CHARAC PRIVACY NOTICE

Welcome to Charac. We are Charac Limited (“we”, “us” or “our”) and are known as Charac. This privacy notice applies to your use of charac.co.uk and the web browser and mobile application based Charac Platform (our “Services”).Our Platform has been designed to improve the online accessibility of independent pharmacies and their services. Charac enables independent pharmacies to make their appointments, video consultations, prescriptions and other advice/services available to you from the comfort of your own home.At Charac, we are committed to protecting the personal information we process in connection with your use of the Platform. To maintain your trust and the trust of our local pharmacy partners, we aim to be as transparent as possible to ensure that you understand our privacy practices. This includes the information we collect, why we collect it, how it is used and the rights and choices available to you regarding our use of your personal information.

This notice covers the following areas:

1.How does Charac work? who is responsible for my personal information?2. What information does Charac collect about me?3. What cookies and similar technologies does Charac use?4. Why does Charac process my personal information and what are Charac’s legal bases for doing so?5. Who does Charac share your information with and why?6. How does Charac send information outside of my country?7. What are my privacy rights?8. How does Charac protect my personal information?9. How long does Charac retain my personal information?10. Can this Privacy Notice change?11. How can I contact Charac?

1. HOW DOES CHARAC WORK? WHO IS RESPONSIBLE FOR MY PERSONAL INFORMATION?

CharacWe are the operator of the Charac Platform, which has been designed to improve the digitisation of processes and services within community pharmacies. What this means for our users, is that if your local pharmacy has signed up to Charac, then you will be able to book and manage in-store and online appointments, consultations, manage prescriptions with your local pharmacy, as well as providing information ahead of your visit, to improve your instore experience. If you or your pharmacy uses Charac to provide or coordinate your access to pharmaceutical products or services, then we will be the party responsible for the processing of your personal information within the Charac environment (the data controller). Your pharmacyIf your local pharmacy has signed up to Charac, they will be able to coordinate, manage and deliver their products and services through the Platform. Both your pharmacist, and their administrative users will be able to access the Platform, as necessary to coordinate and deliver their services to you. This includes managing your appointments, and prescriptions and adding care notes to your account. The pharmacy will be independently responsible (as a separate and independent data controller) for both their use of the Platform, and their use and collection of your personal information in connection with the delivery of their services. For additional information about how your Pharmacy processes the personal information you provide through Charac, please see the Patient’s Privacy Notice appended at the end of this notice.

2. WHAT INFORMATION DOES CHARAC COLLECT ABOUT ME?

Information you give us

You choose to give us certain information when signing up for and using our Service.

This includes: 
  • Account and contact details: When you create an account, you provide us with at least your login credentials, as well as some basic details necessary for the service to work and to set up your profile. These include your full name, email address, phone number, date of birth, gender, marketing preferences and profile picture.
  • Sensitive personal information: Some of the information you provide whilst using the Platform, may be considered “special” or “sensitive” in certain jurisdictions. These special categories of personal information include information relating to your health, racial or ethnic origins, sexual orientation and religious beliefs. Most applicable to your use of the Platform will be your provision of information relating to your health. When you interact with your Pharmacy on the Platform, for example through booking consultations; or adding notes to your account, the information provided may allow us to infer or identify information relating to your health. By choosing to provide this information, you consent to our processing of that information. Please note as explained in greater detail in section 4 below, you are able to withdraw your consent at any time.
  • Video consultations: if you book a video consultation through the Platform, our processing will be limited to facilitating the video interaction. We will not retain or record the video content of consultation, although both our users and pharmacists will be able to add notes to the account, which will be retained.
  • Billing details: When you make a payment through the Platform, you provide us or our payment service provider with certain information necessary to process your payment, including your debit or credit card number, card holder name, card expiry, CVV and billing address. This information is held by our payment partner Stripe. Please see their privacy policy here: https://stripe.com/gb/privacy
  • Customer service: If you contact our customer service team, we collect the information you give us during the interaction. Sometimes, we monitor or record these interactions for training purposes and to ensure a high quality of service.

