Last updated: 5 May 2025
1. Who we are
VaxiBook (“we”, “us”, “our”) provides an online appointment‑booking and patient‑relationship management platform used by independent pharmacies and vaccination clinics in the United Kingdom. Our registered office is in the United Kingdom and we host all production data in UK data centres.
For data‑protection purposes we act as Data Controller for visitors to vaxibook.co.uk and as Joint Controller with each pharmacy that uses our platform for patient bookings. The pharmacy you book with remains primarily responsible for the clinical record it creates in your name.
Our appointed Data Protection Officer (DPO) is Michael Azer. You can reach the DPO at mike@alphahealthtech.co.uk.
2. Scope of this policy
This policy explains:
- what personal data we collect and why;
- our legal bases under the UK GDPR and Data Protection Act 2018;
- who we share data with;
- how long we keep it;
- your rights and how to exercise them;
- how to contact us or complain to the Information Commissioner’s Office (ICO).
3. The data we collect
Category | Examples | Purpose |
---|---|---|
Identification & contact | Name, postal address, email, phone number, date of birth | To create and manage your account, confirm bookings, send reminders, and issue electronic receipts |
Appointment details | Chosen service, appointment time, pharmacy name & branch, staff member | To schedule, reschedule, and manage appointments |
Health & consultation information (special‑category data) | Travel history, vaccination history, medical history, allergies, prescriptions, consultation notes (varies by pharmacy) | To enable pharmacies to provide safe clinical services and meet legal obligations |
Payment information | Last four digits of card, payment reference, billing postcode (handled by Stripe) | To process payments for private services where applicable |
Technical data & cookies | IP address, browser type, device ID, referring URL, interaction logs, cookie identifiers | To secure our platform, remember session preferences, and analyse site traffic |
Cookies & analytics
We use essential cookies for platform security and a Google Analytics cookie to understand how visitors use the public site. Our full Cookie Notice (linked in the site footer) lists each cookie name, purpose, and expiry.
4. How and why we use your data
Purpose | Lawful basis (UK GDPR) |
---|---|
Allow you to register, book or amend appointments, and store a personal history of bookings | Article 6(1)(b) Contract – processing is necessary to deliver the service you request |
Send appointment confirmations, reminders and follow‑up messages by email (Brevo) or SMS (Twilio) | Article 6(1)(b) Contract; for health‑related safety messages also Article 9(2)(h) (health care provision) |
Process card payments via Stripe | Article 6(1)(b) Contract |
Maintain clinical notes, prescriptions, and mandatory vaccination records | Article 9(2)(h) (provision of health care) & applicable NHS regulations |
Prevent fraud, secure our systems, and maintain logs | Article 6(1)(f) Legitimate interests |
Analyse aggregated, anonymised usage statistics | Article 6(1)(f) Legitimate interests |
Where we rely on legitimate interests, we have conducted a balancing test to ensure your interests and rights do not override our interests.
5. Who we share your data with
We share data only as needed to run the platform:
Recipient | Role | Safeguards |
---|---|---|
Hosting provider (UK) | Stores platform databases and uploaded files | UK location – no international transfer |
Brevo | Sends transactional emails | Data processed in EU/US under SCCs |
Twilio (from 2025) | Sends SMS reminders | Data processed in EU/US under SCCs |
Stripe Payments Europe | Processes card payments; we do not store full card details | PCI‑DSS compliant; SCCs for any US transfer |
Google Analytics | Aggregated website analytics | IP anonymisation; SCCs for any US transfer |
Your chosen pharmacy | Receives booking and health details necessary to provide the service | Joint Controller under UK GDPR |
We never sell personal data.
6. International data transfers
Where service providers are based outside the UK (e.g. Brevo, Twilio, Google, Stripe), we rely on the UK Addendum to the EU Standard Contractual Clauses (SCCs) and, where relevant, provider certifications under valid transfer mechanisms to ensure equivalent protection.
7. Data retention
Data set | Retention period |
---|---|
Booking & contact details | 8 years after your last appointment (aligns with NHS vaccination record guidance) |
Clinical consultation records | Same as above, unless a pharmacy’s professional‑body rules require longer |
Payment records | 7 years for statutory tax/accounting purposes |
Email/SMS logs | 2 years |
Analytics & technical logs | 26 months (Google Analytics default) |
If you delete your account, we anonymise or delete personal data unless we must keep it for legal claims or statutory reporting.
8. Your rights
Under the UK GDPR you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request erasure (‘right to be forgotten’) in certain circumstances;
- object to or restrict processing;
- receive your data in a structured, machine‑readable format (data portability);
- withdraw consent where processing is based on consent (e.g. marketing emails).
To exercise any right, email privacy@vaxibook.co.uk or contact your pharmacy directly for clinical records. We will respond within one calendar month.
9. Security
We implement technical and organisational measures, including:
- TLS encryption for all data in transit;
- at‑rest encryption of databases and file storage;
- role‑based access controls with MFA for staff and pharmacy users;
- daily encrypted backups stored in a separate UK data centre;
- annual penetration testing and vendor security reviews.
10. Children’s data
Our platform may be used by parents or legal guardians to book vaccinations for children. We do not knowingly allow children under 13 to create their own accounts. All bookings for minors must be made by an adult with parental responsibility.
11. Changes to this policy
If we make material changes we will notify account holders by email and post the updated policy on this page with a new revision date.
12. Contact & complaints
Questions about this policy or our data‑handling practices? Email privacy@vaxibook.co.uk or write to Michael Azer (DPO) at the address above.
If you are unhappy with our response, you can complain to the Information Commissioner’s Office (ICO): ico.org.uk | Tel 0303 123 1113.
© 2025 VaxiBook. All rights reserved.