Our Privacy Notice describes the categories of personal data we process and for what purposes.
Introduction and summary
At Bestway Medhub we know that your personal information is important to you. That’s why whenever we process it, we only use what we need to, and we do everything we can to ensure it is appropriately protected.
This notice explains the situations where we may process your personal data and the steps we take to protect it. In summary:
- most of the personal information we collect is provided directly by you and is necessary to deliver the service you have requested. We only ask for the information that we absolutely need.
- we do collect some personal information automatically – such as IP addresses, pages viewed on our website and links you’ve clicked on. This is predominantly through the placement of cookies which are explained in detail later.
- we may acquire some personal information from commercially available data sources (e.g. the electoral roll) to keep your data accurate and help us better understand your needs.
- if you have given us appropriate permission to do so, we may send you information about products and services we offer. We will never sell your details to third parties for their own marketing purposes.
- to help you get the most out of our marketing, we may sometimes tailor it to you using your personal information. We will do this by building a profile about you, for example, to understand what services you currently use, or may have a future need for. You can object to this (explained later) and receive non-personalised marketing instead.
- we may share your information within our wider group of companies (explained later) where there is a legal need, or justified business need, to do so.
- we use selected third parties to provide some of our services (e.g. courier companies to deliver orders) and will share the minimum personal data necessary with them to do so.
Like most organisations, we use third parties to support the running of our business (e.g. using an application) and, in certain circumstances, these third parties may have access to your data. This may be from outside of the European Union. Where this is the case, we have appropriate protective measures in place to ensure your information is appropriately protected.
Updating this notice
Bestway Medhub keeps its privacy notice under regular review and we may make changes to this notice at any time and will either contact you with the modified terms or by posting a copy of them on our website. Any changes will take effect 7 days after the date of our email or the date on which we post the modified terms on the website, whichever is the earlier. Your continued use of our services after that period expires means that you agree to be bound by the modified policy.
This privacy notice was last updated on 1st May 2018
Who are we?
Bestway Medhub is the trading name for our Wholesale business and is part of the Bestway Group Limited. When we say ‘we’ or ‘us’ we mean these companies.
These companies are part of the wider Bestway Group of companies. When we say ‘Group’ in this notice, we mean other members of our group of companies, including trading and subsidiary companies.
How can you contact us?
By post to:
Data Protection Officer
If you specifically want to contact our Data Protection Officer, you can do so by emailing DPO@bestwaymedhub.co.uk
What if you need to complain about how we have used your personal information?
You can make a complaint about how we have used your personal information to us by contacting our Data Protection Officer (using the details above).
You are also entitled to complain to the Data Protection Supervisory Authority – which in the UK is the Information Commissioners Office (ICO). You can find their contact details at https://ico.org.uk
What are your privacy rights and how can you exercise them?
Under law, you have the following rights:
- Right of Access: you have the right to know how we process your personal information (as explained in this notice) and also a right to receive a copy of your personal information.
- Right of Rectification: you can ask us to change or complete any inaccurate or incomplete personal information held about you.
- Right to Object: you have the right to object, in certain circumstances, to us processing your personal information. For example, you can object to us sending you marketing material or using your personal information to create a profile about you.
- Right to Erasure: in certain circumstances, you can ask us to delete your personal information. For example, where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
- Right of Portability: you have the right to ask us to send a copy of certain elements of your personal information (predominantly information you have shared directly with us) to another company.
- Right to Restrict: you can ask us to restrict the personal information we use about you where you have asked for it to be erased (and the erasure has not taken place or we were unable to erase the data when we should have) or where you have objected to our use of it.
To exercise the Right of Access, email our DPO at email@example.com or by post to:
To exercise any other right, email our DPO at firstname.lastname@example.org or by post to:
Data Protection Officer
Exercising your rights is free and we will respond to any request as quickly as we can. Under current law, we have up to a calendar month to respond to any request. We will endeavour to meet this. If we can’t, we’ll contact you to explain why and confirm when your request will be processed.
What personal information do we collect and how is it used?
What we collect and how we use it varies depends on how you interact with us and the specific services you’ve requested. This is outlined below.
- We process your bank details to provide the services or products you have requested. For any orders of products or services made by you online via our website, via a cascade order or Telesales team or if you opt to have your details stored for future payments, our third Party Processing Agency securely holds your payment card details and provides us with a unique token that represents that particular card; this token is only valid for payment to us.
- If you interact with us online (for example, when you use our website), we will indirectly collect information about you. We collect certain usage information when you utilise our website such as Internet Protocol (“IP”) addresses, log files, unique device identifiers, pages viewed, browser type, any links you click on to leave or interact with our website and the products and services we offer, and other usage information collected from cookies and other tracking technologies. For example, we collect IP addresses to track and aggregate non-personal information, such as using IP addresses to monitor the regions from which users navigate our website. We collect this information for our own legitimate business interests to enable us to understand how digital services are used and how we can improve them.
