Last updated: 15 February 2022
At Dispensary Green we aim to be your one-stop-shop for managing your medical cannabis prescriptions. We take pride in the quality of our prescription service and our ability to source and supply medical cannabis products to meet your prescription requirements, quickly and affordably. Our high business standards extend to our privacy practices and the safeguarding of your personal information.
This policy describes the information we collect or you shared with us when you visit our website (regardless of where you visit it from), or use our platform and services to manage your medical cannabis prescriptions, as well as how that data is used, stored and safeguarded, and your choices regarding this information.
1. What this policy covers
This policy outlines how we at Dispensary Green collect and process your personal information through your use of our website (the “Website”), as well as the platform we use to manage your medical cannabis prescriptions, and such other services associated with the management and supply of prescribed medical cannabis (collectively the “Services”), including any data you may provide to us when you create an account, register to use our prescription management services (whether as a Patient, Carer or Doctor), manage your prescriptions through us, or interact with us in any way.
Our Website and Services are intended for use by patients, carers and doctors and only by those over the age of 18; we do not knowingly collect data relating to children.
2. Data controller and contact details
Total Health Midlands Ltd trading as Dispensary Green (“Dispensary Green”, “we”, “us” or “our”) is the ‘data controller’ of the processing of your personal information as described in this policy. As the data controller, we decide why and how your personal information is processed and are responsible to you for that processing under data protection laws.
Our details are as follows:
3. How to contact us about your rights and data
By email at: firstname.lastname@example.org
We are regulated by the Information Commissioner’s Office (“ICO”) and you have the right to make a complaint at any time to them. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
4. Third party links
5. Information collected about you
We have set out below the personal information about you we may collect, use, store and transfer when you interact with us through Dispensary Green. Personal information means any information from which we can identify you, it does not include information we collected on an anonymous basis.
- Identity & Contact Data includes your title, first name, last name, date of birth, email address, home address, telephone number, whether you are a Patient, Carer or Doctor, and in the case of Doctors, the name of your clinic or GP practice, and address. As part of our verification checks, we also collect a copy of your valid ID (passport, driving licence etc.) as well as a scan of your face, using secure facial recognition technology.
- Medical & Prescription Data: as our Services assist you to manage your medical cannabis prescriptions, naturally we collect various information about your medical situation and your prescriptions, including information about your prescription such as its unique ID number and the type, brand and quantity of medication, as well as any other information your Doctor may include on your prescriptions. We will also collect and store the physical copy of your prescription you send to us via the post.
- Financial Data & Transaction Data: includes your payment card details, billing address, as well as details about payments to and from you and other details of any purchases you have made from us.
- Profile Data: includes your username and password, details of your account, information about the prescriptions and orders made by you, your profile and account preferences, and any information provided through direction interactions with us. In addition, if you are a Carer or Doctor we also collect the following information:
- Carers: details about any patients you add to your account (such as their name, date of birth and their address).
- Doctors: your GMC reference number, your field of specialism (e.g., pain, neurology, paediatrics etc.), details on any CQC checks against your clinic or GP practice, details of any patients you add to your account.
- Usage Data: includes information created about you through your use of our Services, such as unique identifiers, activity logs, and your interactions with us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Website or Services.
- Marketing & Communications Data includes your preferences in receiving marketing from us and our third parties, other interactions with us, such as feedback to surveys or with our technical support or customer services teams, as well as your communication preferences.
Our Services do involve the collection of certain types of information which we treat particularly sensitively. We refer to this information as “Special Category Data” and it includes:
We have implemented additional safeguards with regards to the collection, use and storage of this data.
How your information is collected
We use different methods to collect data from and about you including through:
Direct interactions. You may give us your Identity, Contact, Financial, Medical & Prescription, Profile, Marketing and Communications Data by interacting with us through our Website or Services, filling in forms or completing our registration process, or by corresponding with us. If you are a Carer or Doctor, this will also extend to information about your Patients.
This includes personal information you provide when you:
When using the Services. Through your use of our Services we will collect, process and store your Medical & Prescription Data, Usage Data and Transaction Data, specifically:
Automated technologies or interactions. As you interact with both our Website and Services, we automatically collect various information about you, such as the device you use when you interact with us, browsing actions and patterns. We collect this personal information by using cookies, server logs and other similar technologies.
Third parties including publicly available sources. We will receive personal information about you from various third parties as set out below:
- Identity & Contact Data from the following parties:
- Doctors & Carers: when either your Carer or Doctor provides us with your personal information on your behalf.
