Privacy Policy — Pharmassist

1. Who we are

Pharmassist is a product of Aven Systems Ltd, a company registered in England and Wales (Company Number: 17156019). Our registered office address is in London, England.

When we say "Pharmassist", "we", "us" or "our" in this policy, we mean Aven Systems Ltd.

Email: hello@pharmassist.co.uk

2. What this policy covers

This privacy policy explains how we collect, use, store and protect personal data when you:

Visit our website at pharmassist.co.uk
Use the Pharmassist application at app.pharmassist.co.uk
Sign up as a pharmacy customer
Are a patient whose pharmacy uses Pharmassist to send you follow-up communications

3. Our role in data protection

Pharmassist operates as a data processor on behalf of pharmacies who use our platform. The pharmacy is the data controller — they decide what patient data to add to Pharmassist and are responsible for ensuring they have a lawful basis to contact their patients.

When pharmacies sign up to Pharmassist, we act as a data controller for the pharmacy's own account information (business name, contact details, login credentials).

When you visit our website, we act as a data controller for any information you provide (such as your email address when signing up for updates).

4. What data we collect

4.1 Pharmacy account data (we are the controller)

When a pharmacy signs up, we collect:

Pharmacy name, address and postcode
Contact email address and phone number
Staff names and email addresses (for login)
Pharmacy logo (if uploaded)
Booking link URL
Services offered

4.2 Patient data (the pharmacy is the controller, we are the processor)

When a pharmacy logs a service, the following patient data is stored in Pharmassist:

Patient first name and last name
Patient email address
Patient phone number (if provided)
Details of the service received (e.g. flu vaccination, blood pressure check)
Date of service
Any notes added by the pharmacy
Communication history (emails sent, delivery status)
Opt-in/opt-out status

We do not collect any clinical data, medical records, prescriptions, diagnosis information or NHS numbers.

4.3 Website visitor data (we are the controller)

When you visit pharmassist.co.uk, we may collect:

Email address (if you sign up for updates)
Basic analytics data (pages visited, time on site) if analytics tools are enabled

5. Why we process data and our lawful basis

5.1 Pharmacy account data

Purpose	Lawful basis
Providing the Pharmassist service	Performance of a contract (GDPR Article 6(1)(b))
Sending you service updates and support	Legitimate interests (GDPR Article 6(1)(f))
Sending you marketing about Pharmassist features	Consent (GDPR Article 6(1)(a))

5.2 Patient data

Purpose	Lawful basis (pharmacy's responsibility)
Sending automated follow-up emails on behalf of the pharmacy	Legitimate interests of the pharmacy in patient care continuity and service retention (GDPR Article 6(1)(f))
Recording service history	Legitimate interests of the pharmacy

The pharmacy, as data controller, is responsible for ensuring they have a lawful basis to contact their patients through Pharmassist. We process patient data only on the documented instructions of the pharmacy, as set out in our Data Processing Agreement.

5.3 Website visitors

Purpose	Lawful basis
Sending updates to people who sign up	Consent (GDPR Article 6(1)(a))
Website analytics	Legitimate interests (GDPR Article 6(1)(f))

6. How we use patient data

We use patient data solely to send automated follow-up communications on behalf of the pharmacy. This includes:

Thank you messages after a service
Follow-up check-ins (e.g. NMS day 7, 14, 21 follow-ups)
Rebooking reminders (e.g. annual flu jab, 3-monthly blood pressure check)

We do not:

Use patient data for our own marketing purposes
Sell patient data to any third party
Share patient data with anyone other than the pharmacy it belongs to
Use patient data to build profiles or for automated decision-making
Contact patients on our own behalf

7. Who we share data with

We share personal data with the following categories of recipients, who act as our sub-processors:

Sub-processor	Purpose	Location
Email service provider (e.g. Resend or similar)	Sending emails to patients on behalf of pharmacies	EU/UK
Supabase	Database hosting and storage	EU/UK
Hosting provider (e.g. Railway or similar)	Application hosting	EU/UK

We require all sub-processors to have appropriate data protection agreements in place. A current list of sub-processors is available on request.

We will not share personal data with any other third party unless:

Required by law or regulation
Necessary to protect our legal rights
With the explicit consent of the data controller (pharmacy)

8. International data transfers

We aim to keep all personal data within the UK and European Economic Area (EEA). If any data is transferred outside the UK/EEA, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office.

9. How long we keep data

Pharmacy account data

We retain pharmacy account data for as long as the pharmacy has an active Pharmassist account. If a pharmacy cancels their account, we will delete their data within 30 days of the cancellation date, unless we are required by law to retain it for longer.

Patient data

We retain patient data for as long as the pharmacy's account is active. If a pharmacy cancels, all associated patient data is deleted within 30 days. If a patient opts out (unsubscribes), we retain a minimal record (email address and opt-out status only) to ensure we do not contact them again.

Website visitor data

We retain email addresses of website subscribers until they unsubscribe. We retain analytics data for a maximum of 26 months.

10. Data security

We take the security of personal data seriously. Our security measures include:

All data is encrypted in transit using TLS/HTTPS
Database is encrypted at rest
Access to personal data is restricted to authorised personnel only
User passwords are hashed and cannot be viewed in plain text
API keys and credentials are stored as environment variables, not in source code
We use two-factor authentication on all administrative accounts
We conduct regular reviews of our security measures

11. Your rights

Under UK GDPR, you have the following rights:

If you are a pharmacy customer (we are the controller):

Right of access — request a copy of the data we hold about you
Right to rectification — ask us to correct inaccurate data
Right to erasure — ask us to delete your data (subject to legal obligations)
Right to restrict processing — ask us to limit how we use your data
Right to data portability — request your data in a machine-readable format
Right to object — object to processing based on legitimate interests
Right to withdraw consent — where we process data based on consent, you can withdraw it at any time

If you are a patient:

Because the pharmacy is the data controller for patient data, you should direct any data rights requests to your pharmacy in the first instance. If you contact us directly, we will forward your request to the relevant pharmacy and assist them in responding within the required timeframe.

To unsubscribe from automated emails, click the unsubscribe link at the bottom of any email you receive through Pharmassist.

12. How to contact us

For any questions about this privacy policy or to exercise your data rights:

Email: hello@pharmassist.co.uk

Aven Systems Ltd
Company Number: 17156019
London, England

13. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113

14. Changes to this policy

We may update this privacy policy from time to time. We will notify pharmacy customers of any material changes by email. The latest version will always be available at pharmassist.co.uk/privacy.html.