This Privacy Policy explains how Apothecare Group Limited trading as Quick Meds ("we", "us", "our") collects, uses, stores, and shares your personal information when you use our website (www.quickmeds.co.uk), purchase products or services from us, or otherwise interact with us.
We are committed to protecting and respecting your privacy. We process your personal data in accordance with the UK General Data Protection Regulation (Regulation (EU) 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018) (UK GDPR), the Data Protection Act 2018 (c. 12), and all other applicable UK data protection legislation.
We do not sell your personal data to third parties and never will. We only share your data where it is necessary for the purposes set out in this policy or where we are required to do so by law.
Please read this policy carefully before using our website or services. By accessing our website, creating an account, or placing an order, you acknowledge that you have read and understood this policy. If you have any questions, please contact us using the details set out in Section 16.
Apothecare Group Limited trading as Quick Meds is the data controller responsible for your personal data.
Company name: Apothecare Group Limited
Trading name: Quick Meds
Company registration number: 11824371 (England and Wales)
Registered address: 320a Stratford Road, Shirley, Solihull, B90 3DN
Trading address: Unit 2 Forge Industrial Park, Forge Lane, Sutton Coldfield, Birmingham, B76 1AJ
ICO registration reference: ZA536099
We are registered with the General Pharmaceutical Council (GPhC) to provide pharmacy services in the United Kingdom.
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing compliance with this policy and with data protection law.
If you have any questions about this policy, about how we handle your personal data, or if you wish to exercise any of your rights under data protection law, you can contact our Data Protection Officer at:
Email: [email protected]
Telephone: 0121 628 5318
Address: Data Protection Officer, Apothecare Group Limited, Unit 2 Forge Industrial Park, Forge Lane, Sutton Coldfield, Birmingham, B76 1AJ
We collect and process different types of personal data depending on how you interact with us. The categories of data we collect are set out below.
When you create an account on our website, we collect your name, email address, telephone number, date of birth, gender, postal address, and account login credentials.
When you complete an online consultation questionnaire, participate in a telephone or video consultation, or communicate with our clinical team, we collect information about your medical history, current medications (including over-the-counter and herbal remedies), known allergies, lifestyle factors, symptoms, and any other health information you provide to us. This may also include photographs submitted for clinical assessment purposes.
Clinical and health data is special category data under Article 9 of the UK GDPR. The lawful basis on which we process this data is set out in Section 5.
We may collect the name and address of your GP practice and, where relevant, details of other healthcare providers involved in your care.
To comply with our regulatory obligations, we are required to verify the identity of patients who place orders with us. We collect your name, date of birth, and address for this purpose. This information is checked against third-party data sources (including credit reference agencies, the telephone directory, and the electoral register) through our identity verification provider, LexisNexis Risk Solutions UK Limited. This is not a credit check and does not affect your credit score.
When you place an order, we collect details of the products and services you have purchased, order history, delivery address, and payment information. Payment card details are transmitted directly to our payment processor, Opayo (Elavon), and are not stored on our systems.
When you contact us by email, telephone, live chat, or any other method, we collect the content of those communications and any personal data contained within them. Telephone calls may be recorded for training and quality assurance purposes; you will be informed of this at the start of the call.
When you visit our website, we automatically collect certain technical information, including your IP address, browser type and version, operating system, device type, referring URL, pages visited, time spent on pages, and other usage data. This information is collected through cookies and similar technologies. Please refer to Section 12 for further details.
Where you have given us your consent, we collect information about your marketing preferences, including whether you have opted in to receive promotional emails, SMS messages, or other marketing communications from us.
