Privacy

Healthxchange Pharmacy UK Ltd (“We”, “Us”, “Our”) Privacy Statement This is Our Privacy Statement which details how We use your personal data (“Personal Data”) when you use Our Website www.healthxchange.com. We take Our data protection responsibilities seriously.

1. Privacy Statement

1.1 This Website is operated by Healthxchange Pharmacy UK Limited (“Healthxchange”) of 1st Floor Sackville House, 143-149 Fenchurch Street, London, EC3M 6BL, registered in England and Wales with Company No. 01999872. Healthxchange’s registration number with the UK Information Commissioner’s Office is ZB137616.
1.2 The UK General Data Protection Regulation and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025) (the “Regulations”) set out the responsibilities We have to protect your data.
1.3 This Privacy Statement sets out the way We will obtain and hold your Personal Data. This is known as “Processing”. When read together with Our Terms and Conditions of Use and Cookie Policy, this Privacy Statement covers Our relationship with you in relation to account registration, purchase of Goods, participation in training with Our Academy, use of this Website and other engagement with Our company. By continuing to browse and use this Website, you agree to this Privacy Statement. If you disagree with any part of this Privacy Statement, please do not use Our Website.
1.4 Any questions, comments and requests you may have regarding this Privacy Statement are welcomed and should be emailed to the Data Protection Officer at dpo@healthxchange.com.
1.5 www.healthxchangedevices.com is a separate website URL operated by Healthxchange Pharmacy UK Limited in connection with its medical devices product range. Although it has a different web address, it is owned and operated by the same company as this Website and is covered by this Privacy Statement. If you have submitted an enquiry via www.healthxchangedevices.com or have arrived at this Privacy Statement from that site, your Personal Data is processed by Healthxchange Pharmacy UK Limited as described in this statement. Contact form submissions made via www.healthxchangedevices.com are received directly by Healthxchange Pharmacy UK Limited and handled in accordance with Section 6 of this statement.
1.6 www.healthxchangeacademy.com is a separate website URL operated by Healthxchange Pharmacy UK Limited in connection with its training and education activities (the “Academy”). Although it is a separate site with a different web address, it is owned and operated by the same company as this Website and is covered by this Privacy Statement. The Academy uses the same account log-in credentials as this Website, so where you register for, log in to, or participate in training via www.healthxchangeacademy.com, your Personal Data is processed by Healthxchange Pharmacy UK Limited as described in this statement. Please note that the cookies and similar technologies used on www.healthxchangeacademy.com may differ from those used on this Website; the cookies applicable to the Academy site are described in the cookie information made available on www.healthxchangeacademy.com.

2. Data Protection Regulations

2.1 For the purposes of this Privacy Statement:

  • We determine the purposes for which and the manner in which your personal data is, or is to be processed, and We are known as the data controller (“Data Controller”); and
  • in submitting your data and information to Us to collect, handle and process, you will be the individual who is the subject of the data (the “Data Subject”); and
  • in processing your data and information, any other parties contracted to process data by the Data Controller will be known as (“Data Processors”).


3. What information do We collect and process?

3.1 We may collect and process Personal Data, including the following data and information that you give Us if you fill in the Account Registration Form, nominate a Prescriber, place an order for Goods, participate in training, submit an enquiry via www.healthxchangedevices.com, or otherwise correspond or engage with Us by phone, email, social media or otherwise:

  • name, date of birth and job title;
  • contact information including address, email address and phone number;
  • information necessary for the purposes of submitting a prescriber application, such as medical registration numbers, pin numbers, professional details and an image of your passport or driving licence;
  • patient names and address; prescriber name, and medication prescribed and directions for use;
  • payment card information;
  • the content of emails and messages;
  • call recordings when you contact our customer services team;
  • educational and professional history, details of training undertaken and qualifications achieved.

3.2 We understand that the data collected at 3.1(c) and 3.1(d) is Sensitive Personal Data.

3.3 We will collect and process the following data automatically from your visit to Our Website:

  • technical information, including the internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • information about your visit, including the full uniform resource locator (URL), clickstream to, through and from Our Website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call Our customer service number, and any other anonymised data or metrics that identify user behaviour and the habits of web visitors.

3.4 In some circumstances, We may obtain Personal Data about you from third parties, such as regulatory bodies. In some cases, this data may be available on publicly available registers — for example the GMC register.

3.5 Some of the Personal Data We collect and process is necessary to enter into and perform Our contract with you or for Us to meet Our legal obligations.

