At Lyphe Dispensary we aim to be your one-stop-shop for managing your medical cannabis prescriptions. We take pride in the quality of our prescription service and our ability to source and supply medical cannabis products to meet your prescription requirements, quickly and affordably. Our high business standards extend to our privacy practices and the safeguarding of your personal information.
This policy describes the information we collect, or you shared with us when you visit our website (regardless of where you visit it from) or use our platform and services to manage your medical cannabis prescriptions, as well as how that data is used, stored and safeguarded, and your choices regarding this information.
This policy outlines how we at Lyphe Dispensary collect and process your personal information through your use of our website (the “Website”), as well as the platform we use to manage your medical cannabis prescriptions, and such other services associated with the management and supply of prescribed medical cannabis (collectively the “Services”), including any data you may provide to us when you create an account, register to use our prescription management services (whether as a Patient, Carer or Doctor), manage your prescriptions through us, or interact with us in any way.
Our Website and Services are intended for use by patients, carers and doctors and only by those over the age of 18; we do not knowingly collect data relating to children.
It is important that you read this privacy policy together with any other policy on data processing or other notices we may provide on specific occasions so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.
Total Health Midlands Ltd trading as Lyphe Dispensary (“Lyphe Dispensary”, “we”, “us” or “our”) is the ‘data controller’ of the processing of your personal information as described in this policy. As the data controller, we decide why and how your personal information is processed and are responsible to you for that processing under data protection laws.
Our details are as follows:
We have appointed Kieron Heath who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us using the details set out below.
By email at: hello@dispensarygreen.com
We are regulated by the Information Commissioner’s Office (“ICO”) and you have the right to make a complaint at any time to them. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. When you leave our website, we encourage you to read the privacy policy of every website you visit, connect with, or are referred to.
We have set out below the personal information about you we may collect, use, store and transfer when you interact with us through Lyphe Dispensary. Personal information means any information from which we can identify you, it does not include information we collected on an anonymous basis.
We also collect, use and share aggregated data about you. This includes statistical or demographic data, which could be derived from your personal information but is not considered personal information in its own right as, on its own, it cannot be linked to you or reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature. We may also use software to analyse your Usage Data and Technical Data in order to improve our Website and our Services. However, if we combine or connect Aggregated Data with your personal information so that it can be linked to you or can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this privacy policy.
Our Services do involve the collection of certain types of information which we treat particularly sensitively. We refer to this information as “Special Category Data” and it includes:
We have implemented additional safeguards with regard to the collection, use and storage of this data.
How your information is collected
We use different methods to collect data from and about you including through:
Direct interactions. You may give us your Identity, Contact, Financial, Medical & Prescription, Profile, Marketing and Communications Data by interacting with us through our website or Services, filling in forms or completing our registration process, or by corresponding with us. If you are a Carer or Doctor, this will also extend to information about your Patients.
This includes personal information you provide when you:
When using the Services. Through your use of our Services, we will collect, process and store your Medical & Prescription Data, Usage Data and Transaction Data, specifically:
Automated technologies or interactions. As you interact with both our Website and Services, we automatically collect various information about you, such as the device you use when you interact with us, browsing actions and patterns. We collect this personal information by using cookies, server logs and other similar technologies.
Third parties including publicly available sources. We will receive personal information about you from various third parties as set out below:
We collect, process, store and disclose personal information for a variety of different reasons, but in all cases only to the extent the law allows us to.
Data protection laws require that organisations processing personal information set out the specific legal reason (known as the ‘lawful basis’s) on which they rely to process that information.
We rely on the following lawful bases for processing your personal information:
Special Category Data
For certain types of information identified in this policy as Special Category Data, we rely on the following lawful bases:
Summary of how and why we use your information
We have summarised below the various ways we use your personal information and our lawful basis for doing so.
Purpose / Activity |
Type of data |
Lawful basis for processing including basis of legitimate interest |
To register your account for our Services |
(a) Identity |
Performance of a contract |
To verify your identity and, in the case of doctors, to verify your credentials and those of your clinic of GP practice. |
(a) Identity |
Your Explicit Consent and, additionally, in relation to doctors, |
To manage and process your prescriptions |
(a) Identity |
(a) Performance of a contract |
To facilitate and process your orders and the delivery of your prescriptions: |
(a) Identity |
(a) Performance of a contract |
Where you are using our Services to manage prescriptions on behalf of a patient, either as a Carer or Doctor |
(a) Identity |
(a) Performance of a contract |
To manage our relationship with you which will include: |
(a) Identity |
(a) Performance of a contract |
To enable you to participate in a survey or to obtain feedback from you |
(a) Identity |
(a) Performance of a contract |
To administer and protect our business, our network and your data (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
(a) Identity |
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) |
To deliver relevant content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you |
(a) Identity |
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
To use data analytics to improve our products and Services, our website, as well as our marketing, customer relationships and user experiences |
(a) Technical |
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
To make suggestions and recommendations to you about goods or services that may be of interest to you |
(a) Identity |
Necessary for our legitimate interests (to develop our products/services and grow our business) |
Cookies come in a variety of forms but are essentially small data files used to collect and store information about you. We use them on our website for a variety of different functions:
The majority of these cookies are linked to your browser session (session cookies) and disappear once you close your browser. Others remain on your device for a longer period (persistent cookies).
