We collect, use and are responsible for certain personal information about you. When we do so we are subject to the UK’s Data Protection Act, its Privacy and Electronic Communications Regulations (PECR) and the General Data Protection Regulation, which applies across the European Union. We are responsible as ‘controller’ of that personal information for the purposes of those laws.
We have an up-to-date registration for the NHS Data Security and Protection Security Toolkit.
We operate an ISO27001-aligned Information Security Management System.
We, us, our
Phlo Technologies Ltd., a company incorporated in Scotland under company number SC496769 whose registered address is C/O Gillespie & Anderson, 147 Bath Street, Glasgow G2 4SN.
Our data protection officer
Email: [email protected]
Any information relating to an identified or identifiable individual.
Special category personal information
Personal information revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership.
Genetic and biometric data.
Data concerning health, sex life or sexual orientation.
Personal information we collect about you
We may collect and use the following personal information about you:
your name and contact information, including postal address, email address and telephone number;
information to enable us to check and verify your identity, e.g. your date of birth, scanned images of your exemption certificates, driving licence or passport;
your gender information;
your NHS number;
information about your medicines, and the medicines you have been prescribed currently and in the past;
your billing information, transaction and payment card information;
your contact history, purchase history and saved items;
information about how you use our website, information technology (IT), communication and other systems; and
your responses to surveys, competitions and promotions.
Personal information is required to provide our services to you. If you do not provide personal information we ask for, it may delay or prevent us from providing services to you.
How your personal information is collected
We collect most of this personal information directly from you—in person, by telephone, text or email and/or via our website and apps. However, we may also collect information:
from a third party with your consent, e.g. your General Practitioner or the NHS Spine system, which is the main database of your medical history with the NHS;
via our IT systems, e.g. automated monitoring of our websites and other technical systems, such as our computer networks and connections.
How and why we use your personal information
Under data protection laws, we can only use your personal information if we have a proper reason for doing so, e.g.:
to comply with our legal and regulatory obligations;
for the performance of our contract with you or to take steps at your request before entering into a contract;
for our legitimate interests or those of a third party; or
where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The table below explains what we use (process) your personal information for and our reasons for doing so:
Testing our platform
We anonymise your data and use it to test our platform. The anonymised data remains in the same secure environment as your real data.
When you register with Phlo, request that your password is reset, request that we fulfil your prescriptions or when you place an order for your prescription, we will send notification emails to your registered email address to fulfil our service obligations.
When you place an order for your prescription, you will also receive email notifications about its delivery from our partner, Gophr.
Special Category Personal Data
"Special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.
We will collect information about your health, including any medical condition, medication or health and/or sickness records. This data is special category data.
Special protection is given to this special category of personal data. We use this special category personal data primarily to comply with our legal obligations (including verifying your identity and ensuring that the correct medicines are dispensed to you).
We handle your special category data with extra care. For example, we will not provide special category data to our delivery drivers.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
NHS Personal Demographics Service (PDS)
If you are not a patient accessing our service using your NHS login details, your NHS number is accessed through an NHS Digital service called the Personal Demographics Service (PDS). We send basic information such as your name, address and date of birth to the PDS in order to find your NHS Number. Once retrieved from the PDS the NHS Number is stored in our patient management system. Your NHS number is used as a unique patient identifier to connect your Phlo patient record with your patient record in other healthcare systems.
We also use the PDS to track your NHS nominated pharmacy. We will notify you if your nominated pharmacy changes to another pharmacy and Phlo will no longer receive your EPS prescriptions. You will have the ability to renominate Phlo as your pharmacy of choice at any time.
You control how we use your data
Phlo operates its Consent Management System so that our registered and verified customers can control how their data is used. This functionality is found in the Settings section of your account’s home page.
You can tell us how you want data used by setting the tick boxes to match your preferences. When you first create your account, your data preferences and marketing preferences are not ticked, meaning that you are opted out of each of the preferences. Your preferences are respected in subsequent processing activities.
In the case that Phlo has a legitimate business interest to process customer data this will take precedence over the provided data preferences.
We may use your personal information to send you updates by email about our services, including exclusive offers, promotions or new services.
We have a legitimate interest in processing your personal information for operational purposes.
We request your consent by accepting our cookie notices and if a registered customer, using our consent management system, for us to process your data for statistical, analytical, marketing and promotional purposes (see above ‘How and why we use your personal information’).
