Skip to main content
RxSure - Healthcare Compliance & Clinic Management Software UK
  • Features
  • For PharmaciesCommunity & online pharmacies For Private ClinicsGP, aesthetic & specialist practices
    Clinical Documentation SoftwareDigital records management Digital Clinical WorkflowsPaperless clinical records
  • Weight ManagementConsultation workflows Travel HealthVaccinations & travel clinics Multi-Site ManagementManage multiple locations
    Partners & IntegrationsAPI, white-label & referrals
  • Pricing
  • Learn
    BlogClinical insights & guides Case StudiesCustomer success stories Health ToolsFree clinical calculators What's NewLatest updates & features
    Guides
    GPhC RegistrationStep-by-step registration CQC RegistrationOnline GP clinic guide ComplianceStandards & certifications Compare PlatformsSee how RxSure compares
    Support
    Help CentreTutorials & documentation FAQCommon questions answered ContactReach our team About UsOur story & team
Practitioner (opens in new tab) Fulfilment (opens in new tab) Patient (opens in new tab)
Free Trial
Features £ Pricing 1 Month Free
Solutions
For Pharmacies Community & Online For Private Clinics GP, Aesthetic, Specialist Partners & Integrations API & White-label
Services
Weight Management Consultation Workflows Travel Health Vaccinations & Clinics Multi-Site Management Multiple Locations
Learn
Blog Case Studies Health Tools Free calculators What's New NEW
Guides
GPhC Registration CQC Registration Compliance Compare Platforms
Support
Help Centre FAQ Contact About Us
Login
Practitioner Fulfilment Patient
UK Data GDPR GPhC-Aligned

Privacy Policy

Last Updated: 10 April 2026 • Version 3.2 (AI Clause)

1. Introduction

RxSure© ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our pharmacy compliance and private services platform.

We are registered in the United Kingdom and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy is available as a web page accessible on all devices (desktop, mobile, tablet). Printed copies or alternative formats are available on request by contacting contact@rxsure.co.uk.

2. Data Controller

Company: Qastco Limited (trading as RxSure)
Head Office: 934 Stockport Road, Manchester, M19 3AB, UK
Stoke Office: 9 Howard Place, Shelton, ST1 4NN, UK
Email: contact@rxsure.co.uk
Phone: 01613830950
ICO Registration: ZB261485

3. Our Role: Data Controller & Data Processor

RxSure operates in two capacities depending on the type of data:

  • Data Controller: For information collected directly from pharmacies, practitioners, and website visitors (account details, billing, technical data). We determine the purposes and means of processing this data.
  • Data Processor: For patient data entered by pharmacies and practitioners during consultations, bookings, and clinical records. The pharmacy or practitioner remains the Data Controller for patient data, and we process it on their behalf under a Data Processing Agreement (DPA).

All pharmacies and practitioners using RxSure to process patient data are required to have a Data Processing Agreement in place with us. This DPA sets out the responsibilities of each party in relation to patient data.

3.1 NHS Services — Controller/Processor Roles

For NHS pharmacy services delivered through RxSure:

  • Data Controllers: Individual pharmacy organisations that use RxSure to deliver NHS services act as data controllers. They determine the purposes and means of processing patient data through their use of the platform for clinical consultations.
  • Data Processor: QASTCO LIMITED (trading as RxSure) acts as the data processor, processing personal data on behalf of pharmacy organisations in accordance with data processing agreements. QASTCO LIMITED provides the technical platform and infrastructure but does not determine the purposes of clinical data processing.
  • NHS England: Acts as a data controller for the NHS services (PDS, MESH, CIS2, ODS) that RxSure connects to. NHS England provides the data infrastructure and governs access through the NHS Digital Onboarding process.

QASTCO LIMITED also acts as a data controller for its own operational data, including user accounts, platform administration, and business operations.

