Privacy Policy
1 Who we are
Healthcare Now Ltd (trading as smartscripts), Landscape House,
Baldonnell Business Park, Baldonnell, Dublin, Dublin 22 D22 P3K7
We are the Data Controller when you use our website.
Questions? Contact our Data-Protection Officer (DPO):
- E-mail: brendan@smartscripts.ie
- Tel: +353876213049
- Postal: DPO, Healthcare Now Ltd, address above.
2 When SmartScripts is Processor vs Controller
Where the Doctor acts as the Data Controller and SmartScripts as the Data Processor
In cases where the Doctor is processing Patient Data, they act in full compliance with data protection laws.
As a Data Processor, we will:
- Ensure that we have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Patient Data and against accidental loss or destruction of, or damage to, Patient Data, as are appropriate.
- Ensure that our staff who have access to and/or process Patient Data are obliged to keep the Patient Data confidential.
- Notify the proper body without undue delay on becoming aware of a Personal Data breach.
- Maintain complete and accurate records and information to demonstrate our compliance with these obligations.
As a Processor we will:
- maintain ISO-27001-aligned technical & organisational measures.
- ensure staff confidentiality.
- log / notify any personal-data breach without undue delay.
- keep audit-ready records (§28 GDPR).
3 What data we collect
| Category | Examples | Source |
|---|---|---|
| Identity | Name, date of birth | You |
| Contact | E-mail, mobile number, address | You |
| Clinical / PHI | Medical history, prescriptions, vital metrics, test results | You |
| Payment | Last-4 card digits, Stripe token | Stripe |
| Technical | IP address, device ID, cookie ID | Browser |
| Usage | Pages visited, actions in app | Analytics |
We never store full card numbers; these are processed directly by Stripe (PCI-DSS).
4 Why we process your data & legal bases
| Purpose | Legal basis (Art 6 + Art 9 GDPR) |
|---|---|
| Provide prescription services | Performance of a contract (Art 6-1-b); provision of healthcare (Art 9-2-h) |
| Secure user account, send service emails/SMS | Legitimate interest (Art 6-1-f) |
| Marketing updates (new services, offers) | Consent (Art 6-1-a) – you may withdraw anytime |
| Clinical audit & anonymised research | Legitimate interest (quality & safety) – data is anonymised |
| Comply with pharmacy regulation, tax & accounting | Legal obligation (Art 6-1-c) |
5 How long we keep data
| Data type | Retention rule |
|---|---|
| Prescription & clinical records | Retained 7 years after last treatment (Irish Pharmacy Act) |
| Account & billing data | 7 years (Revenue Commissioners) |
| Marketing consent logs | While consent is active + 24 months |
| Anonymised analytics | Kept indefinitely (can’t be re-identified) |
We delete or securely anonymise data when the period lapses.
6 Who sees your information
6.1 Internal staff
Authorised clinicians and support staff are bound by confidentiality.
6.2 Sub-processors
| Provider | Service | Location | Safeguard |
|---|---|---|---|
| Amazon Web Services | EU-based hosting | Dublin & Frankfurt | Standard Contractual Clauses not required (EEA) |
| Stripe Payments Europe | Card processing | Dublin | PCI-DSS compliant |
| HealthMail | Encrypted e-mail with GPs | Ireland | HSE-approved |
| Typeform | Questionnaire engine | EU data centre | SCC + DPA |
6.3 Disclosures
With your consent – insurance, employer, solicitor.
Without consent – court order, statutory disease reporting, risk of serious harm.
7 International transfers
All production data is stored in the EEA. If we ever transfer outside the EEA we will use an adequacy decision or SCCs (Art 46 GDPR) and update this notice.
8 Security measures
- TLS 1.2 / HTTPS everywhere
- At-rest AES-256 encryption in AWS EBS & RDS
- Role-based access, MFA on privileged accounts
- Quarterly penetration testing & annual ISO-27001 audit
- Continuous backup; 24 h RPO, 2 h RTO
9 Your rights
| Right | How to exercise |
|---|---|
| Access | E-mail brendan@smartscripts.ie |
| Rectification | Same as above |
| Erasure | If no legal obligation to keep record |
| Restrict / object | We’ll pause processing while we assess |
| Data portability | JSON / PDF export of your record |
| Complain | Data Protection Commission (dataprotection.ie) |
Requests are free unless manifestly unfounded or excessive (Art 12-5).
10 Cookies
We only use essential and analytics cookies. The full list, lifetimes and opt-out instructions are in our Cookies Policy, linked in the footer.
11 Marketing communications
Tick-box consent at signup. Opt out anytime via email.
12 Policy updates
Material changes will be flagged in-app & by email 7 days before taking effect.
© 2025 Healthcare Now Ltd. All rights reserved.