Effective date: 01/09/2020
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Our use of any individually identifiable health information you provide is subject to the requirements of applicable data privacy laws and regulations, which may include the United States’ Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the European General Data Protection Regulation 2016/679 (“GDPR”).
If you have questions about our privacy practices, contact our Data Protection Officer at [email protected]
1. Purposes of Data Processing, Legal Bases, Legitimate Interests and Categories of data
We collect, store and process data exclusively in accordance with valid legal stipulations and only to the extent necessary for the fulfillment of the contract obligations between ourselves and you. This comprises:
- Identity Data, which includes name, date of birth, gender, and webcam data. The only reason for collecting webcam data during the eye exam is to help us to provide you with accurate results. Through your webcam, we check the conditions of the room, measure your pupillary distance and verify that instructions are followed correctly.
- Contact Data when you create an account, which includes email address, phone number, and home address.
- Health Data, which includes information provided by you regarding your health conditions (e.g. pregnancy, diabetes, and eye surgery) and information collected from your previous glasses and contact lens prescription. When you perform our online eye test, you disclose certain information about yourself by (1) answering a series of questions to determine whether you are eligible to participate in the online eye test (the “Health Questionnaire”), (2) performing a series of tasks to help licensed optometrists or ophthalmologists (each an “Eye Doctor”) determine whether to issue you an updated prescription, and (3) communicating with us or our Eye Doctors in connection with your use of the Services (see more information about health data in section 2.2).
- Financial Data, which includes details about your payment status. We use Stripe as a payment processor and do not store payment information ourselves (Stripe is an independent personal data administrator and acts as a payment service provided by Stripe Inc., which allows users to make online payments). Payment processing services enable us to process payments by credit card, bank transfer or other means. To ensure greater security, we only share the information necessary to execute the transaction with the financial intermediaries handling the transaction. Some of our services may also enable the sending of timed messages to you, such as emails containing invoices or notifications concerning the payment.
- Technical Data, which includes your internet protocol (IP) address, your login data, browser type, operating system and platform, and other technology on the devices you use to access this website.
- Profile Data, which includes your email address and password for any accounts set up to access our services, purchases or orders made by you and feedback responses.
- Usage Data, which includes information about how you use our website, products and services.
- Marketing and Communication Data, which includes your preferences in receiving marketing from us and our third parties and your communication regarding reminders to finish or redo the test, promotions and informational emails.
All of the above processing of your personal data is conducted on the basis of your consent (Art. 6 Para. 1 lit. a) GDPR). As far as the processing is based on your consent, you have the right to withdraw your consent at any time. To exercise this right you can contact us at any time by email at [email protected]
If you do so, we will no longer use or disclose your personal data for the reasons covered by your consent, but note that we are unable to take back any disclosures we have already made with your consent, and that we are required to retain our records of the care that we’ve provided to you.
1.2 Health information
“Health Information or Personal data concerning health” is information that relates to your past and present health or vision conditions (including medications, ailments, and prescriptions). Health information is collected and derived when you use our online eye test. Some Health Information may be subject to laws and regulations, including HIPAA (for U.S. residents) and GDPR (for individuals in the EU). Your health information is important to us in order to guarantee that you are eligible to undergo the online eye test and to support our Eye Doctor’s decision on whether or not to issue a new prescription. Like any other personal data processed by us, the legal basis for processing your health information is Art. 6 Para. 1 lit. a) GDPR, as the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
In order to facilitate your use of our online eye test and to help an Eye Doctor determine your need for an eyewear prescription, we may collect the following information when you use the Service:
- your name, age, email address, username, or other personal information or health information contained in your easee account;
- answers and written information that you submit during the Health Questionnaire;
- your answers to, performance of, and actions taken during the test;
- Health Information prepared by an Eye Doctor who provides you Services, such as medical records, prescriptions, treatment decisions, medical advice, examination notes, and any other information prepared by an Eye Doctor about your health or vision;
- any other information that you submit to us in connection with your Health Questionnaire, the test, the prescription check, or the validation service, including information exchanged in emails, texts, chats, or calls between you and easee.
