Our contact details are: EyeBuyDirect, Inc., firstname.lastname@example.org
Our Data Protection Officer is: Stéphane Larriere, DataProtectionOfficer@eyebuydirect.com
Our GDPR representative in the European Union is TNP Consultants. You may contact our representative at: representativeEBD@eyebuydirect.com
1. What information we collect
1.1. Data we collect when you visit our website:
When you access our website, we automatically collect and store some of your data in our server logs and in cookies, which are small files sent to your computer when you visit our website.
This data does not allow us to directly identify you; however, it records data related to your browsing activity on our website, such as:
The pages you accessed, the date and time you accessed them, and your search requests.
Information on your device, such as hardware model, operating system version, unique device identifier, internet protocol address, hardware settings, browser type, and browser language.
The referral URL (in other words, the website that sent you to EyeBuyDirect, if you came to our website through a prior link).
1.2. Data you may provide when you sign up or when you order eyeglasses:
We always aim to deliver the highest level of customer service and experience. Some of the services offered on our website require you to sign up for them. If you want to use these services, we will ask you to provide us with accurate personal information, Personal Identifying Information (PII) or Personal Health Information (PHI), as defined herein, and let us know if your data changes and needs updating. If you do not want to provide this information or any relevant updates, we may not be able to deliver the services you requested.
You may provide the following types of personal data, PII or PHI when you use our services:
your name, telephone number, e-mail address, home address, login and password, photograph, eyeglass prescription, credit card information, HSA debit card information, and date of birth.
Financial data, including your credit or debit card information, is not stored by us except for the last four digits and expiration date. When placing an order, you are redirected to a third-party service provider who handles the payment process.
2. HOW WE USE PERSONAL DATA PROVIDED OR COLLECTED
We only ever use your personal data within the limits authorized by laws and regulations, to deliver and enhance our services and your customer experience. Sometimes, we use your personal data because the laws and regulations require us to do so. We do not make any automated decisions, solely based on the automatic processing of your data, which could affect you.
We may use your personal data for the following purposes:
Fulfill your order(s) for prescription or non-prescription eyeglasses.
Facilitate delivery of your purchases.
Update you on the progress of your order(s).
Send re-stock reminders.
Process automatic re-orders.
Service your account.
To contact you in case of a product recall.
We anonymize your IT data and use it to:
Improve your experience on our website.
Provide the best possible customer service experience.
Help us to identify and report on bugs and issues.
Assess the impact of changes we make on customer behavior.
Analyze and improve the performance of the website.
The payments and refunds are processed through a third-party payment processor.
3. HOW WE SHARE YOUR INFORMATION
At times we may share certain personal information with third parties to provide or improve our products and services, or to send personalized and targeted messages to customers. When we do so, we require those third parties to handle it in accordance with relevant laws.
We may use third-party advertising companies or affiliates to display advertisements on our website. These third-party advertising companies or affiliates may separately place or recognize a cookie file on your browser in the process of delivering advertisements to our site. We cannot see the information collected or stored in third-party cookies. And we do not provide personal information about you to these third-party advertisers or affiliates, or to any other third party. Still, we seek to protect the integrity of our site and our customers’ privacy, and welcome any feedback about these third-party entities.
4. HOW WE PROTECT YOUR INFORMATION
We have robust measures in place to protect your personal data against unauthorized access, use, or disclosure, including without limitation:
We are required to maintain the privacy of your PHI, to notify you of any breaches of your unsecured PHI, and to provide you with notice of our legal duties and privacy practices with respect to PHI.
We apply sophisticated technical measures to ensure that your personal data is recorded and processed in complete confidentiality and security.
We apply appropriate restrictions on access to your personal data, and monitoring of the access, use, and transfer of personal data.
All our employees who have access to your personal data are required to enter into non-disclosure or similar agreements, which impose obligations on them to comply with our data privacy and confidentiality requirements.
We require any business partners and third-party service providers with whom we may share your personal data to comply with any applicable data privacy and confidentiality requirements.
