Nelson's privacy notice
Last updated: 26/09/2023
We want you to feel comfortable using our website (our site). At Nelsons, we are deeply committed to protecting your privacy.
This Privacy Notice describes the types of personal data we collect about you, the purposes for which we use it, and your data protection rights.
Please see the section titled ‘Useful words and phrases’ at the end of this Privacy Notice for explanations of the defined terms used in this Privacy Notice.
If you have any queries about how we handle your data, please contact us by email at email@example.com.
We mainly process your personal data to:
- Provide you with information, products or services that you request from us
- Enable our Pharmacy or authorised third party logistics partner, CPG Logistics, to fulfil your order using your name, address, telephone number and email address as provided by you.
- Process your order from both our third party warehouse, CPG Logistics (CPG), and from our Pharmacy, using your name, address, telephone number and email address to enable order fulfilment
- Notify you of deliveries for your orders
- Carry out our obligations under any contract entered into between you and us
- Send you information about our products or services we believe will be of interest (if you consent to us doing so)
- Allow you to participate in our interactive features (when you choose to do so)
- Enable you to participate in, and for us to manage, any competition or prize draw you have entered
- Use agency fraud detection to screen credit card details prior to accepting payments for goods
- Carry out research if you have responded to one of our surveys
- Ensure that content from our site is presented in the most effective manner for you and for your device
- For public relations purposes if you are a journalist or social media influencer
- Notify you about changes to our service
- Comply with a legal or regulatory obligation
About us and this privacy notice
This Privacy Notice is provided by Nelson Pharmacies Limited ("we", "us", "Nelsons", or "our"), a company incorporated in England under number 01698162 with registered office at Nelsons House, 83 Parkside, Wimbledon, London, SW19 5LP, which is a controller for the purposes of European and UK Data Protection Laws and registered with the ICO with registration number Z849714X.
This Privacy Notice applies to website users, customers, Nelsons' patients, suppliers, participants who enter into competitions or respond to surveys, journalists and social influencers.
We are responsible for looking after the personal data you give to us and take your privacy very seriously. We ask that you read this Privacy Notice carefully as it contains important information about our processing and your rights.
How to contact us:
If you need to contact us about this Privacy Notice, please use the details below:
- Our Data Protection Officer is currently Olivia Blackwood
- Address: Nelsons House, 83 Parkside, Wimbledon, London, SW19 5LP
- Telephone number: +44(0)20 8780 4200
- Email: firstname.lastname@example.org
If you would like this Privacy Notice in another format (for example: audio, large print, braille), please contact us.
What personal data do we process?
We collect, use, store, share and otherwise process the following personal data about you:
The personal data we process about you might include the country you are based in, account credentials, your first and last name, shipping address, cart contents, the products you order, credit card details, payment and purchase history, delivery/pick choices made for orders, e-mail address, telephone number, competitions / prize draws, and other promotional activities you take part in, opinions and any other information you share with us or others share with us about you.
We will process the personal data you provide to us, for example, when you use our website. We will also process personal data about you that others share with us, for example, when someone calls us about an order they placed on your behalf.
We will automatically remove your personal data from our systems if you have not purchased from us in the prior two years. If you have registered to receive marketing communications from us and no longer wish to receive such communications, please click the unsubscribe link included in the footer of every email we send.
We will process the information you provide to us when you use our website, purchase a product, contact us for any reason, to subscribe to any of our services, post material on social media, request further services, or if you enter a competition or promotion run by us, respond to a survey or report a problem with our site. We will also process information you provide when you sign up to receive marketing communications from us and when we contact you or when you contact us, via email or phone.
We will process the information you provide to us via the ‘special instructions’ box when you complete an order on our website and any information you share via email or phone including any opinions you provide and any personal data you put in emails. We will also process any information you provide through our ‘Speak to an expert’ page, including any personal data you include in the message box.
If you or other individuals share data in a way that makes the data publicly available, for example, via a post on social media, this information will also be available to others who visit the website or use the same social media platform.
If you are a journalist/social influencer, we also process your place of work, interests, and social media managers.
If you are a supplier or a business partner or work for one of our suppliers or business partners, we will process business contact details about you such as your name, position, email and phone number and any other personal data about you provided via email or phone by you or the organization you work for.
