ID Checks & Identity Verification

When we verify your identity

• Before supplying some prescription-only or higher-risk medicines, or medicines liable to misuse.
• Before or during online consultations and remote prescribing (telehealth/telemedicine).
• When we must confirm age, prevent fraud, or resolve risk signals (e.g., mismatched details).

Our approach aligns with current UK guidance for pharmacies delivering services at a distance (including online) and requires appropriate identity checks, especially for higher-risk supplies. See the Sources for details.

What personal data is processed

Depending on the check and the risk profile, the following may be collected and verified via Real ID:

• Identity document images and extracted fields (e.g., name, date of birth, address, issuing country/authority, document number, expiry date).
• Optional biometric headshot/selfie for face-match against the document photo (only where enabled for higher-risk checks).
• Proof of address and e-signature (where required for clinical or legal reasons).
• Technical and order context (e.g., IP address, device and browser metadata, phone and email used for the check, order/customer identifiers).

Our lawful basis (UK GDPR)

We process identity information because it is necessary for one or more of the following:

We always assess the least intrusive way to achieve the purpose (data minimisation) and conduct Data Protection Impact Assessments (DPIAs) where required.

Who is who (controller/processor)

Chemist Doctor is the data controller for patient identity checks related to our services. Real ID (Verdict, LLC) acts as our data processor, processing identity data strictly under our instructions to verify your identity and return a pass/fail score and related evidence.

• We do not store ID images or extracted ID fields on our e-commerce platform. Instead, Real ID stores them securely in its own environment and provides us with a short-lived view link and a non-identifying reference token.
• We maintain written terms with Real ID covering UK GDPR controller–processor requirements.

Who we share data with

• Real ID, solely to perform identity verification on our behalf.
• Payment, anti-fraud and logistics partners, where necessary to prevent fraud or fulfil regulated supply.
• Healthcare professionals involved in your care (for example, sharing verification status in your clinical record where appropriate and lawful).
• Regulators or law enforcement if we are legally required to do so.

Real ID does not sell your personal information. It may use sub-processors for hosting and security services under contractual safeguards.

Where data is processed & international transfers

• Real ID hosts merchant and customer data on Amazon Web Services (AWS) in the United States (regions us-east-1 and us-east-2).
• Because this involves a transfer outside the UK/EEA, we put appropriate safeguards in place (e.g., the UK International Data Transfer Agreement or EU Standard Contractual Clauses with the UK Addendum), plus transfer risk assessments.

How data is protected

• Encryption: TLS in transit; AES-256 at rest in Real ID’s secure vaults. Patient-visible image links in our dashboard expire quickly (e.g., ~15 minutes).
• Hosting & perimeter: AWS infrastructure; Cloudflare web application firewall (WAF) with zero-trust principles.
• Operational security: MFA, strong passwords/keys, role-based staff permissions, audit logs, monitoring and access logging.
• Backups & resilience: Daily backups across physical regions within the cloud provider; expired snapshots are deleted in line with policy.
• Platform integrations: Real ID integrates with Shopify/WooCommerce without storing PII on those platforms—only status and a token are written back.

Automated decisions & human review

Real ID uses computer vision and AI models to assist document and face-match checks and returns a confidence-based result. Chemist Doctor can override any automated result and perform manual review. If you would prefer manual verification, contact us and we will provide an alternative route where feasible.

Retention & deletion

We keep identity verification data only for as long as needed for safety, fraud prevention, clinical governance, and regulatory requirements, then we delete it. Real ID supports configurable retention windows (granularity from days to years) and automated deletion.

• You may request earlier deletion unless we need to retain the data to comply with law or defend legal claims.
• Uninstalling Real ID from a platform triggers deletion of associated merchant and customer data by Real ID within a defined timeframe.

Your rights

Under UK data protection law you can request access to your data, ask for corrections, object to certain processing, or request deletion. For identity checks performed for Chemist Doctor, please contact us first (details below). We will liaise with Real ID as needed to fulfil your request. Where biometric verification was used, you can withdraw consent; we will offer a non-biometric verification route where appropriate.

Children & vulnerable people

Identity checks are generally designed for adults. If you are under 18 or acting on behalf of a patient who may need adjustments, please contact us so we can provide an appropriate verification route (for example, involving a parent/guardian or an in-person alternative).

Contact & complaints

Changes to this page

We’ll update this page if our verification processes or providers change, or if the law requires updates. We will indicate the “Last updated” date at the top.