4. Information We Collect

3.1 Personal Information

  • Name, email address, phone number
  • Business information (pharmacy name, GPhC registration number)
  • Professional credentials and qualifications
  • Payment and billing information
  • Login credentials

3.2 Patient Data (Processed on behalf of Pharmacies)

  • Patient names and contact details
  • Medical history and health information
  • Clinical service details
  • Consultation records
  • Consent forms

4.3 Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Usage patterns and analytics

5. NHS Services Integration

RxSure integrates with the following NHS England digital services to deliver pharmacy consultation and clinical services:

  • Personal Demographics Service (PDS): RxSure accesses the NHS Personal Demographics Service to retrieve patient demographic information including name, date of birth, address, NHS number, and registered GP practice. This is used to verify patient identity and auto-populate consultation forms. PDS data is accessed in Healthcare Worker mode, requiring authenticated pharmacist login via CIS2.
  • Care Identity Service 2 (CIS2): Healthcare professionals using RxSure authenticate their identity through NHS CIS2, the national identity service for health and care. CIS2 verifies that the user is a registered healthcare professional authorised to access NHS patient data. Authentication is conducted via secure NHS-approved protocols.
  • MESH (Message Exchange for Social Care and Health): RxSure uses the NHS MESH messaging service to securely send consultation outcomes, clinical documents, and referral information to patients' registered GP practices. This ensures continuity of care by keeping GPs informed of pharmacy consultations.
  • Organisation Data Service (ODS): RxSure accesses the NHS Organisation Data Service to look up registered healthcare organisations including GP practices, pharmacies, and trusts by their ODS code. This is used to identify and verify healthcare organisations within the platform.
  • NHS Spine: RxSure connects to NHS services via the NHS Spine infrastructure, the national messaging backbone that enables secure data exchange between NHS systems.
  • GP Connect: Where available, RxSure may use GP Connect APIs to share structured consultation records with patients' registered GP practices, complementing MESH messaging for continuity of care.
  • FHIR APIs: NHS service integrations use HL7 FHIR (Fast Healthcare Interoperability Resources) standards for structured data exchange, ensuring interoperability with NHS systems.

Data retrieved from NHS services is used solely for the purpose of delivering pharmacy consultation services and is processed in accordance with this privacy policy.

5.1 NHS Number Processing

RxSure processes NHS numbers as a unique patient identifier to:

  • Retrieve patient demographics from the NHS Personal Demographics Service (PDS)
  • Link consultation records to the correct patient
  • Send consultation outcomes to the patient's registered GP via MESH

NHS numbers are retrieved from PDS during patient lookup and stored securely alongside consultation records. NHS numbers are not used for any purpose other than patient identification and NHS service integration.

5.2 Data Sources

In addition to data provided directly by users, RxSure receives personal data from the following NHS England sources:

  • NHS Personal Demographics Service (PDS): Patient demographic data including name, date of birth, address, NHS number, registered GP practice, and contact details.
  • NHS Organisation Data Service (ODS): Organisation details including names, addresses, and service information for GP practices and pharmacies.

This data is provided by NHS England through authorised API access and is used solely for delivering pharmacy clinical services.

6. How We Use Your Information

We use collected information to:

  • Provide and maintain our platform services
  • Process transactions and send related information
  • Facilitate compliance with GPhC requirements
  • Generate audit trails and compliance reports
  • Send administrative information and updates
  • Respond to inquiries and provide customer support
  • Improve our services and develop new features
  • Comply with legal obligations

7. Legal Basis for Processing

Under UK GDPR, we process your data based on:

  • Contract Performance: To provide our services to you
  • Legal Obligation: To comply with healthcare and pharmacy regulations
  • Legitimate Interests: To improve our services and communicate with you
  • Consent: Where specifically required (e.g., marketing communications)

6.1 Special Category Data (Health Data)

Patient health data, consultation records, and clinical service details constitute special category data under Article 9 of UK GDPR. We process this data under the following lawful basis:

  • Article 9(2)(h): Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems and services
  • Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018: Health or social care purposes

All health data processing is carried out by, or under the responsibility of, a health professional bound by professional secrecy obligations.

