Privacy Notice

Superdrug Online Doctor

We are committed to protecting and respecting your privacy.

This Privacy Notice explains how we collect and use your personal data. Please read it carefully. We ask you not to use our website or purchase our products and services until you’ve understood and are completely satisfied with it. is a website and service operated by HEALTH BRIDGE LIMITED ("we"/"us"). We are registered in England and Wales under company number 07392646 and have our registered office and trading address at 46 Essex Road, London, N1 8LN.

For the purpose of the Data Protection Act 2018 (the “Act”) and within the scope of this notice, the Data Controller (as defined by the Act) is Health Bridge Limited, unless indicated otherwise in this notice.

This Notice explains:
  • What information we may collect from you.
  • Where we store your personal data.
  • How we keep your information secure.
  • What we do with your data.
  • To whom we may disclose your data.
  • Your rights.

Information we may collect from you

In this Notice your "personal data" means information or pieces of information relating to you or that could allow you to be directly or indirectly identified.

We may collect and process the following data about you.
Information you voluntarily provide
You voluntarily provide information to us when you:
  • Register with us and fill in forms and medical questionnaires on our website.
  • Enter a competition or promotion.
  • Contact our customer support team (we make a record of this).
  • Take part in a voluntary research survey.
  • Subscribe to a specific newsletter.
  • Write a review about our service. (Please note that when you write reviews of our service, we might display these reviews on our website, social media or in our emails. For Trustpilot reviews, note that your name will appear as you registered it on Trustpilot.)
Information we collect from the device you use to access our website
When you visit our website, we (and our service providers, see section Who do we share your data with?) may collect information about how you use our website in order to improve your experience. Types of information we collect include:
  • The make of device you use (eg, an Apple or a Samsung device).
  • Your unique device identifier (eg, your device's IMEI number or the MAC address of the device's wireless network interface).
  • Network information (eg, the 3 network or BT Broadband).
  • Your operating system (eg, Windows, Mac OS, Linux).
  • Your IP address and HTTP referrer information.
  • Your login information (once you have created your patient account).
  • The browser you’re using and what version it is (eg, Chrome or Safari).
  • Time zone setting (eg, GMT, EST).
  • Your location.
Other information we collect when you visit our website
  • The sites you visit before our website (if you have clicked on a link that directed you to our website), including the date and time of those visits (‘clickstream’).
  • Services you viewed or searched for.
  • Page-response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
  • Phone numbers used to call our customer service.
Information we receive from other sources
We work closely with third parties (eg, suppliers in technical, payment and delivery services, advertising networks, analytics, search information providers, credit reference agencies) which may provide information to us about you.

If you use our test kits service, we will be sent your test results by the laboratory we are working with. You can request a list of suppliers we are working with (see the Contact section below).
Cookies, pixels and other similar technologies
Cookies are small pieces of information that are stored on your computer, mobile phone or other device. We use cookies and other similar tracking technologies such as web beacons and pixels on our website to get to know you better, recognise you and your device and store information about your preferences and past behaviours as well as for marketing purposes. 

You can read all about our use of these technologies in our Cookie Notice.

How do we use your data?

We use your data to:
  • Deliver our medical services to you.
  • Monitor and improve our service.
  • Send you marketing information, promotions and advertising.
  • Research purposes.
  • Security, legal, compliance and regulatory reasons.
Delivering our medical services to you
We do this by:
  • Making the consultation and checking your suitability for your preferred treatment.
  • Recommending a treatment if you have not chosen one.
  • Making recommendations based on the information you’re giving our doctors in the medical questionnaire.
  • Prescribing a treatment (when relevant).
  • Providing laboratory testing services to you.
  • Verifying your identity and accessing your medical data and account (if necessary) when you call our customer service team.
  • Offering advice and useful information about the condition you are coming to see us for.
  • Checking your identity to provide you with our medical services (when applicable).
The collection and use of the above data is based on the performance of the contract, the provision of healthcare services under the supervision of a healthcare professional and our legitimate interests.
Monitoring and improving our services
We use your data to:
  • Provide you with the best experience on our website given the type of device or browser you’re using.
  • Improve our service based on your interests and other visitors’ interests (eg, extending the range of services).
  • Identify and try to meet our patients’ expectations based on your reviews of our service (eg, Trustpilot, Google).
  • Perform analysis based on your use of our service and website.
The above information is processed based on our legitimate interest.
Marketing information, promotions and advertising
Your data are used to:
  • Give you useful information to help you manage your condition.
  • Let you know about our latest products and/or services that might be of interest to you based on the information given in the medical assessment.
  • Send you offers and promotions.
  • Send you newsletters.
  • Select display advertising about our service that we think might interest you on third party websites including social media.
If you do receive marketing material from us, please let us know what you think of it.