Under the UK GDPR, we must have a lawful basis for each processing activity we carry out. The lawful bases we rely on are set out below.
| Processing activity | Lawful basis |
|---|---|
| Creating and managing your account | Performance of a contract (Article 6(1)(b)) |
| Processing and fulfilling your orders, including dispensing and delivery | Performance of a contract (Article 6(1)(b)) |
| Conducting identity verification checks | Legal obligation (Article 6(1)(c)) — we are required by the GPhC and pharmaceutical regulations to verify the identity of patients |
| Communicating with you about your orders, consultations, and treatment | Performance of a contract (Article 6(1)(b)) |
| Processing payments and refunds | Performance of a contract (Article 6(1)(b)) |
| Handling complaints and resolving disputes | Legitimate interests (Article 6(1)(f)) — it is in our legitimate interest and yours to resolve complaints fairly |
| Detecting and preventing fraud and misuse of our services | Legitimate interests (Article 6(1)(f)) — it is in our legitimate interest to protect our business and our patients from fraudulent activity |
| Sending you marketing communications | Consent (Article 6(1)(a)) — we will only send you marketing communications where you have given us your explicit consent to do so |
| Measuring advertising performance and attributing conversions through server-side integrations (Conversions APIs) with advertising platforms | Consent (Article 6(1)(a)) — data is only shared with advertising platforms where you have consented to advertising cookies and tracking through our cookie consent mechanism. No clinical, health, or treatment data is shared with advertising platforms. |
| Improving our website, services, and customer experience through analytics | Legitimate interests (Article 6(1)(f)) — it is in our legitimate interest to understand how our website is used and to improve our services |
| Complying with legal and regulatory obligations, including reporting to the GPhC and MHRA | Legal obligation (Article 6(1)(c)) |
| Retaining records for legal, regulatory, and clinical governance purposes | Legal obligation (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)) |
Your clinical and health data is special category data and requires an additional condition for processing under Article 9 of the UK GDPR.
The primary condition we rely on for processing your health data is Article 9(2)(h) — processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of UK law. This is supplemented by Schedule 1, Part 1, Paragraph 2(2)(f) of the Data Protection Act 2018, which provides for the management of healthcare systems or services.
In practical terms, we need to process your health data in order to carry out clinical consultations, assess your suitability for treatment, issue prescriptions, dispense medication, monitor your ongoing treatment, and fulfil our pharmacovigilance and clinical governance obligations.
We do not rely on consent as the lawful basis for processing your health data. This is because, in a healthcare context, consent cannot be freely given where it is a condition of receiving treatment. Your health data is processed because it is necessary for us to provide you with safe and effective healthcare services.
Where we use your health data for purposes other than the direct provision of healthcare — for example, internal clinical audits or service improvement — we rely on legitimate interests (Article 6(1)(f)), supplemented by Article 9(2)(h) and appropriate safeguards.
We use your personal data for the following purposes:
To create and manage your account on our website.
To carry out clinical consultations and assessments, whether conducted online, by telephone, by video call, or by any other method.
To assess your suitability for treatment and to issue prescriptions where clinically appropriate.
To dispense, pack, and dispatch medication and other products to you.
To verify your identity in accordance with our regulatory obligations.
To process your payments and issue refunds where applicable.
To communicate with you about your orders, consultations, treatment, and any queries or issues you raise with us.
To handle complaints in accordance with our Complaints Procedure.
To monitor your ongoing treatment and contact you regarding follow-up consultations, treatment reviews, or monitoring requirements.
To report adverse events and suspected defective medicines to the Medicines and Healthcare products Regulatory Agency (MHRA) in accordance with our pharmacovigilance obligations under the Human Medicines Regulations 2012 (SI 2012/1916, as amended), Part 15.
To detect, prevent, and investigate fraud, misuse of our services, and other prohibited conduct as set out in our Terms and Conditions.
To comply with our legal and regulatory obligations, including our obligations to the GPhC, the MHRA, the ICO, and any other relevant authority.
To improve our website, services, and customer experience.
To measure the performance of our advertising campaigns and attribute conversions through server-side integrations (Conversions APIs) with advertising platforms, including Meta (Facebook and Instagram) and Google Ads. Where you have consented to advertising tracking through our cookie consent mechanism, limited non-clinical data (such as a hashed email address or telephone number, transaction value, and order confirmation) may be transmitted to these platforms via their respective Conversions APIs. We do not share any clinical, health, treatment, or consultation data with advertising platforms. Data transmitted through Conversions APIs is subject to the same consent requirements as browser-based tracking and will not be sent where you have not consented.
