PharmAnalyser
Privacy Policy
At PharmAnalyser, we are committed to protecting your privacy and personal data. This comprehensive privacy policy explains how we collect, use, store, and protect your information in compliance with UK GDPR and the Data Protection Act 2018.
Last updated: 5 March 2026
Introduction and Summary
At PharmAnalyser, we know that your personal data is important to you. That's why, whenever we use it, we only use what we need to, and we do everything we can to ensure it is appropriately protected. This notice explains the situations where we may process your personal data and the steps we take to protect it.
This privacy policy applies to all users of PharmAnalyser, including visitors, registered users, and subscribers. By using our website, you acknowledge that you have read and understood this privacy policy and agree to the collection, use, and disclosure of your personal data as described herein.
Quick Summary:
- We collect only the data necessary to provide our services
- We never sell your personal data to third parties
- We use industry-standard security measures to protect your data
- You have full control over your data and can exercise your rights at any time
Who We Are
PharmAnalyser is the trading name for Caledonian Tech LTD (company number SC789615, registered in Scotland). When we say 'we', 'us', or 'our' in this privacy policy, we mean Caledonian Tech LTD.
Company Details
Company Name: Caledonian Tech LTD
Trading Name: PharmAnalyser
Company Number: SC789615
Registered Address:
41 Milnpark Street
Glasgow
Scotland
G41 1BB
UK
How You Can Contact Us
If you have any questions, concerns, or requests regarding this privacy policy or how we handle your personal data, please contact us using the following methods:
Email Contact
For general inquiries, data protection requests, or privacy concerns
Postal Address
41 Milnpark Street
Glasgow
Scotland
G41 1BB
UK
Response Times: We aim to respond to all privacy-related inquiries within 30 days, in accordance with UK GDPR requirements. For urgent matters, please mark your email as "URGENT - Data Protection".
Data Controller
Caledonian Tech LTD is the data controller for all personal data collected through PharmAnalyser. This means we are responsible for determining how your personal data is processed and for what purposes.
As the data controller, we are registered with the Information Commissioner's Office (ICO) and comply with all applicable UK data protection legislation, including the UK GDPR and the Data Protection Act 2018.
Information We Collect
We collect different types of information depending on how you interact with our website. The following sections detail the categories of personal data we collect:
1. Account and Registration Information
When you create an account with us, we collect:
- Email Address: Used for account identification, authentication, and communication
- Password: Stored as a hashed value using the industry-standard bcrypt password-hashing algorithm (we cannot see your actual password)
- Name: Optional display name for personalisation
- Business Name: If you register as a business user
- GPHC Registration Number: Optional, for pharmacy professionals
- Account Metadata: Timestamps for account creation and updates
2. Subscription and Payment Information
If you subscribe to our services, we collect:
- Stripe Customer ID: Reference to your payment account with Stripe (our payment processor)
- Subscription Details: Plan type (Individual or Business), billing interval (monthly or yearly), subscription status, and billing dates
- Payment History: Records of invoices and payment transactions (processed by Stripe, not stored on our servers)
Important: We do NOT store your credit card details, bank account information, or any other financial payment data. All payment processing is handled securely by Stripe, which is PCI-DSS compliant. Stripe may collect additional payment information in accordance with their own privacy policy.
3. Session and Device Information
To maintain your login sessions and provide security, we collect:
- Session Tokens: Secure tokens to maintain your login state
- IP Address: Collected for security, fraud prevention, and to comply with legal obligations. May be hashed for anonymous users
- User Agent: Browser and device information (e.g., "Chrome on Windows")
- Device Type: Mobile, tablet, or desktop
- Browser Information: Browser name and version
- Operating System: OS name and version
- Location Data: Approximate geographic location derived from IP address (city/country level, not precise coordinates)
4. Usage and Activity Information
To provide and improve our services, we track:
- Page Views: Which pages you visit on our website
- Search Queries: What you search for on our platform
- Watchlist Activity: Which pharmacies or GP practices you add to your watchlist
- Feature Usage: Which features of our platform you use most frequently
- Free Trial Usage: For anonymous users, we track the number of visits using device tokens (see Cookies section)
5. Communication Information
When you contact us or we contact you:
- Contact Submissions: Messages you send through our contact form, including your name, email, and message content
- Email Communications: Records of emails we send to you (welcome emails, subscription confirmations, service updates, etc.)
