๐Ÿ“ 250 Stockport Road, Timperley, Altrincham
Altrincham Travel Clinic

Privacy Policy

Last updated: 14 June 2026

This Privacy Policy explains how we collect, use, store and protect your personal information when you visit our website, contact us, book an appointment, or receive care from our travel clinic and pharmacy. It also tells you about your rights under data protection law and how to exercise them. Please read it carefully. If anything is unclear, you are welcome to contact us using the details in section 1.

This policy works alongside our Terms and Conditions. It covers our website at https://altrinchamtravelclinic.co.uk and the clinical and pharmacy services we provide.

1. Who we are: the data controller and how to contact us

The "data controller" is the organisation responsible for deciding how and why your personal data is used. For the purposes of UK data protection law, the data controller is:

  • U-Chem Private Limited, trading as Altrincham Travel Clinic.
  • We operate the registered pharmacy Timperley Late Night Pharmacy (NHS/ODS code FJJ51).
  • Premises and registered pharmacy address: 250 Stockport Road, Timperley, Altrincham, Greater Manchester, WA15 7UN, United Kingdom.
  • Registered office address: 250 Stockport Road, Timperley, Altrincham, Greater Manchester, WA15 7UN, United Kingdom (the same as the premises address above).
  • Company registration number: 07955115 (registered in England and Wales).
  • Phone: +44 161 948 5066
  • Email: info@altrinchamtravelclinic.co.uk
  • Website: https://altrinchamtravelclinic.co.uk

If you have any questions about this policy, about how we use your personal data, or if you want to exercise any of your rights, please contact us using the details above and mark your enquiry for the attention of the Superintendent Pharmacist (data protection). As a single small company we are not required to appoint a Data Protection Officer, but the Superintendent Pharmacist is our named contact point for all data protection matters.

Our regulator

We are regulated by the General Pharmaceutical Council (GPhC), the independent regulator for pharmacy in Great Britain.

  • GPhC pharmacy (premises) registration number: 1118728
  • Superintendent Pharmacist: Muhammad Adnan, GPhC registration number 2073652

You can verify our registration on the GPhC register at https://www.pharmacyregulation.org/registers.

2. What personal data we collect

Depending on how you interact with us, we may collect the following categories of personal data.

Identity and contact data: your name, date of birth, home address, telephone number and email address.

Appointment and booking data: details of the appointments you book, the service requested, your communications with us, and your booking history.

Health data (special category data): information about your health that we need to provide safe care. This includes your travel itinerary and travel history, medical history, allergies, current medications, previous and current vaccinations, vaccines we administer, consultation and clinical notes, yellow fever vaccination records and International Certificate of Vaccination or Prophylaxis (ICVP) details, and fitness-to-travel information. Health data is treated as a "special category" of personal data under data protection law and attracts extra legal protection. We explain how we are allowed to use it in sections 4 and 5.

Payment data: information needed to take and record payment for private services. Card payments are handled through our payment provider; we do not store full card numbers.

Corporate and occupational clinic data: where an employer arranges and pays for a group clinic (for example, workplace flu or travel vaccination), we may receive limited employee details from the employer for booking and billing, while the clinical record remains confidential to the individual.

Website and technical data: when you use our website we may collect your IP address, device and browser information, cookie identifiers, and analytics data about how you use the site. See section 8 for more detail on cookies.

AI chat assistant messages: our website offers an AI travel-health assistant for general information only. If you use it, the questions you type and the answers given may be retained for a limited period for quality and safety review by our pharmacy team (see section 9). The chat asks you not to enter personal details such as your name, contact information or medical history; conversations are not stored with your identity or IP address, and email addresses and long numbers are automatically removed before anything is retained. The assistant does not provide personal medical advice, and nothing you type into it forms part of any clinical record.

3. The purposes for which we use your personal data

We use your personal data for the following purposes:

  • providing travel health risk assessments and clinical consultations;
  • supplying and administering vaccines and prescription-only medicines (POMs), including under a Patient Group Direction (PGD) or private prescription following a clinical assessment;
  • providing yellow fever vaccination and issuing the International Certificate of Vaccination or Prophylaxis (ICVP);
  • supplying antimalarial medicines and providing our other private services, including vitamin B12 injections, period delay, altitude sickness tablets, travellers' diarrhoea kits, needle-phobia/oral options, university and occupational vaccines, and Hajj and Umrah packages;
  • providing general community pharmacy services through Timperley Late Night Pharmacy;
  • managing your bookings and taking payment;
  • arranging and administering corporate and occupational clinics that are billed to an employer;
  • keeping accurate clinical and safety records and meeting our clinical governance responsibilities;
  • meeting our legal, regulatory and professional indemnity obligations;
  • operating, securing and improving our website, including basic analytics;
  • operating our website's AI travel-health chat assistant and reviewing its conversations for quality and safety; and
  • sending you marketing communications where you have agreed to receive them.