To send you marketing communications where you have given us your consent to do so.
To maintain clinical governance records and conduct internal audits.
We share your personal data only where it is necessary for the purposes set out in this policy, or where we are required to do so by law. We do not sell your data to any third party.
The categories of recipients with whom we share your data are set out below.
Your data is accessible to appropriately authorised members of our team, including prescribers, pharmacists, pharmacy technicians, dispensary staff, healthcare assistants, customer service representatives, and IT support staff. All members of our team are bound by professional codes of conduct and internal confidentiality obligations.
We use the following third-party service providers who process personal data on our behalf. Each provider acts as a data processor under a written data processing agreement and is required to process your data only in accordance with our instructions and applicable data protection law.
| Provider | Purpose | Data shared |
|---|---|---|
| Opayo (Elavon Financial Services DAC) | Payment processing and refunds | Payment card details, billing address, transaction amount. Card details are transmitted directly to Opayo and are not stored on our systems. |
| LexisNexis Risk Solutions UK Limited | Identity verification | Name, date of birth, address. Checked against credit reference agencies, telephone directory, and electoral register. This is not a credit check. |
| Royal Mail | Delivery of orders | Name, delivery address, contact telephone number, order reference. |
| The Doctors Laboratory (TDL) | Laboratory testing services | Name, date of birth, clinical information relevant to the test requested. |
| Google Analytics (Google LLC) | Website analytics | Anonymised and pseudonymised usage data, IP address (anonymised), pages visited, session duration, device and browser information. |
| Microsoft Clarity (Microsoft Corporation) | Website analytics, heatmaps, and session replay | Pseudonymised usage data, pages visited, click and scroll behaviour, device and browser information. Microsoft Clarity does not capture keystrokes in form fields containing personal data. |
| Microsoft Advertising (Microsoft Corporation) | Advertising performance measurement | Pseudonymised conversion data, device information. |
| Trustpilot A/S | Customer review collection and display | Name, email address, order reference. Shared only where you have been invited to leave a review. |
| EmailOctopus (Three Creatures Ltd) | Transactional email delivery (order confirmations, dispatch notifications, prescription updates) | Name, email address, order reference, delivery status. |
| Customer.io (Peaberry Software, Inc.) | Marketing email automation, behavioural messaging, and customer engagement journeys | Name, email address, marketing preferences, purchase history, and behavioural data (such as pages visited and engagement with previous communications). Shared only where you have consented to receive marketing. |
| Meta Platforms, Inc. | Advertising performance measurement via Meta Conversions API (server-side) | Where you have consented to advertising tracking: hashed email address, hashed telephone number, transaction value (without product or treatment details), and conversion event type (labelled generically, not by treatment category). No clinical, health, or treatment data is shared. Meta acts as an independent data controller for the data it receives. |
| Google LLC (Google Ads) | Advertising performance measurement via Google Ads Conversions API / Enhanced Conversions (server-side) | Where you have consented to advertising tracking: hashed email address, hashed telephone number, transaction value, and conversion event type. No clinical, health, or treatment data is shared. Google acts as an independent data controller for certain advertising data it receives. |
We may share your personal data with third parties where we are required or permitted to do so by law, including:
The General Pharmaceutical Council (GPhC), in connection with our regulatory obligations, inspections, or investigations.
The Medicines and Healthcare products Regulatory Agency (MHRA), in connection with adverse event reporting, pharmacovigilance obligations, or defective medicines investigations.
NHS Counter Fraud Authority, the Police, or other law enforcement agencies, where we reasonably suspect fraud, criminal activity, or a threat to patient safety.
The Information Commissioner's Office (ICO), in connection with any data protection matter.
Courts, tribunals, or legal advisers, where necessary for the establishment, exercise, or defence of legal claims.
Your GP or other healthcare provider, where we consider it clinically necessary to share information about your treatment, or where you have asked us to do so.
We will only disclose the minimum amount of personal data necessary in each case and will do so in accordance with applicable law.
We are required by the regulations governing online pharmacy services to verify the identity of patients who place orders with us. This verification is carried out by LexisNexis Risk Solutions UK Limited.
