Morrisons Clinic Privacy Policy

Phlo Technologies Ltd (Phlo), trading as Morrisons Clinic (and also referred to here as "we" or "us"), takes your privacy and the security of your personal information seriously. We are committed to protecting it through our compliance with this policy.

This Privacy Policy describes who we are and how and why we collect, store, use and share your personal information, and highlights your privacy rights within the UK’s Data Protection Act (DPA), Privacy and Electronic Communications Regulations (PECR) and General Data Protection Regulation (GDPR).

Who we are

Phlo Technologies Ltd (Phlo) is a digital healthcare services provider, incorporated in Scotland under company number SC496769 with registered address C/O Gillespie & Anderson, 147 Bath Street, Glasgow G2 4SN.

Phlo has been authorised by Wm Morrison Supermarkets Limited (Morrisons) to use the Morrisons trademark and brand in the provision of the online pharmacy services available on the Morrisons Clinic platform. Phlo is solely responsible for the services provided, with the services including:  

  • Consultations
  • Prescribing
  • Collecting Payment for Orders
  • Preparing Orders
  • Dispatching Orders

Wm Morrison Supermarkets Limited (Morrisons) is a private limited company, incorporated in England and Wales under company number 358949 with registered address Hilmore House, Gain Lane, Bradford, West Yorkshire, BD3 7DL.


If you have any questions or concerns about our personal data practices or policies or wish to exercise your privacy rights our appointed Data Protection Officer can be contacted at dpo@wearephlo.com.

Personal information we collect about you

To provide our healthcare services safely and effectively we collect a range of personal information. If you do not provide personal information we ask for, it may delay or prevent us from providing services to you.

The personal information we may collect about you includes:

  • Name
  • Date of Birth
  • Gender
  • Email address
  • Telephone number
  • Home and delivery addresses.
  • Identity verification details (e.g. NHS Number, NI number)
  • Information about past and present medications.
  • Information about past and present prescription and treatment requests.
  • Information about past and present prescriptions.
  • Information about past and present orders.
  • Information about past and present healthcare services provided.
  • Healthcare records.
  • Treatment specific consultation data (e.g. allergies, family history, blood pressure, photographic evidence).
  • Billing information (Payment transaction data)
  • Information about how you interact with our products and communications.
  • Your communications with us.
  • Your responses to surveys, competitions and promotions.  
  • Audit of logins, password changes and other key security events.  
  • Audit of actions carried out within our products.

As a healthcare provider we are required to collect, store and use your healthcare data as described above. Healthcare data is categorised as “Special Category” data and has higher levels of protection under UK law (ICO: Special Category Data). We use this special category data to comply with our legal obligations and to ensure we can provide our healthcare services to you safely and effectively.

How your personal information is collected

We collect your personal information:

  • Directly from you when you provide it to us in person, by telephone, text or email and/or via our website and apps.
  • Automatically as you use our service through cookies and other technical infrastructure.
  • From third parties with your consent, e.g. your General Practitioner.
  • From public sources, e.g. social media platforms, particularly where you are using those to communicate with us.
  • From other Phlo Technologies Ltd services.

Why we use your personal information

We only use your personal information if we have a legitimate reason for doing so, e.g:

  • To comply with our legal and regulatory obligations.
  • For the performance of our contract with you or to take steps at your request before entering into a contract.
  • For our legitimate interests or those of a third party.
  • Where you have given consent.  

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.  

How we use your personal information

The table below explains how we use your personal information.

To provide our services to you.

For the performance of a contract with you or to take steps at your request before entering a contract.

This covers the processing of personal information required when offering our core services of:

  • Consultations
  • Prescribing
  • Collecting payment for orders
  • Preparing orders
  • Delivering orders

To maintain an accurate user record.

For the performance of a contract with you or to take steps at your request before entering a contract.

To verify your identity.

To comply with our legal and regulatory obligations.

To take payment from you.

For the performance of a contract with you or to take steps at your request before entering a contract.

To prevent, detect and report criminal activity.

