Privacy Policy

Apothecare Group Limited trading as Quick Meds

Last updated: 24th June 2026 — Version 2.0

1. Introduction

This Privacy Policy explains how Apothecare Group Limited trading as Quick Meds ("we", "us", "our") collects, uses, stores, and shares your personal information when you use our website (www.quickmeds.co.uk), purchase products or services from us, or otherwise interact with us.

We are committed to protecting and respecting your privacy. We process your personal data in accordance with the UK General Data Protection Regulation (Regulation (EU) 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018) (UK GDPR), the Data Protection Act 2018 (c. 12), and all other applicable UK data protection legislation.

We do not sell your personal data to third parties and never will. We only share your data where it is necessary for the purposes set out in this policy or where we are required to do so by law.

Please read this policy carefully before using our website or services. By accessing our website, creating an account, or placing an order, you acknowledge that you have read and understood this policy. If you have any questions, please contact us using the details in Section 17.

2. Who We Are

Apothecare Group Limited trading as Quick Meds is the data controller responsible for your personal data.

Company name: Apothecare Group Limited
Trading name: Quick Meds
Company registration number: 11824371 (England and Wales)
Registered address: 320a Stratford Road, Shirley, Solihull, B90 3DN
Trading address: Unit 2 Forge Industrial Park, Forge Lane, Sutton Coldfield, Birmingham, B76 1AJ
ICO registration reference: ZA536099
GPhC registration number: 9012521

We are registered with the General Pharmaceutical Council (GPhC) to provide pharmacy services in the United Kingdom and are regulated by the GPhC and the Medicines and Healthcare products Regulatory Agency (MHRA).

3. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing compliance with this policy and with data protection law.

If you have any questions about this policy, about how we handle your personal data, or if you wish to exercise any of your rights, you can contact our Data Protection Officer at:

Email: [email protected]
Telephone: 0121 628 5318
Address: Data Protection Officer, Apothecare Group Limited, Unit 2 Forge Industrial Park, Forge Lane, Sutton Coldfield, Birmingham, B76 1AJ

4. What Personal Data We Collect

We collect and process different types of personal data depending on how you interact with us.

4.1 Account and Registration Data — When you create an account, we collect your name, email address, telephone number, date of birth, gender, postal address, and account login credentials.

4.2 Clinical and Health Data — When you complete an online consultation questionnaire, participate in a telephone or video consultation, or communicate with our clinical team, we collect information about your medical history, current medications (including over-the-counter and herbal remedies), known allergies, lifestyle factors, symptoms, and any other health information you provide. This may also include photographs submitted for clinical assessment. Clinical and health data is special category data under Article 9 of the UK GDPR. The lawful basis is set out in Section 5.

4.3 GP and Healthcare Provider Information — We may collect the name and address of your GP practice and, where relevant, details of other healthcare providers involved in your care.

4.4 Identity Verification Data — To comply with our regulatory obligations, we verify the identity of patients who place orders. We collect your name, date of birth, and address, checked against third-party data sources (credit reference agencies, the telephone directory, and the electoral register) through LexisNexis Risk Solutions UK Limited. This is not a credit check and does not affect your credit score.

4.5 Order and Transaction Data — When you place an order, we collect details of the products and services purchased, order history, delivery address, and payment information. Payment card details are transmitted directly to our payment processor, Opayo (Elavon), and are not stored on our systems.

4.6 Communication Data — When you contact us, we collect the content of those communications and any personal data within them. Telephone calls may be recorded for training and quality assurance; you will be informed at the start of the call.

4.7 Technical and Usage Data — When you visit our website, we automatically collect technical information including your IP address, browser type and version, operating system, device type, referring URL, pages visited, and time spent on pages, collected through cookies and similar technologies (see Section 13).

4.8 Marketing and Preferences Data — Where you have given consent, we collect your marketing preferences, including whether you have opted in to receive promotional emails, SMS, or other marketing.

