
Plantmed Clinic UK Ltd (Co. no 15642057), trading as "Dispensed"

Privacy Policy

This Privacy Policy describes how Plantmed Clinic UK Ltd (Company Number 15642057), trading as "Dispensed", and any of its affiliates (collectively, "we", "us", or "our") are legally obligated to collect, protect, and process your personal data in strict compliance with UK data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy outlines our data collection, processing, storage, and sharing practices concerning personal data obtained through our websites and/or services (collectively, "Services").

This policy applies to all individuals interacting with our services, including patients, healthcare providers, and website visitors. This Privacy Policy does not apply to our employee or contractor records.

If you have any questions or concerns about our use of your personal data, please contact us using the details provided at the bottom of this Privacy Policy.

How We Collect Information

The way in which we collect personal data about you depends on your relationship or interactions with us.

Information You Provide Voluntarily

Certain parts of our Services may require you to provide personal data voluntarily. For example, we may ask for your contact details in order to:
  • Book a consultation with us.
  • Subscribe to marketing communications.
  • Submit enquiries to us.
The personal data we request, and the reasons for collecting it, will always be clearly explained to you at the time of collection, to ensure compliance with the principle of transparency under UK GDPR.

When you access our Services online, we may automatically collect certain information from your device. Specifically, this may include:
  • Your internet protocol (IP) address
  • Login data
  • Browser type and version
  • Time zone setting and location
  • Other technical information related to your device and connection
We may also collect information about how your device interacts with our Services, including:
  • Pages accessed
  • Links clicked
Collecting this information enables us to better understand the users of our Services, where they come from, and what content is of interest to them. We use this information for internal analytics and to improve the quality and relevance of our Services.

Some of this information may be collected using cookies and similar tracking technologies, as explained further under the section "Online Tracking and Your Choices" below.

Information That We Obtain from Third-Party Sources

Where possible, we collect information directly from you. However, in some cases, we may receive information about you from third parties, including:
  • Your treating healthcare professional (if you are a patient)
  • Your patient (if you are a healthcare professional)
  • Third parties with whom we have a relationship

Information We Collect and Why

The table below sets out the types of personal data we collect, why we use it, and, where required under applicable law, the lawful basis for processing that personal data.
Data Subject Category | Data Type | Why We Use This Information | Lawful Basis
Patients
Contact information: such as your name, email, phone number, and location, and where you access our services, more detailed information such as your gender, date of birth, next of kin, insurer’s details, NHS number, national identity or passport number.
To arrange a consultation, treatment, or follow-up
  • Performance of a contract
  • Our legitimate interests
Where your healthcare professional has provided your information to us in order to arrange a consultation with us, to contact you for referral purposes
  • Performance of a contract
  • Our legitimate interests
To contact you to participate in a survey
  • Consent
Medical information: such as your diagnosis and medical health history
To arrange a consultation, treatment or follow up with you
  • Performance of a contract
  • Our legitimate interests
  • Health or social care (for the provision of healthcare or treatment)
To carry out analytics and create aggregate statistics for research purposes.
  • Our legitimate interests
  • Scientific research purposes
Prescription data: such as name, initials, address, date of birth, gender, weight and printed age, indication and clinical justification for the use of the product (e.g. the seriousness of the condition, details of previous treatments including detail on use of therapeutic treatment), product type, dosage and dose form, treating doctor
For identity verification purposes and to arrange to fulfil a product order relating to your prescription from a healthcare professional, including where you have requested products from a dispensing pharmacist.
  • Our legitimate interests
  • Scientific research purposes
Payment information: such as your payment
To take payment for our services
  • Performance of a contract
Adverse events or special situations: information about any untoward medical occurrence in a patient or clinical trial subject administered a medicinal product, with or without an adverse event
To enable us to contact the reporter, if necessary, to clarify the information received
  • Performance of a contract
For submission to regulatory authorities
  • Legal obligation
  • Health or social care (for the provision of healthcare or treatment)
Survey information: any information you provide to us as part of your voluntary participation in a survey, which could include sensitive personal data
To carry out analysis on users of our Services
  • Consent
Guardians/Carers of Patients
Contact information: such as your name, email and phone number
To arrange consultation, treatment, or follow-up for the patient
  • Performance of a contract
  • Our legitimate interests
Healthcare Professionals
Contact information: such as your name, email and work address (i.e. clinic details)
Where your patient has provided your information to us in order to book a consultation with us, to contact you in relation to the patient’s request
  • Performance of a contract
  • Our legitimate interests
  • Health or social care purposes (for the provision of healthcare or treatment)
To participate in surveys provided by us for research purposes
  • Consent
Professional information: such as your professional registration number, health practitioner type, your qualification, speciality and clinic details
To verify your details with the relevant regulatory body
  • Legal obligation
  • Our legitimate interests
Visitors/Users of Services
Contact information: such as name, email, telephone number, address, content of free text
To respond to your queries and requests, to register you, and/or book a consultation
  • Our legitimate interests
Technical information: such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform
To understand how you interact with our Services, as well as our content to enable us to improve service and functionality
  • Our legitimate interests
Information you disclose to us: any information you disclose to us through your communications with us which may include sensitive personal data
To respond to you including your questions in relation to our products and services
  • Consent
Job Applicants
Identification data: such as your name, gender, photograph, date of birth, national identifiers
To identify you as the individual applying for a role with us
  • Performance of a contract
  • Our legitimate interests
Contact information: such as home address, telephone number, email address
To contact you about your application to us and invite you to participate in any assessments and interviews with respect to the role you have applied for
  • Performance of a contract
  • Our legitimate interests
Employment details: such as employment history, application for role, third party references
To assess your job application to us and your suitability for the role
  • Performance of a contract
  • Our legitimate interests

