Last updated: 27 January 2026
1. Who we are
VaxiBook (“we”, “us”, “our”) provides an online appointment‑booking and patient‑relationship management platform used by independent pharmacies and vaccination clinics in the United Kingdom. Our registered office is in the United Kingdom and we host all production data in UK data centres.
For data‑protection purposes we act as Data Controller for visitors to vaxibook.co.uk and as Joint Controller with each pharmacy that uses our platform for patient bookings. The pharmacy you book with remains primarily responsible for the clinical record it creates in your name.
Our appointed Data Protection Officer (DPO) is Michael Azer. You can reach the DPO at mike@alphahealthtech.co.uk.
2. Scope of this policy
This policy explains:
- what personal data we collect and why;
- our legal bases under the UK GDPR and Data Protection Act 2018;
- who we share data with;
- how long we keep it;
- your rights and how to exercise them;
- how to contact us or complain to the Information Commissioner’s Office (ICO).
3. The data we collect
| Category | Examples | Purpose |
|---|---|---|
| Identification & contact | Name, postal address, email, phone number, date of birth | To create and manage your account, confirm bookings, send reminders, and issue electronic receipts |
| Appointment details | Chosen service, appointment time, pharmacy name & branch, staff member | To schedule, reschedule, and manage appointments |
| Health & consultation information (special‑category data) | Travel history, vaccination history, medical history, allergies, prescriptions, consultation notes (varies by pharmacy) | To enable pharmacies to provide safe clinical services and meet legal obligations |
| Payment information | Last four digits of card, payment reference, billing postcode (handled by Stripe) | To process payments for private services where applicable |
| Technical data & cookies | IP address, browser type, device ID, referring URL, interaction logs, cookie identifiers | To secure our platform, remember session preferences, and analyse site traffic |
Cookies & analytics
We use essential cookies for platform security and a Google Analytics cookie to understand how visitors use the public site. Our full Cookie Notice (linked in the site footer) lists each cookie name, purpose, and expiry.
4. How and why we use your data
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Allow you to register, book or amend appointments, and store a personal history of bookings | Article 6(1)(b) Contract – processing is necessary to deliver the service you request |
| Send appointment confirmations, reminders and follow‑up messages by email (Brevo) or SMS (Twilio) | Article 6(1)(b) Contract; for health‑related safety messages also Article 9(2)(h) (health care provision) |
| Process card payments via Stripe | Article 6(1)(b) Contract |
| Maintain clinical notes, prescriptions, and mandatory vaccination records | Article 9(2)(h) (provision of health care) & applicable NHS regulations |
| Prevent fraud, secure our systems, and maintain logs | Article 6(1)(f) Legitimate interests |
| Analyse aggregated, anonymised usage statistics | Article 6(1)(f) Legitimate interests |
| Create Google Calendar events and Google Meet links for pharmacy staff when bookings are confirmed (requires pharmacy to connect their Google account) | Article 6(1)(b) Contract – necessary to deliver the booking management service to pharmacy clients |
Where we rely on legitimate interests, we have conducted a balancing test to ensure your interests and rights do not override our interests.
5. Who we share your data with
We share data only as needed to run the platform:
| Recipient | Role | Safeguards |
|---|---|---|
| Hosting provider (UK) | Stores platform databases and uploaded files | UK location – no international transfer |
| Brevo | Sends transactional emails | Data processed in EU/US under SCCs |
| Twilio (from 2025) | Sends SMS reminders | Data processed in EU/US under SCCs |
| Stripe Payments Europe | Processes card payments; we do not store full card details | PCI‑DSS compliant; SCCs for any US transfer |
| Google Analytics | Aggregated website analytics | IP anonymisation; SCCs for any US transfer |
| Google Calendar API | When a pharmacy connects its Google account, VaxiBook creates calendar events for confirmed bookings on the pharmacy staff’s Google Calendar; for video‑consultation services a Google Meet link is also generated | OAuth 2.0 with explicit pharmacy staff consent; access and refresh tokens stored encrypted in our UK database; only the pharmacy’s own calendar is accessed; no patient Google account data is accessed |
| Your chosen pharmacy | Receives booking and health details necessary to provide the service | Joint Controller under UK GDPR |
We never sell personal data.
6. International data transfers
Where service providers are based outside the UK (e.g. Brevo, Twilio, Google, Stripe), we rely on the UK Addendum to the EU Standard Contractual Clauses (SCCs) and, where relevant, provider certifications under valid transfer mechanisms to ensure equivalent protection.
7. Data retention
| Data set | Retention period |
|---|---|
| Booking & contact details | 8 years after your last appointment (aligns with NHS vaccination record guidance) |
| Clinical consultation records | Same as above, unless a pharmacy’s professional‑body rules require longer |
| Payment records | 7 years for statutory tax/accounting purposes |
| Email/SMS logs | 2 years |
| Analytics & technical logs | 26 months (Google Analytics default) |
If you delete your account, we anonymise or delete personal data unless we must keep it for legal claims or statutory reporting.
8. Your rights
Under the UK GDPR you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request erasure (‘right to be forgotten’) in certain circumstances;
- object to or restrict processing;
- data portability (receive data in a structured, machine‑readable format);
- withdraw consent where processing is based on consent (e.g. marketing emails).
To exercise any right, email privacy@vaxibook.co.uk or contact your pharmacy directly for clinical records. We will respond within one calendar month.
9. Security
We implement technical and organisational measures, including:
- TLS encryption for all data in transit;
- at‑rest encryption of databases and file storage;
- role‑based access controls with MFA for staff and pharmacy users;
- daily encrypted backups stored in a separate UK data centre;
- annual penetration testing and vendor security reviews.
10. Children’s data
Our platform may be used by parents or legal guardians to book vaccinations for children. We do not knowingly allow children under 13 to create their own accounts. All bookings for minors must be made by an adult with parental responsibility.
11. Changes to this policy
If we make material changes we will notify account holders by email and post the updated policy on this page with a new revision date.
12. Contact & complaints
Questions about this policy or our data‑handling practices? Email privacy@vaxibook.co.uk or contact Michael Azer (DPO) using the DPO contact details given in section 1.
If you are unhappy with our response, you can complain to the Information Commissioner’s Office (ICO): ico.org.uk | Tel 0303 123 1113.
13. Google API Services – Limited Use Disclosure
VaxiBook uses Google API Services to allow pharmacy staff to connect their Google account and synchronise confirmed bookings to their Google Calendar. For video-consultation services, a Google Meet conference link is also generated via the Google Calendar API.
Scopes requested:
- https://www.googleapis.com/auth/calendar – to create, read and manage calendar events on the connected pharmacy staff member’s Google Calendar.
- https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email – to identify the connected Google account and display the account name and email on the integration settings page.
How we use data obtained from Google APIs:
- We create calendar events containing the pharmacy name, service name, and appointment date/time on the pharmacy staff member’s primary Google Calendar.
- We store the Google account name, email address, OAuth access token, and refresh token in our encrypted UK database solely to maintain the calendar integration.
- We do not access, store or share any other data from the connected Google account (e.g. existing calendar events, contacts, or email).
- We do not use Google user data for advertising, data mining, or any purpose unrelated to providing the VaxiBook booking service.
- Pharmacy staff may disconnect their Google account at any time from the VaxiBook integrations page, which revokes our access and deletes stored tokens.
VaxiBook’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
© 2025 VaxiBook. All rights reserved.