5. Lawful Basis for Processing

5.1 General Personal Data (Article 6 UK GDPR)

Processing activity	Lawful basis
Creating and managing your account	Performance of a contract (Art 6(1)(b))
Processing and fulfilling orders, dispensing and delivery	Performance of a contract (Art 6(1)(b))
Identity verification checks	Legal obligation (Art 6(1)(c)) — required by GPhC and pharmaceutical regulations
Communicating about orders, consultations, and treatment	Performance of a contract (Art 6(1)(b))
Processing payments and refunds	Performance of a contract (Art 6(1)(b))
Handling complaints and resolving disputes	Legitimate interests (Art 6(1)(f))
Detecting and preventing fraud and misuse	Legitimate interests (Art 6(1)(f))
Sending marketing communications	Consent (Art 6(1)(a))
Measuring advertising performance via server-side Conversions APIs	Consent (Art 6(1)(a)) — only where you consent to advertising tracking. No clinical, health, or treatment data is shared with advertising platforms.
Improving our website and services through analytics	Legitimate interests (Art 6(1)(f))
Complying with legal and regulatory obligations (GPhC, MHRA)	Legal obligation (Art 6(1)(c))
Retaining records for legal, regulatory, and clinical governance	Legal obligation (Art 6(1)(c)) and legitimate interests (Art 6(1)(f))

5.2 Special Category Data (Article 9 UK GDPR)

Your clinical and health data is special category data requiring an additional condition under Article 9.

The primary condition we rely on is Article 9(2)(h) — processing necessary for preventive or occupational medicine, medical diagnosis, the provision of health care or treatment, or the management of health care systems and services on the basis of UK law. This is supplemented by Schedule 1, Part 1, Paragraph 2(2)(f) of the Data Protection Act 2018.

In practical terms, we process your health data to carry out clinical consultations, assess suitability for treatment, issue prescriptions, dispense medication, monitor ongoing treatment, and fulfil our pharmacovigilance and clinical governance obligations.

We do not rely on consent as the lawful basis for processing health data, because in a healthcare context consent cannot be freely given where it is a condition of receiving treatment. Where we use health data for purposes other than direct care — for example, internal clinical audits or service improvement — we rely on legitimate interests (Article 6(1)(f)), supplemented by Article 9(2)(h) and appropriate safeguards.

6. How We Use Your Personal Data

To create and manage your account.
To carry out clinical consultations and assessments (online, telephone, video, or otherwise).
To assess suitability for treatment and issue prescriptions where clinically appropriate.
To dispense, pack, and dispatch medication and other products.
To verify your identity in accordance with our regulatory obligations.
To process payments and issue refunds.
To communicate with you about orders, consultations, treatment, and any queries.
To handle complaints in accordance with our Complaints Procedure.
To monitor ongoing treatment and contact you about follow-up consultations, reviews, or monitoring.
To report adverse events and suspected defective medicines to the MHRA under the Human Medicines Regulations 2012 (SI 2012/1916, as amended), Part 15.
To detect, prevent, and investigate fraud and misuse.
To comply with our legal and regulatory obligations (GPhC, MHRA, ICO, and other authorities).
To improve our website and services through first-party and third-party analytics.
To measure advertising performance and attribute conversions via server-side Conversions APIs with Meta and Google Ads. Where you have consented, limited non-clinical data (hashed email/telephone, transaction value, generic order confirmation) may be transmitted. We do not share any clinical, health, treatment, or consultation data with advertising platforms.
To send marketing communications where you have consented.
To maintain clinical governance records and conduct internal audits.

7. Who We Share Your Data With

We share your data only where necessary for the purposes in this policy, or where required by law. We do not sell your data.

7.1 Our Team — Your data is accessible to authorised members of our team, including prescribers, pharmacists, pharmacy technicians, dispensary staff, healthcare assistants, customer service representatives, and IT support staff, all bound by professional codes of conduct and internal confidentiality obligations.

7.2 Third-Party Service Providers — Each provider acts as a data processor under a written data processing agreement and processes your data only in accordance with our instructions and applicable law, except where stated otherwise.

