Privacy Policy

Last updated: 7 April 2026

Summary: We do not handle patient data. We process practice-level NHS prescribing data (already publicly available from NHSBSA) and standard account information you provide. We do not sell your data. Ever.

1. Who Is the Data Controller?

RxInsights is operated by RxInsights Ltd. For the purposes of UK GDPR, RxInsights Ltd is the data controller for personal data processed through the platform.

Contact: info@rxinsights.co.uk

2. What Data We Collect

Account Data

When you register, we collect:

  • Name and email address
  • Practice name and ODS code
  • Password (stored as a secure hash — never in plain text)
  • Subscription tier and billing contact information

Prescribing Data

We import prescribing data from NHSBSA on your behalf (EPD / PDPI) or accept CSV uploads from you. This data is:

  • Practice-level aggregate data only — no patient names, DOBs, or identifiers
  • Already publicly available from NHSBSA for practices in England
  • Used solely to generate your analytics

Usage Data

We collect standard web access logs and application usage events (page views, feature usage) to improve the platform and diagnose issues. This data is not shared with third-party analytics services.

Cookies

We use session cookies for authentication (required for the service to function). We do not use tracking or advertising cookies.

3. Cookies

RxInsights uses only essential cookies that are strictly necessary for the service to function. Specifically:

  • Supabase session cookie — maintains your authenticated session so you stay logged in between page loads. This cookie is set when you sign in and removed when you sign out or it expires.
  • Cookie consent preference — a localStorage flag that remembers you have acknowledged this notice, so we don’t show it again.

What we do not use

  • No analytics or tracking cookies (no Google Analytics, no Meta Pixel, etc.).
  • No third-party advertising or remarketing cookies.
  • No cross-site tracking of any kind.

Because we use only strictly necessary cookies, consent is not legally required under PECR Regulation 6. We display a notice for transparency nonetheless.

4. What We Do Not Collect

  • No patient names, NHS numbers, dates of birth, or addresses.
  • No clinical records or special category health data.
  • No payment card data (handled entirely by Stripe).

5. Legal Basis for Processing

  • Contract performance — processing your account and prescribing data to provide the service you signed up for (UK GDPR Art. 6(1)(b)).
  • Legitimate interests — service improvement, security monitoring, and fraud prevention (UK GDPR Art. 6(1)(f)).
  • Legal obligation — retaining financial records as required by HMRC (UK GDPR Art. 6(1)(c)).

6. How We Use Your Data

  • To authenticate your account and enforce practice-level data isolation.
  • To calculate and display your prescribing analytics, profit estimates, and alerts.
  • To send transactional emails (password reset, billing receipts, new data availability alerts) — we do not send marketing emails without your consent.
  • To maintain audit logs for security and dispute resolution.

7. Who We Share Data With

We do not sell your data. We share only with the following processors:

  • Supabase — database hosting (EU-based option selected; data processed under EU SCCs).
  • Vercel — application hosting (US-based; subject to EU SCCs / DPA).
  • Stripe — payment processing (your card details go directly to Stripe; we receive only a token).
  • Resend — transactional email delivery.

All processors operate under data processing agreements that meet UK GDPR requirements.

8. Data Retention

  • Account and prescribing data: retained while your subscription is active and for 90 days after cancellation, then deleted.
  • Financial records (invoices, payment history): retained for 7 years as required by HMRC.
  • Server logs: retained for 90 days.

9. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention requirements).
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email info@rxinsights.co.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

10. Security

We take security seriously. Measures include:

  • All data encrypted in transit (TLS 1.2+) and at rest.
  • Passwords hashed using bcrypt.
  • Row-level security in the database — each practice can only access its own data.
  • Access to production systems restricted to authorised personnel only.

If you believe there has been a security breach affecting your data, please email info@rxinsights.co.uk immediately.

11. Changes to This Policy

We will notify you by email before making material changes to this policy. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact

Data protection queries: info@rxinsights.co.uk