Privacy Policy


This Privacy Policy explains how Caledonian Pharma Ltd, trading as Caledonian Pharmacy (“we”, “us”, “our”), collects, uses, and protects your personal information.

We are committed to protecting your privacy and handling your information securely, transparently, and in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the standards of the General Pharmaceutical Council (GPhC).

1. Who we are

Caledonian Pharma Ltd is the data controller for the personal information described in this Policy.

•        Registered company name: Caledonian Pharma Ltd

•        Company number: 12033720

•        Registered office: 4 Capricorn Centre, Cranes Farm Road, Basildon, Essex, SS14 3JJ

•        Pharmacy premises: 486a Caledonian Road, Islington, London N7 9RP

•        GPhC premises registration: 1040353

•        Information Commissioner’s Office (ICO) registration number: ZA727792

•        Data protection contact: info@caledonianpharmacy.co.uk

2. The personal data we collect

We collect different categories of personal data depending on how you interact with us. The categories include:

2.1 Identity and contact data

Your name, date of birth, postal address, email address, telephone number, and emergency contact details, where relevant.

2.2 Health and clinical data

Information about your health, medical history, medications, allergies, lifestyle factors, BMI, blood pressure, vaccination history, NHS number where applicable, GP details, and any other clinical information you share with us during a consultation, on a registration form, or as part of the dispensing process. This is classed as “special category data” under UK GDPR and is given additional protection.

2.3 Booking and appointment data

Records of bookings you make, attendance at appointments, services received, and any associated notes or follow-up correspondence.

2.4 Payment data

Information needed to process your payment. We use a third-party payment processor (Stripe), and we do not store full card numbers on our own systems. We receive limited information, such as the last four digits of the card, the cardholder's name, and the transaction reference.

2.5 Order and delivery data

Where you place an order through our online shop or arrange a prescription delivery, we record the items ordered, delivery address, delivery instructions and tracking information.

2.6 Marketing and communication preferences

If you choose to receive communications from us, we record your contact details, the channels you have consented to (such as email or SMS), and your interests where you have shared them.

2.7 Website and technical data

When you visit our website, we automatically collect technical information such as your IP address, device and browser type, pages viewed, and how you found our site. We also use cookies to support site functionality, analytics and marketing. Please see our Cookie Policy for full details.

3. How we collect your data

•        Directly from you, when you complete a registration form, book a consultation, attend a consultation, place an order, contact us by phone, email or WhatsApp, or interact with us in person.

•        From your GP, NHS records or another healthcare provider, where this is relevant to a service you have asked us to provide and where you have consented to that information being shared.

•        From a prescription you present, whether NHS or private, including details of the prescriber and the medicine prescribed.

•        Automatically, through cookies and similar technologies on our website.

4. The legal basis for processing your data

UK GDPR requires us to identify a legal basis for processing your personal data. Our bases are as follows:

•        Contract: We process your data to provide the services you have asked us to provide, such as fulfilling a consultation, dispensing a prescription, or supplying products you have ordered.

•        Legal obligation: We are required by law and by the GPhC, the MHRA, the NHS and HMRC to keep certain records, including dispensing records, financial records and clinical notes.

•        Legitimate interests: We may process your data to operate our pharmacy efficiently, prevent fraud, ensure the security of our systems, and improve our services. We balance our interests against your rights and freedoms before relying on this basis.

•        Consent: We rely on your consent for marketing communications and for non-essential cookies. You may withdraw consent at any time.

For special category (health) data, we additionally rely on the following bases under UK GDPR Article 9:

•        Provision of health or social care, or treatment, by or under the responsibility of a health professional.

•        Reasons of substantial public interest, including the prevention or detection of unlawful acts, in line with the Data Protection Act 2018.

5. How we use your data

We use your personal data for the following purposes:

•        To provide and deliver the pharmacy and clinical services you have requested.

•        To make and manage bookings and appointments, and to send appointment confirmations and reminders.

•        To dispense prescriptions and supply medicines safely and accurately.

•        To process payments and manage refunds.

