This Web “Service” is provided for by 2ML
2ML and “Data” Protection
This policy applies to all websites that we own, operate or provide and to all “Services” we provide, including our Online Repeats Service and in addition all bespoke online applications developed on behalf of our customers but maintained by 2ML.
To make it easy for you to understand, unless otherwise stated we’ll just call everything we do our “Services”.
When we refer to “we” (or “our” or “us”), we refer to 2ML Ltd operating under any of its Trading names which include “2ML”, “2MLCloud”, “2MLPharmacare”, “2 Minute Learning” and “2ML Online Repeats”.
When we say “Data” we mean information about you which is personal, such as your name, email, address, telephone number, bank account details (if you are a paying customer), payment information, patient information (if you are an online repeats user),support queries, subscription details, web pages you may have visited. The exact type of personal “Data” we collect will be dependant on which of our “Services” you use and how you use them.
For residents of the EU, our Policy is provided in accordance with the requirements of EU General Data Protection Regulation (GDPR) as defined May 2018.
For European Union GDPR purposes 2ML acts as a Data Controller for the “Services” we provide directly to end users and we also act as a Data Processor for “Services” we have developed and which we maintain for our customers who now operate or provide these “Services” to their own end users. These clients or customers are separate legal entities to 2ML from a “Data” Protection perspective and act as Data Controllers in their own right and will have their own “Data” protection policies in place.
The principles we use to guide us in our approach to “Data” Protection are the same guiding principles we use to direct our approach to business in general and are built upon the following core values.
- Openness …………… our ethos is to be open, honest and transparent in all our business dealings.
- Responsibility …………. we acknowledge the responsibility we have to protect the interests of all the people whose lives we “touch” as we conduct our business affairs. Put simply we treat others as we would like to be treated ourselves.
- Awareness ……………. we recognise that “online” can be a dangerous space and we take both our own security and the security of those who engage with us “online” very seriously. In security terms nothing surprises us and we take nothing for granted.
- Fairness ………….. in everything we do and to everyone with whom we engage.
Who is 2ML
2ML.Ltd is a small technology business incorporated in 2008 and based in Northern Ireland (presently within the EU and part of the UK). Our Company is registered with Companies House (Reg No NI 069530) and our registered address is 7 Lisburn Street Hillsborough Co Down N.Ireland BT26 6AB.
We are registered with the United Kingdom Information Commissioner and our “Data” Protection Registration details are :
Organisation name: 2ML LTD – Registration reference: Z2212884
What 2ML do
2ML specialise in the Retail Pharmacy sector and provide websites and online “Services” such as our Online Repeats Service to our Pharmacy customers primarily across the UK and Ireland.
Additionally we provide bespoke websites to our customers outside the Retail Pharmacy sector and develop and maintain high quality bespoke online software applications.
Whilst we are considered a micro business entity, 2ML conduct our business affairs globally with business partners in many different countries made possible by our innovative use of Cloud based technologies.
We trade as :
- 2MLPharmacare – providing Website and online “Services” to Retail Pharmacies
- 2ML Online Repeats – allowing Pharmacies and their Customers manage repeats medications online
- 2minutelearning – building online e-learning courses
- 2MLCloud – developing & maintaining bespoke websites and cloud based software applications and providing consultancy “Services”
Why 2ML collect “Data” & how we process it
2ML only ever collect and process personal “Data” where there is a legal basis for us to do so and for one of the following reasons (the Why)
- We have legitimate business interests to process personal “Data” and where our interest to process is not overridden by your individual rights
- In order to perform a contract with you
- Where we have a legal obligation to process the “Data”, to exercise or to defend legal claims, or to assist in criminal investigations of a crime
- Where necessary in the public interest
- With your consent
The way we collect “Data” broadly falls into three categories (the How)
- “Data” you provide to us during some form of direct contact between ourselves
- “Data” we collect automatically when you use our “Services”
- “Data” from third party sources which is available publically or which we get from third parties
“Data” you provide to us
We draw your attention to the following examples of this category of “Data”
- Information that you volunteer to us so that you can use one of the “Services” we provide
- Information you provide when you subscribe as a customer to one or more of our “Services”
- Information you give us so we can provide you with information about our “Services”.
- Information in support of potential or actual employment
- Information when you contact us with questions or request support
………… and of course this list of examples is not exhaustive, there will be other examples during the legitimate course of our business where we will be provided with “Data” on a voluntary basis.
“Data” we collect automatically
When we collect “Data” automatically this “Data” is collected by using cookies and similar tracking technologies, and is collected when you visit or use our “Services” online.
