Privacy notice
1. Who we are
Hyde Park Pharmacy is a trading name of Pharmacareuk Ltd, a company registered in England and Wales. We operate as a community pharmacy from 22-24 Woodsley Road, Leeds LS3 1DT.
- Data controller: Pharmacareuk Ltd
- Superintendent pharmacist: Shoyab Umarji (GPhC registration #2065619)
- Pharmacy premises registration: General Pharmaceutical Council #9011727
- Information Commissioner's Office (ICO) registration: Z334106X (current to 5 September 2026)
- Contact for privacy questions: pharmacy.fh186@nhs.net · 0113 244 1551
We are regulated by the General Pharmaceutical Council (GPhC), which sets the professional standards we work to. You can verify our registration on the GPhC public register at pharmacyregulation.org/registers.
2. What information we collect
Information you give us directly
- Identity and contact details — name, date of birth, address, postcode, phone number, email address.
- Order details — products you've added to your basket, delivery preferences, billing address.
- Health information you provide on questionnaires for pharmacy ("P") medicines, weight-management consultations, travel-clinic assessments, or any other consultation service — including symptoms, conditions, current medicines, allergies, lifestyle factors, BMI where relevant.
- NHS number if you provide it for NHS services (repeat prescriptions, New Medicine Service, Pharmacy First, etc.).
- Communication — what you tell us in messages, calls, WhatsApp, in the pharmacy.
Information we generate as part of your care
- Pharmacist's clinical review notes, decisions, recommendations.
- Records of medicines supplied, including batch numbers and expiry where required.
- Records of NHS service interactions (NMS counselling, BP readings, Pharmacy First consultations).
- Outcome of safety checks (e.g. reasons for refusing a supply, signposting to GP).
Information from third parties
- NHS systems — your prescription details from EPS (Electronic Prescription Service), your Summary Care Record (only with your consent and only when needed for your care).
- Your GP — clinical information shared for the purpose of your treatment.
- Stripe (payment processor) — confirmation of payments received. We do not receive your full card number; Stripe handles that on its PCI-DSS-certified systems.
3. Why we use your information, and the legal basis
Under UK GDPR we must have a lawful basis to process your personal data. For health (special-category) data we must also have an Article 9 condition. Here's how that maps to what we actually do:
- To dispense NHS prescriptions and provide NHS services — legal obligation (NHS Pharmaceutical Services contract, Human Medicines Regulations 2012) and provision of health care (Article 9(2)(h)).
- To process online orders for pharmacy / GSL medicines — contract with you (to fulfil your order) and, for any health questions on the questionnaire, provision of health care (Article 9(2)(h)).
- To run private consultations (travel clinic, weight management, vaccinations, blood tests, etc.) — contract with you and provision of health care.
- To meet our regulatory duties as a registered pharmacy — legal obligation (GPhC standards, MHRA, Human Medicines Regulations).
- To prevent fraud, misuse of medicines, and to safeguard people at risk — legitimate interests (medicine safety and safeguarding) and, where health data is involved, public health (Article 9(2)(i)) or vital interests.
- To process payments — contract with you.
- To send you transactional messages (order received, Stripe Payment Link, dispatch confirmation, repeat-prescription ready) — contract with you.
- To send you marketing (newsletters, health updates, service offers) — consent. You can withdraw at any time using the unsubscribe link in any marketing email.
- To improve our service via anonymous analytics — legitimate interests; see section 8.
4. Who we share your information with
We only share your information with people who genuinely need it for your care, our regulatory duties, or to fulfil your order. We never sell your personal data.
- Your GP and other NHS services — when needed for safe continuation of care, with your consent where required.
- NHS Business Services Authority (NHSBSA) — for processing NHS prescriptions and claiming reimbursement (legal obligation).
- Other pharmacy professionals who form part of your care team (e.g. specialist clinical pharmacist for a referred consultation).
- Royal Mail / parcel couriers — name and delivery address only, to deliver your parcel.
- Stripe (Stripe Payments UK, Ltd) — to process card payments. Stripe has its own privacy notice at stripe.com/gb/privacy.
- Order-submission service (Formspree, Inc.) — to deliver your submitted order to our pharmacy inbox while our backend is being built. Formspree's privacy notice: formspree.io/legal/privacy-policy. We will migrate to our own UK-hosted backend in due course.
- Email and SMS providers (e.g. NHSmail for clinical correspondence) — to send transactional messages to you.
- Regulators and law enforcement — the GPhC, MHRA, CQC, ICO, NHS England, the police, or the coroner — where legally required (e.g. controlled-drugs reporting, a court order, safeguarding referral).
- Our professional advisers — accountants, indemnity insurer (currently NPA), solicitors — where strictly necessary and under confidentiality obligations.
5. How long we keep your information
Pharmacy records have statutory minimum retention periods. Where the law sets a minimum, we apply that; where it doesn't, we apply pharmacy-sector good practice from the NHS Records Management Code of Practice.
- Prescription records (NHS and private) — at least 2 years from the date of dispensing, in line with Human Medicines Regulations 2012 and the NHS Records Management Code.
- Controlled drugs records — at least 7 years.