In addition, we may use or disclose your health information to:
- Comply with federal, state, or local laws, if you are a resident of the United States;
- Comply with federal and state health oversight activities, such as fraud investigations, if you are a resident of the United States;
- Comply with public health and safety requirements, such as those related to the prevention or control of disease, injury or disability; to report abuse, neglect, or domestic violence of a child, an elder, or a dependent adult; to report reactions to medications; to notify individuals of recalls of medication or products they may be using; or to notify a person who may have been exposed to a communicable disease or who may be at risk for contracting or spreading a disease or condition;
- If you are a resident of the United States, for the following purposes: (1) to the U.S. Department of Health and Human Services to demonstrate our compliance with HIPAA, (2) for national security and public safety reasons as required by law, (3) to respond to a request by military command authorities, and (4) if you are an inmate or in custody, to a correctional institution;
- Respond to law enforcement officials or to judicial orders, subpoenas, or other process;
- Conduct research (following internal review protocols to ensure the balancing of privacy and research needs);
- Send appointment confirmations and reminders;
- Communicate with individuals, such as friends and family, who are involved in your care or involved in the payment for that care;
- Communicate within and outside of our organization for the following categories of activities:
o Treatment. For example, if you purchase the full version of our vision test, we will share your medical information with an independent licensed optometrist or ophthalmologist who needs this information to provide you with an updated eyewear prescription.
o Payment. For example, easee may use and disclose your medical information to bill you or your insurance company or other third party responsible for payment or to collect payment.
o Health care operations. For example, we may use information about your test to conduct data analyses relating to the quality and efficiency of the services we provide.
We may use your medical information to create de-identified data, which is stripped of your identifiable data and no longer identifies you. De-identified data may be used or disclosed to third parties for analytics or other purposes.
We may also disclose health information of U.S. residents to a third party (called a “business associate”) to perform certain services for us, such as billing services, payment processing and other services in support of our operations. For example, a third party who sends certain email communications may be a business associate. Business associates must also comply with HIPAA. They are required by contract and law to protect your health information and only use and disclose it as necessary to perform their services for us.
Finally, if we or one of our business associates create, receive, maintain or transmit your health information in an unsecured manner (such as in paper form or in an unencrypted electronic form) and a breach occurs, we will notify you.
- Marketing. Marketing means making a communication about a product or service that encourages you to purchase or use the product or service. Marketing does not include any face-to-face interactions we may have with you. Marketing also does not include case management or care coordination for your treatment or to recommend alternative treatments, therapies, or health care providers for you as long as we do not receive any payment for making these communications.
- Receiving direct or indirect payment in exchange for providing the information. However, the disclosure of your health information to a health insurer in order to receive payment for products or services we provide to you is permissible.
You can revoke your permission for us to use and disclose your health information in writing at any time. If you do so, we will no longer use or disclose your health information for the reasons covered by your written permission, but note that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we’ve provided to you. Lastly, with regard to the health information kept by us, it’s your right to inspect and copy it, and amend it, if you feel that the information is incorrect or incomplete.
Note that if you are a U.S. resident, we will not give you access to health information records created in anticipation of a civil, criminal or administrative action or proceeding. We will also deny your request to inspect and copy health information if a licensed health care professional hired by us has determined that giving you the requested access is reasonably likely to endanger the life or physical safety of you or another individual or to cause substantial harm to you or another individual, or that the record makes references to another person (other than a healthcare provider), and that the requested access would likely cause substantial harm to the other person.
If your request to access health information is denied, you may have that decision reviewed. A different licensed health care professional chosen by us will review the request and denial, and we will comply with the health care professional’s decision.
2. How do we collect your data?
2.1 Data uploaded by you
You directly provide us with most of the data we collect. Thus, all the identity data, contact data, health data, financial data and profile data are uploaded by you (see section 2). We will not process any personal data of yours without first asking for your consent (Art. 6 Para. 1 lit. a) General Data Protection Regulation). We collect and process data when you:
- Register online or place an order for our services;
- Voluntarily complete a customer survey or provide feedback on our message board or via email;
- Use our online eye test;
- Upload your visual acuity or prescription information manually or through an old prescription.
2.2 Information we automatically collect:
- Information from cookies and other technologies
- Web logs and usage information
We record certain information and store it in log files when you interact with our Services. This information may include device and browser information, operating systems details, device type, internet protocol (IP) address, URLs of referring/exit pages, and search terms.
- Through your computer
We may collect information about your approximate location from your IP address. Your location information is necessary to confirm your location while using the Services, so we can be sure that your results are reviewed by an Eye Doctor from your region.
3. How do we protect your data?
We have put in place appropriate technical and organizational security measures to prevent your data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. All online interaction with our services is protected with SSL/TLS.
In order to help secure your personal information, access to your data on our website is password-protected, and sensitive data is protected by encryption when it is exchanged between your web browser and our website. To protect any data you store on our servers, we also regularly audit our system for possible vulnerabilities and attacks.
However, the Internet is not 100% secure, and it is your responsibility to protect the security of your login information. Please note that e-mails and other communications you send to us through our website are not encrypted, and we strongly advise you not to communicate any confidential information (including medical histories or financial information) through these means.
We will keep backups containing your data for at most 90 days. Additionally, we will irretrievably remove any personal information from our systems and keep anonymized log data for statistical and forensic purposes.