 


Lawful Basis for Processing Your Personal Data

The lawful bases for processing your personal data are as follows:
  • Consent: Where you have given consent for the processing of your personal data for one or more specific purposes.
  • Performance of a Contract: Where processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract.
  • Legal Obligation: Where processing is necessary for compliance with our legal obligations.
  • Legitimate Interests: Where processing is necessary for a legitimate interest, provided that such legitimate interest is not overridden by your interests or fundamental rights and freedoms.

Lawful Basis for Processing Your Sensitive Personal Data

The lawful bases for processing your sensitive personal data are as follows:
  • Health or Social Care: Where processing is necessary for the provision of healthcare or treatment.
  • Employment: Where processing is necessary for the assessment of your working capacity.
  • Legal Obligation: For regulatory compliance, including pharmacovigilance reporting.
  • Scientific Research Purposes: Where data is strictly pseudonymised to protect individual identity.

Special Category Data

Some of the information we collect and process may include sensitive personal data, also known as special category data.

Special category data is a subset of personal data that is afforded a higher level of privacy protection. This includes:
  • Health and genetic data
  • Racial or ethnic origin
  • Political opinions and membership of a political association
  • Religious beliefs or affiliations
  • Philosophical beliefs
  • Membership of a professional or trade association
  • Membership of a trade union
  • Sexual preferences or practices
  • Criminal record
  • Certain types of biometric data
We will only collect special category data where it is reasonably necessary for our functions or activities, and where we have a lawful basis to do so under applicable laws, as outlined in the table above.

Scientific Research and Statistical Reporting of Pseudonymised Data

As set out in the table above, we may also use your information for scientific research and statistical reporting. However, we have taken a number of measures to ensure that this data is pseudonymised, meaning it cannot directly identify an individual.

For this purpose, we only have access to medical and treatment data, and we cannot directly identify you from this information.

Online Tracking and Your Choices

Our website uses various tools for data analysis, tracking, and user behaviour monitoring, including cookies, web beacons, and similar tracking technologies. These tools help us gather insights into how you interact with our website. The data collected may include:
  • Browser type and version
  • Domain names
  • Page views and referring/exit pages
  • IP address
  • User interactions with our website
  • Traffic and usage trends

How We Use Cookies and Tracking Technologies

For a more detailed understanding, we use:
  • Session Cookies: These are temporary and automatically expire when you close your web browser. They help maintain your login status during a website session.
  • Persistent Cookies: These remain stored in your browser and allow us to recognise you when you revisit our website. They serve various functions, such as:
      • Preserving your information to prevent repeated data entry
      • Enhancing our understanding of how you use our services
      • Diagnosing and resolving technical issues
      • Improving overall user experience
Additionally, in select email communications, we may use 'click-through URLs' that direct you to specific content on our website. These links are tracked to help us assess the effectiveness of our customer communications.

