Legal
Privacy Policy
How we collect, use, and protect your personal information.
Chobham Pharmacy · Last updated: 30 April 2026
- Who We Are
Chobham Pharmacy is a trading name of FitPharm Limited, a family-owned independent community pharmacy located at 32 Chertsey Rd, Chobham, Woking, GU24 8PQ. We provide NHS pharmaceutical services and a comprehensive range of private healthcare services including earwax removal, private consultations, weight management, aesthetics, travel vaccinations, blood tests, men’s and women’s health services, minor surgical procedures, and joint and soft-tissue injections.
For the purposes of UK data protection law, FitPharm Limited (trading as Chobham Pharmacy) is the data controller responsible for your personal data collected through this website (www.chobhampharmacy.co.uk).
Registered Company Details
Registered name: FitPharm Limited
Registered address: 2nd Floor Grove House, 55 Lowlands Road, Harrow, HA1 3AW
ICO Registration Number: ZC094800
Contact Us
Address: 32 Chertsey Rd, Chobham, Woking, GU24 8PQ
Email: [email protected]
If you have any questions about this policy or how we handle your data, please contact us using the details above.
- What Personal Data We Collect
2.1 Contact Form
When you send us a message via the contact form on our website, we collect:
• First name and last name
• Email address
• Subject of your enquiry
• The content of your message
2.2 Appointment Booking
When you book an appointment through our online booking system (powered by Wisebee), we collect:
• Name and email address
• The service you are booking
• Your preferred date and time
• Any additional health or clinical information you provide relevant to your appointment
2.3 Health and Clinical Information (Special Category Data)
Because we are a healthcare provider, some of the personal data we handle is classified as special category data under UK GDPR — specifically, health data. This includes information you share with us when:
• Booking or attending a private consultation
• Enquiring about or receiving weight management support
• Booking or attending for earwax removal
• Booking or receiving aesthetic treatments (e.g. anti-wrinkle injections or dermal fillers)
• Requesting travel vaccinations or receiving travel health advice
• Undergoing blood tests or receiving results
• Accessing men’s or women’s health services
• Booking or attending for a minor surgical procedure
• Receiving joint or soft-tissue injections
• Requesting NHS prescription dispensing or delivery
We handle this data with the highest level of care and only process it to the extent necessary to provide you with safe, appropriate clinical care.
2.4 Website Usage Data (Cookies and Analytics)
When you visit our website, we automatically collect certain technical information through cookies and analytics tools, including:
• Your IP address (anonymised where possible)
• Browser type and version
• Device type and operating system
• Pages visited and time spent on each page
• Referring website or search terms used to find us
This is collected via Google Tag Manager and Google Analytics. Please see Section 6 (Cookies) for more detail.
2.5 reCAPTCHA
Our contact form uses Google reCAPTCHA to help prevent automated spam submissions. This collects interaction data (such as mouse movements and timing) to assess whether a submission is made by a human. This data is processed by Google in accordance with their privacy policy.
2.6 Payment Information
When you make a payment for a product or service, your financial data is processed securely by our third-party payment provider (Stripe). We do not store your full card details on our systems.
The financial data processed during a transaction may include:
• Cardholder name
• Billing address
• Card type and last four digits (retained for reference purposes only)
• Transaction amount and date
All payment processing is handled in accordance with Payment Card Industry Data Security Standards (PCI DSS) by Stripe. For full details of how your financial data is handled, please refer to the Stripe Privacy Policy at stripe.com/gb/privacy.
2.7 Marketing, Remarketing and Advertising
Email marketing: If you choose to sign up to receive news, health tips, or promotional communications from us, we collect your name and email address. We will only send you marketing emails if you have given us your explicit consent to do so. You can withdraw that consent and unsubscribe at any time by clicking the unsubscribe link in any email we send, or by contacting us at [email protected].
Remarketing and retargeting: We may use remarketing services to show relevant advertisements to users who have previously visited our website. This works by placing cookies on your device, which allow advertising platforms to identify your browser and show you our ads on other websites, apps, and social media platforms. The platforms we may use for this purpose include:
• Google Ads — which may display our advertisements across Google’s network and partner websites
• Meta (Facebook and Instagram) — which may display our advertisements on Facebook and Instagram
You can opt out of interest-based advertising at any time via Google’s Ad Settings (adssettings.google.com), Meta’s Ad Preferences (facebook.com/adpreferences), or www.youronlinechoices.com.
- How We Use Your Personal Data
| Purpose | Data Used | Legal Basis |
| --- | --- | --- |
| Responding to your contact form enquiry | Name, email, message | Legitimate interests (Article 6(1)(f)) |
| Processing and managing your appointment booking | Name, email, service, date/time | Performance of a contract (Article 6(1)(b)) |
| Providing clinical healthcare services | Health and clinical information | Healthcare purposes (Article 9(2)(h)); Substantial public interest (Schedule 1, DPA 2018) |
| Processing payments for products and services | Financial/payment data (via payment provider) | Performance of a contract (Article 6(1)(b)) |
| Complying with NHS and regulatory obligations | Prescription and dispensing data | Legal obligation (Article 6(1)(c)) |
| Sending marketing and promotional emails | Name, email address | Consent (Article 6(1)(a)) |
| Remarketing and advertising to previous website visitors | Website visit data (via cookies) | Consent (Article 6(1)(a)) |
| Improving our website and visitor behaviour | Analytics and usage data | Legitimate interests (Article 6(1)(f)); Consent for non-essential cookies (Article 6(1)(a)) |
| Preventing spam via reCAPTCHA | Interaction data | Legitimate interests (Article 6(1)(f)) |
We do not use your personal data for automated decision-making or profiling.