- Email Preferences: Your preferences for receiving marketing communications
6. Anonymous Device Information (For Non-Registered Users)
For users who visit our website without registering, we use device identification to provide a free trial:
- Device Token: A unique, anonymous identifier stored in a secure HTTP-only cookie
- Fingerprint Hash: A hashed value based on browser characteristics (not personally identifiable)
- Hashed IP Address: Your IP address is hashed using SHA-256 (a one-way hash function) for security
Note: These identifiers are anonymous and cannot be used to identify you personally. They are used solely to track your free trial usage and prevent abuse of our free access.
How We Use Your Personal Data
We use your personal data for the following purposes, based on different legal bases under UK GDPR:
1. Contractual Necessity (Performance of a Contract)
We process your data to fulfill our contract with you:
- Creating and managing your user account
- Providing access to our platform and services
- Processing and managing your subscription
- Sending subscription confirmations and invoices
- Maintaining your watchlists and saved preferences
- Responding to your inquiries and support requests
2. Legitimate Interests
We process your data based on our legitimate business interests:
- Security and Fraud Prevention: Monitoring login sessions, detecting suspicious activity, and preventing unauthorized access
- Service Improvement: Analysing usage patterns to improve our website, features, and user experience
- Business Analytics: Understanding how users interact with our platform to make informed business decisions
- Free Trial Management: Tracking anonymous usage to provide and limit free trial access
- Legal Compliance: Maintaining records for tax, accounting, and legal purposes
3. Consent
With your explicit consent, we may:
- Send you marketing communications about our products and services
- Use your data to create personalised marketing profiles
- Send you newsletters and promotional offers
You can withdraw your consent at any time by updating your email preferences in your account settings or by contacting us directly.
4. Legal Obligation
We may process your data to comply with legal obligations:
- Responding to requests from law enforcement agencies
- Complying with court orders and legal processes
- Maintaining financial records for tax and accounting purposes
- Protecting our legal rights and defending against legal claims
Cookies and Tracking Technologies
We use cookies and similar tracking technologies to provide, maintain, and improve our services. This section explains what cookies we use and why.
What Are Cookies?
Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work more efficiently and to provide information to website owners.
Types of Cookies We Use
Essential Cookies (Strictly Necessary)
These cookies are essential for the website to function properly. They cannot be disabled:
- Session Cookies: Maintain your login state and session security (e.g., NextAuth session tokens)
- Device Token Cookies: For anonymous users, we use a secure HTTP-only cookie to track free trial usage (__Secure-device-token)
- Security Cookies: Protect against cross-site request forgery (CSRF) attacks
Functional Cookies
These cookies enhance functionality and personalisation:
- Preference Cookies: Remember your settings and preferences (e.g., theme preferences, language settings)
Analytics and Performance Tracking
We use analytics services to understand how users interact with our website and measure performance. We use two types of analytics:
Vercel Analytics (Privacy-First): We use Vercel Analytics which is privacy-focused and GDPR-compliant by default. It does NOT use cookies and collects anonymized page view data and web vitals for performance monitoring.
Vercel Speed Insights: Measures website performance and Core Web Vitals to help us optimize page load times. Also does not use cookies.
We also use Google Analytics 4 (GA4) which uses cookies. These cookies are only set if you consent to analytics cookies via our cookie consent banner. Analytics cookies are used to:
- Track page views and user interactions
- Understand user behaviour and improve our services
- Analyse search patterns and feature usage
- Measure conversion rates and user engagement
Google Analytics: We use Google Analytics 4 with Consent Mode v2, which is GDPR-compliant. When you consent to analytics cookies, Google Analytics may set the following cookies:
- _ga: Used to distinguish users (expires after 2 years)
- _gid: Used to distinguish users (expires after 24 hours)
- _gat: Used to throttle request rate (expires after 1 minute)
Your Control: You can withdraw your consent at any time by clearing your cookies or using our cookie consent banner. When consent is denied, Google Analytics will only collect anonymous, cookieless data for modeling purposes (in compliance with GDPR).
Data Processing: Google Analytics data is processed by Google LLC. Your IP address is anonymized before being sent to Google. For more information, see Google's Privacy Policy.
Cookie Duration
- Session Cookies: Expire when you close your browser
- Persistent Cookies: Remain on your device for up to 24 months (device tokens) or until you log out (session tokens)
Managing Cookies
You can control and manage cookies in various ways:
- Cookie Consent Banner: When you first visit our website, you'll see a cookie consent banner. You can accept or decline analytics cookies. Your choice is saved for 1 year.
