Privacy Policy
1. Introduction
RxSure© ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our pharmacy compliance and private services platform.
We are registered in the United Kingdom and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy is available as a web page accessible on all devices (desktop, mobile, tablet). Printed copies or alternative formats are available on request by contacting contact@rxsure.co.uk.
2. Data Controller
Company: Qastco Limited (trading as RxSure)
Head Office: 934 Stockport Rd, Manchester M19 3AB, UK
Stoke Office: 9 Howard Place, Shelton, ST1 4NN, UK
Email: contact@rxsure.co.uk
Phone: +44 161 383 0950
ICO Registration: ZB261485
3. Our Role: Data Controller & Data Processor
RxSure operates in two capacities depending on the type of data:
- Data Controller: For information collected directly from pharmacies, prescribers, and website visitors (account details, billing, technical data). We determine the purposes and means of processing this data.
- Data Processor: For patient data entered by pharmacies and prescribers during consultations, bookings, and prescriptions. The pharmacy or prescriber remains the Data Controller for patient data, and we process it on their behalf under a Data Processing Agreement (DPA).
All pharmacies and prescribers using RxSure to process patient data are required to have a Data Processing Agreement in place with us. This DPA sets out the responsibilities of each party in relation to patient data.
3.1 NHS Services — Controller/Processor Roles
For NHS pharmacy services delivered through RxSure:
- Data Controllers: Individual pharmacy organisations that use RxSure to deliver NHS services act as data controllers. They determine the purposes and means of processing patient data through their use of the platform for clinical consultations.
- Data Processor: QASTCO LIMITED (trading as RxSure) acts as the data processor, processing personal data on behalf of pharmacy organisations in accordance with data processing agreements. QASTCO LIMITED provides the technical platform and infrastructure but does not determine the purposes of clinical data processing.
- NHS England: Acts as a data controller for the NHS services (PDS, MESH, CIS2, ODS) that RxSure connects to. NHS England provides the data infrastructure and governs access through the NHS Digital Onboarding process.
QASTCO LIMITED also acts as a data controller for its own operational data, including user accounts, platform administration, and business operations.
4. Information We Collect
4.1 Personal Information
- Name, email address, phone number
- Business information (pharmacy name, GPhC registration number)
- Professional credentials and qualifications
- Payment and billing information
- Login credentials
4.2 Patient Data (Processed on behalf of Pharmacies)
- Patient names and contact details
- Medical history and health information
- Prescription details
- Consultation records
- Consent forms
4.3 Technical Data
- IP address
- Browser type and version
- Device information
- Usage patterns and analytics
5. NHS Services Integration
RxSure integrates with the following NHS England digital services to deliver pharmacy consultation and clinical services:
- Personal Demographics Service (PDS): RxSure accesses the NHS Personal Demographics Service to retrieve patient demographic information including name, date of birth, address, NHS number, and registered GP practice. This is used to verify patient identity and auto-populate consultation forms. PDS data is accessed in Healthcare Worker mode, requiring authenticated pharmacist login via CIS2.
- Care Identity Service 2 (CIS2): Healthcare professionals using RxSure authenticate their identity through NHS CIS2, the national identity service for health and care. CIS2 verifies that the user is a registered healthcare professional authorised to access NHS patient data. Authentication is conducted via secure NHS-approved protocols.
- MESH (Message Exchange for Social Care and Health): RxSure uses the NHS MESH messaging service to securely send consultation outcomes, clinical documents, and referral information to patients' registered GP practices. This ensures continuity of care by keeping GPs informed of pharmacy consultations.
- Organisation Data Service (ODS): RxSure accesses the NHS Organisation Data Service to look up registered healthcare organisations including GP practices, pharmacies, and trusts by their ODS code. This is used to identify and verify healthcare organisations within the platform.
- NHS Spine: RxSure connects to NHS services via the NHS Spine infrastructure, the national messaging backbone that enables secure data exchange between NHS systems.
- GP Connect: Where available, RxSure may use GP Connect APIs to share structured consultation records with patients' registered GP practices, complementing MESH messaging for continuity of care.
- FHIR APIs: NHS service integrations use HL7 FHIR (Fast Healthcare Interoperability Resources) standards for structured data exchange, ensuring interoperability with NHS systems.
Data retrieved from NHS services is used solely for the purpose of delivering pharmacy consultation services and is processed in accordance with this privacy policy.
5.1 NHS Number Processing
RxSure processes NHS numbers as a unique patient identifier to:
- Retrieve patient demographics from the NHS Personal Demographics Service (PDS)
- Link consultation records to the correct patient
- Send consultation outcomes to the patient's registered GP via MESH
NHS numbers are retrieved from PDS during patient lookup and stored securely alongside consultation records. NHS numbers are not used for any purpose other than patient identification and NHS service integration.
5.2 Data Sources
In addition to data provided directly by users, RxSure receives personal data from the following NHS England sources:
- NHS Personal Demographics Service (PDS): Patient demographic data including name, date of birth, address, NHS number, registered GP practice, and contact details.
