1. Controller and privacy contact
NOVAPHARM HEALTHCARE LTD (company number 16716501), registered in England and Wales with registered office at Flat 72 Archer Court, 21 High Street, Feltham, England, TW13 4AG, is the controller for the processing described here. Use the contact form and mark the message for the Privacy Lead. NovaPharm has not formally appointed a Data Protection Officer; the website does not represent that one has been appointed.
2. Who and what this notice covers
This notice covers website visitors; business enquirers; account applicants; customers; suppliers; manufacturers and distribution partners; portal users; employees and job applicants; board members; professional advisers; regulatory contacts; email recipients; SharePoint users; uploaded business documents; and security, audit, cookie and device records. It does not invite patient-identifiable data.
3. Business enquiries
The enquiry form collects name, business email, company, role, country, optional telephone number, enquiry type, message, privacy acknowledgement, safety declaration, timestamp and anti-abuse evidence. NovaPharm uses these data to assess and respond to the enquiry, protect the service and preserve an accountable business record. The usual lawful bases are legitimate interests in operating and protecting a B2B pharmaceutical business and, where a person asks NovaPharm to consider a contract, steps requested before entering a contract. Marketing requires a separate choice and is not bundled into the enquiry.
4. Account applications and uploads
Applications collect company and contact details, responsible-person information, addresses, licence and GDP information, credit and trade references, insurance and bank-confirmation status, declarations and uploaded due-diligence records. Processing supports requested pre-contract steps, legal and regulatory duties where applicable, and NovaPharm's legitimate interests in customer due diligence, quality governance, fraud prevention and controlled account creation. Do not upload patient data or unrelated identity records.
5. Other purposes and lawful bases
| Purpose | Typical data | Lawful basis |
|---|---|---|
| Customer, supplier and partner administration | Contacts, contracts, orders, invoices, quality and regulatory records | Contract, legal obligation and legitimate interests in managed B2B operations |
| Portal identity, access and security | Username, role, scopes, sessions, device/network security evidence and audit events | Legitimate interests in secure access and, where relevant, contract and legal obligation |
| Employment, recruitment and governance | Professional, employment, application, training and board records | Contract, pre-contract steps, legal obligation and legitimate interests; special-category conditions would be documented where needed |
| Regulatory, quality and legal work | Professional contacts, licences, approvals, complaints and controlled evidence | Legal obligation, public-interest conditions where applicable, contract and legitimate interests |
| Optional marketing | Contact details and recorded preferences | Consent where required; withdrawal is available at any time |
6. Sources
Data come from the individual, their employer or organisation, authorised representatives, customers and suppliers, public registers such as Companies House and regulatory registers, approved service providers, security logs and records created through NovaPharm's business processes. NovaPharm does not buy patient lists.
7. Recipients and processors
Access is limited by role and business need. Recipients may include approved NovaPharm personnel and advisers; Render for the planned Node hosting service; Microsoft for Microsoft 365, Entra ID and SharePoint when configured; Resend for transactional email when configured; and approved logistics, finance, quality, regulatory or technology providers only when their work requires the relevant data. A named logistics provider is not treated as a recipient until a contract and data flow actually exist. Regulators, courts or public bodies may receive data where lawfully required.
8. International transfers
Some approved providers may process data outside the UK. Before enabling such a flow, NovaPharm will identify the destination and recipient, check whether UK adequacy regulations apply and, where needed, put in place an International Data Transfer Agreement or UK Addendum and a transfer risk assessment. Provider contracts and subprocessor locations remain subject to due diligence.
9. Retention and security
NovaPharm keeps data only while needed for the stated purpose and any applicable company, tax, contractual, regulatory, quality, employment, limitation, security or legal requirement. The internal retention schedule records the owner, trigger, legal or operational rationale and disposal action for each record class; periods that depend on a licence, product, contract or dispute are set only after the relevant obligation is confirmed. Controls include access scopes, password hashing, secure cookies, CSRF protection, audit events, private storage, backups and planned least-privilege SharePoint permissions. No internet service can promise absolute security.
10. Rights
Depending on the circumstances, individuals may request access, rectification, erasure, restriction, portability or objection, and may withdraw consent without affecting earlier lawful processing. Requests can be made through the privacy contact route. Identity and authority may need to be verified. Individuals may complain to the Information Commissioner's Office.
11. Automated decisions, children and patient data
NovaPharm does not currently use solely automated decisions that produce legal or similarly significant effects through this website. Planned AI capabilities are not live decision systems. The B2B website is not directed to children and NovaPharm does not knowingly seek children's data here. The general form must not be used for adverse-event reports, product-quality complaints containing patient data or medical emergencies.
12. Changes
NovaPharm will update the version, effective date and review record when this notice or the underlying data map changes materially. Important changes will be communicated through an appropriate website or direct notice.
Relevant official guidance includes the ICO right-to-be-informed guidance and ICO Data (Use and Access) Act 2025 overview.