We provide data privacy training on a regular basis to our employees.
5. PRIVACY PRACTICES RELATING TO YOUR PHI
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE READ IT CAREFULLY.
EyeBuyDirect will only use and disclose your PHI without your authorization when necessary for:
coordination of your vision care treatment
health care operations, or
as required or permitted by law (please see “Use or Disclosure Required or Permitted by Law” section).
Disclosure To EyeBuyDirect’s Business Associates
EyeBuyDirect will only disclose your PHI to Business Associates who have agreed in writing to maintain the privacy of PHI as required by law.
Use Or Disclosure Requiring Authorization
EyeBuyDirect will not use or disclose your PHI for purposes other than those described in this Notice. If it becomes necessary to disclose any of your PHI for other reasons, EyeBuyDirect will request your written authorization. EyeBuyDirect will obtain your authorization for any sale of PHI or to use or disclose your PHI for marketing. Revoking Authorization: If you provide written authorization, you may revoke it at any time in writing, except to the extent that EyeBuyDirect has relied upon the authorization prior to its being revoked.
Use Or Disclosure Required Or Permitted By Law
EyeBuyDirect may use or disclose your PHI to the extent that the law requires the use or disclosure:
Public Health: For public health activities or as required by the public health authority.
Health Oversight: To a health oversight agency for activities such as audits, investigations and inspections. Oversight agencies include, but are not limited to, government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
Legal Proceedings: In response to an order of a court or administrative tribunal, in response to a subpoena, discovery request or other lawful process.
Law Enforcement: For law enforcement purposes, including:
- legal process or as otherwise required by law;
- limited information requests for identification and location;
- use or disclosure related to a victim of a crime;
- suspicion that death has occurred as a result of criminal conduct;
- if a crime occurs on EyeBuyDirect’s premises; or
- in a medical emergency where it is likely that a crime has occurred.
Criminal Activity: As requested by law enforcement authorities, if the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
EyeBuyDirect may disclose your PHI to a person who has legal authority to make health care decisions on your behalf.
Disclosure Requiring Opportunity To Object
EyeBuyDirect may disclose your PHI to a family member, friend, or other person involved in your care or payment if the information is relevant to their involvement and you have agreed or had an opportunity to object.
A person or entity that performs a service for EyeBuyDirect, and creates, maintains, transmits, uses or discloses PHI in the course of performing those services. These services may include, but are not limited to:
bill payment with HSA debit card(s)
Health Care Operations
Activities related to EyeBuyDirect’s operations, including but not limited to:
customer issue resolution
implementing and maintaining compliant privacy and security policies and procedures.
Transmission or processing of claims for services you receive from EyeBuyDirect.
Personal Identifying Information
Information related to an identifiable person.
Protected Health Information
Information relating to a patient-customer’s past, present or future health or condition, the provision of health care to a patient-customer, or payment for the provision of health care to a patient-customer. PHI includes, but is not limited to:
Social Security number/member ID
diagnosis or prescription information
The provision, coordination or management of vision care and related services by one or more vision care providers.
7. Your rights
Under applicable data protection laws and regulations, you have the right:
Of access to, correction of, and/or erasure of your personal data.
To restrict or object to its processing.
To tell us that you do not wish to receive marketing information.
In some circumstances: to require certain parts of your personal data to be transferred to you or a third party.
To the extent our processing of your personal data is based upon your consent: to withdraw your consent, without affecting the lawfulness of our processing based on your consent before its withdrawal.
Your email and full name and last name, as registered with EyeBuyDirect.
Your specific petition (in other words, what rights you want to exercise).
The date of the application and your signature (if you sent your application by postal mail).
8. VIRTUAL TRY-ON POLICY AND CONSENT
EyeBuyDirect gives you the opportunity to virtually try on EyeBuyDirect eyeglasses prior to purchase by using its Virtual Try-On (VTO) tool. You can use your device’s live camera feed or upload a photograph to see what EyeBuyDirect’s eyeglasses look like in real-time – on your own device. When you use the VTO, it downloads to your personal device and runs and processes data only on your device. Only you see these real-time images on your device. They exist only in the moment when you are using the VTO and are immediately deleted from your device when your use of the VTO ends.
