Data Protection

Last updated: 22 June 2026

This page sets out how Routly approaches data protection in more detail than our Privacy Policy, particularly around the patient data your pharmacy stores in the platform.

1. Controller and processor roles

As explained in our Privacy Policy, your pharmacy is the data controller for any patient information you enter into Routly — you decide what's collected and why. Routly acts as your data processor, handling that information only on your instructions and solely to provide the delivery management service.

For your pharmacy's own account and billing information, Routly (via PharmGrowth) acts as the data controller.

2. Data Processing Agreement

If your pharmacy needs a signed Data Processing Agreement (DPA) for your own compliance records — for example, to satisfy your obligations under UK GDPR as a controller of patient data — we're happy to provide one. Email support@pharmgrowth.co to request a copy.

3. Sub-processors

We use a small, fixed set of infrastructure sub-processors to run Routly, each bound by their own data protection terms:

Supabase — database storage (UK region), with row-level security ensuring each pharmacy can only access its own data
Railway — backend hosting (UK region)
Netlify — frontend hosting (global content delivery network; serves the application interface only, not stored patient data)
Stripe — payment processing (PCI-DSS compliant; global service; billing data only, never patient data; we never see full card details)
Google Maps Platform — geocoding, live tracking and route optimisation (global service; processes addresses transiently, not as part of a stored patient record)

We don't add new sub-processors without ensuring they meet an equivalent standard of data protection.

4. Security measures

All traffic between your browser, the driver app and our servers is encrypted (HTTPS).
Database access is enforced with row-level security, so one pharmacy's data is never visible to another.
Staff and driver accounts use role-based permissions — drivers can only see their own assigned stops, and restricted areas of the staff dashboard can be password-protected per pharmacy.
Controlled drug deliveries require a captured witness signature, stored securely against the delivery record.

5. Data subject requests relating to patients

If a patient asks your pharmacy to access, correct or delete their delivery information, your pharmacy — as the data controller — should action this directly through the dashboard wherever possible (editing or deleting a patient record, or exporting their delivery history). If you need our help completing a request, contact support@pharmgrowth.co and we'll assist promptly.

6. Where data is stored

Patient and delivery data — the core data your pharmacy processes through Routly — is stored and processed entirely on UK-region infrastructure. Our database (Supabase) and backend (Railway) are both configured to the UK region, so this data does not leave the UK in the ordinary course of providing the service.

Stripe (billing data only) and Google Maps Platform (transient geocoding and route data) are global services and may process limited, non-patient data outside the UK as part of their normal operation. Where this happens, appropriate safeguards are in place, such as the UK International Data Transfer Addendum or equivalent Standard Contractual Clauses.

7. Questions

For any data protection query, including DPA requests, email support@pharmgrowth.co.