Phlo Clinic Privacy Policy
Phlo Technologies Ltd (Phlo), trading as Phlo Clinic, (and also referred to here as "we" or "us"), takes your privacy and the security of your personal information seriously. We are committed to protecting it through our compliance with this policy.
This Privacy Policy describes who we are and how and why we collect, store, use and share your personal information, and highlights your privacy rights within the UK’s Data Protection Act (DPA), Privacy and Electronic Communications Regulations (PECR) and General Data Protection Regulation (GDPR).
Who we are
Phlo Technologies Ltd is a digital healthcare services provider, incorporated in Scotland under company number SC496769 with registered address C/O Gillespie & Anderson, 147 Bath Street, Glasgow G2 4SN.
If you have any questions or concerns about our personal data practices or policies or wish to exercise your privacy rights our appointed Data Protection Officer can be contacted at dpo@wearephlo.com.
Personal information we collect about you
To provide our healthcare services safely and effectively we collect a range of personal information. If you do not provide personal information we ask for, it may delay or prevent us from providing services to you.
The personal information we may collect about you includes:
- Name
- Date of Birth
- Gender
- Email address
- Telephone number
- Home and delivery addresses.
- Identity verification details (e.g. NHS Number, NI number)
- NHS exemption details (NHS services only)
- Information about past and present medications.
- Information about past and present prescription and treatment requests.
- Information about past and present prescriptions.
- Information about past and present orders.
- Information about past and present healthcare services provided.
- Healthcare records.
- Treatment specific consultation data (e.g. allergies, family history, blood pressure, photographic evidence).
- Billing information (Payment transaction data)
- Information about how you interact with our products and communications.
- Your communications with us.
- Your responses to surveys, competitions and promotions.
- Audit of logins, password changes and other key security events.
- Audit of actions carried out within our products.
As a healthcare provider we are required to collect, store and use your healthcare data as described above. Healthcare data is categorised as “Special Category” data and has higher levels of protection under UK law (ICO - Special Category Data). We use this special category data to comply with our legal obligations and to ensure we can provide our healthcare services to you safely and effectively.
How your personal information is collected
We collect your personal information:
- Directly from you when you provide it to us in person, by telephone, text or email and/or via our website and apps.
- Automatically as you use our service through cookies and other technical infrastructure.
- From third parties with your consent, e.g. your General Practitioner.
- From public sources, e.g. social media platforms, particularly where you are using those to communicate with us.
- Other Phlo Technologies Ltd services.
Why we use your personal information
We only use your personal information if we have a legitimate reason for doing so, e.g:
- To comply with our legal and regulatory obligations.
- For the performance of our contract with you or to take steps at your request before entering into a contract.
- For our legitimate interests or those of a third party.
- Where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
How we use your personal information
The table below explains how we use your personal information.
To provide our services to you.
|
For the performance of a contract with you or to take steps at your request before entering a contract.
This covers the processing of personal information required when offering our core services of:
· Consultations
· Prescribing
· Collecting payment for orders
· Preparing orders
· Delivering orders
|
To maintain an accurate user record.
|
For our legitimate interests or those of a third party.
|
To verify your identity.
|
To comply with our legal and regulatory obligations.
|
To take payment from you.
|
For the performance of a contract with you or to take steps at your request before entering a contract.
|
To prevent, detect and report criminal activity.
|
For our legitimate interests or those of a third party.
|
To receive feedback about our services.
|
For our legitimate interests or those of a third party.
|
To communicate with you regarding our services.
|
For our legitimate interests or those of a third party.
|
To understand how our services have been used.
|
For our legitimate interests or those of a third party.
|
To meet requirements of audits, enquiries or investigations by regulatory bodies.
|
To comply with our legal and regulatory obligations.
|
To enforce our legal rights.
|
For our legitimate interests or those of a third party.
|
To carry out statistical analysis.
|
For our legitimate interests or those of a third party
|
To build lookalike audiences for marketing campaigns
|
For our legitimate interests or those of a third party
|
To promote our services.
|
Where you have given consent.
|
To complete external audits and quality checks.
|
For our legitimate interests or those of a third party
|
To test our platform.
|
For our legitimate interests or those of a third party.
|
To support other legitimate interests
|
Where you have given consent.
|
Who we share your personal information with
We routinely share personal information with third parties to provide our services effectively.
