Privacy Policy

CloudRx Limited ("we" or "us") provides online pharmacy prescribing services to the private healthcare sector ("our services"). This Privacy Policy explains how we collect, use, and share personal data in the course of providing our services and operating our website.

We may amend this Privacy Policy from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check these pages for the latest version of this

About us (as the data controller)

CloudRx is registered under the Data Protection Act, Registration No. ZA679233, with the General Pharmaceutical Council (“GPhC”) (Registration Number 9011284) and with Companies House (registered company number 12320975, 1 Hawthorn Park, Leeds, United Kingdom, LS14 1PQ).

Our collection and use of personal data

Whose personal data do we collect?

We process personal data about the following persons:

  1. healthcare professionals, who use our services to order prescriptions for their patients;
  2. patients whose prescriptions we process, and who pay us for those prescriptions;
  3. visitors to our website; and
  4. business partners, including customers and suppliers, whose contact information we process to manage our business relationships.

We collect personal data when you fill in forms on our website – including the account registration form for healthcare professionals, and the order and payment form for patients. If you are a patient, we will obtain some personal data about you in the prescription submitted by your healthcare professional.

Our website automatically collects information about all visitors – see section 9 below for more information.

Unless otherwise indicated, all categories of information on our account registration and order and payment forms are mandatory in order to, respectively, create a prescribing account or complete a patient prescription order. Should you fail to provide us with the information required, we will be unable to proceed with the provision of your medicines.

What do we use personal data for?

In the table below we have provided a description of the different purposes for which we process personal data. For each purpose, we have indicated the legal basis we rely on under data protection law:

| Purpose | Personal Data | Legal Basis |
|---|---|---|
| Creating an account for a healthcare professional to use our services | Name; contact information; clinic address; password | Performance of our Terms of Use |
| Verifying a healthcare professional’s identity during account creation | Professional registration number (e.g., GMC; GDC; GPhC; NMC); UK passport or photo driving licence; details of professional liability / medical indemnity insurance | Performance of our Terms of Use |
| Processing a prescription submitted by a healthcare professional | Name; patient date of birth; details of patient’s medical information and prescribed medication | Performance of our Terms of Use; The provision of health or social care or treatment or the management of health or social care systems and services |
| Arranging prescription delivery and payment with a patient | Name; delivery address; payment card information; details of repeat prescriptions | Performance of our Terms of Use; The provision of health or social care or treatment or the management of health or social care systems and services |
| Submitting information to our regulators and complying with regulatory audits | Details of prescriptions processed | Compliance with a legal obligation |
| To respond to user queries or complaints, as well as medicine returns | Name; contact information; details of query or complaint | Compliance with a legal obligation; Legitimate interest in providing customer service |
| To collect information using cookies and similar technologies | IP address; device and browser generated information; information about site activity | Consent (in relation to non-essential cookies – see below); Legitimate interest in providing a functioning and secure website (in relation to essential cookies – see below) |
| To conduct service analytics | Contact information; Clinic address; Information about your use of the services | Legitimate interest in understanding how our services are used in order to make improvements to them |
| To manage our commercial relationships with our customers and suppliers | Name; business contact information | Legitimate interest in conducting our business, including arranging the delivery and receipt of services and payment for those services |

Sharing personal data with third parties

Sometimes we use business partners to help us provide our services. Specifically, we use third party payment service providers (e.g., Stripe), to whom we fully outsource the handling and other processing of your payment card information. We also use third party service providers to deliver your prescription orders and provide you with order tracking notifications by email or text. Finally, we also use technology service providers to host our platform and to store your personal data. These providers are subject to contracts which require them to comply with our instructions and to only process your personal data in order to provide the service we have requested.

As well as disclosures to our service providers, we may disclose your personal data to third parties in the following circumstances:

  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, court or police request, or in order to enforce or apply our terms of use and other agreements, or to protect the rights, property, or safety of CloudRx, our customers, or others. This includes:
    • exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and
    • notifying prescribers where a patient presents a prescription and the pharmacist becomes aware of clinically significant issues arising in connection with that prescription.

International transfers

We are a UK based business, and we store your personal data on servers based in either the UK or the European Economic Area (EEA).

We may engage technology service providers who access your personal data from outside of the UK and EEA, e.g., for support and maintenance purposes. Further, the providers of cookies used on our websites may also process your data overseas, including in the United States of America. In these cases, we put in place appropriate safeguards to protect your personal data – such as the standard contractual clauses – unless a relevant exemption applies.


We recognise the importance of keeping your data safe and take appropriate security measures (including physical, electronic and procedural measures) to help safeguard your personal data from unauthorised access and disclosure. More information about the measures we use can be found in our Data Security Policy.

We assume no liability for interception, alteration or misuse of information transmitted over the internet.

Your rights

Subject to certain exemptions, and in some cases dependent upon our legal basis (see section 2 above), you have certain rights in relation to your personal data. These are:

  • To access personal data
  • To rectify / erase personal data
  • To restrict the processing of your personal data
  • To transfer your personal data to another controller (‘data portability’)
  • To object to the processing of personal data
  • To object to how we use your personal data for direct marketing purposes
  • To obtain a copy of personal data safeguards used for transfers outside the UK
  • To lodge a complaint with your local supervisory authority

We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.


You have the right to lodge a complaint in relation to the processing of your data. This can be done by contacting the ICO.

Retention of your personal data

As a basic rule, we will store your personal data for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Privacy Policy.

Regulations applicable to pharmacists require that we retain records of prescriptions – including personal data relating to the prescribing healthcare professional and patient – for a minimum of 2 years.

We may store your personal data for longer periods of time so that we have an accurate record of medications that we have dispensed in the event that any issues arise, and so that we maintain an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.

Cookies and similar technologies

Like most websites, we use cookies and similar technologies that obtain information from, or store information on, your device. That information may constitute your personal data, for example where it is associated with you as a registered user or identified patient submitting an order.

Certain cookies that we use are ‘essential’ – meaning that they are necessary to make the website function as intended (e.g., cookies that remember information inputted into a form, or cookies used for load balancing). Other cookies are ‘non-essential’ – meaning that they aren’t necessary for the website to function, but are either used to enhance the functionality of the website, or to help us analyse how the website is used.

Please refer to our Cookie Policy for more information.

Contacting us

Should you have any queries in relation to our use of your personal data, please contact us or our Data Protection Officer directly using the details provided below.

CloudRx can be contacted in writing at (1 Hawthorn Park, Leeds, United Kingdom, LS14 1PQ) or by email ([email protected]).

Our Data Protection Officer is Daniel Lee and can be contacted in writing at (1 Hawthorn Park, Leeds, United Kingdom, LS14 1PQ) or by email ([email protected]).

Changes to this Privacy Policy

We may, from time to time, make changes to this Privacy Policy. We suggest you check back regularly to see if there have been any changes to this Privacy Policy.

This policy was last updated on 09/05/2022

| Date | Change |
|---|---|
| 21/02/2020 | First Version |
| 09/05/2022 | Second Version |