Privacy & Cookies Policies

Privacy Policy

Version 2.0 – 11th September 2023


1. Purpose

To comply with the UK General Data Protection Regulation (GDPR) from 25 May 2018, this privacy policy explains how Alchemy Medical Writing Ltd (Alchemy) processes the personal information we collect from individuals.

2. Scope

This document defines the policies in place at Alchemy relating to data privacy and protection. All employees of Alchemy are responsible for adherence to the policy. It is the responsibility of the Leadership Team to ensure compliance and that the business is operated in accordance with all regulatory requirements.

3. What personal data is collected?

Personal data is defined by the UK GDPR and the Data Protection Act 2018 (collectively, “the Data Protection Legislation”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

We collect the information necessary to conduct medical writing services. This information includes names and contact details.

4. Where personal data is collected?

The following are the different sources we may collect personal information about potential clients or contacts:

  • Directly from the client.This is information the client provides while searching for medical writing services (for example their email address) and/or when we approach the client regarding possible opportunities. This could be during telephone conversations, face to face, via our website contact form, or via an email exchange. Alchemy will never share personal information with a third party without explicit consent from clients.
  • From an agent/third party acting on the client’s behalf.
  • Through publicly available sources. We use a range of public sources including:
    • LinkedIn
    • Google
    • Company Web sites and social media platforms
    • Professional Organisation websites
    • Conference brochures/delegate lists
  • By reference or word of mouth. For example, clients may be recommended by a friend or former colleague.

5. How is personal data used?

Under the Data Protection Legislation, we must always have a lawful basis for using personal data, the following list describes how we may use an individual’s personal data:

  • To respond to a prospective client’s enquiry about our services when they submit the ‘Contact Us’ form or by any other means, such as email, phone, or social media.
  • To progress an individual’s job application to make a recruitment decision.
  • To place Google Analytics on an individual’s device.
  • To meet our contractual requirements to support us in providing our services to clients.
  • To invoice clients, and to keep track of payments a client makes.
  • To place orders with suppliers for goods and services.
  • To manage our contractual and legal obligations to our employees, such as complete Right to Work checks.

We rely on the following legal basis to process personal data:

  • When processing is necessary for the performance of a contract to which the individual (data subject) is party or to take steps at the request of the data subject to entering into a contract, for example:
    • Providing a quote to a prospective client.
    • To deliver our services to an agreed statement of work.
    • To offer a prospective employee a position in the company on the condition certain criteria is fulfilled, such as suitable references.
  • Where processing is carried out in accordance with a legal obligation to which the controller (Alchemy) is subject, for example:
    • Asylum and Nationality Act 2006 to check employee is legally entitled to work in the UK.
    • Taxes Management Act 1970 for paying employees and deducting tax and national insurance contributions; and to pay supplier invoices.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller, such as:
    • Responding to enquiries from prospective clients.
    • Communicating with previous clients who have not purchased any further services from us to re-convert them to an active client.
    • To exchange business cards/contact details at events we may attend in order to follow-up with the individual.
  • The data subject (individual) has given consent to the processing of his or her personal data for one or more specific purposes, such as:
    • An employee agreeing for their photo to be published on the Company website.
    • An unsuccessful employee agreeing for their CV to be retained on file for 12-months.
    • Consent to Google Analytics cookies being place on an individual’s device when first visiting the website.

6. How long is personal data kept?

Due to the nature of outsourced medical writing services, we expect several clients will reconnect with our organisation periodically. For this reason, we retain personal details for a period of five years from the date of the last contact, at which point the personal data will be deleted. For prospective clients, we retain personal details for a period of two years from the date of initial contact.

We are required by law to retain employment records for six years from the date an employee leaves the organisation, at which point the record will be expunged from our systems.

For unsuccessful job applications, we are required to retain the candidate’s details for six months from the date of interview. Where we have consent, we will retain a copy of their CV on file for up to 12 months.

All financial records are retained for six years from the end of the financial year wherein the transaction took place. Unless required by the HM Revenue and Customs, records will then be deleted.

7. Who do we share personal data with?

We may share client’s personal information with third parties who perform functions on our behalf and who also provide services to us, such as sub-contracted medical writers or IT consultants carrying out testing and development work on our IT systems. These third parties comply with similar and equally stringent undertakings of privacy and confidentiality.