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you.
Your data may be shared with the service providers listed below.
Financial Services Providers
To take payments, issue refunds, send invoices and complete financial reporting.
- Checkout Ltd, 54 Portland Place, London, W1B1DY, United Kingdom (Payment Processor)
- Xero (UK) Ltd, Bank House, 171 Midsummer Boulevard, Milton Keynes, MK9 1EB and our bank, Shawbrook Bank, Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex CM13 3BE (Finance management platform)
- Gillespie & Anderson, 147 Bath St, Glasgow G2 4SN and advisers Johnston Carmichael at 227 W George St, Glasgow G2 2ND (Accountants)
- Third parties approved by you, e.g. third-party payment providers such as your bank, which may request that you approve payment to us.
Logistics and Delivery Partners
To deliver orders successfully.
- Gophr Ltd, PO Box 501, The Nexus Building Broadway, Letchworth Garden City, Herfordshire, SG6 9BL. (Delivery Provider)
- Royal Mail, 100 Victoria Embankment, London, EC4Y 0HQ. (Delivery Provider)
- DPDgroup UK Ltd, Roebuck Lane, B66 1BY. (Delivery Provider)
- Packfleet Ltd, 14 - 16 Verney Road, London, England, SE16 3DH. (Delivery Provider)
- Despatch Cloud Ltd, Unit 76 Warfield Road, Kellythorpe Industrial Estate, Driffield, England, YO25 9FQ. (Delivery Booking Platform)
- IDDQD Limited (Ideal postcodes), International House, 24 Holborn Viaduct, London EC1A 2BN (Address Identification Platform)
- Other delivery partners we use from time to time
Website Host
To monitor website usage and track newsletter and waiting list registrations.
- Webflow Inc, 398 11th Street, 2nd Floor, SanFrancisco, CA 94103. (Website Host)
Application Hosts
To host our applications and supporting infrastructure.
- Google Cloud Platform operated by Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin 4, Ireland. (Application Infrastructure Host)
- CloudFlare services operated by Cloudflare, Inc., located at 101 Townsend St., San Francisco, California 94107. (Application Infrastructure Host)
- Apple Inc., 10955 N Tantau Ave, Cupertino, CA95014, United States. (Application Infrastructure Host)
Communication Platforms
To keep in contact with you.
- Postmark operated by AC PM LLC, 1 North Dearborn St, 5th Floor Chicago, IL 60602 to send transactional emails. (Email Communications)
- Twilio operated by Twilio, Inc. 375 Beale Street, Suite 300, San Francisco, CA 94105, USA. (SMS Communications)
- Intercom operated by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland, to provide real-time messaging services. (Email Communications)
- Active Campaign operated by AC PM LLC, 1 NorthDearborn St, 5th Floor Chicago, IL 60602. (Email Communications)
- 3CX, 4010 Boy Scout Boulevard, Suite 325 33607, Tampa, Florida USA to handle telephone communications. (Helpdesk Platform)
- Zoho Corporation Pvt. Ltd (Zoho Desk), PLOT No.140,151, GST ROAD, ESTANCIA IT PARK, VALLANCHERY, GUDUVANCHERY(POST) KANCHEEPURAM TN 603202 IN. (Helpdesk Platform)
Review Platform
To collect feedback on our products.
- Trustpilot A/S, Pilestræde 58, 5th floor, 1112Copenhagen K, Denmark. (Review Platform)
Web Application Infrastructure Partners
To track and report on web traffic.
