RestWell Pharmacy Ltd ("we", "us", "our") is the data controller for the personal information you share with us. We are registered with the Information Commissioner's Office (ICO) under registration number ZA000000.
What information we collect
- Identity & contact details (name, date of birth, address, email, phone).
- Health information you give us during a clinical consultation (symptoms, medical history, current medication, allergies).
- GP details and, where you consent, copies of your GP medical records.
- Order and payment information (we do not store full card details — payments are processed by our PCI-DSS compliant payment provider).
- Technical information (IP address, device, browser) and cookie data — see our Cookie policy.
Why we use it (lawful basis)
- Provision of healthcare — Article 9(2)(h) UK GDPR (provision of health and social care) and Article 6(1)(b) (contract).
- Patient safety & clinical governance — Article 9(2)(i) (public interest in public health).
- Legal & regulatory obligations — Article 6(1)(c) (Human Medicines Regulations 2012, Misuse of Drugs Regulations 2001, GPhC standards).
Sharing your information
We may share your information with:
- Your GP — where you have provided GP details and not opted out of GP notification, particularly for high-risk Prescription Only Medicines and controlled drugs.
- The MHRA — for suspected adverse drug reactions reported via the Yellow Card scheme.
- The GPhC and other regulators where legally required.
- Our delivery partners — name, delivery address and a signature confirmation only.
We never sell your personal or health data and do not use it for marketing without your explicit opt-in.
How long we keep it
Clinical consultation and dispensing records are retained for a minimum of 10 years from the date of supply, in line with NHS and GPhC record-keeping requirements. Controlled drug records are retained for at least 7 years. Marketing preferences and account information are kept until you delete your account.
Your rights
Under UK GDPR you have the right to access, rectify and erase (where applicable) your personal data, to restrict or object to processing, and to data portability. To exercise any of these rights, contact our Data Protection Officer at dpo@restwellpharmacy.co.uk. You also have the right to complain to the ICO at ico.org.uk or on 0303 123 1113.
Security
Our systems use TLS encryption, role-based access controls and audit logging. Clinical staff access patient records on a strict need-to-know basis under the supervision of the Superintendent Pharmacist.
Site analytics
We measure how our site is used so we can improve it. Our analytics are privacy-first and cookie-free:
- We do not use cookies, localStorage tracking, or any third-party analytics service such as Google Analytics.
- To count unique visitors, we create a one-way daily-rotating salted hash of your IP address and browser (user agent). The salt changes every 24 hours, so the same visitor on two different days is counted as two different anonymous visitors. We never store your raw IP address.
- We record page views and key actions (e.g. starting or submitting a clinical assessment, adding an item to the basket) so we can understand which clinical information is most useful and where the site can be improved.
- When you are signed in, an event may also be linked to your user account so we can support you with your consultations and orders. This is covered by the lawful bases above (provision of healthcare and contract).
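
The visitor-counting scheme described above, sketched as an added example (not RestWell's own code). It assumes HMAC-SHA256 as the salted hash and a random salt held only in memory; the class and method names are hypothetical and the sample IP address and user agent are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class DailyVisitorHasher:
    """Counts unique visitors per UTC day without keeping raw IP addresses."""

    def __init__(self):
        self._salt_day = None  # UTC date the current salt belongs to
        self._salt = b""       # random salt, never written to disk
        self.seen = {}         # date -> set of anonymous visitor hashes

    def _salt_for(self, day):
        # Rotation: a new day gets a fresh random salt and the previous one
        # is overwritten, so earlier hashes cannot be recomputed or linked.
        if day != self._salt_day:
            self._salt_day, self._salt = day, secrets.token_bytes(32)
        return self._salt

    def visitor_id(self, ip, user_agent, now=None):
        # `now` is injectable for the demonstration; a live service passes nothing.
        now = now or datetime.now(timezone.utc)
        day = now.astimezone(timezone.utc).date()
        # Length-prefix each field so ("1.2.3.4", "5X") != ("1.2.3.45", "X").
        msg = b"".join(len(p).to_bytes(4, "big") + p
                       for p in (ip.encode(), user_agent.encode()))
        # Keyed hash: the IPv4 space is small enough to enumerate, so the
        # secret salt is what stops a hash being reversed by brute force.
        digest = hmac.new(self._salt_for(day), msg, hashlib.sha256).hexdigest()
        self.seen.setdefault(day, set()).add(digest)  # only the hash is kept
        return digest

    def unique_visitors(self, day):
        return len(self.seen.get(day, ()))


if __name__ == "__main__":
    hasher = DailyVisitorHasher()
    ip, ua = "203.0.113.7", "ExampleBrowser/1.0"  # constructed sample values
    monday = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    tuesday = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)
    print(hasher.visitor_id(ip, ua, monday) == hasher.visitor_id(ip, ua, monday))
    print(hasher.visitor_id(ip, ua, monday) == hasher.visitor_id(ip, ua, tuesday))
```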