Last Updated: 18th March 2024
We take our responsibilities in looking after your data very seriously. This privacy notice explains what personal information we collect about you, how we, and our Group may use it and the steps we take to ensure that it is kept secure. We also explain your rights and how to contact us.
We have developed our systems and processes to ensure that we meet or exceed the standards set out both under data protection law and in line with the Caldicott principles.
LloydsDirect keeps its privacy notice under regular review. We may make changes to this notice at any time and will either contact you with the modified terms or post a copy of them on our website. Any changes will take effect 3 days after the date on which we post the updated terms. Your continued use of our services after that period expires means that you agree to be bound by the modified notice.
LloydsDirect, a trading name of Metabolic Healthcare Ltd, is part of the Pharmacy2U Group. Following the acquisition in 2023, we have joined forces to combine our expertise and enhance the services we provide to our patients. As we transition into a unified brand under Pharmacy2U, we are committed to leveraging advanced technology and innovation to bring you an even better prescription experience.
We collect information that you give us to process your order and to better understand how our services are used. We’ve outlined the main types of information that we handle below. There are some essential pieces of information that we require in order to process your prescriptions. If you fail to provide this information we will be unable to process your prescriptions for you or the person you are the account holder for. If you are an account holder acting on behalf of another patient, you may be providing data on behalf of that patient. Before we can do this we will make sure that we have the right authorisation in place.
References to “your” or “you” in this privacy notice will refer to either you or the patient you are acting on behalf of, as relevant.
- Personal information - such as name, address, date of birth and GP details.
- Contact information - including phone number and email address. Your email address will be shared with our live chat platform, Intercom. You can read about Intercom’s security credentials here.
- NHS Number - details will then be verified directly with the NHS Personal Demographic Service or via Titan, our dispensary management system. When details have been successfully verified, your NHS number will be added to your profile.
- Details regarding the medication you require - this includes information about your health that is considered sensitive.
- Exemption details - if you do not pay for your prescriptions.
- Electronic proof of your consent - so that LloydsDirect can request prescriptions on your behalf.
- Payment details - for prescription charges if you pay for your medication. Please note that LloydsDirect does not store your credit/debit card details, which are instead managed by our payment handler Stripe. You can read about Stripe’s security credentials here.
- Preferred delivery address information and contact details - which we pass on to Royal Mail to facilitate delivery. Please note that we will never share any other information with Royal Mail.
- Wider information about your health to deliver additional healthcare services where you have chosen to receive these.
NHS Login is an identity verification service provided by the NHS. As a patient, you are able to use it to login to LloydsDirect. If you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provide to NHS England to get an NHS account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, please click here.
This restriction does not apply to the personal information you provide to us separately. We also collect the following information:
- Your GP’s address - if you choose to turn on your location, location information from your phone will be used to make it easier for you to search for your GP and automatically populate address fields in the app. If you do not choose to turn on your location, you are able to enter your GP address manually.
- Behavioural data - such as when you accessed LloydsDirect and what actions you took within the app. This is to continually improve our service for our users.
- Technical information - such as glitches and crash data so we can understand when things break and improve the service.
We collect your information when you provide it to us through the LloydsDirect app or when you communicate with us in other ways (for example, from your GP when you use a partner app and select for your prescription to be prepared and processed by us, or by using the NHS Login service).
- Personal information - collected upon completing the registration to use LloydsDirect.
- Contact information - collected upon completing the registration to use LloydsDirect.
- NHS Number – obtained from the NHS Personal Demographic Service or using Titan, our dispensary management system upon completing registration.
- Details regarding the medication you require - collected upon completing the registration to use LloydsDirect or from your GP when using a partner app. If details are not entered during registration they will only be collected once the user enters them.
- Your registered GP practice - collected from you and verified against the NHS Personal Demographic Service when you place orders with us.
- Exemption details - collected upon completing the registration to use LloydsDirect. If details are not entered during registration they will only be collected once the user enters them.
- Electronic proof of your consent - collected upon completing the registration to use LloydsDirect.
- Payment details - collected at the point of payment or when you save your payment details to your account.
- Preferred delivery address information and contact details - collected at the point of the prescription request.
- Your GP’s address - collected upon completing the registration to use LloydsDirect.
- Information about your health, including family history or medical conditions to deliver additional healthcare services where you have agreed to these.
- Behavioural data - collected once you have completed the registration to use LloydsDirect and throughout the time you use LloydsDirect.
- Technical information - collected once you have completed the registration to use LloydsDirect and throughout the time you use LloydsDirect.
In general, we only collect your information to provide you with our services – to help you order and keep track of your prescriptions and to dispense your prescriptions. We take our data protection responsibilities very seriously and will only process your information where we have a lawful basis for doing so. This will be the case if:
- You have given us your consent to process the data.
- We need to process the data to perform our contractual obligations or to take steps to enter a contract (for example, we need certain contact details and details of your prescription in order to provide the service to you).
- We have to process your information to meet our legal obligations as a data controller (such as VAT and tax accounting rules).
- We have a legitimate interest in processing your data (this includes things like improving our service by collecting behavioural information to see what actions are taken within the app, conducting business analytics and business intelligence reporting to better understand and serve our customer base, auditing and investigation of any issues).
We collect and process your information for a variety of purposes, but our main purpose is to provide the services you request. These include:
- Storing your data in databases so that we can create and maintain your account.
- Verifying your identity so that we can complete your registration.
- Communicating with GP surgeries and internally so that your orders can be processed and your prescriptions dispensed.
- Auditing and analysis of your data, in particular to help us respond to issues and improve our services.
- Managing returns and confidential waste.
- Communicating to you via in-app messaging services and logging these communications to ensure we give you the best customer experience.
- Communicating to you via email, push alerts and in-app notifications so that you are fully updated with the progress of your order and any related communications.
- On the rare occasion, we may need to contact you; this would only be in relation to your order, a query you have raised, or as part of the service migration process to the Pharmacy2U Group.
- As part of the Pharmacy2U Group, we process your data not only to provide you with our direct services but also to facilitate a cohesive and enhanced service experience across the group. This involves working collaboratively within the group to improve prescription services, streamline our operations, and deliver a seamless patient experience in line with our unified brand strategy. This may include sharing your data within the group entities where necessary to fulfil our service commitments to you and to realise our goal of continuous service improvement. All such processing is grounded in our legitimate interest to optimise our service delivery and in some cases may be based on your consent or as part of our contractual obligation to you.
By using our service, you acknowledge and agree to the terms outlined in our Privacy Notice. This agreement is effective from registration.
We do not sell, trade or rent your information to third parties. We will never share your information with any third parties for marketing or advertising without your consent.
We will share your information with service providers or third parties working on our behalf, or to meet certain other requirements, such as to comply with the law or with our regulators. There are three types of organisations we share with:
SERVICE RELATED: Sharing the minimum information necessary to provide a service to you, for example, we will need to share your address with Royal Mail to get your prescriptions delivered.
MARKETING: Sharing limited information with third parties to target advertising so that they reach the right people, for example with Google Ads.
ANALYTICS: Sharing statistical information to analyse and improve our services, for example with Google Analytics.
In the interest of providing comprehensive and continuous patient care, we may share your personal information within our pharmacy team. This practice is guided by the shared care model, commonly adopted in healthcare settings, which ensures that you receive the highest standard of care, particularly when your primary care pharmacist is not available. This internal sharing is limited to what is necessary for your direct care and is in strict compliance with data protection laws and healthcare regulations.
If you receive an additional healthcare service we may need to share some information with your GP surgery if a referral is needed or with the NHS as required and to receive payment for the service.
By sharing our resources and expertise within the Pharmacy2U Group, we aim to deliver an improved and seamless service that meets the evolving needs of our patients. This means that your data may be managed within the Pharmacy2U Group for the purposes of maintaining and enhancing our service offering. We assure you that any such internal data sharing and processing will adhere to the highest standards of privacy and data protection as we continue to prioritise the security and confidentiality of your personal information.
For further information about who your personal information is shared with, please get in contact with us using the details at the end of this notice.
LloydsDirect recognises the importance of keeping safe and secure the information collected about you. We have put in place effective security features. We use 256-AES SSL encryption to transfer your information between your phone and our servers. Access to this information is restricted to authorised people.