The following are examples of this category of “Data”
- When an email is opened or read
- Visitor’s ip addresses and device types
- Pages visited, when they were visited and for how long
Typically this “Data” is not personally identifiable but if you have voluntarily provided us with particular forms of personal information we may be able to directly associate this online activity to you.
For example if at your request we email you information about our “Services” and you then click links within the email that are tracked, we will know the email has been received as intended, opened and which links have been clicked by you.
You can configure your browser to reject cookies and disable tracking technology, or reject cookies when using our “Services” but doing so may result in a reduced user experience when accessing our “Services” and in some cases may prevent you from using the service at all.
“Data” from third party sources
2ML use “Data” from third party sources to supplement or enhance our understanding of other existing “Data”.
- You may have already supplied us with your address and we may use Map vendors to show us your location on a map, involving the use of map coordinates.
- You may provide us with your postcode and from that “Data” by using Postcode mapping vendors we can determine your street address or your general location
- You may provide us with your email address and using an email verifying service we can verify that we have correctly notated the email address and that it is a valid address
- We may use search engines to identify businesses of a particular type in a specific location
- We may use “Data” published on websites or publically available on social media accounts
- We may use publicly available professional registers to establish your personal registration details
- We may use credit reference agencies
The “Data” we process includes
- All the “Data” (aforementioned) that we collect in the legitimate course of our business and in addition
- “Data” we process but which is collected by those customers acting in their own right as Data Controllers or Data Controllers in common when using 2ML subscription “Services” or operating “bespoke “Services”” which are maintained by 2ML
“Data” collected by third parties & how they process it
2ML may at times embed content from third parties into web pages within some of the “Services” we offer and the third party may collect “Data” when you visit one of these embedded pages.
This type of “Data” broadly falls into two categories
- “Data” you provide to the third party during some form of direct contact between you and the third party
- “Data” collected automatically by the third party when you visit a page which has their content embedded within it.
“Data” you provide to the third party
- You may fill and submit an online form – for example a customer survey
- You may download and return a form – for example a job application
2ML do not collect or process this type of third party “Data”. It will be clear from the form (should you submit or return it) it who the third party is and you must contact the third party “Data” Controller directly when exercising your rights in respect of this “Data”
“Data” collected automatically by the third party
- You may visit a page with embedded social media content and as a result a “cookie” may be downloaded with the purpose of collecting “Data”
- You may visit a page with embedded health information and as a result a “cookie” may be downloaded with the purpose of collecting “Data”
If you do not agree you must not use the “Service”
How 2ML use the “Data” we collect
2ML use the information we hold to assist us when we operate, improve, secure, understand, tailor, support, develop, market or sell the “Services” we provide.
Primarily we use personal “Data” to operate the “Services” we provide and to manage our relationship with subscribing customers.
Additionally we may use personal “Data” when we communicate directly with existing or potential customers, provide or respond to requests for information, give support to users of our “Services”, request feedback, analyse web traffic, conduct market research, market our “Services”.
How 2ML Share and Transfer “Data”
When we refer to “sharing “Data”” we mean giving Third Party access to “Data” we collect or process.
We will never share “Data” with organisations seeking to market third party “Services” directly to you. No one welcomes spam or other unauthorised contact and therefore we will never sell or rent your “Data” to third parties for such purposes, and we will only share it with a third party for the legitimate business purposes described in this policy.
We may share “Data” with Third party service providers where they support delivery of or otherwise provide functionality for users of our “Services”, or to market or promote our goods and “Services” to you and in such cases only with your consent. All Third party service providers are contractually required under their terms and conditions to only use the “Data” they process on our behalf to provide their service to us, and are contractually prohibited from using it for any other purposes.
We may share “Data” in connection with parties involved in any business reorganisation or restructuring such as a sale, merger or acquisition of all or part of our business. You will be kept fully informed of any business reorganisation and you will be entitled to (within your rights) to request that your “Data” is deleted after any such business reorganisation.
We may share “Data” where it is reasonably necessary to; respond to a legal request or comply with a statutory or legal obligation; facilitate ourselves or a third party when detecting, preventing or investigating illegal activity; mitigate the adverse effects of security or technical issues; protect our intellectual rights or property or to protect our commercial rights.
We may share aggregated “Data” which has been compiled from individual “Data” sets (after any personal “Data” has been obfuscated), with Government Agencies and Third Parties we do business with.
When we refer to “transferring “Data”” we mean sending or processing “Data” in a country outside of the United Kingdom or outside the jurisdiction of the European Union.
2ML will always where possible process “Data” within Data Centers located in the European Economic Area (EEA).