Information we receive from others

In addition to the information you provide us directly, we receive information about you from others, including:

  • Your friends and family members: will provide us with your personal information if they create an account, or use the Platform on your behalf.
  • Pharmacy staff: Pharmacy staff may provide information about you as they use our Services. For instance, our Platform may be used when you make an appointment, or order in store. Pharmacy staff are also able to add notes against your account, and individual consultations which may include personal information (and sensitive health information) about you. Pharmacy staff may also share your information with us in order to invite you to the Platform.
  • Other Partners: We may receive info about you from our partners, for instance in relation to advertising we may receive personal information where Charac ads are published on a partner’s websites and platforms (in which case they may pass along details on a campaign’s success).
   Information collected when you use our Services
  • Device information: We collect information from and about the device(s) used to access our Platform, including:
    • hardware and software information such as IP address, device ID and type, device-specific and apps settings and characteristics, app crashes, advertising IDs (such as Google’s AAID and Apple's IDFA, both of which are randomly generated numbers that you can reset by going into your device’ settings), browser type, version and language, operating system, time zones, identifiers associated with cookies or other technologies that may uniquely identify your device or browser (e.g., IMEI/UDID and MAC address);
    • information on your wireless and mobile network connection, like your service provider and signal strength; and
    • information on device sensors such as accelerometers, gyroscopes and compasses.
  • Usage Information: We collect information about your activity on our Platform, for instance how you use and interact with our site/application (e.g., date and time you logged in, features you’ve been using, searches, clicks and pages which have been shown to you, referring webpage address, advertising that you click on) and how you interact with pharmacy staff (e.g., interactions, time and date of your exchanges, number of messages you send and receive).
  • Geolocation: If you give us your consent, we can collect your precise geolocation (latitude and longitude) through various means, depending on the service and device you’re using, including GPS, Bluetooth or Wi-Fi connections. The collection of your geolocation may occur in the background even when you aren’t using the Services if the permission you gave us expressly permits such collection. If you decline permission for us to collect your geolocation, we will not collect it.

3. WHAT COOKIES AND SIMILAR TECHNOLOGIES DOES CHARAC USE ?

We use and may allow others to use cookies and similar technologies (e.g., web beacons, pixels) to recognize you and/or your device(s).

Some of these cookies are essential to our service, for example they ensure the Platform loads properly, they remember your cookie preferences, enable you to use payment functionalities, and enable Charac administrative users to login to the Platform. Others are analytical nature allowing us to better understand how you use our Platform.

You can find more information about the individual cookies we use, the purposes for which we use them, and how you can better control their use in our Cookie Notice.

You can also set your browser to accept or reject all specific cookies. You can set your browser to alert you each time a cookie is presented to your device or opt out of Google Analytics by installing Google’s opt-out browser add-on. You can delete cookies that have been stored on your device, but if you prevent us from placing cookies on your device, or if you subsequently delete a cookie, it may not be possible for you to use our Platform effectively. Please see our Cookie Notice for additional information.

4.WHY DOES CHARAC PROCESS MY PERSONAL INFORMATION AND WHAT ARE CHARAC’S LEGAL BASIS FOR DOING SO?

We will only use your personal data if we have a proper reason to process it and the law allows us to do so.When we process your personal data, this will usually be:

  • To provide our Services/perform our contract
    • We process your personal information when you access our website or use the Platform, in accordance with our website and Platform terms of use, which are applicable to your use of our Services.
    • Legitimate interests
        We may also use your personal information where we have legitimate interests to do so. For example, we rely on our legitimate interests to process personal information about unregistered users, when Pharmacies enter such information into, or invite unregistered users to our Platform. We also rely on legitimate interests to analyse users’ behaviour on our Services to improve our offerings, for targeted advertising and for administrative, and other legal purposes.
      • Legal obligation
          In some cases, applicable laws may require us to process certain information about you.
      • Consent
          We may ask for your consent to use your personal information for certain specific reasons. You may withdraw your consent at any time by contacting us at the address provided at the end of this Privacy Notice.
The table below sets out all the ways in which we plan to use your personal data, which of the legal bases we rely on to do so and, where relevant, what the legitimate business interests are. There may be more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us at dataprotection@charac.co.uk if you want to know which specific legal basis we are relying on where more than one is set out in the table below.

1. To provide our Service
What we use your information for?

This includes:

  • Making our website and Platform available to you;
  • Creating and managing your account;
  • Sharing your information with your chosen Pharmacy;
  • Tailoring our Services and advice to you;
  • Customer support;
  • Communicating with you about our Services, including order management and billing.
What information we actually use ?

As more particularly defined in section 2 (what information does Charac collect about me):

  • Account and contact details;
  • NHS details;
  • Information relating to your health (Platform only – to the extent such information is provided by you, or your pharmacist);
  • Billing details;
  • Customer service information
The reason we use your information
  • To provide our service/perform our contract;
  • Legitimate business interests – to provide, facilitate or coordinate services you have requested, communicate with you, to keep our records up to date;
  • Consent – we ask for your consent when you sign up and or update your details on the platform.

You may withdraw your consent at any time, please see section 7 (What are my privacy rights) for additional information.

2. To manage our relationship with you
What we use your information for?

Including:

  • Notifying you of changes in our terms or privacy policy
  • Asking you to leave a review or take part in a survey
What information we actually use ?

As more particularly defined in section 2 (what information does Charac collect about me):

  • Account and contact details;
  • Customer service information
The reason we use your information
  • To provide our service/perform our contract;
  • To comply with our legal obligations;
  • Our legitimate business interests (keeping our records up-to-date, studying how customers use our products/services)
3. To improve our Services
What we use your information for?
  • To conduct research and analysis of users’ behaviour to improve our Services and content (for instance, we may decide to change the look and feel or even substantially modify a given feature based on users’ behaviour); and
  • To develop new features and services (for example, we may decide to build a new interests-based feature further to requests received from users).
What information we actually use ?

As more particularly defined in section 2 (what information does Charac collect about me):

  • Device, usage and geolocation information.
  • Feedback in your communications with us.
The reason we use your information
  • Consent for the use of analytics cookies and similar technologies to improve your user experience and our Services.
  • For non-cookie derived information our legitimate interests to improve your user experience and our Services.

You may withdraw your consent at any time, please see section 7 (What are my privacy rights) for additional information.

4. To suggest products/services which may be of interest to you
What we use your information for?
  • To suggest products/services which may be of interest to you;
  • To use data analytics to improve our website, products/services, marketing, customer relationships & experiences
What information we actually use ?

As more particularly defined in section 2 (what information does Charac collect about me):

  • Account and contact details;
  • Device, usage and geolocation information.
  • Feedback in your communications with us
The reason we use your information
  • Our legitimate interests (developing our products/services, growing our business)
  • Where required by applicable law and marketing rules, your consent to receive marketing communications.

You may withdraw your consent at any time, please see section 7 (What are my privacy rights) for additional information.

5. To develop anonymised insights applicable to our Services, and the pharmaceutical industry more broadly
What we use your information for?
  • In some circumstances we may anonymise your personal information (so that it can no longer be associated with you). This can be for research or statistical purposes, in which case we may use the anonymised information indefinitely without further notice to you.
What information we actually use ?
  • Any information in section 2 (what information does Charac collect about me), only in so far as necessary to anonymise the information.
The reason we use your information
  • Our legitimate interests to develop insights and statistics as to the use of our Services, and to identify trends within the pharmaceutical industry more broadly.
6. To administer our business and prevent, detect and fight fraud or other illegal or unauthorized activities
What we use your information for?

We perform personal information analysis:

  • to better understand and design countermeasures against these activities and retain personal information related to fraudulent activities to prevent against recurrences.
  • To administer and protect our business, website and Platform (including troubleshooting, data analysis, testing, system maintenance, support, reporting & hosting data).
What information we actually use ?

