Privacy Policy

Last updated March 2026

This privacy policy is provided as a framework. GLP1 Direct recommends obtaining professional legal review before final publication, particularly regarding special category health data processing under UK GDPR.

1. Who We Are

Elite Glasgow Limited (trading as GLP1 Direct) is the data controller for personal information you provide when using our service. We are registered in Scotland and registered with the Information Commissioner's Office (ICO). Our contact email is hello@glp1direct.co.uk.

2. What Data We Collect

When you use GLP1 Direct, we collect the following information:

  • Personal details: name, email address, telephone number, date of birth, address
  • Health data: medical history, current medications, weight, height, health conditions, allergies, previous weight loss attempts
  • Payment data: processed by Stripe or PayPal (we do not store your card details)
  • Consultation data: your responses to the medical questionnaire
  • Communication data: any emails or messages you send us

Health data is classified as special category data under UK GDPR and is processed with enhanced protection and security measures.

3. Why We Collect Your Data

We collect your data for the following purposes:

  • To process your consultation and assess whether you are eligible for treatment
  • To issue a prescription if treatment is appropriate
  • To fulfil and deliver your medication order
  • To provide aftercare support and monitor your response to treatment
  • To comply with pharmacy regulation and licensing requirements set by the GPhC
  • To respond to your queries and provide customer support
  • To prevent fraud and misuse of our service

4. Legal Basis for Processing

We process your data on the following legal bases under UK GDPR:

  • Consent: your explicit consent to process health data for consultation and prescription (Article 9)
  • Contractual necessity: processing required to fulfil the medication order and delivery
  • Legal obligation: GPhC regulations require us to maintain pharmacy records for prescribed medication
  • Legitimate interests: preventing fraud and improving our service (balanced against your rights)

For health data, we rely on your explicit consent obtained during the consultation process, as permitted by Article 9 UK GDPR.

5. Who We Share Your Data With

We share your personal and health data with the following third parties:

  • Independent prescribing pharmacist: to review your consultation and issue a prescription
  • Dispensing pharmacy: to fulfil your medication order and provide aftercare
  • Stripe or PayPal: for payment processing (payment data only, not health data)
  • Royal Mail or courier: for delivery tracking (delivery address only)
  • Email provider: for sending aftercare communications and appointment reminders

We do not sell your data to third parties. We do not share your data with marketing companies or advertisers. We only share data where necessary to fulfil your order or comply with legal requirements.

6. How We Protect Your Data

We implement the following security measures:

  • All data in transit is encrypted using TLS/SSL (HTTPS)
  • Health data is stored on secure servers with access limited to authorised personnel only
  • Payment data is processed by PCI-DSS compliant providers (Stripe, PayPal)
  • Staff with access to your data are trained in data protection and confidentiality
  • We conduct regular security assessments and vulnerability testing

Despite our best efforts, no method of data transmission over the internet is completely secure. We cannot guarantee absolute security, but we comply with UK GDPR data protection principles.

7. How Long We Keep Your Data

We retain your data for the following periods:

  • Health and prescription data: minimum 2 years (as required by GPhC regulations for private prescriptions)
  • Payment data: not retained (processed by Stripe/PayPal)
  • Consultation data: retained for the duration of your treatment plus 2 years
  • Communication data: retained for 12 months unless required for dispute resolution

After this period, we will securely delete your data unless retention is required by law.

8. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access: you can request a copy of the personal data we hold about you
  • Right to rectification: you can request that we correct inaccurate data
  • Right to erasure: you can request deletion of your data (subject to legal retention requirements)
  • Right to restrict processing: you can ask us to limit how we use your data
  • Right to portability: you can request your data in a structured, machine-readable format
  • Right to object: you can object to our processing of your data
  • Right to withdraw consent: you can withdraw consent at any time (though this will not affect processing already completed)

To exercise any of these rights, please contact hello@glp1direct.co.uk with full details of your request. We will respond within 30 days (or up to 3 months for complex requests).

9. Cookies

For information about how we use cookies, please see our Cookie Policy (link available in the footer).

10. Contact and Complaints

If you have questions about this privacy policy or how we process your data, please contact hello@glp1direct.co.uk. If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can contact the ICO at www.ico.org.uk or by calling 0303 123 1113.