If we make any important changes that may affect your rights and interests, we will make sure we bring this to your attention and explain what this means for you. If you have any questions regarding this policy or wish to exercise any of your rights under data protection law, please email [email protected].
1. GENERAL STATEMENT OF PRINCIPLES
We may collect personal data about you when you browse our website and order any products or services from us through our website or in one of our stores. We will never share your email address or personal data with any third parties except as necessary for our internal use and to provide our products and services. We do not purchase personal data from other sources.
2. PERSONAL DATA COLLECTED
Unless someone orders any products or services on your behalf or we receive any correspondence from your optometrist, ophthalmologist, GP or other healthcare professional, we will generally only collect your personal data from you. You may provide and we may collect the following types of personal data about you:
Payment and transaction data: payment card details (although these are encrypted so we cannot read them)
Health data: general health and lifestyle information such as current and past eye conditions, general health conditions, current medication, employment, lifestyle and driving information
Test and prescription data: eye test results, retinal photographs, your prescription (whether we have performed your eye test or you have provided it to us)
Correspondence data: correspondence between you, us and your GP, optician, ophthalmologist or other healthcare professional (as appropriate)
Demographic data: age, gender identity, city, preferences and interests (optional)
Analytical data: how you arrived at our website, how you browsed and searched our website, the time and frequency of your visits, the time spent by you on each page, how you interacted with the website, the links you clicked and the content you viewed
Other data: you may provide us with further personal data voluntarily, for example, during the course of an eye test (this data will only be recorded if it is relevant)
3. WHAT WE DO WITH YOUR PERSONAL DATA
We will only use your personal data when the law allows us to do so. We will generally rely on one of four legal grounds for using your personal data:
to enter into and perform a contract with you, for example, to provide an eye test or fulfil a prescription lens order
where the use of your personal data is necessary for our legitimate interests provided those interests do not override your rights and interests
where we need to comply with a legal obligation, for example under tax legislation and legislation that applies to sight testing
in limited circumstances where you have given your consent, for example to receive marketing from us
Health, test and prescription data are regarded as being particularly sensitive and in addition to one of the legal grounds set out above, we must also satisfy a further condition under UK and European data protection law. The further condition we rely upon is that the use of your health data is necessary for the purposes of providing services to you under a contract by a health professional that is bound by an obligation of professional secrecy (which is a requirement of The College of Optometrists and the General Optical Council in the UK).
The following table shows the purpose(s) for which we use your personal data, the relevant type(s) of personal data used in connection with those purposes and the legal ground(s) we rely upon:
Purpose: Arranging, providing and communicating with you about eye tests and notifying you of your next appointment
Type(s) of personal data: Identity data; contact data; health data; test and prescription data; correspondence data
Legal ground(s) for use: Performing our contract with you; complying with our legal obligations in relation to sight testing
Purpose: Processing and communicating with you about orders for our products and services
Type(s) of personal data: Identity data; contact data; payment and transaction data
Legal ground(s) for use: Performing our contract with you; complying with our legal obligations under tax legislation
Purpose: Dealing with any after-sales queries or refunds
Type(s) of personal data: Identity data; contact data; correspondence data
Legal ground(s) for use: Performing our contract with you; necessary for our legitimate interests (providing good customer service)
Purpose: Sending you our email newsletter with details of new collections, event invitations, competitions and other content
Type(s) of personal data: Identity data; contact data
Legal ground(s) for use: Consent (by completing our newsletter sign-up form, ticking the relevant box when ordering online, completing a form in-store or sending us an email with your consent)
Purpose: Asking you to provide reviews or take part in surveys
Type(s) of personal data: Identity data; contact data
Legal ground(s) for use: Necessary for our legitimate interests (understanding how customers browse our website and view our products and services to inform and develop our business strategy)
Purpose: Protecting our website
Type(s) of personal data: Identity data; contact data; technical data
Legal ground(s) for use: Necessary for our legitimate interests (ensuring the security of our network, website and data and preventing fraud); complying with our legal obligations
Purpose: Improving and optimising our website
Type(s) of personal data: Technical data; analytics data
Legal ground(s) for use: Necessary for our legitimate interests (ensuring that we provide a positive website user experience)
Purpose: Delivering relevant content and advertisements
Type(s) of personal data: Identity data; demographic data; technical data; analytical data
Legal ground(s) for use: Necessary for our legitimate interests (understanding the effectiveness
Purpose: Ensuring that our premises are secure and that our staff and customers are protected from harm
Type(s) of personal data: CCTV footage recorded in-store; identity data
Legal ground(s) for use: Necessary for our legitimate interests (preventing and detecting crime, protecting our property and the health and safety of our staff and customers)
