We collect, use and are responsible for certain personal information about you. When we do so we are subject to the UK’s Data Protection Act, its Privacy and Electronic Communications Regulations (PECR) and the General Data Protection Regulation, which applies across the European Union. We are responsible as ‘controller’ of that personal information for the purposes of those laws.
We have an up-to-date registration for the NHS Data Security and Protection Security Toolkit.
We operate an ISO27001-aligned Information Security Management System.
Personal information we collect about you
We may collect and use the following personal information about you:
your name and contact information, including postal address, email address and telephone number;
information to enable us to check and verify your identity, e.g. your date of birth, scanned images of your exemption certificates, driving licence or passport;
your gender information;
your NHS number;
information about your medicines, and the medicines you have been prescribed currently and in the past;
your billing information, transaction and payment card information;
your contact history, purchase history and saved items;
information about how you use our website, information technology (IT), communication and other systems; and
your responses to surveys, competitions and promotions.
Personal information is required to provide our services to you. If you do not provide personal information we ask for, it may delay or prevent us from providing services to you.
How your personal information is collected
We collect most of this personal information directly from you—in person, by telephone, text or email and/or via our website and apps. However, we may also collect information:
from a third party with your consent, e.g. your General Practitioner or the NHS Spine system, which is the main database of your medical history with the NHS;
via our IT systems, e.g. automated monitoring of our websites and other technical systems, such as our computer networks and connections.
How and why we use your personal information
Under data protection laws, we can only use your personal information if we have a proper reason for doing so, e.g.:
to comply with our legal and regulatory obligations;
for the performance of our contract with you or to take steps at your request before entering into a contract;
for our legitimate interests or those of a third party; or
where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The table below explains what we use (process) your personal information for and our reasons for doing so:
When you register with Phlo, request that your password is reset, request that we fulfil your prescriptions or when you place an order for your prescription, we will send notification emails to your registered email address to fulfil our service obligations.
When you place an order for your prescription, you will also receive email notifications about its delivery from our partner, Gophr.
Special Category Personal Data
"Special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.
We will collect information about your health, including any medical condition, medication or health and/or sickness records. This data is special category data.
Special protection is given to this special category of personal data. We use this special category personal data primarily to comply with our legal obligations (including verifying your identity and ensuring that the correct medicines are dispensed to you).
We handle your special category data with extra care. For example, we will not provide special category data to our delivery drivers.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
You control how we use your data
Phlo operates its Consent Management System so that our registered and verified customers can control how their data is used. This functionality is found in the Settings section of your account’s home page.
You can tell us how you want data used by setting the tick boxes to match your preferences. When you first create your account, your data preferences and marketing preferences are not ticked, meaning that you are opted out of each of the preferences. Your preferences are respected in subsequent processing activities.
It is Phlo's legitimate business interest to analyse and enrich its customer data to improve its performance and operations. This includes commissioning third parties such as analytics, marketing, logistics and operations partners to work on Phlo's datasets.
We may use your personal information to send you updates by email about our services, including exclusive offers, promotions or new services.
We have a legitimate interest in processing your personal information for operational purposes.
We request your consent by accepting our cookie notices and if a registered customer, using our consent management system, for us to process your data for statistical, analytical, marketing and promotional purposes (see above ‘How and why we use your personal information’).
You have the right to opt-out of receiving promotional communications at any time by:
contacting us at [email protected]
We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.
Who we share your personal information with
We routinely share personal information with:
third parties we use to help deliver your orders to you, e.g. our payment service provider and delivery company;
Our payment services providers are:
Checkout Ltd, 54 Portland Place, London, W1B 1DY, United Kingdom.
Worldpay (UK) Limited, The Walbrook Building, 25 Walbrook, London, EC4N 8AF, United Kindgdom.
Our logistics and delivery partners are:
Gophr Ltd, PO Box 501, The Nexus Building Broadway, Letchworth Garden City, Herfordshire, SG6 9BL.
Royal Mail, 100 Victoria Embankment, London, EC4Y 0HQ.
UPS, Forest Road, Feltham, Middlesex, TW13 7DY
DPDgroup UK Ltd, Roebuck Lane, B66 1BY
DX UK, Ditton Park Riding Court Road Datchet Slough SL3 9LL
Our IT and Network management partner is:
Digital Orchard IT, 10 York Place, Edinburgh, EH1 3EP
Other third parties we use to help us run our business, e.g. website hosts:
Our marketing web site and newsletter subscription database is hosted by Webflow Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103.
Our web analytics partner, Google (for Google Analytics) operates from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Our online marketing partners use their systems to record you clicking on our adverts on their sites, leaving their domains and arriving at Phlo’s:
Facebook Ireland, 4 Grand Canal Square, Dublin, Ireland Dublin 2.
LinkedIn Ireland, Wilton Place, Dublin, Ireland.
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland.
YouTube is a subsidiary of Google with offices at Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin 4, Ireland.
Taboola Inc, 16 Madison Square West, 7th Floor, New York, New York 10010.
Our application services are hosted on Google Cloud Platform operated by Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin 4, Ireland.
We use CloudFlare services operated by Cloudflare, Inc., located at 101 Townsend St., San Francisco, California 94107 to route network traffic.
We use Apple Inc. services, 10955 N Tantau Ave, Cupertino, CA 95014, United States, to provide mobile app services.
