The Qufora Group operates globally. For UK residents prescribed Qufora products through the NHS, the data controller is Qufora Ltd (Company Number: SC384441), located at Euro House, Satellite Park, Macmerry, East Lothian, EH33 1RW (“Qufora UK“) and this privacy policy sets out how Qufora UK uses your personal data.
At Qufora UK, we take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
Please use the contact details at the bottom of the page to contact us with any questions regarding our privacy policy.
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (“UK GDPR“) and Data Protection Act 2018 (“DPA 2018“) and other related data protection laws that apply in the UK, (together “Data Protection Legislation“).
It would be helpful to start by explaining some key terms used in this policy:
| Term | Definition |
|---|---|
|
We, us, our |
Qufora UK |
|
myqufora |
The support service providing personalised care and guidance with Qufora products, overseen by dedicated Qufora Nurses and operated by Qufora UK. |
|
personal data |
Any information relating to an identified or identifiable individual |
|
special category data |
Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, Genetic data, biometric data (where used for identification purposes), data concerning health, sex life or sexual orientation |
|
data subject |
The individual who the personal data relates to |
|
EEA |
European Economic Area |
|
HCP |
Healthcare Professional (this will include any doctor or nurse involved in your healthcare) |
|
Qufora Nurses |
A qualified healthcare professional licensed with the Nursing and Midwifery Council to provide medical care and support to patients and employed by Qufora to oversee delivery of our patient support services |
This Privacy Policy was updated in September 2025. We may update it from time to time, so we recommend that you check back here occasionally. If we make changes we think may affect you significantly, we’ll draw your attention to those changes.
The personal data we collect about you depends on the particular products and services we provide to you. We use your data for different purposes, and we have split this section up so it is clear what our reason for collecting each category of data is. We will collect and use the following personal data about you:
| Purposes we collect and use your information for | Categories of personal data that we process about you (including special category data) | The legal basis we rely on to process this |
|---|---|---|
|
To register you for myqufora: When your HCP registers you with myqufora, we use personal data from your order to register you for ongoing patient care through the myqufora support service. |
This may include:
|
We rely on the legal basis of “legitimate interests” as outlined in Article 6(1)(f) of the UK GDPR. We have a legitimate interest in collecting this information to register you for our service and to deliver effective support to you.
For the processing of health-related data, we rely on article 9 (2) (h) of the UK GDPR. This allows us to process health data for the provision the provision of health care, or the management of health care systems and services. |
|
Childrens Data: If we know a data subject is under the age of 16, communications concerning their patient care will not be sent directly to them. These communications will be directed to their parent or guardian, unless we have received consent from the parent or guardian to communicate directly with the data subject. |
This may include:
|
We rely on the legal basis of “legitimate interests” as outlined in Article 6(1)(f) of the UK GDPR. We have a legitimate interest in using this information to effectively deliver our support services to you.
For the processing of health-related data, we rely on article 9 (2) (h) of the UK GDPR. The allows us to process health data for the provision the provision of health care, or the management of health care systems and services. |
|
For myqufora Support Services: We process personal data about you in order to support you with using our products and providing you with personalised ongoing patient care, product training and general support. This includes being in contact with you to provide personalised care from our Qufora Nurses and product support specialists, including product reviews and communication with your healthcare professional to the extent required for providing you with the appropriate patient care support. |
This may include:
|
We rely on the legal basis of “legitimate interests” as outlined in Article 6(1)(f) of the UK GDPR. We have a legitimate interest in using this information to effectively deliver our support services to you.
For the processing of health-related data, we rely on article 9 (2) (h) of the UK GDPR. The allows us to process health data for the provision the provision of health care, or the management of health care systems and services. |
|
Legal Purposes: We may process your personal data when required by law, for instance where we need to exercise our legal rights or address any legal claim. |
This may include
|
We rely on the legal basis of “legitimate interests” as outlined in Article 6(1)(f) of the UK GDPR. We require this information to defend ourselves effectively against any legal claims.
We may use personal data where required to comply with a legal obligation, under Article 6(1)(c) of the UK GDPR. For the processing of the health data for the purpose of defending claims, we rely on Article 9(2)(f) of the UK GDPR. This allows us to process health data for the establishment, exercise, or defence of legal claims, ensuring that we can adequately protect our legal rights. |
|
Research Purposes: we may process personal data in a pseudonymised form, which is then anonymised before being used to improve and develop new products and services, as well as to conduct general scientific research aimed at enhancing our products. This data is always anonymised prior to its use for research purposes. Once anonymised, we use this data to improve our products and services, including staff training, and to monitor and address product complaints and issues.
Pseudonymised data may be shared with our Danish group entity, Qufora A/S (CVR Number 29 41 11 66) and registered address at Gydevang 28-30 3450 Allerød Denmark) for this purpose. Any data shared with other Qufora group entities will be anonymised. |
This may include:
|
For the initial processing of your personal data in a pseudonymised form, we rely on the legal basis of “legitimate interests” as outlined in Article 6(1)(f) of the UK GDPR. We have a legitimate interest in using this information to effectively develop our products and services and improve the quality of care provided to you.