Given the worldwide nature of online communications and services, it is very common for users’ data on sites like ours to be transferred outside of the country in which it was collected. For example, the servers which host our sites could be located abroad. Where we transfer your data to service providers and subcontractors in countries outside of the UK, such as the USA, we check whether the data protection laws provide the same level of protection as those in the European Economic Area.
Data transfers within the European Economic Area are covered by an adequacy decision of the European Commission (Article 45 GDPR). Where this is not the case, for example, when it comes to transfers to the USA, any data transfers are based on standard data protection clauses/standard contractual clauses in line with the templates adopted by the European Commission, which put in place the same safeguards as we have within the UK.
The same applies to external service providers who work on behalf of us (for example IT service providers or data centres) or third parties, insofar as they come into contact with your personal data and are based in third countries. Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organisations.
We will not store or process your data for any longer than necessary. In general we only retain your data for as long as is necessary so that we can provide you the services you request, meet our legal obligations (such as rules on the retention of medical data) and defend claims made against us. For more information about our retention periods, please contact us at dpo@lloydsdirect.co.uk
If you have given your consent, or decided to ‘opt in’, we may contact you about the products and services we offer. This means, you may occasionally hear from us by email, SMS, push notification or by letter.
If you decide you no longer want to receive communications from us, you can click to unsubscribe on the bottom of any email we have sent you to opt out of marketing emails, or contact our patient care team on help@lloydsdirect.co.uk for any other channels.
We may contact you via email to invite you to review any services you received from us, to collect your feedback and improve our services (the “Purpose”). We use an external company, Trustpilot A/S (“Trustpilot”), to collect your feedback which means that we will share your name, email address and reference number with Trustpilot for the Purpose. If you want to read more about how Trustpilot process your data, you can find their Privacy Policy here.
Cookies may be used to deliver adverts that are more relevant to you as well as to limit the number of times you see a particular advertisement and to measure the effectiveness of advertising campaigns. We may analyse your personal information, including the products you view and buy, your browsing habits and other ways you interact with LloydsDirect. We will do this to evaluate the effectiveness of our advertising and to help us provide you with more relevant offers, advice and information. For further information on cookies please see the next section.
We may also securely share hashed personal data such as email addresses to help target our advertisements to existing or new users. This data will **never** include any personal health data.
We use Hotjar in order to better understand our users’ needs and to optimise this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
At LloydsDirect, part of the Pharmacy2U Group, we're continually looking for ways to improve your experience and the efficiency of the pharmacy services we provide. As part of this ongoing commitment, we're part of a service enhancement initiative within the Pharmacy2U group designed to bring you faster, more reliable access to your medications under a unified Pharmacy2U brand.
Why We're Making Changes
This initiative is about leveraging the strengths within our Pharmacy2U Group to ensure you benefit from the highest standards of service. By optimizing how we dispense and deliver medications, we're aiming to provide you with:
- Quicker access to your prescriptions.
- Enhanced support and care from our clinical team.
- A streamlined service under the Pharmacy2U brand, known for its commitment to patient care and innovation.
How We Use Your Data to Support This Change
To facilitate these improvements without disruption, we're undertaking a careful planning process that involves:
- Evaluating Patient Needs: Analysing patient records to tailor our services to your specific requirements during and after the transition.
- Keeping You Informed: Utilizing contact information to share updates about service changes and their implications for you.
Your Rights and Our Promises
Your privacy and data security are our top priorities. We are committed to:
- Transparency: Keeping you fully informed about the use of your data through notices like this.
- Control: Ensuring your rights over your data, including access, correction, and objection, are respected and easily exercisable.
- Security: Implementing stringent measures to protect your data throughout this transition.
Detailed Data Processing Activities for Service Enhancement
Our service enhancement involves specific data processing activities aimed at improving our services and ensuring a smooth transition to the Pharmacy2U Group, including:
- Analysis of Data: Planning service improvements by processing your contact details and prescription information under the principle of legitimate interests, ensuring no personal identifiable information is shared without consent.
- Patient Engagement: Informing you about changes and obtaining your consent for service migration, based on both your consent and our legitimate interest in keeping you informed.
