Privacy Notice

Hampstead Heath Pharmacy, Travel Health & Vaccination Clinic
(Preentree Ltd – registered in England and Wales)

35 South End Road, London, NW3 2PY
Tel/Fax: 020 7435 7075 | www.hhpharmacy.co.uk | info@hhpharmacy.co.uk

This Privacy Notice explains how we collect, use, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Further information about your data privacy rights can be found on the Information Commissioner’s Office (ICO) website: www.ico.org.uk.

1. Who We Are and Our Role

Hampstead Heath Pharmacy, Travel Health & Vaccination Clinic (Preentree Ltd) is the data controller for the personal data we collect and use in the course of providing our pharmacy, travel clinic, vaccination, and other healthcare services.

If you have any questions about this notice, or about how we use your information, you can contact us using the details above.

2. The Information We Process

We process personal data so that we can provide you with safe and effective healthcare services. This includes:

  • Basic details such as your name, date of birth, address, email address, and telephone number.
  • Details of your prescription medicines and medicines supplied to you, including NHS and private prescriptions.
  • Information about the services we provide to you, such as: NHS and private pharmacy services, travel health consultations, vaccination and immunisation services, blood tests and other clinic services, and any advice or information given.
  • Relevant health information you provide or that is shared with us by other healthcare professionals (for example, medical history relevant to your medicines, allergies, vaccination history, and test results).
  • CCTV footage and images captured for security and crime prevention purposes when you visit our pharmacy.

Much of the information we process is classed as special category data, because it relates to your health.

3. How We Obtain Your Information

We receive information about you in several ways, including:

  • Directly from you, for example when you visit the pharmacy, use our travel clinic or vaccination services, or contact us by phone or email.
  • From your GP practice and other NHS organisations, when this is necessary for your care.
  • By accessing your NHS Summary Care Record (SCR) or local shared care records, with your permission, to ensure the medicines or treatments we provide are safe for you.
  • From third parties involved in your care, such as other healthcare professionals, laboratories, and commissioners or organisations who have arranged health services for you.
  • From our website (for example, if you use online forms or booking systems) and any online services we provide.

4. Why We Process Your Data (Legal Bases)

We process your personal data for the following purposes and on the following legal bases:

4.1 Provision of Healthcare and Pharmacy Services

For NHS pharmacy services, we process your personal data because it is necessary to perform a task in the public interest and in the exercise of official authority (providing NHS healthcare services), and to comply with our legal obligations.

For private services (such as our travel health and vaccination clinics, private prescriptions, and private tests), we process your data because it is necessary for the performance of a contract with you or to take steps at your request before entering into such a contract, and for our legitimate interests in running a safe and effective healthcare service where these interests are not overridden by your rights.

When we process information about your health (special category data), we rely on the condition that processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, in accordance with UK GDPR Article 9(2)(h) and the Data Protection Act 2018.

4.2 Communications and Queries

If you contact us with a query, we will use your contact details and any information you provide so that we can respond. This is usually based on our legitimate interests in providing you with information about our services and dealing with your request.

4.3 Healthcare Reminders and Updates

We may use your contact details (such as email or SMS) to send you health-related reminders, including notifications when your prescription is ready for collection, or when a travel vaccination booster is due. With your consent, we may also send you information about our seasonal clinics, such as our flu and COVID-19 vaccination services. You can opt out of these communications at any time by following the unsubscribe link in our messages or speaking to our team.

4.4 Management, Governance and Regulatory Requirements

We also process limited information to manage and improve our services, meet our regulatory obligations, and demonstrate that we provide safe and effective care. This includes:

  • Audit, quality improvement, and clinical governance activities.
  • Responding to complaints, incidents, and safeguarding concerns.
  • Meeting legal and regulatory requirements set by bodies such as the NHS, GPhC, MHRA, and the ICO.
  • Maintaining security and preventing or detecting crime (for example, through the use of CCTV on our premises).

5. How We Use and Share Your Information

We use your information to:

  • Provide pharmacy and clinical care to you.
  • Dispense your medicines and provide advice on their safe and effective use.
  • Deliver travel health assessments, vaccinations, and other clinic services.
  • Arrange and report on tests and investigations where these are part of your care.