- Google (Google Analytics) operates from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. (Web Analytics Platform)
- Hotjar Ltd (Hotjar), Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta. (Web Analytics Platform)
- PostHog Inc (PostHog), 2261 Market Street #4008, San Francisco, CA 94114. (Web Analytics Platform)
- Functional Software, Inc (Sentry)., 45 Fremont Street, 8th Floor, San Francisco, CA 94105. (Performance Monitoring Platform)
- Catamorphic, Co. dba LaunchDarkly (LaunchDarkly), 1999 Harrison St Suite 1100, Oakland, CA 94612, United States. (Feature Flag Platform)
- TYPEFORM SL, C/ Can Rabia 3-5, 4th floor, 08017 – Barcelona. (Orlistat consultation form)
Marketing Partners
To promote our services to other people and understand how you discovered us.
- Google (Google Ads) operates from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. (Advertising Platform)
- Facebook Ireland, 4 Grand Canal Square, Dublin, Ireland Dublin 2. (Advertising Platform)
- LinkedIn Ireland, Wilton Place, Dublin, Ireland.(Advertising Platform)
- Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland. (Advertising Platform)
- YouTube is a subsidiary of Google with offices at Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin, Ireland. (Advertising Platform)
- Taboola Inc, 16 Madison Square West, 7th Floor, New York, New York 10010. (Advertising Platform)
- Voucherify PSA, Porcelanowa 23, 40-246 Katowice, Poland (Discount Code Platform)
- DBS Ltd, 24 Station Road, Ossett, West Yorkshire, WF5 8AD. (Direct Mail Campaign Partner)
- All Response Media Ltd, Sutton Yard, 65 Goswell Rd., London EC1V 7EN. (TV Campaign Partner)
- Mention-Me Ltd, 20-22 Wenlock Road, London, N1 7GU. (Refer-a-friend Platform)
- Other marketing partners we use from time to time.
Healthcare Service Providers
To support us in providing safe and efficient healthcare services.
- Invatech Health, 442-450 Stapleton Rd, Easton, Bristol BS5 6NR. System data resides in two locations (1) Phlo Technologies London Pharmacy at Containerville, Unit 13, 35 Corbridge Crescent, London, E29EZ and (2) data centres in the Republic of Ireland operated by Amazon Web Services, One Burlington Plaza, Burlington Road, Dublin 4, Ireland. (Patient Medication Record Platform)
- Convenet Ltd registered at 3 The Paddocks, Ripley, England, DE5 3QR. (GP Integration Platform – Approved by NHS).
- OTC Direct Limited, trading as “NWOS”, at LeighService Centre Leigh Commerce Park Green Fold Way Leigh, WN7 3XJ. (Supplier of Medical Devices)
- NHS Digital at 7 and 8 Wellington Place, Leeds, West Yorkshire, LS1 4AP. (NHS Digital Services)
- GlykkaLLC, trading as Signeasy, at 750 N Saint Paul St Ste 250, PMB 42273, Dallas, Texas 75201. (Digital Signature Platform)
- LexisNexis, at Lexis House, 30 Farringdon St, London EC4A 4HH. (Identity Verification Platform)
- Your registered NHS GP Practice
Regulators and Legal Advisers
To comply with our legal and regulatory obligations.
- Addleshaw Goddard, Exchange Tower, 19 Canning St, Edinburgh EH3 8EH. (Legal Advisors)
- General Pharmaceutical Council at 25 Canada Square, Canary Wharf, London E14 5LQ. (Regulator)
- Information Commissioners Office at Wycliffe House, Water Lane, Wilmslow SK9 5AF. (Regulator)
- NHS England (known formally as the NHS Commissioning Board) and reachable at NHS England, PO Box 16738, Redditch, B979PT. (Regulator)
- External auditors as appropriate, e.g. in relation to ISO or Investors in People accreditation processes and the audit of our accounts.
- Law enforcement agencies and regulatory bodies as appropriate.
