Last Updated: 29/10/2023
MedBud™ takes user privacy and data protection seriously. We seek to comply with all applicable data protection requirements, which in the UK currently includes the inheritance of the European Union’s General Data Protection Regulation (GDPR).
Why are we here?
In December 2021, Cannapedia.org.uk was shut down, the main patient resource that at the time provided insight into the full cannabis formulary available to UK patients.
MedBud™ was founded in January 2022 by Ralph Leonardo MacMurray, a patient struggling to access information on their prescribed cannabis-based medications. Today we provide essential comparative metrics between prescription cannabis medications; clinics prescribing; pharmacies dispensing; and the producers/brands supplying CBPMs.
We’re depended upon by the majority of patients, clinicians and pharmacists as the only frequently maintained, independent and unbiased resource detailing all options currently available to patients.
We are currently 100% volunteer-led, we plan to incorporate as a non-profit organisation, and have been running a fundraiser since ‘4/20’ in 2023 to facilitate this. In the meantime, we publish all donations and expenses on our Public Accounts Ledger in the interest of full transparency. We do not allow companies to advertise, and will not accept funding in return for favour/influence/bias. We pride ourselves on impartiality.
Our postal address is: MedBud, 71-75 Shelton St, Covent Garden, London, WC2H 9JQ
In April 2023 we were first contacted by MHRA due to complaint over claimed unlawful advertising of controlled medications. After 6 months of legal negotiations, backed by a multi-national legal firm 'pro bono', MedBud has been required to restrict the amount of public information provided - in particular to ensure legitimate need to access information related to medication pricing, current stock levels, and dispensing pharmacies.
In order to continue providing the same level of information to patients, clinicians and pharmacists alike - MedBud has needed to devise an accounts and validation system to ensure we can confirm legitimate need to access protected information.
While setting up this system MedBud has decided to further build on its public statistics reporting and provide further anonymised public stats based on our user base. We're in a unique perspective to provide insight into an industry whereby few official stats are available, and attempt to do so in public interest. Most data is provided optionally via user profile fields, though by default we always report based on age group, region, and current length of time as a patient.
We collect some biographical data
When signing up for an account at MedBud™, we collect some limited biographical data in order to later facilitate publishing indiscriminate public statistics based on various personal attributes.
We record your name, general region (not address), and date of birth by default during registration - with some additional fields that can be optionally updated later in each user’s profile. While this information is attached to individual patient accounts, any statistics published based on this will always be entirely anonymised. We have to collect names and date of birth to ensure legal compliance, but do not publish this information.
Some data is collected for republication so that we can help ensure fair and equal treatment for all patients, whereby others are able to look for discrepancies in treatment between different genders, age groups, regions etc. based on statistics provided.
We collect data from your interactions with us
If you interact with us, we will automatically record some details of those interactions. For example, we will naturally collect details of email correspondence, and hard copy correspondence should be automatically scanned by our virtual office provider.
When you interact with us online we will automatically collect data about your use of our services, including data on the type of device you’re using, its IP address, your browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. Most of this data is collected by Google Analytics or Cloudflare.
In addition our servers, logs and other technologies automatically collect certain information to help us administer, protect and improve our services, analyse usage and improve users’ experiences.
For further information see our cookies policies below.
We may access or amend your personal data when we have legitimate interests in doing so
At times we will need to access or amend your data as part of daily operations, for example for administrative purposes, to provide information to you, to operate, evaluate, maintain, develop and improve our websites and services or to maintain their security. We will not process your data on a legitimate interest basis where the impact of the processing on your interests and rights outweigh our legitimate interests.
We will process the following personal data on the basis of our legitimate interests:
- data about how you use our website and services for the purpose of analysing the use of the website and services;
- data relating to your account (including your name and email address) for the purpose of operating our websites, providing our services, ensuring the security of our website and services, and maintaining our backups of your data bases;
- data included in your personal profile on our website for the purpose of enabling and monitoring your use of our website and services;
- data you submit to us relating to an enquiry about our website or services.
If you do not want us to process your personal data on the basis of our legitimate interests, let us know and we will double check to make sure that our interests in processing your personal data don’t outweigh your interests and rights.
We will process your personal data to comply with our legal and regulatory obligations
We may need to use your information to comply with legal and regulatory obligations; including complying with your information rights; with reporting obligations; and with court orders if ever received. We may also need to process your personal data to protect your vital interests or those of another person.
We must verify your date of birth in line with the expected Online Safety Act 2023, and we must verify your legitimate need to access information on controlled drugs - with stringent legislation/guidelines surrounding its publication:
- For patients, we verify accounts by checking (and then permanently deleting) a prescription copy. We may need to reverify at a future date.
- For medical professionals, we check public registers such as GPhC, GP Register, NMC Register to ensure details provided match.
- For general clinic/pharmacy staff, or companies otherwise, we validate based on email domain - but may have to provide limited access based on company/position, and your genuine need to access information held.
We need your consent to process special category data
Under the GDPR, personal data is considered to be special category data where it reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a data subject's sex life or sexual orientation.
We process your special category data as part of our verification process to ensure you have legitimate and lawful need to access controlled information on controlled medications. It is additionally processed for: archiving purposes in the public interest; for scientific or historical research purposes; and statistic purposes. Please see 'How long do we keep your personal data' for details on when accounts are automatically anonymised and archived by MedBud. You can remove consent for sharing special category data at any time, this will require us to deactivate and archive your account, as we're no longer able to meet our regulatory commitment to provide account verification for accessing any controlled information.
