Privacy Policy
How we use your personal information
At Simple Online Healthcare, referred to as ‘Simple Online’, we're committed to protecting and respecting your privacy. This privacy notice explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others, how we keep it safe and secure and your rights and choices in relation to your information.
We have a separate Privacy Notice for our employees available on request.
Who are we?
Simple Online is a registered company with its Registered Office at 77 Dunn Street, Glasgow, Scotland, G40 3PA.
Simple Online takes the issue of security and data protection very seriously, including compliance with the UK General Data Protection Regulation, the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.
We are registered as a data controller with the Information Commissioner’s Office (‘ICO’) and our registered number is ZA146463.
When we refer to ‘our websites’, we are referring to both simpleonlinehealthcare.com and simpleonlinepharmacy.co.uk.
How do we collect information from you?
We obtain information about you in the following ways:
Information you give us directly
We collect information from you:
- when you register an account with us for the provision of our online pharmacy services;
- when you make an enquiry via telephone or via our websites' Contact Us forms, pre-purchase assessments, or our live chat, or otherwise provide us with your personal details;
- when you place an order with us, to fulfil that order;
- during visits to our premises;
- when you use our websites, through the use of cookies, tracking and website analytics;
- when you enter any other information on our websites, or attend an online virtual meeting in platforms such as Zoom and Teams; and
- from your use of any of our other online services, websites, social media, etc.
If you apply for a job with us, we collect information about you from your job application. If you are successful in joining our team, we will also collect information from you in relation to your employment. The personal data we use during your employment with us can be reviewed within our employee privacy notice.
We will also collect contact details from our business partners, suppliers and contractors when we begin our business relationship with you.
Information we receive regarding you indirectly
- Your information may be shared with us by third parties, which might include subcontractors acting on our behalf who provide us with technical, payment or other services, and our business partners;
- we may collect your image and audio from our CCTV cameras which are located on our premises;
- when you visit our websites, we place cookies on your device to run those websites. For more information about cookies and how we use them please see our respective Cookie Notices;
- we may receive information from other healthcare professionals, such as general practitioners in relation to medical history and records.
- when you interact with us on social media platforms such as Facebook, we may obtain information about you (for example, when you like or post on our Facebook page). The information we receive will depend on the privacy preferences you have set on those types of platforms. You should check any privacy policy / notice provided to you where you give your data to a third party, for example, when you post to our Facebook page;
- during our employment process, we may contact you using your personal data in relation to employee reference checks;
- when you are noted as the emergency contact or next of kin of an employee, we may contact you when a situation arises; and
- when we are contacted by local authorities and law enforcement in relation to ongoing investigations.
What type of information is collected from you?
Why do we need it and how will it be used?
The personal information we collect, store and use, depends on your relationship with us. We may collect the following information about you:
If you are our customer:
- Name
- Address
- Gender
- Telephone number
- E-mail address
- Other contact details as deemed appropriate
- Order information
- Invoices
- Payment information
- Employment information
- Online identifiers, such as social media profiles or IP addresses
- Signature
- Bank account details
- CCTV imagery and audio
- Identification documentation
- Photographs and/or photographic evidence
As an employee of the organisation that is our customer or client, we may use your personal data to contact you about the work we are doing for your organisation. This personal data will typically be limited to employee contact details such as name, business telephone number and email address, and job title.
Additionally, if you are a potential customer or client, and have expressed an interest in our services, we may contact you in relation to the services which you have requested information about, and in order to enter into a contract with you or your organisation.
We may use this information:
- to undertake and perform our obligations and duties to you in accordance with the terms of our contract/agreement either with you or another person;
- to enable us to supply you with the services and relevant service information, including processing and fulfilling orders, which you have requested, and manage both billing and order delivery;
- to create and maintain your Simple Online Pharmacy account, including maintaining a record about your orders, treatments and care;
- to analyse the information we collect so that we can administer, support and improve and develop our business and the services we offer;
- to contact you and send you details of any changes to our services, or other relevant service notifications, such as product or service unavailability, which might affect you;
- to undertake pre-purchase assessments to determine suitability of orders. This includes when you provide us with identification documentation, or photographs, in relation to, for example, proof of weight, in order for us to fulfil an order and prescribe responsibly;
- to respond to any queries or complaints, and to analyse these further in order to continuously improve our service;
- to undertake marketing related activities in line with UK Laws;
- to contact you for your views on our products and services, for market research purposes. For instance, we may contact you via email to invite you to review any services you received from us, in order to collect your feedback and improve our services. To do this, we use Trustpilot A/S (“Trustpilot”) to collect your feedback, which means that we will share your name, email address and reference number with Trustpilot for this purpose. If you want to read more about how Trustpilot processes your data, you can find their Privacy Policy here; and
- for all other purposes consistent with the proper performance of our operations and business.