When you place an order, the personal information you provide (name, date of birth, and address) is checked by LexisNexis against the following data sources: consumer credit reference agency records, the telephone directory, and the electoral register. This is an identity verification check only. It is not a credit check and will not affect your credit rating.
We carry out this verification on the basis of our legal obligation to comply with the regulations governing online pharmacy services (Article 6(1)(c) UK GDPR). Your consent is not required for this processing, as it is a regulatory requirement. However, if you have concerns about this process, please contact us before placing your order.
LexisNexis acts as both a data processor (on our behalf) and as an independent data controller (in relation to its own fraud prevention and identity verification activities). You have a right to access your personal records held by LexisNexis. For further information, please refer to the LexisNexis processing notice at https://risk.lexisnexis.com/corporate/processing-notices/idu-app or contact LexisNexis at: LexisNexis Ltd, Lexis House, 30 Farringdon Street, London, EC4A 4HH.
In addition to browser-based tracking (cookies and pixels), we use server-side integrations known as Conversions APIs (CAPI) provided by Meta (for Facebook and Instagram advertising) and Google (for Google Ads). These integrations allow our server to send conversion event data directly to the advertising platform's server, rather than relying solely on browser-based tracking, which can be affected by ad blockers, cookie restrictions, and browser privacy settings.
Where you have consented to advertising tracking through our cookie consent mechanism, the following data may be transmitted to Meta and Google via their respective Conversions APIs:
A hashed (one-way transformed) version of your email address.
A hashed version of your telephone number.
The monetary value of a transaction (without any indication of the product or treatment category purchased).
A generic conversion event identifier (for example, a generalised event confirming that a purchase was completed, without specifying what was purchased).
Technical identifiers such as your IP address, browser user agent, and click identifiers where available.
As an online pharmacy, we are particularly conscious of the sensitivity of the data we hold. We have implemented strict safeguards to ensure that no clinical, health, treatment, or consultation data is ever transmitted to any advertising platform. Specifically, the following categories of data are never shared with Meta, Google, or any other advertising platform:
The name, type, or category of any medication, treatment, or product purchased.
Any information relating to medical conditions, symptoms, or diagnoses.
Any consultation responses, clinical notes, or prescribing information.
Any URL paths or page identifiers that could reveal the health condition or treatment category being viewed or purchased.
Any custom event parameters that could indicate a health-related intent.
Conversion events transmitted via the Conversions APIs are labelled using generic, non-health-specific identifiers that do not reveal the nature of the product or service purchased.
Server-side conversion tracking via Conversions APIs is subject to the same consent requirements as browser-based tracking. Data is only transmitted to advertising platforms where you have given your consent to advertising and marketing cookies through our cookie consent mechanism, in compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426, as amended) (PECR) and the UK GDPR.
If you do not consent, or if you withdraw your consent at any time through our cookie settings, no data will be transmitted to Meta or Google via these server-side integrations. You can manage your cookie preferences at any time through the cookie settings on our website.
When data is transmitted to Meta or Google via their Conversions APIs, each platform processes the data it receives as an independent data controller for its own purposes (such as advertising measurement, optimisation, and reporting). We are the data controller for the initial collection and transmission of the data. The processing by Meta and Google after receipt is governed by their own privacy policies and data processing terms. For further information, please refer to Meta's Data Policy (www.facebook.com/privacy/policy) and Google's Privacy Policy (policies.google.com/privacy).
Our advertising accounts are classified by Meta under its health and wellness data restrictions policy. This classification imposes additional platform-level restrictions on the types of data that can be shared and the advertising features that can be used. We comply with all such restrictions and have configured our server-side integrations accordingly. Where Meta or Google restricts or disables certain tracking capabilities for health-classified accounts, we do not attempt to circumvent those restrictions.
Some of our third-party service providers are based outside the United Kingdom. Where your personal data is transferred outside the UK, we ensure that appropriate safeguards are in place to protect your data in accordance with Article 46 of the UK GDPR.
