Privacy Policy
HEBA Online Pharmacy is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, and disclose personal data when you visit our website or otherwise interact with us.
-
Introduction
HEBA Online Pharmacy ("HEBA", "we", "us", "our") is committed to protecting and respecting your privacy. This policy explains how we collect, use, store, share, and protect your personal and health information when you visit our website, create an account, use our services, or otherwise interact with us.
We are a UK-registered online pharmacy and a healthcare provider, which means we handle information in line with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- The Privacy and Electronic Communications Regulations (PECR) 2003
- The common law duty of confidentiality
- Caldicott Principles for handling patient-identifiable information
- General Pharmaceutical Council (GPhC) standards for confidentiality
- Human Medicines Regulations 2012
This policy should be read alongside our Terms and Conditions, Cookie Policy, and Medicines Policy.
-
Who we are — Data Controller
HEBA Online Pharmacy is the Data Controller for the personal information we collect about you.
Company name: HEBA HEALTHCARE LIMITED
Registered address: 29 Langlands Place, Glasgow, G75 0YF
Companies House number: SC852375
GPhC premises registration number: 9012957
Superintendent Pharmacist: Ubayd Ali, GPhC number: 2219322
ICO registration number: ZCO94308
Contact email: [email protected]
Data Protection Officer (DPO): Ubayd Ali, [email protected]
If you have any questions about this policy, how we handle your data, or you'd like to exercise your rights, please contact our DPO at the address above.
-
What information we collect
We only collect information that is necessary to provide you with safe, appropriate, and legal pharmacy and prescribing services. The information we collect falls into the following categories.
Information you give us
Identity and contact information:
- Full name, title, date of birth, gender
- Home address, delivery address, billing address
- Email address, mobile and landline numbers
- Proof of identity (for example, a photograph of ID where required for age-verified or high-risk medicines)
Account information:
- Username, password (stored encrypted), account preferences
Health and clinical information (special category data):
- Medical history, current and past medications, allergies
- Symptoms, condition details, and answers to consultation questionnaires
- Measurements such as weight, height, BMI, blood pressure, and blood test results where relevant
- Photographs you upload (for example, for hair loss, skin conditions, or weight verification)
- GP name, GP surgery details, and NHS number (where provided)
- Information about pregnancy, breastfeeding, lifestyle factors (alcohol, smoking, substance use) relevant to safe prescribing
Payment information:
- Cardholder name and billing address. Full card numbers are handled directly by our PCI-DSS compliant payment processor — we do not store full card details on our systems.
Communications:
- Messages, emails, calls, and chat transcripts between you and our pharmacy team, prescribers, or customer support.
Information we collect automatically
When you use our website, we automatically collect:
- IP address, device type, browser, operating system
- Pages viewed, time spent, and navigation patterns
- Referring URL and search terms used to find us
- Cookie and similar tracking technology data (see our Cookie Policy)
Information from third parties
With your consent or where lawfully permitted, we may receive information from:
- Your GP or other healthcare providers
- Identity verification services (for example, for age verification)
- Payment providers (to confirm transaction status)
- Delivery partners (to update tracking and delivery status)
-
How we use your information (lawful bases)
Under UK GDPR, we must have a lawful basis for processing your data, and an additional condition for processing health data. We rely on the following:
For general personal data (Article 6 UK GDPR)
- Contract (Art. 6(1)(b)) — to create your account, process orders, arrange delivery, and provide the services you have requested
- Legal obligation (Art. 6(1)(c)) — to meet our obligations under medicines, pharmacy, tax, and consumer protection law
- Legitimate interests (Art. 6(1)(f)) — to run our business efficiently, improve our services, prevent fraud, and maintain website security, where these are not overridden by your rights