We also collect details of your visits to our site, including pages you visit on the site, device settings and location data.
Special categories of data
We might process such data about you including data related to your health conditions, medical records and prescriptions. We will also process any special categories of data you provide to us or another person provides to us about you.
Personal information provided by third parties
All the information we process about you has been provided by you, or by a third party, for example, a member of your family acting on your behalf.
If you are a journalist or a social influencer, we collect data from third parties such as Sprout Social, who will provide us with publicly available information about you.
If information about you has been provided to us by another person, we will generally process your personal data on the basis of our legitimate interests in running our business, including the commercial benefits in providing our services and products. If the information provided to us by another person includes health data, we will process that health data for health care purposes under the health and social care purposes lawful basis and conditions, as a registered pharmacist (GPhC registration number: 1106255).
Personal information about other individuals
If you provide us with information about other individuals (e.g. a member of your family), please make sure you have informed them and they are comfortable with you sharing the relevant information about them with us.
Sources of personal data
We might receive personal data about you from you, or when others provide this data to us. We might also receive personal data about you when you or others make such information publicly available.
We may also process personal data we receive or collect from other organisations, including those listed in the section titled “Who will have access to your personal data?” below.
We may also collect your personal data through Instagram and LinkedIn when you use tools to tag us and mention us in your posts and comments through your accounts on these platforms, and when you provide us with your personal data on our accounts on these platforms, e.g. when you comment on one of our posts on Instagram.
If you are a supplier or a business partner or work for one of our suppliers or business partners, we will process personal data about you which you provide to us or that the organization you work for provides to us or that any other third party provides to us.
Why do we process your personal data?
Please see below for the purposes for which we use your personal data and the lawful bases we rely on.
Lawful basis for processing
To allow you to use and interact with our website
Our legitimate interests in making our website available to the public, including the promotional benefits for our business
To process and deliver your order including to manage payments, fees and charges
In order to take steps prior to entering into a contract with you and/or for the performance of a contract with you
To manage our relationship with you which will include notifying you about changes to our service, terms or privacy notice
(a) Performance of a contract with you
(b) When we are legally required to notify you of a change, we will notify you because it is necessary for us to comply with the relevant legal obligation
To run our everyday operations, for example, enable communications between members of our team and different suppliers in connection with the provision of our products and sharing data with service suppliers that aid the operation of our business
Our legitimate interests in running our business, including our commercial and financial benefits
To aggregate information about you so that the aggregated information can be shared with members of our group, associated companies and marketing partners
The legitimate interests of the data recipients including the facilitation of their business development efforts
To comply with our legal obligations, for example, in connection with requirements relating to invoicing, tax and financial accounts
To comply with a legal obligation we are subject to
To respond to communications, including customer support queries from individual customers
Our legitimate interests in creating and maintaining our customer relationships, including our commercial interests in these relationships
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
Our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise)
To investigate and report on potential personal data breaches or fraudulent use of our systems or services (including product delivery and return services)
To comply with our legal obligations
To deliver marketing communications to you
To use data analytics to improve our website, services, customer relationships and experiences
(b) Our legitimate interests in improving our website and services, when the processing relates to other activities involving analytics
To establish, exercise or defend legal claims or to otherwise interact with courts and other authorities
a) Compliance with a legal obligation we are subject to
b) Our legitimate interests in establishing, exercising or defending legal claims or in otherwise interacting with courts and other authorities, including following their instructions
To administer an investment in, sale or possible investment in or sale of the whole of or part of our business or the restructuring of our business
Our legitimate interests in facilitating any such possible or actual transaction or restructuring, including our commercial interests
To facilitate our relationship with you as a supplier, business partner, journalist or influencer or if you work for a corporate supplier or business partner including an advertising partner, to facilitate our relationship with that organisation
Our legitimate interests in facilitating our relationship with you or the organisation you work for
We will also provide members of our group and any associated companies and marketing partners with aggregate information about our users (for example, we might inform them that 500 men aged under 30 clicked on a particular link on any given day). We will also use such aggregate information to help members of our group, associated companies and marketing partners reach the kind of audience they want to target (for example, women in SW1).