•        To deliver products and prescriptions to you.

•        To keep clinical and dispensing records as required by law and professional standards.

•        To respond to your enquiries and complaints.

•        To send you marketing communications, where you have consented.

•        To improve our services, train our team, and ensure the quality and safety of care.

•        To comply with our legal, regulatory and professional obligations.

6. Who we share your data with

We share your personal data only where it is necessary for us to provide our services or to meet a legal obligation. The categories of recipients include:

•        NHS bodies: where you have presented an NHS prescription or used an NHS service, we share required information with NHS England, NHS Business Services Authority and other NHS bodies.

•        Your GP and other healthcare professionals: where appropriate to your care and where you have consented to that sharing.

•        Prescribers and clinicians working with us: for private prescribing services, our partner prescribers may access relevant clinical information to issue prescriptions safely.

•        Suppliers and service providers: including Stripe (payments), Squarespace (website hosting and booking), Acuity Scheduling (appointment system), email and messaging providers, courier companies, IT support providers, and our pharmacy management system.

•        Regulators: the GPhC, MHRA, ICO, and other authorities where required by law.

•        Professional advisers: such as our accountants and legal advisers, in confidence and only as needed.

We do not sell your personal data. We do not share your data for any third-party marketing purpose.

7. International transfers

Some of our suppliers (for example, certain cloud-based service providers) may process data outside the United Kingdom. Where this is the case, we ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfer to a country covered by UK adequacy regulations.

8. How long we keep your data

We keep your personal data only for as long as is necessary for the purposes we collected it for, and to meet our legal and regulatory obligations. Indicative retention periods are:

•        Dispensing records and clinical notes: at least 8 years for adults, and until the patient turns 25 (or 26 for the last entry) for children, in line with NHS retention guidance.

•        Controlled drugs registers: a minimum of 2 years from the date of the last entry.

•        Financial and tax records: 6 years.

•        Booking and appointment records (where they include health information): in line with clinical record retention.

•        Marketing data: until you withdraw your consent or we conclude the data is no longer needed.

•        Website and analytics data: typically up to 26 months.

Once retention periods expire, we securely delete or anonymize your data.

9. Your rights

Under UK GDPR, you have rights over your personal data:

•        The right to be informed about how your data is used.

•        The right of access to a copy of the personal data we hold about you.

•        The right to rectification of inaccurate data.

•        The right to erasure of your data, subject to exceptions where we are required by law to keep it.

•        The right to restrict processing in certain circumstances.

•        The right to data portability.

•        The right to object to processing based on legitimate interests, including direct marketing.

•        The right to withdraw consent at any time, where we rely on consent.

•        The right not to be subject to automated decision-making that produces legal or similarly significant effects.

To exercise any of these rights, please contact info@caledonianpharmacy.co.uk. We will respond within one calendar month. We may need to verify your identity before we act on a request.

10. Complaints to the ICO

If you are unhappy with how we have handled your personal data, please tell us first so that we can try to put things right. You also have the right to complain to the Information Commissioner’s Office:

•        Website: ico.org.uk

•        Helpline: 0303 123 1113

•        Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

11. Security

We take appropriate technical and organizational measures to keep your personal data secure, including access controls, encryption in transit, secure storage of paper records, staff training, and contracts with our suppliers requiring them to protect your data.

Despite our best efforts, no method of transmission over the internet or storage is completely secure. If you have any reason to suspect a security issue, please contact us immediately.

12. Children’s data

We provide some services to children and young people, including vaccinations and certain consultations. Where we collect data about children, we do so with the consent of a parent or guardian (where required), and we treat this data with the same care and protection as adult data.

13. Changes to this Policy

We may update this Privacy Policy from time to time. The current version will always be available on our website, and the date at the top will show when it was last updated. We encourage you to review this Policy periodically.

14. Contact us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

•        Email: info@caledonianpharmacy.co.uk

•        Telephone: 020 7609 0798

•        Post: Caledonian Pharmacy, 486a Caledonian Road, Islington, London N7 9RP

Last updated: April 2026.