1. Introduction
This Privacy Policy explains how Curo Pharmacy ("we", "us", "our") collects, uses, stores, and protects information about you when you visit our website at www.curopharmacy.com or use any of our pharmacy services.
This policy should be read alongside our Terms & Conditions, Cookies Policy, and Medical Disclaimer.
We are committed to protecting your privacy and handling your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable healthcare regulations under the General Pharmaceutical Council (GPhC).
Quick summary: We collect personal and health information only to deliver our pharmacy services to you. We do not sell your data. We share it only with parties who legitimately need it (your GP, the NHS, our IT providers, and the services you use). You have full rights over your data under UK GDPR — explained in Section 9 below.
2. Who we are
Curo Pharmacy is the data controller responsible for your personal data.
Blackburn, BB2 3HS
Telephone: 01254 660473
Email: curopharmacy@awap.co.uk
NHS Email: pharmacy.fgd84@nhs.net
Superintendent Pharmacist: Abid Malluk (GPhC Reg: 2065670)
Premises GPhC Number: 1091896
3. What information we collect
We may collect the following categories of information about you:
Contact and identification details
- Full name, date of birth, gender
- Email address, mailing address, telephone number
- NHS number
- GP surgery details
Health and medical information
- Medical history and current health conditions
- Medication history and current prescriptions
- Allergies and adverse reactions
- Consultation notes from services we provide (e.g. NHS Pharmacy First, Cryopen, Weight Management)
- Vaccination records
Service preferences
- Order history
- Communication preferences (e.g. text alerts, email reminders)
- Marketing preferences
- Reviews and feedback you provide
Payment information
- Payment card details for private services (processed securely via PCI-compliant third-party providers — we do not store full card numbers)
- Billing address
Technical information (automatic)
- IP address, browser type, device type
- Pages visited and how you use our website
- Cookie data (see our Cookies Policy)
We aim to collect only the information needed to provide the service you've requested. Sensitive health information is collected only when necessary for clinical care.
4. How we use your information
We use your information to:
- Dispense prescriptions and deliver pharmaceutical care
- Process Electronic Prescription Service (EPS) nominations and repeat prescription requests (which involves sharing your details with your GP surgery)
- Provide consultations, vaccinations, and private clinical services
- Send appointment reminders, prescription-ready alerts, and service notifications
- Process payments for private services
- Respond to your queries, comments, and complaints
- Improve the quality of our services and website
- Comply with our legal, regulatory, and clinical governance obligations
- Detect and prevent fraud or abuse of our services
- Send marketing or newsletter communications — only with your explicit consent
5. Legal bases for processing your data
Under UK GDPR, we must have a lawful basis for processing your data. The bases we rely on are:
- Consent: When you register, sign up for a service, or opt-in to communications.
- Contract: When processing is necessary to fulfil a service you've requested (e.g. dispensing a prescription).
- Legal obligation: When we are required by law to keep records (e.g. NHS prescription records, controlled drug logs).
- Vital interests: When processing is necessary to protect someone's life or safety.
- Public interest / public task: For NHS-commissioned services (e.g. Pharmacy First, vaccinations).
- Legitimate interests: For routine business activities such as website improvement, where your rights are not overridden.
For special category health data, we additionally rely on:
- Explicit consent for direct clinical care, or
- Provision of health or social care by a regulated health professional (Article 9(2)(h) UK GDPR)
6. Who we share your data with
We share your information only with parties who legitimately need it to provide your care. We never sell your personal data to anyone.
Healthcare partners
- Your GP surgery — for EPS nominations, repeat prescription requests, and clinical communications
- NHS Business Services Authority — for NHS prescription processing and remuneration
- NHS England and integrated care systems — for NHS-commissioned services
- Other healthcare professionals — when necessary for your safe and continuous care
Service providers
- PharmAppy (our digital pharmacy partner) — if you use the app to order prescriptions or manage communications. PharmAppy has its own privacy policy.
- Authorised IT and hosting providers — for website and database operations
- Payment processors — for handling card payments (PCI-DSS compliant)
- Delivery and courier services — for medication deliveries
- Google Maps — when you view the embedded map on our website (subject to Google's privacy policy)
Regulatory and legal bodies
- The General Pharmaceutical Council (GPhC) — our regulator
- Other regulatory or law-enforcement bodies — when required by law
7. How long we keep your data
We retain your data only as long as necessary:
- Patient medical records: Typically retained for at least 8 years after the last entry for adults, and until the patient's 25th birthday for paediatric records, in line with NHS records management guidance.
- Controlled drug records: Retained for at least 7 years as required by law.
- Financial and transaction records: Retained for 6 years for tax and accounting purposes.
- Marketing preferences: Retained until you withdraw consent.
- Website analytics and cookies: See our Cookies Policy.
You can request deletion of your data at any time (see Section 9), but legal retention requirements may apply.
8. How we protect your data
We take the security of your data seriously and use industry-standard measures including:
- SSL/TLS encryption for all data transmitted between your device and our systems
- Encrypted storage on secured UK-based servers
- Strict access controls — only authorised staff can access patient records
- Regular backups (at least monthly) stored securely in the UK
- PCI-DSS Level 1 compliant payment processing — we do not store full card details
- Staff data-protection training and confidentiality agreements
- Monitoring for unusual access patterns or breaches
Despite our best efforts, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but commit to acting promptly if a data breach is detected, including notifying the Information Commissioner's Office (ICO) where required.
9. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right to be informed — what we collect and why (this policy)
- Right of access — request a copy of the personal data we hold about you (a "Subject Access Request")
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements
- Right to restrict processing — limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — at any time, for any processing based on consent
- Rights regarding automated decision-making — we do not currently make decisions about you using automated processes alone
To exercise any of these rights, contact us using the details in Section 14. We will respond within one calendar month as required by UK GDPR.
10. Cookies and tracking
Our website uses cookies to improve your experience. Some cookies are essential for the site to function; others are used for analytics or personalisation. You can control cookies via your browser settings.
For full details, see our Cookies Policy.
11. Third-party websites
Our website may contain links to other websites — including NHS.uk, PharmAppy, and others. Each has its own privacy policy. We are not responsible for their privacy practices. Please read their policies before submitting any personal information.
12. Children's privacy
We provide services to people of all ages, including children, where clinically appropriate. Where a child is under 16, we will normally process data with the consent or involvement of a parent or guardian. We handle children's data with the same — or higher — standard of care.
13. Changes to this Privacy Policy
We may update this policy from time to time to reflect changes in our practices, services, or legal requirements. Any changes will be posted on this page with a revised "Last updated" date. We encourage you to review it periodically.
14. How to contact us about your data
For any questions, comments, requests, or to exercise your rights, please contact us:
Telephone: 01254 660473
Email: curopharmacy@awap.co.uk
15. Complaints to the regulator
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK's data protection authority:
Helpline: 0303 123 1113
Website: ico.org.uk
We would, however, appreciate the chance to address your concerns directly before you contact the ICO — please get in touch with us first.