- Who We Share Your Data With
We do not sell your personal data. We may share it with the following trusted third-party service providers who process data on our behalf:
• Wisebee — our online appointment booking platform. They process booking details and appointment records.
• Our payment provider (e.g. Stripe or Square) — processes payment card data securely when you make a purchase. We do not store full card details on our own systems. All transactions are handled in compliance with PCI DSS.
• Google (Analytics / Tag Manager / reCAPTCHA / Google Ads) — website analytics, form protection, and remarketing.
• Meta (Facebook / Instagram) — advertising and remarketing to previous website visitors.
• Our email marketing platform — used to send newsletters and promotional communications to subscribers who have opted in. We only share your name and email address with this provider, and only if you have consented to receive marketing from us.
• Fluent Forms (WordPress) — the plugin powering our contact form. Submitted data is stored securely on our website server.
We may also share your data where we are legally required to do so, for example:
• With the NHS or other healthcare bodies as part of our regulated pharmacy obligations
• With regulators such as the General Pharmaceutical Council (GPhC) if required
• With law enforcement agencies if compelled by court order
All third parties are required to process your data securely and in accordance with applicable data protection law.
- How Long We Keep Your Data
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law or professional regulatory standards.
| Data Type | Retention Period |
| --- | --- |
| Contact form enquiries | 12 months from date of submission |
| Appointment booking records | 8 years (in line with NHS and clinical records guidance) |
| Health and clinical records (adults) | 8 years from last contact |
| Health and clinical records (minors) | Until the patient’s 25th birthday, or 8 years from last contact — whichever is later |
| Payment transaction records | 7 years (for legal and accounting purposes) |
| Marketing email subscriptions | Until you unsubscribe, or 2 years from your last engagement — whichever comes first |
| Website analytics data | Up to 26 months (as configured in Google Analytics) |
After these periods, data will be securely deleted or anonymised.
- Cookies
Our website uses cookies to help it function correctly, to understand how visitors use it, and to support our marketing activities. Cookies are small text files stored on your device. This privacy policy covers all cookie-related disclosures — there is no separate cookie policy.
Essential cookies — these are necessary for the website to work and cannot be disabled.
Analytics cookies — we use Google Analytics (via Google Tag Manager) to collect anonymised data about how visitors use our website. This helps us improve our content and user experience. These cookies are only placed with your consent.
Marketing and advertising cookies — we may use cookies placed by Google Ads and Meta (Facebook/Instagram) to show relevant advertisements to people who have previously visited our website. These remarketing cookies allow our advertising partners to identify your browser and serve our ads on other platforms. These are only placed with your consent.
You can manage your cookie preferences at any time by adjusting your browser settings, or via the cookie preferences tool on our website. You can also opt out of interest-based advertising via Google’s Ad Settings (adssettings.google.com), Meta’s Ad Preferences (facebook.com/adpreferences), or www.youronlinechoices.com.
For more information about cookies and how to control them, visit www.aboutcookies.org.
- Your Rights Under UK GDPR
As a UK resident, you have the following rights regarding your personal data:
• Right to access — you can request a copy of the personal data we hold about you (a “Subject Access Request”).
• Right to rectification — you can ask us to correct any inaccurate or incomplete data.
• Right to erasure — you can ask us to delete your data in certain circumstances (sometimes called the “right to be forgotten”).
• Right to restriction — you can ask us to limit how we use your data in certain circumstances.
• Right to data portability — you can ask us to provide your data in a structured, machine-readable format.
• Right to object — you can object to us processing your data where we rely on legitimate interests.
• Right to withdraw consent — where we rely on your consent (e.g. for marketing emails or analytics cookies), you can withdraw it at any time without affecting the lawfulness of any processing carried out before withdrawal.
• Rights related to automated decision-making — you have the right not to be subject to decisions made solely by automated means. We do not currently use automated decision-making.
To exercise any of these rights, please contact us at:
Email: [email protected]
Post: Chobham Pharmacy, 32 Chertsey Rd, Chobham, Woking, GU24 8PQ
We will respond to your request within one calendar month. We may need to verify your identity before processing your request.
- Data Security
We take the security of your personal data seriously. Our website uses HTTPS encryption, and we implement appropriate technical and organisational measures to protect your data from unauthorised access, disclosure, alteration, or destruction.
Our third-party processors (Wisebee, Google, Meta, and our payment provider) are all reputable providers with robust security practices and appropriate data processing agreements in place. Payment data is handled in compliance with PCI DSS standards.
- International Data Transfers
Some of our third-party providers — including Google, Meta, and our payment provider — may process data outside the UK or European Economic Area. Where this occurs, we ensure that appropriate safeguards are in place, such as the use of UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs), in accordance with UK GDPR requirements.
- Children’s Privacy
Our website is not directed at children under the age of 13, and we do not knowingly collect personal data from children without parental consent. If you are a parent or guardian and believe your child has submitted personal data to us, please contact us and we will promptly delete it.
For clinical records relating to children, we follow NHS retention guidance — retaining records until the patient’s 25th birthday, or for 8 years from last contact, whichever is later.
- Links to Other Websites
Our website may contain links to external websites. This privacy policy applies only to www.chobhampharmacy.co.uk. We are not responsible for the privacy practices of any third-party websites and encourage you to read their privacy policies before submitting any personal data.
- Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will update the “Last updated” date at the top of this page.
We encourage you to review this policy periodically.
- How to Complain
If you are unhappy with how we have handled your personal data, please contact us in the first instance at [email protected] and we will do our best to resolve your concern.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection regulator:
Website: www.ico.org.uk
Helpline: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF