Privacy Policy

1. Who We Are

Elite Glasgow Limited (trading as GLP1 Direct) is the data controller for personal information you provide when using our service. We are registered in Scotland and registered with the Information Commissioner's Office (ICO). Our contact email is [email protected].

2. What Data We Collect

When you use GLP1 Direct, we collect the following information:

Personal details: name, email address, telephone number, date of birth, address
Health data: medical history, current medications, weight, height, health conditions, allergies, previous weight loss attempts
Payment data: processed by Stripe or PayPal (we do not store your card details)
Consultation data: your responses to the medical questionnaire
Identity and verification images: a photograph of your government-issued ID, a photograph of your weighing scales, and full-body photographs (front and side) used to verify your identity and support the clinical assessment
Communication data: any emails or messages you send us

Health data is classified as special category data under UK GDPR and is processed with enhanced protection and security measures.

3. Why We Collect Your Data

We collect your data for the following purposes:

To process your consultation and assess whether you are eligible for treatment
To issue a prescription if treatment is appropriate
To fulfil and deliver your medication order
To provide aftercare support and monitor your response to treatment
To comply with pharmacy regulation and licensing requirements set by the GPhC
To respond to your queries and provide customer support
To prevent fraud and misuse of our service

4. Legal Basis for Processing

We process your data on the following legal bases under UK GDPR:

Consent: your explicit consent to process health data for consultation and prescription (Article 9)
Contractual necessity: processing required to fulfil the medication order and delivery
Legal obligation: GPhC regulations require us to maintain pharmacy records for prescribed medication
Legitimate interests: preventing fraud and improving our service (balanced against your rights)

For health data, we rely on your explicit consent obtained during the consultation process, as permitted by Article 9 UK GDPR.

5. Who We Share Your Data With

We share your personal and health data with the following third parties:

Prescribing pharmacist: to review your consultation and issue a prescription
Dispensing pharmacy: to fulfil your medication order and provide aftercare
Stripe or PayPal: for payment processing (payment data only, not health data)
Royal Mail or courier: for delivery tracking (delivery address only)
Email provider: for sending aftercare communications and appointment reminders
Cloudflare, Inc: our hosting and secure storage provider. Your consultation answers and verification images are stored in access-controlled cloud storage (Cloudflare R2) so that the prescribing pharmacist and authorised staff can review them

We do not sell your data to third parties. We do not share your data with marketing companies or advertisers. We only share data where necessary to fulfil your order or comply with legal requirements.

6. How We Protect Your Data

We implement the following security measures:

All data in transit is encrypted using TLS/SSL (HTTPS)
Health data is stored on secure servers with access limited to authorised personnel only
Payment data is processed by PCI-DSS compliant providers (Stripe, PayPal)
Staff with access to your data are trained in data protection and confidentiality
Your verification images are held in private, access-controlled storage and can only be viewed by authorised staff after signing in with a username and password. Images are not publicly accessible
We conduct regular security assessments and vulnerability testing

Despite our best efforts, no method of data transmission over the internet is completely secure. We cannot guarantee absolute security, but we comply with UK GDPR data protection principles.

7. How Long We Keep Your Data

We retain your data for the following periods:

Health and prescription data: minimum 2 years (as required by GPhC regulations for private prescriptions)
Payment data: not retained (processed by Stripe/PayPal)
Consultation data: retained for the duration of your treatment plus 2 years
Communication data: retained for 12 months unless required for dispute resolution
Identity and verification images: retained only as long as needed to verify your identity and support your clinical assessment, and securely deleted within 12 months unless a longer period is required by law or for dispute resolution

After this period, we will securely delete your data unless retention is required by law.

8. Your Rights

Under UK GDPR, you have the following rights:

Right of access: you can request a copy of the personal data we hold about you
Right to rectification: you can request that we correct inaccurate data
Right to erasure: you can request deletion of your data (subject to legal retention requirements)
Right to restrict processing: you can ask us to limit how we use your data
Right to portability: you can request your data in a structured, machine-readable format
Right to object: you can object to our processing of your data
Right to withdraw consent: you can withdraw consent at any time (though this will not affect processing already completed)

To exercise any of these rights, please contact [email protected] with full details of your request. We will respond within 30 days (or up to 3 months for complex requests).

9. Cookies

For information about how we use cookies, please see our Cookie Policy (link available in the footer).

10. Contact and Complaints

If you have questions about this privacy policy or how we process your data, please contact [email protected]. If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can contact the ICO at www.ico.org.uk or by calling 0303 123 1113.