| Document Reference: | POL-012 |
| Version: | 2.0 |
| Pharmacy: | SynovaMed (trading name of Nihaal Limited) |
| Registered Address: | 11 Blaby Road, South Wigston, Wigston, LE18 4PA |
| GPhC Pharmacy Reg.: | 9012552 |
| Superintendent Pharmacist: | Chirag Desai (GPhC: 2079415) |
| Effective Date: | 19 April 2026 |
| Next Review Date: | April 2028 |
| Approved By: | Chirag Desai, Superintendent Pharmacist & Director |
1. Who We Are
SynovaMed is the trading name of Nihaal Limited, a company registered in England and Wales (company number 15813871, VAT 478403078). Our registered address is 11 Blaby Road, South Wigston, Wigston, LE18 4PA. We are a registered pharmacy (GPhC registration: 9012552). Our Superintendent Pharmacist is Chirag Desai (GPhC: 2079415). We are registered with the Information Commissioner's Office (ICO) as a data controller.
2. What This Policy Covers
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services. It applies to our website, our patient portal, our app (if applicable), and any clinical or commercial interactions with us.
3. Data Controller and Data Protection Lead
The data controller is Nihaal Limited, trading as SynovaMed. Our Data Protection Lead is the Superintendent Pharmacist, Chirag Desai. Contact: info@synovamed.co.uk.
4. What Personal Data We Collect
- Identity data: name, date of birth, gender, photo ID, biometric verification data.
- Contact data: address, email, phone number.
- Health data (Special Category under UK GDPR Article 9): medical history, current medications, allergies, consultation answers, measurements relevant to your treatment (e.g. weight, height, BMI, blood pressure), treatment history, adverse reactions, blood test results (if provided), and photographs where relevant (e.g. hair loss pattern, skin condition).
- Financial data: card details (tokenised; we do not store full card numbers), billing address, transaction history.
- Technical data: IP address, browser type, device information, cookies and similar technologies.
- Usage data: how you use our website and patient portal.
- Marketing data: your preferences about receiving marketing communications from us.
5. Lawful Basis for Processing
We rely on the following lawful bases under UK GDPR:
- Article 6(1)(b) - Contract: processing is necessary to provide you with the service you have requested.
- Article 6(1)(c) - Legal obligation: for regulatory and tax record-keeping requirements.
- Article 6(1)(f) - Legitimate interests: for security, fraud prevention, service improvement.
- Article 6(1)(a) - Consent: for marketing communications (which you can withdraw at any time).
- Article 9(2)(h) - Provision of health care: for your health data, processed by or under the responsibility of a health professional under professional secrecy.
6. How We Use Your Data
- To conduct your clinical consultation and decide on prescribing.
- To dispense and deliver your medicine safely.
- To verify your identity and age.
- To provide ongoing monitoring and clinical follow-up.
- To respond to your enquiries and complaints.
- To process your payments and refunds.
- To meet our regulatory and legal obligations (GPhC, MHRA, HMRC, ICO).
- To improve our service through aggregated, anonymised analytics.
- To send you marketing (only if you have consented).
- To detect, prevent, and investigate fraud and diversion.
7. Who We Share Your Data With
We share your data only where necessary and always under strict confidentiality:
- Contracted Pharmacist Independent Prescribers (PIPs): to review and decide on your consultation.
- Your GP or other healthcare professionals: where you have consented, and to safeguard your care.
- Identity verification provider (Didit or equivalent): to verify your identity and age.
- Payment processor: to process payments (card data is tokenised).
- Courier / delivery partner: for address details only, to deliver your medicine.
- IT service providers: under UK GDPR-compliant Data Processing Agreements.
- Regulators: GPhC, MHRA, ICO - where legally required.
- Emergency services: where there is a serious risk to life.
We do not sell your personal data to anyone. We do not share your health data with third parties for marketing purposes.
8. International Transfers
Your data is stored primarily in the UK and EEA. If any processor handles your data outside the UK/EEA, we rely on UK GDPR-approved safeguards such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the ICO.
9. How Long We Keep Your Data
See our Data Retention Policy (POL-003). In summary:
- Clinical records: 10 years after your last contact with us.
- Financial records: 6 years + current year.
- Marketing consent: until withdrawn + 1 year.
- Prescription records: 2 years.
10. Your Rights Under UK GDPR
You have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion (subject to statutory retention requirements for clinical records).
- Restriction: request that we limit processing in specific circumstances.
- Portability: request your data in a machine-readable format.
- Objection: object to processing based on legitimate interests or for marketing.
- Withdraw consent: for any processing based on your consent.
- Not be subject to automated decision-making that produces legal or similarly significant effects.
To exercise any right, contact info@synovamed.co.uk. We will respond within one calendar month. There is no charge (unless a request is manifestly unfounded or excessive).
11. Automated Decision-Making
We do not make solely automated prescribing decisions. Every consultation is reviewed by a human GPhC-registered prescriber. We do use automated tools for fraud detection, age verification, and clinical red-flag alerting, but these are always followed by human review before any decision affecting you is made.
12. Cookies
Our website uses cookies. Please see our Cookies Policy (POL-013) for details. You can adjust your cookie preferences at any time.
13. Data Security
We take data security seriously. Our measures include:
- Encryption of data at rest (AES-256) and in transit (TLS 1.2+).
- Multi-factor authentication for all staff accounts.
- Role-based access control; only staff who need access have it.
- Access logs reviewed regularly.
- Secure, UK-based cloud hosting.
- Annual penetration testing (planned).
- Cyber Essentials Plus certification (planned).
- Regular staff training on data protection and cyber security.
14. Data Breaches
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware. If the breach is likely to result in a high risk to you personally, we will contact you directly to explain what happened and what steps to take.
15. Children
Our service is for adults aged 18 and over. We do not knowingly process personal data of anyone under 18 in connection with our services.
16. Changes to This Policy
We may update this policy from time to time. We will post the updated policy on our website and, where changes are material, notify you by email.
17. How to Contact Us
- Data queries: info@synovamed.co.uk
- Post: Data Protection Lead, SynovaMed (trading name of Nihaal Limited), 11 Blaby Road, South Wigston, Wigston, LE18 4PA
- Phone: 07822 002914
18. Complaints to the ICO
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office:
- Website: www.ico.org.uk
- Phone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
19. Policy Review
Reviewed every 2 years. Next review: April 2028.