4. HOW WE HANDLE YOUR PERSONAL DATA
Who we share your personal data with
We do not sell any personal data for commercial purposes. However, we need to share your personal data with:
other companies in the Cutler and Gross group of companies as necessary to provide our products and services to you and the relevant company that has collected your personal data
employees and consultants authorised to manage this website and communicate with you
tax authorities who require reporting of our processing activities in certain circumstances
relevant regulators for the optical professions (e.g. the General Optical Council in the UK)
service providers including our patient management system provider, e-commerce platform, hosting provider, payment services provider, email marketing platform, online survey provider, analytics providers and logistics partners
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Where your personal data are stored
A number of the service providers we use are based outside the European Economic Area (EEA). If you are based in a country to which the GDPR applies, this means that your personal data may be accessed from or transferred to a country or territory outside the EEA. If we transfer your personal data outside the EEA, we will ensure that a similar degree of protection is applied to your personal data through one of the following safeguards:
only transferring your personal data to a country or territory that is deemed by the European Commission to provide a similar degree of protection for your personal data
entering into a specific contract containing clauses that have been approved by the European Commission as providing a similar degree of protection of your personal data
where a third party is based in the US and they have self-certified under the EU-US Privacy Shield Framework requiring them to provide a similar degree of protection for your personal data
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
How we keep your personal data secure
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those of our employees, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulators of any breach where we are legally required to do so.
How long we keep your personal data for
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. For example, in the UK, HM Revenue & Customs requires us to keep records of transactions for six years and the College of Optometrists advises that it is best practice to keep patient records for up to 10 years.
We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
As with most servers, our servers log the IP address of any device that accesses our website. We have configured our server logs so that only the first part of the IP address is logged and that IP address logs do not last longer than three days.
You can read more information about cookies and how they work at All About Cookies.org and information about how online advertising works at Your Online Choices (these are third party websites that we do not control).
The cookies used by our website fall into the following categories:
Strictly necessary cookies: these are required in order for us to provide you with access to the website and any features you have requested
Analytical cookies: these are used to recognise when you visit our website and how you interact with it, so that we can optimise and improve the way our website works
Functionality cookies: these are used to recognise when you visit our website so that we can personalise our content for you and remember your preferences
Targeting cookies: these are used to ensure that the advertising displayed on our website is more relevant to you and your interests and to evaluate the effectiveness of our advertising
Under European law we are required to obtain your consent to all cookies except those that are strictly necessary. You will be asked to confirm your consent when you first visit our website. You can block or delete cookies using your browser settings and for analytical cookies stored by Google, you can install the Google Analytics opt-out extension.
The specific cookies used by our website are as follows:
This is used by the website’s cookie consent tool to record whether you have consented to our website storing cookies on your device.
2hrs, 15 mins
This cookie is set by Facebook when a tiny image (called a ‘web beacon’) is loaded by a page. It is used by the Facebook advertising platform to help us measure and optimise the effectiveness of our advertising and retargeting.
Used by Google Universal Analytics to throttle the request rate.
Used by Google Universal Analytics to identify new visits to our website.
After five seconds of inactivity, you will be prompted to sign up to our newsletter via a popup. This cookie is used to prevent this from happening again after 1 year from the date of your visit.
Used to manage your session on our website and to remember the contents of your basket between pages.
Google Tag Manager and third party tracking
We work with advertising partners and social media websites including Facebook (Connect and Custom Audiences) and Google (Adwords, Doubleclick and Dynamic Retargeting) who may set cookies on your device when you visit our website to show you products and services based on what you are interested in.
As at the date of this policy, there is no uniform standard for Do Not Track (DNT), a feature offered by some browsers which tells third parties that you do not want to be tracked. Until such time as a standard has been established, this website does not respond to DNT requests.
Email marketing tracking
We use Mailchimp to deliver our newsletter to subscribers. The Rocket Science Group LLC, which operates Mailchimp, has self-certified under the EU-US Privacy Shield Framework.
Emails sent to you from Mailchimp include a tiny invisible graphic, or web beacon, which is downloaded from Mailchimp’s server when you open an email to tell us that you have opened our emails. If your email account is set to view emails in plain text or not display images, this image will not be stored. Where we include any links in our emails, Mailchimp also adds a tracking reference to the end of each link to tell us that you clicked on it.
6. LINKS TO OTHER WEBSITES