We may also process your personal data for additional purposes if such purposes are compatible with those listed above and if we believe that the same lawful basis applies.
In certain circumstances, you may be obliged to provide us with your personal data under a statutory or contractual requirement. This might include, but is not limited to, personal data we require to enter into an agreement with you or the organisation you work for; for tax and accounting purposes; and to enable us to fulfil our compliance and other obligations under relevant legislation or regulation. Failure to provide us with personal data required under a statutory or contractual requirement may prevent us from entering into or performing our obligations under a contract with you or your business.
Marketing - We include an ‘unsubscribe’ option in all our marketing communications which you can use if you would like to stop receiving marketing emails from us.
Special categories of data
We are allowed to process your special categories of personal data on the following legal bases:
Health care services – As a registered pharmacist (GPhC registration number: 1106255) under the Pharmacy Order 2010 (S.I. 2010/231) for the provision of health care under the health or social care basis, and under the health or social care purposes condition of the Data Protection Act 2018.
In limited circumstances, if we need to process your data to provide you with health care services, pursuant to a contract with one of our practitioners, who, according to law, is subject to a duty of secrecy or is a registered health professional.
Consent – You have given your explicit consent.
Legal claims – We need to process your personal data where this is required to defend or establish a legal claim, or where courts are acting in their judicial capacity.
Vital interests – When the processing is necessary to protect your vital interests or those of another person, when you or another person are incapable of giving consent.
Scientific, statistical or historical research purposes – When the processing is necessary for archiving purposes in the public interest, or for scientific or statistical purposes, based on an act of law.
Who will have access to your personal data?
We may share your personal data with third parties.
The section below lists some of our key service providers that act as our processors who, if necessary, will have access to your personal data (including special categories of data). If you would like to know the names of our other service providers (e.g. IT service providers), please contact us using the details at the start of this Privacy Notice.
Who is information shared with: processors
- Birchman provides enterprise resource planning system support on behalf of A Nelson & Co Limited.
- Sage Pay provides secure payments for online purchases.
- Shopify hosts the website: www.nelsonspharmacy.com
- Mailchimp as a data processor for the Nelsons' Pharmacy newsletter
- EposNow provides till system services.
- Retail Merchant Service provides Payment System and Payment Clearance services.
- Sprout Social as a provider of software for social media management, social advocacy, social analytics, and social listening.
- CPG, as the third party warehouse, is provided with your name, delivery address and telephone number to enable order fulfilment.
Who is information shared with: controllers
In addition, we share your personal data with the following entities who act as separate controllers of your personal data and, for example, with any member of our group (our subsidiaries or ultimate holding company and its subsidiaries), and associated companies and marketing partners.
We will also need to disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we would disclose your personal data to the prospective seller or buyer of such business or assets.
- If we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets.
- We will also share your personal data with the police, other law enforcement bodies or regulators where we are required by law to do so.
- Freelancers operating our social media accounts
- Analytics agencies like Anders Analytics, Google Analytics, Facebook Analytics and 7stars.
- Independent practitioners offer a range of therapies at Nelsons’ London Pharmacy and are responsible for the processing of a patient / customer’s personal data from the moment the patient / customer has been in contract with the independent practitioner.
Transfers of your personal data outside the UK and EEA
The data that we collect from you might be transferred and stored outside the European Economic Area ("EEA") and/or the UK, for example:
- when it is necessary to be processed by staff operating outside the UK and/or EEA who work for us,
- because we have suppliers who are multinational companies, or are located out of the UK and/or EEA, or have staff working from different locations.
This is mainly because they are engaged in the fulfilment of your order, the processing of your payment details and the provision of support services.
We are under an obligation to ensure that your personal data is only shared as permitted under European and UK Data Protection Laws. In most cases we have agreements in place which are approved by the UK government (for example, the international transfer addendum) and/or European Commission (the standard contractual clauses). If you want to know more about how data is transferred, please contact us using the details in the section above.
When will we delete your data?
Our main rule is not to keep your data for longer than we need to in order to meet all the purposes we included in the section "Why do we process your personal data?".
For most purposes and legal obligations, we have a retention period of 7 years.