4. Our lawful basis under Article 6 of the UK GDPR

Data protection law requires us to have a "lawful basis" for using your personal data. The basis we rely on depends on the purpose:

  • Performance of a contract โ€” Article 6(1)(b): to administer your booking and to take and process payment for the private service you have asked us to provide. The clinical assessment, treatment and the keeping of clinical records do not rest on contract; they rest on our legal obligations under Article 6(1)(c) and the health-care condition in Article 9(2)(h) explained in section 5.
  • Legal obligation โ€” Article 6(1)(c): to comply with medicines law, mandatory clinical record-keeping requirements, and tax and accounting obligations.
  • Legitimate interests โ€” Article 6(1)(f): for the day-to-day administration of the clinic, the security of our website, defending or bringing legal claims, and basic service-improvement analytics. Our legitimate interests here are running our clinic safely and efficiently, protecting our systems and patients, protecting our legal position, and understanding how our website is used so we can improve it. We balance these interests against your rights and only rely on this basis where it does not override your interests.
  • Consent โ€” Article 6(1)(a): for optional processing such as marketing communications, and the basis we would rely on for non-essential cookies once a consent mechanism is in place (see section 8).

The Data (Use and Access) Act 2025 introduced a separate "recognised legitimate interests" basis. We are not required to rely on it and do not currently do so.

5. Our condition for processing health (special category) data under Article 9

Because health data is a special category, we must also satisfy a condition under Article 9 of the UK GDPR. For the routine clinical care we provide, we rely primarily on:

  • Article 9(2)(h) โ€” provision of health care and treatment and the management of health-care services. This processing is carried out by, or under the responsibility of, a health professional (the pharmacist) who is subject to the obligation of professional secrecy. This is paired with the corresponding condition in the Data Protection Act 2018, Schedule 1, Part 1, paragraph 2 (health or social care purposes) and the confidentiality safeguard in Article 9(3) of the UK GDPR and sections 10โ€“11 of the Data Protection Act 2018.

In addition, we rely on the following conditions where appropriate:

  • Article 9(2)(a) โ€” explicit consent: for certain optional services or where we share your health data in circumstances that call for your explicit agreement.
  • Article 9(2)(c) โ€” vital interests: where processing is necessary to protect someone's life in an emergency, for example where they cannot give consent.
  • Article 9(2)(f) โ€” legal claims: where processing is necessary to establish, exercise or defend legal claims.

We do not rely on consent as the main basis for routine clinical record-keeping. This is important: it means that withdrawing consent does not require us to delete clinical records that we are legally and professionally obliged to keep (see section 9).

6. Our common-law duty of confidentiality

In addition to data protection law, we and our pharmacists owe you a common-law duty of confidentiality and follow the GPhC's standards and guidance on confidentiality. This means we will only use or disclose information you give us in confidence with your consent, or where there is a clear legal basis or an overriding public interest in doing so. This duty is separate from, and additional to, our obligations under the UK GDPR. You can read more about the GPhC's standards at https://www.pharmacyregulation.org.

7. Who we share your data with

We do not sell your personal data. We share it only where necessary, and we put appropriate contracts in place with the suppliers ("processors") who handle data on our behalf.

Suppliers who process data on our behalf

  • Semble (online-booking.semble.io) โ€” our online appointment-booking and clinical record-management system. Semble is a UK-based clinical software provider that stores booking and clinical records.
  • Card payment provider โ€” if you pay by card for a private service, your card payment is processed through our card payment provider; we do not store full card numbers.
  • Google Analytics 4 (measurement ID G-VJNTRHZ1NT) โ€” website analytics; sets analytics cookies. Provided by Google.
  • Google Ads conversion tracking (ID AW-931180410) โ€” measures booking-page conversions from our advertising; sets advertising cookies. Provided by Google.
  • Google Maps โ€” an embedded map on our contact page; provided by Google. It sets cookies when the map loads.
  • Web3Forms (api.web3forms.com) โ€” delivers submissions from our website contact form to us by email.
  • Resend โ€” a transactional email delivery service used for sending certain emails.
  • Anthropic (api.anthropic.com) โ€” the AI provider that generates the answers in our website chat assistant. Messages typed into the chat are sent to Anthropic to produce a reply, and are handled under Anthropic's commercial API data-protection terms.
  • Netlify, Inc. โ€” our website hosting provider, which also stores retained chat-assistant conversations for the review period described in section 9. Netlify Identity is used only for staff and content-management (CMS) administrator access; it is not used by patients.