For our legitimate interests or those of a third party.

To receive feedback about our services.

For our legitimate interests or those of a third party.

To communicate with you regarding our services.

For our legitimate interests or those of a third party.

To understand how our services have been used.

For our legitimate interests or those of a third party.

To meet requirements of audits, enquiries or investigations by regulatory bodies.

To comply with our legal and regulatory obligations.

To enforce our legal rights.

For our legitimate interests or those of a third party.

To carry out statistical analysis.

For our legitimate interests or those of a third party.

To build lookalike audiences for marketing campaigns.

For our legitimate interests or those of a third party.

To promote our services.

Where you have given consent.

To complete external audits and quality checks.

For our legitimate interests or those of a third party.

To test our platform.

For our legitimate interests or those of a third party.

To support other legitimate interests.

Where you have given consent.



Who we share your personal information with

We routinely share personal information with third parties to provide our services effectively.

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you.

Your data may be shared with the service providers listed below.

Financial Services Providers

To take payments, issue refunds, send invoices and complete financial reporting.

  • Checkout Ltd, 54 Portland Place, London, W1B 1DY, United Kingdom (Payment Processor)
  • Xero (UK) Ltd, Bank House, 171 Midsummer Boulevard, Milton Keynes, MK9 1EB and our bank, Shawbrook Bank, Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex CM13 3BE (Finance management platform)
  • Gillespie & Anderson, 147 Bath St, Glasgow G2 4SN and advisers Johnston Carmichael at 227 W George St, Glasgow G2 2ND (Accountants)
  • Third parties approved by you, e.g. third-party payment providers such as your bank, which may request that you approve payment to us.

Logistics and Delivery Partners

To deliver orders successfully.

  • Royal Mail, 100 Victoria Embankment, London, EC4Y 0HQ. (Delivery Provider)
  • DPDgroup UK Ltd, Roebuck Lane, B66 1BY. (Delivery Provider)
  • Despatch Cloud Ltd, Unit 76 Warfield Road, Kellythorpe Industrial Estate, Driffield, England, YO25 9FQ. (Delivery Booking Platform)
  • IDDQD Limited (Ideal postcodes), International House, 24 Holborn Viaduct, London EC1A 2BN (Address Identification Platform)
  • Other delivery partners we use from time to time.

Website Host

To monitor website usage and track newsletter and waiting list registrations.

  • Webflow Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103. (Website Host)

Application Hosts

To host our applications and supporting infrastructure.

  • Google Cloud Platform operated by Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin 4, Ireland. (Application Infrastructure Host)
  • CloudFlare services operated by Cloudflare, Inc., located at 101 Townsend St., San Francisco, California 94107. (Application Infrastructure Host)
  • Apple Inc., 10955 N Tantau Ave, Cupertino, CA 95014, United States. (Application Infrastructure Host)

Communication Platforms

To keep in contact with you.

  • Postmark operated by AC PM LLC, 1 North Dearborn St, 5th Floor Chicago, IL 60602 to send transactional emails. (Email Communications)
  • Twilio operated by Twilio, Inc. 375 Beale Street, Suite 300, San Francisco, CA 94105, USA. (SMS Communications)
  • Intercom operated by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland, to provide real-time messaging services. (Helpdesk Platform)
  • Active Campaign operated by AC PM LLC, 1 North Dearborn St, 5th Floor Chicago, IL 60602. (Customer Engagement Platform)
  • 3CX, 4010 Boy Scout Boulevard, Suite 325 33607, Tampa, Florida USA to handle telephone communications. (Helpdesk Platform)
  • Zoho Corporation Pvt. Ltd (Zoho Desk), PLOT No. 140,151, GST ROAD, ESTANCIA IT PARK,VALLANCHERY, GUDUVANCHERY(POST) KANCHEEPURAM TN 603202 IN. (Helpdesk Platform)

Review Platform

To collect feedback on our products.

  • Trustpilot A/S, Pilestræde 58, 5th floor, 1112 Copenhagen K, Denmark. (Review Platform)

Web Application Infrastructure Partners

To track and report on web traffic.

