GDPR Notice

Scope and Controller

This GDPR Notice explains how MedStore Online processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). It applies to individuals who visit our website, interact with our tools and services, subscribe to communications, or otherwise communicate with us in the United Kingdom.

Controller Identity and Contact

Controller: MedStore Online (owned by Kestra Walker)

Registered postal address:
IKEA Warrington
910 Europa Boulevard
Westbrook
WARRINGTON
WA5 7TY
United Kingdom

Email: [email protected]

We have not appointed a statutory Data Protection Officer; however, our Data Protection Lead is the Controller named above and can be contacted using the email address provided.

Definitions

“Personal data” means any information relating to an identified or identifiable natural person. “Processing” means any operation performed on personal data. “Special category data” includes data concerning health. “UK GDPR” refers to the data protection regime applicable in the United Kingdom.

Categories of Personal Data We Process

  • Identity and contact data: name, email address, optional profile details, and correspondence.
  • Usage and technical data: IP address, device identifiers, browser type, operating system, referral URLs, pages viewed, time on page, and clickstream data collected via cookies and similar technologies.
  • Communication preferences: subscription status and marketing consent records.
  • Content you provide: inquiries submitted through forms; optional feedback or reviews.
  • Special category data (only if you choose to provide it): health-related information you enter into tools (e.g., pill identification inputs) or that you share in communications.

Sources of Personal Data

  • Directly from you: when you contact us, subscribe, create an optional account, or use interactive tools.
  • Automatically: via cookies, pixels, and similar technologies when you browse our website.
  • From service providers: aggregated analytics or anti-abuse signals generated on our behalf.

Purposes of Processing and Lawful Bases

  • Operating and securing the website, providing content and tools (including the pill identifier), troubleshooting, and preventing abuse or fraud – lawful basis: legitimate interests (ensuring a secure, functional service) and, where applicable, legal obligation.
  • Responding to inquiries, support requests, or feedback – lawful basis: legitimate interests (communication efficiency) or contract where we provide requested services.
  • Sending educational updates and newsletters – lawful basis: consent; you may withdraw consent at any time.
  • Analytics to understand audience engagement and improve content quality – lawful basis: consent for non-essential cookies; legitimate interests for strictly necessary analytics performed without tracking beyond what is essential.
  • Maintaining records necessary for compliance (e.g., consent logs, security logs) – lawful basis: legal obligation and legitimate interests.
  • Processing special category data (health information) that you voluntarily provide for tool functionality or advisory context – lawful basis: your explicit consent. We do not require health data for general browsing, and the service is educational only.

Special Category Data

We do not seek to collect special category data. If you choose to provide health-related information (e.g., to use certain features), we will process it only with your explicit consent for the specified purpose and will implement enhanced safeguards. You may withdraw consent at any time by contacting us; withdrawal does not affect prior lawful processing.

Cookies and Similar Technologies

We use cookies and similar technologies to operate the site, remember preferences, and, with your consent, to measure performance and enhance user experience in compliance with PECR.

Types of Cookies

  • Strictly necessary: required for core functionality and security.
  • Performance/analytics: help us understand how our site is used (set only with consent, unless strictly necessary analytics are deployed in a privacy-preserving manner).
  • Functionality: remember choices to improve your experience.

You can manage cookie preferences via our on-site controls (where available) and your browser settings. Disabling some cookies may affect functionality.

Data Sharing and Recipients

We share personal data only when necessary and subject to appropriate safeguards with:

  • Hosting and infrastructure providers.
  • Security, anti-abuse, and logging service providers.
  • Analytics and measurement partners (for consented analytics only).
  • Professional advisors (legal, compliance, accounting) under confidentiality.
  • Authorities or regulators when required by law.

We require our processors to process data only on our instructions and to implement appropriate security and confidentiality measures.

International Data Transfers

If we transfer personal data outside the UK, we ensure an adequate level of protection through one or more of the following: UK adequacy regulations; the ICO-approved International Data Transfer Agreement (IDTA); the UK Addendum to the EU Standard Contractual Clauses; or other lawful safeguards and supplementary measures as needed. You may request information about applicable transfer safeguards by contacting us.

Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Notice, and to meet legal, accounting, or reporting requirements. Typical retention periods include:

  • Inquiry and support correspondence: up to 24 months after last contact.
  • Account-related data (if an account feature is offered): for the life of the account and up to 24 months after closure, unless longer retention is required by law.
  • Analytics data: up to 26 months, or a shorter period where feasible.
  • Security and access logs: typically 12 months, subject to extension for incident investigation.
  • Consent records and suppression lists: retained as long as necessary to evidence compliance and to honor opt-outs.

Security Measures

We apply technical and organizational measures appropriate to the risk, including: encryption in transit; access controls and least-privilege permissions; secure development and change management practices; regular vulnerability management; logging and monitoring; data minimization and pseudonymization where appropriate; staff confidentiality obligations and training; and vendor due diligence. No internet transmission or storage system is fully secure; we continuously improve our controls.

Direct Marketing

We send electronic marketing communications only with your consent or as otherwise permitted by PECR. You may opt out at any time by using the unsubscribe function in our messages or by contacting us. We will maintain suppression records to respect your choice.

Automated Decision-Making and Profiling

We do not perform automated decision-making that produces legal or similarly significant effects. We may use limited profiling for analytics or content personalization with your consent; you may object or withdraw consent at any time.

Children’s Data

Our services are intended for individuals aged 13 and over. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided personal data, please contact us so we can take appropriate action.

Your Rights

Under the UK GDPR, you have the following rights (subject to conditions and applicable exemptions):

  • Right of access to your personal data.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”).
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interests and to object at any time to direct marketing.
  • Right to withdraw consent where processing is based on consent.
  • Right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects.

Exercising Your Rights

To exercise your rights, please contact us at [email protected]. We may need to verify your identity. We will respond without undue delay and within one month of receipt; this period may be extended by up to two further months where requests are complex or numerous, in which case we will inform you of the extension and reasons.

Complaints

If you have concerns about our data processing, please contact us first so we can address them. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the United Kingdom.

Data Breach Notification

In the event of a personal data breach, we will assess the risk and notify the ICO within 72 hours where required, and notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

Third-Party Sites and Content

Our website may reference third-party content. We are not responsible for the privacy practices of third parties. We encourage you to review their notices where applicable.

Educational Nature of Services

Our content and tools are provided for educational purposes only and are not a substitute for professional medical advice, diagnosis, or treatment. Please consult a qualified healthcare professional for medical decisions. Avoid submitting unnecessary health information to our website.

Changes to This Notice

We may update this Notice from time to time to reflect changes in our practices, technologies, or legal requirements. We will post the updated version with a revised effective date.

Contact

For any questions about this Notice or our data protection practices, please contact:

Kestra Walker (Controller)
MedStore Online
IKEA Warrington, 910 Europa Boulevard, Westbrook, WARRINGTON, WA5 7TY, United Kingdom
Email: [email protected]

Effective Date

This Notice is effective as of the date of publication and remains in force until superseded.

Categories

Archives

Menu

© 2025. All rights reserved.