Privacy Policy
Oxford Online Pharmacy
General Privacy Notice
Welcome to our Privacy Notice
This notice explains how Oxford Online Pharmacy collects, uses, and shares your personal data, what your legal rights are, and how to exercise them. We have tried to keep it straightforward and free of jargon — please do take a few minutes to read it.
If there is anything here you do not understand, or if you have any questions about how we handle your information, please contact us using the details at the end of this notice. We will always be happy to help.
Who is the Data Controller?
Oxford Online Pharmacy is the trading name under which we provide our pharmacy and prescribing services. The legal entity responsible for your personal data — and your Data Controller for the purposes of UK data protection law — is:
Trading as | Oxford Online Pharmacy |
Legal entity | Frosts Online Ltd |
Company number | 11232746 |
GPhC registration | 9012796 |
ICO registration | ZA477996 |
Address | Unit 2, Apollo Business Park, Ironstone Lane, Banbury, Oxon OX15 6AY |
In this notice, Oxford Online Pharmacy, Frosts Online Ltd, “we”, “us”, and “our” all refer to the same organisation. We are registered with the General Pharmaceutical Council as an internet pharmacy and are subject to inspection by both the GPhC and the Care Quality Commission.
How to contact us
If you have any questions about this notice, want to exercise any of your data protection rights, or wish to make a complaint, you can reach us by any of the following methods:
Telephone | 01295 262925 |
Post | Data Compliance Team, Oxford Online Pharmacy, Unit 2, Apollo Business Park, Ironstone Lane, Banbury, Oxon OX15 6AY |
Our Data Protection Officer
We have appointed an external Data Protection Officer (DPO) to oversee our compliance with data protection law. If you would like to contact our DPO directly — for example, to raise a concern about how we handle your personal data — you can do so as follows:
DPO service | Ametros Group |
Website | |
DPO email |
What kinds of personal data does Oxford Online Pharmacy process?
Oxford Online Pharmacy collects personal data for various purposes. The following table sets out the types of personal data we may collect, either directly from you or from other sources.
Data subject | Types of personal data collected |
Customer / patient | Name, address, date of birth, telephone number, email address, health information, medication history, images submitted as part of a clinical consultation |
Supplier | Name, address, bank details |
Contractor (locums, prescribers) | Insurance certificate, up to three forms of ID (driving licence, passport, bank statement), address, date of birth, phone number, rate of pay, nationality, professional registration number, certificate, referee contact details, training records |
Why does Oxford Online Pharmacy collect personal data?
Legal obligations
We are required by law to process personal data for the following purposes, which relate to our legal and regulatory obligations:
• To maintain financial records and meet our obligations to relevant financial authorities.
• To comply with regulatory requirements, including those of the General Pharmaceutical Council (GPhC), the Care Quality Commission (CQC), and the Medicines and Healthcare products Regulatory Agency (MHRA).
• To cooperate with relevant authorities for reporting criminal activity, or to detect and prevent fraud.
• To investigate any insurance claims or complaints.
Consent
There are some circumstances in which Oxford Online Pharmacy relies on your consent as the lawful basis for processing your personal data. Where we do, we will always make this clear at the point we collect your information.
We may ask for your consent to process your personal data for the following specific purposes:
Marketing communications
With your consent, we may contact you by email, SMS, or post to let you know about products, services, treatments, or offers from Oxford Online Pharmacy that we think may be of interest to you. We will only send you marketing communications if you have opted in to receive them, or where we are permitted to do so under the Privacy and Electronic Communications Regulations (PECR).
A note on notification to your GP
Where we prescribe medicines for you, we may notify your GP or regular prescriber as part of our duty to support your ongoing care. We consider this a necessary part of providing safe healthcare and process this information under Article 9(2)(h) of the UK GDPR — processing necessary for the provision of health care — together with Schedule 1, paragraph 2 of the Data Protection Act 2018. This means GP notification is not dependent on your consent and will occur in accordance with our clinical governance obligations. However, we will always ask your consent before routinely sharing this information with your GP. Any other circumstances will generally be exceptional ones. You can ask us more about this by contacting our Superintendent Pharmacist.
Your right to withdraw consent
Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we carried out before you withdrew it.
To withdraw your consent, please contact us by email at help@oxfordop.co.uk using the subject line “Withdraw consent”, with details of the consent you would like to withdraw, or by post to the Data Compliance Team at the address above.
We will act on your request without undue delay and within one calendar month of receiving it. Withdrawing consent is straightforward — we will not ask you to justify your decision, and doing so will never affect the quality or availability of clinical services you receive from us.
For marketing preferences specifically, you can also unsubscribe directly using the link included in any marketing email we send you, or by emailing help@oxfordop.co.uk.