  • Google (Google Analytics) operates from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. (Web Analytics Platform)
  • Hotjar Ltd (Hotjar), Dragonara Business Centre5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta. (Web Analytics Platform)
  • PostHog Inc (PostHog), 2261 Market Street #4008, San Francisco, CA 94114. (Web Analytics Platform)
  • Functional Software, Inc (Sentry)., 45 Fremont Street, 8th Floor, San Francisco, CA 94105. (Performance Monitoring Platform)
  • Catamorphic, Co. dba LaunchDarkly (LaunchDarkly), 1999 Harrison St Suite 1100, Oakland, CA 94612, United States. (Feature Flag Platform)

Marketing Partners

To promote our services to other people and understand how you discovered us.

  • Google (Google Ads) operates from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. (Advertising Platform)
  • Facebook Ireland, 4 Grand Canal Square, Dublin, Ireland Dublin 2. (Advertising Platform)
  • LinkedIn Ireland, Wilton Place, Dublin, Ireland. (Advertising Platform)
  • Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland. (Advertising Platform)
  • YouTube is a subsidiary of Google with offices at Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin 4, Ireland. (Advertising Platform)
  • Taboola Inc, 16 Madison Square West, 7th Floor, New York, New York 10010. (Advertising Platform)
  • Voucherify PSA, Porcelanowa 23, 40-246 Katowice, Poland (Discount Code Platform)
  • DBS Ltd, 24 Station Road, Ossett, West Yorkshire, WF5 8AD. (Direct Mail Campaign Partner)
  • All Response Media Ltd, Sutton Yard, 65 Goswell Rd., London EC1V 7EN. (TV Campaign Partner)
  • Other marketing partners we use from time to time.

Healthcare Service Providers

To support us in providing safe and efficient healthcare services.

  • Invatech Health, 442-450 Stapleton Rd, Easton, Bristol BS5 6NR. System data resides in two locations (1) Phlo Technologies London Pharmacy at Containerville, Unit 13, 35 Corbridge Crescent, London, E2 9EZ and (2) data centres in the Republic of Ireland operated by Amazon Web Services, One Burlington Plaza, Burlington Road, Dublin 4, Ireland.  (Patient Medication Record Platform)
  • Convenet Ltd registered at 3 The Paddocks, Ripley, England, DE5 3QR. (GP Integration Platform – Approved by NHS).
  • OTC Direct Limited, trading as “NWOS”, at Leigh Service Centre Leigh Commerce Park Green Fold Way Leigh, WN7 3XJ. (Supplier of Medical Devices)
  • NHS Digital at 7 and 8 Wellington Place, Leeds, West Yorkshire, LS1 4AP. (NHS Digital Services)
  • GlykkaLLC, trading as Signeasy, at 750 N Saint Paul St Ste 250, PMB 42273, Dallas, Texas 75201. (Digital Signature Platform)
  • LexisNexis, at Lexis House, 30 Farringdon St, London EC4A 4HH. (Identity Verification Platform)
  • Your registered NHS GP Practice.

Regulators and Legal Advisers

To comply with our legal and regulatory obligations.

  • Addleshaw Goddard, Exchange Tower, 19 Canning St, Edinburgh EH3 8EH. (Legal Advisors)
  • General Pharmaceutical Council at 25 Canada Square, Canary Wharf, London E14 5LQ. (Regulator)
  • Information Commissioners Office at Wycliffe House, Water Lane, Wilmslow SK9 5AF. (Regulator)
  • NHS England (known formally as the NHS Commissioning Board) and reachable at NHS England, PO Box 16738, Redditch, B97 9PT. (Regulator)
  • External auditors as appropriate, e.g. in relation to ISO or Investors in People accreditation processes and the audit of our accounts.  
  • Law enforcement agencies and regulatory bodies as appropriate.