7.2 NHS Pharmacy Services — Legal Basis

For the processing of personal data and special category health data in connection with NHS pharmacy services, our legal bases are:

  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest — specifically the delivery of NHS pharmacy services including Pharmacy First consultations, medicines supply, and related clinical services.
  • GDPR Article 9(2)(h): Processing of special category health data is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems and services, under the responsibility of a health professional subject to professional secrecy obligations.
  • Data Protection Act 2018, Schedule 1, Part 1, Condition 2: Processing is necessary for health or social care purposes, carried out by or under the responsibility of a health professional.

8. Data Sharing

We may share your information with:

  • Service Providers: Cloud hosting, payment processors, analytics providers
  • Regulatory Bodies: GPhC, CQC, or other authorities when required
  • Professional Advisers: Lawyers, accountants, insurers
  • Business Partners: With your consent, for integrated services

We do not sell personal data to third parties.

8.1 Data Sharing with NHS Systems

RxSure shares data with the following NHS systems as part of clinical service delivery:

  • NHS Personal Demographics Service (PDS): Patient demographic queries are sent to PDS and responses received. No clinical data is shared with PDS.
  • NHS MESH: Consultation outcomes, clinical documents, and referral information are sent to patients' registered GP practices via the MESH secure messaging service. This sharing is necessary for continuity of patient care.
  • GP Practices: Structured consultation records are shared with patients' registered GP practices via MESH, enabling GPs to maintain complete patient records.

All data sharing with NHS systems is conducted over encrypted connections and in compliance with NHS data sharing agreements.

9. Data Storage & International Transfers

Your data is stored on secure servers in the United Kingdom.

If any data needs to be transferred outside the UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Agreement (IDTA)
  • Adequacy decisions where applicable

10. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The following retention periods apply:

Data TypeRetention PeriodLegal Basis
Patient consultation records (adults)8 years from date of consultationNHS Records Management Code of Practice 2021
Patient consultation records (children / maternity)Until patient's 25th birthday or 8 years, whichever is longerNHS Records Management Code of Practice 2021
NHS prescription recordsMinimum 2 years; clinical records 8 yearsHuman Medicines Regulations 2012; NHS Records Management Code
NHS MESH messages (clinical documents sent to GPs)8 years from date of transmissionNHS Records Management Code of Practice 2021
Patient demographic data (from NHS PDS)Duration of consultation episode and associated records retention periodNHS PDS Data Sharing Agreement
Account data (pharmacy / practitioner)Duration of subscription plus 7 yearsUK GDPR Art 5(e); HMRC requirement
Financial and billing records7 years from transaction dateHMRC / Companies Act 2006
Audit trail and access logs2 yearsNHS DSPT standard; UK GDPR Art 32
Marketing data (where consent given)Until consent withdrawn or 2 years of inactivity, whichever is earlierUK GDPR Art 6(1)(a)
Technical and system logsUp to 2 yearsLegitimate interest; security monitoring
Data breach records5 years from date of breachICO accountability requirement

At the end of the applicable retention period, personal data is securely deleted or anonymised in accordance with ICO guidance. Anonymised aggregate data may be retained indefinitely.

For questions about data retention, contact contact@rxsure.co.uk.

11. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion (subject to legal requirements)
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a portable format
  • Objection: Object to certain processing activities
  • Withdraw Consent: Where processing is based on consent

To exercise these rights, contact us at contact@rxsure.co.uk.

12. Data Security

RxSure holds the following security certifications:

  • Cyber Essentials certified
  • NHS Data Security and Protection Toolkit (DSPT) compliant
  • DCB0129 clinical risk management standard — compliant

We implement appropriate technical and organisational measures including:

  • Encryption in transit (TLS/SSL) and encryption at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication measures
  • Employee training on data protection
  • Incident response procedures

13. Data Breach Notification

In the event of a personal data breach, we will:

  • ICO Notification: Report qualifying breaches to the Information Commissioner's Office within 72 hours of becoming aware, as required by Article 33 of UK GDPR
  • Data Controller Notification: Where we act as a data processor (for patient data), we will notify the relevant pharmacy or practitioner (data controller) without undue delay upon becoming aware of a breach
  • Individual Notification: Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected individuals without undue delay, as required by Article 34 of UK GDPR

Breach notifications will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach.