4. Cookies

4.1 We use cookies on this Website to distinguish you from other users and to improve your experience. Non-essential cookies (including analytics cookies) will only be placed on your device after you have given your prior, informed consent using the Cookiebot consent tool. Essential cookies, which are strictly necessary for the Website to function, do not require your consent. The use of cookies does not give Us access to your computer or any Personal Data beyond what you choose to share with Us.
4.2 You may choose to accept or decline cookies by using the Cookie Settings tool (accessible via the Cookiebot Privacy Trigger icon in the bottom left-hand corner of the screen) or by modifying your own browser’s settings.
4.3 Further information about the cookies We use and how they work is available in Our Cookie Policy at www.healthxchange.com/cookies.

5. Third party links

5.1 The Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that We do not accept any responsibility or liability for these policies or for any Personal Data that may be collected through these websites or services. Please check these policies before you submit any Personal Data to these websites or use these services.

6. How do We use the information?

6.1 We shall use the Personal Data and information you give to Us:

  • to allow you to create an account and nominate prescribers on the Website;
  • to process and analyse your order(s) including dispensing and dispatching the products and processing your payments;
  • to operate Our business (including by using email and other technology platforms);
  • to keep and maintain Our internal business records;
  • to comply with applicable laws and regulations;
  • to manage customer service enquiries, for Our internal training purposes, and for analysis and improvement of Our business;
  • to manage our relationships with industry peers and Key Opinion Leaders (KOLs);
  • if you give Us express consent, to provide you with Our own tailored marketing information that We think may suit your interests and needs;
  • if you give Us express consent, to provide you with marketing and promotional information from carefully restricted third-party pharmaceutical manufacturers that We think may suit your interests and needs.

6.2 Where you provide Us with information for the purposes of account or prescriber registration and orders, We may use such information to verify the information provided, carry out professional bona fide checks, process your application, process payments and fulfil your order. We may also transfer the data to our Data Processors in order to fulfil or analyse your order.

6.3 We reserve the right to anonymise your data to obtain analysis while retaining your privacy.

6.4 We may use automated tools to process your data, for example verifying your credentials against public registers.


7. Legal Basis for Processing

7.1 We will only use your Personal Data when the law allows Us to do so. Most commonly We will use your Personal Data in one or more of the following circumstances:

  • Where you have consented before the processing.
  • Where We need to perform a contract We are about to enter or have entered with you.
  • Where it is necessary for Our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where We need to comply with a legal or regulatory obligation.

7.2.1 Some of the data described at clause 3.1(c) and 3.1(d) — in particular patient names together with the medication prescribed and the directions for its use — concerns health and therefore constitutes Special Category Data (also referred to as Sensitive Personal Data) under Article 9 of the Regulations. This data is subject to additional safeguards.

7.2 Special Category (Sensitive) Personal Data

7.2.2 We rely on the following Article 9 conditions to process this data:

  • Article 9(2)(h) — processing necessary for the provision of health care and treatment and the management of health-care systems and services. This processing is carried out by Us in Our capacity as a registered pharmacy, under the responsibility of Our pharmacy professionals who are subject to the obligation of professional secrecy, and is supported by the associated condition in paragraph 2 of Schedule 1 to the Data Protection Act 2018 (health or social care purposes); and
  • where you provide your own Sensitive Personal Data directly to Us, Article 9(2)(a) — your explicit consent, obtained at the point at which the data is collected.

7.2.3 We process this data only to the extent necessary to verify prescriber credentials, and to process, dispense, fulfil and deliver prescription orders. We will not use it for any other purpose, including marketing, without your further explicit consent. As set out at clause 8.3, your Sensitive Personal Data and Sensitive Personal Data relating to patients will be stored securely and will not be passed on to other third parties except that We will provide patient contact details to Our delivery partner for any “direct to patient” orders.

    8. How do We handle your information?

    8.1 The data and information We collect from you will be transferred to and securely stored by Our third-party hosting providers, including Amazon Web Services (AWS) and Microsoft Azure.
    8.2 We are committed to ensuring that your data and information is secure. In order to prevent unauthorised access or disclosure, We have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information We collect online, including:
    8.3 Any Sensitive Personal Data that We collect as described at clause 3.1(c) and 3.1(d) shall be processed in accordance with the Regulations (including the Article 9 conditions set out at clause 7.2) and only to permit Us to process your request or enquiry. Your Sensitive Personal Data and Sensitive Personal Data relating to your patients will be stored securely by Our hosting providers and will not be passed on to other third parties except that We will provide patient contact details to Our delivery partner for any “direct to patient” orders.

