Last Updated: April 17, 2023
Introduction
We respect data privacy and want you to be informed about our practices. This Privacy Policy, which is incorporated into our Terms of Use, outlines the privacy practices of Bespoke, Inc., which does business as Topology Eyewear (“Company,” “we,” “us,” “our,” or “Topology”), in connection with your (“you(r)”) use of our services, including our virtual try-on and eyewear fitting and measurement services and recommendations, software, technology, websites, and apps (collectively, the “Service(s)”). By using our Services, you agree to be bound by our terms and policies, including this Privacy Policy.
Who are we?
Topology’s mission is to help individuals see better and feel better in their eyewear. Our Services, including our photo-realistic virtual try-on services and eyewear fitting services, improve user experiences with eyecare and eyewear professionals and retailers and related providers (collectively, “Eye Care Provider(s)”). We act as a business associate and service provider for these third-party Eye Care Providers and only collect and process personal information as necessary for your interaction with your Eye Care Provider(s) and as outlined in this Privacy Policy. Topology does not provide optometric or medical services via the Services, including any medical advice, diagnosis, prescription, or treatment.
What does this Privacy Policy cover?
This Privacy Policy outlines how we collect, use, and disclose information, both online and offline. Please also see our separate Terms of Use, which incorporate by reference this Privacy Policy and which include applicable definitions. Unless otherwise expressly stated, this Privacy Policy does not apply to any third-party practices, websites, or services, including of Eye Care Providers, whether or not referenced in or linked from our Services. Each third party will have its own privacy practices and policies, which you should review before using them.
This Privacy Policy incorporates by reference our HIPAA Notice of Privacy Practices and Biometrics Notice to the extent applicable. Where your personal information is covered by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), such as for protected health information (“PHI”), other privacy and biometrics laws may not apply, and the HIPAA Notice of Privacy Practices may supersede this Privacy Policy and Biometrics Notice. However, we have outlined our respective privacy practices in this Privacy Policy to keep you informed.
How do we collect and use information?
Data for Eye Care Providers
As a vendor for Eye Care Providers, we only collect and use the below data to perform specific activities for and on behalf of each consumer’s Eye Care Provider(s). In this context, Eye Care Providers may use our Services to collect the following categories of data when you provide it, such as through an iPad app for virtual try-on and eyewear fitting services or by uploading data:
· Health Data. This may include, in certain circumstances, your PHI, such as your provider history, prescription information, and insurance data, as well as biometric data, if provided by you or your provider in connection with your use of the Services. For more information, see below and our HIPAA Notice of Privacy Practices.
· Facial Scans. This may include biometric data, such as facial and pupillary distance scans, and related audio and visual data, such as photos or videos that you upload or otherwise share via the Services (collectively, “Facial Scans”), used by Eye Care Providers. As with other data collected for and used by Eye Care Providers, Facial Scans are used in connection with your use of the Services, such as virtual try-on and eyewear fitting services, as well as potential Eye Care Provider marketing, such as by using our virtual try-on (“VTO”) platform in stores or on websites to serve you and to identify specific products or services that are relevant to you for future purchases. We do not seek to identify you through facial recognition algorithms. Facial Scans may constitute PHI under HIPAA. For more information, see our HIPAA Notice of Privacy Practices and Biometrics Notice. See also your Eye Care Provider terms.
· Contact and Background Information. This may include, in certain circumstances, your name and other identifiers, email address, phone number, address, date of birth, age, information about your transactions, and communications if you provide the data through the Services. In many cases, Eye Care Providers will collect this information directly, without our collection. Where we collect this type of information, we use it for business purposes to assist with your use of the Services, rather than for our marketing.
· Device Data. This may include automatically-collected internet and technical data from first-party cookies, such as to preserve multi-session log-ins. While we do not use any third-party or marketing cookies, each Eye Care Provider will have its own practices and privacy policies. You can change your cookie settings in your internet browser and use settings on your mobile device to manage your privacy controls.
Other Types of Data
· Usage and Transactional Data. When you use the Services, we may collect usage and transactional data, such as information about what products are viewed or purchased. This may also include device data. We do not use this information to uniquely identify any user. Rather, as outlined below, we may use this data in the aggregate, de-identified, or similar form, subject to the legal requirements under applicable laws.
· Eye Care Provider and Business Information. If you use our Services as an Eye Care Provider, including through our sales contact page or by contacting us, we collect the information you provide to consider a potential business relationship and separate contract with you and to fulfill our Services for you. Data may include names and contact information for your business and representatives, store locations, communications, and other information the business provides to us.
· Employment and Education Data. If you provide this information to us, such as if you apply for a job and forward your resume, we may collect your professional, employment, or education history for business purposes, such as reviewing job applications.
