MediPAL Privacy Policy

Your Personal Information

Why do we collect your personal information?

The 'Supplier' collects 'Purchaser' information in order to process and despatch orders and to inform the 'Purchaser' about 'Supplier' products and service. We take 'Purchaser' privacy very seriously and, in order for us to keep you informed about your order status and products and service, we request to hold your personal data. If you do not allow us to do this, we would be unable to inform you of your order status or of any important changes to our products or service and therefore would be unable to take your order.

What information do we collect?
Typically, we collect:
• Name, address, telephone number, email address of purchaser
• Despatch address
• MediPAL member name, date of birth, emergency contact name and telephone number
• Current medication
• Brief medical history - could include NHS number and blood group
• GP contact details

What will we do with your personal information?
MediPAL recognises and appreciates the importance of responsible use of information collected through the MediPAL website or paper orders.
We will use information in accordance with the EU General Data Protection Regulation (GDPR) 2016 and any other laws or regulations currently in force in the United Kingdom (the "Data Protection Legislation").

We are registered through ICO as a data controller under the EU General Data Protection Regulation (GDPR) 2016.
The information we collect, hold and process will be used for the purpose of providing you with MediPAL services and developing our business which shall include (without limitation):
a. fulfilment of a 'Purchaser' order
b. occasionally we may contact customers by email or telephone using details as provided at the time of registration or order placement. Customers are able to unsubscribe from receiving notifications from MediPAL, by contacting us at or using one of the "Unsubscribe" links on our emails.
Using your information to keep in touch with you
In addition to our typical processing we may use the information we hold about you in order to contact you in the following circumstances:
a. to advise you of changes to our website or products
b. to advise you of changes to our terms
c. to advise you of any security concerns
d. to comply with our legal and regulatory obligations
e. where permitted by law

How long do we hold it for?
We do not store your information for longer than is necessary to provide the service, and to ensure that we have appropriate auditable records for business purposes.

Whenever we collect or process your personal data, we'll only keep it for as long as is necessary for the purpose for which it was collected. At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

Orders - When you place an order, we'll keep the personal data you give us for 10 years so we can comply with our legal and contractual obligations.
Third Party Suppliers - MediPAL does not share your personal information with any 'Third Parties'.

Secure collection and storing of your information
Security is probably one of the most significant concerns for both the shopper and the retailer during an online transaction. In reality, an online transaction is probably more secure than a card transaction in a shop or conducted over the telephone or by fax, as the information transmitted online is strongly encrypted using complicated logarithmic algorithms.

For your security and payment protection, we use internationally recognised, third-party secure on-line payment providers. As soon as you enter the payment process, every bit of information that is transferred between you and us is encrypted using SSL encryption. Even if data could be intercepted over the Internet it would be useless.

Data Storage
Data is stored on PayPal or WorldPay systems, and the communication between PayPal or WorldPay and the worldwide banking networks, is regularly audited by the banking authorities to ensure a secure transaction environment. We also ensure that we stay up-to-date with the latest versions of any third-party code we use, and continually review our own proprietary code.

For more information on our secure transaction partners please visit or

All personal information that you provide to us, or we collect about you is stored on our secure servers. We understand that this includes confidential information and we have put in place a range of suitable physical, electronic and managerial procedures to safeguard and secure your information.
Our staff have the minimum required access to your data, and are trained to ensure that it is protected and kept secure. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

We employ security measures to protect customer information and personal data from being accessed by unauthorised persons and against unlawful processing, accidental loss, destruction and damage. However, while we take all reasonable steps to protect customer information, customers accept that no Internet data transmission can be guaranteed to be secure from access by unintended recipients and customers will not hold us liable for any breach of security unless this is due to our negligence.

Utilisation of cookies
In order to improve our site, we may use 'cookies' to track customer visits and to process orders. A cookie is a small amount of data that is transferred to the customer's browser by a Web server and can only be read by the server that gave it to the customer. Most browsers are initially set to accept cookies. Customers can set their browser to notify them when they receive a cookie, giving them the chance to decide whether or not to accept it - please refer to the "help" menu on your browser or to the information that came with your browser software.

Your rights
You have the right to request from us access to your own personal information. This is sometimes known as a 'subject access request'. Additionally, you have the right to request from us:
a. that any inaccurate information we hold about you is corrected
b. that information about you is deleted in certain situations
c. that we stop using your personal information for certain purposes
d. that your 'user' and 'user account' information is provided to you in a portable format
e. that decisions about you are not made by wholly automated means
Many of the rights listed above are limited to certain defined circumstances and we may not always be able to comply with your request. We will tell you if this is the case.

You also have the right to ask us not to process your personal data for direct marketing. We will inform you if we intend to use your information for this purpose. You can exercise your right to prevent us using your information in this way by contacting us by email
If you choose to make a request to us to exercise any of these rights, we will aim to respond to you as soon as we reasonably can but no later than one month. We will not charge a fee for dealing with any reasonable request.

If you are unhappy with how we are using your personal information or if you wish to complain about how we have handled a request, then please contact Christopher Pinkerton, Director and we will try to resolve your concerns.

You also have the right to complain to your local Data Protection Authority and a full list can be found here

Changes to this privacy notice
Any changes we may make to our privacy policy in the future will be posted on this page. Please check back frequently to see any updates or changes to our privacy policy.

Law and Jurisdiction
This privacy information notice is subject to the laws of England, and the non-exclusive jurisdiction of the English Courts. If you are domiciled in Scotland, Wales or Northern Ireland it can be enforced in your local court system.

Get in touch


MediPAL Data Protection Policy

1. Data protection principles
MediPAL is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to individuals;
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2. General provisions
a. This policy applies to all personal data processed by MediPAL.
b. MediPAL shall take responsibility for the company's ongoing compliance with this policy.
c. This policy shall be reviewed at least annually.
d. MediPAL is registered with the Information Commissioner's Office as an organisation that processes personal data.

3. Lawful, fair and transparent processing
a. To ensure its processing of data is lawful, fair and transparent, MediPAL shall maintain a Register of Systems.
b. The Register of Systems shall be reviewed at least annually.
c. Individuals have the right to access their personal data and any such requests made to MediPAL shall be dealt with in a timely manner.

4. Lawful purposes
a. All data processed by MediPAL must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
b. MediPAL shall note the appropriate lawful basis in the Register of Systems.
c. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
d. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in MediPAL's systems.

5. Data minimisation
a. MediPAL shall ensure that all personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6. Accuracy
a. It is the responsibility of the MediPAL member to keep MediPAL up to date with personal data to ensure it is accurate.
b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

7. Archiving / removal
a. To ensure that personal data is kept for no longer than necessary, MediPAL shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
b. The archiving policy shall consider what data should/must be retained, for how long, and why.

8. Security
a. MediPAL shall ensure that personal data is stored securely using modern software that is kept up-to-date.
b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
c. When personal data is deleted this should be done safely such that the data is irrecoverable.
d. Appropriate back-up and disaster recovery solutions shall be in place.

9. Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, MediPAL shall promptly assess the risk to people's rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).