Data Protection

18 Sep

Scope and Controller

This notice explains how personal data is processed by First Pharmacy UK in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

First Pharmacy UK operates as an information resource offering clear, evidence-based guidance on medicines, diseases, and supplements for a United Kingdom audience. We do not provide individual medical diagnosis or prescription services. You should seek advice from a qualified healthcare professional for personalised care.

Controller: First Pharmacy UK (the “Website Owner”).

Registered address: [Postal address to be supplied].

Primary contact email for data protection matters: Email address.

Lawful Bases for Processing

We process personal data under one or more of the following lawful bases:

Consent: where you have given clear consent (e.g., to receive newsletters or to use non-essential cookies).
Contract: where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract.
Legal obligation: where processing is necessary to comply with UK law.
Legitimate interests: where processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (e.g., site security, service improvement, and analytics with appropriate safeguards).
Vital interests: only where necessary to protect life, in rare circumstances.

Categories of Personal Data

Identifiers and contact details: name, email address, telephone number (if you provide them), and similar identifiers.
Technical and usage data: IP address, device identifiers, browser type and version, time zone setting, operating system, pages visited, and interaction data collected via cookies or similar technologies.
Communications data: contents of enquiries, feedback, or support requests.
Preference data: your consent choices and cookie preferences.
Special category data: health-related information only if you choose to provide it in your communications with us. We do not solicit such data and ask that you avoid sharing unnecessary sensitive information.

Purposes of Processing

Service delivery: to operate, maintain, and present our UK-focused pharmaceutical information content.
User communications: to respond to enquiries, feedback, or rights requests.
Improvement and analytics: to understand page performance, improve content quality, and enhance user experience (using aggregated or pseudonymised data where feasible).
Security and fraud prevention: to maintain the integrity and security of our website and systems.
Legal and regulatory compliance: to meet our obligations and cooperate with regulatory authorities where required.

Cookies and Similar Technologies

We use cookies and similar technologies to enable core site functionality, remember preferences, and analyse usage. Non-essential cookies are used only with your consent. You can manage your preferences via our cookie controls and through your browser settings.

Strictly necessary cookies: required for security and basic site operation.
Functional cookies: remember choices and improve features.
Analytics cookies: help us understand how content is used and improve the site.

You can withdraw cookie consent at any time by updating your preferences. Disabling certain cookies may affect site functionality.

Sources of Personal Data

Directly from you: when you contact us or submit information through our forms.
Automatically: via your device and browser through cookies, logs, and similar technologies.
From service providers: aggregated or pseudonymised analytics and security data, where applicable.

Sharing and Disclosure

We do not sell personal data. We may share personal data under the following circumstances:

Service providers (processors): for hosting, security, analytics, communications support, and similar services under written contracts and subject to confidentiality and data protection obligations.
Legal and regulatory: to comply with applicable law, court orders, or requests from competent authorities.
Business transfers: in connection with a reorganisation, merger, or transfer of operations, subject to appropriate safeguards and continued protection of your data.

International Transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses, and supplementary measures where necessary. You may request further information on these safeguards by contacting us.

Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this notice, including for the purposes of satisfying legal, accounting, or reporting requirements.

Communications (enquiries/feedback): typically retained for up to 24 months, or longer where needed to resolve issues or comply with legal obligations.
Technical and analytics data: typically retained for up to 26 months, subject to system configurations and your consent preferences.
Cookie data: retained in accordance with each cookie’s defined lifespan and your consent settings.

We will securely delete or anonymise data when retention is no longer necessary.

Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, data minimisation, and staff confidentiality commitments. However, no internet transmission is entirely secure; you should take care when choosing what information to share with us.

Special Category Data

We do not require or encourage the submission of health-related or other special category data. If you voluntarily provide such information (for example, within an enquiry), we will process it only where a lawful basis applies, such as your explicit consent or where necessary for the establishment, exercise, or defence of legal claims. Please avoid sharing unnecessary sensitive information.

Children’s Data

Our services are not directed at children under 13 years of age. If you are under 13, you should not provide personal data without verifiable consent from a parent or guardian. If we learn that we have inadvertently collected personal data from a child under 13, we will take steps to delete it.

Your Rights Under UK GDPR

Subject to conditions and exemptions under UK law, you have the following rights:

Right of access: to obtain confirmation and a copy of your personal data.
Right to rectification: to correct inaccurate or incomplete data.
Right to erasure: to request deletion of your data where there is no overriding lawful basis.
Right to restriction: to limit processing in certain circumstances.
Right to data portability: to receive your data in a structured, commonly used format and transmit it to another controller where technically feasible and lawful.
Right to object: to processing based on legitimate interests or for direct marketing.
Right to withdraw consent: where processing is based on consent, you can withdraw it at any time, without affecting prior lawful processing.

We may need to verify your identity before fulfilling a request. We aim to respond within one month, subject to extensions permitted by law for complex requests.

How to Exercise Your Rights and Contact Us

To exercise your rights or ask questions about this notice or our data practices, please contact us:

Email: Email address

Postal address: [Postal address to be supplied]

If we rely on legitimate interests, you may request information about our balancing test. You also have the right to object to processing for direct marketing at any time.

Complaints

If you have concerns about our use of your personal data, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113.

Changes to This Notice

We may update this GDPR notice from time to time to reflect changes to our practices or legal requirements. Material changes will be highlighted on this page. Please review it periodically.

Effective date: 18 September 2025.