As we continue to develop our business, we may sell or purchase assets. If another entity acquires us or merges with us your personal information will be disclosed to such an entity. Also, if any bankruptcy or reorganisation proceeding is brought by or against us, all such information will be considered an asset of ours and as such it is possible, they will be sold or transferred to third parties.

Where required, we share personal information with third parties to comply with a legal obligation; when we believe in good faith that an applicable law requires it; at the request of governmental authorities conducting an investigation; to verify or enforce any applicable policies; to detect and protect against fraud, or any technical or security vulnerabilities; to respond to an emergency; or otherwise to protect the rights, property, safety, or security of third parties, visitors to the our website, our business or the public.

8. How and where do we store or transfer personal data (Information Security)

Alchemy uses:

  • SharePoint to store personal data. Any data hosted by SharePoint is encrypted and benefits from intrusion detection systems and multifactor authentication.
  • WordPress, our website Content Management System, processes personal data captured via the Contact Us form, note the personal data is not stored on WordPress, it is sent (on the fly) to You can find out how WordPress protect personal data here.
  • QuickBooks, our Accounting Software package stores personal data on individual’s including clients, suppliers, and employees. You can find out how QuickBooks protects personal data here.

We may store some of your personal data in countries outside of the UK (e.g., QuickBooks servers are hosted in the US). These are known as “third countries”.  We will take additional steps to ensure that an individual’s personal data is treated as safely and securely as it would be within the UK and under the Data Protection Legislation as follows:

  • We will only store or transfer personal data in or to countries that are deemed to provide an adequate level of protection for personal data. For further information about adequacy decisions and adequacy regulations, please refer to the Information Commissioner’s Office (here)

The security of personal data is essential to us, and to protect an individual’s personal data we take several important measures, including the following:

  • Limiting access to an individual’s personal data to those employees, agents, contractors, and other third parties with a legitimate need to know and ensure that they are subject to duties of confidentiality.
  • Procedures with dealing with data breaches (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, an individual’s personal data) including notifying you and/or the Information Commissioner’s Office were we are legally required to do so.

9. What happens if individual’s do not provide us with the data we request or ask that we stop processing their information?

If individual’s do not provide the personal information necessary or withdraw consent for the processing of their personal information, where this information is necessary for us to provide medical writing services, we may not be able to perform these services.

10. What automated decisions do we make concerning personal data?

We do not carry out automated decision-making.

11. What rights do individual’s have?

By law, individual’s (e.g., clients, prospective clients, suppliers, website visitors, and employees) have several rights under GDPR when it comes to their personal information.

Rights and What They Mean
  • The right to be informed:Individuals have the right to be provided with clear, transparent, and easily understandable information about how we use their information and their rights. This policy should tell individuals everything you need to know, but you can always contact us to find out more or to ask any questions to
  • The right of access:Individuals have the right to obtain access to the personal data Alchemy holds about them. An individual can ask for details of our processing activities in relation to their personal data, this request can be made in writing or verbally. There is no charge for such a request, and we will respond within one month of receiving it. If the request is complex, we may require more time (no more than 3-months). We will keep the individual fully informed of our progress with the request.We may charge a reasonable fee to cover our administrative costs of providing the information for:
    • Baseless or excessive/repeated requests
    • Further copies of the same information

Alternatively, we may be entitled to refuse to act on the request.

  • The right to rectification:Individuals are entitled to have their information corrected if it is inaccurate or incomplete.
  • The right to erasure:This is also known as ‘the right to be forgotten’ and, in simple terms, enables individuals to request the deletion or removal of their information where there is no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.
  • The right to restrict processing:Individuals have rights to ‘block’ or suppress further use of their information. When processing is restricted, we can still store their information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
  • The right to data portability:Individuals have rights to obtain and reuse their personal information for their own purposes across different services. For example, if they decide to switch to a new provider, this enables them to move, copy or transfer their information easily between our IT systems and theirs safely and securely, without affecting its usability.
  • The right to lodge a complaint:Individuals have the right to lodge a complaint about the way we handle or process their personal information with the Information Commissioner’s Office (ICO). Complaints can be submitted to the ICO either in writing, via phone or via the ICO website, the details are as follows:
    • Postal address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
    • Phone: 0303 123 1113
    • Website:

Any complaints received by Alchemy will be responded to in writing within one month of receipt.

