This Privacy Policy explains how we, Universal Pharmacy Ltd, trading as Medpal Universal Pharmacy (“we”, “us”, “our”), collect, use and protect your personal information.
‍
We are a company registered in England and Wales (company number 07534072) with registered office at 26 Stroudley Road, Brighton, East Sussex, BN1 4BH.
‍
Our registered pharmacy premises are:
Medpal Universal Pharmacy
25 Turbine Way
Ecotech Business Park
Swaffham
PE37 7XD
‍
We are regulated by the General Pharmaceutical Council (GPhC).

This Privacy Policy applies to:
- Your use of our website and online services (including prescription ordering and clinical services);
- Our provision of pharmacy and related healthcare services by phone, email, post or other remote means; and
- Any other interactions you have with us as a patient, customer, carer or visitor.It explains what personal data we collect, how and why we use it, and your rights under UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

For most activities described in this Privacy Policy, Universal Pharmacy Ltd is the “data controller”. This means we decide how and why your personal data is processed.
In some situations (for example where we provide services on behalf of the NHS or another organisation), we may act jointly with, or as a processor for, other data controllers such as NHS England, an Integrated Care Board (ICB) or your GP practice. Where this is the case, we will explain this on request.If you have any questions about this Privacy Policy or how we use your data, you can contact us:- Email: support@medpal.co.uk- Phone: 01760 336774- Post: Data Protection Lead, Medpal Universal Pharmacy, 25 Turbine Way, Ecotech Business Park, Swaffham, PE37 7XD.

The information we collect will depend on the services you use and your relationship with us. It may include:

4.1 Identity and contact details
- Name, date of birth, gender
- Address and delivery details
- Email address and telephone numbers
- NHS number (where needed for NHS services)
- Contact details for your GP or other prescribers
- Details of a carer, parent or representative (where applicable)

4.2 Health and prescription information
Because we are a pharmacy, we routinely process “special category” data about your health. This may include:
- Details of current and past medicines, prescriptions and dosage
- Relevant medical history, conditions, allergies, pregnancy or breastfeeding status
- Clinical notes and records made by our pharmacists and clinicians
- Information that prescribers, NHS bodies or other healthcare professionals share with us so we can provide safe care
- Information you give us through online questionnaires, forms or consultations

4.3 Service, order and payment information
- Details of medicines and products you order from us
- Information about NHS or private services you receive from us
- Payment transaction information (for example, method of payment and whether payment was successful – we do not store full card details)
- Entitlement to exemptions from NHS charges or other schemes, where relevant

4.4 Website and technical information
When you use our website, we may collect:
- IP address and approximate location
- Device and browser type
- Pages visited, time and date of visits, and how you interact with our site
- Cookie and tracking information (for example, for essential site functionality and, where permitted, analytics)
More detail is provided in our separate Cookies Policy.

4.5 Communications
- Records of emails, letters, calls, web forms and other communications
- Feedback, survey responses and complaints, including outcomes and follow-up actions

We may collect information:
- Directly from you, when you register with us, create an account, use our services, complete forms or communicate with us;
- From other healthcare professionals and organisations, such as your GP, prescribers, other pharmacies, NHS England, ICBs or hospitals, where necessary for your care or for the management of NHS services;
- From our website and apps, through cookies and similar technologies; and
- From third party service providers (for example, payment processors, delivery partners or identity verification services), where this is necessary to provide our services and satisfy legal requirements.

We only use your personal data when we have a lawful basis to do so. Depending on the context, this may include:

6.1 Performance of a contract
So we can provide you with products or services you have requested, including:
- Dispensing NHS and private prescriptions;
- Delivering medicines and health products to you;
- Providing clinical and pharmacy services.

6.2 Legal obligations
To comply with laws and regulations that apply to pharmacies and healthcare providers, including:
- Medicines and NHS legislation and guidance;
- Record keeping requirements;
- Responding to requests from regulators or law enforcement where legally required.

6.3 Vital interests
To protect you or another person where there is a serious or imminent risk to life or health.

6.4 Public task / provision of healthcare
For the performance of tasks carried out in the public interest or in the exercise of official authority, particularly in connection with the organisation and delivery of health and care services (for example, NHS-funded services).

6.5 Legitimate interests
Where we have a legitimate interest in using your data, and this is not overridden by your rights and interests, for example:
- Managing and improving our services and website;
- Handling queries and complaints;
- Preventing abuse or misuse of our services;
- Audit, training and quality assurance.

6.6 Consent
We will usually rely on consent:
- For certain optional communications (for example, some types of marketing); or
- Where we ask your explicit permission to share information in ways not covered above.

You can withdraw your consent at any time (see section 12), although this will not affect the lawfulness of any processing carried out before consent was withdrawn.

As a pharmacy, we routinely process information about your health. Additional legal conditions apply to this “special category” data. We normally rely on one or more of the following conditions:
- Provision of health or social care or treatment;
- Management of health or social care systems and services;
- Public interest in the area of public health;
- Establishment, exercise or defence of legal claims;
- Your explicit consent (for example, for certain optional services).