For further information about the cookies we use, please see our Cookie Policy.
We use social media platforms in a variety of different ways, including by publishing pages through which you can interact, running competitions or advertising to you using information you have provide those platforms or which has been provided by us or collected from our website. Our legal relationship with each platform will vary with the particular way we are using that platform.
We process your personal information using social media platforms as follows:
Information we send using social media cookies
We also use cookies and similar technologies to collect and send information to Facebook (who operates the Facebook and Instagram platforms), LinkedIn and Twitter about actions you take on our website or through our Services. In particular:
Our relationship with Facebook, LinkedIn and Twitter. As we are joint controllers with these platforms for certain processing, we and each platform have:
Facebook, LinkedIn and Twitter may also process, as our processors, personal information that we submit for the purposes of matching, online targeting, measurement, reporting and analytics purposes. These services include the processing these platforms carry out when they display our advertisements to you in your news feed at our request after matching contact details for you that we have uploaded to them. These advertisements may include forms through which we collect contact information you give to us.
Further information. The Facebook company that is a joint controller of your personal information is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The LinkedIn company that is a joint controller of your personal information is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. For further information regarding these platforms and their use of your personal information, please see:
We share the information we collect or that is provided to us as follows:
Sharing with our Group Company
Lyphe Dispensary is part of the Lyphe Group, a UK-based provider of patient-focused medical cannabis solutions (our “Group Company”).
We share the information we collect and process about you with our Group Company for a variety of reasons. In particular:
Sharing with our Partners
We may share your personal information with the organisations listed below for the purposes we have identified above:
If you are a Patient, we also share your personal information with Carers and Doctors, as necessary, to fulfil prescription orders.
Sharing with our Suppliers
External Third Parties, who help us provide our Services. Currently, we use the following trusted Partners:
Recipient / relationship to us |
Industry sector (and sub-sector) |
Advertising, PR, digital and creative agencies |
Media (Advertising & PR) |
Banks, payment processors and financial services providers |
Finance (Banking & Payment Processing) |
CCTV administration and monitoring service providers |
Surveillance (CCTV) |
Cloud software system providers, including database, email and document management providers |
IT (Cloud Services) |
Customer care/services providers |
Customer Services (Support) |
Delivery and mailing services providers |
Logistics (Delivery Service) |
Facilities and technology service providers including scanning and data destruction providers |
IT (Data Management) |
Social media platforms |
Media (social media) |
Gift card service providers |
Customer Services (Support) |
Health and safety claims administrators and consultants |
Health & Safety (Claims) |
Insurers and insurance brokers |
Insurance (Underwriting & Broking) |
Legal, security and other professional advisers and consultants |
Professional Services (Legal & Accounting) |
Market and customer research providers |
Media (Market Research) |
Website and data analytics platform providers |
IT (Data Analytics) |
Website and App developers |
IT (Software Development) |
Website hosting services providers |
IT (Hosting) |
WIFI and other communication service providers |
IT (Telecommunications) |
International Transfers
Some of the information you provide to us may be transferred to countries outside the UK and European Economic Area (“EEA”). These countries may not have similar data protection laws to the UK and EEA.
Where we transfer your information outside of the UK and EEA in this way, we take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected in the ways required by data protection law as outlined in this policy. These steps include imposing contractual obligations on the recipient of your personal information. Please contact us using the details at the end of this policy for more information about the protections that we put in place and to obtain a copy or access to the relevant documents.
If you use our Services whilst you are outside the UK and EEA, your information may be transferred outside the UK and EEA in order to provide you with those services.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
As a general rule we retain your personal information for 7 years from the date our relationship with you ends, however we apply shorter/longer retention periods for the following information:
In some circumstances you can ask us to delete your data by contacting us.
In some circumstances we will anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
You have a number of rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to verify your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 1 month after we have received this information or, where no such information is required, after we have received full details of your request.
You can enforce your rights by contacting us, or in most cases, by deleting your account and/or by ending your use of our website, products or Services.
You have the following rights, some of which may only apply in certain circumstances:
To find out more about each of your rights, please click the ✓ icon next to each right above. To exercise these rights, please contact us using the details at the end of this policy.
You have the right to lodge a complaint with the UK data protection regulator. The contact details for the ICO, the data protection regulator in the UK, are available on the ICO website, where your personal information has or is being used in a way that you believe does not comply with data, however, we encourage you to contact us before making any complaint and we will seek to resolve any issues or concerns you may have.
As we further enhance our Website, our Services and your user experience, we may make changes to this policy from time to time. If we make any major changes, or any changes which directly affect the services provided to you or the data collected or processed by us, we will notify you of those changes directly. For all other changes and enhancements, we will notify you by posting an updated version on our website. However, we encourage you to periodically review this policy for the most up to date version.