- Browser Settings: Most browsers allow you to refuse or delete cookies. However, disabling essential cookies may affect website functionality
- Account Settings: You can manage some preferences through your account settings on our website
Warning: Disabling essential cookies (such as session cookies) will prevent you from logging in and using our services. We recommend keeping essential cookies enabled.
Who We Share Your Data With
We do not sell, rent, or trade your personal data. We only share your data with trusted third parties when necessary to provide our services or comply with legal obligations. The following categories of third parties may receive your data:
1. Service Providers and Data Processors
We use trusted third-party service providers to help us operate our business. These providers are contractually obligated to protect your data and only use it for specified purposes:
- Stripe (Payment Processing):
  - Processes subscription payments and manages billing
  - Stores payment method information (we do not have access to this)
  - PCI-DSS compliant and certified
  - Privacy Policy: stripe.com/gb/privacy
- Resend (Email Services):
  - Sends transactional emails (welcome emails, subscription confirmations, etc.)
  - May process your email address and name for email delivery
  - Privacy Policy: resend.com/legal/privacy-policy
- Vercel (Hosting, Infrastructure, and Analytics):
  - Hosts our website and application infrastructure
  - May process server logs and IP addresses for security and performance
  - Vercel Analytics: Provides privacy-first web analytics (does not use cookies, GDPR-compliant by default)
  - Vercel Speed Insights: Measures website performance and Core Web Vitals (does not use cookies)
  - Privacy Policy: vercel.com/legal/privacy-policy
- Google Analytics (Website Analytics):
  - Provides website analytics and user behaviour insights (only with your consent)
  - Processes anonymized usage data including page views, search queries, and user interactions
  - Uses Consent Mode v2 for GDPR compliance - only collects data when you consent
  - IP addresses are anonymized before being sent to Google
  - Privacy Policy: policies.google.com/privacy
- Database Providers:
  - Stores your account data, subscriptions, and usage records
  - All data is encrypted in transit and at rest
2. Law Enforcement and Legal Authorities
We may disclose your personal data to law enforcement agencies, regulatory bodies, or other authorities when:
- Required by law, court order, or legal process
- Necessary to detect, prevent, or address fraud, security, or technical issues
- Necessary to protect our rights, property, or safety, or that of our users
- Required to comply with regulatory or legal obligations
3. Business Transfers
In the event of a merger, acquisition, sale of assets, or other business transfer, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and ensure that your data continues to be protected in accordance with this privacy policy.
Our Commitment:
We only share the minimum amount of personal data necessary for each purpose. All third parties are contractually bound to protect your data and use it only for the specified purposes. We regularly review our third-party relationships to ensure they continue to meet our data protection standards.
International Data Transfers
Some of our service providers may be located outside the UK and European Economic Area (EEA). When we transfer your personal data outside the UK/EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses: We use EU-approved standard contractual clauses with our service providers
- Adequacy Decisions: We only transfer to countries with adequate data protection laws or appropriate safeguards
- Transfer Risk Assessments: We conduct regular assessments to ensure data transfers are safe and compliant
- Data Processing Agreements: All international transfers are governed by strict data processing agreements
We stay up to date with changes in UK and EU data protection legislation and adjust our transfer mechanisms accordingly. If you have questions about specific international transfers, please contact us.
Data Security
We implement industry-standard technical and organisational measures to protect your personal data from unauthorised access, alteration, disclosure, or destruction:
Technical Measures
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive data
- Secure password hashing (bcrypt)
- HTTP-only and secure cookies
- Regular security updates and patches
- Firewall and intrusion detection
Organisational Measures
- Limited access to personal data (need-to-know basis)
- Staff training on data protection
- Regular security audits and assessments
- Incident response procedures
- Data backup and recovery systems
- Vendor security assessments
Important: While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability. If you become aware of any security vulnerability, please contact us immediately at support@pharmanalyser.co.uk.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law:
Retention Periods
- Account Data: Retained while your account is active and for 7 years after account closure (for tax and legal compliance)
- Subscription Data: Retained for the duration of your subscription and 7 years after cancellation (for financial record-keeping)
- Session Data: Retained for the duration of the session and up to 30 days after logout (for security purposes)
- Usage Records: Retained for 2 years (for service improvement and analytics)
- Device Tokens (Anonymous Users): Retained for 24 months (for free trial management)
- Contact Submissions: Retained for 2 years after last contact (for customer service purposes)
- Email Logs: Retained for 1 year (for delivery confirmation and troubleshooting)
Deletion of Data
When data is no longer needed, we securely delete or anonymise it:
- Personal data is permanently deleted from our active systems
- Backup copies are deleted in accordance with our backup retention policy
- Some data may be anonymised (removing personal identifiers) for statistical or research purposes
If you request deletion of your data (see "Your Privacy Rights" section), we will process your request within 30 days, subject to any legal or contractual obligations that require us to retain certain data.