    • all data and information you provide to Us is stored on secure servers;
    • any payment transactions will be encrypted using SSL technology;
    • where We have given you (or where you have chosen) a password which enables you to access certain parts of Our Website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone;
    • regular review and updating of Our security procedures.

    9. Data retention

    9.1 We will keep information about you only for as long as required for the purposes for which it was collected, or as required by law.
    9.2 In some circumstances you can ask Us to delete your data: see Section 12 below for further information.
    9.3 In some circumstances We will anonymise your Personal Data (so that it can no longer be associated with you) for analytical purposes, in which case We may use this information indefinitely without further notice to you.

    10. To whom may We disclose your information?

    10.1 In providing Us with data and information, you agree that We may disclose such information, where necessary for the purposes and uses listed in clause 6, to:

    • Our employees, agents, representatives and any Data Processors officially contracted to process the data on Our behalf;
    • selected third parties including:
    • business partners, suppliers and sub-contractors for the operation and development of Our business, including the performance of any contract We enter into with you;
    • analytic and search engine providers that assist Us in the improvement and optimisation of Our Website;
    • payment card merchants who comply with PCI/DSS requirements;
    • any other third parties We are legally obliged to disclose your information to.

    10.2 In providing Us with Personal Data you agree that We may disclose such data and information to carefully restricted third parties for their marketing and promotional purposes. We will always do this under contract and in compliance with the Regulations.

    10.3 We will only disclose your Personal Data to parties who bear sufficient legal responsibility for its protection and who have sufficient privacy and security measures in place to reasonably ensure that it will be protected and handled appropriately.

    10.4 We may disclose your Personal Data to third parties:

    • in the event that We sell or buy any business or assets, in which case We will disclose your Personal Data to the prospective seller or buyer of such business or assets;
    • if Our assets, or substantially all of Our assets, are acquired by any third parties, in which case personal data held by Us about Our customers will be one of the transferred assets;
    • if We are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply Our terms of use; or to protect Our rights, property or safety of Our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

    11. International Transfers

    11.1 Whenever We transfer your Personal Data outside the UK, We ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

    • We transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the UK Government.
    • Where We use certain service providers, We may use Standard Contractual Clauses or a UK International Data Transfer Agreement (IDTA) approved by the Information Commissioner, which give Personal Data the same protection it has in the UK.
      • 11.2 Please contact the DPO at dpo@healthxchange.com if you want further information on the specific mechanism used by Us when transferring your Personal Data outside the UK.

    12. Your rights and how you can control use of your information

    You have the following rights in relation to your Personal Data:

    • Right of access — to obtain a copy of the Personal Data We hold about you.
    • Right to rectification — to have inaccurate or incomplete Personal Data corrected.
    • Right to erasure — to request deletion of your Personal Data in certain circumstances.
    • Right to restrict processing — to request that We limit how We use your Personal Data.
    • Right to data portability — to receive your Personal Data in a structured, commonly used and machine-readable format.
    • Right to object — to object to processing based on Our legitimate interests or for direct marketing purposes.

    12.2 Direct Marketing
    If you have previously agreed to Us using your Personal Data for direct marketing purposes, you may change your mind at any time by emailing the Data Protection Officer at dpo@healthxchange.com.
    12.3 How to Exercise Your Rights
    To exercise any of the rights listed above, please contact:
    Data Protection Officer, Healthxchange Pharmacy UK Limited, 1st Floor Sackville House, 143-149 Fenchurch Street, London, EC3M 6BL
    Email: dpo@healthxchange.com
    Any access request will be free. We will respond within one calendar month. We may ask you to verify your identity before We act on a request.
    12.4 Accuracy
    If you believe that any information We are holding on you is incorrect or incomplete, please write to or email Us as soon as possible at the address above. We will promptly correct any information found to be incorrect.

      13. Changes to Privacy Statement

      13.1 We reserve the right to make changes to this policy from time to time by updating this page. Every time you wish to use Our Website, please check the statement to ensure you understand the terms that apply at that time.
      13.2 This version is effective as of June 2026.

      14. Your right to complain

      14.1 If you believe that your information held by Us is not being handled properly, you have the right to complain to the competent data protection authority:
      UK — Information Commissioner’s Office (ICO): https://ico.org.uk