We use Postmark operated by WildBit, 225 Chestnut Street, Philadelphia, PA, 19106 to send transactional emails.
We use Intercom operated by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland, to provide real-time messaging services.
We use Trulioo Information Services Inc., 1200-1055 West Hastings Street, Vancouver, BC V6E 2E9, Canada to verify identity data.
We use Trustpilot A/S, Pilestræde 58, 5th floor, 1112 Copenhagen K, Denmark to provide review services.
We use Patient Medication Record systems provided by:
Invatech Health, 442-450 Stapleton Rd, Easton, Bristol BS5 6NR. System data resides in two locations (1) Phlo Technologies London Pharmacy at Containerville, Unit 13, 35 Corbridge Crescent, London, E2 9EZ and (2) data centres in the Republic of Ireland operated by Amazon Web Services, One Burlington Plaza, Burlington Road, Dublin 4, Ireland.
Third parties approved by you, e.g. third-party payment providers such as your bank, which may request that you approve payment to us.
Our financial transaction management host, Xero (UK) Ltd, Bank House, 171 Midsummer Boulevard, Milton Keynes, MK9 1EB and our bank, Shawbrook Bank, Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex CM13 3BE.
Our financial accountants, Gillespie & Anderson, 147 Bath St, Glasgow G2 4SN and advisers Johnston Carmichael at 227 W George St, Glasgow G2 2ND.
Our legal advisers, Addleshaw Goddard, Exchange Tower, 19 Canning St, Edinburgh EH3 8EH.
Our regulators, the General Pharmaceutical Council at 25 Canada Square, Canary Wharf, London E14 5LQ and the Information Commissioners Office at Wycliffe House, Water Lane, Wilmslow SK9 5AF.
NHS England (known formally as the NHS Commissioning Board) and reachable at NHS England, PO Box 16738, Redditch, B97 9PT.
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g. in relation to ISO or Investors in People accreditation processes and the audit of our accounts.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
The data that we collect from you through our applications and systems can help others. We want to share patterns of information on what medicines people take, when, where and for how long. The way in which we do this is by collating data, then removing personal information (names, postal addresses, email addresses, NHS numbers). We analyse the remaining data to identify insights and behaviours so that we can contribute with others to the development of medicines and how treatments are marketed and made available to people. This data can be sold to or shared with to government departments, healthcare professional bodies, the pharmaceutical industry and organisations who want to understand how medicines are used in the real world. Using our consent management functionality, you can tell us that you are comfortable with your medical data being used this way.
We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, personal information will be redacted but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
Where your personal information is held
Information may be held at our offices and those of our pharmacy, third-party system providers and agencies, service providers, representatives and agents as described above (see above: ‘Who we share your personal information with’). Your data is hosted in our pharmacy premises and offices in the United Kingdom and at data centre facilities in the United Kingdom and in the Republic of Ireland, except for Intercom, Webflow and Postmark services, which are hosted in the United States of America under the EU-US Privacy Shield framework.
How long your personal information will be kept
We will keep your personal information while you have an account with us or we are providing services to you. Thereafter, we will retain your personal information:
to respond to any questions, complaints or claims made by you or on your behalf;
to show that we treated you fairly; and
to keep records required by law.
We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information.
To navigate data retention requires us to define the roles people can have when using Phlo’s applications and systems. We call these Data Subject roles:
PhloApp Users: people who have begun Phlo’s application registration process but not completed it, or an application that has not been verified by our pharmacy team.
PhloApp Customers: people who have completed Phlo’s application registration process and have a Phlo account that has been verified by our pharmacy team. Customers can be thought of as fully registered and verified Users.
Active Customers are people who are customers and used the Phlo service at least once in the last 365 days, or who have an account with Phlo and have opened or interacted with Phlo's marketing emails at least once in the last 365 days.
Lapsed Customers are people who have not logged into their Phlo account for more than 1095 days or have not opened a marketing email in the same timescale.
Workphlo Users: Phlo employees or contract staff who have logged into our internal WorkPhlo application.
Phlo’s data retention periods across its systems are:
Data retention periods are enforced using automated housekeeping jobs with manual oversight. Transactional data, such as prescription orders and financial payment records, will be retained for as long as needed.
If a patient hasn’t already invoked their Right To Be Forgotten under Data Protection Act 2018, and if they fall into one of the data retention appropriate rulesets, then their data is deleted.
You have the following rights, which you can exercise free of charge:
For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the Data Protection Act.
If you would like to exercise any of those rights, please:
email, call or write to us - see below: ‘How to contact us’; and
let us have enough information to identify you (eg your full name, address and user or reference number);
let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
let us know what right you want to exercise and the information to which your request relates.
Keeping your personal information secure
We have appropriate security measures to prevent personal information from being accidentally lost or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
How to complain
We hope that we can resolve any query or concern you may raise about our use of your information.
Should you be unable to resolve directly with us, the Data Protection Act gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted directly at https://ico.org.uk/concerns or telephone: 0303 123 1113.
This privacy notice was updated on 12th January 2021.
How to contact us
Our contact details are:
Address: Phlo Technologies Ltd, Clockwise Offices, 77 Renfrew St, G2 3BZ.
Registered office at c/o Gillespie & Anderson, 147 Bath Street, Glasgow, G2 4SN.
Email: [email protected]
Telephone: 0141 255 0751