GDPR & Data Rights
Last updated: 29 April 2026
1. Your Data Rights
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you. Available instantly via Account > Export My Data.
Right to Rectification
Correct any inaccurate personal data. Update your profile directly in your account settings.
Right to Erasure
Request deletion of your personal data. Available via Account > Delete My Account. Data is anonymised within 30 days.
Right to Portability
Export your data in a machine-readable format (CSV, JSON). One-click export from your account.
Right to Object
Object to processing based on legitimate interests. Contact privacy@pharmacyonestop.co.uk.
Right to Restrict Processing
Request that we limit how we use your data while a complaint is being investigated.
Right to Withdraw Consent
Withdraw marketing consent at any time. Toggle in Account > Profile > Notification Preferences.
Right Not to Be Subject to Automated Decisions
All clinical decisions are made by qualified human pharmacists/prescribers, never by algorithms alone.
2. How to Exercise Your Rights
Self-Service (Instant)
- Export data: Login > Account > Profile > Export My Data
- Delete account: Login > Account > Profile > Delete My Account
- Update profile: Login > Account > Profile
- Marketing opt-out: Login > Account > Profile > Notification Preferences
By Request
For requests that cannot be handled via self-service, email privacy@pharmacyonestop.co.uk with:
- Your full name and email address associated with your account
- A description of what you are requesting
- Proof of identity (to prevent unauthorised access to your data)
We will respond within 30 calendar days as required by UK GDPR.
3. Data Processing Activities
We maintain a Record of Processing Activities (ROPA) as required by Article 30 of UK GDPR. Key processing activities include:
| Activity | Data Subjects | Legal Basis | Retention |
|---|---|---|---|
| Platform account management | All users | Contract | Active + 30 days |
| Clinical consultations | Patients | Legal obligation | 8 years |
| Identity verification | Online patients | Legal obligation | 12 months |
| Payment processing | Patients, tenants | Contract | 7 years (HMRC) |
| Marketing communications | Opted-in users | Consent | Until withdrawn |
| Audit logging | All users | Legitimate interest | 7 years |
4. Data Protection Impact Assessments
We conduct DPIAs for high-risk processing activities, including:
- Processing of special category health data (clinical consultations)
- Identity verification with biometric liveness checks
- Automated processing of medical questionnaires
5. International Transfers
All personal data is stored in UK-based data centres (AWS eu-west-2, London). We do not transfer personal data outside the UK except where necessary for service delivery (e.g., Stripe processes payments in the EEA under adequate UK GDPR safeguards).
6. Data Breach Notification
In the event of a personal data breach:
- We will notify the ICO within 72 hours if the breach is likely to result in a risk to individuals.
- We will notify affected individuals without undue delay if the breach is likely to result in a high risk.
- We maintain a breach register and conduct post-incident reviews.
7. Data Protection Officer
Email: dpo@pharmacyonestop.co.uk
Our DPO oversees compliance with UK GDPR, handles data subject requests, and advises on data protection impact assessments.
8. Supervisory Authority
The UK's supervisory authority for data protection is the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
For the full privacy policy, see our Privacy Policy.