If you apply for a job with us:
- your contact details, previous employment history and qualifications
- we may collect details of ethnicity and disability – for equalities monitoring and so that we can make any appropriate adjustments to your workplace
- we may collect references from third parties whose details you have provided
We require this information as part of our recruitment process. If your application is unsuccessful, we will keep your application for six months so that we can contact you if a similar job becomes available.
If you are a business contact, such as a supplier or contractor:
- we may collect your business contact details such as your name, business address and business e-mail and your company’s bank account details. If you are a sole trader this may be your personal details.
We need these details in order to provide our services, run our business and pay or invoice suppliers and contractors.
If you are a potential business contact, proposing to offer services to us, we may process your personal data in relation to entering into a contract with you or your organisation.
When you visit our websites:
- if you allow the relevant Cookies, we may collect information about your activities on our websites and about the device used to access it, for instance your IP address and geographical location. For more information, please see our respective Cookie Notices.
- we utilise analytics and tracking tools in order to resolve website issues or make improvements to the usability and layout of our website. To do this, we analyse your interaction with the website, via reviewing user clicks.
- any other personal information shared with us via our website forms, such as our Contact Us page. We will use this information to help provide the services you have requested.
Links to other websites:
Our websites may contain links to other websites run by other organisations. This privacy notice applies only to our websites, so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other websites even if you access those using links from our websites.
In addition, if you linked to any of our websites from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the privacy notice of that third party site.
When you visit our premises
- your image and audio may be captured by our CCTV cameras. Notices are available where the cameras are in operation.
CCTV is used for the security of our staff and customers and to assist with the prevention and detection of crime, or as evidence in a complaint.
If you do not wish to provide your personal data
You have obligations under your contract / potential contract with us to provide us with the necessary data. If you do not provide this information, this may prevent the Association’s ability to enter into or maintain a contract with you.
Who has access to your information?
The information you provide to us will be treated in accordance with data protection law. Depending on your type of contract or other business relationship with us, we may disclose your personal data to any of our employees, officers, contractors, insurers, professional advisors (including legal advisers and our Data Protection Officer), agents, suppliers or subcontractors, selected third parties, government agencies and regulators and healthcare providers for the purposes set out in this notice, or for purposes approved by you, including the following:
- when we share your information with general practitioners in order to understand your medical history and prescribe responsibly;
- if we enter into a joint venture with, or merge with, another business entity;
- if required by law, we will disclose your information to statutory bodies such as auditors or solicitors, or to local authorities and law enforcement;
- we utilise the services of LexisNexis Risk Solutions UK Limited (Company number: 07416642) (https://www.lexisnexis.co.uk/) for ensuring that our patients are genuine. This occurs the first time that you place an order with us, and upon each subsequent order, in order to validate your identity. This is a requirement from the General Pharmaceutical Council, where it is expected that all online pharmacies have systems in place to verify the identity of customers prior to supplying medication. We undertake this processing under the lawful basis of performance of a contract. LexisNexis check three data sources for this: credit agencies, voting register and telephone database. The information you provide will be validated by LexisNexis and used for the purpose of identity verification. You have a right of access to your personal records held by LexisNexis. This right is detailed in the LexisNexis Privacy Policy. LexisNexis may be contacted at the following address: LexisNexis Ltd, Lexis House, 30 Farringdon Street, London EC4A 4HH.
- if we are conducting a survey of our products and/or service, your information may be disclosed to third parties assisting in the compilation and analysis of the survey results; and
- we may pass your information to our third-party service providers, suppliers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example, Software providers and IT Technical services providers).
Unless required to do so by law, we will not otherwise share, sell or distribute any of the information you provide to us without your consent.
Lawful Processing
Data protection law requires us to rely on one or more lawful grounds to process your personal information. We may process your personal data under the following lawful bases:
Performance of a contract
Where we are entering into a contract with you or performing our obligations under it, such as processing your personal data as part of the services contract we have with you.
Consent
Where you have given your explicit consent for us to process your data, for example to receive marketing emails from us.
Legal obligation
Where necessary so that we can comply with a legal or regulatory obligation to which we are subject, for example where we are ordered by a court or regulatory authority like HMRC.