Other Commercial Partners
To share data where there is a legitimate interest to do so.
- Third parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, personal information will be redacted but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganisation, dissolution, or other sale or transfer of assets.
- Consumers of our data insights. The data that we collect from you through our applications and systems can help others. We want to share patterns of information on what medicines people take, when, where and for how long. The way in which we do this is by collating data, then removing personal information (names, postal addresses, email addresses, NHS numbers). We analyse the remaining data to identify insights and behaviours so that we can contribute with others to the development of medicines and how treatments are marketed and made available to people. This data can be sold to or shared with to government departments, healthcare professional bodies, the pharmaceutical industry and organisations who want to understand how medicines are used in the real world.
NHS Platforms
To provide NHS services.
Where we provide you with NHS services, we utilise NHS Digital platforms to provide an elevated healthcare experience.
- NHS Login
If you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the“controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
- NHS Personal Demographics Service (PDS)
If you are not a patient accessing our service using your NHS login details, your NHS number is accessed through an NHS Digital service called the Personal Demographics Service (PDS). We send basic information such as your name, address and date of birth to the PDS in order to find your NHS Number. Once retrieved from the PDS the NHS Number is stored in our patient management system. Your NHS number is used as a unique patient identifier to connect your Phlo patient record with your patient record in other healthcare systems.
We also use the PDS to track your NHS nominated pharmacy. We will notify you if your nominated pharmacy changes to another pharmacy and Phlo will no longer receive your EPS prescriptions. You will have the ability to renominate Phlo as your pharmacy of choice at any time.
Other Phlo Technologies Ltd Services
To provide integrated experiences and promote our services.
We operate a set of related healthcare services. In some cases, we may look to use data in an integrated fashion across the business, for instance where a service might be interesting to users of another services.
Where your personal information is held
Information may be held at our offices and those of our pharmacy, third-party system providers and agencies, service providers, representatives and agents as described above (see above: ‘Who we share your personal information with’). Your data is hosted in our pharmacy premises and offices in the United Kingdom and at data centre facilities in the United Kingdom and in the Republic of Ireland, except for Intercom, Webflow and Postmark services, which are hosted in the United States of America under the EU-US Privacy Shield framework.
Keeping your personal information secure
We take the security of information very seriously and have established security standards and procedures to prevent unauthorised access to your information. We maintain physical, electronic, and procedural safeguards to comply with applicable standards to ensure your information is always protected. We limit access to your personal information to only those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
For detailed information on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
How long your personal information is held
We retain your personal information while you actively use our services and for a period of time thereafter. Your information is retained for historical and archiving purposes so we can understand how we serviced you and to meet the requirements of our regulators.
You may exercise your right to have your personal information removed from our systems by contacting us at dpo@wearephlo.com.
Your rights
The UK’s data protection laws provide you with certain rights. These rights include:
- Right to be informed.
- Right of access.
- Right to rectification.
- Right to erasure.
- Right to restrict processing.
- Right of data portability.
- Right to object.
- Right not to be subject to automated individual decision making.
For further information on each of those rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights.
If you would like to exercise any of those rights, please email us with
- Your name, address, date of birth and account email address.
- Details on what right you want to exercise and the information to which your request relates.
How to complain
We hope that we can resolve any query or concern you may raise about our use of your information.
Should you be unable to resolve directly with us, the Data Protection Act gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted directly through their site at: https://ico.org.uk/concerns.
How to contact us
Please contact us by post, email or telephone if you have any questions about this privacy policy or the information we hold about you.
Our contact details are:
Phlo Technologies Ltd, Clockwise Offices, 77 Renfrew St, G23BZ.
Email: dpo@wearephlo.com
Telephone: 0141 255 0751
Changes to this privacy policy
We keep our privacy policy up to date to ensure you are always aware how we collect and use your personal information. If there is a fundamental change in how we process your data, we'll get in touch by email to inform you.
This privacy policy was last updated on 11th January 2024.