There is no external transfer of VTO data or images from your device to EyeBuyDirect except for eyeglass SKU numbers, Google Analytics click tracking data, and any photographs you uploaded to the VTO after creating an EyeBuyDirect account.
If you created an EyeBuyDirect account, EyeBuyDirect will store your uploaded photographs for one year for your convenience for future VTO use only and then will promptly destroy them. You may also delete your uploaded photographs from the VTO at any time. EyeBuyDirect does not collect any biometric data from your uploaded photographs and does not use your uploaded photographs to identify you.
This policy and consent is intended to comply with laws such as the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq., the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code Ann. §503.001, the Washington Biometric Privacy Law, Wash. Rev. Code Ann. §19.375 et seq., the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., and other applicable laws and supplements prior communications, policies and practices that relate to this subject.
EyeBuyDirect does not collect, store or possess any biometric identifiers or biometric information identifiable to you, as defined by the Biometric Information Privacy Act, 740 ILCS 14/1 et seq. A “biometric identifier” is “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” “Biometric information” is “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” 740 ILCS 14/10. Biometric identifiers and biometric information do not include “photographs” or “information captured from a patient in a health care setting, or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.” Id.
10. Mutual Arbitration Agreement With Class Action and Class Arbitration Waiver
Section 10.1. Informal Dispute Resolution.
Section 10.2. Agreement to Binding Arbitration.
If we do not reach an agreed upon solution within a period of thirty (30) days from the time informal dispute resolution is pursued pursuant to Section 9.1 above, then either EyeBuyDirect or you may initiate binding arbitration. EyeBuyDirect and you agree that all legal disputes and claims between you shall be determined exclusively by final and binding arbitration. Claims subject to this Agreement shall include claims against EyeBuyDirect’s parents, subsidiaries, affiliates, brands, clients, customers, alleged agents, alleged joint ventures, and their respective directors, officers, employees, and agents, whether current, former, or future. The only legal disputes and claims excluded from this Agreement are claims: (a) to enforce this Agreement, compel arbitration, or enforce, modify, or vacate an arbitrator’s award; (b) asserted by you prior to your execution or deemed acceptance of this Agreement; and (c) asserted on your behalf by another individual if and only if such a claim was filed prior to your execution or deemed acceptance of this Agreement.
The arbitration shall be administered on a confidential basis by JAMS, in accordance with JAMS Streamlined Arbitration Rules and Procedures, excluding any rules or procedures governing or permitting class arbitration, and Federal Rule of Civil Procedure 68 (“Offer of Judgment”). Each party will have the right to use legal counsel in connection with arbitration at his, her or its own expense. The parties shall select a single neutral arbitrator in accordance with JAMS Streamlined Arbitration Rules and Procedures. The arbitration may be held virtually or in (or near) the city in which you resided when you used EyeBuyDirect’s Site or services.
Except as noted in Section 9.3, the arbitrator, and not any federal, state or local court or agency, shall have exclusive authority to resolve any dispute relating to the interpretation, applicability, enforceability or formation of this Agreement, including without limitation any claim that it is void or voidable. If any provision of this Agreement is deemed invalid or unenforceable, such provision shall be modified automatically to the minimum extent necessary to render this Agreement valid and enforceable for individual arbitration.
The arbitrator shall be empowered to grant whatever relief would be available in a court under law or in equity. The arbitrator’s award shall be in writing and provide a statement of the essential findings and conclusions, shall be binding on the parties and may be entered as a judgment in any court of competent jurisdiction. The interpretation and enforcement of this Agreement shall be subject to the Federal Arbitration Act.