Note that you can unsubscribe from marketing communications at any time by emailing [email protected]. You can also change your preferences in your Account or click the ‘unsubscribe’ link that you will find at the bottom of every marketing email we send to you.

Please note that you cannot unsubscribe from emails related to your order or to the service you have requested from us, as they are necessary to provide you with the service (order status, delivery information, etc).

The processing of this data is based on our legitimate interest. For all medical data, if used purely in a marketing context, we will require your explicit consent.

Superdrug Stores Plc might also send you marketing communications about their own services but only if you provide your consent.
Research purposes
We use your data for research purposes to:
  • Analyse individual and collective data.
  • Carry out market research.
  • Send you surveys.
We carry out research to continually get feedback on our services and understand, for example, what you like or dislike or what you’re expecting from an online healthcare provider. The aim of this is to improve our range of services and meet your expectations.

We will always ask for your consent to conduct research and surveys, unless the information we are using is anonymised and so could in no way identify you (eg, a woman, living in London between 25 and 30 years old).
Legal, compliance and regulatory reasons
We use your data to:
  • Detect and prevent fraud (verifying your identity, fraudulent payment, identity theft, security threats etc).
  • Comply with any applicable law, regulation, legal process or public authorities requests.
  • Defend our rights, property and safety, as required or permitted by law.
This processing is based on our legitimate interest and/or legal obligation.

Who do we share your data with?

In order to deliver the Services to you, we need the help of several suppliers, who:
  • Send our order-related email communications to you.
  • Secure the traffic to and from our website.
  • Store your medical data securely.
  • Provide payment services and act as Data Controller.
  • Perform the laboratory test(s) on the samples you provide with our test kit(s). The laboratory also acts as a Data Controller as it is subject to strict regulations and your data must be kept in accordance with them.
  • Dispense the medication to you. As per our Delivery and Returns information, your treatment will be dispensed by a Superdrug Pharmacy or store. Superdrug Stores Plc acts as a Data Controller for the dispensing of your medication.
We also use third parties to send marketing emails to you.

In order to monitor and understand how our visitors or patients use our service or our website, we are using third parties to:
  • Collect and analyse information about the use of our website.
  • Collect reviews of our products and services.
  • Serve you personalised ads.
This is necessary for our legitimate interest to constantly improve our service, provide you with the best possible experience on our website and to optimize our marketing campaigns.

We might also need to disclose your data for the following legal reasons:
  • In the event that we sell or buy any business or assets, in which case we might need to disclose your personal data to the prospective seller or buyer of such business or assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of Health Bridge Limited, our customers, or partners. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
  • In order to detect, prevent or otherwise address fraud, security or technical issues.
In these cases, we only disclose what is strictly necessary.

With the exception of Superdrug Stores Plc and the laboratory, who act as Data Controllers, our suppliers or third parties are not authorised to use your personal data in any other way, and they are required to implement technical and operational measures to protect your personal data in accordance with a data processing agreement.

Internally, your data are accessed by our doctors and a limited number of persons at Health Bridge Limited. For instance, our customer service team needs to access your data to assist you.

We will always try to collect your data on an aggregated basis and when not possible, we will only process what is strictly necessary.

You can ask us for a list of the third parties we are using (please see contact at the end of this notice).

How long do we hold your data for?

We only hold your personal data for as long as is necessary. We have an internal retention policy in place which sets out how we use your data (delivery of service, marketing, improvement of our service, etc), which includes the associated retention periods.

For example, for clinical purposes, we abide by the national guidelines, which provide that GP records are to be kept until the death of the patient plus ten years or ten years after he/she has left the EU.

We keep anonymous data about our customers for an indefinite period of time as these data could not identify you.

Where we store your personal data

Any medical data you give us is stored safely on a private database. This database is only used by our doctors, customer support team, pharmacy team, and a small number of other employees on a need-to-know basis, such as IT support.

This platform is hosted on our servers or a third-party server (AWS) based in the EU. AWS is ISO 27001 certified, which is the international standard that describes best practice for information security management.

Data other than the medical data you’re providing in our medical questionnaires might be transferred and stored outside of the European Economic Area (EEA). Some countries may not offer the same level of personal data protection as in the EEA in which case we will have a specific agreement with our suppliers to ensure adequate safeguards are in place. 

We are aware of the recent ruling from the European Court of Justice regarding transfers to the USA. We are monitoring the guidance from the ICO carefully and will follow their new guidance once issued.