The following transfers take place:
Google LLC (United States) — Google Analytics and Google Ads data (including Enhanced Conversions data) is transferred to the United States. Google participates in the UK Extension to the EU-US Data Privacy Framework, which has been recognised by the UK Government as providing adequate protection for personal data.
Microsoft Corporation (United States) — Microsoft Clarity and Microsoft Advertising data may be transferred to the United States. Microsoft participates in the UK Extension to the EU-US Data Privacy Framework.
Meta Platforms, Inc. (United States) — Data transmitted via the Meta Conversions API is transferred to the United States. Meta participates in the UK Extension to the EU-US Data Privacy Framework.
Customer.io (Peaberry Software, Inc.) (European Union) — Our Customer.io account is configured to use EU-regional data hosting. Marketing automation data is processed and stored within the European Economic Area. Transfers from the UK to the EEA are covered by the UK adequacy decision for the EEA. Customer.io uses sub-processors (including AWS and Google Cloud Platform) with both US and EU infrastructure; our EU configuration ensures customer data remains within the EEA region.
Trustpilot A/S (Denmark) — Trustpilot is based in the European Economic Area. Transfers from the UK to the EEA are covered by the UK adequacy decision for the EEA.
Where any transfer is not covered by an adequacy decision, we rely on standard contractual clauses approved by the ICO, or another appropriate safeguard permitted under the UK GDPR.
Your personal data is stored securely on servers located in the United Kingdom. We implement appropriate technical and organisational measures to protect your data against unauthorised access, accidental loss, destruction, or damage. These measures include:
Encryption of data in transit using industry-standard SSL/TLS protocols.
Access controls that restrict access to personal data to authorised members of our team on a need-to-know basis.
Firewalls and intrusion detection systems to protect our network infrastructure.
Regular security assessments and monitoring.
Staff training on data protection and information security.
Written data processing agreements with all third-party processors, requiring them to implement appropriate security measures.
Payment card details are transmitted directly to our payment processor, Opayo (Elavon), via their secure payment gateway and are not stored on our systems. Opayo is certified to the Payment Card Industry Data Security Standard (PCI DSS).
While we take all reasonable steps to protect your data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data, but we are committed to maintaining the highest practicable standards of data security.
We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. The retention periods for different categories of data are set out below.
| Data category | Retention period | Basis |
|---|---|---|
| Medical and clinical records (including consultation records, prescribing records, and dispensing records) | 10 years from the date of the last entry, or in the case of a deceased patient, 10 years from the date of death | NHS Records Management Code of Practice; GPhC guidance |
| Prescription records | 5 years from the date of dispensing | Medicines, Ethics and Practice (MEP) guide |
| Account and registration data | For the duration of your account, plus 7 years after account closure or last activity | Limitation Act 1980 (c. 58) — 6-year limitation period for contract claims, plus 1 year |
| Order and transaction data | 7 years from the date of the transaction | HMRC requirements; Limitation Act 1980 |
| Identity verification records | 5 years from the date of verification | Regulatory requirements |
| Complaints records | 10 years from the date of resolution | NHS Records Management Code of Practice; GPhC guidance |
| Marketing consent records | For the duration of your consent, plus 2 years after withdrawal of consent | ICO guidance; accountability obligations |
| Website analytics data (Google Analytics, Microsoft Clarity) | 14 months from the date of collection (Google Analytics default); 13 months (Microsoft Clarity) | Provider data retention defaults |
| Telephone call recordings | 12 months from the date of the call | Legitimate interests — quality assurance and training |
At the end of the applicable retention period, your data will be securely deleted or anonymised so that it can no longer be associated with you.
Where data is anonymised, it may be retained indefinitely for statistical and analytical purposes, as anonymised data is no longer personal data within the meaning of the UK GDPR.
Our website uses cookies and similar technologies to collect technical and usage data about your visit. A cookie is a small text file that is placed on your device when you visit a website.
We use the following categories of cookies:
Strictly necessary cookies — These cookies are essential for our website to function. They enable core features such as account login, shopping basket functionality, and secure checkout. These cookies cannot be disabled.