- Service Migration & Data Transfer: Migrating your service with your explicit consent to a new Group system as part of our ongoing efforts to improve service delivery. This will be done under the lawful basis of consent and to fulfil our contractual obligations to you as a pharmacy service provider. Additionally, to prepare for a smooth transition, we will conduct an early transfer of selected non-sensitive data into Pharmacy2U Group's Customer Relationship Management system. This early transfer will exclude any special category health data and will be performed under the lawful basis of legitimate interests to ensure continuity and enhancement of service quality.
We guarantee that all internal data sharing and processing comply with the UK GDPR and the Data Protection Act 2018, with a focus on minimizing data sharing, implementing robust access controls, and ensuring data security through encryption and other security protocols.
Transparency and Continuity
Our aim is to enhance your pharmacy service experience continually. We promise to keep you informed about any changes that may affect you, maintaining our commitment to transparency and excellence in service.
Contacting Us
For inquiries about our data handling practices or to exercise your data rights, please reach out to our Data Protection Officer at dpo@lloydsdirect.co.uk. Remember, you have full control over your data; you can request access, corrections, or deletion at any time. For more information on your rights and how to exercise them, please refer to the 'Your Data, Your Choice' section of our communications.
LloydsDirect uses a technology called ‘cookies’ across all of its websites to deliver the best possible user experience. Cookies are files that are stored on your device every time you visit a website and enable us to understand your preferences and habits. Cookies do not contain person-identifiable information such as medical information, credit/debit card or personal contact details.
LloydsDirect uses three types of cookies:
- Session cookies: These enable us to track your movement across our websites and save information to make life easier. For instance, a session cookie might save an item to your shopping basket, without which you would be forced to order each item separately.
- Persistent cookies: These enable us to remember your preferences and settings each time you visit our websites. This makes using the site faster and reduces the need to re-enter data.
- Third party cookies: These enable us to track user activity outside our websites and better optimise marketing campaigns and analytics.
You can change your cookie preferences at any time by clicking "Cookie Preferences" at the bottom of our website. Please note that disabling some cookies will limit the service we can provide.
If you prefer, you can deactivate cookies by updating your browser settings. To find out more, go to www.aboutcookies.org or www.allaboutcookies.org.
At LloydsDirect, we want to make sure you find it easy to access and amend the data we hold about you. Subject to limitations, you also have certain rights in relation to the data we hold.
The right to be informed: You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. One way we do this is by providing you with the information in this Privacy Notice.
Right to make a subject access request: You have the right to obtain a copy of the personal data we hold about you. If you would like to do this you can write to the Data Protection Officer at dpo@lloydsdirect.co.uk or help@lloydsdirect.co.uk. We may ask you to submit proof of your identity.
The right to rectification: You are entitled to have your information corrected if it is inaccurate or incomplete. You can update your profile by going to Setting > Personal information or otherwise by contacting us on help@lloydsdirect.co.uk.
The right to withdraw consent: If you have given your consent to anything we do with your information, you have the right to withdraw that consent at any time. Please note that withdrawing your consent does not make unlawful what we have done with your personal data up to that point (when your consent was active) and you may not be able to benefit from certain features of the services we offer.
The right to restrict processing: You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but will not use it further.
The right to object to processing: You have the right to object to certain types of processing, including processing for direct marketing (like receiving information about products and services which may be of interest to you via email or post).
The right to erasure: This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information that we hold.
The right to data portability: You have the right to obtain and reuse your information for your own purposes across different services. To our best ability we will provide your information in an easily accessible format.
The right to lodge a complaint: We suggest that you contact us about any questions or if you have a complaint in relation to how we process your personal data so that we can help or put it right. However, you do have the right to contact the relevant supervisory authority directly. To contact the Information Commissioner’s Office, the supervisory authority in the United Kingdom, please visit the ICO website for instructions: https://ico.org.uk
For more information on how to exercise your rights, you can contact our Data Protection Officer by email at dpo@lloydsdirect.co.uk or by post at:
Data Protection Officer
17 Wadsworth Road
Perivale
UB6 7JD
Exercising your rights is free and we will respond to any request as quickly as we can. Under current law, we have up to a calendar month to respond to any request. If we are not able to meet this, we’ll contact you to explain why and confirm when your request will be processed.
If you have any questions about this privacy notice, please contact us by email at dpo@lloydsdirect.co.uk
You can also contact us by email at help@lloydsdirect.co.uk or in writing at 17 Wadsworth Road, Perivale, UB6 7JD