Your data may be seen by some members of our staff from outside the EEA in which case the data they have access to is encrypted and only available via a virtual private network (VPN).

Information security

What we do
We take strict security measures to protect against the unauthorised access to, or the unauthorised alteration, disclosure or destruction of your data. These include appropriate encryption, and physical security measures to guard the systems where we store personal data.

Any payment transactions will be encrypted using SSL technology. We also carry out internal reviews of our data collection, storage, and processing practices.

The suppliers we are using have to abide by privacy undertakings and we will check that their security meets our expectations before using them.
Every staff member has signed a confidentiality agreement and access to your data is on a need-to-know basis.
What we advise you to do
You should not share your password with anyone and should update it on a regular basis. We also advise you to use a strong, unique password that isn’t used for any other site. A strong password must include at least eight characters combining upper and lower case letters, numbers and keyboard symbols.

You can find out about protecting your information, strong passwords and staying safe online here.

Although we do everything we can to protect your personal data, sending information over the internet is never completely secure.

If you know of any security problem, please tell us as soon as possible.

Your rights

Object to the processing of your data
You have the right to ask us not to use your personal data for marketing purposes. We will inform you when collecting your data for this purpose and you can read in this notice if we are disclosing your information to any third party.

You can deny this use of data from the time you register with us and you can also change your mind later by changing your notification preferences in your account under the tab “Settings” or by clicking the unsubscribe link that you will find in every marketing email we send to you. Note that you do not have the option to unsubscribe from service emails as these are necessary to provide you with the service.

You can also exercise the right at any time by contacting us. Our contact details are below.
Correcting your data
If we’ve got something wrong with your information, you can update it quickly and easily in your account. If there’s something you want to change but you can’t, you can also contact us at any time.
Deleting your data
We will delete your data if you ask us to, unless it’s a legal requirement, or we have a valid business reason, not to delete it. For medical and legal reasons, we need to store your medical data as per the national guidelines. Such data cannot therefore be deleted but, if you want to stop using our services, you can suspend your account in the “Settings” section of your account. Your account will stop working immediately and you will no longer be able to access it. Once your account is closed, it cannot be reopened.
Accessing your data
You have the right to see any information we hold about you at any time. Just send your request to us (see the Contact section below). You can also request it by calling us, although you’ll need to confirm your request in writing. Please tell us what information you wish to see and send it along with approved identification documents (eg, a passport or driving licence).

You can also ask the third parties acting as Data Controllers (see Who do we share your data with? above) to know what data they hold about you or to obtain a copy.
Data Portability
You can ask for the data you provided us with in order to transfer them to another provider. We will then provide you with the data in a structured, commonly used and machine-readable format and/or transmit that data directly to the third party of your choice.
Restriction of processing
If you want to restrict the processing of your data, for example because you believe that your data are incorrect or the processing of your data is unlawful, you can ask us to process your data only in a restricted way subject to certain conditions as per the applicable data protection law.

Supplementary Privacy Notice for Covid-19 testing services for Patients

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.

In the context of the pandemic, the Secretary of State has required health organisations amongst other entities to share confidential patient information to respond to the Covid-19 outbreak based on reasons of public interest in the area of public health, and research in the public interest.

Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.
Where data is used and shared under these laws your right to have personal data erased will also not apply.

We may share your confidential patient information including, but not limited to, your name, ethnicity, NHS number, test results with health and care organisations and public bodies engaged in disease surveillance for the purposes of protecting public health including the UK government. 

If you are having a blood draw at a Clinic, we will share your name, telephone number, date of birth, address and email address with the clinic in order to perform the blood draw service.

We may also use the details we have to send public health messages to you, either by phone, text or email and/or to follow up on a Covid-19 test you’ve done.

Your personal/confidential patient information will be safeguarded in the same way it would be with any other consultation.

We will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

Changes to our Notice

Any changes we may make to our Notice will be posted on this page and in case of substantial changes, we will notify you by email.


Contact

We have a privacy officer who is responsible for enforcing our Privacy Notice. Any questions, comments and requests regarding this notice are welcome and should be addressed to Health Bridge Limited, 46 Essex Road, London N1 8LN or emailed ([email protected]).

If you have any complaints, you can also contact the ICO (Information Commissioner’s Office). Our ICO reference number is Z2715245.

Thank you for reading our Privacy Notice.

The latest CQC inspection found this service to be "safe, effective, caring, responsive, and well-led" with a Good rating. This inspection was conducted on 18th April 2019 and the results were published on the 7th June 2019. To find out more about this inspection, please see here.