To enhance our services and for comprehensive analytics, we may collect data directly or through third-party analytics tools, such as Google Analytics. This helps us analyse website usage, traffic patterns, and trends to improve our services.

Managing Your Cookie Preferences

Most web browsers are set to accept cookies automatically, but you can modify your browser settings to:
  • Refuse cookies altogether
  • Receive prompts before accepting cookies from websites
If you choose to disable cookies, please note that some features of our website may not function correctly.

'Do Not Track' and Opting Out

Some web browsers offer a 'Do Not Track' (DNT) setting, but this may not affect our data collection through cookies or tracking technologies used for analytical and internal purposes.

The only way to fully opt out of data collection through cookies or similar tracking technologies is to actively manage your browser or mobile device settings to delete and disable cookies and other tracking tools.

For comprehensive information on cookies, clear GIFs/web beacons, and related tracking technologies, please visit: www.allaboutcookies.org

For more details on how we use cookies and tracking technologies, please refer to our Cookie Policy.

Data Sharing

We may share your personal data with the following categories of recipients:
  • To your referrer – If you have been referred by another healthcare professional, we may share a summary of your care with your treating healthcare professional who referred you to us. If you do not wish for your data to be shared in this way, please inform us as soon as possible.
  • To individuals for whom we have your consent – We will only share your personal data with individuals or organisations where you have provided explicit consent.
  • To our group companies – For the purposes for which we are entitled to process your personal data under this Privacy Policy.
  • To third-party service providers – We may share your personal data with trusted third-party service providers who assist us in delivering our services and with whom we have a contractual relationship. Your data may also be processed by a third party if this is necessary to fulfil a service you have requested.
  • To law enforcement, regulators, or government agencies – We may disclose your personal data to a competent law enforcement body, regulatory authority, government agency, court, or other third party where we believe it is necessary:
      (i) to comply with applicable laws or regulations;
      (ii) to exercise, establish, or defend our legal rights; or
      (iii) to protect your vital interests or those of another person.
  • To an actual or potential buyer – In the event of an actual or proposed purchase, merger, or acquisition of any part of our business, we may share your personal data with the buyer, its agents, and advisors, provided that we inform them that your data must only be used in accordance with this Privacy Policy.

Ensuring Data Protection with Third Parties

We conduct due diligence checks on all third parties with whom we share personal data, ensuring they can provide sufficient guarantees regarding confidentiality and security.

Where required, we will have written contracts in place that provide assurances regarding:
  • The protections they will apply to your personal data.
  • Their compliance with our data security standards.
  • Their adherence to international data transfer restrictions, where applicable.

Third-Party Sites and Features

Our websites may contain links to third-party websites and may include social media features, such as Facebook and Twitter buttons (e.g., "Like," "Tweet," or "Pin").

These third-party sites may collect data about you if you click on a link, and social media platforms may automatically record data about your browsing behaviour every time you visit a website that contains a social media button.

Your interactions with these features are governed by the privacy policy of the company providing the feature, not by this Privacy Policy. We do not control the data that these third parties collect.

Please review your privacy settings on your social media accounts and consider carefully before clicking on links that may direct you to an external website.

Data Security and Retention

Security

We take security seriously and are committed to protecting the integrity of your personal data. We use commercially reasonable physical, administrative, and technological safeguards to protect your personal data from:
  • Accidental or unlawful destruction
  • Loss or alteration
  • Unauthorised disclosure or access
The measures we implement are designed to provide a level of security appropriate to the risks associated with processing your personal data. In the event of a data breach involving personal data under our control, we will:
  • Take reasonable steps to investigate the incident.
  • Where appropriate, notify affected individuals whose data may have been compromised.
  • Take further remedial actions, in compliance with applicable laws and regulations.
Data Retention

To ensure we meet our legal data protection and privacy obligations, we will retain your personal data for:
  • As long as your account remains active
  • As long as required to provide you with services
  • As long as necessary to fulfil the purpose for which it was collected (or any related purpose)
  • As required to comply with legal obligations, resolve disputes, and enforce our agreements
When we no longer have a legitimate business need to process your personal data (as outlined above), we will:
  • Delete or anonymise it; or
  • If deletion is not possible (e.g., because your personal data is stored in backup archives), we will securely store it and isolate it from further processing until deletion becomes possible.
International Transfers