Wm Morrison Supermarkets Limited (Morrisons)

To allow Morrisons to enhance their offerings to you across their platforms

  • Morrisons will have access to analytics data to track and report on web traffic on Morrisons Clinic, as part of the wider Morrisons ecosystem.
  • Morrisons will be notified when you have completed registration or completed a transaction so they can understand the performance of Morrisons Clinic acquisition channels, and to tailor offers and promotions to you in the future.
  • Morrisons will be notified of the products and services you have paid for on Morrisons Clinic, to tailor offers and promotions to you in the future. This data will only be shared with Morrisons with your explicit consent via an opt-in agreement.

Other Commercial Partners

To share data where there is a legitimate interest to do so.

  • Third parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, personal information will be redacted but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.  
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganisation, dissolution, or other sale or transfer of assets.
  • Consumers of our data insights. The data that we collect from you through our applications and systems can help others. We want to share patterns of information on what medicines people take, when, where and for how long. The way in which we do this is by collating data, then removing personal information (names, postal addresses, email addresses, NHS numbers). We analyse the remaining data to identify insights and behaviours so that we can contribute with others to the development of medicines and how treatments are marketed and made available to people. This data can be sold to or shared with to government departments, healthcare professional bodies, the pharmaceutical industry and organisations who want to understand how medicines are used in the real world.
  • Marketing partners to build lookalike audiences and exclude individuals from targeted marketing campaigns.

Other Phlo Technologies Ltd Services

To provide integrated experiences and promote our services.

We operate a set of related healthcare services. In some cases, we may look to use data in an integrated fashion across the business, for instance where a service might be interesting to users of another services.

Where your personal information is held  

Information may be held at our offices and those of our pharmacy, third-party system providers and agencies, service providers, representatives and agents as described above (see above: ‘Who we share your personal information with’). Your data is hosted in our pharmacy premises and offices in the United Kingdom and at data centre facilities in the United Kingdom and in the Republic of Ireland, except for Intercom, Webflow and Postmark services, which are hosted in the United States of America under the EU-US Privacy Shield framework.  

Keeping your personal information secure  

We take the security of information very seriously and have established security standards and procedures to prevent unauthorised access to your information. We maintain physical, electronic, and procedural safeguards to comply with applicable standards to ensure your information is always protected. We limit access to your personal information to only those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.  

For detailed information on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.  

How long your personal information is held

We retain your personal information while you actively use our services and for a period of time thereafter. Your information is retained for historical and archiving purposes so we can understand how we serviced you and to meet the requirements of our regulators.

You may exercise your right to have your personal information removed from our systems by contacting us at dpo@wearephlo.com.

 

Your rights  

The UK’s data protection laws provide you with certain rights. These rights include:

  • Right to be informed.
  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to restrict processing.
  • Right of data portability.
  • Right to object.
  • Right not to be subject to automated individual decision making.

For further information on each of those rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights.

If you would like to exercise any of those rights, please email us with

  • Your name, address, date of birth and account email address.
  • Details on what right you want to exercise and the information to which your request relates.    

How to complain

We hope that we can resolve any query or concern you may raise about our use of your information.    

Should you be unable to resolve directly with us, the Data Protection Act gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted directly through their site at: https://ico.org.uk/concerns

How to contact us

Please contact us by email or telephone if you have any questions about this privacy policy or the information we hold about you.  

Our contact details are:  

Phlo Technologies Ltd, Clockwise Offices, 77 Renfrew St, G2 3BZ.  

Email: dpo@wearephlo.com  

Telephone: 0141 255 0751  

Changes to this privacy policy  

We keep our privacy policy up to date to ensure you are always aware how we collect and use your personal information. If there is a fundamental change in how we process your data, we'll get in touch by email to inform you.

This privacy policy was last updated on 1st October 2024.

Morrisons Clinic
Unit 1 Fifth Street
Trafford Park
Manchester
England
M17 1JX

Dennis Ouko
MRPharmSGPhC
Registration Number: 2205052
Phlo Technologies Ltd

England only
Service currently available within England only
Morrisons Clinic together with Phlo Digital Pharmacy
Morrisons Clinic is ready when you are
Get started