Our website fonts are self-hosted at build time (using Next.js next/font); the site does not call Google Fonts at runtime.

Other recipients

We may also disclose information, where appropriate and lawful, to:

  • NHS bodies and other clinicians involved in your care;
  • any professional indemnity insurer and our legal advisers (where applicable), where needed to obtain advice or to handle a claim;
  • our regulators, including the GPhC and the Information Commissioner's Office (ICO); and
  • other authorities, courts or agencies where we are required or permitted by law to do so.

8. Cookies and similar technologies

Cookies are small files placed on your device when you visit a website. We use the following categories of cookies and similar technologies:

  • Strictly necessary cookies: needed for the website to function and to keep it secure, such as those required for hosting and security. These do not require your consent.
  • Analytics cookies: set by Google Analytics 4 to understand how visitors use the site.
  • Advertising/conversion cookies: set by Google Ads to measure conversions from our advertising.
  • Embedded content cookies: set by the Google Maps map embedded on our contact page when that map loads.

Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), non-essential cookies โ€” which here means the analytics, advertising and Google Maps cookies โ€” require your prior, informed consent, and consent is the lawful basis we would rely on for them.

Please note, in the interests of honesty: our website does not currently display a cookie-consent banner, and the analytics, advertising and Google Maps cookies described above currently load when you visit the relevant pages. We are not claiming that we obtain your prior consent for these cookies at present. We are working to introduce a compliant consent mechanism.

In the meantime, the most reliable way to control or block these cookies is through your browser settings. Most browsers let you refuse or delete cookies and warn you before one is set; the "Help" function of your browser will explain how. Blocking some cookies may affect how parts of the site work. Google also offers a browser add-on relating to Google Analytics at https://tools.google.com/dlpage/gaoptout, although it does not cover all versions of Google Analytics, so we recommend relying on your browser controls. For general information about cookies and your choices, see the ICO's guidance at https://ico.org.uk/for-the-public/online/cookies/.

9. How long we keep your data (retention)

We keep personal data only for as long as necessary. For clinical and health records, the periods below are the minimums set by the NHS Records Management Code of Practice and supported by pharmacy and professional indemnity guidance. We may keep records longer where there is a lawful reason to do so, for example an ongoing or potential legal claim.

  • Clinical and health records โ€” adults: retained for at least 8 years after the last entry or last patient contact. This covers consultation, vaccination, PGD and patient-specific records.
  • Clinical and health records โ€” children and young people: retained until the patient's 25th birthday, or until their 26th birthday if the young person was 17 when treatment ended, or for 8 years after death if that is sooner.
  • Financial and tax records: retained for approximately 6 years, in line with HMRC requirements.
  • Non-clinical and administrative data (such as booking administration, marketing consent records, and website/analytics data): kept only for as long as necessary for the purpose and then deleted or anonymised.
  • AI chat assistant conversations: retained for up to 90 days for quality and safety review, then deleted automatically.

You can find the NHS Records Management Code of Practice at https://digital.nhs.uk/data-and-information/information-governance/guidance/records-management-code-of-practice.

10. How we protect your information

We take the security of your personal data seriously, particularly your health information. We use appropriate technical and organisational measures to protect it, including:

  • a duty of confidentiality on all our pharmacists and staff, supported by training and the GPhC's confidentiality standards;
  • use of a secure clinical records system (Semble) to hold booking and clinical records;
  • access to personal data restricted on a need-to-know basis to those involved in your care or in running the service;
  • encryption of personal data in transit (for example, when it travels over the internet); and
  • procedures to identify, contain and investigate any personal-data breach.

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will report it to the Information Commissioner's Office (ICO) without undue delay where required, and we will tell you if the breach is likely to result in a high risk to you.

11. International transfers and safeguards

Some of our suppliers are headquartered outside the UK. In particular, Google, Netlify and Resend are US-headquartered, so some personal data may be transferred to or processed outside the United Kingdom. Semble and Web3Forms process data to support our booking, records and contact-form services; where any processing takes place outside the UK, the same safeguards described below apply.

Where personal data is transferred outside the UK, we rely on appropriate safeguards under Chapter V of the UK GDPR. These may include transfers to countries covered by UK adequacy regulations, transfers made under the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or other appropriate safeguards permitted by law. You can ask us for more detail, or a copy of the relevant safeguard, using the contact details in section 1. You can read more about international transfers in the ICO's guidance at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/.

12. Children and young people

We provide services to children and young people (for example, travel, university and occupational vaccinations, and family Hajj and Umrah packages), so we sometimes process their personal and health data.