Where, for legitimate business purposes, “Data” is transferred and processed outside the EEA, it will only be transferred to countries that have been identified by the EU as providing adequate protection for EEA “Data” and in accordance with EU “Data” protection law or to a third party which is Privacy Shield certified (for transfers to US-based third parties).
2ML will never transfer personal “Data” other than permitted by law, and will take all appropriate steps intended to ensure all “Data” is fully protected whilst being processed outside of the EEA.
Your Rights and Options
If you don’t have a direct relationship with us, but believe that a 2ML subscriber to one of our “Services” has entered your personal “Data” into one of our “Services”, for example the 2ML Online Repeats service, you will need to contact the subscriber (Pharmacy) for any questions you have about your personal “Data” including any request to delete your personal “Data”.
For “Data” that 2ML controls you have rights, for example to
Know what personal “Data” we hold about you
Ensure “Data” is accurate
Request a copy of personal “Data”
Restrict what “Data” we process and the way we process it
Delete your “Data”
The full rights you are entitled to are regulated and defined by the GDPR Regulations.
We aim to action any reasonable request concerning the personal “Data” we hold about you within a reasonable timeframe not exceeding 30 days.
As a technology company we can best ensure a prompt response to a request when the request is made by email to firstname.lastname@example.org.
As an environmentally aware business we only fulfil “Data” information requests in an electronic format.
Most of the “Data” we hold is based upon legitimate interests for holding the “Data”, for legal reasons or in the public interest however you can still object to this processing in certain circumstances. Unless we have compelling legitimate grounds to continue processing we shall cease processing at your request.
Where we hold your “Data” for direct marketing purposes, you can remove consent by using the unsubscribe link in such communications or changing your account settings.
After making a “Data” Protection request of us, if you believe we have not actioned your reasonable request in a appropriate manner please advise us by email explaining how you feel we could have acted differently or better served your needs, and we will investigate your complaint accordingly.
If you feel we have not responded to your request or have not handled your “Data” in accordance with GDPR Regulations, you can make a formal complaint to the Information Commissioner, whose contact details along with advice on how to voice your concern can be found on the Information Commissioner’s Office Website here.
The length of time we keep your “Data” in our server logs, our Databases, our records and within the third party “Services” we use to administer our business or which are essential to the provision of our “Services”, depends on what the “Data” is and whether we have an ongoing business requirement to retain it.
If we don’t have a legitimate business reason to retain your “Data” we will destroy or delete it as soon as it is no longer required.
If we have a legitimate business reason to retain your “Data” such as legal, accounting or for other statutory requirements, we are compelled to retain the “Data” beyond our business relationship, until such times as we are no longer required to do so, at which point we will make sure the “Data” is destroyed or deleted.
Security of all the “Data” we collect and process, both your “Data” and our own “Data” is an absolute priority for 2ML.
For obvious security reasons we cannot detail the technical and organisational measures we have in place to protect the “Data” but in general terms we widely use the following measures
- Physical Security (Intruder detection, cameras, high security locks)
- “Data” Encryption
- Complex Encrypted Passwords
- Restricted Password Distribution
- Logins restricted by IP
- Intrusion Detection
- 2 Factor Authentication
- Forced HTTPS
Whilst it is our responsibility to protect the integrity of our overall systems, users accessing our “Services” remain responsible for the security of their individual accounts. Please ensure that you keep your password safe, that it is unique and not used on any other online application and do not share it with anyone.
For “Data” protection purposes, where we hold your “Data” as a result of a direct relationship with you we can only fulfill “Data” protection requests originating from an email address that is linked to your account with us.
For “Data” protection purposes, where we hold your “Data” but where there is no direct relationship with you we can only fulfill “Data” protection requests once we are able to verify the identity of the person making the request. Dependant upon the “Data” requested we will take reasonable steps to validate the legitimacy of the request including asking for proof of identity to be provided to us before we release any “Data” or provide details of any “Data” held.
These security policies are necessarily in place to prevent impersonation resulting in a “Data” breach.
When you use our “Services” you may come across links to websites and services operated by other organisations. These third parties have their own privacy policies, which will apply to you when you click on the link and access their website or service.
We cannot accept responsibility or liability for such external sites’ privacy and security practices.
We may need to update this policy on occasions. Where a change is material, we’ll make sure we let you know in a manner appropriate to the particular “Service” you are using.
It’s always good to talk. If you have a question or comment to make regarding this notice or any of the “Services” we provide, please get in touch.
As a technology company, email is best for us as this ensures that you’re put in contact with the right person, first time.
Please get in touch at email@example.com for Privacy or “Data” Protection issues.
For all other enquiries firstname.lastname@example.org .