As more particularly defined in section 2 (what information does Charac collect about me):

  • Account and contact details
  • Device, usage and geolocation information.
The reason we use your information
  • Where required by applicable laws, and as necessary to ensure legal compliance, or to assist law enforcement; or
  • Our legitimate business interests to prevent fraud or other illegal activities in line with industry best practice.
  • Our legitimate business interests (running our business, providing admin & IT services, network security, for a business reorganisation or group restructuring)
7.  To ensure legal compliance
What we use your information for?
  • To comply with legal requirements, assist law enforcement and enforce or exercise our rights, for example our terms and conditions.
What information we actually use ?
  • Any information in section 2, only to the extent it is strictly necessary.
The reason we use your information
  • Processing is necessary for compliance with a legal obligation to which we are subject;
  • Our legitimate business interests to establish, exercise or defend legal claims.

Automated Decision Making

In order to comply with our legal obligations and industry best practice, we use our user’s date of birth to determine their eligibility for features and content on the platform.If you would like further information about this assessment, including asking for a person to review a decision please contact us at dataprotection@charac.co.uk.Please note you also have a right to object to profiling, and solely automated decision making as detailed below in section 7 (Privacy Rights).

5. WHO DOES CHARAC SHARE YOUR INFORMATION WITH AND WHY?

With our service providersWe use third parties to help us operate and improve our Services. These third parties assist us with various tasks, including personal information hosting and maintenance, analytics, customer care, marketing, advertising, payment processing and security operations.We may also provide aggregated (anonymised) information to third parties as detailed below.A list of these third parties is available on request.

With your chosen pharmacyAs further detailed in section 1 (How does Charac work?) Charac provides a platform through which you are able to access services from local pharmacies who have signed up to our Platform. When you use the Platform you will be asked to select your chosen Pharmacy. The selections you make in relation to their services, will be shared with the Pharmacy as necessary for their coordination, management, and delivery of services/products requested by you through the Platform.Please see the privacy notice available through your pharmacist’s website for additional information.

In corporate transactionsWe may transfer your personal information if we are involved, whether in whole or in part, in a merger, sale, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy or other change of ownership or control.

When required by lawWe may disclose your personal information if reasonably necessary: (i) to comply with a legal process, such as a court order, subpoena or search warrant, government / law enforcement investigation or other legal requirements; (ii) to assist in the prevention or detection of crime (subject in each case to applicable law); or (iii) to protect the safety of any person.

To enforce legal rightsWe may also share information: (i) if disclosure would mitigate our liability in an actual or threatened lawsuit; (ii) as necessary to protect our legal rights and legal rights of our users, business partners or other interested parties; (iii) to enforce our agreements with you; and (iv) to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing.

With your consent or at your requestWe may ask for your consent to share your personal information with third parties. In any such case, we will make it clear why we want to share the information.

Anonymised dataWe may use and share anonymised data (meaning information that, by itself, does not identify who you are such as device information, general demographics, general behavioural personal information, geolocation in de-identified form), as well as personal information in an aggregated, hashed, non-human readable form, under any of the above circumstances. We may combine this information with additional anonymised data or personal information in hashed, non-human readable form collected from other sources.

6. HOW DOES CHARAC SEND INFORMATION OUTSIDE OF MY COUNTRY?

All personal information processed as part of the Services, is held securely by our information hosting provider AWS on servers in the UK..We do not routinely transfer personal information outside the UK. However in the event we need to transfer your personal information outside the UK or European Economic Area (“EEA”) we will ensure we have in place adequate safeguards to do so. These can include standard contract clauses approved by the UK or European Commission or other suitable safeguards to permit personal information transfers from the UK and European Economic Area (“EEA”) to other countries.

7. WHAT ARE MY PRIVACY RIGHTS?

In certain circumstances, as a UK or EEA resident, you may exercise the rights available to you under the GDPR and the Data Protection Act 2018, these can include:If you wish to access, correct, update or request deletion of your personal information.

