Privacy Policy


Privacy Policy (Long-form)

What is the GDPR?

The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It will be enforced from the 25th May 2018.

Currently, the UK relies on the Data Protection Act 1998 (DPA), which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the GDPR from the 25th May 2018. Under the DPA, any company that holds and/or processes personal information about its clients, employees or suppliers is legally obliged to protect that information.

Since the DPA was enacted before the internet and cloud technology created new and unanticipated ways of processing data, the GDPR has been created by the EU to account for these technological changes. By strengthening data protection legislation and introducing tougher enforcement measures, the EU seeks to better protect people’s personal data. The GDPR will also enable businesses to operate in a simpler legal environment, where the lawful basis for processing personal data is easier to determine.

“Data Controller”

Under the DPA, a “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

As per the terms of the Data Protection Act 1998 and the GDPR, we act as a “data controller” in respect of the personal information that we hold about you. “Phlo” is a trading name of Organised Health Technologies Ltd (SC496769), which is registered at Capella Building (Tenth Floor), 60 York Street, Glasgow, Scotland, G2 8JX. You may contact us at [email protected] with any queries, comments and requests regarding your personal data. We take overall responsibility for managing your data and you can read more about our responsibilities by visiting our page on the Information Commissioner’s Office’s website here.

All our Partner Pharmacies are registered with the General Pharmaceutical Council (GPhC) and are subject to strict standards of data protection. We employ a GPhC-registered pharmacist who is responsible for overseeing how your prescriptions are processed by us. More information on the GPhC can be found here.

Our lawful basis for processing your data

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever a data controller processes personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).

Phlo processes your personal data under the following lawful bases:

Consent: You have given clear consent for us to process your personal data for a specific purpose, i.e. the requesting, dispensing and delivery of your repeat medicines.

Contract: Our processing of your data is necessary for the contract you have with Phlo, so that Phlo may fulfil your requests for your repeat medicines to be requested, dispensed and delivered to you.

Information Gathering & Processing

What information is collected?

We collect two types of information about you while we provide the Services:

Personal information, which is information that identifies you and includes your name, date of birth, address, email address and phone number.

Sensitive personal information, which includes certain personal information defined under the Data Protection Act.

While using the Services, the only form of sensitive personal information we will require will relate to your medical information. We will need to ask you for medical information, so that we can request your repeat prescription from your GP.

We will need to know:

  • what medicines you are taking
  • what you are taking them for
  • the dosage and directions for these medicines
  • any other information related to your medical therapy that is considered relevant by the healthcare professionals who are processing your order.

We also need this information for our pharmacist to manage your medication and answer any questions you may have regarding your medicines. Therefore, it is important that we can obtain all relevant medical information while providing the Services.

We will collect and store details of all medicines that are supplied to you while using the Services. We require this information to request your repeat medicines from your GP surgery either directly, or indirectly by having our Partner Pharmacy request your repeat medicines on your behalf. After you receive your repeat medicines, this information will be stored securely to allow you to conveniently re-order your repeat medicines in due course, by selecting your saved medicines from within the Phlo application.

Our Partner Pharmacies are legally required to keep records of the medicines they have dispensed for you and they will retain separate records that Phlo does not have access to.

We will also collect and store information on any medicines or other products that your GP or your Partner Pharmacy advises that you may be using while you are using the Services – we do this to ensure your medical treatment is clinically appropriate.

How will your information be used?

We collect personal information so that we can successfully complete your order, such as delivering to your chosen location or contacting you during the ordering process. The purpose of such contact will be to schedule exact delivery times, to confirm or request to change particulars of a given delivery, or to advise you of issues that have arisen during the processing of your order. For example, Phlo might contact you to advise that a given medicine is out of stock, and that it will take longer to fulfil your order than previously anticipated.

Our trained healthcare staff may contact you, or your GP, as a matter of routine practice, to ensure the safe and effective supply of your repeat medicines.

We will use location information from your phone to facilitate the ordering and delivery process.

We will request electronic proof of consent from you for us to act on your behalf during the repeat medicines ordering process.