Fulfilment, payment, and clinical operations

Provider	Purpose	Data shared
Opayo (Elavon Financial Services DAC)	Payment processing and refunds	Card details, billing address, transaction amount. Card details go directly to Opayo and are not stored on our systems.
LexisNexis Risk Solutions UK Limited	Identity verification	Name, date of birth, address. Checked against credit reference agencies, telephone directory, electoral register. Not a credit check. Also an independent controller for its own fraud-prevention activities (Section 8).
Royal Mail and courier partners	Delivery of orders	Name, delivery address, contact telephone number, order reference.
The Doctors Laboratory (TDL)	Laboratory testing	Name, date of birth, clinical information relevant to the test.

Email and customer communications

Provider	Purpose	Data shared
EmailOctopus (Three Creatures Ltd)	Transactional email (order confirmations, dispatch notifications, prescription updates)	Name, email address, order reference, delivery status.
Customer.io (Peaberry Software, Inc.)	Marketing email automation, behavioural messaging, engagement journeys	Name, email address, marketing preferences, purchase history, behavioural data. Shared only where you consent to marketing. No clinical, health, or treatment data is shared.

Website analytics and performance

Provider	Purpose	Data shared
Google Tag Manager (Google LLC)	Tag and script management	Deploys and governs the analytics and advertising tags on our site. Does not itself collect personal data beyond what the tags it manages collect, each listed separately and governed by our cookie consent mechanism.
Google Analytics (Google LLC)	Website analytics	Anonymised/pseudonymised usage data, IP address (anonymised), pages visited, session duration, device/browser information.
Microsoft Clarity (Microsoft Corporation)	Analytics, heatmaps, session replay	Pseudonymised usage data, click and scroll behaviour, device/browser information. Configured to mask form-field content; does not capture keystrokes in fields containing personal or health data.
atrack (operated by us on our own UK infrastructure)	First-party analytics and conversion attribution	Pseudonymised usage and event data, pages visited, conversion events. Our own first-party system, hosted exclusively in the UK on infrastructure we control. Order events are recorded without revealing the medication, treatment, or health category purchased.
Ahrefs (Ahrefs Pte. Ltd)	Website analytics and SEO performance	Pseudonymised usage data, pages visited, referring sources, technical/device information.
Triple Whale (Triple Whale, Inc.)	E-commerce and marketing analytics	Pseudonymised order, transaction, and attribution data. Configured so that no medication name, treatment category, or health-related product detail is transmitted.

Advertising measurement (server-side Conversions APIs)

Provider	Purpose	Data shared
Microsoft Advertising (Microsoft Corporation)	Advertising performance (incl. Microsoft UET tag)	Pseudonymised conversion data, device information.
Meta Platforms, Inc.	Advertising performance via Meta Pixel and Conversions API (server-side)	With consent: hashed email, hashed telephone, transaction value (no product/treatment details), generic conversion event type. No clinical/health/treatment data. Meta acts as an independent controller for data it receives.
Google LLC (Google Ads)	Advertising performance via Google Ads Conversions API / Enhanced Conversions (server-side)	With consent: hashed email, hashed telephone, transaction value, conversion event type. No clinical/health/treatment data. Google acts as an independent controller for certain advertising data it receives.

7.3 Regulatory and Legal Disclosures — We may share your data where required or permitted by law, including with: the GPhC (regulatory obligations, inspections, investigations); the MHRA (adverse event reporting, pharmacovigilance, defective medicines); the NHS Counter Fraud Authority, Police, or other law enforcement (suspected fraud, criminal activity, or threats to patient safety); the ICO (data protection matters); courts, tribunals, or legal advisers (legal claims); and your GP or other healthcare provider (where clinically necessary or at your request). We disclose only the minimum data necessary in each case.

8. Identity Verification

We are required by the regulations governing online pharmacy services to verify the identity of patients who place orders. This is carried out by LexisNexis Risk Solutions UK Limited.

The information you provide (name, date of birth, address) is checked against consumer credit reference agency records, the telephone directory, and the electoral register. This is an identity verification check only. It is not a credit check and will not affect your credit rating.

We carry out this verification on the basis of our legal obligation (Article 6(1)(c) UK GDPR). Your consent is not required, but if you have concerns please contact us before placing your order.

