
Privacy Policy

10Q HOLDINGS LIMITED (Trading as 10QRX)

Effective Date: 9 March 2026

Framework: UK GDPR & DPA 2018

1. Who We Are

10Q Holdings Limited (company number 15342137), trading as 10QRX (“Company”, “we”, “us”, “our”), is a private limited company registered in England and Wales with its registered office at 1 Beauchamp Place, 10 Victors Way, Barnet, United Kingdom, EN5 5TZ. We operate the 10QRX platform (the “Platform”), a workflow and documentation infrastructure designed to support UK pharmacies and clinics in delivering regulated clinical services.

For the purposes of data protection law, our role depends on the context:

  • When we process data about our business customers (pharmacies, clinics, and their staff), we are the data controller.
  • When we process patient data on behalf of our customers through the Platform, we are the data processor, acting on the instructions of the customer who is the data controller.

Data Protection Contact: hello@10qrx.com


2. Data We Collect

2.1 Business Customer Data (Controller)

When pharmacies, clinics, or healthcare providers engage with us, we may collect: contact details (name, email, phone, address), business information (company name, registration numbers, regulatory identifiers), financial information (billing details, payment records), usage data (how you interact with the Platform), and communications (emails, demo requests, support queries).

2.2 Patient Data (Processor)

When our customers use the Platform to manage patient journeys, the Platform may process the following categories of patient data on behalf of the customer: identity data (name, date of birth, NHS number where applicable), contact data (address, email, phone), health data (medical history, current medications, blood test results, BMI, weight records, clinical assessments, prescribing records), consent records, and payment data for patient transactions. This data constitutes special category data under UK GDPR Article 9. We process this data solely as a data processor on the instructions of our customers.

2.3 Website Visitor Data

When you visit our website, we may collect: technical data (IP address, browser type, device type, operating system), usage data (pages visited, time spent, referral source), and any data you voluntarily provide through contact forms or demo booking requests.


3. How We Use Data

3.1 Business Customer Data

We use business customer data for: performing and managing your contract with us (Article 6(1)(b) UK GDPR), communicating with you about the Platform and Services, billing and payment processing, providing technical support, improving our Platform and Services (legitimate interests, Article 6(1)(f)), and complying with legal obligations (Article 6(1)(c)).

3.2 Patient Data

We process patient data only on the documented instructions of our business customers and only for the purposes of providing the Platform services, which include: structuring patient intake and assessment workflows, presenting clinical data in structured formats, facilitating blood test ordering and results processing via LML, generating documentation and audit trails, and supporting the customer’s compliance and reporting requirements. We do not use patient data for our own purposes, do not sell patient data, and do not use patient data for marketing, profiling, or automated decision-making.

3.3 Website Visitor Data

We use website visitor data for: operating and improving our website, analysing usage patterns, and responding to your enquiries. Our lawful basis is legitimate interests (Article 6(1)(f)) or consent where required for cookies and similar technologies.


4. Who We Share Data With

We may share data with the following categories of recipients:

  • London Medical Laboratory (LML): For processing blood test orders and results on behalf of our customers. LML operates as a separate data controller for the laboratory services it provides.
  • Payment processors: For handling financial transactions.
  • Cloud hosting providers: Our Platform is hosted on UK-based cloud infrastructure. These providers process data on our behalf under appropriate data processing agreements.
  • Professional advisers: Our legal, accounting, and compliance advisers, as necessary.
  • Regulatory authorities: Where required by law or regulation.
  • Law enforcement: Where required by a court order, subpoena, or other legal obligation.

We do not sell personal data. We do not share personal data for advertising or marketing purposes with third parties.


5. International Data Transfers

We primarily process data within the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs), standard contractual clauses approved by the ICO, or transfers to countries with an adequacy decision from the UK Secretary of State.

6. Data Retention

Business customer data is retained for the duration of the contractual relationship and for a period of six (6) years thereafter to comply with legal and regulatory obligations and to protect our legitimate interests in the event of disputes.

Patient data processed on behalf of customers is retained in accordance with the customer’s instructions and the applicable Data Processing Agreement. Upon termination of the customer relationship, we will delete or return patient data as directed, subject to any legal retention obligations.

Website visitor data is retained for no longer than twenty-four (24) months from the date of collection.


7. Data Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls and role-based authentication, regular security assessments and vulnerability testing, staff training on data protection and information security, incident response and breach notification procedures, and UK-hosted infrastructure. Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but commit to responding promptly and transparently to any security incident.

8. Your Rights

8.1 Business Customers and Website Visitors

Under UK GDPR, you have the right to: access your personal data (Article 15), rectify inaccurate data (Article 16), erase your data in certain circumstances (Article 17), restrict processing (Article 18), request data portability (Article 20), object to processing based on legitimate interests (Article 21), and withdraw consent at any time where consent is the legal basis. To exercise any of these rights, contact us at hello@10qrx.com. We will respond within one month.

8.2 Patients

If you are a patient whose data is processed through our Platform, please note that we process your data on behalf of your pharmacy or clinic. To exercise your data protection rights, you should contact your pharmacy or clinic directly, as they are the data controller. If your pharmacy or clinic directs us to action your request, we will do so promptly.


9. Cookies and Similar Technologies

Our website uses cookies and similar technologies to ensure the website functions properly, analyse how the website is used, and remember your preferences. We obtain your consent for non-essential cookies in accordance with the Privacy and Electronic Communications Regulations 2003. You can manage cookie preferences through your browser settings or through our cookie consent mechanism.

10. Children’s Data

The Platform is designed for use by pharmacies, clinics, and healthcare providers. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate parental or guardian consent, we will take steps to delete it.

11. Automated Decision-Making

The Platform does not engage in solely automated decision-making that produces legal effects or similarly significant effects on individuals, as defined in Article 22 of UK GDPR. While the Platform structures and presents data in formatted summaries, all clinical decisions are made by qualified healthcare professionals. The Platform’s data structuring is administrative in nature and does not constitute automated decision-making or profiling for data protection purposes.

12. Data Breach Notification

In the event of a personal data breach, we will notify the relevant data controller (our business customer) without undue delay and, where feasible, within 24 hours of becoming aware of the breach. Where we are the data controller and the breach is likely to result in a high risk to individuals’ rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, in accordance with Articles 33 and 34 of UK GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to our business customers or through the Platform. The effective date at the top of this document will be updated accordingly. Continued use of the Platform after notification of changes constitutes acceptance of the updated policy.


14. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). The ICO can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: ico.org.uk. Telephone: 0303 123 1113.

15. Contact Us

For any questions about this Privacy Policy or our data protection practices:

10Q Holdings Limited (t/a 10QRX)

1 Beauchamp Place, 10 Victors Way, Barnet, United Kingdom, EN5 5TZ

Email: hello@10qrx.com

Last updated: 9 March 2026

10Q Holdings Limited — London, UK — hello@10qrx.com