Privacy Policy

How Heaton Road Pharmacy collects, uses, and protects your personal data under UK GDPR.

Last updated: March 2026

Data Protection

Your data is processed lawfully under UK GDPR with appropriate safeguards and encryption.

Your Rights

Access, correct, delete, or restrict your personal data at any time.

Lawful Basis

We process data under consent, legitimate interest, legal obligation, or vital interests.

Contact DPO

Reach our Data Protection Officer at contact@heatonroadpharmacy.co.uk.

1. Who We Are

Heaton Road Pharmacy is operated by S K Pharmacare North East Ltd. We are a GPhC-registered community pharmacy (Registration: 9012272) providing NHS and private healthcare services from 15 Heaton Rd, Newcastle upon Tyne NE6 1SA.

We are the data controller for your personal information, meaning we determine how and why your data is processed. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Protection Officer: Mr. Sunil Kumar, Superintendent Pharmacist

Email: contact@heatonroadpharmacy.co.uk

Phone: 0191 265 0131

2. What Personal Data We Collect

We collect different categories of personal data depending on how you interact with our pharmacy and website:

Identity Data

  • Full name, title, and date of birth
  • NHS number (where provided for pharmacy services)
  • Photographic identification (where required for certain medications)

Contact Data

  • Email address and telephone number
  • Postal address and delivery address
  • Emergency contact details (where relevant to care)

Health & Medical Data

  • Prescription records and medication history
  • Consultation notes and health assessments
  • Vaccination records and travel health information
  • Weight management programme data
  • Allergy and adverse reaction information

Technical Data

  • IP address, browser type, and operating system
  • Device information and screen resolution
  • Pages visited and time spent on site

Usage & Marketing Data

  • Communication preferences and consent records
  • Newsletter subscription status
  • Feedback and survey responses

3. Lawful Basis for Processing

Under UK GDPR Article 6, we process your personal data on the following legal bases:

  • Consent (Article 6(1)(a)): For marketing communications, newsletter subscriptions, analytics cookies, and non-essential data collection. You may withdraw consent at any time.
  • Contract (Article 6(1)(b)): To fulfil pharmacy services you have requested, process orders, and manage your account on our portal.
  • Legal obligation (Article 6(1)(c)): To comply with pharmacy regulations (GPhC), NHS requirements, MHRA reporting, and tax obligations.
  • Legitimate interest (Article 6(1)(f)): To improve our services, maintain website security, prevent fraud, and respond to enquiries.
  • Vital interests (Article 6(1)(d)): In emergency situations where processing is necessary to protect someone's life.

4. How We Use Your Data

We use your personal data for the following specific purposes:

  • Pharmacy services: Dispensing prescriptions, providing consultations, managing medication records, and delivering pharmaceutical care.
  • Appointment booking: Scheduling vaccinations, ear care appointments, weight loss consultations, and Pharmacy First assessments.
  • Health consultations: Providing clinical advice, health checks, and recommending treatments based on your medical history.
  • Online services: Processing orders through our patient portal, managing your account, and fulfilling product purchases.
  • Communication: Sending appointment reminders, prescription notifications, service updates, and responding to your enquiries.
  • Marketing: Sending newsletters and promotional offers (only with your explicit consent).
  • Website improvement: Analysing usage patterns to improve our website content, navigation, and user experience.
  • Legal compliance: Maintaining records as required by the GPhC, NHS, and other regulatory bodies.

5. Health & Medical Data (Special Category Data)

Health information is classified as "special category data" under UK GDPR Article 9 and receives additional protection. We process health data only under the following conditions:

  • Explicit consent: You provide clear agreement for us to process your health information for specific purposes.
  • Healthcare purposes (Article 9(2)(h)): Processing is necessary for preventive or occupational medicine, medical diagnosis, or the provision of health care treatment under the responsibility of a health professional.
  • Vital interests: In emergencies where you cannot give consent and processing is necessary to protect your life.
  • Public health (Article 9(2)(i)): Where required for public health reasons, such as disease monitoring or reporting adverse drug reactions to the MHRA.

Pharmacy-specific safeguards: All health data is handled in accordance with GPhC Standards for Pharmacy Professionals, NHS Data Security and Protection Toolkit (DSPT) requirements, and the Caldicott Principles. Access to patient records is restricted to authorised pharmacy staff on a need-to-know basis.

DSPT Compliance: Heaton Road Pharmacy completes the NHS Data Security and Protection Toolkit (DSPT) annually, as required for all organisations accessing NHS patient data. This demonstrates our compliance with the 10 National Data Guardian data security standards.