LexisNexis acts as both a data processor (on our behalf) and an independent data controller (for its own fraud prevention and identity verification activities). You have a right to access your records held by LexisNexis. See the LexisNexis processing notice at https://risk.lexisnexis.com/corporate/processing-notices/idu-app or contact LexisNexis Ltd, Lexis House, 30 Farringdon Street, London, EC4A 4HH.

9. Server-Side Conversion Tracking (Conversions APIs)

In addition to browser-based tracking, we use server-side integrations (Conversions APIs / CAPI) provided by Meta and Google, which allow our server to send conversion event data directly to the advertising platform's server rather than relying solely on browser-based tracking.

9.1 What Data is Shared — Where you have consented to advertising tracking, the following may be transmitted to Meta and Google: a hashed version of your email address; a hashed version of your telephone number; the monetary value of a transaction (without any indication of product or treatment category); a generic conversion event identifier; and technical identifiers such as IP address, browser user agent, and click identifiers where available.

9.2 What Data is Never Shared — As an online pharmacy, we are particularly conscious of the sensitivity of the data we hold. No clinical, health, treatment, or consultation data is ever transmitted to any advertising platform or third-party analytics provider. Specifically, we never share: the name, type, or category of any medication, treatment, or product purchased; any information about medical conditions, symptoms, or diagnoses; any consultation responses, clinical notes, or prescribing information; any URL paths or page identifiers that could reveal the health condition or treatment category; or any custom event parameters indicating health-related intent. Conversion events are labelled with generic, non-health-specific identifiers.

9.3 Consent and Your Choices — Server-side tracking is subject to the same consent requirements as browser-based tracking, in compliance with PECR (SI 2003/2426, as amended) and the UK GDPR. If you do not consent, or withdraw consent through our cookie settings, no data is transmitted via these integrations.

9.4 Controller Relationships — Each platform processes the data it receives as an independent data controller for its own purposes. We are the controller for the initial collection and transmission. See Meta's Privacy Policy (www.facebook.com/privacy/policy) and Google's Privacy Policy (policies.google.com/privacy).

9.5 Healthcare Data Restrictions — Our advertising accounts are classified by Meta under its health and wellness data restrictions policy, imposing additional platform-level restrictions on what can be shared. We comply with all such restrictions and do not attempt to circumvent any tracking capabilities that Meta or Google disable for health-classified accounts.

10. International Data Transfers

Where your personal data is transferred outside the UK, we ensure appropriate safeguards under Article 46 of the UK GDPR.

Google LLC (US) — Google Analytics, Google Tag Manager, and Google Ads data (incl. Enhanced Conversions) transferred to the US. Google participates in the UK Extension to the EU–US Data Privacy Framework.
Microsoft Corporation (US) — Microsoft Clarity and Microsoft Advertising data. Microsoft participates in the UK Extension to the EU–US Data Privacy Framework.
Meta Platforms, Inc. (US) — Data via Meta Pixel and Conversions API. Meta participates in the UK Extension to the EU–US Data Privacy Framework.
Triple Whale, Inc. (US) — E-commerce analytics data, protected by an International Data Transfer Agreement (IDTA) or, where applicable, the UK Extension to the EU–US Data Privacy Framework.
Ahrefs Pte. Ltd (Singapore) — Analytics data, protected by an IDTA or the addendum to the EU Standard Contractual Clauses.
Customer.io (Peaberry Software, Inc.) — Configured for EU-regional hosting; data processed and stored within the EEA. UK→EEA transfers are covered by the UK adequacy decision for the EEA.
Trustpilot A/S (Denmark) — Based in the EEA; UK→EEA transfers covered by the UK adequacy decision.

Our own first-party analytics system (atrack) is hosted exclusively in the United Kingdom on a UK-based DigitalOcean droplet. No international transfer of personal data takes place in respect of atrack.

Where any transfer is not covered by an adequacy decision, we rely on the IDTA or ICO-approved standard contractual clauses, or another appropriate safeguard permitted under the UK GDPR.

