Privacy Policy

Last updated: 29 April 2026

1. Introduction

Pharmacy One Stop ("we", "our", "us") is a UK-based B2B healthcare enablement platform operated by TSP. We are committed to protecting the privacy and security of your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy explains how we collect, use, store, and share personal data when you use our platform — whether you are a pharmacy owner (tenant), pharmacy staff member, patient, or visitor.

2. Data Controller

Controller: Pharmacy One Stop (TSP)
Contact: privacy@pharmacyonestop.co.uk
Data Protection Officer: dpo@pharmacyonestop.co.uk

For patient data processed through pharmacy storefronts, the relevant pharmacy (tenant) is the data controller and Pharmacy One Stop acts as the data processor.

3. Data We Collect

3.1 Account Data

  • Name, email address, phone number
  • Pharmacy name, GPhC registration number, company details
  • Staff role, GPhC/GMC registration numbers
  • Login credentials (passwords stored as bcrypt hashes, never in plain text)

3.2 Patient Data (processed on behalf of pharmacy tenants)

  • Name, date of birth, gender, address, contact details
  • NHS number (optional), GP practice details
  • Medical questionnaire responses and clinical consultation records
  • Identity verification documents (passport, driving licence) and selfie images
  • Prescription and dispensing records
  • Payment information (processed by Stripe — we do not store card numbers)
  • Booking and order history

3.3 Technical Data

  • IP address, browser type, device information
  • Pages visited, actions taken (audit logs)
  • Cookies and similar tracking technologies

4. How We Use Your Data

Purpose | Legal Basis
Providing the platform service | Contract performance
Processing clinical consultations and prescriptions | Legitimate interests / Legal obligation (healthcare)
Identity verification for POM products | Legal obligation (MHRA requirements)
Sending booking confirmations and reminders | Contract performance
Processing payments via Stripe | Contract performance
Marketing communications (optional) | Consent
Platform improvement and analytics | Legitimate interests
Complying with GPhC, MHRA, CQC requirements | Legal obligation
Fraud prevention and security | Legitimate interests

5. Data Storage and Security

  • UK Data Residency: All production data is stored in UK-based data centres (AWS eu-west-2, London).
  • Encryption: AES-256 encryption at rest, TLS 1.2+ in transit. Field-level encryption for clinical notes and ID documents.
  • Access Control: Role-based access control (RBAC) with 10 distinct roles. MFA available for all users.
  • Audit Trail: All access to production data is logged, justified, and time-boxed.
  • Backups: Automated daily backups with 30-day retention.

6. Data Sharing

We share data only with:

  • Stripe: Payment processing (PCI DSS Level 1 certified)
  • Twilio: SMS delivery (booking reminders, order updates)
  • Onfido/Yoti: Identity verification for online POM orders
  • Courier partners: Delivery name and address only (Royal Mail, DPD, Evri)
  • AWS: Cloud infrastructure hosting (data processing agreement in place)

We do not sell personal data to third parties. We do not share patient data with GPs unless the patient explicitly consents.

7. Data Retention

  • Clinical records: Retained per GPhC/CQC requirements (typically 8 years for adults)
  • Identity verification documents: Retained for the validity window (default 12 months), then auto-purged
  • Account data: Retained while account is active + 30 days after deletion request
  • Audit logs: Retained for 7 years
  • Marketing consent records: Retained indefinitely as proof of consent

8. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of your personal data (available via Account > Export My Data)
  • Rectification: Correct inaccurate data via your profile settings
  • Erasure: Request deletion of your data (Account > Delete My Account)
  • Portability: Export your data in CSV/JSON format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw marketing consent at any time

To exercise these rights, email privacy@pharmacyonestop.co.uk or use the self-service options in your account.

9. Children

Our platform is not directed at children under 16. Patient services may be available to those 16+ depending on the clinical service and PGD requirements.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or platform notification. The "last updated" date at the top indicates the latest revision.

11. Complaints

If you have concerns about how your data is handled, please contact us at privacy@pharmacyonestop.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.