Where appropriate and necessary for your care, we may share information with:

  • Your GP practice and other NHS or private healthcare professionals involved in your care.
  • NHS organisations such as NHS England and the NHS Business Services Authority, and Local Authorities where required.
  • Delivery drivers or courier services, strictly limited to the information necessary to deliver your medicines or products safely to your home.
  • External laboratories and clinical service providers when they carry out tests or services you have agreed to, and who act as independent controllers or processors under appropriate agreements.
  • Our IT system suppliers and service providers (for example, patient medication record systems, secure email providers, booking platforms, and AI documentation providers) who act as data processors on our behalf under written contracts, and who are required to keep your information secure.
  • Auditors, regulators, and other official bodies where we are required to share information by law.

We will never pass, sell, or share your personally identifiable data with third parties for their own marketing purposes. We only share your information when it is necessary for your care, required by law, or where you have specifically given us your consent to do so.

6. AI-Assisted Documentation

To help our clinicians focus on you during your consultation, we may use AI-assisted documentation tools, such as Tandem Health, to help draft consultation notes.

When this is used, and with your agreement at the start of the consultation, audio from the consultation is processed securely to create a written summary for your record. The clinician always reviews and confirms the final notes.

The legal basis for this processing is the same as for your care: it is necessary for the provision of health care and the management of health services, and for processing special category data under Article 9(2)(h) UK GDPR.

Our AI provider processes data under strict contractual terms and healthcare-grade security standards. Patient data is processed and stored within secure European data centres, audio is not retained longer than necessary to create the written notes, and your data is not used to train AI models.

You can opt out of AI-assisted documentation at any time by telling your pharmacist or clinician, and this will not affect the care you receive. In that case, we will make notes using our usual manual processes instead.

7. International Transfers

If we ever need to transfer your personal data outside the UK (for example, where one of our IT or technology providers is based overseas), we will ensure that appropriate safeguards are in place in accordance with data protection law, such as adequacy regulations or approved standard contractual clauses. You can contact us for more information about these safeguards.

8. Data Retention and Security

We keep your information for as long as is necessary for the purposes described in this notice and in line with applicable NHS and professional records management and retention guidelines.

Different types of records are kept for different periods (for example, prescription and dispensing records, vaccination records, and clinic records). Further details of our retention periods are available on request.

We take the security and confidentiality of your information very seriously. Access to your information is restricted to staff and contractors who need it to perform their roles and who are subject to confidentiality obligations.

If you email us, please be aware that while we take steps to keep our systems secure, no data transmission over the internet can be guaranteed as 100% secure. You transmit information to us at your own risk.

9. Your Rights

Under UK data protection law, you have a number of rights in relation to your personal data, including the right to:

  • Request a copy of the information we hold about you.
  • Ask us to correct any information you believe is inaccurate or incomplete.
  • Object to certain types of processing, for example where we are relying on legitimate interests.
  • Ask us to erase your information or to restrict how it is used, in certain circumstances.
  • Ask for certain information you have given us to be provided to you or another organisation in a structured, commonly used and machine-readable format (data portability), where the legal basis and technical conditions allow.

Some of these rights are subject to limitations in a healthcare context, for example where we are required to keep records for legal, regulatory, or patient safety reasons. If you would like to exercise any of these rights, please contact us using the details at the top of this notice.

10. NHS National Data Opt-Out

You may choose to opt out of the NHS using your confidential patient data for wider planning and research purposes. You can manage your choices and access this service via the NHS National Data Opt-out programme: https://digital.nhs.uk/services/national-data-opt-out.

11. Cookies and Our Website

Our website may use cookies and similar technologies to make the site work, to understand how it is used, and (where applicable) to improve our services. Some cookies are essential for the site to function; others are optional.

For more information about the cookies we use and how to manage your preferences, please see our separate Cookie Policy.

12. Automated Decision-Making

We do not make decisions about you based solely on automated processing (including profiling) that produce legal effects or similarly significant effects for you. If this ever changes, we will update this notice and explain your rights in relation to such processing.

13. Contact and Complaints

If you have any questions or concerns about how we use your information, or if you wish to exercise your rights, please speak to us in the pharmacy or contact us using the details above.

Our designated Data Protection Officer is:

Kamlesh Patel
Hampstead Heath Pharmacy, Travel Health & Vaccination Clinic (Preentree Ltd)
35 South End Road, London, NW3 2PY

If you remain unsatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk

Last Updated: April 2026