INDEX / DIRECTORY / SUPERDRUG / DIGITAL

Superdrug DIGITAL

DIGITAL INFRASTRUCTURE AUDIT UPDATED 2026-06-16
Digital Score 0.00 /10 E Superdrug - BDS-1000 0
Digital 0.00

Evidence-only forensic audit. Scoring happens downstream - see the main dossier for the composite assessment.

Digital Audit: Superdrug Stores plc

Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: Superdrug Stores plc (Companies House no. 00807043) Parent / Ultimate Owner: AS Watson (Health & Beauty UK) Limited, part of the A.S. Watson Group, majority-owned by CK Hutchison Holdings Ltd (Hong Kong), with a minority stake held by Temasek Holdings (Singapore) Audit Date: June 2026 Evidence Base: Published corporate disclosures, vendor case studies and press releases, trade and technology press, NGO/civil-society research, regulatory and biometric-policy reporting, and Superdrug’s own published privacy notices. All factual claims are drawn from publicly available sources cited in the End Notes.

Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - Superdrug procuring technology from Israeli-origin vendors - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: an Israeli vendor’s other clients, its founders’ backgrounds, or a parent group’s separate activities are not attributed to Superdrug. US-entity relationships (e.g. Microsoft, Amazon Web Services, Google Cloud, Salesforce) are not Israeli-origin and are noted only for completeness. Cyberattacks committed against Superdrug are recorded as digital context, not as provision.

Enterprise Technology Stack & Vendor Relationships

Core Commerce, Marketing, and Operations Platforms (Direction: Superdrug as customer)

Superdrug’s publicly documented marketing-technology relationship is with Movable Ink, a US-headquartered content-personalisation vendor. A Movable Ink case study documents Superdrug using its platform across email, mobile push, and in-store/location-based messaging - including campaigns highlighting each customer’s nearest Pharmacy First store and personalised fragrance promotions.1 The same case study references Movable Ink’s integration with Salesforce Marketing Cloud as the broader personalisation ecosystem, though the Superdrug-specific page names only Movable Ink directly.1 Salesforce is a US-headquartered entity; this is not an Israeli-origin vendor relationship and is recorded for completeness only.

Superdrug won a 2024 DataIQ Award (Most Effective Stakeholder Engagement), reflecting an internal data/analytics function, but the award listing does not disclose specific technology vendors.2 No public, vendor-confirmed case study independently corroborating earlier trade-press attributions of SAP Commerce Cloud, Informatica, Aptos, or Manhattan Associates to Superdrug was located in this review; those engagements are not relied upon here as confirmed.

Israeli-Origin Software and Services (Direction: Superdrug as customer)

No public evidence identified of a direct licensing, subscription, or integration relationship between Superdrug and any Israeli-origin software, analytics, or cybersecurity vendor. No vendor case study, press release, procurement record, trade-press report, or regulatory filing reviewed identifies Superdrug as a customer of any Israeli-founded firm such as Check Point, Wiz, SentinelOne, CyberArk, NICE Systems, Verint Systems, or Claroty. No public evidence identified.

Parent-Group Technology Governance

A.S. Watson Group and CK Hutchison Holdings address group-level technology governance at a consolidated level in corporate reporting; CK Hutchison disclosed in early 2026 that it was preparing a possible listing of the A.S. Watson health-and-beauty business (which operates Watsons and Superdrug).34 Group-level disclosures do not disaggregate technology-vendor relationships to the Superdrug operating-company level, so Superdrug-specific cybersecurity, infrastructure, or software vendors are not confirmable from group filings alone. No Israeli-origin vendor is identified at group level in the sources reviewed.

Cybersecurity Vendor Stack - Evidentiary Gap

Superdrug does not publicly disclose its endpoint-security, SIEM, firewall, or network-monitoring vendors. No reviewed source names a cybersecurity supplier - Israeli-origin or otherwise. Whether Superdrug relies on a managed security services provider whose own platform embeds Israeli-origin components is not determinable from public sources. No public evidence identified.