- NHS Organisation Data Service (ODS): Organisation details including names, addresses, and service information for GP practices and pharmacies.
This data is provided by NHS England through authorised API access and is used solely for delivering pharmacy clinical services.
6. How We Use Your Information
We use collected information to:
- Provide and maintain our platform services
- Process transactions and send related information
- Facilitate compliance with GPhC requirements
- Generate audit trails and compliance reports
- Send administrative information and updates
- Respond to inquiries and provide customer support
- Improve our services and develop new features
- Comply with legal obligations
7. Legal Basis for Processing
Under UK GDPR, we process your data based on:
- Contract Performance: To provide our services to you
- Legal Obligation: To comply with healthcare and pharmacy regulations
- Legitimate Interests: To improve our services and communicate with you
- Consent: Where specifically required (e.g., marketing communications)
7.1 Special Category Data (Health Data)
Patient health data, consultation records, and prescription details constitute special category data under Article 9 of UK GDPR. We process this data under the following lawful bases:
- Article 9(2)(h): Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems and services
- Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018: Health or social care purposes
All health data processing is carried out by, or under the responsibility of, a health professional bound by professional secrecy obligations.
7.2 NHS Pharmacy Services — Legal Basis
For the processing of personal data and special category health data in connection with NHS pharmacy services, our legal bases are:
- UK GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest, specifically the delivery of NHS pharmacy services including Pharmacy First consultations, medicines supply, and related clinical services.
- UK GDPR Article 9(2)(h): Processing of special category health data is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems and services, under the responsibility of a health professional subject to professional secrecy obligations.
- Data Protection Act 2018, Schedule 1, Part 1, Condition 2: Processing is necessary for health or social care purposes, carried out by or under the responsibility of a health professional.
8. Data Sharing
We may share your information with:
- Service Providers: Cloud hosting, payment processors, analytics providers
- Regulatory Bodies: GPhC, CQC, or other authorities when required
- Professional Advisers: Lawyers, accountants, insurers
- Business Partners: With your consent, for integrated services
We do not sell personal data to third parties.
8.1 Data Sharing with NHS Systems
RxSure shares data with the following NHS systems as part of clinical service delivery:
- NHS Personal Demographics Service (PDS): Patient demographic queries are sent to PDS and responses received. No clinical data is shared with PDS.
- NHS MESH: Consultation outcomes, clinical documents, and referral information are sent to patients' registered GP practices via the MESH secure messaging service. This sharing is necessary for continuity of patient care.
- GP Practices: Structured consultation records are shared with patients' registered GP practices via MESH (or GP Connect, where available), enabling GPs to maintain complete patient records.
All data sharing with NHS systems is conducted over encrypted connections and in compliance with NHS data sharing agreements.
9. Data Storage & International Transfers
Your data is stored on secure servers located in the United Kingdom. Our data centre operates to high security standards with redundant power supply, multiple independent fibre connections, CCTV monitoring, physical access controls, and on-site personnel available year-round. All data remains within the UK and complies with UK data protection requirements.
If any data needs to be transferred outside the UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreement (IDTA)
- Adequacy decisions where applicable
10. Data Retention
We retain your data for:
- Account Data: Duration of your subscription plus 7 years
- Patient Records: As required by pharmacy regulations (typically 10 years)
- Financial Records: 7 years as required by HMRC
- Technical Logs: Up to 2 years
11. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion (subject to legal requirements)
- Restriction: Limit how we process your data
- Portability: Receive your data in a portable format
- Objection: Object to certain processing activities
- Withdraw Consent: Where processing is based on consent
To exercise these rights, contact us at contact@rxsure.co.uk.
12. Data Security
RxSure holds the following security certifications:
- Cyber Essentials certified
- NHS Data Security and Protection Toolkit (DSPT) compliant
- DCB0129 clinical risk management standard — compliant
We implement appropriate technical and organisational measures including:
- Encryption in transit (TLS) and encryption at rest
- Regular security assessments and penetration testing
- Access controls and authentication measures
- Employee training on data protection
- Incident response procedures
13. Data Breach Notification
In the event of a personal data breach, we will:
- ICO Notification: Report qualifying breaches to the Information Commissioner's Office within 72 hours of becoming aware, as required by Article 33 of UK GDPR
- Data Controller Notification: Where we act as a data processor (for patient data), we will notify the relevant pharmacy or prescriber (data controller) without undue delay upon becoming aware of a breach
- Individual Notification: Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected individuals without undue delay, as required by Article 34 of UK GDPR
Breach notifications will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach.
14. Sub-Processors
We use the following sub-processors to deliver our services. All sub-processors are bound by data processing agreements and are required to implement appropriate security measures:
- Cloud Hosting Provider — UK-based server hosting and infrastructure (United Kingdom)
- Website Hosting Provider — Website hosting and domain services (United Kingdom / EU)
- Stripe, Inc. — Payment processing (data processed in EU/UK under SCCs)
- PayPal (Europe) S.à r.l. — Payment processing (Luxembourg, EU adequacy)
- Meta Platforms, Inc. — Marketing analytics on the public website only (Facebook Pixel: _fbp, _fbc cookies). Consent-only — not loaded until user accepts marketing cookies. Not used on clinical portals.