Online services. Under UK data protection law, a child can give their own consent to "information-society services" (such as online services offered directly to them) from the age of 13. Where a child under 13 needs to provide personal data through our website, we expect a parent or guardian to do so or to give consent on the child's behalf.

Clinical care of under-16s. Before we assess, vaccinate or treat a child, we obtain consent from a person with parental responsibility, or we rely on the child's own consent where they are assessed by the pharmacist as having sufficient understanding to make the decision (sometimes called "Gillick competence"). A parent or guardian is normally involved in booking and in the consultation.

Extra care. We treat children's data with particular care, and the enhanced retention rules for children and young people set out in section 9 apply to their clinical records.

13. Your data protection rights

Under UK data protection law you have the following rights, which you can exercise free of charge and which we will normally respond to within one month:

  • The right to be informed about how we use your data โ€” which is the purpose of this policy.
  • The right of access โ€” to request a copy of the personal data we hold about you (a "subject access request").
  • The right to rectification โ€” to have inaccurate data corrected and incomplete data completed.
  • The right to erasure ("the right to be forgotten") โ€” to ask us to delete your data, subject to the limits explained below.
  • The right to restrict processing โ€” to ask us to limit how we use your data in certain circumstances.
  • The right to data portability โ€” to receive certain data you have provided in a portable format, where this right applies.
  • The right to object โ€” including an absolute right to object to direct marketing at any time, and a right to object to processing based on our legitimate interests.
  • Rights related to automated decision-making and profiling โ€” see section 15.
  • The right to withdraw consent at any time, where we rely on consent. Withdrawing consent does not affect the lawfulness of processing carried out before you withdrew it.

Important limits for clinical records: the rights to erasure and to data portability do not apply without limit to your clinical and health records. We are required by medicines law, the NHS Records Management Code of Practice retention minimums (section 9) and our professional indemnity duties to retain these records, so we may not be able to delete or port them on request. We will always explain our reasons if we cannot fully meet a request.

To exercise any of these rights, please contact us using the details in section 1.

14. Your right to complain

If you are unhappy with how we have handled your personal data, we would like the chance to put it right, so please contact us first using the details in section 1. Under the Data (Use and Access) Act 2025 you have a right to complain directly to us, and we have a duty to facilitate and respond to your complaint. You can make a data-protection complaint to the Superintendent Pharmacist (data protection) using the contact details in section 1. We will acknowledge your complaint within 30 days and respond without undue delay.

You also have the right to complain to the data protection regulator. The regulator is the Information Commissioner's Office (ICO), which is being renamed the Information Commission under the Data (Use and Access) Act 2025 but continues to operate as the ICO. You can contact the ICO at:

Complaining to us first does not affect your right to complain to the ICO.

15. Source of data, automated decisions, and whether you must provide data

Where your data comes from. We usually collect personal data directly from you. In some cases we receive it from someone else โ€” for example, from an employer who arranges and pays for a corporate or occupational clinic (we may receive employee identity and contact details for booking and billing), or from a referring clinician. The categories of data we receive from these sources are identity, contact, appointment and, where relevant, limited clinical information needed to provide the service safely.

Whether you have to provide your data. Providing certain personal data โ€” particularly your identity, contact and relevant health information โ€” is necessary for us to enter into and perform our contract with you and to meet our legal obligations under medicines law. If you do not provide the information we need, we may not be able to safely assess, vaccinate or treat you, or to issue documents such as the ICVP.

Automated decision-making. We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. Tools on our website, such as the yellow fever certificate checker, provide information to help you and our clinicians, but they do not make clinical decisions about you. All clinical decisions are made by a qualified pharmacist.

16. ICO registration and the data protection fee

As required by law, we are registered with the ICO and pay the annual data protection fee under the Data Protection (Charges and Information) Regulations 2018. Our ICO registration number is 00014387152. The fee is set in tiers based on an organisation's size and turnover; a small pharmacy of our size typically falls within the lower tiers. Fee amounts may change, so please check the current figures on the ICO's website. You can read more about the fee at https://ico.org.uk/for-organisations/data-protection-fee/.

17. Changes to this policy

We may update this policy from time to time to reflect changes in our services, technology or the law. When we do, we will revise the "Last updated" date at the top of this page. Please check back periodically.

18. How to contact us

For any privacy question, to exercise your rights, or to raise a concern, please contact the Superintendent Pharmacist (data protection) at U-Chem Private Limited, 250 Stockport Road, Timperley, Altrincham, Greater Manchester, WA15 7UN, by phone on +44 161 948 5066, or by email at info@altrinchamtravelclinic.co.uk. You can also reach us via our contact page.