14. Sub-Processors

We use the following sub-processors to deliver our services. All sub-processors are bound by data processing agreements and are required to implement appropriate security measures:

  • Cloud Hosting Provider — UK-based server hosting and infrastructure (United Kingdom)
  • Website Hosting Provider — Website hosting and domain services (United Kingdom / EU)
  • Stripe, Inc. — Payment processing (data processed in EU/UK under SCCs)
  • PayPal (Europe) S.à r.l. — Payment processing (Luxembourg, EU adequacy)
  • Meta Platforms, Inc. — Marketing analytics on the public website only (Facebook Pixel: _fbp, _fbc cookies). Consent-only — not loaded until user accepts marketing cookies. Not used on clinical portals.
  • TikTok (ByteDance Ltd) — Marketing analytics on the public website only (tt_* cookies). Consent-only — not loaded until user accepts marketing cookies. Not used on clinical portals.
  • Google LLC — Website analytics (Google Analytics). Consent-only for non-essential tracking. Not used on clinical portals.
  • NHS England (MESH infrastructure) — Secure clinical message routing. Consultation outcomes and clinical documents are transmitted to patients' registered GP practices via the NHS MESH (Message Exchange for Social Care and Health) service, operated by NHS England. Data is processed in the United Kingdom under NHS data sharing agreements.

Important: Marketing and analytics trackers (Meta, TikTok, Google Analytics) are used only on the public website (rxsure.co.uk) and are strictly consent-gated. They are not present on the clinical portals (practitioner.rxsure.co.uk, patient.rxsure.co.uk) where patient data is processed.

We will notify existing customers of any changes to sub-processors that may affect the processing of personal data, providing an opportunity to object.

15. Caldicott Principles

As a platform that processes patient health data, we adhere to the Caldicott Principles for handling patient-identifiable information:

  1. Justify the purpose: Every proposed use of patient data is justified
  2. Do not use unless necessary: Patient-identifiable information is not used unless absolutely necessary
  3. Use the minimum necessary: Only the minimum amount of patient data required is used
  4. Access on a need-to-know basis: Access to patient data is restricted to those who need it
  5. Everyone with access is aware of responsibilities: All staff understand their data protection responsibilities
  6. Comply with the law: All use of patient data complies with UK GDPR and the Data Protection Act 2018
  7. The duty to share is as important as the duty to protect: Health data is shared appropriately (e.g., GP notifications) where it supports patient care
  8. Inform patients about how data is used: Patients are informed about how their data will be processed

16. Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) has been conducted for the RxSure platform in accordance with Article 35 of UK GDPR. The DPIA covers the processing of special category health data through the consultation, clinical service, and patient management workflows.

The DPIA is reviewed and updated whenever there are significant changes to data processing activities, new features involving health data, or changes to the technical infrastructure. A summary of the DPIA findings is available upon request to healthcare organisations considering or using our platform.

17. Automated Decision-Making & AI

RxSure includes an AI Consultation Assistant feature that provides supplementary clinical information during consultations. It is important to understand that:

  • The AI assistant is a clinical support tool only — it does not make clinical decisions
  • All clinical decisions remain the sole responsibility of the qualified practitioner
  • The AI assistant does not produce legally binding outcomes or automated decisions with legal effects
  • Guided clinical consultation workflows provide structured guidance based on evidence-based clinical guidelines, but the practitioner retains full clinical judgement
  • No patient is subject to a decision based solely on automated processing that produces legal or similarly significant effects

17.1 Legal Basis for AI Processing

The legal basis for processing personal data through the AI Consultation Assistant is Article 6(1)(b) of UK GDPR (processing necessary for the performance of a contract) and, where special category health data is involved, Article 9(2)(h) of UK GDPR (healthcare provision), read alongside Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018 (health or social care purposes). Processing is carried out under the responsibility of a health professional bound by professional secrecy obligations.

