Privacy Policy

Pharmsuite ("we", "our", or "us") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, process, and safeguard your information when you use our Controlled Drug Register (CDR) platform and related services.

As a UK-based provider of pharmacy management software dealing with controlled substances, we adhere to the highest standards of data protection, including compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant NHS Digital security standards.

We process your data based on the following legal grounds under UK GDPR:

• Contractual necessity (Article 6(1)(b)): To provide our CDR services and platform access
• Legal obligation (Article 6(1)(c)): To comply with pharmacy regulations, controlled drug legislation, and NHS requirements
• Legitimate interests (Article 6(1)(f)): For system security, fraud prevention, and service improvement
• Consent (Article 6(1)(a)): For marketing communications and optional features where explicitly provided

• Provide and maintain the CDR platform and related services
• Ensure regulatory compliance with UK controlled drug legislation
• Generate compliance reports for regulatory authorities when required
• Maintain audit trails and transaction records as legally mandated
• Provide technical support and customer service
• Monitor system security and prevent unauthorised access
• Improve our services and develop new features
• Send service-related communications and updates
• Process payments and manage subscriptions

We may share your information in the following circumstances:

We implement industry-leading security measures to protect your data:

• Encryption: End-to-end encryption for data in transit and at rest using AES-256
• Access controls: Role-based permissions
• Infrastructure: Secure cloud hosting with ISO 27001 certified providers
• Monitoring: 24/7 security monitoring and intrusion detection
• Backups: Regular encrypted backups with secure off-site storage

We retain different types of data for varying periods based on legal requirements:

• CDR transaction records: Minimum 2 years as required by UK controlled drug regulations
• Account information: For the duration of your subscription plus 6 years for tax purposes
• Audit logs: 7 years to meet regulatory and compliance requirements
• Technical logs: 12 months for security and system maintenance
• Marketing data: Until consent is withdrawn or 3 years of inactivity

When retention periods expire, we securely delete or anonymise your data in accordance with our data retention policy.

You have the following rights regarding your personal data:

We use cookies and similar technologies to:

• Maintain your login session and security
• Remember your preferences and settings
• Analyse usage patterns to improve our services
• Provide customer support and troubleshooting

You can control cookie settings through your browser, though this may affect platform functionality.

Your data is primarily processed within the UK. Where we use international service providers, we ensure:

• Adequate data protection through UK adequacy decisions or standard contractual clauses
• Data processing agreements that meet UK GDPR standards
• Regular audits of international partners' security measures

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will:

• Notify you of material changes via email or platform notification
• Update the "Last updated" date at the top of this policy
• Maintain previous versions for your reference

If you believe we have not handled your personal data in accordance with this policy, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):