· Public Data. If you publicize something about Topology or our Services, we may collect and use it for business purposes, such as reviewing and improving our Services, and commercial purposes, such as sharing a public review posted to social media.
· Aggregate and De-Identified Data. We may collect and use this information as authorized by applicable laws. For example, we may consider aggregate group analytics for business purposes of improving our Services without reasonably identifying you. Where we use data in de-identified form, we will remove all known identifying information and only maintain and use the information in de-identified form; and we will not attempt to re-identify the information (except as strictly required to comply with applicable laws).
Purposes for Collection and Use
To expand on the specifics outlined above, we collect and use information for these purposes:
· As a Vendor. We collect and use information to provide the Services in our capacity as a vendor for Eye Care Providers, which furthers our business purposes, namely, to provide and improve our Services, including to facilitate your finding of eyewear with an Eye Care Provider and to personalize your experience. Eye Care Providers may, in turn, use information to provide goods and services to you, to obtain analytics or reports on usage of the Services or shopping and transactional data, or for their commercial purposes. You should review any separate Eye Care Provider terms.
· Internal and Legal. We collect and use information to provide the Services, as well as to monitor and improve the Services, which furthers our business purposes as a service provider. For example, we may use information for troubleshooting issues, debugging for functionality, auditing interactions, internal training, adding new features, and research subject to applicable laws. We may also use data to comply with applicable laws, for security purposes, and to protect against harmful activity as authorized by law.
· Other. We may collect and use data in the aggregate, de-identified, anonymized, or pseudonymized form, subject to any applicable legal requirements, for business purposes, such as providing and improving the Services, as well as for potential commercial purposes, such as analyzing or selling aggregate data. Moreover, while rare, we may otherwise use data as instructed by you and with your consent.
When do we disclose information?
Generally, we may disclose personal information as follows for business purposes to provide and improve the Services and comply with legal and contractual obligations.
· Eye Care Providers. We share your data with your chosen Eye Care Provider(s) as applicable to provide the Services. For example, if you scan your face using the Services with an Eye Care Provider, that data will be available to your Eye Care Provider.
· Company Parties; Merger or Sale. We may share information with affiliated companies that are related to us under a common ownership where they comply with this Privacy Policy. Such disclosure is for our business purposes, including to provide and improve our Services. Further, we may share information as part of a sale, merger, acquisition, or other change in control or entity status, either in whole or in part, where your data will be subject to substantially the same restrictions as outlined herein. We reserve the right to transfer or assign your information as part of any such transaction or investigation.
· Service Providers. We share information with service providers that allow us to provide and improve the Services. Service providers only use your information for a contracted-business purpose and do not otherwise use the data. Such disclosure is for our business purposes, in particular, to provide you with the Services that you have requested.
· Legal Process and Protection. We may disclose information as necessary to comply with our legal obligations, such as to respond to government or law enforcement requests, legal processes, subpoenas, and court orders. We may disclose information when we believe it is necessary to investigate, prevent, or respond to illegal, fraudulent, or injurious actions or security incidents that may cause harm to us, the Services, or others. We may also disclose information in good faith where necessary to investigate or enforce a violation of this Privacy Policy, our terms, or legal rights.
· Consent. We may disclose information as requested or consented to by you.
Do we sell or share information?
No, we do not sell personal information, including PHI/Facial Scans. We likewise do not “share” personal information for cross-context advertising, such as regulated by California privacy laws.
How do we protect and transfer information?
Consistent with others in our industry, we take efforts to employ technical, administrative, and physical security measures for personal information, taking into account reasonable security procedures and accessible technology. However, no system can be completely secure; and we cannot promise, and you should not expect, that your personal information will always remain secure. Your provision of personal information is at your own risk. The safety and security of your information also depends on you. Take steps to safeguard your passwords and other data and notify us as soon as possible if you believe your relevant security has been breached.
Regarding transfer of personal data, information is processed and stored in the locality where it is collected (e.g., European scans in Europe, American scans in the US, etc.).
How long do we retain information?
We retain personal information for the length of time necessary to fulfill the purposes outlined in this Privacy Policy, unless a different retention period is requested by you or required by applicable laws. For example, we will retain your personal information for as long as it is needed to provide you with the Services or fulfill a legal or contractual obligation. We may also aggregate, de-identify, or anonymize data as applicable for use in analytics, such as to track trends over time without identifying you. For requests to delete data, see below.