- Get Address: we utilise the Get Address look-up tool to help you complete your address details. This tool works by cross referencing Ordnance Survey’s complete list of UK postcodes with various other data sources.
- GMC & CQC: for Doctors registering an account with us, we verify both your status as a doctor, as well as that of your clinic or GP practice, with the General Medical Council and Care Quality Commission, respectively.
- Technical Data from the following parties:
- analytics providers;
- advertising networks; and
- search information providers.
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services, such as our third-party payment processors, or social media platforms, where you sign up to Dispensary Green through referra from these platforms.
6. How we use your information
We collect, process, store and disclose personal information for a variety of different reasons, but in all cases only to the extent the law allows us to.
Data protection laws require that organisations processing personal information set out the specific legal reason (known as the ‘lawful basis’) on which they rely to process that information.
We rely on the following lawful bases to processing your personal information:
- Consent: we use your consent as a lawful basis for processing your personal information including for the purposes of sending marketing communications to you, in particular, where you register your interest with us through our Website or otherwise. You have the right to withdraw consent at any time by contacting us, including by opting out through any marketing communication we may provide.
- Performance of Contract: where we need to perform the contract we are about to enter into or have entered into with you.
- Legal Obligations: where we need to comply with a legal obligation
- Legitimate Interests: where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. We rely on a wide range of legitimate interests as a business:
- for marketing activities (other than where we rely on your consent);
- to correspond or communicate with you;
- to verify the accuracy of data that we hold about you;
- to preserve the integrity of our network and information security and, in particular, for us to take steps to protect your information against loss or damage, theft or unauthorised access;
- for prevention of fraud and other criminal activities;
- to improve our Website, products and Services, in particular through analysing how you interact with us through our Website, products and Services to more generally improve your user experience;
- for the management of queries, complaints, or claims, including when complying with a request from you in connection with the exercise of your data protection rights;
- for the establishment and defence of our legal rights.
Special Category Data
For certain types of information identified in this policy as Special Category Data, we rely on the following lawful bases:
- Medical & Prescription Data: for all health and medical related data you provide to us by uploading your prescriptions, we process this information in order to supply our Services to you (i.e., for the performance of our contract with you), and to deliver health care services to you (i.e., the provision of managed pain relief by fulfilling your prescription). As part of our rigorous standards, all services are provided under the ultimate supervision of a superintendent pharmacist.
- Identity Data: in light of the sensitive nature of prescribed medicines, we want our verification process to be as rigorous as it can be. A key aspect of this process involves our use of facial recognition technology to scan your face against the ID you have submitted. When you scan your face using our verification tool we ask you to confirm that you provide your Explicit Consent to your use of your image for this specific purpose. Our verification process is there to ensure we get the right prescriptions to the right people. However, if you are uncomfortable with providing consent to the use of our facial recognition technology, we can provide alternate means of ensuring your prescriptions reach you.
Summary of how and why we use your information
We have summarised below the various ways we use your personal information and our lawful basis for doing so.
|Purpose / Activity||Type of data||Lawful basis for processing including basis of legitimate interest|
|To register your account for our Services||(a) Identity|
(c) Profile Data
|Performance of a contract|
|To verify your identity and, in the case of Doctors, to verify your credentials and those of your clinic of GP practice.||(a) Identity|
(c) Profile Data
(d) Special Category Data (namely a facial recognition scan)
|Your Explicit Consent and, additionally, in relation to Doctors,|
(a) Performance of a contract; and,
(b) Necessary for our legitimate interests
|To manage and process your prescriptions||(a) Identity|
(c) Special Category Data (namely your Medical & Prescription Data)
|(a) Performance of a contract|
(b) Necessary for our legitimate interests (for running our business, provision of administration, to prevent fraud and for audit purposes) and, for Medical & Prescription Data
(c) For the purpose of providing you with health services (in this case, managed pain relief medication), under the supervision of a superintendent pharmacist.
|To facilitate and process your orders and the delivery of your prescriptions:|
(a) Manage payments, fees and charges
(b) Collect and recover money owed to us
|(a) Performance of a contract|
(b) Necessary for our legitimate interests (for our audit purposes and to act as a record that prescriptions have been processed and payment has been made)
|Where you are using our Services to manage prescriptions on behalf of a patient, either as a Carer or Doctor||(a) Identity|
(c) Special Category Data (namely the Medical & Prescription Data of your patient)
|(a) Performance of a contract|
(b) Necessary for our legitimate interests (for our audit purposes) and, for Medical & Prescription Data
(c) For the purpose of providing your patient with health services (in this case, managed pain relief medication).
|To manage our relationship with you which will include:|
(b) Asking you to leave a review or take a survey
(c) Notifying you about new releases, planned downtime and other changes to our products and Services.
