Rapix Connect Privacy Policy
Effective Date: 2025 April 28
1. Introduction
Welcome to Rapix Connect. This Privacy Policy explains how RAPIX CONNECT LIMITED ("we," "us," or
"our") collects, uses, shares, and protects information in relation to our Rapix Connect software application (the
"App"), available via web browser, desktop application, and mobile Progressive Web App (PWA), and
our website https://rapixconnect.com (the "Website").
Rapix Connect provides a communication platform designed to facilitate real-time communication between registered
General Practitioner (GP) surgeries and Community Pharmacies in the UK regarding medication availability and
related queries.
This policy applies to registered users of the App (staff at GP surgeries and Pharmacies) and visitors to our
Website.
For the purpose of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data
controller is:
RAPIX CONNECT LIMITED
Registered Office: 55 Manor Road, Stretford, Manchester, England, M32 9HT
Company Number: 16152849
2. Information We Collect
We collect the following types of information:
Information You Provide Directly:
- GP Surgery Users: Full practitioner name, associated GP Surgery name, GP Surgery address, and
the practitioner's NHSmail address (used for registration and login verification).
- Community Pharmacy Users: Pharmacy name, Pharmacy address, and the Pharmacy's organisational
NHSmail address (used for registration and login verification).
- Medication Request Data: Details of medications being queried (e.g., drug name, strength,
form, quantity).
- EPS Barcodes: Electronic Prescription Service (EPS) barcodes associated with specific
medication requests. These are used solely as a unique reference identifier within the App to link
communications to a specific prescription event between the relevant GP and Pharmacy. We do not use the EPS
barcode to access or retrieve patient-identifiable information within Rapix Connect, nor is it intended for use
by the receiving party within our App to look up patient details. Its purpose is strictly for reference
regarding the communication thread.
- Communication Data: Messages exchanged between GP Surgeries and Pharmacies via the App's chat
feature.
- Contact Information: If you contact us directly (e.g., via email or phone), we will receive
your contact details and the content of your message or inquiry.
Information Collected Automatically:
- Usage Information: We collect information about how you use the App, such as the types of
requests made, frequency of use, and interaction patterns. This data is primarily used to generate aggregate
statistics (see Section 3).
- Technical Information: When you access the App or Website, we may automatically receive
technical information, such as Internet Protocol (IP) addresses (which may be logged by our servers or
sub-processors like Cloudflare and Supabase for security and operational purposes), basic device information,
browser type, and details regarding your interaction with our service. We do not actively use this for tracking
individual behaviour beyond operational necessities.
- Authentication Tokens: We use JSON Web Tokens (JWTs) to manage authenticated sessions after
successful login via NHSmail one-time codes.
3. How We Use Your Information and Legal Basis
We use the information we collect for the following purposes, relying on the specified legal bases under UK GDPR:
- To Provide and Operate the Rapix Connect Service: Processing user details, medication request
data, EPS barcodes, and communications to enable the core functionality of the App – connecting GPs and
Pharmacies for medication availability queries.
Legal Basis: Legitimate Interests (to provide the service requested by users) and, for
paying GP Surgeries, Performance of a Contract.
- To Authenticate Users: Using NHSmail addresses and one-time codes (via our sub-processor
Supabase) to verify user identity and secure access to the App.
Legal Basis: Legitimate Interests (to ensure the security and integrity of the service
and restrict access to authorised healthcare professionals).
- To Communicate With You: Responding to your inquiries, providing support, and sending
service-related notifications.
Legal Basis: Legitimate Interests (to respond to user requests and manage the service
relationship).
- For Audit and Service Integrity: Retaining records of completed requests and communications
for audit trails and potential dispute resolution.
Legal Basis: Legitimate Interests (to maintain accurate records of service usage and
ensure accountability).
- To Calculate Aggregate Statistics: Processing usage data (which may initially be
identifiable) to calculate anonymized, aggregate statistics about service usage (e.g., average number of
requests per GP/month, average response times). These statistics do not identify individual users or
organisations.
Legal Basis: Legitimate Interests (to understand service usage patterns, improve the
service, and for business intelligence).
- For Security and Protection: Using technical information (like IP addresses processed by
Cloudflare) to protect against DDoS attacks, fraud, and other security threats.
Legal Basis: Legitimate Interests (to protect the security and availability of our
service).
- To Comply with Legal Obligations: Processing data where required by applicable law or
regulation.
Legal Basis: Legal Obligation.
4. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected,
including for the purposes of satisfying any legal, accounting, or reporting requirements.
- Chat Contents: Chat message history within a specific conversation thread is automatically
deleted 90 days after the last message was sent in that thread.
- Request Completion Data: Information related to completed medication requests (including
medication details and the associated EPS barcode reference) is retained for audit and aggregate analytics
purposes. We retain this data for as long as necessary for these purposes, subject to your data protection
rights (see Section 8). You can request the deletion of your organisation's data at any time (see Section 8).
- User Account Information: We retain your account information (name, email, organisation
details) for as long as your account is active. If an account is deactivated or deleted upon request, we will
remove the associated personal data in accordance with our internal procedures, unless retention is required for
legal or audit purposes.
