This policy was last updated on 17/12/2018.
If we make any important changes that may affect your rights and interests, we will make sure we bring this to your attention and explain what this means for you. If you have any questions regarding this policy or wish to exercise any of your rights under data protection law, please email firstname.lastname@example.org.
1. GENERAL STATEMENT OF PRINCIPLES
We may collect personal data about you when you browse our website and order any products or services from us through our website or in one of our stores. We will never share your email address or personal data with any third parties except as necessary for our internal use and to provide our products and services. We do not purchase personal data from other sources.
2. PERSONAL DATA COLLECTED
Unless someone orders any products or services on your behalf or we receive any correspondence from your optometrist, ophthalmologist, GP or other healthcare professional, we will generally only collect your personal data from you.
You may provide and we may collect the following types of personal data about you:
- Identity data: full name(s) and date of birth
- Contact data: billing address, shipping address, email address, telephone numbers
- Payment and transaction data: payment card details (although these are encrypted so we cannot read them)
- Health data: general health and lifestyle information such as current and past eye conditions, general health conditions, current medication, employment, lifestyle and driving information
- Test and prescription data: eye test results, retinal photographs, your prescription (whether we have performed your eye test or you have provided it to us)
- Correspondence data: correspondence between you, us and your GP, optician, ophthalmologist or other healthcare professional (as appropriate)
- Demographic data: age, gender identity, city, preferences and interests (optional)
- Analytical data: how you arrived at our website, how you browsed and searched our website, the time and frequency of your visits, the time spent by you on each page, how you interacted with the website, the links you clicked and the content you viewed
- Other data: you may provide us with further personal data voluntarily, for example, during the course of an eye test (this data will only be recorded if it is relevant)
3. WHAT WE DO WITH YOUR PERSONAL DATA
We will only use your personal data when the law allows us to do so. We will generally rely on one of four legal grounds for using your personal data:
- to enter into and perform a contract with you, for example, to provide an eye test or fulfil a prescription lens order
- where the use of your personal data is necessary for our legitimate interests provided those interests do not override your rights and interests
- where we need to comply with a legal obligation, for example under tax legislation and legislation that applies to sight testing
- in limited circumstances where you have given your consent, for example to receive marketing from us
Health, test and prescription data are regarded as being particularly sensitive and in addition to one of the legal grounds set out above, we must also satisfy a further condition under UK and European data protection law. The further condition we rely upon is that the use of your health data is necessary for the purposes of providing services to you under a contract by a health professional that is bound by an obligation of professional secrecy (which is a requirement of The College of Optometrists and the General Optical Council in the UK).
The following table shows the purpose(s) for which we use your personal data, the relevant type(s) of personal data used in connection with those purposes and the legal ground(s) we rely upon:
| Purpose(s) | Type(s) of personal data | Legal ground(s) for use |
| --- | --- | --- |
| Arranging, providing and communicating with you about eye tests and notifying you of your next appointment | Identity data; contact data; health data; test and prescription data; correspondence data | Performing our contract with you; complying with our legal obligations in relation to sight testing |
| Processing and communicating with you about orders for our products and services | Identity data; contact data; payment and transaction data | Performing our contract with you; complying with our legal obligations under tax legislation |
| Dealing with any after-sales queries or refunds | Identity data; contact data; correspondence data | Performing our contract with you; necessary for our legitimate interests (providing good customer service) |
| Sending you our email newsletter with details of new collections, event invitations, competitions and other content | Identity data; contact data | Consent (by completing our newsletter sign-up form, ticking the relevant box when ordering online, completing a form in-store or sending us an email with your consent) |
| Asking you to provide reviews or take part in surveys | Identity data; contact data | Necessary for our legitimate interests (understanding how customers browse our website and view our products and services to inform and develop our business strategy) |
| Protecting our website | Identity data; contact data; technical data | Necessary for our legitimate interests (ensuring the security of our network, website and data and preventing fraud); complying with our legal obligations |
| Improving and optimising our website | Technical data; analytics data | Necessary for our legitimate interests (ensuring that we provide a positive website user experience) |
| Delivering relevant content and advertisements | Identity data; demographic data; technical data; analytical data | Necessary for our legitimate interests (understanding the effectiveness |
| Ensuring that our premises are secure and that our staff and customers are protected from harm | CCTV footage recorded in-store; identity data | Necessary for our legitimate interests (preventing and detecting crime, protecting our property and the health and safety of our staff and customers) |
4. HOW WE HANDLE YOUR PERSONAL DATA
Who we share your personal data with
We do not sell any personal data for commercial purposes. However we need to share your personal data with:
- other companies in the Cutler and Gross group of companies, as necessary to provide our products and services to you, and the relevant company that has collected your personal data
- employees and consultants authorised to manage this website and communicate with you
- tax authorities who require reporting of our processing activities in certain circumstances
- relevant regulators for the optical professions (e.g. the General Optical Council in the UK)
- service providers including our patient management system provider, e-commerce platform, hosting provider, payment services provider, email marketing platform, online survey provider, analytics providers and logistics partners
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Where your personal data are stored
A number of the service providers we use are based outside the European Economic Area (EEA). If you are based in a country to which the GDPR applies, this means that your personal data may be accessed from or transferred to a country or territory outside the EEA. If we transfer your personal data outside the EEA, we will ensure that a similar degree of protection is applied to your personal data through one of the following safeguards:
- only transferring your personal data to a country or territory that is deemed by the European Commission to provide a similar degree of protection for your personal data
- entering into a specific contract containing clauses that have been approved by the European Commission as providing a similar degree of protection of your personal data
- where a third party is based in the US and they have self-certified under the EU-US Privacy Shield Framework requiring them to provide a similar degree of protection for your personal data
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
How we keep your personal data secure
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those of our employees, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulators of any breach where we are legally required to do so.
How long we keep your personal data for
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. For example in the UK, HM Revenue & Customs requires us to keep records of transactions for six years and the College of Optometrists advises that it is best practice to keep patient records for up to 10 years.
We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
As with most servers, our servers log the IP address of any device that accesses our website. We have configured our server logs so that only the first part of the IP address is logged and that IP address logs do not last longer than three days.
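The paragraph above describes two controls: logging only the first part of each visitor's IP address, and discarding those logs after three days. The following Python example, added here as an illustration and not Cutler and Gross's own server configuration, shows how such a log pipeline can be implemented. It assumes "first part of the IP address" means the first three octets of an IPv4 address (last octet zeroed) and the first 48 bits of an IPv6 address; the three-day retention window is taken from the policy. The log lines are constructed samples in combined log format, not real traffic.

```python
"""Partial-IP logging and short retention for web server access logs.

Added illustration, not the website's own configuration. Assumptions:
"first part" = first three octets for IPv4, /48 prefix for IPv6.
The three-day retention period is the one stated in the policy.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=3)          # stated in the policy
IPV4_KEEP_BITS = 24                    # assumption: keep first three octets
IPV6_KEEP_BITS = 48                    # assumption: keep the /48 prefix

# The client address is the first whitespace-delimited token of a
# combined-log-format line; everything after it is kept untouched.
_LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def anonymise_ip(addr: str) -> str:
    """Return addr with its host-identifying bits zeroed.

    Unparseable input is replaced with "0.0.0.0" so that a malformed token
    never reaches the log unmasked.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "0.0.0.0"
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def anonymise_line(line: str) -> str:
    """Rewrite one access-log line so only the masked address is stored."""
    m = _LINE_RE.match(line)
    if not m:
        return line
    return f"{anonymise_ip(m.group('ip'))} {m.group('rest')}"


def prune_expired(entries, now):
    """Keep only (timestamp, line) pairs younger than RETENTION."""
    cutoff = now - RETENTION
    return [(ts, line) for ts, line in entries if ts >= cutoff]


# Constructed sample entries (timestamp of receipt, raw log line).
NOW = datetime(2018, 12, 17, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    (NOW - timedelta(hours=1),
     '203.0.113.45 - - [17/Dec/2018:11:00:00 +0000] "GET / HTTP/1.1" 200 512'),
    (NOW - timedelta(days=2),
     '2001:db8:abcd:1234::5 - - [15/Dec/2018:12:00:00 +0000] "GET /eyewear HTTP/1.1" 200 2048'),
    (NOW - timedelta(days=4),
     '198.51.100.7 - - [13/Dec/2018:12:00:00 +0000] "GET /basket HTTP/1.1" 200 1024'),
]


def process(entries=SAMPLE_LOG, now=NOW):
    """Drop entries older than the retention window, then mask the rest."""
    return [anonymise_line(line) for _, line in prune_expired(entries, now)]


if __name__ == "__main__":
    for kept in process():
        print(kept)
```

Masking is applied before the line is written rather than in a later clean-up job, so the full address never touches disk; the retention check then removes whole entries, including the request and user-agent fields, once they are older than three days.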
You can read more information about cookies and how they work at All About Cookies.org and information about how online advertising works at Your Online Choices (these are third party websites that we do not control).
The cookies used by our website fall into the following categories:
- Strictly necessary cookies: these are required in order for us to provide you with access to the website and any features you have requested
- Analytical cookies: these are used to recognise when you visit our website and how you interact with it, so that we can optimise and improve the way our website works
- Functionality cookies: these are used to recognise when you visit our website so that we can personalise our content for you and remember your preferences
- Targeting cookies: these are used to ensure that the advertising displayed on our website is more relevant to you and your interests and to evaluate the effectiveness of our advertising
Under European law we are required to obtain your consent to all cookies except those that are strictly necessary. You will be asked to confirm your consent when you first visit our website. You can block or delete cookies using your browser settings and for analytical cookies stored by Google, you can install the Google Analytics opt-out extension.
The specific cookies used by our website are as follows:
| Cookie identifier | Type | Duration | Further details |
| --- | --- | --- | --- |
| cookieconsent_status | Strictly necessary | 1yr | This is used by the website's cookie consent tool to record whether you have consented to our website storing cookies on your device. |
| _fbp | Analytical; targeting | 2hrs, 15 mins | This cookie is set by Facebook when a tiny image (called a 'web beacon') is loaded by a page. It is used by the Facebook advertising platform to help us measure and optimise the effectiveness of our advertising and retargeting. |
| _gat | Analytical | 1min | Used by Google Universal Analytics to throttle the request rate. |
| _gid | Analytical | 24hrs | Used by Google Universal Analytics to identify new visits to our website. |
| newsletter | Functionality | 1 year | After five seconds of inactivity, you will be prompted to sign up to our newsletter via a popup. This cookie is used to prevent this from happening again for 1 year from the date of your visit. |
| PHPSESSID | Strictly necessary | Session only | Used to manage your session on our website and to remember the contents of your basket between pages. |
Google Tag Manager and third party tracking
We work with advertising partners and social media websites including Facebook (Connect and Custom Audiences) and Google (Adwords, Doubleclick and Dynamic Retargeting) who may set cookies on your device when you visit our website to show you products and services based on what you are interested in.
If you would like to opt-out of tracking for advertising purposes, you can do so using the Network Advertising Initiative opt-out or Your Online Choices. However neither of these services can ensure that you do not receive any internet advertising based on your browsing activity.
As at the date of this policy, there is no uniform standard for Do Not Track (DNT), a feature offered by some browsers which tells third parties that you do not want to be tracked. Until such time as a standard has been established, this website does not respond to DNT requests.
Email marketing tracking
We use Mailchimp to deliver our newsletter to subscribers. The Rocket Science Group LLC which operates Mailchimp has self-certified under the EU-US Privacy Shield Framework.
Emails sent to you from Mailchimp include a tiny invisible graphic, or web beacon, which is downloaded from Mailchimp's server when you open an email to tell us that you have opened our emails. If your email account is set to view emails in plain text or not display images, this image will not be stored. Where we include any links in our emails, Mailchimp also adds a tracking reference to the end of each link to tell us that you clicked on it.
6. LINKS TO OTHER WEBSITES