- Pharmacy First / NMS / DMS / clinical-consultation records — at least 8 years from the last contact (or until age 25 if the patient was under 18 at last contact), in line with NHS Records Management Code.
- Order and transactional records — 6 years for HMRC and consumer-rights purposes.
- Marketing preferences and consent records — for as long as you remain subscribed, plus a short period to evidence withdrawal.
- Website analytics — anonymised data retained for up to 14 months (then automatically deleted by Google Analytics).
- CCTV in the pharmacy — 30 days, unless required for an investigation.
After the retention period ends, your information is either securely destroyed or fully anonymised so that it can no longer be linked to you.
6. How we protect your information
- Pharmacy clinical systems are accessed only by registered pharmacy professionals and trained staff, under a duty of confidentiality.
- NHSmail is used for clinical correspondence and is end-to-end secured to NHS Digital standards.
- Card payment data never touches our systems — Stripe handles card numbers on PCI-DSS-certified infrastructure.
- The website uses HTTPS (TLS) end-to-end.
- Paper records (where any exist) are stored in a locked area accessible only to authorised staff.
- We carry out regular staff training on confidentiality and information security.
- We notify the ICO within 72 hours of becoming aware of any personal-data breach that poses a risk to you.
7. Your rights under UK GDPR
You have the following rights over your personal data. We'll respond to any request within one calendar month (extendable to three months for complex requests, with notice to you).
| Right | What it means in practice |
|---|---|
| Access | Ask for a copy of the personal data we hold about you. Free of charge for the first request. |
| Rectification | Ask us to correct anything that's inaccurate or incomplete. |
| Erasure ("right to be forgotten") | Ask us to delete data. Note: we can't erase records we're legally required to keep (e.g. dispensing records, controlled-drug records). We'll explain what we can and can't delete. |
| Restriction | Ask us to pause processing while a query is resolved (e.g. while we check accuracy). |
| Portability | Receive a copy of certain data in a machine-readable format, or have it sent to another service. |
| Object | Object to processing based on legitimate interests, including direct marketing. |
| Withdraw consent | Where we rely on consent (e.g. marketing), withdraw it at any time. Withdrawal doesn't affect the lawfulness of processing carried out before withdrawal. |
| Complain to the ICO | If you're unhappy with how we've handled your data, raise it with us first — but you can always complain to the Information Commissioner's Office. See section 12. |
To exercise any of these rights: email pharmacy.fh186@nhs.net or write to Pharmacareuk Ltd, 22-24 Woodsley Road, Leeds LS3 1DT. We may need to verify your identity before responding to certain requests, to protect your information.
8. Cookies and analytics
We use only essential and functional cookies on this website. Specifically:
- Cart cookie (`hpp_cart_v1`) — a localStorage entry that holds your basket between visits. Removed when you clear browser data or after 90 days of inactivity.
- Last-order reference (`hpp_last_order_id`) — used only to display your reference on the order-confirmation page.
- Analytics — we use Google Analytics 4 with IP anonymisation enabled and ad personalisation disabled. We do not use Analytics for any individual profiling or advertising. You can opt out at any time using the Google Analytics opt-out browser add-on.
We do not use advertising trackers, social-media pixels, or behavioural advertising cookies. See our full cookies notice for the technical detail.
9. Children and young people
Our online shop and consultations are intended for adults (16+). Children's medicines that we sell are intended to be bought by a parent or carer on behalf of a child. Where a service has a stricter age limit (e.g. some P-medicines require the user to be 18+), this is enforced via the questionnaire.
NHS services (e.g. Pharmacy Contraception Service, Pharmacy First) follow their own NHS-defined eligibility, which may include young people under 16 with appropriate consent and Gillick-competence assessment by the pharmacist.
10. International transfers
We aim to keep your data in the UK and EEA. Where a third-party service (e.g. Stripe) processes some data outside the UK/EEA, transfers are made under the UK International Data Transfer Agreement or the EU Standard Contractual Clauses plus a UK addendum, both recognised by the ICO. We do not transfer data to jurisdictions without adequate protection.
11. Changes to this notice
If we change this notice, we'll update the "Last updated" date at the top. For material changes that affect how we use your data, we'll notify you directly (by email if we have one on file) and, where appropriate, ask for your consent again. Previous versions are kept on file and can be requested.
12. Contact us / complaints
For privacy questions, subject-access requests, or to exercise any of your rights:
- Email: pharmacy.fh186@nhs.net
- Phone: 0113 244 1551
- Post: Privacy Lead, Pharmacareuk Ltd, 22-24 Woodsley Road, Leeds LS3 1DT
For complaints about how we've handled your data:
Please raise the complaint with us first — we'll always try to resolve it. If you're not satisfied, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
For complaints about pharmacy services or professional conduct:
You can raise concerns with the General Pharmaceutical Council (GPhC) at pharmacyregulation.org/raising-concerns.
This notice is intended to be written in plain English. The legal terms behind it are: UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), the Human Medicines Regulations 2012, and the standards published by the General Pharmaceutical Council. If you'd like a copy of any internal policy referenced here (data-retention schedule, breach plan, etc.), please ask.