(d) Marketing and Communications
|(a) Performance of a contract|
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (for our audit purposes and to understand how customers use our products/services)
|To enable you to participate in a survey or to obtain feedback from you||(a) Identity|
(e) Marketing and Communications
|(a) Performance of a contract|
(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
|To administer and protect our business, our network and your data (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||(a) Identity|
|(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)|
(b) Necessary to comply with a legal obligation
|To deliver relevant content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you||(a) Identity|
(e) Marketing and Communications
|Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)|
|To use data analytics to improve our products and Services, our Website, as well as our marketing, customer relationships and user experiences||(a) Technical|
|Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)|
|To make suggestions and recommendations to you about goods or services that may be of interest to you||(a) Identity|
(f) Marketing and Communications
|Necessary for our legitimate interests (to develop our products/services and grow our business)|
7. Cookies and other technologies
Cookies come in a variety of forms but are essentially small data files used to collect and store information about you. We use them on our Website for a variety of different functions:
- for the smooth and safe operation of Dispensary Green and our website;
- to manage your preferences and remember you for future visits;
- to analyse how you use Dispensary Green and our website in order to continually make improvements.
The majority of these cookies are linked to your browser session (session cookies) and disappear once you close your browser. Others remain on your device for a longer period (persistent cookies).
8. Our use of social media
We use social media platforms in a variety of different ways, including by publishing pages through which you can interact, running competitions or advertising to you using information you have provide those platforms or which has been provided by us or collected from our Website. Our legal relationship with each platform will vary with the particular way we are using that platform.
In particular, we process your personal information using social media platforms as follows:
- Pages. We use your personal information when you post content or otherwise interact with us on our official pages on Facebook, Instagram, LinkedIn, Twitter and other social media platforms. We also use the Page Insights service for Facebook, Instagram and LinkedIn to view statistical information and reports regarding your interactions with the pages we administer on those platforms and their content. Where those interactions are recorded and form part of the information we access through the Page Insights services, we and the relevant platform are joint controllers of the processing necessary to provide that service to us.
- Targeted advertising. We use social media platforms (as well as search engines and third party websites and other platforms to deliver targeted advertising to you via those platforms, unless you object. Yo may receive advertising because you have previously interacted with us (such as by visiting one of our websites) or because of your profile on a social media platform on which you have an account. You can find our more by consulting the help pages of the relevant social media platform but in summary we use social media platforms to send targeted advertising using two methods:
- ‘Lookalike audience’ targeting. You may also receive advertising because, at our request, the social media platform has identified you as falling within a group or ‘audience’ whose attributes we have selected, or a group that has similar attributes to you (or a combination of the two).
Information we send using social media cookies
Our relationship with Facebook, LinkedIn and Twitter. As we are joint controllers with these platforms for certain processing, we and each platform have:
- entered into agreements in which we have agreed each of our data protection responsibilities for the processing of your personal information described above;
- agreed that we are responsible for providing to you the information in this privacy statement about our relationship with each platform; and
- agreed that each platform is responsible for responding to you when you exercise your rights under data protection law in relation to that platform’s processing of your personal information as a joint controller.
Facebook, LinkedIn and Twitter may also process, as our processors, personal information that we submit for the purposes of matching, online targeting, measurement, reporting and analytics purposes. These services include the processing these platforms carry out when they display our advertisements to you in your news feed at our request after matching contact details for you that we have uploaded to them. These advertisements may include forms through which we collect contact information you give to us.
Further information. The Facebook company that is a joint controller of your personal information is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The LinkedIn company that is a joint controller of your personal information is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. For further information regarding these platforms and their use of your personal information, please see:
- Facebook’s Controller Addendum for Page Insights and Controller Addendum for Business Tools and LinkedIn’s Page Insights Joint Controller Addendum which include information regarding how our and those platforms’ responsibilities to you are allocated as controllers of your personal information;
- Facebook’s help pages regarding its Page Insights and Business Tools and its terms and conditions relating to those tools; and
- LinkedIn’s help pages regarding its Page Insights and its terms and conditions relating to its advertising services, including LinkedIn Insight Tag.