The JAMS rules governing the arbitration may be accessed at https://www.jamsadr.com/adr-rules-procedures. If you initiate arbitration, to the extent the filing fee for the arbitration exceeds Three Hundred U.S. Dollars ($300), EyeBuyDirect will pay the additional cost. EyeBuyDirect will also be responsible for paying all other arbitration costs arising in connection with the arbitration, except as determined by the arbitrator. Each party shall pay its own attorneys’ fees, except as provided in Federal Rule of Civil Procedure 68 or as determined by the arbitrator in accordance with applicable legal standards. The arbitrator may award reasonable fees and costs or any portion thereof to the prevailing party to the same extent a court would be entitled to do so, in accordance with applicable law.
Section 10.3. Waiver of Class Action and Class Arbitration.
EyeBuyDirect and you each agree that any arbitration shall be conducted only on an individual basis and not as a class, collective, consolidated, joint, or representative action (“Class Action”). EyeBuyDirect and you each expressly waive any right to file or seek relief in a Class Action. Any dispute concerning the scope or validity of this Class Action waiver shall be decided by a court of competent jurisdiction and not the arbitrator. If any court determines that the Class Action waiver in this paragraph is void or unenforceable for any reason or that an arbitration can proceed on a class, collective, consolidated, joint, or representative basis, then the parties waive any right to arbitration of a Class Action and instead agree and stipulate that such Class Action will be heard only in court. If for any reason a claim proceeds in court rather than in arbitration, you and the Company each waive any right to a jury trial.
If eight (8) or more demands for arbitration involving substantially similar claims are filed against EyeBuyDirect and remain pending, (a) JAMS shall determine phases for such proceedings as needed for the efficient administration of all such proceedings, including the determination of a schedule for the selection of arbitrators and payment of arbitration fees and costs in phases, and (b) any party shall be authorized to designate and rely on written discovery responses or deposition testimony from one such proceeding in other such proceedings in lieu of responding to substantially similar discovery requests in substantially similar proceedings.
Section 10.4. Exception – Small Claims Court.
Notwithstanding the parties’ agreement to resolve all disputes through arbitration, EyeBuyDirect or you may seek relief in a small claims court for disputes or claims within the scope of that court’s jurisdiction.
Section 10.5. Knowing and Voluntary Waiver.
Both parties understand that, absent this mandatory arbitration provision, they would have the right to sue in court and have a jury trial. They further understand that, in some instances, the costs of arbitration could exceed the costs of litigation and the right to discovery may be more limited in arbitration than in court.
You have read and understand this Agreement. You further understand that you may consult with an attorney of your choosing regarding the Agreement’s effect to the extent you deem necessary. YOU ARE KNOWINGLY AND VOLUNTARILY WAIVING THE RIGHT TO FILE A LAWSUIT AGAINST THE COMPANY OR PROCEED IN FRONT OF A JUDGE OR JURY, EXCEPT AS DESCRIBED ABOVE.
11. CALIFORNIA CONSUMER PRIVACY ACT DISCLOSURES
11.1. Personal Information Collected, by Category:
The personal information that EyeBuyDirect collects, or has collected, from consumers in the 12 months prior to the effective date of this Disclosure falls into the following categories established by the California Consumer Privacy Act, depending on which EyeBuyDirect Service is used:
Identifiers such as your name, alias, address, phone numbers, or IP address.
Age, gender, or other protected classifications.
Commercial information, such as purchase.
Geolocation data, such as the location of your device or computer.
Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with our website.
Audio or visual information.
Inference data, such as information about your purchase preferences.
11.2. Personal Information Disclosed for a Business Purpose, by Category:
The personal information that EyeBuyDirect disclosed about consumers for a business purpose in the 12 months prior to the effective date of this Disclosure falls into the following categories established by the California Consumer Privacy Act, depending on which EyeBuyDirect Service is used:
Identifiers such as your name, address, phone numbers, or IP address. Your age, gender, or other protected classifications.
Commercial information, such as the details of a product you purchased if a third-party service provider is assisting to provide that product to you.
Audio or visual information.