You have the right to opt-out of receiving promotional communications at any time by:
contacting us at [email protected]
We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.
Who we share your personal information with
We routinely share personal information with third parties to provide Phlo's services. These third parties are detailed below along with how they use information provided to the,.
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you.
Financial Services Providers
Processing financial transactions.
Checkout Ltd, 54 Portland Place, London, W1B 1DY, United Kingdom.
Our financial transaction management host, Xero (UK) Ltd, Bank House, 171 Midsummer Boulevard, Milton Keynes, MK9 1EB and our bank, Shawbrook Bank, Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex CM13 3BE.
Our financial accountants, Gillespie & Anderson, 147 Bath St, Glasgow G2 4SN and advisers Johnston Carmichael at 227 W George St, Glasgow G2 2ND.
Third parties approved by you, e.g. third-party payment providers such as your bank, which may request that you approve payment to us.
Logistics and Delivery Partners
Gophr Ltd, PO Box 501, The Nexus Building Broadway, Letchworth Garden City, Herfordshire, SG6 9BL.
Royal Mail, 100 Victoria Embankment, London, EC4Y 0HQ.
DPDgroup UK Ltd, Roebuck Lane, B66 1BY
Packfleet Ltd, 14 - 16 Verney Road, London, England, SE16 3DH
Despatch Cloud Ltd, Unit 76 Warfield Road, Kellythorpe Industrial Estate, Driffield, England, YO25 9FQ.
IDDQD Limited (Ideal postcodes), International House, 24 Holborn Viaduct, London EC1A 2BN.
Hosting newsletter subscriptions.
Webflow Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103.
Web Analytics Partners
Tracking and reporting on web traffic.
Google (Google Analytics) operates from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Hotjar Ltd (Hotjar), Dragonara Business Centre5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta.
Tracking visits to Phlo. Building lookalike audiences to promote Phlo's services to other people.
Google (Google Ads) operates from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Facebook Ireland, 4 Grand Canal Square, Dublin, Ireland Dublin 2.
LinkedIn Ireland, Wilton Place, Dublin, Ireland.
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland.
YouTube is a subsidiary of Google with offices at Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin 4, Ireland.
Taboola Inc, 16 Madison Square West, 7th Floor, New York, New York 10010.
Making the Phlo app available.
Our application services are hosted on Google Cloud Platform operated by Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin 4, Ireland.
We use CloudFlare services operated by Cloudflare, Inc., located at 101 Townsend St., San Francisco, California 94107 to route network traffic.
We use Apple Inc. services, 10955 N Tantau Ave, Cupertino, CA 95014, United States, to provide mobile app services.
Postmark operated by AC PM LLC, 1 North Dearborn St, 5th Floor Chicago, IL 60602 to send transactional emails.
Twilio operated by Twilio, Inc. 375 Beale Street, Suite 300, San Francisco, CA 94105, USA to send transactional SMS.
We use Intercom operated by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland, to provide real-time messaging services.
Active Campaign operated by AC PM LLC, 1 North Dearborn St, 5th Floor Chicago, IL 60602 to send email campaigns.
3CX, 4010 Boy Scout Boulevard, Suite 325 33607, Tampa, Florida USA to handle telephone communications.
Zoho Corporation Pvt. Ltd (Zoho Desk), PLOT No. 140,151, GST ROAD, ESTANCIA IT PARK,VALLANCHERY, GUDUVANCHERY(POST) KANCHEEPURAM TN 603202 IN to handle support emails
Trustpilot A/S, Pilestræde 58, 5th floor, 1112 Copenhagen K, Denmark to provide review services.
Healthcare Service Providers
Providing Phlo's pharmacy services.
Patient Medication Record - Invatech Health, 442-450 Stapleton Rd, Easton, Bristol BS5 6NR. System data resides in two locations (1) Phlo Technologies London Pharmacy at Containerville, Unit 13, 35 Corbridge Crescent, London, E2 9EZ and (2) data centres in the Republic of Ireland operated by Amazon Web Services, One Burlington Plaza, Burlington Road, Dublin 4, Ireland.
Regulators and Legal Advisers
Complying with our legal and regulatory obligations.
Our legal advisers, Addleshaw Goddard, Exchange Tower, 19 Canning St, Edinburgh EH3 8EH.