You can ask for access to the information we hold on you
You have the right to ask for all the information we have about you and the services you receive from us. When we receive a request from you in writing, we must give you access to everything we’ve recorded about you as well as details of the processing, the categories of personal data concerned and the recipients of the personal data.
We will provide the first copy of your personal data free of charge, and hope to automate the Subject Access Request procedure to ensure it's useable without charge at all times. There is otherwise meant to be a statutory £10 fee for processing a Subject Access Request, in most circumstances this will be waived, though we reserve the right to charge if we feel there is an unwarranted abuse of our free SAR procedure.
We cannot provide access to a copy of any data that would adversely affect the rights and freedoms of others - for example if this contains another’s personal information.
You can ask to change information you think is inaccurate
You should let us know if you disagree with something included in your personal data.
Most user data held is freely updatable by editing your account profile, exceptions are made when we must hold validated information to evidence your legitimate need to access protected information. We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it, if ever necessary.
You can ask to delete information (your right to be forgotten)
In some circumstances you can ask for your personal information to be deleted, for example, where:
- your personal information is no longer needed for the reason that it was collected in the first place;
- you have removed your consent for us to use your information (where there is no other legal reason us to use it);
- there is no legal reason for the use of your information;
- deleting the information is a legal requirement.
Please note that we can’t delete your information where:
- we’re required to have it by law or regulation;
- it is used for freedom of expression;
- it is used for public health purposes;
- it is for scientific or historical research or statistical purposes where deleting the data would make it difficult of impossible to achieve the objectives of the processing;
- it is necessary for legal claims.
You can ask us to limit what we use your personal data for
You have the right to ask us to restrict what we use your personal data for where:
- you have identified inaccurate information, and have told us of it;
- where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether.
When personal data is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests.
Where restriction of use has been granted, we’ll inform you before we carry on using your personal data.
You have the right to ask us to stop using your personal data for any of our services. Where possible we’ll seek to comply with your request, but we may need to hold or use data because we are required to by law. You should also be aware that If your request is approved this may cause delays or prevent us delivering that service.
Transfers outside the UK & EEA
MedBud operates server and technology infrastructure hosted in the United States, which may require the duplication and holding of your data (including special category) outside of the UK or EU, to ensure the website can continue to operate as otherwise outlined in this document.
We may transfer your data to our headquarters which we intend to base in the US - with MedBud planned to operate in multiple legal jurisdictions. Where necessary, we ensure the safety of your personal data through the adoption of Standard Contractual Clauses. We rely on the Standard Contractual Clauses under Article 46.2 of the GDPR.
We do not provide your personalised special category data to 3rd parties, and this policy does not vary between international jurisdictions. Your privacy and the security of your special category data are of paramount importance to us, and we strictly adhere to the regulations outlined in the GDPR to protect your information.
We seek explicit consent for the transfer of any special category data during our sign-up process.
How long do we keep your personal data
We will retain data about your use of our websites, products and services and data indefinitely where it is utilised for the purposes of providing public statistics, in public interest.
In some circumstances it is not possible for us to specify in advance the period for which we will retain your personal data. In such cases we will determine the appropriate retention period based on balancing your rights against our legitimate interests. We anonymise, archive and mark accounts as inaccessible when requested - or by default after a period of account inactivity lasting longer than a year.
We will always retain your personal data where this is necessary for compliance with a legal obligation to which we are subject or in order to protect your vital interests or those of another person.
We update and test our security technology on an ongoing basis. We restrict access to your personal data to staff who need to have access to it to provide services or benefits to you. We also train our volunteers about the importance of confidentiality and maintaining the privacy and security of your information, with a Non-Disclosure Agreement signed.
We will post any changes on the website and when doing so will change the updated date at the top of this privacy notice. Please make sure to check the date when you use our services to see if there have been any changes since you last used those services. If you are not happy with any changes that we have made you should cease using our services.
In some cases we may provide you with additional notice of changes to this privacy statement, such as via email. We will always provide you with such additional notice well in advance of the changes taking effect where we consider the changes to be material.
Cookies may be either “persistent” cookies or “session” cookies:
- a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date;
- a session cookie will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
Cookies help us improve the products and services that we offer you. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
- identify you when you visit our website and as you navigate our website (authentication cookies);
- help us to determine if you are logged into our website and to facilitate single sign on
- store information about your preferences and to personalize the website for you
- help us to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally
- help us to analyse the use and performance of our website and services; and
To ensure that an opt-out is maintained in respect of a particular browser, you may wish to consider using the Google browser plug-ins.
Cloudflare uses various cookies to maximize network resources, manage traffic, and protect our customers’ sites from malicious traffic.
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
- Cookie Settings for Mozilla Firefox
- Cookie Settings for Google Chrome
- Cookie Settings for Apple Safari
- Cookie Settings for Microsoft Edge
- Cookie Settings for Microsoft Internet Explorer
- Cookie Settings for Opera
Blocking all cookies will have a negative impact upon the usability of many websites. If you block cookies, you will not be able to use all the features on our websites, products and services.
Most browsers allow you to refuse to accept cookies, and to delete cookies.
Our Contact Details
- by post, using the postal address given above;
- using our website contact form;
- by email, using the email address: firstname.lastname@example.org