the wider NHS.
- To manage our payments –
  - sharing your information with the NHS Business Services Authority, others in the wider NHS, and sometimes Local Authorities, and only limited information to those external to the NHS who negotiate and check the accuracy of our payments; and
  - our external payment service provider, Stripe. For more information about how Stripe uses your Financial and Payment Data, please visit: https://stripe.com/gb/privacy.
- For management of our business –
  - sharing only limited information with the NHS Business Services Authority and others in the wider NHS, and sometimes Local Authorities, as well as those external to the NHS who ensure we maintain appropriate professional and service standards and that your declarations and ours are accurate. This may include: the General Pharmaceutical Council (GPhC) as part of an inspection or audit; and
  - other external third parties we use to help us run our business, for example our website hosts, client relationship management platforms, and companies that provide us with marketing tools, such as Zendesk; and
  - Optimoroute, which provides scheduling and route optimisation for our delivery team.
  - our external professional advisors (such as our lawyers or accountants);
  - Royal Mail and other delivery and courier companies used to provide part of our services to you.
We only allow our service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data.
We may disclose your personal data to law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share personal data with other third parties, such as potential buyers of some or all of our business or during a company re-structuring. Alternatively, we may seek to acquire other businesses or merge with them. Personal data will be anonymised where possible, but this may not always be possible. The recipient of the personal data will be bound by confidentiality obligations.
5. Transferring your personal data out of the UK and EEA
To provide products and/or services to you, it is sometimes necessary for us to share your personal data outside the UK, for example with service providers who are either located outside the UK or who transfer personal data outside of the UK.
Transfers of personal data outside of the UK are subject to special rules under UK data protection law. This is because non-UK countries do not have the same data protection laws as the United Kingdom. We will ensure the transfer complies with data protection law and all personal data will be secure.
As a result, when we transfer personal data outside of the UK we will ensure that the transfer complies with data protection law by following one of the below steps:
- Confirming that the recipient is located in a country which has been recognised as having an adequate level of protection for personal data, for example countries located within the EEA;
- Putting in place safeguards (such as approved standard contractual clauses) so that you have enforceable rights and effective legal remedies; or
- Confirming that a specific exception applies under data protection law.
For more information about our international transfers, please contact us using the information below.
6. Cookies and other tracking technologies
A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website. We use cookies on our website. Cookies help us recognise you and your device and store some information about your preferences or past actions. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.
For further information about cookies, our use of cookies, when we ask your consent before placing them, and how to disable them, please see our Cookies Policy.
7. Marketing
We may use your personal data to send you updates (by email, text message, telephone or post) about our products and/or services, including exclusive offers, promotions or new products and/or services.
We often have a legitimate interest in using your personal data for marketing purposes (see the table above). This means we do not usually need your consent to send you marketing information. However, where consent is needed, we will ask for this separately and clearly.
We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.
Regardless of whether you have given your consent to receive marketing communications, or it is in our legitimate interests to send them, you always have the right to opt out of receiving further promotional communications by:
- contacting us at DPO@pillsorted.com; or
- using the ‘unsubscribe’ link in emails.
We may ask you to confirm or update your marketing preferences if there are changes in the law, regulation, or the structure of our business.
Please note that we may also send you other communications in relation to your purchase of products and/or services or in order to respond to queries you have raised. Such communications are service communications and are not considered a form of marketing communications.
8. Your rights
You have the following rights, which you can exercise free of charge:
Access | The right to be provided with a copy of your personal data (the right of access) |
Rectification | The right to require us to correct any mistakes in your personal data |
To be forgotten | The right to require us to delete your personal data – in certain situations. Information about a customer may be retained where this is required by law, is part of a fraud investigation or is required for accounting and audit purposes. |
Restriction of processing | The right to require us to restrict processing of your personal data – in certain circumstances, e.g. if you contest the accuracy of the data |
Data portability | The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations |
To object | The right to object: (a) at any time to your personal data being processed for direct marketing (including profiling); (b) in certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests. |
Not to be subject to automated individual decision making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
For further information about your rights please contact us or see the guidance provided by the UK Information Commissioner’s Office (ICO) on individuals’ rights.
If you would like to exercise any of your rights, please:
- email us – see the ‘How to contact us’ section at the end of this notice;
- let us have enough information to identify you (e.g. your full name, address and customer or matter reference number);
- let us have proof of your identity if requested; and
- let us know which right you want to exercise and the data to which your request relates.
9. How long your personal data will be kept
We will not retain your personal data for longer than necessary for the purposes set out in this privacy notice. Different retention periods apply for different types of personal data.
When it is no longer necessary to retain your personal data, we will delete or anonymise it.
In respect of your Health Data, we will hold your information for as long as is advised by the NHS or required as part of our legal and regulatory obligations as a pharmacy. For all other types of personal data, we will keep your personal data while we are providing medication to you, selling products to you and/or providing you with our services. Thereafter, we will keep your personal data for as long as is necessary:
- to respond to any questions, complaints or claims made by you or on your behalf;
- to show that we treated you fairly; and
- to keep records required by law.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
You can request further details of retention periods for different aspects of your personal data by contacting us.
10. Keeping your personal data secure
We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality. Our pharmacists are responsible for the confidentiality of your Health Data.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
11. How to complain
Please contact us if you have any query or concern about our use of your personal data (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.
You also have the right to lodge a complaint with the Information Commissioner. The Information Commissioner may be contacted at https://ico.org.uk/make-a-complaint or telephone: 0303 123 1113.
12. How to contact us
You can contact us and/or our Data Protection Officer if you have any questions about this privacy notice or the data we hold about you, to exercise a right under data protection law or to make a complaint.
Our contact details are shown below:
Email: DPO@pillsorted.com
Address: Carthouse 3, Copley Hill Business Park, Cambridge, CB22 3GN
Telephone number: 0333 4050380
13. Changes to this privacy notice
This privacy notice was last updated in April 2023. We keep our privacy notice under regular review to make sure it is up to date and accurate. If we change our privacy notice from time to time, we will post the details of any changes here. We may also take reasonable steps to notify you if such changes affect how your personal data is processed.