Privacy & Cookies Notice
Last updated: 25th August 2025
About this notice
This notice explains what data we collect, how we use it, who’s responsible for it, and your rights. It applies when you use Script Assist in the British Islands (the United Kingdom, the Channel Islands and the Isle of Man).
Read this with our App Terms or, if you order prescribed medicines for dispensing/delivery through Script Assist via Phlo Technologies Ltd, our Orders Terms. For software topics, the EULA governs.
1) Who we are
Script Assist is provided by Sana Life Science Ltd (trading as Script Assist). Contact: privacy@scriptassist.co.uk
Who’s responsible for your data
It depends on the data and the service you use.
- Care data (your medical information). Your Clinic/Pharmacy or Prescriber is the controller. We handle this data on their behalf as a processor.
- Platform data (accounts, security and logs). Script Assist is the controller so we can run and protect the service.
- Orders & fulfilment (non-clinical). The party that runs fulfilment (typically the Dispensing Pharmacy or your Clinic/Pharmacy) is the controller for those records. Where we mirror order status updates, we act as a processor.
- Payments. We process payment and transaction information needed to take and reconcile payments. The Merchant of Record (the party shown at checkout) is the controller for payment records. Where Script Assist is the Merchant of Record for certain orders, we control our payment records. Card and Open Banking providers are separate controllers.
For Care data, your care provider’s own privacy information is definitive. Where our agreement with them allocates responsibilities differently, that allocation applies and we act accordingly.
What data we use
Note on examples. Example fields are illustrative. We may not collect every example for every user or journey.
1) Enquiries & feedback (non-support)
Data we collect (examples): name, contact details, your message, survey answers.
Purpose: respond to you and improve our services.
Lawful basis: legitimate interests.
Who’s responsible: Script Assist (controller).
Retention: for as long as needed to handle your enquiry or feedback and for a short period afterwards.
2) Accounts & access (Platform data)
Data we collect (examples): account identifiers, authentication and security events, device/OS and app version, IP and time zone, audit logs, optional professional profile.
Purpose: register and administer accounts, authenticate access, apply permissions, protect the service, show professional profiles if enabled.
Lawful basis: contract / steps before contract; legitimate interests.
Who’s responsible: Script Assist (controller).
Retention: for as long as needed to run and secure accounts and the service.
3) Using the app for care (Care data)
Data we collect (examples): clinical intake, consultation notes, diagnoses, treatment plans, prescriptions, appointments, uploaded clinical documents, GP details, required clinical fields, symptom tracking used in care.
Purpose: host and route Care data for your care provider.
Lawful basis: determined by your care provider (see Health data & lawful bases).
Who’s responsible: your Clinic/Pharmacy or Prescriber (controller); Script Assist acts on their behalf as processor.
Retention: set by your care provider’s policies and law.
4) Orders & fulfilment (non-clinical)
Data we collect (examples): routing details to send a prescription to a pharmacy available in the App; non-clinical order lifecycle data (IDs, timestamps, statuses, pricing/taxes/charges; fulfilment method); delivery details and courier events.
Purpose: manage order progress and delivery.
Lawful basis: contract and/or legitimate interests (as applicable to the fulfilment controller).
Who’s responsible: the party that runs fulfilment (typically the Dispensing Pharmacy or your Clinic/Pharmacy). Script Assist may act as processor where we mirror status updates.
Retention: set by the fulfilment controller and applicable law.
5) Payments (cards and Open Banking)
Data we collect (examples): payment and transaction information needed to take and reconcile payments (for example identifiers, provider references, amount/currency, outcome, timestamps). We do not store full card numbers or CVV.
Purpose: take payments, reconcile transactions, meet tax/accounting duties, manage chargebacks/fraud.
Lawful basis: contract / legal obligation / legitimate interests.
Who’s responsible: the Merchant of Record shown at checkout controls payment records. Where Script Assist is the Merchant of Record for certain orders, we control our payment records. Card and Open Banking providers are separate controllers.
Retention: as required by law and to handle chargebacks/fraud prevention.
6) Product ratings
Data we collect (examples): star ratings.
Purpose: display aggregates and improve quality.
Lawful basis: legitimate interests.
Who’s responsible: Script Assist (controller).
Retention: for as long as needed to show ratings and improve quality.
7) Cookies, analytics and similar technologies
We may use cookies on the website and, in the app, similar technologies (for example analytics tools or pixels/SDKs).
Essential tools run only to provide sign-in, security and core features.
Non-essential tools (for example analytics or marketing measurement) only run if you consent. We will ask before enabling them, and you can change or withdraw consent at any time.
See the live Cookie & SDK List for the current tools and purposes.
We update that list from time to time.
8) Sharing your data
We share data only as needed:
- Care providers and pharmacies: your Clinic/Pharmacy, Prescriber and Dispensing Pharmacy (each independent controllers for their records).
- Suppliers: hosting, support, security, analytics, payments/Open Banking, and couriers—under contracts requiring appropriate safeguards.
- Legal and regulatory: if required by law or to establish, exercise or defend legal claims; to prevent fraud or crime.
- Corporate group/transactions: where necessary to provide/support services, or if we reorganise—subject to appropriate protections.
9) International transfers & safeguards
Primary hosting is in the United Kingdom. Some support/engineering access may occur from outside the UK (including India). When that happens, we use UK-approved safeguards (for example, the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) plus appropriate technical and organisational measures.
See our live Sub-processor List for each provider’s name, role, country/region, transfer basis and a short summary of controls.
10) Health data & lawful bases (special-category)
Much of the Care data above is health data. Controllers must meet an Article 6 basis and an Article 9 condition. Controllers commonly rely on Art. 9(2)(h) with Art. 6(1)(b)/(c)/(e) as applicable; Art. 9(2)(i)/(g) where relevant; and Art. 9(2)(f) for legal claims. Script Assist does not decide the lawful basis for Care data because we are not its controller. Erasure may be limited where medical/dispensing records must be kept by law.
11) Your choices & rights
You can: access your data; correct it; delete it (in some cases); object to or restrict processing; and ask for portability. You can object to direct marketing at any time.
When erasure doesn’t apply. Some records can’t be deleted where the law requires retention (for example medical/dispensing and certain accounting records).
- Care records: your Clinic/Pharmacy or Prescriber (controller).
- Payment records: the Merchant of Record shown at checkout.
- Data we control (for example, accounts/security logs and, where applicable, our payment records when we are Merchant of Record): privacy@scriptassist.co.uk.
12) Who to contact
- Care data: your Clinic/Pharmacy or Prescriber.
- Dispensing records: the Dispensing Pharmacy.
- Payment records: the Merchant of Record shown at checkout.
- Data we control (for example, accounts/security logs and, where applicable, our payment records when we are Merchant of Record; ratings): privacy@scriptassist.co.uk.
We may ask for ID information. We aim to respond within one month (we may extend by up to two months for complex requests). You can complain to the Information Commissioner’s Office (ICO) at any time.
13) Children
Use by under-18s is enabled only where your Clinic/Pharmacy or Prescriber confirms appropriate consent/authority and configures access.
14) Updates to this notice
We may update this notice. We will date-stamp the latest version and may highlight changes in-app, on our website, by push notification or by email. If we plan to use personal data for a new purpose or in a materially different way, we will provide the information required by law before that further processing.