Privacy Policy
How we collect, store, and protect your personal and medical information.
Last Updated: March 2026
1. Introduction
Welcome to the My Cosmetic Pharmacy Privacy Policy. We respect your privacy and are committed to protecting your personal data. This policy explains how we look after your personal data when you visit our website (regardless of where you visit it from) and tells you about your privacy rights and how the law protects you.
My Cosmetic Pharmacy Ltd is the "Data Controller" and is responsible for your personal data. We are registered with the UK Information Commissioner's Office (ICO).
2. The Data We Collect About You
Because we provide clinical healthcare services, we collect standard personal data as well as "Special Category Data" (information regarding your health). We may collect, use, store, and transfer different kinds of personal data about you, grouped as follows:
- Identity Data: First name, last name, username, title, date of birth, and gender.
- Contact Data: Billing address, delivery address, email address, and telephone numbers.
- Health & Medical Data (Special Category): Information provided during your online medical consultations, body mass index (BMI), medical history, current medications, allergies, and treatment outcomes.
- Biometric & Verification Data: Government-issued ID (Passport/Driving Licence) and facial verification photos used strictly for legally mandated age and identity checks.
- Financial & Transaction Data: Bank account and payment card details (processed securely by our payment gateway; we do not store full card numbers), and details about payments to and from you.
- Technical Data: Internet protocol (IP) address, your login data, browser type and version, time zone setting, and operating system.
Why do we need your health data?
We rely on the legal basis of "provision of healthcare or treatment" under the UK GDPR. Without your complete and accurate medical history, our prescribers cannot safely assess your suitability for prescription medication.
3. How We Use Your Personal Data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- To provide clinical care: Our UK-registered prescribers use your Health Data to evaluate your medical consultation and safely issue prescriptions.
- To dispense medication: Our pharmacy team uses your Identity and Health Data to legally dispense and cross-check your medication.
- To verify your identity: To comply with GPhC regulations, we use third-party agencies (such as Stripe Identity or Yoti) to verify your age and identity.
- To deliver your order: We share your Contact Data with secure couriers (e.g., Royal Mail) to deliver your treatments.
- To notify your GP: If you explicitly consent during the checkout process, we will share details of your prescribed treatment with your regular NHS General Practitioner to keep your medical records up to date.
4. Disclosures of Your Personal Data
We treat your medical data with the utmost confidentiality. We do not sell your data to third parties for marketing purposes. We may share your personal data with the following parties for the purposes set out in Section 3:
- Healthcare Professionals: The independent doctors, pharmacist independent prescribers, and dispensing pharmacists who provide your care.
- Service Providers: IT and system administration providers, payment gateways (Stripe), and identity verification platforms (Yoti/Stripe Identity).
- Regulators & Authorities: The General Pharmaceutical Council (GPhC), the Care Quality Commission (CQC), the MHRA, and HM Revenue & Customs, who require reporting of processing activities in certain circumstances.
5. Data Security
We have put in place appropriate, industry-standard security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.
In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a clinical or business need to know. They will only process your personal data on our instructions and they are subject to a strict duty of confidentiality.
6. Data Retention (How long we keep your data)
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.
Medical Records: Under UK clinical governance guidelines, we are legally required to retain adult medical records (including consultation answers and prescription details) for a minimum of 8 years after the conclusion of treatment.
7. Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to:
- Request access: Receive a copy of the personal data we hold about you (a "Subject Access Request").
- Request correction: Have any incomplete or inaccurate data we hold about you corrected.
- Request erasure: Ask us to delete or remove personal data. Please note: Due to our legal obligations as a healthcare provider, we cannot delete clinical or medical records before the mandatory 8-year retention period has expired.
- Object to processing: Object to our processing of your personal data for direct marketing purposes.
8. Contacting Our Data Protection Officer
If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact our Data Protection Officer (DPO) using the details below:
- Email: dpo@mycosmeticpharma.co.uk
- Postal Address: Data Protection Officer, My Cosmetic Pharmacy Ltd, 123 Health Street, London, W1 2AB
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.