We use the following criteria to determine how long we retain personal information: (a) our relationship with you, such as if there is an open contract or account or a pending transaction or request; (b) legal obligations to retain personal information for certain purposes, such as to maintain transaction records, including under HIPAA and state laws; and (c) other obligations or considerations relating to the retention of data, such as contract requirements (for example, agreements with Eye Care Providers), litigation holds, investigations, or statutes of limitation. Subject to these criteria, we generally delete unregistered account data after 72 hours and retain registered account data as long as required by your respective Eye Care Provider, which may depend on whether your data constitutes PHI and where you reside. For more information, see our HIPAA Notice of Privacy Practices and Biometrics Notice. If you did not encounter a specific retention period mentioned at the time of taking your scan, the maximum length of time it would be retained is 3 years.
What are your privacy rights?
If you want to make a privacy request or have any questions, please make a request through the respective Eye Care Provider who controlled your transaction. You may also contact us as outlined below with your full name and email address used in connection with the Services so that we can verify your request. If an authorized agent is making a request on your behalf, the agent should provide its name and contact information, such as an email address, in addition to your information. If you are requesting to access or change sensitive data, we may require additional verification. There may be situations where we cannot grant your request, for example, if you make a request and we cannot verify your identity, or if you request deletion of data that we have a legal obligation to keep. Where we deny your request, we will take steps to inform you of the denial and provide an explanation for our actions and reasons for the denial.
Applicable privacy laws have different requirements and depend on various factors, such as where you live and how much revenue or data is at issue. Generally, we adhere to the following set of privacy rights to the extent applicable and subject to any limitations authorized by law.
· Access. You can access and obtain your data and ask us for certain information, including: the categories of personal information collected and used; the categories of the sources of data at issue; the business or commercial purposes for any collecting, selling, or sharing of data; the categories of third parties to whom data is disclosed; and the specific pieces of personal information collected. You also have a similar right to data portability (i.e., the ability to export, back up, and transfer data).
· Amend. You can amend, correct, or rectify your data if it is inaccurate.
· Delete. You can have your data deleted subject to certain legal limitations.
· Limit. You can limit the processing of your data.
· Opt-Out. You have the right to opt-out of certain data practices. For example, you can unsubscribe from marketing communications or data sales if applicable to you.
· Complaints. You have the right to make certain complaints, including for privacy concerns. We value your feedback and seek the opportunity to work with you on any issues. You have the right to no discrimination for asserting your privacy rights.
· Specific State Laws. Several states have enacted privacy laws that may apply to you, depending on the circumstances. For example, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), governs certain privacy practices. Under California’s “Shine the Light” law, California residents may also request certain information regarding sharing of personal information with third parties for direct marketing purposes. Further, if you are a California resident under the age of 18, California Business & Professions Code Section 22581 permits you to request and obtain removal of content you have publicly posted. Please note that such a request does not ensure complete or comprehensive removal of public content.
· International Laws. Generally, if you are a resident of the European Economic Area (“EEA”), you have the right to access your own information that we hold; to ask that your information be corrected, updated, or erased; and the right to object to, or request that we restrict, certain processing of your information. Our legal basis for collecting and using your personal data is your consent, the fulfillment of our obligations pursuant to the contract created with Topology, or where the collection and use is in our legitimate interests and does not violate your data protection interests or fundamental rights. You may withdraw your consent to our collection and use of your personal data. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your information used in reliance on lawful processing grounds other than consent. Residents of other countries, including Canada, may have similar or additional rights, which we will respect. If you have any questions, or if certain other privacy laws apply to you, please contact us to make a request, and we will strive to comply.
What are our practices regarding special categories of data?
Do we collect data about children?
No, we do not knowingly collect any personal information about children under the age of 13 (or other requisite age if higher), and if we obtain actual knowledge that we have collected such information, we will delete it from our database, including under the Children’s Online Privacy Protection Act (“COPPA”). We do not have actual knowledge of “selling or sharing” the personal information of consumers under the age of 16, including under the CCPA. If you are a parent or legal guardian of a minor child, you may use our Services on behalf of such minor child. If you have questions concerning our information practices with respect to children, or if you believe a child under the requisite age has provided us with personal information, please email us at privacy@topologyeyewear.com. You should also consult with your respective Eye Care Provider for more information about your Eye Care Provider’s terms and privacy practices.
Do we use or disclose sensitive information other than as expected?
No, any use or disclosure of your sensitive data is necessary to provide the Services and reasonably expected by you. Put differently, we do not generally use or disclose sensitive personal information for purposes other than those reasonably necessary and expected. The Services include use and disclosure of certain data that may be sensitive, such as sharing Facial Scans with your selected Eye Care Provider(s). However, the CCPA, for example, provides for the following uses without additional disclosures where the information is reasonably necessary and proportionate to: (a) perform certain services, such as verifying information; (b) verify or maintain the quality or safety of the Services; (c) perform services or provide goods reasonably expected; (d) for short-term use where there is no disclosure or profiling; and (e) resist malicious, fraudulent, or illegal actions or to ensure physical safety.