The process of anonymising data is a form of processing that requires a lawful basis. Once data is anonymised, it ceases to be identifiable and is no longer considered personal data under the UK GDPR. For research activities, we always anonymise your data first. For the activity of anonymising, (specifically when it involves your health data), we determine the scientific research we carry out to be in the public interest. We rely on Article 9(2)(j) of the UK GDPR and the DPA 2018, Schedule 1, Part 1 (4), ensuring that the processing is carried out with appropriate safeguards for protection of data subject’s information. We may occasionally undertake research for the purposes of product development and may from time to time invite you to take part in a survey for this purpose. Completion of surveys is entirely optional and your consent will be requested before you submit any personal data to a survey. |
|
To contact healthcare professionals we work with: we process personal data about healthcare professionals that we work with in order to contact them about our products and provide them information on the services we offer in supporting patients care |
This may include:
|
We rely on the legal basis of “legitimate interests” as outlined in Article 6(1)(f) of the UK GDPR. Our legitimate interests include using this information to efficiently provide our services, ensuring our marketing efforts are relevant to healthcare professionals, and helping grow our business.
Healthcare professionals can choose to opt-out of receiving marketing communications from us at any point. To do so, please contact us using the details provided in Section 14, ‘How to Contact Us’. |
We collect and use this personal data for the purposes described in the table above. If you do not provide personal data we ask for, it may delay or prevent us from providing products and services to you.
Cookies are small text files stored on your device when you access our website through your browser. We use cookies to enhance your experience and improve your interactions with our website. Some cookies may collect personal data, such as your IP address or browsing behaviour. For more information about the categories of cookies we use (including third-party cookies) and how to manage your cookie preferences, please refer to our Cookie Policy.
We will retain your personal data for as long as necessary to fulfil the purposes for which it is used.
In general, the maximum time we will retain your personal data is ten years, unless applicable laws or regulations requires us to retain it for a longer period of time.
We collect personal data from the following sources:
To distribute prescriptions of our Qufora UK products, we use our wholly owned subsidiary, Rapidcare (company number: 08440010), an NHS licensed Dispensing Appliance Contractor (“DAC“) (operating as “Qufora Direct“). Qufora Direct, as a separate data controller, processes your personal data to fulfil your prescription order in line with its DAC obligations and complies with Data Protection Legislation. The Qufora Direct privacy policy can be found here.
When your HCP registers you for Qufora products and you choose to receive myqufora follow-up support, Qufora Direct shares your personal data with us in order for the myqufora support team to provide ongoing patient care and support.
The personal data shared includes your registration details, order information, and health data necessary for the myqufora team to deliver the support services. Qufora Direct will also update us with repeat order details to keep your prescription information current. We have implemented appropriate security measures with Qufora Direct to safeguard patient personal data when shared.
Qufora Direct, may contact you to remind you of your next prescription if you opted in to this reminder service during the initial welcome call. If you wish to stop receiving communications from Qufora Direct about repeat prescriptions, you can either tell Qufora Direct or contact Qufora UK using the contact details below and we will update your communication preferences with Qufora Direct.
If you choose to stop receiving the myqufora support at any time, this will not affect the provision of your Qufora Direct services, but it will not be possible for you to receive the myqufora support.
For further enquiries on data sharing between Qufora UK and Qufora Direct, please see the ‘How to contact us’ at section 14.
In addition to the data sharing with Qufora Direct, we share your personal information with third parties that provide services on our behalf. We always take steps to ensure these third parties give your information the same level of care and security we do. If your information is to be sent outside of the UK or EEA, we make sure it will be subject to standards of protection and security that are as high as those here in the UK.
Examples of the functions that may be carried out by external companies:
We have appropriate security measures to prevent personal data from being lost accidentally, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality. We continually test our systems and are ISO 27001 certified, which means we follow top industry standards for information security.
We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Your personal data is stored safely and securely within the UK and EEA. Should there be a need to transfer your personal data outside the UK and/or EEA, we will conduct a review of the processes, procedures, and data storage solutions of the party we transfer it to. We will ensure your data receives adequate protection when transferred outside of the UK and/or EEA, including implementing contractual safeguards where required by data protection laws.
You have certain rights with respect to your personal data, including those set out in the table below. To submit a request to exercise any of these rights, or to ask for more information, please email us at: dpo.uk@qufora.com
Some of the rights below apply only in specific circumstances. In other situations, we may not be able to fully comply with your request, for example if it would be impossible or would involve a disproportionate effort; or if it jeopardises the rights of others; but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include personal data, if necessary to verify your identity and the nature of your request.
| Your Right | What this means for you |
|---|---|
|
Access |
The right to be provided with a copy of your personal data |
|
Rectification |
The right to require us to correct any mistakes in your personal data |
|
Erasure (also known as the right to be forgotten) |
The right to require us to delete your personal data in certain situations |
|
Restriction of processing |
The right to require us to restrict processing of your personal data in certain circumstances, eg if you contest the accuracy of the data |
|
Data portability |
The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations |
|
To object |
You can contact us to let us know that you object to the further use or disclosure of your personal data for certain purposes, such as for direct marketing purposes. |
|
Not to be subject to automated individual decision making |
The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
|
The right to withdraw consent |
Where we rely on your consent as our lawful basis for processing, you have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn. |
For more information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below at section 14) or see the Guidance from the UK Information Commissioner’s Office (ICO)
If you would like to exercise any of those rights, please:
Please contact us if you have any queries or concerns about our use of your personal data (see below ‘How to contact us’ at section 14). We hope we will be able to resolve any issues you may have. You may also have the right to lodge a complaint with the Information Commissioner (the UK data protection regulator). Please contact us if you would like further information.
We take reasonable steps to ensure your personal data remains accurate and up to date. To help us with this, please let us know if any of the personal data you have provided to us has changed, eg your surname or address – see below ‘How to contact us’ at section 14.
You can contact us email if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.
Our contact details are shown below:
© 2025 Qufora Ltd. All Rights Reserved.