Legitimate interests
Oxford Online Pharmacy may process personal data for any of the following purposes, which we consider to be within our legitimate business interests. Where we rely on this basis, we have balanced our interests against your rights and concluded that our use is proportionate and does not override your fundamental rights and freedoms.
• To provide goods and services where they have been requested.
• To send notifications of any changes to the goods and services provided that may affect you.
• To improve the quality of the services we offer and to better understand customers’ needs.
• To understand the scale of our customer base; for statistical analysis and market research (using anonymised or aggregated data wherever possible).
• To support and maintain our products and systems.
• To improve our website so that content is delivered more efficiently.
Special Category Personal Data
Personal data that is considered sensitive in nature is given special consideration as to when it may be processed.
We may process the following types of special category personal data, under the lawful basis shown.
Data Category: | Relating To: | Lawful Basis: |
Data concerning health information | Patients | Provision of health or social care |
Lawful Basis Explained:
Provision of health and social care | It is necessary for the purposes of preventive or occupational medicine, or for the provision of health or social care or management of healthcare systems and services. |
Where does Oxford Online Pharmacy obtain personal data?
We will collect personal data directly from you in various ways. This may include when you complete an online consultation form, create an account, place an order, or contact us directly.
We may also obtain personal data from the following sources:
• Your GP, following a referral or notification of prescribing.
• Your NHS records via the National Care Records System.
• Technical functionality that gathers data automatically when you visit our website or use our services (for example, cookies, IP address, and browsing activity — subject to your consent preferences).
• Identity verification providers, where you have submitted identification documents as part of our onboarding or fraud prevention processes.
Who will Oxford Online Pharmacy share your personal data with?
To achieve the above-stated purposes for which we process your personal data, we may have to share information with certain third-party organisations. This may include where we are legally required to do so, or where it is strictly necessary in order to deliver a particular product or service.
We will make all reasonable efforts to ensure any third party with whom we share personal data is compliant with data protection law.
The kinds of third parties we may share your information with include:
• Organisations where it is necessary to provide goods and services or to achieve our business purposes.
Automated decision making
Oxford Online Pharmacy does not undertake any automated decision-making as part of the clinical decision-making process.
Where will Oxford Online Pharmacy process your personal data?
As part of our standard business operations, we may transfer your personal data to organisations based outside the United Kingdom, including countries that have not been granted an adequacy decision under UK data protection law.
Where personal data is transferred to such countries, we ensure that appropriate safeguards are in place. These may include:
• Reliance on the UK-US Data Bridge (for transfers to US organisations that are certified under this framework).
• International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs), where the UK-US Data Bridge does not apply.
• Where the transfer is necessary to fulfil a contract between us and you.
How long will Oxford Online Pharmacy keep your personal data?
We will keep your personal data only for as long as required to achieve the purposes for which it is gathered.
The following criteria determine the period for which we retain personal data:
• Until we are no longer required to do so to comply with regulatory requirements or financial obligations.
• Until we are no longer required to do so by any law we are subject to.
• Until all purposes for which the data was originally gathered have become irrelevant or obsolete.
• Until such time as you request deletion.
Your Data Rights
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights regarding your personal data.
RIGHT | WHAT IT MEANS |
Right of Access Article 15 | You have the right to confirm whether we are processing your personal data, and to receive a copy of that data along with information about how and why it is being used. This is sometimes called a Subject Access Request. |
Right to Rectification Article 16 | If the personal data we hold about you is inaccurate or incomplete, you have the right to ask us to correct it. We will make every effort to respond promptly. |
Right to Erasure Article 17 | You have the right to ask us to delete your personal data. This is not an absolute right — we may need to retain some data to comply with our legal or regulatory obligations. Where we are unable to erase all of your data, we will explain what we can and cannot delete and why. |
Right to Restriction of Processing Article 18 | You have the right to ask us to restrict the processing of your personal data in certain circumstances — for example, if you contest the accuracy of the data we hold, or if you have objected to our processing and we are considering that objection. Restriction means we will continue to store the data but will not otherwise use it without your consent, unless required by law. |
Right to Data Portability Article 20 | Where we process your personal data on the basis of your consent or for the performance of a contract, and that processing is carried out by automated means, you have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format. You may also ask us to transmit that data directly to another organisation where technically feasible. |
Right to Object Article 21 | You have the right to object to our processing of your personal data where we rely on legitimate interests as our lawful basis. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. |
Right to Complain | If you are unhappy with how we have handled your personal data, we ask that you first raise your concern with us so we can investigate. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
ICO website: ico.org.uk; ICO helpline: 0303 123 1113; ICO post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF |
Changes to this notice
We will update this notice from time to time to reflect changes in our processing activities or in data protection law. When we make significant changes, we will take reasonable steps to let you know — for example by publishing a notice on our website or, where appropriate, contacting you directly.
This notice was last reviewed on 14 March 2026.