In general, we have set out that the following categories of personal data and special categories of data will be kept for the following periods.
Personal data/special categories of data
Contact details of users will be retained for up to two years after the last purchase.
Contact details of customers/patients - retention period = as long as it is required by law
Medical records - retention period = as long as it is required by law
As a data subject, you have the following rights under the Data Protection Laws:
- the right to object to processing of your personal data;
- the right of access to personal data relating to you (known as data subject access request);
- the right to correct any mistakes in your information;
- the right to ask us to stop contacting you with direct marketing;
- the right to restrict the processing of your personal data;
- the right to have your personal data ported to another controller;
- the right to withdraw your consent; and
- the right to erasure.
These rights are explained in more detail below. If you want to exercise any of your rights, please contact us (please see "How to contact us").
We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months but will let you know that we are extending the response deadline and explain why.
Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.
Right to object to processing of your personal data
You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing.
If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so.
Right to access personal data relating to you
You may ask to see what personal data we hold about you and be provided with confirmation that we process your personal data and a copy of such personal data. We may also refer you to this Privacy Notice for supplementary information.
To help us find the information easily, please provide us with as much information as possible about the type of information you would like to see.
Right to correct any mistakes in your information
You can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.
Right to restrict processing of personal data
You may have the right to request that we stop processing your personal data temporarily if:
- you do not think that your data is accurate and we are verifying the accuracy of the data. We might start processing again once we have checked whether or not it is accurate;
- the processing is unlawful and you do not want us to erase your data;
- we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
- you have objected to processing because you believe that your interests should override our legitimate interests.
Right to data portability
You may have the right to ask for an electronic copy of your personal data which we hold electronically and which we process for purposes of a contract with you or on the basis of your consent. You can also ask us to provide this data directly to another party.
Right to withdraw consent
If the lawful basis we rely on for processing your data is consent, you may withdraw your consent at any time. This means that we will not be able to carry out any processing which requires use of that personal data. Please email us at email@example.com to withdraw consent for the processing of your personal data.
Right to erasure
You can ask us to erase your personal data where:
- you do not believe that we need your data in order to process it for the purposes for which it was originally collected or processed;
- you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
- you object to our processing and there is no overriding legitimate interest for us to continue processing your data;
- we have to erase your personal data to comply with a legal obligation; or
- your data has been processed unlawfully.
Complaints to the regulator
It is important that you ensure you have read this Privacy Notice - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible. You have a right to complain to your supervisory authority. In the UK this is the ICO. Information about how to do this is available on the ICO website at /global/contact-us/
Useful words and phrases
Please familiarise yourself with the following words and phrases (used in bold) as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:
This means any person who determines the purposes for which, and the manner in which, any personal data is processed.
Criminal offence data
This means any information relating to criminal convictions and offences committed or allegedly committed.
Data Protection Laws
This means the laws that govern the handling of personal data. This includes the General Data Protection Regulation (EU) 2016/679 and any other national laws implementing that Regulation or related to data protection.
The person to whom the personal data relates.
This means the UK Information Commissioner's Office, which is responsible for implementing, overseeing and enforcing Data Protection Laws.
This means any information from which a living individual can be identified.
This includes information such as telephone numbers, names, addresses, e-mail addresses, photographs and voice recordings. It also includes expressions of opinion and indications of intentions about data subjects (and their own expressions of opinion/intentions).
It also covers information that, on its own, does not identify someone but would if put together with other information which we have or are likely to have in the future.
This covers virtually anything anyone can do with personal data, including:
- obtaining, recording, retrieving, consulting or holding it
- organising, adapting or altering it
- disclosing, disseminating or otherwise making it available
- aligning, blocking, erasing or destroying it
This means any person who processes personal data on behalf of the controller.
Special categories of data
This means any information relating to:
- racial or ethnic political opinions
- religious beliefs or beliefs of a similar nature
- trade union membership
- past, current or future physical or mental health status or condition
- sexual life
- genetic data or biometric data for the purpose of uniquely identifying you
Changes to this Privacy Notice
The latest version of this privacy notice can always be found by clicking the Privacy Notice link in our website footer.
We may change this Privacy Notice from time to time. We will alert you by posting a new privacy notice on our website when changes are made.