Surveillance, Biometrics & Retail Technology

Live Facial Recognition - In-Store Deployment

Superdrug publishes a dedicated Facial Recognition Privacy Notice confirming that live facial recognition technology is in operation within selected Superdrug stores, with signage displayed.5 Per that notice, an AI-powered CCTV camera in each participating store generates a biometric template of every individual in its field of view; Superdrug’s security team extracts facial images of persons who have recently committed unlawful acts, which are reviewed and approved by a Superdrug Regional Security Manager before being submitted to a third-party facial-recognition provider for matching.5 Superdrug states the stated purpose is colleague/customer safety and crime reduction.5

The third-party provider is not named in Superdrug’s published privacy notice, and no reviewed source independently confirms the vendor’s identity. The dominant UK retail live-FR vendor is Facewatch, a London-based company founded in 2010 by Simon Gordon; Facewatch is documented as serving 125-plus UK retailers (including Sainsbury’s, Frasers Group, Home Bargains, Sports Direct) and announced a 2026 “PharmacyProtect” push into the pharmacy sector.678 Facewatch is a UK-origin vendor with no Israel nexus identified in the sources reviewed.69 No public source reviewed in this audit positively confirms Facewatch (or any other named vendor) as Superdrug’s specific provider; the vendor identity is therefore recorded as an evidentiary gap.5

Israeli-Origin Surveillance / Biometric Vendors

No public evidence identified that Superdrug deploys facial-recognition, biometric, gait-analysis, or in-store behavioural-analytics technology of Israeli origin (e.g. Oosto/AnyVision, BriefCam, Trigo, Trax). Israeli retail-tech firms such as Trigo are documented with other European clients but are not linked to Superdrug in any reviewed source. No public evidence identified.

Police Data-Sharing Schemes (Project Pegasus)

Project Pegasus is a UK Home Office / police retail-crime data-sharing scheme under which participating retailers submit CCTV imagery to be run against the Police National Database using retrospective facial recognition.1011 Reporting names participating retailers including the Co-op, Tesco, Sainsbury’s, John Lewis, Waitrose, and Next; the reviewed sources do not name Superdrug as a confirmed Pegasus member.1011 Project Pegasus is a UK domestic law-enforcement programme with no Israel nexus, and the matching is performed by police, not by an Israeli-origin vendor.1011 No public evidence identified linking Superdrug to Pegasus.

Predictive Analytics, Workforce Surveillance, and Social-Media Monitoring

No public evidence identified of Superdrug deploying Israeli-origin predictive-analytics, social-media-monitoring, or workforce-surveillance tools. Superdrug’s disclosed analytics use is consumer-facing personalisation via the Movable Ink/Salesforce ecosystem.1

In-Store Loss-Prevention Technology - Evidentiary Gap

Beyond the published live-FR notice, Superdrug does not disclose the suppliers of its broader in-store camera, analytics, or loss-prevention technology. The identity of those vendors - and whether any embeds Israeli-origin technology - cannot be confirmed from public sources. No public evidence identified.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Cloud Platform and Data-Centre Footprint

Superdrug’s clinical arm, Superdrug Online Doctor, is operated on behalf of Superdrug Stores plc by Zava (Health Bridge Limited), which stores medical information in Amazon Web Services servers located in the EU and holds Cyber Essentials Plus certification.1213 AWS is a US-domiciled provider. No data-centre operations in Israel are disclosed by Superdrug, A.S. Watson, or CK Hutchison in any reviewed corporate source.34 A.S. Watson’s Middle East retail footprint covers GCC markets (UAE, Saudi Arabia, Qatar, Bahrain) via the Watsons fascia; no Israeli operation, data centre, or cloud region is referenced.14

Government Cloud Programmes - Project Nimbus and Equivalents

Not applicable. Project Nimbus is the Israeli-government cloud contract awarded to Google Cloud and Amazon Web Services; Superdrug is neither a participant nor a sub-provider. Superdrug is a retail technology consumer, not a cloud-services vendor. No public evidence identified of Superdrug involvement in any Israeli state-backed digital-infrastructure programme.

Sovereign Cloud and Data-Residency Services to State Institutions

No public evidence identified of Superdrug providing technology services, data infrastructure, or cloud capabilities to any state institution of any jurisdiction - Israeli, UK, or otherwise. Superdrug’s technology function is inward-facing, serving retail operations, e-commerce, loyalty, and the Online Doctor clinical service.

Data Sub-Processor Disclosures - Evidentiary Gap

Superdrug’s retail and Online Doctor privacy notices reference third-party data processors but do not publish a full, itemised sub-processor list.513 The complete set of data sub-processors - which might reveal indirect exposure to Israeli-origin cloud or analytics infrastructure - cannot be determined from published documents. No public evidence identified of any Israeli-origin sub-processor.

Defence, Intelligence & Security Sector Technology Relationships

Military and Intelligence Contracts

No public evidence identified. Superdrug is a high-street health-and-beauty retailer with no disclosed contract, partnership, or service agreement with any defence, intelligence, or military body in any jurisdiction, including the Israeli Ministry of Defence, the IDF, or Israeli intelligence agencies.