- If you have an account with us and use our online ordering portal online, we may collect your IP addresses as part of the log in process. This is a security feature to protect your account.
- If you have an account with us, we will purchase commercially available data about you from sources like the electoral roll and companies that collate and update data. We’ll consolidate the information we hold about you across the companies in our Group and the different channels you use to interact with us (e.g. in a by phone or cascade orders). We do this as part of our legitimate business interests to keep our records accurate and up to date, provide you with a seamless and consistent service and to build a clearer picture of our customers, both individually and as a group. By understanding you better we can offer you the best and most personalised service we can, but don’t worry – we will only send you marketing material if you have agreed that we can.
- If you call us, we may record or monitor the call. We do this for regulatory purposes, for training, to ensure and improve quality of service delivery, to ensure safety of our staff and customers, and to resolve queries or issues. Doing so is a legal obligation. Where we analyse calls to improve our service, we do so as a legitimate business interest.
- If you enter one of our premises, we may capture you on CCTV. We use CCTV to ensure the safety and security of our staff and customers. The images captured may be used to prevent and detect crime, and therefore may be shared with law enforcement. We carry out this processing activity either for our own legitimate interest or for the wider public interest (e.g. where it is shared with law enforcement).
- As part of delivering our service to you, we may use your personal information to contact you. For example, to send your reminders (e.g. about payments due) or to notify you of a change (e.g. you’re your point of contact has changed). We may also provide your telephone number to third party delivery services to allow them to contact you about your specific delivery. This could be, for example, to let you know of any urgent delivery issues, or that we are unable to safely approach the pharmacy. Where we do so, we ensure the third party only uses the information for this specific purpose and processes it in accordance with an established legal contract.
- If you visit one of our offices as a guest (contractors, suppliers, guests, other non-customer individuals) on a one-time/ad-hoc basis or as part of a long-term agreement, your first name, surname, organisation/company name and vehicle registration will need to be recorded in our visitor system the purposes of site security and health and safety.
Who do we share your personal information with?
In the previous section we described particular instances where we share your personal information with others. There are also other third parties that we use to deliver services to you. In this section, we have summarised the categories of third parties who we may share your data with.
- Postal services and couriers – for typical business purposes, to deliver orders
- Third party content processors – for example, to deliver our health advice and information about our products and services to you (e.g. an ordering platform)
- Law Enforcement Agencies (LEA) – where we are required to do so by law, we will release personal data to LEA’s (e.g. the police). This will most likely be for the detection or prevention of crime, or to exercise or defend a legal claim.
Where do we process your personal data from?
We may need to transfer your information outside the UK to service providers, agents and subcontractors in countries where data protection laws may not provide the same level of protection as those in the European Economic Area, such as the USA.
In the case of the USA, we use the EU Commission approved EU-US Privacy Shield (for so long as it remains applicable to the United Kingdom). The EU-US Privacy shield provides a framework for the exchange of personal data between countries in the EU and the USA. This framework ensures that those companies who use the EU-US Privacy shield have adequate protections in place for the exchange of personal data.
How long will we keep your personal information?
We will retain your personal information for as long as we are legally or contractually required to do so, or for a period which is justifiable to meet our business needs. The exact retention period varies depending on the type information and purpose for use, if you require any further information on retention periods please contact us at DPO@bestwaymedhub.co.uk
Marketing and profiling
If you have given your consent, we will, from time to time, contact you about the products and services we offer.
We will send these communications to you by either email, post or both depending on what you signed up to. Every marketing communication we send will include instructions on how to opt-out. At any time, you can change your marketing preferences by emailing DPO@bestwaymedhub.co.uk or sending a letter to:
Data Protection Officer
The marketing we send to you may be tailored to make it more relevant. This is done by analysing the data we hold on you (e.g. services previously used, age, address, previously stated health and wellbeing interests) to create a profile. If you want to receive marketing from us, but do not want this to be tailored then you can object to the profiling as described under "What are your privacy rights and how can you exercise them?". Alternatively, unsubscribing from marketing will also cease the profiling activity we conduct.
Keeping you up to date
In order to deliver our services to you, it is necessary to contact you using the contact mechanisms you have given us. This may be by issuing an email to confirm your order, sending an SMS message to confirm a delivery slot, calling you to discuss an issue with your order or for other similar reasons. These communications are necessary, and we will use whichever communication method we can to ensure we provide you with the information you need. You can inform us of particular communication preferences (e.g. email rather than phone call) and we will endeavour to follow your preferred mechanism. However, we reserve the right to use any contact information we have to deliver necessary information to you.