4. How do we use your information?
Some ways we may use your information include:
- to provide, personalize, and improve our Service;
- to provide you with the prescription services, administer our websites and Services, and for our internal operations;
- to communicate with you, including to respond to your comments or questions, and to send you updates about your prescription;
- to help us improve the customer experience;
- to provide you information, recommendations, and marketing materials about our products and Services (see sections 6 and 7);
- for security purposes, including to protect our company, our customers, our websites, and our Services, as well as to detect and investigate activities that may be illegal or prohibited;
- Images of you: when you submit (or grant us permission to take) a photo, webcam pictures, or other image of you, we don’t share those photos, scans, or images, or any facial data captured, with any third parties, but we may use them to assess the conditions of the room, measure your pupillary distance and verify that instructions are followed correctly.
We may use your health information and personal information to determine the vision correction that you need, and for quality assurance, internal testing and analysis, and to make improvements to the Services. We may also use your health and personal information to communicate with you through our customer service, including replying to any questions you might have. In addition, we may use your health information and personal information to remind you to renew your prescription, or to send your old prescription before we can issue a new one.
If you receive an eyewear prescription as a result of your use of our online eye test, we will email you a copy of the prescription and add the prescription information to your easee account. If the Eye Doctor determines that you are not eligible for an updated eyewear prescription through our online eye test, then we will notify you by email and may include additional notes or recommendations from the Eye Doctor.
We use information as otherwise disclosed or permitted by law, or as we may notify you.
5. Processing of your Data for Advertising and Informational Purposes
In addition to processing your data for the purpose of delivering the service, we also use your data in order to exchange information with you concerning your test, including reminders to redo the test, promotions and informational emails. Also, we might email you with special offers regarding our services and products.
We offer you the possibility of registering for our newsletter. The processing of your electronic contact data for this purpose is thus effected solely on the basis of your consent (Art. 6 Para. 1 lit. a) GDPR).
You may revoke your declared consent at any time with future effect without giving any reasons. For this purpose, you can contact us via [email protected] and we will reply as soon as possible.
As a customer of easee you will receive emails. This way you will remain informed of the service provision and of any new offers and services that might be valuable to you. All communication through this channel will include an option to unsubscribe from this service. Please be aware that if you unsubscribe, we will no longer be able to inform you of your vision status in the future. We will use your information only for the above purposes or a purpose closely linked to this. This way, your information will never be used unexpectedly.
7. Sharing your data with third parties
We make sure that any data shared with our partners remains secure and that you give us your consent before we disclose this information.
We will share your personal data with third parties where required by law, where it is necessary to administer our relationship with you or complete our obligations under a contract with you, or where we have another legitimate interest in doing so, such as providing you with a service you have expressed interest in. This is the case, for example, when we share your test results with a partner from whom you wish to buy glasses or contact lenses, having first used our services to renew your glasses or contact lens prescription.
All our third-party partners are required to take appropriate security measures to protect your personal information. We only permit third-party service providers to process your personal data for specified purposes and in accordance with our instructions. To the extent reasonably possible, we will ensure that all third-party providers that have access to your personal data will act in accordance with relevant data privacy laws. In any case, if we share your information, we do so only as described below.
- With Eye Doctors: If you decide to purchase a prescription, we will share your health and personal Information with one or more Eye Doctors, who will evaluate the results of your health questionnaire and eye test. Eye Doctors may be any of the following, depending on the country you live in: easee’s employees, easee’s independent contractors, employees of a professional corporation, or independent contractors of a professional corporation. In all cases, Eye Doctors are under a contractual and legal obligation to keep your information confidential.
- With our business partners: We may work with business partners such as optical retailers. Therefore, we may provide products or services to you jointly with our business partners. When we do this, we will clearly show you that a business partner is associated with your transaction, and we will only share information with them that is related to your transaction and in accordance with your request to share with that partner.
- For legal purposes: We reserve the right to access, read, preserve, and disclose any information that we reasonably believe is necessary to comply with any applicable law. We may share any or all categories of personal information to respond to a court order or subpoena. We may also share this personal information if a government agency or investigatory body requests it.
- With contractors: we may share your information with contractors that help us to provide you with our services, including, for example, payment processing and website-related services, such as web hosting.
- With healthcare providers: Depending on the country you live in, we may share your information with your health insurer in order to process your claim and so that we can complete the payment process.
8. No information from children
If you are under the age of 16, please do not attempt to register with us at this Site or provide any personal information about yourself to us. If we learn that we have collected personal information from a child under the age of 16, we will promptly delete that information. If you are a parent or legal guardian and think your child has given us information, you can contact us at [email protected]
9. EU citizens: what are your personal data protection rights?
- The right to access – You have the right to request copies of your personal data from us. We will provide the information once a year, free of charge, on whether personal data concerning you is being processed or not, and if so, what information is being processed.