  • The right to object to processing:Individuals have the right to object to certain types of processing, including processing for direct marketing (ie, if they no longer want to be contacted).Further information about your rights can be obtained from the ICO (here) or your local Citizen’s Advice Bureau.If an individual has any cause for complaint about our uses of their personal data, we would welcome the opportunity to resolve the concerns, so please contact us at:

12. How we contact individuals

We may contact individual’s (e.g., clients, prospective clients, suppliers etc.) by phone, email, or social media.

13. How Individual’s contact Alchemy Medical Writing Ltd

An individual may contact us by phone, email, or social media. Data Protection questions and concerns can be sent to

Cookies Policy

Version 1.0 – 22nd August 2023

1. Introduction

This Cookies policy explains how Alchemy Medical Writing Ltd (“we”, “us”, or “our”) uses cookies and similar tracking technologies on our website (“Our Site”). Your acceptance of our Cookies policy is deemed to occur when you select your preferred cookie options in our cookie pop-up.

2. What are cookies?

Cookies are small text files that are placed on your device (e.g., computer, smartphone, or tablet) when you visit our website. They are widely used to make websites work more efficiently and provide a better user experience. Cookies also enable us to gather information about your use of our website.

Our Site’s use of cookies complies with the Privacy and Electronic Communications (EC Directive) Regulations 2003, and, where applicable, the UK General Data Protection Regulation.

3. Types of cookies we use

Our Site may place and access certain first‑party cookies on your computer or device. First‑party cookies are those placed directly by Us and are used only by Us. We use cookies to facilitate and improve your experience of Our Site and to provide and improve Our Services. We have carefully chosen these cookies and have taken steps to ensure that your privacy and personal data is protected and always respected.

We may use the following types of cookies on our website:

  • Strictly Necessary Cookies: These cookies are necessary for the operation of Our Site and enable you to navigate and use its features. Without these cookies, certain functionality may be unavailable.
  • Analytics Cookies: These cookies help us understand how visitors interact with Our Site by collecting and reporting anonymous information. This information allows us to analyse trends, track user movements, and improve our website’s performance.
  • Functional Cookies: Enable us to provide additional features to you on Our Site such as personalisation and remembering your save preferences. Some functionality cookies may also be strictly necessary cookies, but not all fall into that category.
  • Targeting Cookies: It is important for Us to know when and how often you visit Our Site, and which parts of it you have used (including which pages you have visited, and which links you have visited). As with analytics cookies, this information helps us to better understand you and, in turn, to make Our Site and advertising more relevant to your interests.
  • Third Party Cookies: These cookies are not placed by Us; instead, they are placed by third parties that provide services to Us and/or to you. Third party cookies may be used by advertising services to serve up tailored advertising to you on Our Site, or by third parties providing analytics services to Us (these cookies will work in the same way as analytics cookies described above).
  • Persistent Cookies: Any of the above types of cookies may be a persistent cookie. Persistent cookies are those which remain on your computer or device for a predetermined period and are activated each time you visit Our Site.
  • Session Cookies: Any of the above types of cookies may be a session cookie. Session cookies are temporary and only remain on your computer or device from the point at which you visit Our Site until you close your browser. Session cookies are deleted when you close your browser.

The table below provides a list of the first-party cookies which may be placed on your computer or device.

The table below provides a list of the third-party Cookies which may be placed on your computer or device.

4. How do I change my cookie settings?

Before cookies are placed on your computer or device, you will be shown a cookie banner pop-up at the bottom of the page requesting your consent to set those cookies. By giving your consent to the placing of cookies you are enabling Us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of cookies unless those cookies are strictly necessary; however, certain features of Our Site may not function fully or as intended.

In addition to the controls that We provide, you can choose to enable or disable cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third-party cookies. By default, most internet browsers accept cookies, but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.

The links below provide instructions on how to control cookies in all mainstream browsers:

5. Changes to this cookie policy

We reserve the right to modify this policy at any time. Any changes we make will be posted on this page, and the revised policy will take effect immediately upon posting.

6. Contact us

If you have any questions or concerns about our use of cookies, please contact us at