GPhC Registered Pharmacy
Login
logo
HomeTreatmentsTravel ClinicOur PrescribersAbout UsContact Us
Login0333 052 7071
Your Data, Your Rights

Privacy Policy

We are committed to protecting your privacy and handling your personal data with care, transparency, and in full compliance with UK data protection law.

Who We Are

Cova Care is an online pharmacy operated by Cloud Care Group Ltd (Company No: 16807851), registered with the General Pharmaceutical Council (GPhC Registration: 9013018).

Our registered address is Unit B1, The Yard, Little Kings Ash Farm, Kings Ash, Great Missenden, Buckinghamshire, HP16 9NP.

For the purposes of data protection legislation, Cloud Care Group Ltd is the data controller responsible for your personal data. If you have questions about this policy or our data practices, contact us at info@covacare.co.uk.

Information We Collect

We collect the following categories of personal data when you use our services:

  • Identity data: full name, date of birth, and gender
  • Contact data: email address, phone number, and delivery address
  • Health data: medical history, current medications, allergies, and consultation questionnaire responses
  • Transaction data: order details, payment references, and delivery records
  • Technical data: IP address, browser type, device information, and cookies
  • Communication data: records of correspondence with our team

How We Use Your Information

We process your personal data on the following lawful bases under UK GDPR:

  • Contractual necessity: to fulfil orders, process prescriptions, and deliver treatments to you
  • Legal obligation: to comply with pharmacy regulations, GPhC requirements, and NHS record-keeping duties
  • Vital interests: where necessary to protect your health or safety
  • Legitimate interests: to improve our services, prevent fraud, and communicate relevant service updates
  • Consent: for optional marketing communications, which you can withdraw at any time

Special Category Data (Health Data)

As a pharmacy, we process health-related data which is classified as special category data under UK GDPR. This data is essential for providing safe, clinician-approved treatments.

We process this data under Article 9(2)(h) of UK GDPR: processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems.

Your health data is only accessible to our qualified clinical team and is never used for marketing purposes.

Who We Share Your Data With

We may share your personal data with the following categories of recipients, only where necessary:

  • Our clinical team: pharmacists and independent prescribers who review your consultations
  • Delivery partners: to fulfil and deliver your orders (name and address only)
  • Payment processors: to securely process transactions
  • Regulatory bodies: including the GPhC, MHRA, and NHS where required by law
  • IT service providers: who help us maintain and secure our systems, under strict data processing agreements

We never sell your personal data to third parties. All third-party processors are bound by contractual obligations to keep your data secure and confidential.

How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Medical and prescription records: retained for a minimum of 8 years in line with NHS and GPhC guidance
  • Transaction records: retained for 7 years for tax and accounting requirements
  • Marketing consent records: retained until you withdraw consent
  • Technical logs: retained for up to 12 months for security purposes

How We Protect Your Data

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Access controls limiting data access to authorised personnel only
  • Regular security assessments and monitoring
  • Staff training on data protection and confidentiality
  • Secure disposal of data when no longer required

Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate or incomplete data
  • Right to erasure: request deletion of your data (subject to legal retention requirements)
  • Right to restriction: request we limit how we process your data
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interests
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at info@covacare.co.uk. We will respond within one month. Please note that some rights may be limited where we have a legal obligation to retain data (e.g. medical records).

Cookies

Our website uses cookies to improve your experience. For full details on the cookies we use and how to manage them, please see our Cookie Policy

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. Any significant changes will be communicated via our website. We encourage you to review this policy periodically.

This policy was last updated on 18 March 2026.

Contact Us

If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact us:

  • Email: info@covacare.co.uk
  • Address: Unit B1, The Yard, Little Kings Ash Farm, Kings Ash, Great Missenden, Buckinghamshire, HP16 9NP

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.