- Aggregate Statistics: Data used for aggregate statistics is anonymized and therefore may be
kept indefinitely as it no longer constitutes personal data.
5. Data Sharing and Disclosure
We do not sell your personal data. We share information only in the following circumstances:
- Between Registered Users: The core function of the App involves sharing information
(practitioner name/organisation name, medication details, EPS barcode reference, messages) between the GP
Surgery initiating a request and the Pharmacy(ies) receiving/responding to it, and vice-versa.
- With Service Providers (Sub-processors): We engage third-party companies to help us operate
and provide the App. These sub-processors have access to your information only to perform tasks on our behalf
and are obligated not to disclose or use it for other purposes. Our key sub-processors include:
  - Supabase: Provides authentication services (processing NHSmail addresses for login).
    Their privacy policy and data processing terms apply.
  - Cloudflare: Provides security services (DDoS protection, CDN), which involves processing
    IP addresses. Their privacy policy and data processing terms apply.
  - GitHub Pages: Hosts the desktop application update manifests and files. Minimal data
    processing (potentially IP logs).
- For Legal Reasons: We may disclose your information if required by law, subpoena, or other
legal process, or if we have a good faith belief that disclosure is reasonably necessary to (a) investigate,
prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement
agencies; (b) enforce our agreements with you; (c) investigate and defend ourselves against any third-party
claims or allegations; (d) protect the security or integrity of our Service; or (e) exercise or protect the
rights and safety of Rapix Connect, our users, personnel, or others.
- Business Transfers: If we are involved in a merger, acquisition, financing, reorganization,
bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify
you via email and/or a prominent notice on our Service of any change in ownership or uses of your personal
information, as well as any choices you may have regarding your personal information.
- Aggregate Data: We may share anonymized, aggregate usage statistics, which cannot reasonably
be used to identify you or your organisation.
6. International Data Transfers
Our primary servers are located within the United Kingdom. However, some of our sub-processors (like Supabase and
Cloudflare) may process data in locations outside the UK or European Economic Area (EEA). When we transfer
personal data outside the UK/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual
Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) or the UK GDPR adequacy regulations, to
protect your data.
7. Data Security
We implement technical and organisational measures designed to protect your personal data from unauthorised
access, use, alteration, or destruction. These measures include:
- Authentication: Secure login using one-time codes sent to verified NHSmail addresses.
- Encryption: Data is encrypted in transit using Transport Layer Security (TLS/HTTPS).
Our database data is encrypted at rest.
- Access Controls: Access to personal data within our organisation is restricted to authorised
personnel (currently the company founders) who need access to perform their job functions.
- Infrastructure Security: Use of Cloudflare for DDoS protection and network security.
- Signed Updates: Desktop application updates are cryptographically signed to ensure
authenticity.
While we strive to protect your personal data, no security system is impenetrable. We cannot guarantee the
absolute security of your information.
8. Your Data Protection Rights (UK GDPR)
Under UK data protection law, you have rights including:
- Right to Access: You have the right to request copies of your personal data.
- Right to Rectification: You have the right to request that we correct any information you
believe is inaccurate or complete information you believe is incomplete.
- Right to Erasure ('Right to be Forgotten'): You have the right to request that we erase your
personal data, under certain conditions.
- Right to Restrict Processing: You have the right to request that we restrict the processing
of your personal data, under certain conditions.
- Right to Object to Processing: You have the right to object to our processing of your
personal data where we rely on Legitimate Interests as our legal basis, under certain conditions.
- Right to Data Portability: You have the right to request that we transfer the data that we
have collected directly from you to another organisation, or directly to you, under certain conditions.
To exercise any of these rights, please contact us using the details in Section 12. We will respond to your
request within one month.
9. Children's Privacy
Our Service is not directed to individuals under the age of 18, and we do not knowingly collect personal
information from children. If we become aware that we have collected personal data from a child without
verification of parental consent, we take steps to remove that information from our servers.
10. Cookies and Similar Technologies
- Website: Our public-facing Website (https://rapixconnect.com) does not use cookies or other
tracking technologies for analytics or advertising.
- App: The Rapix Connect App (web, desktop, PWA) uses essential local storage or similar
technologies strictly necessary for its functionality, such as managing your login session (e.g., storing JWTs)
and remembering user interface preferences. These are not used for tracking user behaviour across different
services.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the
new Privacy Policy on this page and potentially through other means (such as email or an in-app notification). We
encourage you to review this Privacy Policy periodically for any changes. Changes are effective when they are
posted on this page.
12. Contact Us
If you have any questions about this Privacy Policy, your data protection rights, or our data handling practices,
please contact us:
- By email: hello@rapixconnect.com
- By phone: +44 7515 058395
- By post: RAPIX CONNECT LIMITED, 55 Manor Road, Stretford, Manchester, England, M32 9HT
Our designated Data Protection Officer is Abdullah Siddiqi, available via the contact details above.
13. Complaints
You have the right to lodge a complaint with the UK's supervisory authority for data protection issues, the
Information Commissioner's Office (ICO).
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk
We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please
contact us in the first instance.