- TikTok (ByteDance Ltd) — Marketing analytics on the public website only (tt_* cookies). Consent-only — not loaded until user accepts marketing cookies. Not used on clinical portals.
- Google LLC — Website analytics (Google Analytics). Consent-only for non-essential tracking. Not used on clinical portals.
Important: Marketing and analytics trackers (Meta, TikTok, Google Analytics) are used only on the public website (rxsure.co.uk) and are strictly consent-gated. They are not present on the clinical portals (practitioner.rxsure.co.uk, patient.rxsure.co.uk) where patient data is processed.
We will notify existing customers of any changes to sub-processors that may affect the processing of personal data, providing an opportunity to object.
15. Caldicott Principles
As a platform that processes patient health data, we adhere to the Caldicott Principles for handling patient-identifiable information:
- Justify the purpose: Every proposed use of patient data is justified
- Do not use unless necessary: Patient-identifiable information is not used unless absolutely necessary
- Use the minimum necessary: Only the minimum amount of patient data required is used
- Access on a need-to-know basis: Access to patient data is restricted to those who need it
- Everyone with access is aware of responsibilities: All staff understand their data protection responsibilities
- Comply with the law: All use of patient data complies with UK GDPR and the Data Protection Act 2018
- The duty to share is as important as the duty to protect: Health data is shared appropriately (e.g., GP notifications) where it supports patient care
- Inform patients about how data is used: Patients are informed about how their data will be processed
16. NHS Data Security Standards
RxSure is committed to meeting the requirements of the NHS Data Security and Protection Toolkit (DSPT). Our approach aligns with the National Data Guardian's 10 Data Security Standards, including:
- Personal confidential data is only accessed by authorised staff who need it
- Staff understand their responsibilities under the National Data Guardian's Data Security Standards
- Staff complete appropriate annual data security training
- Personal confidential data can only be accessed on secure systems
- Processes are in place to manage data access and prevent unauthorised access
- Cyber attacks against services are identified and resisted
- Plans are in place to respond to and recover from data security threats
- IT suppliers are held to account via contracts requiring data protection compliance
17. Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) has been conducted for the RxSure platform in accordance with Article 35 of UK GDPR. The DPIA covers the processing of special category health data through the consultation, prescribing, and patient management workflows.
The DPIA is reviewed and updated whenever there are significant changes to data processing activities, new features involving health data, or changes to the technical infrastructure. A summary of the DPIA findings is available upon request to healthcare organisations considering or using our platform.
18. Automated Decision-Making & AI
RxSure includes an AI Consultation Assistant feature that provides supplementary clinical information during consultations. It is important to understand that:
- The AI assistant is a clinical support tool only — it does not make clinical decisions
- All clinical decisions remain the sole responsibility of the qualified prescriber
- The AI assistant does not produce legally binding outcomes or automated decisions with legal effects
- SmPC-guided consultation workflows provide structured guidance based on published Summary of Product Characteristics, but the prescriber retains full clinical judgement
- No patient is subject to a decision based solely on automated processing that produces legal or similarly significant effects
If you have concerns about how AI is used within the platform, please contact us at contact@rxsure.co.uk.
19. Clinical Safety & Intended Use
RxSure is designed as a practice management and clinical workflow support tool for qualified pharmacist independent prescribers and healthcare professionals. It is not classified as a medical device.
- RxSure does not diagnose, treat, or recommend treatment for any medical condition
- All prescribing decisions are made by the qualified healthcare professional using their own clinical judgement
- The platform facilitates compliant record-keeping, audit trails, and workflow management
- Clinical safety is managed through a risk management process compliant with DCB0129
- Clinical Safety Officer: Navid-Ul-Khurram Kaleem, Pharmacist Independent Prescriber (GPhC: 2064676)
RxSure maintains a clinical risk management process and hazard log. For enquiries about clinical safety, contact contact@rxsure.co.uk.
20. Cookies
We use cookies and similar technologies. For detailed information, please see our Cookie Policy.
21. Children's Privacy
Our platform is designed for healthcare professionals and is not intended for use by individuals under 18 years of age.
22. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.
23. Complaints
If you have concerns about our data practices, please contact us first. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113
24. Contact Us
For any questions about this Privacy Policy or our data practices:
Email: contact@rxsure.co.uk
Phone: +44 161 383 0950
Address: 934 Stockport Rd, Manchester M19 3AB, UK
Data Protection Officer
QASTCO LIMITED has appointed a Data Protection Officer (DPO) as required under UK GDPR:
Name: Tanweer Ahmed
Email: tanweer@qastco.com
Organisation: QASTCO LIMITED
ICO Registration: ZB261485
You may contact the DPO regarding any data protection concerns or to exercise your rights under UK GDPR.