9. Information sharing and disclosure
We share the information we collect or that is provided to us as follows:
Sharing with our Group Company
Dispensary Green is part of the Lyphe Group, a UK-based provider of patient-focused medical cannabis solutions (our “Group Company”).
We share the information we collect and process about you with our Group Company for a variety of reasons. In particular:
- Our Group Company may assist us in the performance of certain processing activities described in this policy. As the controller of your personal information, when we do share your information for these reasons, we decide why and how it is processed.
- If, and to the extent that, your personal information is sent to our Group Company for a processing purpose that is in both our and their interests or where we make decisions together in relation to that particular processing, we will be “joint controllers” with the organisations involved. Where this applies, we and the other organisation will be jointly responsible to you under data protection laws for this processing.
Sharing with our Partners
We may share your personal information with the organisations listed below for the purposes we have identified above:
- Project Twenty21: the international trial into medical cannabis treatment, monitored by Drug Science and with whom we may share aggregated information with (if you are a T21 candidate) for the purpose of them running that trial. This will not identify you.
- The Medical Cannabis Clinics: cross-refer with their database for those patients that are due a follow up appointment or running out of medications and require a repeat prescription.
If you are a Patient, we also share your personal information with Carers and Doctors, as necessary, to fulfil prescription orders.
Sharing with our Suppliers
External Third Parties, who help us provide our Services. Currently, we use the following trusted Partners:
|Recipient / relationship to us||Industry sector (and sub-sector)|
|Advertising, PR, digital and creative agencies||Media (Advertising & PR)|
|Banks, payment processors and financial services providers||Finance (Banking & Payment Processing)|
|CCTV administration and monitoring service providers||Surveillance (CCTV)|
|Cloud software system providers, including database, email and document management providers||IT (Cloud Services)|
|Customer care/services providers||Customer Services (Support)|
|Delivery and mailing services providers||Logistics (Delivery Service)|
|Facilities and technology service providers including scanning and data destruction providers||IT (Data Management)|
|Social media platforms||Media (Social Media)|
|Gift card service providers||Customer Services (Support)|
|Health and safety claims administrators and consultants||Health & Safety (Claims)|
|Insurers and insurance brokers||Insurance (Underwriting & Broking)|
|Legal, security and other professional advisers and consultants||Professional Services (Legal & Accounting)|
|Market and customer research providers||Media (Market Resarch)|
|Website and data analytics platform providers||IT (Data Analytics)|
|Website and App developers||IT (Software Development)|
|Website hosting services providers||IT (Hosting)|
|Wifi and other communication service providers||IT (Telecommunications)|
Some of the information you provide to us may be transferred to countries outside the UK and European Economic Area (“EEA”). These countries may not have similar data protection laws to the UK and EEA.
Where we transfer your information outside of the UK and EEA in this way, we take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected in the ways required by data protection law as outlined in this policy. These steps include imposing contractual obligations on the recipient of your personal information. Please contact us using the details at the end of this policy for more information about the protections that we put in place and to obtain a copy or access to the relevant documents.
If you use our Services whilst you are outside the UK and EEA, your information may be transferred outside the UK and EEA in order to provide you with those services.
10. How we safeguard your data
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11. Retention and Deletion
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
As a general rule we retain your personal information for 7 years from the date our relationship with you ends, however we apply shorter/longer retention periods for the following information:
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law;
- you exercise your right to require us to retain your personal information for a period longer than our stated retention period;
- we bring or defend a legal claim or other proceedings or receive complaints during the period we retain your personal information, in which case we will retain your personal information until those proceedings or complaints have concluded and no further appeals are possible;
- we archive the information, in which case we will delete it in accordance with our routine deletion cycle; or
- in limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period.
In some circumstances you can ask us to delete your data by contacting us.
In some circumstances we will anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
12. Your information, your rights
You have a number of rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to verify your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 1 month after we have received this information or, where no such information is required, after we have received full details of your request.
You can enforce your rights by contacting us, or in most cases, by deleting your account and/or by ending your use of our Website, products or Services.
You have the following rights, some of which may only apply in certain circumstances:
- to be informed about the processing of your personal information (this is what this statement sets out to do);
- to have your personal information corrected if it is inaccurate and to have incomplete personal information completed;
- to object to processing of your personal information;
- to withdraw your consent to processing your personal information;
- to restrict processing of your personal information;
- to have your personal information erased;
- to request access to your personal information and information about how we process it;
- to electronically move, copy or transfer your personal information in a standard, machine-readable form; and
- rights relating to automated decision making, including profiling.