Your Privacy Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:
1. Right of Access (Subject Access Request)
You have the right to request a copy of all personal data we hold about you. This is commonly known as a "Subject Access Request" (SAR).
How to exercise: Contact us at support@pharmanalyser.co.uk with the subject line "Subject Access Request". We will respond within 30 days and provide your data in a commonly used, machine-readable format.
2. Right to Rectification
You have the right to have inaccurate or incomplete personal data corrected or completed.
How to exercise: Update your information in your account settings, or contact us to request corrections.
3. Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data in certain circumstances, such as when:
- The data is no longer necessary for the original purpose
- You withdraw consent and there is no other legal basis
- You object to processing and there are no overriding legitimate interests
- The data has been processed unlawfully
Note: We may be required to retain some data for legal or contractual reasons (e.g., financial records for tax purposes).
4. Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
5. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
This right applies to data you have provided to us and which we process based on consent or contractual necessity.
6. Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Marketing: You can opt out of marketing communications at any time by updating your email preferences or clicking unsubscribe links in our emails.
7. Rights Related to Automated Decision-Making
We do not currently use automated decision-making (including profiling) that produces legal effects or significantly affects you. If we introduce such processing in the future, you will have the right to object and request human intervention.
Exercising Your Rights:
- All requests are free of charge (unless the request is manifestly unfounded or excessive)
- We will respond within 30 days (may be extended by 2 months for complex requests)
- We may need to verify your identity before processing requests
- Contact us at support@pharmanalyser.co.uk or use your account settings
Right to Complain: If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). Visit ico.org.uk/make-a-complaint for more information.
Children's Data and Safeguarding
PharmAnalyser is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16 without appropriate parental consent.
Our Approach to Children's Data
- We do not knowingly collect personal data from children under 16
- If we become aware that we have collected data from a child under 16 without consent, we will delete it immediately
- Parents or guardians who believe we have collected data from their child should contact us immediately
Safeguarding
In rare circumstances, we may process personal data related to children for safeguarding purposes:
- Where welfare or safeguarding concerns are raised, we may liaise with local authorities to ensure protection
- Such processing would be based on vital interests or substantial public interest legal bases
- We have a responsibility to safeguard adults who lack mental capacity under the Mental Capacity Act (2005)
Marketing and Communications
We may send you marketing communications if you have given consent or if we have a legitimate interest (for existing customers). You can opt out at any time.
Types of Communications
- Transactional Emails: Subscription confirmations, invoices, account updates (sent regardless of marketing preferences)
- Marketing Emails: Product updates, promotional offers, newsletters (only with consent or legitimate interest)
- Service Updates: Important changes to terms, privacy policy, or service features
Personalised Marketing
We may personalise marketing communications based on your usage patterns, subscription type, and preferences. You can object to this profiling and receive non-personalised marketing instead.
To opt out of marketing or personalisation, update your email preferences in your account settings or contact us directly.
Unsubscribe: Every marketing email includes an unsubscribe link. You can also manage your preferences in your account settings or by contacting us at support@pharmanalyser.co.uk.
Updates to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, services, or legal requirements. We will notify you of any material changes:
- Email Notification: For significant changes, we will email you at the address associated with your account
- Website Notice: We will post a notice on our website for material changes
- Effective Date: The "Last updated" date at the top of this policy indicates when changes take effect
We encourage you to review this privacy policy periodically to stay informed about how we protect your data. Continued use of our services after changes constitutes acceptance of the updated policy.
Contact Us About Privacy
If you have any questions, concerns, or requests regarding this privacy policy or how we handle your personal data, please contact us:
Postal Address
41 Milnpark Street
Glasgow
Scotland
G41 1BB
UK
Important Notice
This privacy policy is effective as of the date listed above. By using PharmAnalyser, you acknowledge that you have read, understood, and agree to this privacy policy. If you do not agree with any part of this policy, please do not use our services.
For questions about our Terms of Service, please visit our terms page.
