Working.Experts for Pharmacy — Privacy Notice

Last updated: 13 April 2026
Controller: Fastidious LLP, trading as Working Experts
Registered office: 10-11 Great Russell Street, London WC1B 3NH
Telephone: 01740 467015
Contact email: legal@working.expert

1. Introduction

This Privacy Notice explains how we collect, use, store, share, and otherwise process personal data when you use the Working.Experts for Pharmacy website, mobile applications, and related services, features, and communications (together, the Platform).

It applies to personal data relating to:

  • visitors to our website
  • registered users
  • job seekers and locums
  • employers, recruiters, and hiring managers
  • suppliers, advertisers, and business customers
  • people who contact us or interact with our support teams
  • people who attend our events, webinars, or marketing activities
  • other individuals whose personal data we process in connection with the Platform

2. Who we are

For the purposes of data protection law, Fastidious LLP, trading as Working Experts, is the controller of the personal data described in this Privacy Notice, except where we expressly state that another party acts as controller.

3. The personal data we collect

The personal data we collect depends on how you use the Platform.

3.1 Information you provide directly

We may collect personal data you provide to us, including:

  • name, title, and contact details
  • username, password, and account credentials
  • profile information, biography, work history, education, qualifications, training, and skills
  • professional registration details, verification information, and supporting documents
  • CVs, cover notes, job application information, and availability details
  • location, work preferences, salary or rate expectations, and shift preferences
  • employer, recruiter, supplier, advertiser, or organisation details
  • listing content, job posts, locum shifts, supplier profiles, directory entries, and advertisements
  • messages, enquiries, support requests, survey responses, and feedback
  • billing, payment, invoicing, subscription, and transaction information
  • event registrations, webinar attendance details, and marketing preferences
  • any other information you choose to submit through the Platform

3.2 Information collected automatically

When you access or use the Platform, we may collect technical and usage information such as:

  • device type, operating system, browser type, and settings
  • IP address and approximate location inferred from IP
  • app, website, and page usage data
  • log data, timestamps, clicks, search activity, referring URLs, and interactions with content or features
  • cookie, pixel, tag, or similar technology data
  • crash reports, diagnostics, and performance information

3.3 Information from third parties

We may receive personal data from third parties, including:

  • employers, recruiters, agencies, or colleagues who invite you to use the Platform
  • identity, payment, analytics, communications, advertising, or verification providers
  • publicly available sources, professional registers, or business directories where lawful
  • social sign-in or authentication providers if you choose to use them
  • organisations that purchase services from us and provide administrator or user contact details

3.4 Special category data and sensitive information

We do not generally need special category personal data for ordinary use of the Platform.

You should not provide special category data unless it is strictly necessary and there is a clear reason to do so. Where we do process special category data, we will do so only where we have a valid legal basis and, where required, an additional condition under data protection law.

4. How we use your personal data and our lawful bases

Depending on the circumstances, we may rely on one or more of the following lawful bases:

  • contract
  • legitimate interests
  • legal obligation
  • consent

4.1 Main purposes

We may use personal data for the following purposes:

| Purpose | Categories of personal data | Lawful basis |
|---|---|---|
| To create and manage accounts and user profiles | Account, identity, contact, profile, credential, login data | Contract |
| To provide Platform functionality, including profile display, networking, search, messaging, listings, jobs, locum shifts, learning, and directory services | Account, profile, content, communications, usage data | Contract; legitimate interests |
| To process job applications, locum expressions of interest, and candidate introductions | Profile, CV, application, availability, communications, employer/recruiter details | Contract; legitimate interests |
| To verify identities, credentials, registrations, listings, or organisations | Identity, profile, registration, document, verification data | Contract; legitimate interests; legal obligation where applicable |
| To administer subscriptions, purchases, invoices, and payments | Identity, contact, billing, transaction, subscription data | Contract; legal obligation |
| To respond to support requests, complaints, and enquiries | Contact, account, communications, support data | Contract; legitimate interests; legal obligation where applicable |
| To operate, maintain, secure, troubleshoot, and improve the Platform | Technical, usage, log, device, support data | Legitimate interests |
| To monitor misuse, prevent fraud, enforce our terms, and protect users and the Platform | Account, technical, log, communications, verification, payment data | Legitimate interests; legal obligation where applicable |
| To send service communications, administrative messages, and important notices | Contact, account, transaction, subscription data | Contract; legal obligation; legitimate interests |
| To send marketing communications where permitted | Contact, preferences, account, usage data | Consent where required; legitimate interests where lawful |
| To run analytics, reporting, business planning, and service development | Usage, device, account, transaction, profile data | Legitimate interests |
| To comply with legal, regulatory, tax, accounting, and law enforcement obligations | Relevant account, identity, transaction, audit, and communication data | Legal obligation |
| To establish, exercise, or defend legal claims | Relevant records and communications | Legitimate interests; legal obligation where applicable |

5. Profiles, visibility, and search

Depending on the product settings and the nature of your account, information in your profile, listings, posts, or directory entry may be visible to:

  • other registered users
  • employers, recruiters, agencies, and hiring organisations
  • suppliers, advertisers, or business customers using relevant Platform tools
  • visitors to public areas of the Platform
  • search engines where content is publicly accessible and indexing is enabled

6. Jobs, locums, and recruiter access

If you apply for a job, express interest in a locum shift, respond to a listing, or make your profile available for hiring or commercial discovery:

  • we may share relevant profile, application, availability, CV, messaging, and related information with the relevant employer, recruiter, agency, hirer, or other recipient you select or interact with
  • that recipient will usually act as a separate controller of the personal data they receive and use for their own recruitment, hiring, vetting, compliance, and decision-making purposes

We are not responsible for the privacy practices of employers, recruiters, agencies, or other third parties once they receive your personal data as a separate controller.