Analytical and performance cookies — These cookies collect anonymised information about how visitors use our website, including which pages are visited most often and whether visitors encounter error messages. We use Google Analytics and Microsoft Clarity for this purpose. These cookies help us to improve the way our website works.
Advertising and targeting cookies — These cookies are used to deliver advertisements that are relevant to you and to measure the effectiveness of our advertising campaigns. We use Microsoft Advertising, Meta Pixel (for Facebook and Instagram advertising), and Google Ads tags for this purpose. Where you consent to these cookies, they work in conjunction with the server-side Conversions APIs described in Section 9 to measure and attribute conversions. These cookies are only set where you have given your consent through our cookie consent mechanism.
You can manage your cookie preferences at any time through the cookie settings on our website. You can also configure your browser to refuse some or all cookies, or to alert you when cookies are being set. Please note that if you disable cookies, some parts of our website may not function correctly.
For further information about the cookies we use, please refer to our Cookie Policy, which is available on our website.
Our use of cookies complies with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426, as amended) (PECR).
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and are subject to certain exemptions and limitations.
Right of access (Article 15) — You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request. We will respond to your request within one calendar month of receiving it. We may ask you to verify your identity before providing the information.
Right to rectification (Article 16) — You have the right to request that we correct any personal data that is inaccurate or incomplete. You can update some of your information directly through your account settings. For any information that cannot be amended through your account, please contact us.
Right to erasure (Article 17) — You have the right to request that we delete your personal data in certain circumstances, for example where the data is no longer necessary for the purpose for which it was collected, or where you withdraw your consent. Please note that we are unable to delete clinical and medical records where we are required by law or professional regulation to retain them. Where we cannot comply with a deletion request, we will explain the reasons.
Right to restrict processing (Article 18) — You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we are verifying the accuracy of your data or considering an objection you have raised.
Right to data portability (Article 20) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller, where the processing is based on consent or the performance of a contract and is carried out by automated means.
Right to object (Article 21) — You have the right to object to the processing of your personal data where we are relying on legitimate interests as the lawful basis. We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests. You also have the right to object to processing for direct marketing purposes at any time.
Right to withdraw consent — Where we rely on your consent as the lawful basis for processing (for example, for marketing communications), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw your consent by updating your marketing preferences in your account settings, by using the "unsubscribe" link in any marketing email, or by contacting us.
Rights related to automated decision-making (Article 22) — You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently carry out any solely automated decision-making of this nature.
To exercise any of these rights, please contact our Data Protection Officer using the details set out in Section 3. We will respond to your request within one calendar month. In exceptional cases, where a request is particularly complex or we receive a large number of requests, we may extend this period by a further two months, but we will notify you of the extension and the reasons for it within the first month.
If you are unhappy with the way we have handled your personal data, you have the right to make a complaint.
In the first instance, we would encourage you to contact our Data Protection Officer using the details in Section 3, so that we can try to resolve the matter directly.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you have any questions about this Privacy Policy or about how we handle your personal data, please contact us:
Telephone: 0121 628 5318
Email: [email protected]
Address: Unit 2 Forge Industrial Park, Forge Lane, Sutton Coldfield, Birmingham, B76 1AJ
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Where we make material changes, we will notify you by email (where we have your email address and permission to contact you) and by posting a prominent notice on our website.
We encourage you to review this policy periodically. Continued use of our website and services following any changes constitutes your acceptance of the updated policy.
The following legislation and regulatory instruments are referenced within this policy:
Data Protection Act 2018 (c. 12)
Human Medicines Regulations 2012 (SI 2012/1916, as amended)
Limitation Act 1980 (c. 58)
Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426, as amended)
UK General Data Protection Regulation (Regulation (EU) 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018)
The following regulatory standards and guidance are also referenced:
GPhC Standards for Registered Pharmacies (April 2023)
ICO Guidance on Lawful Basis for Processing
NHS Records Management Code of Practice
Payment Card Industry Data Security Standard (PCI DSS)
© 2026 Quick Meds™ All rights reserved. Apothecare Group Limited | Company Registration: 11824371