We may share data with:
  • Referring healthcare professionals for continuity of care only with explicit patient consent;
  • Regulatory bodies when required by law;
  • Third-party service providers who process data on our behalf under legally binding data protection agreements;
  • Business partners in the case of mergers or acquisitions, ensuring contractual safeguards for data protection.
We will not transfer personal data collected and stored within the UK to any country that does not provide an adequate level of data protection, unless we comply with the relevant legal and regulatory requirements.

Further details on our international transfer safeguards are available upon request.

Your Rights

You have the following data protection rights:
  • If you wish to access your personal data, you can do so at any time by contacting us using the details provided in the "Contact Us" section below.
  • If you need to correct or update your personal data, you can do this by using the contact details provided under the "Contact Us" section below.
  • You may request permanent deletion of your data where legally applicable;
  • You may limit processing under strictly defined conditions;
  • You may obtain a machine-readable copy of your data in a commonly used format;
  • You may withdraw consent for processing where applicable without negative consequences.
Additional Rights Where We Are the Data Controller

Where Plantmed Clinic UK Ltd (Company Number 15642057), trading as "Dispensed", is the controller of your personal data, you also have the following additional rights:
  • You can request deletion of your personal data by contacting us using the details in the "Contact Us" section below.
  • You can object to the processing of your personal data, request restriction of processing, or request data portability. You can exercise these rights by contacting us using the details provided below.
  • You can opt out of marketing communications at any time by clicking on the "unsubscribe" or "opt-out" link in our marketing emails. To opt out of other forms of marketing (such as postal or telephone marketing), please contact us using the details provided below.
  • If we have collected and processed your personal data based on your consent, you can withdraw your consent at any time. This will not affect the lawfulness of any processing carried out prior to your withdrawal, nor will it affect processing based on other lawful grounds.
Right to Complain

You have the right to lodge a complaint with a data protection authority regarding our collection and use of your personal data. In the UK, you can contact the Information Commissioner’s Office (ICO) at: 🌐 https://ico.org.uk/make-a-complaint

How We Handle Your Requests

When you exercise your data protection rights, our response will depend on:
  • Our role as a data controller or processor
  • Our legal basis for processing your data
  • Whether any exemptions apply under UK data protection laws
We respond to all valid requests in accordance with applicable privacy and data protection laws. To comply with a request, we may ask you to confirm your identity. We will only request information to the extent necessary to verify your identity.

You also have the right to remain anonymous where it is lawful and practicable for us to allow it. However, if you choose not to provide personal data when requested, we may be unable to respond to your request or provide the service you are seeking.

Contact Us

If you have a question, comment, or complaint about how we have collected or handled your personal data, please contact our Privacy Officer using the details below and provide relevant information about the incident so that we can investigate it.

If you are making a complaint, we will:
  • Treat your complaint confidentially.
  • Conduct an investigation.
  • Aim to resolve your complaint within a reasonable timeframe (and in any event, within the timeframe required by applicable law).
📧 Email: privacy@dispensed.co.uk
📍 Address: 301-305 High St, Croydon CR0 1QL

Information Commissioner’s Office (ICO)

The Information Commissioner's Office (ICO) is our lead supervisory authority. If you have concerns about our collection and use of your personal data, you have the right to make a complaint to the ICO.

For more information, visit:
🌐 https://ico.org.uk/make-a-complaint

ICO Registration No: ZB703280

Changes to This Privacy Policy

We may update this Privacy Policy from time to time in response to legal, technical, or business developments. You can check the "Last Updated" date at the top of this Privacy Policy to see when it was last revised.

We encourage you to frequently review our website for any updates. Unless stated otherwise, the current version of our Privacy Policy applies to all information we hold about you.
Plantmed Clinic UK Ltd (15642057), trading as 'Dispensed', is in partnership with SJLD LTD (13138487), trading as 'Urban Clinic', which is registered and regulated by the CQC.
  • CQC Location ID: 1-11736605080
  • CQC Provider ID: 1-10993862536