  • You can object to processing of your personal information, profiling and use of solely automated decision making, ask us to restrict processing of your personal information or request portability of your personal information.
  • If we have collected and process your personal information with your consent, then you can withdraw your consent at any time. This may mean your access to certain services is restricted or denied as a result. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

8. HOW DOES CHARAC PROTECT MY PERSONAL INFORMATION?

We have implemented, and will maintain current, reasonable physical, technical, and organizational security measures to protect your personal information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Service, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.Unfortunately, the transmission of information via the internet is not completely secure. Although we have security measures in place to protect your personal information, we cannot guarantee the security of your data transmitted to our sites; any transmission is at your own risk.

9. HOW LONG DOES CHARAC RETAIN MY PERSONAL INFORMATION?

Your personal information will be stored in accordance with applicable laws and kept for as long as needed to carry out the purposes described in this policy or as otherwise required by applicable law. Unless we are required to retain your personal data by law, or to provide you with the Service, we will aim to keep your data for no more than seven years.

10. CAN THIS PRIVACY NOTICE CHANGE?

This Notice may be amended from time to time. We will post any changes we may make on this page and, where appropriate, notify you via e-mail. When amendments are made, we will update the "last updated" date at the top of this Notice.

11. HOW CAN I CONTACT CHARAC?

If you have any questions or comments, please contact us at dataprotection@charac.co.uk .

Annex 1

How pharmacies use the personal information in connection with your use of Charac

The following section of this notice details how pharmacies use the information associated with your use of the Charac platform. The Pharmacies are independently responsible for their compliance with this annex, and for providing you with any additional information associated with their use of your personal data. Please contact your chosen Pharmacy is you have any questions, queries or rights you wish to exercise in respect of their use of your information.

Patient’s Privacy Notice

1.Welcome

This Privacy Notice (“Notice”) has been prepared by Charac Limited for the benefit of its customers, such as local pharmacies, and in connection with the online pharmacy services provided through the Charac platform. The purpose of this Notice is to explain how local pharmacies Charac engages with typically handle personal data about you and outline the rights that you have under the applicable data protection laws.Note that “you” and “your” include any users or patients that may be registered to Charac’s platforms.Your local pharmacy may be referred to in this Notice as “they” or “them”.Your local pharmacy will be the controller of your personal data. Please note that you can access the services provided by your local pharmacy via online (including booking appointments and video consultation, among others) through the Charac platform. You can consult Charac Limited privacy notice atprivacy-policy

2.What information does your local pharmacy collect about you?

Your local pharmacy may collect and process your personal data in accordance with applicable laws to pursue its business activities.Your local pharmacy may collect and process information about you including:

  • Contact details such as your name, address, telephone number and email address, gender.
  • Health Data such as the information related to any disease you may be suffering, any specific diagnosis or medical treatment you may receive.
 You may decide not to provide your personal data to your local pharmacy. However, if you do not provide it, your local pharmacy may not be able to provide you with their services.

3. How does your local pharmacy obtain your personal data?

Your local pharmacy may collect your information:

  • Directly from you through your interactions with them, such as when you book an appointment with them or when they have video consultations with you; or
  • From third party sources, such as Charac Limited as the owner of the Charac platform in which you are registered and where you upload your personal data, as well as from your relatives, where you cannot provide your personal data directly.

4. Why does your local pharmacy process your personal data for and what are the legal bases they rely on?

Your local pharmacy may process your personal data for the purposes below and based on the following legal bases:i. They shall rely on the compliance with applicable laws and regulations for the following purposes:

  • To establish, exercise or defend legal claims in suspected or actual legal proceedings or to exercise or perform any right or obligation which is conferred or imposed by law on them.
  •  Where they are legally required to process personal data in connection with health and safety legislation and other legal or tax related obligations.
ii. They shall rely on the performance of their obligations arising from the service contract or arrangement in place with you for the following purposes:
  • Performance of Service which includes making appointments, video consultations, prescriptions and other advice/services, available to you.
iii. They shall rely on your explicit consent, for the following purposes:
  • Processing your health data in case they need to collect and process it for the provision of their services.
 They shall notify you of any material changes to personal data they collect or to the purposes for which they collect and process it.