We may use your information to:- Dispense and supply medicines, devices and other products;
- Provide pharmacy and clinical services, including reviewing prescriptions, checking for interactions and giving professional advice;
- Verify your identity and eligibility for services (including NHS funding or exemptions);
- Communicate with you about your orders, prescriptions, deliveries and clinical care;
- Handle queries, feedback and complaints;
- Manage safety incidents, safeguarding concerns and quality assurance;
- Meet legal, regulatory and professional requirements;
- Improve our services, website and patient experience, including through anonymous or aggregated analysis;
- Protect our organisation against fraud, misuse and security risks.We will not use your health information for automated decision making that produces legal or similarly significant effects without appropriate human involvement.

We do not use your health information for direct marketing.
We may contact you with information about our services where this is allowed by law and where you have not opted out. Where required, we will ask for your consent before sending marketing communications by email, SMS or other electronic means.
You can opt out of marketing at any time by following the unsubscribe instructions in our communications or by contacting us directly.

We use cookies and similar technologies on our website to:
- Provide essential site functionality (for example, keeping you logged in or remembering your basket);
- Improve site performance and security;
- Understand how our website is used, so we can improve it.
Some cookies are essential and cannot be turned off. Non-essential cookies (for example, certain analytics or personalisation tools) will only be used in accordance with your preferences.
For more details, including the types of cookies we use and how to manage your preferences, please see our Cookies Policy.

We will only share your information when necessary and lawful. Depending on the services you use, we may share data with:
- Your GP, prescribers and other healthcare professionals involved in your care;
- NHS organisations such as NHS England, ICBs and NHS Business Services Authority;
- Our delivery partners and couriers, so your medicines and products can be delivered;
- IT and system providers who support our website, patient record systems and communications;
- Payment service providers, to process payments;
- Regulators and professional bodies (for example, GPhC, NHS bodies, CQC, ICO) where required;
- Organisations that support us with incident management, complaints handling or dispute resolution;
- Law enforcement agencies, courts or other authorities where we are legally required to do so or where it is necessary to protect individuals from serious harm.
Whenever we share information with third parties who process data on our behalf, we require them to keep it secure and use it only in accordance with our instructions and the law.
We do not sell your personal data to third parties.

Most of our data processing takes place within the UK or European Economic Area (EEA). If we need to transfer personal data outside the UK or EEA (for example, where a service provider uses servers in another country), we will ensure that appropriate safeguards are in place, such as:
- An adequacy decision by the UK government; or
- Standard contractual clauses approved for use in the UK; or
- Other suitable protections as required by data protection law.You can contact us for more information about international transfers involving your data.

We will keep your personal data only for as long as necessary for the purposes described in this Privacy Policy, and to meet legal, clinical and regulatory requirements.
This means that different categories of records may be kept for different periods. For example, pharmacy records, prescription details and clinical notes are usually kept for a number of years in line with NHS and professional guidance.
When information is no longer needed, we will securely delete or anonymise it.

We take appropriate technical and organisational measures to protect your personal data against loss, unauthorised access or misuse. These include:
- Access controls so that only authorised staff can see relevant information;
- Staff training and professional confidentiality obligations;
- Secure systems for storing and transmitting data;
- Procedures for responding to data protection incidents.While we work hard to protect your information, no system can be completely secure. We encourage you to keep your own login details safe and to tell us if you suspect any misuse of your account.

Under data protection law, you have a number of rights in relation to your personal data. These may include the right to:
- Access a copy of your personal data and obtain information about how it is used (right of access);
- Ask us to correct inaccurate or incomplete information (right to rectification);
- Ask us to delete or remove your information in some circumstances (right to erasure);
- Ask us to restrict the way we use your data in some circumstances (right to restriction);
- Object to certain types of processing, including processing based on our legitimate interests and, in some cases, direct marketing (right to object);
- Ask for your data to be provided in a structured, commonly used and machine-readable format, and to have that data transmitted to another controller where technically feasible (right to data portability);
- Withdraw consent where we rely on your consent to process your data.These rights are not absolute and may be subject to conditions and legal exemptions. If we cannot fully comply with your request, we will explain why.To exercise your rights, please contact us using the details in section 3. We may need to confirm your identity before we act on your request.

If you are unhappy with how we handle your personal data, please contact us first so we can try to resolve your concerns.
You also have the right to complain to the UK regulator, the Information Commissioner’s Office (ICO):
- Website: www.ico.org.uk
- Telephone: 0303 123 1113

Our services are primarily intended for adults. We may process information about children or vulnerable adults where this is necessary for their care, with appropriate involvement of parents, guardians or other responsible representatives and in line with professional obligations.

We may update this Privacy Policy from time to time, for example to reflect changes in law, guidance or our services. Any changes will be posted on our website with an updated “Last updated” date.
We encourage you to review this policy periodically to stay informed about how we use your data.