Vital Interests
Where it is necessary to use your data to protect your own, or someone else’s, life.
Legitimate interests
Where it is reasonably necessary to achieve our or others’ legitimate interests (as long as what the information is used for is fair and does not unduly impact your rights).
We consider our legitimate interests to be:
- protecting our staff and customers and assisting with the prevention and detection of crime through the use of CCTV recordings;
- enhancing, modifying, personalising or otherwise improving our services / communications for the benefit of our customers;
- better understanding how people interact with our websites;
- sending you direct marketing by email or text, where you have previously shown an interest in our products or services, and where we have provided you with a choice to opt-out; and
- contacting you in relation to applicant reference checks.
When we legitimately process your personal information in this way, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information where our interests are overridden by the impact on you, for example, where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
Processing special category personal data
Special categories of personal data means information about your racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; sex life or sexual orientation; criminal convictions, offences or alleged offences; genetic data; or biometric data for the purposes of uniquely identifying you.
The special categories of personal information require higher levels of protection. We need to meet additional legal requirements for collecting, storing, and using this type of personal information.
Where we process your special category data, our legal basis for processing this will be one of the following:
- Explicit consent
- Employment, social security and social protection
- Vital interests
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interest (with a basis in law) (includes equality of opportunity)
- Preventative and occupational medicine, provision of health and social care
- Public health (with a basis in law)
- Archiving, research, and statistics (with a basis in law)
We will process your special category data in order to provide you with our core pharmacy services, as detailed earlier in this privacy notice.
How long is your information kept for?
We review our data retention periods regularly and will only hold your personal data for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of information), or as set out in any relevant contract we have with you. Our full retention schedule is available by contacting our Data Protection Lead. Contact Details are mentioned at the end of this privacy notice.
We review our retention periods on a regular basis.
Where do we keep your data?
Your information will only be stored within the United Kingdom except where international transfers are authorised by law.
How do we keep your data safe?
When we are provided with personal data, we take steps to make sure that your personal information is kept secure and safe. All data is held in accordance with Simple Online’s data protection policies and procedures. Our systems are password protected, with multi-factor authentication enforced, and all electronic data is stored securely, with encryption enabled during transit and at rest. Additionally, we utilise Microsoft 365 and its associated security features in order to protect your personal data, such as access management controls, data classification controls, and more. All paper files are kept in secure locked cabinets.
Keeping your information up to date
We take reasonable steps to ensure your information is accurate and up to date; however please help us keep our records updated by informing us of any changes to your email address and other contact details.
Your Rights
Under UK data protection law, you have certain rights over the personal information that we hold about you.
Right of access
You have a right to request access to the personal data that we hold about you and to request a copy of it, and we will provide you with this unless legal exceptions apply. If you want to access your information, please send a description of the information you would like to see to the contact details at the bottom of this privacy notice. We may ask for proof of your identity before proceeding with your request.
Right to have your inaccurate personal information corrected
You have the right to have inaccurate or incomplete information we hold about you corrected.
Right to restrict use
You have a right to ask us to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or we're not lawfully allowed to use it.
Right of erasure
You may ask us to delete some or all of your personal information and, in certain cases and subject to certain exceptions, we will do so as far as we are required to.
Right for your personal information to be portable
If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, for example, via you completing a form on our websites, you may ask us to provide it to you or to another service provider in a machine-readable format.
Right to object
You have the right to object to processing where we are using your personal information (1) based on legitimate interests, (2) for direct marketing or (3) for statistical/research purposes.
If you want to exercise any of the above rights, please contact our Data Protection Lead at the details below. We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within one month of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.
Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the UK’s Information Commissioner’s Office.
Queries and Complaints
We seek to directly resolve any queries or complaints about how we handle information and would request that they be directed, in the first instance, to dpo@simpleonlinehealthcare.com.
Our Data Protection Officer is provided by RGDP LLP and can be contacted either via 0131 222 3239 or info@rgdp.co.uk.
You also have the right to complain to the Information Commissioner’s Office in relation to our use of your information. The Information Commissioner’s contact details are noted below:
Telephone: 0303 123 1113
Online: https://ico.org.uk/make-a-complaint/
Changes to this privacy notice
Any changes we may make to this Privacy Notice in the future will be posted on our websites, so please check occasionally to ensure that you're happy with any changes. If we make any significant changes to the way we process your personal data, we'll make this clear on our websites.
This Privacy Notice was last updated on 06/03/2025