7. Marketing communications

We may send you service messages that are necessary to administer your account, provide the Platform, fulfil transactions, or inform you about important changes.

We may also send marketing communications about our services, content, events, offers, or relevant opportunities where permitted by law. You can opt out of marketing emails at any time by using the unsubscribe link in the message or by contacting us.

8. Cookies and similar technologies

We use cookies and similar technologies for purposes such as:

  • keeping the Platform secure and functioning properly
  • remembering preferences and settings
  • understanding how the Platform is used
  • measuring performance
  • improving user experience
  • supporting advertising, attribution, and campaign measurement where applicable

Please see our Cookie Notice for more detail, including how to manage your preferences.

9. Who we share personal data with

We may share personal data where appropriate with:

  • employers, recruiters, agencies, hirers, or other users you interact with or choose to share information with
  • service providers who help us operate the Platform, such as hosting, analytics, communications, payment, customer support, security, fraud prevention, and verification providers
  • professional advisers such as lawyers, accountants, auditors, and insurers
  • advertising, attribution, or marketing partners where lawful
  • regulators, law enforcement, courts, public authorities, or other third parties where required by law or reasonably necessary to protect rights, safety, or the Platform
  • prospective buyers, investors, or advisers in connection with a merger, acquisition, restructuring, financing, or sale of all or part of our business, subject to appropriate confidentiality measures

We do not sell personal data in the ordinary sense of selling lists of personal information for money.

9.1 Specific sub-processors

The following named sub-processors operate parts of the Platform on our behalf. Each one is bound by a written data-processing agreement and only processes personal data on our documented instructions. We update this list whenever we add, remove, or replace a processor.

| Processor | Purpose | Personal data processed | Location |
|-----------|---------|-------------------------|----------|
| Stack Auth | Authentication, session management, social sign-in | Email, name, account identifiers, sign-in events | EU / US |
| Mollie B.V. | Card payments for patient bookings and subscription billing | Name, email, payment metadata, transaction id | EU |
| GoCardless Ltd | Direct-debit billing for recurring subscriptions | Name, email, billing address, mandate metadata | UK / EU |
| Resend / Postmark | Transactional email delivery (booking confirmations, alerts, recap emails) | Email address, recipient name, message body | US |
| Sentry | Application error monitoring | Limited request metadata, user id, IP address | EU |
| Cloudflare Turnstile | Bot protection on public submission forms | IP address, browser challenge token | Global edge |
| postcodes.io (Ideal Postcodes) | UK postcode → coordinate lookup for branch geocoding and "near me" filtering | Postcodes only — never tied to a user identity | UK |
| OpenStreetMap Foundation | Map tiles displayed in the shifts and pharmacy map views | None directly; the user's IP is exposed when their browser fetches tiles | EU |
| SMS provider | Patient appointment reminders and opt-out handling (provider TBC at general availability — see also section 8 cookies notice) | Phone number, opt-out state, message body | UK / EU |
| Hosting provider | Server hosting, encrypted at-rest storage, automated DB backups | All Platform data while at rest | UK / EU |

9.2 Audience and event-driven sharing

We share personal data with the following audiences only when the user's actions cause it:

  • Other users: when you apply for a shift or job, the employer sees the data on your candidate profile and any credentials you've granted to that listing.
  • Patient confirmations: patient bookings made through `/book/{pharmacy}` are shared with the host pharmacy; the pharmacy is a separate controller for that data once received.
  • Admin moderators: access to flagged content and verification submissions is gated by named admin roles with two-factor authentication. See the access-control model in our security documentation.

10. International transfers

Some of our service providers or other recipients may process personal data outside the United Kingdom.

Where we transfer personal data internationally, we will take appropriate steps to ensure that it is protected in accordance with applicable data protection law.

11. How long we keep personal data

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Notice, including to provide services, maintain records, comply with legal obligations, resolve disputes, enforce our terms, and protect our legal position.

Retention periods vary depending on the type of data and the context.

12. Security

We use appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

13. Your rights

Depending on the circumstances, you may have rights under data protection law, including the right to:

  • be informed about how your personal data is used
  • request access to your personal data
  • request correction of inaccurate or incomplete data
  • request deletion of your personal data
  • request restriction of processing
  • object to processing based on legitimate interests
  • object at any time to processing for direct marketing
  • request transfer of certain personal data to you or another provider
  • withdraw consent where processing is based on consent

14. Complaints

If you have concerns about how we handle your personal data, we encourage you to contact us first so that we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office (ICO) in the UK.

15. Third-party services and external sites

The Platform may contain links to third-party websites, applications, plug-ins, services, vacancies, suppliers, payment services, learning tools, or other external resources.

We are not responsible for the privacy practices of those third parties.

16. Children

The Platform is intended for users aged 18 and over. We do not knowingly provide the Platform directly to children.

17. Changes to this Privacy Notice

We may update this Privacy Notice from time to time. If we make material changes, we will take reasonable steps to notify you.

18. Contact us

Fastidious LLP trading as Working Experts
10-11 Great Russell Street
London WC1B 3NH
Telephone: 01740 467015
Email: legal@working.expert