Provision of Technology / Data to the Israeli State or Military

No public evidence identified of Superdrug providing surveillance technology, data, software, cloud capacity, or digital services to the Israeli state, military, or security services. This is the directionally serious Digital case, and no qualifying evidence of it was found. No public evidence identified.

Dual-Use Technology Provision

No public evidence identified. Superdrug does not develop, manufacture, or export technology products; it is a retail consumer of technology. No export-licensing activity, dual-use-goods registration, or defence-procurement record was identified in any reviewed filing.

Offensive Cyber Capability

No public evidence identified. Superdrug does not develop, license, or sell offensive cyber capability. In August 2018 Superdrug was itself the target of a credential-stuffing-based extortion attempt: an attacker claimed to hold the data of up to 20,000 online customers (names, addresses, dates of birth, phone numbers, loyalty-point balances; no payment data), which Superdrug attributed to credentials reused from breaches of other websites rather than a compromise of its own systems; the ICO, police, and Action Fraud were notified.1516 This incident was done to Superdrug and has no nexus to the provision of technology to Israel; it is recorded here as digital context only.

Group-Level Technology Subsidiaries - Evidentiary Gap

CK Hutchison’s group includes telecommunications operators with their own infrastructure. Whether any group-level cybersecurity or cloud contract - potentially involving Israeli-origin technology - extends to Superdrug’s IT estate through shared-services arrangements is not publicly disclosed.34 This is an evidence gap, not a positive finding. No public evidence identified.

AI, Algorithmic & Autonomous Systems

AI/ML Provision to Israeli State Bodies

No public evidence identified of Superdrug developing, marketing, or selling AI or machine-learning platforms, models, or services to any external party, including Israeli state, military, or security bodies. Superdrug is a technology consumer, not an AI vendor.

Consumer-Facing and Operational AI Use

Superdrug operates a consumer-facing online Skin & Age Analyser (“Skin Analysis”) tool on its website,17 and applies data-driven personalisation through the Movable Ink/Salesforce ecosystem (US-origin platforms).1 No public evidence identified that any data set originating in Israel or the occupied territories has been incorporated into Superdrug’s AI development or model training. No Israeli-origin AI vendor is identified in Superdrug’s disclosed stack.

Training Data & Model Development Involving Israeli Population Data

No public evidence identified of Superdrug contributing to, commissioning, or benefiting from AI model development involving Israeli population datasets.

Autonomous Systems and Lethality

No public evidence identified. The development or deployment of autonomous lethal systems is not within Superdrug’s business domain.

Technology Ecosystem & R&D Footprint

Israeli R&D Facilities

No public evidence identified that Superdrug operates any R&D facility, engineering office, innovation lab, or accelerator programme within Israel. A.S. Watson’s and CK Hutchison’s disclosed footprints reference no Israeli operation.314

Acquisitions & Investments in Israeli Technology Companies

No public evidence identified of Superdrug acquiring, or taking a corporate-venture stake in, any Israeli technology company. No Israeli technology-company acquisition is disclosed in relation to Superdrug’s technology operations in the reviewed group reporting.34

Patents & IP Co-Development with Israeli Institutions

No public evidence identified of patent portfolios, licensing, or co-development arrangements between Superdrug and Israeli-domiciled entities or research institutions (Technion, Hebrew University, Weizmann Institute). Superdrug is a retailer, not a technology R&D company.

Health-Clinic Technology and Patient Data

Superdrug Online Doctor is operated by Zava (Health Bridge Ltd), regulated by the Care Quality Commission and General Pharmaceutical Council, with patient data stored in AWS EU data centres.1213 No Israeli-origin clinical technology, electronic-health-record system, or health-data-processing partnership is identified in any reviewed document relating to Superdrug Online Doctor. No public evidence identified.

Supplier Code of Conduct - Technology Supply-Chain Provisions

Superdrug publishes a Modern Slavery Act transparency statement addressing labour standards in its physical product supply chain; the reviewed disclosures do not contain provisions governing the national origin or geopolitical exposure of technology vendors, software suppliers, or digital-infrastructure providers. No technology-supply-chain due-diligence framework specific to vendor geopolitical exposure is publicly documented by Superdrug. No public evidence identified.