11. How We Store and Protect Your Data

Your personal data is stored securely on servers located in the United Kingdom. Our measures include: encryption in transit (SSL/TLS); access controls on a need-to-know basis; firewalls and intrusion detection; regular security assessments and monitoring; staff training; and written data processing agreements with all processors.

Payment card details are transmitted directly to Opayo (Elavon) via their secure gateway and are not stored on our systems. Opayo is PCI DSS certified.

While we take all reasonable steps, no method of internet transmission or electronic storage is completely secure, and we cannot guarantee absolute security.

12. How Long We Keep Your Data

Data category	Retention period	Basis
Medical and clinical records	10 years from last entry (or 10 years from date of death)	NHS Records Management Code of Practice; GPhC guidance
Prescription records	5 years from dispensing	MEP guide
Account and registration data	Duration of account + 7 years after closure/last activity	Limitation Act 1980
Order and transaction data	7 years from transaction	HMRC; Limitation Act 1980
Identity verification records	5 years from verification	Regulatory requirements
Complaints records	10 years from resolution	NHS Records Management Code; GPhC
Marketing consent records	Duration of consent + 2 years after withdrawal	ICO guidance
Website analytics data (Google Analytics, Microsoft Clarity, Ahrefs, Triple Whale, atrack)	Up to 14 months (or provider default, whichever shorter)	Provider defaults; data minimisation
Telephone call recordings	12 months	Legitimate interests — QA and training

At the end of the retention period, data is securely deleted or anonymised. Anonymised data may be retained indefinitely as it is no longer personal data.

13. Cookies and Similar Technologies

Strictly necessary cookies — Essential for the website to function (account login, basket, secure checkout). Cannot be disabled.

Analytical and performance cookies — Collect anonymised/pseudonymised information about how visitors use the site. We use Google Analytics, Microsoft Clarity, Ahrefs, Triple Whale, and our own first-party analytics (atrack), deployed via Google Tag Manager. Set only with your consent.

Advertising and targeting cookies — Used to deliver relevant advertising and measure campaign effectiveness. We use Microsoft Advertising (UET tag), Meta Pixel, and Google Ads tags, working in conjunction with the server-side Conversions APIs in Section 9. Set only with your consent.

You can manage your cookie preferences at any time through the cookie settings on our website, or via your browser. Our use of cookies complies with PECR (SI 2003/2426, as amended). For more, see our separate Cookie Policy.

14. Marketing Communications

We will only send marketing where you have given explicit consent, and we will never use your clinical or health data to send marketing material. You can withdraw consent at any time via your account marketing preferences, the "unsubscribe" link in any marketing email (this will not unsubscribe you from service communications necessary to provide your services), or by contacting us.

15. Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the rights of: access (Art 15); rectification (Art 16); erasure (Art 17 — noting we cannot delete clinical records we are legally or professionally required to retain); restriction (Art 18); data portability (Art 20); objection (Art 21, including to direct marketing at any time); withdrawal of consent; and rights related to automated decision-making (Art 22 — we do not carry out solely automated decision-making of this nature).

To exercise any right, contact our DPO (Section 3). We respond within one calendar month, extendable by two further months in complex cases (with notice within the first month).

16. Complaints

If you are unhappy with how we have handled your personal data, please first contact our DPO (Section 3). You also have the right to lodge a complaint with the ICO:

Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

17. Contact Us

Telephone: 0121 628 5318
Email: [email protected]
Address: Unit 2 Forge Industrial Park, Forge Lane, Sutton Coldfield, Birmingham, B76 1AJ

18. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Where we make material changes, we will notify you by email (where we have your details and permission) and post a prominent notice on our website. Continued use of our website and services following any changes constitutes your acceptance of the updated policy.

Schedule — Legislation and Regulatory Instruments Referenced: Data Protection Act 2018 (c. 12); Human Medicines Regulations 2012 (SI 2012/1916, as amended); Limitation Act 1980 (c. 58); Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426, as amended); UK General Data Protection Regulation (Regulation (EU) 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018). Standards and guidance: GPhC Standards for Registered Pharmacies (April 2023); ICO Guidance on Lawful Basis for Processing; NHS Records Management Code of Practice; PCI DSS.