At BuySleepTabs, we take the privacy of our customers seriously. We are a leading online pharmacy in the UK and are registered with the General Pharmaceutical Council (GPhC – who regulate pharmacies), the Medicines and Healthcare products Regulatory Agency (MHRA – who regulate online medicine sales) and the Care Quality Commission (CQC – who regulate doctors and other healthcare services). We are also registered with the Information Commissioner’s Office (ICO – who uphold data privacy laws).
Taking your privacy seriously
We take your privacy very seriously, and we are committed to protecting and respecting your privacy, and to using technology to enhance your online security. We ask that you read this Privacy Policy (‘the Policy‘) carefully as it contains important information about how we will use your personal data.
By using our website and services, you confirm that you agree to the terms of this Policy. If you do not agree to this Policy, do not use our website or services. You will be asked for explicit consent to this Policy when creating an account on this website.
Information we may collect from you
We collect the following types of information about you:
- Contact Data includes data such as your email address, telephone number, geographical address, delivery address and billing address;
- Identity Data includes data such as first name, last name, username or similar identifier, date of birth, passport number, driving licence number;
- Health Data includes GP address, patient notes, consultation notes, and any other information relating to your health and medical status;
- Financial Data includes details you provide to us so that we can process your payments through our third party payment provider;
- Transaction Data includes details of products you have purchased and payments made;
- Technical Data includes data such as internet protocol (IP) address, your login data, browser type and version, cookies, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and any communications we may send to you;
- Usage Data includes information about how you use our website, such as the full Uniform Resource Locators (URL) clickstream to, through and from our website, pages you viewed or searches you made, page response times, download errors, length of visit, page interaction information (such as scrolling, clicks and mouse-overs), methods used to browse away from the page, behavioural metrics, heatmaps and session replay;
- Marketing Data includes your preferences in receiving marketing from us.
We do not knowingly collect personal data of children. Please do not provide personal data to us unless you are at least 18 years old.
Because we cannot verify the identity of anyone other than the account holder, or obtain that person's consent to treatment or data processing, please do not provide us with information about other people.
We may monitor and record communications with you such as telephone conversations and emails for the purpose of training, quality assurance, fraud prevention and compliance.
As part of our commitment to maintaining a secure and trustworthy environment for our patients and staff, we automatically scan all incoming and outgoing email communications for phishing attempts, malware, and other malicious content. This helps us protect both you and our organisation from online threats and fraud.
These scans are automated, conducted using secure, GDPR-compliant technology, and are limited to identifying and neutralising harmful content. They do not involve any manual reading of your messages unless a threat is detected, in which case a review may be conducted for security purposes.
This processing is necessary for our legitimate interests in ensuring the confidentiality, integrity, and availability of our systems and communications, and to comply with legal obligations related to cybersecurity and fraud prevention.
Information you voluntarily provide
You may provide information to us in a number of ways, including the following:
- You access and interact with our website or with us by telephone, including by filling in forms and medical questionnaires;
- You create an account on our website;
- You purchase products on our website;
- You apply to work with us as an employee or a consultant;
- You provide feedback or reviews to us;
- You respond to a survey or questionnaire (you do not have to respond to these);
- You sign up for our newsletter;
- You otherwise contact us including with queries, comments or complaints.
We shall process all such personal data in accordance with this Policy. Certain information is mandatory to be provided to us in order that we can fulfil your request, for example to purchase products from us, and we shall make this clear to you at the point of collection of the personal data.
All information that you provide to us must be true, complete and accurate. If you provide us with inaccurate or false data, and we suspect or identify fraud, we will record this and we may also report this to the appropriate authorities.
When you contact us by email or post, we may keep a record of the correspondence and we may also record any telephone call we have with you.
Information we collect from the device you use to access our website
When you visit our website or interact with our services, we (and our advertisers and/or other service providers) may use a variety of technologies that automatically or passively collect information about how our site is accessed and used. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimisation, fraud/security purposes, and advertising.
Some of this information is collected using first and third party cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why, and how you can control them, please see our Cookies Policy.
Information we receive from other sources
We work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, ID verification organisations and credit reference agencies) and may receive information about you from them. We may also receive your information from other organisations who sell products on our behalf.
To enable us to make medical decisions about you and for fraud prevention purposes, we use identity verification agents to search the files of credit reference and fraud prevention agencies (who will record the search).
If you provide false or inaccurate information and/or we suspect fraud, we will record this and we will be unable to fulfil your order.
Geocoding via AWS Location Services
We use AWS Location Services to geocode the address you provide. This means we send your address to AWS via a secure API to retrieve its geographic coordinates.
The resulting data is saved in our system and used to help validate that the address is real and deliverable, support fraud prevention and improve delivery logistics.
AWS does not retain or store your personal data; they process it only temporarily to return a geolocation result. All data transmission is encrypted and handled in accordance with UK GDPR requirements.
Where we store your personal data
All of the personal data that we hold about you is stored within the UK. However, a limited subset of the data that we collect from you may be transferred to, and stored by, a third party in a destination outside the United Kingdom. This will always be the minimum information required to carry out the task in question, and the data is anonymised before transfer. An example is anonymous website browsing data that is aggregated within Google Analytics.
Where your personal data is transferred outside the United Kingdom or the EEA, it will only be transferred to countries that have been identified as providing adequate protection for personal data or to a third party where we have approved transfer mechanisms in place to protect your personal data.
Information security
We shall process your personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Where you have chosen a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Uses made of your data
We will only use your personal data where we have a lawful basis to do so. The lawful purposes that we rely on under this Privacy Policy are:
- consent (where you choose to provide it);
- performance of a contract with you;
- compliance with legal requirements; and
- legitimate interests. When we refer to legitimate interests we mean our legitimate business interests in the normal running of our business which do not materially impact your rights, freedom or interests.
PURPOSE/ACTIVITY | TYPE OF DATA | LAWFUL BASIS FOR PROCESSING INCLUDING BASIS OF LEGITIMATE INTEREST |
---|---|---|
To register you as a customer and/or create your account | (a) Contact (b) Identity | Performance of a contract with you |
To manage your account and orders for products including considering prescriptions and managing payments, cancellations, returns and refunds | (a) Contact (b) Identity (c) Financial (d) Transaction (e) Health | Performance of a contract with you; Legitimate interests (fraud-checking) |
To manage our relationship with you such as notifying you about changes to our terms or this Privacy Policy | (a) Contact (b) Identity | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests |
To administer and protect our business and this website (including improving and fixing our service, analysis, testing, system maintenance, support, reporting) | (a) Technical | Necessary for our legitimate interests (for running our business and site securely, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); Necessary to comply with a legal obligation |
To deliver relevant website content and advertisements to you and measure and understand the effectiveness of the advertising we serve to you | (a) Contact (b) Identity (c) Usage (d) Marketing (e) Technical | Necessary for our legitimate interests (to analyse how customers use our website and manage our business accordingly) |
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our site updated and relevant, to develop our business and to inform our marketing strategy) |
Marketing
For our legitimate business interests, if you have purchased goods from us or you otherwise request or consent to marketing communications from us, we may use your personal data to send to you marketing communications about our goods and services that are relevant to you. We shall therefore retain your personal data in our records for marketing purposes until you unsubscribe from marketing communications. Please note, even if you do unsubscribe from marketing communications, we will still contact you for our legitimate interests in relation to your account and any products you order from us. We will also retain your personal data in our systems to ensure that we do not send you marketing communications. You acknowledge that it may take a few days for us to update your preferences on our system if you do unsubscribe.
Disclosure of your information
We check that all of our third-party suppliers are GDPR compliant before we engage their services to ensure any data is handled responsibly. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy. In addition, we shall provide our sub-contractors and agents only with such of your personal data as they need to provide the service for us and if we stop using their services, we shall request that they delete your personal data or make it anonymous within their systems.
For our legitimate interests if we choose to merge, sell assets, consolidate or restructure, finance, or sell all or a portion of our business into another company then the new owners may use your personal data in the same way that we do as set out in this Policy.
We may also disclose or share your personal data if we are under a duty to do so in order to comply with any legal obligation, or in order to enforce or apply our Terms & Conditions and other agreements; or to protect the rights, property, or safety of ABSM Healthcare Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection, security issues, technical risks and credit risk reduction.
For ID verification purposes, we share your personal data with our ID verification partner. This is only done the first time you order or if you update your personal details. This check may appear on your credit record, however, will not affect your credit score. If you are alerted that a check has been performed by a credit agency, please contact us and we will be happy to help.
Your rights
You have a number of rights under applicable data protection legislation. Some of these rights are complex, and not all of the details have been included below. Further information can be found here.
- Right of access: You have the right to obtain from us a copy of the personal data that we hold for you.
- Right to rectification: You can require us to correct errors in the personal data that we process for you if it is inaccurate, incomplete or out of date.
- Right to portability: You can request that we transfer your personal data to another service provider if you initially provided consent for us to use the personal data or where we used the personal data to perform a contract with you.
- Right to restrict or object to processing: In certain circumstances, you have the right to require that we restrict the processing of your personal information, or to object to it if you believe our processing impacts on your fundamental rights and freedoms. However, we may be able to demonstrate that we have compelling legitimate grounds to continue processing your personal data notwithstanding your rights and freedoms.
- Right to be forgotten: If you would like to discontinue BuySleepTabs as a patient you can email us and we will suspend your account. Your account will become inactive with immediate effect and you will not be able to access your account. This action cannot be undone. You acknowledge and agree that BuySleepTabs is required by law to archive electronic patient records including your personal information, communication and treatments for a minimum of 10 years.
- Right to stop receiving marketing information: You can ask us to stop sending you information about our services, but please note we shall continue to contact you in relation to any matters relating to your account, if you have one.
We reserve the right to charge an administrative fee if your request in relation to your rights is manifestly unfounded or excessive, and we may ask for identification from you before we can fully respond to your request.
If you have any complaints in relation to this Privacy Policy or otherwise in relation to our processing of your personal data, please tell us. We shall review and investigate your complaint and try to get back to you within a reasonable time.
Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Retention of data
We will retain personal data in accordance with applicable laws.
We may also be required to retain personal data for a particular period of time to comply with legal, audit or statutory requirements, including the requirements of HMRC in respect of financial documents, and in order to deal with any dispute you might raise. To determine the appropriate retention period for personal data, we consider the type of personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means.
In particular, as noted above, you acknowledge and agree that BuySleepTabs is required by law to archive electronic patient records including your personal information, communication and treatments for a minimum of 10 years.
Where we have no legal basis for continuing to process your personal data, we shall either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
For the avoidance of doubt, we may use anonymous data, such as usage data for research or statistical purposes indefinitely without further notice to you.