- Consent (Art. 6(1)(a)) — for marketing communications and optional cookies
For health and other special category data (Article 9 UK GDPR)
- Health and social care (Art. 9(2)(h)) — to provide pharmacy services, prescribing, and clinical care, carried out by professionals under a duty of confidentiality
- Explicit consent (Art. 9(2)(a)) — where you give us specific permission (for example, to share information with your GP)
- Public interest in public health (Art. 9(2)(i)) — for pharmacovigilance, adverse-event reporting, and safety monitoring
Specific purposes
We use your information to:
- Verify your identity, age, and eligibility for treatment
- Assess your suitability for prescribed medicines and conduct clinical checks
- Issue private prescriptions and dispense medicines
- Package, ship, and track your delivery
- Communicate with you about your order, treatment, repeat supplies, and reviews
- Maintain a clinical record of your care (required by GPhC standards)
- Report adverse drug reactions via the MHRA Yellow Card scheme
- Share information with your GP where clinically appropriate and with your consent
- Safeguard children and adults at risk, where a concern arises
- Prevent fraud, misuse, diversion, or stockpiling of medicines
- Comply with legal, regulatory, and tax obligations
- Improve our website, services, and patient experience
- Send you service updates and, with your consent, marketing communications
-
Who we share your information with
We never sell your personal or health information. We only share information where necessary and lawful. Recipients fall into the following categories:
Within HEBA and our clinical team
Your information is accessible to:
- Pharmacists, prescribers, and dispensing staff involved in your care
- Customer support staff (only to the extent needed to resolve your query)
- Our Superintendent Pharmacist, DPO, and Clinical Governance Lead
All staff are bound by contractual confidentiality obligations and professional codes of conduct.
Healthcare partners
With your consent, or where permitted under common law and GPhC guidance, we may share information with:
- Your registered NHS GP
- Other treating clinicians, where clinically relevant
- NHS 111 / NHS 24 or emergency services, in a clinical emergency
- Safeguarding authorities, where there is a lawful basis and genuine concern
Regulators and authorities
We may share information where legally required with:
- General Pharmaceutical Council (GPhC) — for inspections and fitness-to-practise investigations
- Care Quality Commission (CQC) / Healthcare Improvement Scotland (HIS)
- Medicines and Healthcare products Regulatory Agency (MHRA) — pharmacovigilance, safety recalls, Yellow Card reporting
- Information Commissioner's Office (ICO)
- HMRC and other tax or law enforcement bodies
- Courts or tribunals, where served with a valid order
Service providers (Data Processors)
We use carefully vetted third-party providers to deliver parts of our service. Each is bound by a written Data Processing Agreement under Art. 28 UK GDPR. Categories include:
- Website hosting and cloud infrastructure
- Clinical software and electronic prescribing platforms
- Payment processing (PCI-DSS compliant)
- Delivery and courier services (for example, Royal Mail, DPD)
- Identity and age-verification services
- Email, SMS, and secure messaging providers
- Analytics and customer-feedback tools
- Pharmacy management and dispensing software
- IT security, backup, and disaster-recovery providers
A current list of subprocessors is available on request from our DPO.
Business transfers
If HEBA is sold, merged, or restructured, your information may be transferred to the new entity, subject to the same protections described in this policy. You will be informed of any such change.
-
International transfers
We aim to keep your data in the UK. Where a trusted provider processes data outside the UK, we ensure adequate safeguards are in place, using one or more of:
- UK adequacy regulations for transfers to approved countries
- UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum
- Binding corporate rules or other UK GDPR-recognised safeguards
You can request details of the specific transfer mechanism for any of our providers.
-
How long we keep your information
We keep your information only for as long as necessary for the purposes set out in this policy, and in line with UK legal and professional retention requirements.
After the retention period, records are securely deleted, anonymised, or destroyed following our data-retention SOP.
