Privacy Policy

Last updated: 10 March 2026

At XYZ Pharmacy, we take your privacy seriously. This policy explains how we collect, use, store, and protect your personal information — including sensitive health data — when you use our platform.

1. Who We Are

XYZ Pharmacy ("we", "us", "our") is a digital health platform connecting patients with registered healthcare professionals. We are committed to protecting your personal data and processing it responsibly.

This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and your rights in relation to it. It applies to all users of our website, mobile application, and related services.

We act as the data controller for the personal data you provide to us. If you have any questions about this policy or how we handle your data, you can contact our Data Protection Officer at privacy@curely.com.

2. What Data We Collect

We collect the following categories of personal data:

  • Identity & contact data: Your name, date of birth, gender, email address, phone number, and postal address.
  • Account data: Login credentials and account preferences.
  • Health & medical data: Information you provide in health assessments, consultations, and questionnaires, including medical history, current medications, allergies, symptoms, lifestyle information, and treatment outcomes.
  • Transaction data: Details of payments and subscriptions, including billing address and payment method details (card payments are processed by our payment provider; we do not store full card details).
  • Usage data: Information about how you use our platform, including pages visited, features used, and time spent.
  • Technical data: IP address, browser type and version, device identifiers, operating system, and cookies.
  • Communications data: Messages you send to our clinical or support team.

3. How We Collect Your Data

We collect personal data through the following means:

  • Directly from you: When you register an account, complete a health assessment, place an order, contact us, or otherwise interact with our platform.
  • Automated technologies: As you use our platform, we automatically collect technical and usage data via cookies, server logs, and similar technologies.
  • Third parties: We may receive data from our pharmacy partners, payment processors, and analytics providers where this is necessary to provide our services.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Providing our services: Processing health assessments, facilitating consultations with clinicians, issuing prescriptions where appropriate, fulfilling medication orders, and managing your account.
  • Clinical care: Enabling our registered healthcare professionals to review your health information and provide safe, personalised clinical recommendations.
  • Payment & subscriptions: Processing payments, managing subscription billing, and handling refunds.
  • Communications: Sending you appointment confirmations, order updates, prescription notifications, and service-related messages.
  • Safety & compliance: Complying with legal and regulatory obligations, preventing fraud, and maintaining records required by healthcare regulations.
  • Improvement & analytics: Understanding how our platform is used so we can improve our services, fix issues, and develop new features.
  • Marketing: Where you have given your consent, sending you information about our services and health content we think may interest you. You can opt out at any time.

5. Legal Basis for Processing

We process your personal data under the following lawful bases:

  • Contract: Processing is necessary to fulfil our contract with you (e.g. providing consultations and dispensing medication).
  • Legal obligation: Processing is required by applicable law or regulation (e.g. maintaining clinical records).
  • Vital interests: Processing is necessary to protect your vital interests or those of another person in emergency situations.
  • Legitimate interests: Processing is necessary for our legitimate business interests (e.g. preventing fraud, improving our services), where these are not overridden by your rights.
  • Consent: Where we rely on consent (e.g. for marketing communications), you may withdraw it at any time without affecting the lawfulness of prior processing.

For special category health data, we additionally rely on Article 9(2)(h) UK GDPR — processing for the purposes of preventive or occupational medicine, medical diagnosis, and the provision of health or social care.

6. Sharing Your Data

We may share your personal data with:

  • Healthcare professionals: Registered clinicians on our platform who review your health assessments and provide consultations.
  • Pharmacy partners: Registered pharmacies that dispense prescription medicines on behalf of our clinicians.
  • Payment processors: Third-party payment providers who process your transactions securely.
  • Delivery partners: Courier services used to deliver your medication (limited to the information needed for delivery).
  • IT & infrastructure providers: Cloud hosting, database, and software providers who support the operation of our platform under strict data processing agreements.
  • Regulatory & legal authorities: Where required by law, court order, or regulatory body (e.g. the MHRA, CQC, or ICO).

We do not sell your personal data to third parties. Any third party with whom we share data is required to handle it in accordance with applicable data protection law.

7. International Transfers

Our services are primarily operated within the UK and the European Economic Area (EEA). Where we transfer data outside these regions, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO.

8. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this policy and to comply with our legal obligations.

Clinical records are retained in line with NHS and regulatory guidance — typically a minimum of 8 years for adults and until age 25 for records created when you were a child.

If you close your account, we will delete or anonymise your non-clinical personal data within 90 days, subject to any legal retention requirements.

9. Cookies

We use cookies and similar tracking technologies to operate our platform, remember your preferences, and analyse usage. You can control cookies through your browser settings.

Essential cookies are necessary for the platform to function and cannot be disabled. Analytics and marketing cookies are only set with your consent, which you can manage via our cookie banner.

10. Your Rights

Under UK GDPR you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Ask us to correct inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data where there is no lawful reason for us to continue processing it.
  • Right to restriction: Ask us to restrict processing of your data in certain circumstances.
  • Right to portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@curely.com. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit and at rest, access controls, and regular security assessments.

No method of transmission over the internet is completely secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.

12. Children

Our services are not directed at children under the age of 18, and we do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on our platform before the changes take effect.

Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer:

Email: privacy@curely.com

We aim to respond to all enquiries within 5 business days.

By using XYZ Pharmacy, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with how we handle your data, please discontinue use of our services and contact us to close your account.