We use a variety of means to communicate with you while providing the Services, such as in-app notifications, emails, texts and phone calls. The purpose of these communications will be directly related to the processing of your order, such as advising you of medicines shortages, or to pass on messages from your GP surgery, e.g. requesting that you attend your GP surgery prior to the re-issue of a prescription for a repeat medicine. These communications may contain personal information and if you object to any of these means of communications, then please do not use this service. You will be able to manage the frequency and nature of these communications from within the Phlo application. Please be aware that, due to the nature of the Services, we must be able to contact you about your repeat medicines order as a matter-of-course.

While we take your payment details when providing the Services, these are not stored by us, but are instead managed by Stripe, a third-party service provider.

We will never pass your information onto any third-party service providers for any purpose other than providing the Services – please see the section “Third-party service providers” for more details.

We will share your information without your consent only if: we are compelled to do so by a UK court or police force; or it is necessary to protect the rights, property or safety of us, our other customers or third parties, such as conducting identity checks, preventing fraud or contacting your prescriber if there is a professional concern relating to your medical treatment.

Third-party Service Providers

There may be occasions where we use third-party organisations to assist us in the following aspects of the Services:

  • Delivering your orders from a registered pharmacy premises
  • Providing email or text messages that allow you to track your order
  • Processing payments made by you or by us

If we need to provide these third-party providers with personal information, it would be the absolute minimum required to provide the Services, e.g. we might provide your name and address to a third party, so that your order could be delivered, but we would never disclose your medical information.

Currently, Phlo uses the following third-parties as part of the Services:

Onfleet, a San Francisco based technology company specialising in logistics management software and route optimisation for businesses offering last-mile delivery. We use Onfleet’s software to co-ordinate our hand delivery of medicines to you. We only provide Onfleet with your name and chosen delivery address, date and time. No medical information is ever passed to Onfleet at any stage. Onfleet complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Their privacy policy may be found here.

Royal Mail, who we use to post your medicines to you, should this be appropriate. The only information we provide to Royal Mail will be your name and delivery address, along with any special requirements for your order, e.g. it requires a signature on delivery. No medical information is ever passed to Royal Mail at any stage.

Yodel, a courier company who we use to convey your medicines, which have been dispensed by our Partner Pharmacy, to one of our distribution hubs, in advance of final hand-delivery to you.

Stripe, a San Francisco based technology company that allows both private individuals and businesses to accept payments over the Internet. Our use of Stripe’s service allows them to collect, use and disclose certain Personal Data about you when acting as our service provider. Phlo is responsible for making sure that your privacy rights are respected, including ensuring appropriate disclosures about third-party data collection and use. To the extent that Stripe is acting as Phlo’s data processor, they will process Personal Data in accordance with the terms of Stripe’s agreement with Phlo and Phlo’s lawful instructions. We only send the minimum personal information required to complete a given payment to Stripe. We will never send your medical information to Stripe, under any circumstances. Their privacy policy may be found here.

These third-parties are prohibited from advertising their services to you using the information provided by us.
We will take all appropriate measures to ensure that your information is kept safe and secure. Access to your information will be restricted to authorised persons or third-party suppliers.

Your information will never be transferred outside the European Economic Area without adequate safe-guards being in place.

We use encryption when transferring your information electronically, and all electronic devices used to store your personal information are kept securely.

While we will endeavour to maintain the security of your information, we cannot be held accountable if information transferred electronically is compromised.

Your Rights

As per the Data Protection Act 1998 and the GDPR, you have certain legal rights regarding our use of your personal information.

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Detailed guidance on each of these individual rights may be found at the website of the Information Commissioner’s Office (ICO) here. If at any stage you wish to withdraw from your use of the Services, then you may contact us via phone (0141 255 0751) or email ([email protected]) to that effect.

Your data will not be retained beyond any legally- or professionally-required time-period.

You may request, in writing, a copy of all the personal information that we hold about you. Under the DPA, we are legally obliged to respond to your request within 40 calendar days, and you will be charged an administrative fee of £10 to receive a printed copy of the information we hold about you. From the 25th May 2018, the GDPR requires us to respond within one month and, in most cases, without charge. You will need to provide sufficient information for our staff to identify you and adequate ID (e.g. passport, driving licence etc.) for them to verify your identity.

If you believe the information we have about you is incorrect, please let us know in writing at your earliest convenience. As with requests to view your information, we will need to verify your identity to process such requests.

Your rights may vary with changes in relevant legislation, so we advise you to periodically review this section.