Privacy

18 Sep

Data Controller and Contact Information

This Privacy Policy explains how First Pharmacy UK (the "Website", "we", "us", or "our") collects, uses, discloses, and protects personal data when you visit or use firstpharmacyuk.com. We act as the data controller for the personal data processed through this Website.

Data Controller: First Pharmacy UK, United Kingdom.

Primary contact email for privacy matters: [email protected].

If you make a request, we may ask you to verify your identity before responding, to protect your data.

Scope

This Privacy Policy applies to personal data processed in connection with your use of our Website and related communications. It does not apply to third-party websites, services, or applications that we do not own or control.

Definitions

"Personal data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion. "UK GDPR" means the UK General Data Protection Regulation as retained in UK law, supplemented by the Data Protection Act 2018. "PECR" means the Privacy and Electronic Communications Regulations.

Personal Data We Collect

Data you provide to us

Contact and identity data: name, email address, telephone number, and postal address (if you provide it).
Account and profile data: username, password, preferences (if account features are offered).
Communications: inquiries, requests, feedback, survey responses, reviews, or other content you submit.
Marketing preferences: your choices about receiving updates, newsletters, or promotional messages.
Special category data (only if you choose to provide it): information about health or medical conditions included in messages or forms. We do not require this information to use the Website and ask that you avoid sharing sensitive data unless necessary.

Data collected automatically

Technical data: IP address, device identifiers, browser type and version, operating system, time zone, and language settings.
Usage data: pages viewed, links clicked, referring/exit pages, session duration, and similar diagnostic data.
Cookie and similar technologies data: identifiers and information from cookies, pixels, tags, or local storage (see Cookies and Similar Technologies).

Data from third parties

Analytics and measurement providers supplying aggregated or pseudonymised insights about Website performance and audience.
Service providers assisting with hosting, security, email delivery, customer support, or fraud prevention.

Special category data

If you voluntarily share information about your health or similar special category data, we will only process it with your explicit consent or where another lawful basis applies under UK law. We will limit access, use it only for the purpose you provided it, and will not use it for marketing.

Purposes and Legal Bases for Processing

We process personal data for the purposes and under the legal bases set out below:

Providing and operating the Website, content, and features; ensuring availability and functionality (legal basis: legitimate interests and, where applicable, contract).
Responding to inquiries, providing support, and communicating with you (legal basis: legitimate interests or contract, as applicable).
Personalising content and improving the user experience; measuring performance and understanding audience engagement (legal basis: legitimate interests; for non-essential cookies/technologies, consent under PECR/UK GDPR).
Sending service communications, policy updates, and security notices (legal basis: legitimate interests or legal obligation).
Direct marketing via email or similar channels, where permitted by PECR and UK GDPR (legal basis: consent or soft opt-in for existing customers; you may opt out at any time).
Security, fraud prevention, debugging, and protecting rights and property (legal basis: legitimate interests and/or legal obligation).
Compliance with legal and regulatory obligations and responding to lawful requests (legal basis: legal obligation).
Processing special category data you provide (legal basis: explicit consent, or other conditions as permitted by law).

Cookies and Similar Technologies

We use cookies and similar technologies to operate the Website, remember your preferences, analyse usage, and, where applicable, support marketing. Under PECR, we will seek your consent for non-essential cookies. You can manage your choices via our cookie banner or through your browser settings. Disabling certain cookies may affect site functionality.

Strictly necessary cookies: required for core functionality (no consent required).
Performance/analytics cookies: help us understand how the Website is used (consent-based).
Functional cookies: remember preferences and enhance features (consent-based where not strictly necessary).
Advertising/targeting cookies: used, if applicable, to deliver and measure ads (consent-based).

You may withdraw cookie consent at any time via the cookie settings available on the Website. Browser controls can also block or delete cookies, but this may limit your experience.

Disclosures and Recipients of Personal Data

We may share personal data with:

Service providers acting as processors (e.g., hosting, email delivery, analytics, security, support) under written contracts and subject to confidentiality and security obligations.
Professional advisers (e.g., legal, compliance, accounting) under duties of confidentiality.
Authorities and regulators where required by law or to protect rights, safety, or property.
Business transferees in connection with a merger, acquisition, restructuring, or sale of assets, in which case safeguards will be applied and you will be notified where required by law.

We do not sell your personal data.

International Data Transfers

Where personal data is transferred outside the UK (and, if applicable, the EEA), we will ensure appropriate safeguards are in place, such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses, and supplementary security measures as needed. You may contact us for more information about these safeguards.

Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, including to meet legal, regulatory, accounting, or reporting requirements. Retention periods are determined by the nature of the data and our purposes for processing. We will anonymise or securely delete data when it is no longer needed. If you withdraw consent or request erasure, we will delete your data unless we must retain it for legal obligations or to establish, exercise, or defend legal claims.

Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. No internet transmission or storage system can be guaranteed to be 100% secure; we regularly review and improve our safeguards.

Your Rights Under UK Data Protection Law

Subject to conditions and exemptions in the UK GDPR and the Data Protection Act 2018, you have the following rights:

Right of access: obtain confirmation and a copy of your personal data.
Right to rectification: have inaccurate or incomplete data corrected.
Right to erasure: request deletion of your personal data in certain circumstances.
Right to restriction: request we limit processing in certain cases.
Right to data portability: receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
Right to object: object to processing based on legitimate interests, and to direct marketing at any time.
Rights related to consent: withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
Rights relating to automated decision-making: the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. We do not engage in such decision-making.

How to Exercise Your Rights

To exercise your rights or make a privacy-related request, contact us at [email protected]. We will respond without undue delay and within one month, subject to permitted extensions for complex requests. We may need to verify your identity before acting on your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your rights have been infringed. We encourage you to contact us first so we can address your concerns.

Direct Marketing

We may send you marketing communications where permitted by PECR and UK GDPR, including with your consent or under the soft opt-in for existing customers. You can opt out at any time by using the unsubscribe link in our emails or by contacting us at [email protected]. We will not send marketing messages after you opt out, though we may still send service or transactional communications.

Children's Privacy

Our Website is intended for a general audience and is not directed to children. If you are under 16, please do not submit personal data without consent from a parent or guardian. If we learn we have collected personal data from a child contrary to law, we will delete it promptly.

Third-Party Links and Services

The Website may contain links to third-party websites, content, or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy notices before providing personal data.

Automated Decision-Making and Profiling

We do not perform automated decision-making that produces legal or similarly significant effects. We may use limited profiling (e.g., analytics or content personalisation) to improve the Website and user experience, based on your consent for non-essential cookies and our legitimate interests.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, guidance, or our practices. The updated version will be indicated by an updated "Last updated" date and will be effective when posted. Where required by law, we will notify you of material changes and, if necessary, request your consent.

Last updated: 18 September 2025.