17.2 Right to Human Review

In accordance with Article 22 of UK GDPR, no clinical or patient-care decision is made solely on the basis of automated processing. The AI Consultation Assistant is always subject to review and override by the qualified healthcare professional conducting the consultation. Patients and practitioners have the right to request that any AI-assisted suggestion be reviewed or overridden by a qualified human professional. To exercise this right, contact dpo@qastco.com.

17.3 Anonymised Data for AI Improvement

Anonymised, aggregated platform usage data may be used to improve the accuracy and performance of AI-assisted features. No personally identifiable patient data is used for model training, development, or improvement purposes. All data used in this way is de-identified and aggregated in accordance with ICO anonymisation guidance and NHS DSPT standards. You may opt out of contributing anonymised data to AI improvement by contacting contact@rxsure.co.uk — this will not affect your access to AI features.

The full terms governing AI-assisted features, including liability limits and practitioner obligations, are set out in Section 18 of the Terms of Service. If you have concerns about how AI is used within the platform, contact contact@rxsure.co.uk.

18. Clinical Safety & Intended Use

RxSure is designed as a practice management and clinical workflow support tool for qualified pharmacist independent prescribers and healthcare professionals. It is not classified as a medical device.

  • RxSure does not diagnose, treat, or recommend treatment for any medical condition
  • All clinical decisions are made by the qualified healthcare professional using their own clinical judgement
  • The platform facilitates compliant record-keeping, audit trails, and workflow management
  • Clinical safety is managed through a risk management process compliant with DCB0129
  • Clinical Safety Officer: Navid-Ul-Khurram Kaleem, Pharmacist Independent Prescriber (GPhC: 2064676)

RxSure maintains a clinical risk management process and hazard log. For enquiries about clinical safety, contact contact@rxsure.co.uk.

19. Cookies

We use cookies and similar technologies. For detailed information, please see our Cookie Policy.

20. Children's Privacy

Our platform is designed for healthcare professionals and is not intended for use by individuals under 18 years of age.

21. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

22. Complaints

If you have concerns about our data practices, please contact us first. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113

23. Contact Us

For any questions about this Privacy Policy or our data practices:

Email: contact@rxsure.co.uk
Phone: 01613830950
Address: 934 Stockport Road, Manchester, M19 3AB

Data Protection Officer

QASTCO LIMITED has appointed a Data Protection Officer (DPO) as required under GDPR:

Name: Tanweer Ahmed
Email: dpo@qastco.com
Organisation: QASTCO LIMITED
ICO Registration: ZB261485

You may contact the DPO regarding any data protection concerns or to exercise your rights under GDPR.

RxSure - Healthcare Compliance & Clinic Management Software UK

Clinical services software for pharmacies and private clinics. Manage bookings, consultations, records, compliance and payments in one secure platform.

Manchester: 934 Stockport Road, Manchester, M19 3AB

Stoke: 9 Howard Place, Shelton, ST1 4NN

Phone: 01613830950

Email: contact@rxsure.co.uk

Product

  • Features
  • Pricing
  • For Pharmacies
  • For Clinics

Solutions

  • Clinic Management Software
  • Clinical Workflow Software
  • Electronic Clinical Records
  • Consultation Software
  • Partners & Integrations

Support

  • Help Centre
  • Blog
  • FAQ
  • Contact Us

Company

  • About Us
  • Compliance
  • Start 1 Month Free Trial
  • Book a Demo

Stay Updated with RxSure

Get the latest compliance tips, software updates, and healthcare insights delivered to your inbox.

RxSure is a software platform only. RxSure does not sell, dispense, supply, or deliver medicines. RxSure does not provide patient consultations or clinical treatments. Clinical decisions remain the responsibility of registered healthcare professionals using the platform.

© 2026 RxSure. All Rights Reserved. RxSure is a trademark of Qastco Limited. ICO Registration: ZB261485 v1.0.417

Privacy Terms Accessibility Complaints Security

Book a Demo

You've Already Requested a Demo

Our team will be in touch with you shortly. If you haven't heard from us, please check your email or contact us directly.

Contact Us
+44
Protected by reCAPTCHA. Privacy & Terms.
Do not click