6. Who We Share Your Data With

We may share your personal data with the following categories of recipients, only where necessary and with appropriate safeguards:

  • NHS and healthcare providers: For dispensing NHS prescriptions, Pharmacy First referrals, vaccination records (via Pinnacle/NIVS), and continuity of care.
  • General Pharmaceutical Council (GPhC): For regulatory compliance, pharmacy inspections, and fitness-to-practise matters.
  • RxSure (portal provider): For processing online bookings, orders, and managing your patient portal account.
  • Payment processors: Stripe and other payment providers process card transactions securely. We do not store full card details.
  • Google: Google Analytics (anonymised usage data, with consent), Google reCAPTCHA (spam protection), and Google Maps (location display).
  • MHRA: For reporting adverse drug reactions via the Yellow Card Scheme as legally required.

We never sell your personal data to third parties. We do not share your data for third-party marketing without your explicit consent.

7. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law:

  • Pharmacy dispensing records: 8 years from the date of dispensing, in line with GPhC guidance and NHS record retention requirements.
  • Vaccination records: Retained indefinitely as part of your medical history and reported to NHS systems.
  • Consultation notes: 8 years from the date of consultation, or longer if clinically necessary.
  • Marketing consent records: Until you withdraw consent, then deleted within 30 days.
  • Website analytics data: 26 months (Google Analytics default retention period).
  • Contact form submissions: 2 years from the date of enquiry, unless an ongoing relationship exists.
  • Financial records: 7 years as required by HMRC.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data. You can exercise any of these rights by contacting us at contact@heatonroadpharmacy.co.uk:

Right of Access

Request a copy of the personal data we hold about you (Subject Access Request).

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your data where there is no compelling reason to continue processing.

Right to Restrict

Request restriction of processing while we verify accuracy or assess an objection.

Right to Portability

Receive your data in a structured, machine-readable format for transfer to another provider.

Right to Object

Object to processing based on legitimate interest or for direct marketing purposes.

We will respond to all rights requests within one calendar month. In complex cases, we may extend this by two further months, and will inform you if so. There is no fee for exercising your rights unless a request is manifestly unfounded or excessive.

Note on health records: The right to erasure does not apply where we are legally required to retain records (e.g., pharmacy dispensing records must be kept for 8 years under GPhC guidance). We will inform you of any such restrictions when responding to your request.

9. Cookies

Our website uses cookies and similar technologies to improve your experience, analyse usage, and assist with marketing. For detailed information about the cookies we use, how to manage them, and your choices, please see our Cookie Policy.

10. International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom. However, some of our third-party service providers may process data outside the UK:

  • Google services (Analytics, reCAPTCHA, Maps, Fonts) may transfer data to servers in the United States, covered by Google's Standard Contractual Clauses and UK adequacy provisions.
  • Stripe (payment processing) operates internationally but complies with UK GDPR through Standard Contractual Clauses.

Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or UK adequacy decisions, as required by UK GDPR Chapter V.

11. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. We will notify you of significant changes by posting a prominent notice on our website and updating the "Last updated" date at the top of this page.

We recommend reviewing this policy periodically. Continued use of our website and services after changes are posted constitutes acceptance of the revised policy.

12. Contact & Complaints

If you have any questions about this privacy policy, wish to exercise your data rights, or want to raise a concern about how we handle your data:

Data Protection Officer

Mr. Sunil Kumar, Superintendent Pharmacist

Common Questions

Privacy Policy FAQs

Answers to frequently asked questions about how we handle your personal data.

What personal data does Heaton Road Pharmacy collect?

We collect identity data (name, date of birth), contact data (email, phone, address), health data (prescriptions, consultations, medical history), technical data (IP address, browser type), and usage data (how you interact with our website). We only collect data that is necessary to provide our pharmacy services and improve your experience.

How does Heaton Road Pharmacy protect my health information?

Health data is classified as special category data under UK GDPR Article 9. We process it only with your explicit consent or where necessary for healthcare purposes. All health records are stored securely with encryption, access controls, and regular security audits in line with GPhC standards and NHS data security requirements.

How can I request my personal data be deleted?

You can request data deletion by contacting our Data Protection Officer at contact@heatonroadpharmacy.co.uk. We will action your request within 30 days. Note that we are legally required to retain pharmacy dispensing records for a minimum of 8 years under GPhC guidance, so some health records cannot be deleted during this period.

Does Heaton Road Pharmacy share my data with third parties?

We share data only where necessary: with the NHS for pharmacy services, with our portal provider (RxSure) for online bookings and orders, with payment processors for transactions, and with Google for website analytics (anonymised). We never sell your personal data to third parties for marketing purposes.