Civil Society Scrutiny & Regulatory History

NGO & Academic Scrutiny - Technology Supply Chain

No public evidence identified of an NGO investigation, academic study, or UN report addressing Superdrug’s technology relationships with the Israeli state, Israeli defence entities, or Israeli-origin vendors. Civil-society attention on UK retail live facial recognition (e.g. Big Brother Watch, Privacy International) has centred on the technology category and named vendors such as Facewatch generally, not on any Israel nexus to Superdrug.69

BDS and Boycott Campaigns

No public evidence identified of an organised boycott, divestment, or sanctions campaign specifically targeting Superdrug in relation to technology provision to Israeli state entities or operations in occupied territories. Reviewed BDS/Palestine Solidarity Campaign material from 2025 focuses on other companies (e.g. Co-op sourcing decisions, Coca-Cola, Teva) and does not name Superdrug’s technology relationships.1819 No public evidence identified of a BDS campaign specifically targeting Superdrug’s technology relationships.

ICO and Regulatory Record

Superdrug is a registered UK data controller and maintains GDPR-compliant privacy notices for its retail operations, facial-recognition deployment, and Online Doctor service.513 The 2018 credential-stuffing extortion attempt was notified to the ICO.1516 No public evidence identified of an ICO enforcement notice, monetary-penalty notice, or formal undertaking against Superdrug relating to surveillance technology, Israeli data flows, or biometric data processing.

Export Controls & Sanctions Authorities

No public evidence identified of any action by UK export-control authorities, HMRC, the Office of Financial Sanctions Implementation (OFSI), or any equivalent body relating to Superdrug technology sales, services, or data transfers to Israeli state entities. No public evidence identified.

Evidence Gaps

  1. Live-FR vendor identity (high priority) - Superdrug confirms it operates live facial recognition in selected stores via an unnamed third-party provider; the specific vendor (and thus any country-of-origin assessment of that vendor) is not publicly confirmed. The leading UK vendor, Facewatch, is UK-origin, but its engagement by Superdrug is not independently confirmed.
  2. Full IT and cybersecurity vendor stack - As a private operating company, Superdrug does not disclose its sub-strategic IT, cloud, and security-product vendors; Israeli-origin exposure cannot be positively excluded on public evidence.
  3. Enterprise-platform attributions - Earlier trade-press attributions (SAP Commerce Cloud, Informatica, Aptos, Manhattan Associates, Google Cloud) were not independently re-confirmed via vendor case studies in this review and are not relied upon here as established.
  4. Data sub-processors - Neither the retail nor the Online Doctor privacy notice publishes a full itemised sub-processor list, leaving indirect Israeli-origin cloud/analytics exposure unassessable.
  5. Group shared-services overlap - Whether CK Hutchison group-level technology contracts reach Superdrug’s IT estate is not publicly disclosed.

End Notes

Footnotes

  1. https://movableink.com/case-studies/superdrug-case-study 2 3 4

  2. https://www.dataiq.global/award-winner/2024-dataiq-awards-most-effective-stakeholder-engagement/

  3. https://www.businessoffashion.com/news/beauty/ck-hutchison-superdrug-watsons-ipo/ 2 3 4 5

  4. https://uk.fashionnetwork.com/news/Superdrug-owner-plots-london-stock-exchange-ipo,1796732.html 2 3 4

  5. https://www.superdrug.com/privacy-policy/facial-recognition 2 3 4 5 6

  6. https://www.crunchbase.com/organization/facewatch 2 3

  7. https://www.biometricupdate.com/202606/facewatch-wants-to-bring-live-facial-recognition-to-uk-pharmacies

  8. https://www.facewatch.co.uk/pharmacyprotect/

  9. https://privacyinternational.org/long-read/4216/facewatch-reality-behind-marketing-discourse 2

  10. https://www.biometricupdate.com/202309/uk-police-retailers-partner-to-fight-shoplifting-with-biometrics 2 3

  11. https://www.computerweekly.com/news/366580438/Facial-recognition-to-play-key-role-in-UK-shoplifting-crackdown 2 3

  12. https://onlinedoctor.superdrug.com/about.html 2

  13. https://www.zavamed.com/uk/about-us.html 2 3 4

  14. https://www.aswatson.com/markets/middle-east/ 2

  15. https://www.retailgazette.co.uk/blog/2018/08/superdrug-hit-hackers-claim-20000-customers-details-risk/ 2

  16. https://www.huffingtonpost.co.uk/entry/superdrug-customer-data-breach-hackers_uk_5b7d277ce4b07295150e497a 2

  17. https://www.superdrug.com/skin-analysis

  18. https://palestinecampaign.org/campaigns/bds-2/

  19. https://bdsmovement.net/Guide-to-BDS-Boycott