11.3. Rights to Your Personal Information.
Under the California Consumer Privacy Act, you may have the right to request access to or the deletion of your personal information, along with information about the collection of your personal information, by EyeBuyDirect. To exercise your right to know, your right to delete, or your right to opt out of the sale of your personal information, email email@example.com or click here for our interactive webform.
Depending on your data choices, certain services may be limited or unavailable.
To protect the security of your personal information, we will require you to provide us with identifying information for you or your household such as email address, telephone number, a description of the product or service you purchased or inquired about, and/or other information that we can match with the personal information we have collected about you or your household to verify your identities.
You may use an authorized agent to request access to or deletion of your personal information or the personal information of your household. We will require your authorized agent to provide us with either (1) a power of attorney authorizing the authorized agent to act on your behalf or (2) your written authorization permitting the authorized agent to request access to your personal information on behalf of you or your household. Further, we will require you or your authorized agent to provide us with identifying information to verify your identity and/or the identities of your household members.
Once we receive and confirm your verifiable consumer request to delete, we will delete the personal information that we hold about you (to the extent provided by law) as of the date of your request from our records. However, please know that a business is not required to comply with a request to delete if it is necessary for the business to maintain the personal information in order to, for example, complete a transaction, detect security incidents, comply with a legal obligation, or otherwise use the personal information, internally, in a lawful manner that is compatible within the context in which the consumer provided the information.
Once submitted, you will receive an email within 10 days that we will use to verify your identity and provide confirmation of your request. We will respond to your request to access or request to delete your information within 45 days from the day we receive the request. If necessary, we may extend the time period to a maximum total of 90 days from the day we receive the request. In this case, you will receive an email notifying you of the extension and explaining the reason for the extension.
We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for such a decision and provide you with a cost estimate before further processing your request.
Individual California residents also have the right under the California Online Privacy Protection Act (CalOPPA) to request information about our disclosures of certain categories of personal information to our affiliates or third parties for their direct marketing purposes. We will provide a list of the categories of personal information disclosed to third parties or our affiliates for their direct marketing purposes during the immediately preceding calendar year, along with the names and addresses of these third parties or affiliates. This request may be made no more than once per calendar year. Individual California Users must submit their requests to us either by email at: firstname.lastname@example.org or write us at the mailing address in the Contact Us section below. We reserve our right not to respond to requests submitted other than to the email or mailing addresses specified in this section.
11.4. Right to Opt-Out of Sale of Personal Information.
Right to Opt-Out
The California Consumer Privacy Act defines "sell" to mean selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a California resident’s personal information to another business or a third party for monetary or other valuable consideration.
How to Submit a Request to Opt-Out
How We Process a Request to Opt-Out
We will act upon your request to opt-out within 15 days from the date that you submit the request. However, we may deny the request if we have a good-faith, reasonable, and documented belief that the request is fraudulent. If we deny the request on this basis, we will notify the requesting party and provide an explanation of why we believe the request is fraudulent.
11.5. No Discrimination.
EyeBuyDirect will not discriminate against any consumer for exercising their rights under the California Consumer Privacy Act.
12. CHILDREN’S PRIVACY
We are especially sensitive about children’s information. We do not knowingly collect Personal Information from children under 13. If you are a parent or legal guardian and think your child under the age of 13 has given us information, you can contact us to remove the information. In addition, California minors (under 18 years of age) may in certain circumstances request and obtain removal of content or information. If you are a California minor, you may contact us to make a removal request.
13. EU RESIDENTS AND INFORMATION STORED IN THE UNITED STATES
The Services do not apply to residents of the European Union (EU). If you input your personal information on our website, please understand that your data will be stored in the United States, whose privacy laws do not provide equal levels of protection as those of the EU. Users who live in, or access our services from, countries outside of the United States thereby agree and consent to their personal information being collected and stored on servers located outside of their country of residence, and acknowledge that protection of this information is not guaranteed to match that level of protection assured to them under the laws of their country of residence or location.
Last updated: 2022-01-13