- The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.
- The right to erasure – You have the right to request that we erase your personal data.
- The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
- The right to object to processing – You have the right to object to our company’s processing of your personal data, under certain conditions.
- The right to data portability – You have the right to request that our company transfer the data that we have collected to another organization, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email [email protected]
10. Ads and Cookies
Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our website, we may collect information from you automatically through cookies or similar technology.
10.1. What type of cookies do we use?
- Functional cookies – we use these cookies so that we recognize you on our website and remember your previously selected preferences. These could include what language you prefer and your approximate location. A mix of first-party and third-party cookies is used.
- Advertising cookies – We use these cookies to collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address. We sometimes share some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our website.
10.2. How to manage cookies?
You can set your browser to not accept cookies, and the above websites tell you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
Do Not Track Policy. Some browsers have “do not track” features that allow you to tell a website not to track you. These features are not all uniform. We do not currently respond to those signals. If you block cookies, certain features on our site may not work. If you block or reject cookies, not all of the tracking described here will stop.
Options you select are browser, website and device specific. If you clear your cookies or your browser’s cache, you will need to set your preferences again.
11. Privacy policies of other websites
12. Where do we store your data?
If you provide us with personal information, your data will be stored in Europe, regardless of the country you live in. Therefore, by using and accessing our Services, users who reside or are located in countries outside of the European Union agree and consent to the transfer and processing of personal information on servers located outside of the country where they reside.
13. California residents: your privacy rights
If you are a California resident, this section, which summarizes your rights under California law, applies too. Note that our use of any individually identifiable health information you provide may be subject to the requirements of HIPAA rather than California law.
- For purposes of California residents exercising rights outlined in this section, please note the following regarding the information we collect from you, use, and share, including in the previous 12 months:
· Your rights:
o Access – You can request that we disclose to you the following: (i) the categories of personal information that we have collected about you; (ii) the categories of sources from which we have collected personal information about you; (iii) the business or commercial purpose for collecting or selling your personal information; (iv) the categories of personal information that we have sold about you and the categories of outside parties to whom the personal information was sold; (v) the categories of personal information that we have disclosed about you for our business purposes and the categories of vendors to whom the personal information was disclosed; and (vi) the specific pieces of personal information that we have collected about you over the past 12 months.
o Deletion – You can request that we delete the personal information that we maintain about you, subject to certain exceptions.
o Non-discrimination – We will not discriminate against you because you exercised any of these rights.
· A California resident can exercise these rights online by emailing [email protected]. Please note the following:
o We may deny certain requests, or fulfill a request only in part, based on our legal rights and obligations. For example, we may retain personal information as permitted by law, such as for tax or other record keeping purposes, to maintain an active account, and to process transactions and facilitate customer requests. Note that for purposes of these rights, personal information does not include information about job applicants, employees and other of our personnel or information about employees and other representatives of third-party entities we may interact with.
o We will take reasonable steps to verify your identity prior to responding to certain of your requests. The verification steps will vary depending on the sensitivity of the personal information and whether you have an account with us.
o You may designate an authorized agent to make a request on your behalf. When submitting the request, please ensure the authorized agent is identified as an authorized agent.
“Shine the light” law: If you’re a resident of California, you can request a notice identifying the categories of personal information we share with our affiliates and/or third parties for their direct marketing purposes and the contact information for such affiliates and/or third parties. Please submit a written request to [email protected]
Sale of personal information: We do not sell, and do not intend to sell, any information that could identify you, such as your email address or your name.
Residents under 18 years of age: Under Chapter 22.1 (Privacy Rights for California Minors in the Digital World) of the California Business and Professions Code, California residents under the age of eighteen (18) have a right to remove content or information they have personally posted to the Site. If applicable to you, you can request the removal of content or information you have posted to the Site by sending an email message to [email protected]
14. Rights of U.S. Residents under HIPAA
This section explains your rights under HIPAA as a U.S. resident and some of our responsibilities to help you.
- You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.
o We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
- You can ask us to correct health information about you that you think is incorrect or incomplete. Ask us how to do this.
o We may say “no” to your request, but we’ll tell you why in writing within 60 days.
- You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
o We will say “yes” to all reasonable requests.
- You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.
o If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.
- You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.
o We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
- You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.
- If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
o We will make sure the person has this authority and can act for you before we take any action.
- You can complain if you feel we have violated your rights by contacting us using the information at the top of this notice.
- You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.
- We will not retaliate against you for filing a complaint.
16. How to contact us
© 2020 easee Inc. All rights reserved.