Record type: Retention period
- Adult clinical records (consultations, prescriptions, dispensing records): 10 years from the last interaction (in line with NHS and RPS guidance)
- Child clinical records (under 18 at time of care): Until the patient's 25th birthday, or 26th if the last record was at age 17
- Controlled Drug records: 7 years (Misuse of Drugs Regulations 2001)
- Private prescription records: 2 years minimum (Human Medicines Regulations 2012)
- Accounting and tax records: 6 years (HMRC)
- Account and order information: 7 years from account closure
- Marketing consent records: Until consent is withdrawn, plus 2 years as evidence of consent
- CCTV (where operated): 31 days
- Website analytics and cookies: See our Cookie Policy
-
Your rights under UK GDPR
You have the following rights over your personal information:
- Right to be informed — through this policy and our other privacy notices
- Right of access — to obtain a copy of your information (a "Subject Access Request")
- Right to rectification — to correct inaccurate or incomplete information
- Right to erasure ("right to be forgotten") — subject to our legal and clinical retention duties
- Right to restrict processing — in specific circumstances
- Right to data portability — to receive your data in a machine-readable format
- Right to object — to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — where we rely on consent, at any time
- Rights relating to automated decision-making — we do not use fully automated decision-making that produces legal or similarly significant effects; a prescriber always reviews your consultation before treatment is issued
To exercise any right, contact our DPO at [email protected]. We will respond within one calendar month. There is no fee, unless your request is manifestly unfounded or excessive. We may ask you to verify your identity before processing your request.
Right to complain to the ICO
If you are unhappy with how we have handled your data, you can complain to the Information Commissioner's Office:
ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
We would appreciate the chance to address your concerns before you contact the ICO.
-
How we protect your information
We take information security seriously and use a combination of organisational, physical, and technical measures, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access controls — information is accessed on a strict need-to-know basis, with role-based permissions and audit logging
- Authentication — multi-factor authentication for staff access to clinical and administrative systems
- Secure hosting in UK-based, ISO 27001 / Cyber Essentials Plus-aligned data centres
- Regular security testing, including penetration testing and vulnerability scans
- Staff training — all staff complete annual information governance, UK GDPR, and confidentiality training
- Incident response — a documented data-breach response plan and 72-hour ICO notification process
- Data minimisation and pseudonymisation where feasible
- Secure destruction of physical and electronic records.
Despite our controls, no system can be 100% secure. If we identify a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where the risk is high, notify you directly.
-
Cookies and similar technologies
We use cookies and similar technologies on our website to make it function, improve performance, and (with your consent) personalise content and analyse traffic. Full details — including categories, purposes, durations, and how to control them — are in our separate Cookie Policy.
You can adjust cookie preferences at any time through the cookie banner or your browser settings. Essential cookies cannot be disabled as they are required for the site to function.
-
Marketing communications
We will only send you marketing communications (for example, newsletters, offers, health tips) where you have given your explicit, opt-in consent, or where you are an existing customer and we are offering similar services under the "soft opt-in" rules in PECR.
You can unsubscribe at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Replying STOP to any marketing SMS
- Updating your preferences in your HEBA account
- Contacting us at [email protected]
Unsubscribing from marketing will not affect transactional or clinical communications about your order, treatment, or account.
We do not advertise prescription-only medicines to the public, in line with the Human Medicines Regulations 2012 and the CAP Code.
-
Children's privacy
HEBA's services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18 unless a specific service has been designed and risk-assessed for under-18s (in which case separate arrangements for consent and safeguarding apply). If you believe we hold information about a child without appropriate authorisation, please contact our DPO and we will investigate promptly.
-
Automated decision-making and profiling
We do not make decisions about prescribing medicines through fully automated means. Our online consultation uses structured questionnaires and may flag answers for clinical review, but a UK-registered prescriber always reviews your consultation and makes the final decision on whether to issue a prescription.
We may use limited profiling for fraud prevention, website personalisation, and clinical risk flags — none of which produces legal or similarly significant effects without human review.
-
Changes to this policy
We review this Privacy Policy at least annually, and sooner if:
- The law, regulator guidance, or our services change materially
- We identify a gap during internal audit or following an incident
Where changes are significant, we'll notify you by email or through your account before they take effect.
-
Contact us
For any privacy-related question or to exercise your rights:
Data Protection Officer
HEBA Online Pharmacy
29 Langlands Place, Glasgow, G75 0YF
Email: [email protected]
Phone: 0141 337 3000
For clinical questions about your treatment, please contact our pharmacy team through your HEBA account.
In a medical emergency, call 999 (or 112 from a mobile). For urgent non-emergency advice, call NHS 111 (or NHS 24 on 111 in Scotland).