Privacy Policy

§

Who we are

Prescriptify is the trading name of ACRE Pharmacy Ltd., a UK-registered online pharmacy regulated by the General Pharmaceutical Council (GPhC registration 9011661). Our registered premises are at Unit 7B, Unit 5–7 Tintagel Way, Westgate Park Industrial Estate, Walsall WS9 8ER.

We are the data controller for the personal information described in this policy. Our superintendent pharmacist is Dalbir Singh Aujla, MRPharmS (GPhC 2085686). Our Data Protection Officer can be contacted at info@prescriptify.co.uk.

§

What we collect and why

To provide our service we collect:

• Identity and contact data (name, date of birth, email, phone, delivery address) — necessary to verify your eligibility and to dispense and deliver your medicine.
• Health data, including your assessment responses, prescription history, and any messages you exchange with our pharmacists — necessary to make a safe clinical decision and to supervise your treatment.
• Payment data (card details are processed by Stripe; we never see or store your full card number) — necessary to take payment.
• Technical data (IP address, browser type, login activity) — necessary to keep your account secure and to improve our service.

§

The legal basis for processing your data

We process your identity, contact, payment, and technical data on the basis of contract — without it we cannot provide our service.

We process your health data on the basis of explicit consent given when you submit your assessment and on Article 9(2)(h) UK GDPR — the provision of healthcare by a regulated health professional. You may withdraw consent at any time; doing so will mean we can no longer provide treatment. We will keep your medical record as required by GPhC retention guidance even after you withdraw.

§

Who we share your data with

We share the minimum information necessary with:

• Stripe Payments Europe Ltd (payment processing, ISO 27001 certified)
• Resend, Inc. (transactional email delivery)
• Our nominated couriers (delivery — they receive name, address, phone)
• Your GP (only if you ask us to in your assessment)
• Our cloud infrastructure providers, all UK or EEA hosted

We never sell your data. We never share it with insurers, advertisers, data brokers, or social media networks.

§

How long we keep your data

We keep your medical record for at least 2 years after your last contact with us, in line with GPhC retention guidance. For prescriptions involving controlled drugs we retain for 5 years. Identity, payment, and technical data are retained for 7 years for accounting and audit purposes, then deleted. Marketing consent records are deleted on opt-out.

§

International transfers

Our primary data hosting is in the UK. Our email provider (Resend) processes data in the United States under the EU-US Data Privacy Framework. Stripe processes payment data in the EU/UK. No data is transferred to jurisdictions without an adequacy decision or appropriate safeguards.

§

Your rights

You have the right to:

• Access the personal data we hold about you.
• Correct any data that is inaccurate.
• Request that we delete your data (subject to retention obligations).
• Object to or restrict processing in certain circumstances.
• Receive your data in a portable format.
• Withdraw consent for processing based on consent.

To exercise any of these rights, email info@prescriptify.co.uk. We will respond within one calendar month.

§

Complaints

If you are unhappy with how we have handled your data, please contact us first at info@prescriptify.co.uk so we can try to resolve the issue. You also have the right to complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113.

§

Changes to this policy

We will notify you of material changes to this policy by email and will update the “last updated” date at the top.