Our regulators, the General Pharmaceutical Council at 25 Canada Square, Canary Wharf, London E14 5LQ and the Information Commissioners Office at Wycliffe House, Water Lane, Wilmslow SK9 5AF.
NHS England (known formally as the NHS Commissioning Board) and reachable at NHS England, PO Box 16738, Redditch, B97 9PT.
External auditors as appropriate, e.g. in relation to ISO or Investors in People accreditation processes and the audit of our accounts.
Law enforcement agencies and regulatory bodies as appropriate.
Other Commercial Partners
Third parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, personal information will be redacted but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
Consumers of our data insights. The data that we collect from you through our applications and systems can help others. We want to share patterns of information on what medicines people take, when, where and for how long. The way in which we do this is by collating data, then removing personal information (names, postal addresses, email addresses, NHS numbers). We analyse the remaining data to identify insights and behaviours so that we can contribute with others to the development of medicines and how treatments are marketed and made available to people. This data can be sold to or shared with to government departments, healthcare professional bodies, the pharmaceutical industry and organisations who want to understand how medicines are used in the real world. Using our consent management functionality, you can tell us that you are comfortable with your medical data being used this way.
Where your personal information is held
Information may be held at our offices and those of our pharmacy, third-party system providers and agencies, service providers, representatives and agents as described above (see above: ‘Who we share your personal information with’). Your data is hosted in our pharmacy premises and offices in the United Kingdom and at data centre facilities in the United Kingdom and in the Republic of Ireland, except for Intercom, Webflow and Postmark services, which are hosted in the United States of America under the EU-US Privacy Shield framework.
How long your personal information will be kept
We will keep your personal information while you have an account with us or we are providing services to you. Thereafter, we will retain your personal information:
to respond to any questions, complaints or claims made by you or on your behalf;
to show that we treated you fairly; and
to keep records required by law.
We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information.
To navigate data retention requires us to define the roles people can have when using Phlo’s applications and systems. We call these Data Subject roles:
PhloApp Users: people who have begun Phlo’s application registration process but not completed it, or an application that has not been verified by our pharmacy team.
PhloApp Customers: people who have completed Phlo’s application registration process and have a Phlo account that has been verified by our pharmacy team. Customers can be thought of as fully registered and verified Users.
Active Customers are people who are customers and used the Phlo service at least once in the last 365 days, or who have an account with Phlo and have opened or interacted with Phlo's marketing emails at least once in the last 365 days.
Lapsed Customers are people who have not logged into their Phlo account for more than 1095 days or have not opened a marketing email in the same timescale.
Workphlo Users: Phlo employees or contract staff who have logged into our internal WorkPhlo application.
Phlo’s data retention periods across its systems are:
Why we retain data
For analysis of data to define, target and refine marketing segments and campaigns, and to recognise previous visits and interactions.
For analysis of data to define, target and refine marketing segments and campaigns, and to recognise previous visits and interactions.
To fulfil service obligations.
Date stamp of last system interaction + 1095 days or date last opened email + 1095 days.
To fulfil obligations should the Customer use the service again.
Up to 30 years
Operational logs and data must be stored to support regulatory auditing processes
Data retention periods are enforced using automated housekeeping jobs with manual oversight. Transactional data, such as prescription orders and financial payment records, will be retained for as long as needed.
If a patient hasn’t already invoked their Right To Be Forgotten under Data Protection Act 2018, and if they fall into one of the data retention appropriate rulesets, then their data is deleted.
You have the following rights, which you can exercise free of charge:
For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the Data Protection Act.
If you would like to exercise any of those rights, please:
email, call or write to us - see below: ‘How to contact us’; and
let us have enough information to identify you (eg your full name, address and user or reference number);
let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
let us know what right you want to exercise and the information to which your request relates.
Keeping your personal information secure
We have appropriate security measures to prevent personal information from being accidentally lost or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
How to complain
We hope that we can resolve any query or concern you may raise about our use of your information.
Should you be unable to resolve directly with us, the Data Protection Act gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted directly at https://ico.org.uk/concerns or telephone: 0303 123 1113.
This privacy notice was updated on 18th January 2022.
How to contact us
Our contact details are:
Address: Phlo Technologies Ltd, Clockwise Offices, 77 Renfrew St, G2 3BZ.
Registered office at c/o Gillespie & Anderson, 147 Bath Street, Glasgow, G2 4SN.
Email: [email protected]
Telephone: 0141 255 0751