5. How does your local pharmacy keep your personal data safe?

Your local pharmacy implements appropriate technical, physical, and organizational measures which are intended to safeguard any information you provide to them, and to protect it from unauthorised access, loss, misuse, alteration or destruction.

6. Who is your personal data disclosed to?

Your local pharmacy will only disclose your personal data in accordance with the applicable laws and for the above-stated purposes, to the following parties:

  • Third-party service providers for the provision of services to your local pharmacy such as third parties supporting them with their IT systems and third parties providing external legal advice or litigation support. Your local pharmacy has appropriate contracts in place that define the legitimate use and sharing of personal data in accordance with this Notice and oblige such service providers to only process personal data that is necessary for the performance of the contract or are required by applicable laws.
  • Regulatory authorities and other public bodies, for the purposes of, including but without limitation, responding to official requests or inquiries, complying with a court order, administrative or judicial process, or when the disclosure is otherwise required by applicable laws and regulations.
  • Parties including prospective or actual buyers or sellers in the event of a merger, acquisition, or other reorganization or sale or disposition of all or any portion of your local pharmacy business and/or assets.
Some of these third parties may be located in a country outside the European Economic Area (“EEA”), where the applicable laws may not afford your personal data the same level of protection as your own country. Where your personal data is transferred abroad, your local pharmacy will ensure that adequate safeguards are in place (e.g. for residents of the EEA this includes the use of European Commission approved standard contractual clauses) and that all applicable laws and regulations are complied with. You may contact your local pharmacy for a copy of the safeguards which they have put in place to protect your personal data in these circumstances.

7. What are your rights?

You have rights in relation to your personal data arising from the applicable data protection legislation. These include the right to:

  • Access, rectify and erase your personal data: You may have the right to request access to information that your local pharmacy holds about you; request corrections or updates to your personal data; or, in some cases, ask your local pharmacy to erase your personal data except to the extent that they are required or permitted to retain it by law.
  • Restriction of processing: You may have the right to request the restriction of processing of your personal data, in which case, your personal data will only be processed for certain purposes.
  • Data portability: You may you have the right to receive the personal data which you have provided to your local pharmacy in a structured, commonly used and machine-readable format and you may have the right to transmit the personal data to another entity without hindrance from them.
  • Object: Where your local pharmacy relies on legitimate interests as a legal basis for processing personal data, you have the right to object, on grounds relating to your situation, at any time to the processing of your personal data by them and they are required to no longer process your personal data. If you exercise this right, your personal data will no longer be processed for such purposes unless otherwise authorised by law.
  • Consent withdrawal: You have the right to withdraw any consent you may have provided at any time without being penalised.
If you wish to exercise one of the above-mentioned rights, please refer to Section 9 “Who do I contact to ask questions about this Notice” below.Any request to exercise one of these rights will be assessed by your local pharmacy on a case by case basis. There may be circumstances in which your local pharmacy is not legally required to comply with your request or because of relevant legal exemptions provided for in applicable data protection legislation.

8.How long will your local pharmacy retain your personal data?

Your local pharmacy generally retains personal data for as long as needed for the specific purpose(s) for which it was collected. In some cases, they may be required to retain your personal data for a longer period where applicable laws or regulations require or allow them to do so.Where possible, your local pharmacy aims to anonymise the information or remove unnecessary identifiers from records that they may need to keep for longer periods beyond the specified retention period.

9. Who do I contact to ask questions about this Notice?

If you have any queries or concerns about this Notice or you wish to exercise your rights and/or make complaints concerning the handling of your personal data, please contact your local pharmacy.If you are still dissatisfied, you have the right to complain to your data protection authority. The relevant national data protection authority is responsible for overseeing compliance of the privacy laws in each EEA country. You may contact your local data protection authority for more information about your rights, or if you are not able to resolve a problem directly with your local pharmacy and wish to make a complaint. A list of European data protection authorities is available here:http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

10. Can this Notice be updated?

This Notice is kept under regular review in order to reflect changes in the law, regulatory guidance or data privacy practices in compliance with the law. When this happens and where required by law, you shall be provided with a new or an updated Notice detailing how the use of your personal data is changing.