Do we offer financial incentives for your data?
No, we do not offer consumers incentives related to the collection, retention, or sharing of data. If an Eye Care Provider offers a financial incentive, you will be subject to their separate terms.
Do we respond to DNT signals?
Our Services do not respond to DNT (Do Not Track) requests. DNT is a feature that, when enabled, sends a signal to websites to request that your browsing not be tracked.
How do we update this Privacy Policy?
We will update this Privacy Policy when our privacy practices change or as otherwise required or permitted by law. Each time you use the Services, the current version of this Privacy Policy will apply. Unless we receive your express consent, any materially revised terms will apply only to information collected after the effective date of the revised Privacy Policy.
How can you contact us?
Please contact us with any questions or concerns. We can be reached at:
Bespoke, Inc. dba Topology Eyewear
3260 19th St., San Francisco, CA 94110
https://www.topologyeyewear.com/contact
HIPAA Notice of Privacy Practices
Summary
This HIPAA Notice of Privacy Practices (“Notice”) is a summary of privacy rights and practices under HIPAA. Eye Care Providers, which are separate third parties, may be covered entities under HIPAA, and we may be required to follow certain requirements as a business associate. If applicable, the terms of this Notice shall govern over other privacy notices. This Notice is incorporated by reference into our Privacy Policy, which contains applicable definitions.
Use and Disclosure of PHI
Generally, we use and disclose PHI for the normal business activities of facilitating your eyewear search and purchase with your selected Eye Care Provider, including by allowing you to use our virtual try-on and eyewear fitting services to obtain better fitting eyewear and more precisely designed and manufactured corrective lenses.
We keep records of PHI that you provide through the Services, which may include your Facial Scans, and other related information, for as long as required or allowed under applicable laws, subject to instructions from you and your Eye Care Provider. Your Eye Care Provider may also collect other information, such as your vision insurance plan and prescription information. This information is shared with your Eye Care Provider(s) as directed by you.
To the extent permitted under HIPAA, we may use PHI to improve the Services, to train staff, and for customer support and internal authorized business purposes.
We may also use or disclose your PHI as outlined in our Privacy Policy, such as to comply with legal obligations, such as responding to subpoenas, court orders, and law enforcement requests, or to prevent serious threats, subject to applicable laws; to communicate with Eye Care Providers and other individuals authorized to be included in your care; to communicate within our company to provide the Services to you; to provide information to our service providers and vendors as necessary to perform the Services; and to fulfill your requests or otherwise with your lawful consent as required under applicable privacy laws. Further, we may use aggregate or de-identified data subject to the legal requirements under applicable laws.
Your Eye Care Provider(s) may use and disclose your PHI in additional ways, which they should outline separately to you. Such uses may include facilitating provision of your eyewear and marketing different eyewear to you using information you have provided, both at the time of your virtual try-on and eyewear fitting services or at a later time if agreed to by you.
Responsibilities with Respect to PHI
We are required by HIPAA to:
· Maintain the privacy and security of your PHI
· Provide this Notice about our duties and privacy practices regarding PHI
· Abide by the effective Notice
· Notify you of any covered security breach of PHI
HIPAA Rights for PHI
If we have your PHI, you have the following rights, in addition to those in our Privacy Policy. We will respond to requests within the authorized time required. We may charge a reasonable fee if allowed by law. Your medical power of attorney or legal guardian may exercise your rights.
· Inspect and Amend. You may inspect, copy, and amend certain portions of your PHI. We will provide a copy or a summary. We will inform you of any denial of a request.
· Disclosures. You may request an accounting of the disclosures of your PHI, subject to certain limitations. You may also request restrictions on how we use or disclose your PHI. We will inform you of any denial of a request.
· Communications. You may request that we communicate with you in a specific way, such as by email, and we will comply with reasonable requests.
· Paper copies. You have the right to obtain a paper copy of this Notice at any time.
Notice Changes
We may update the Notice as outlined in our Privacy Policy, and we reserve the right to do so. Your continued use of the Services constitutes your acceptance of the terms of the then-effective Notice. The effective date of this Notice is the same as our effective Privacy Policy.
Complaints
If you believe there has been a HIPAA violation, you may start a complaint by contacting us as outlined below. To file a complaint with the Secretary of Health and Human Services, you can contact them at (877) 696-6775, 200 Independence Avenue SW, Washington, DC 20201, www.hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against you or penalize you for asserting your privacy rights, such as filing a HIPAA complaint.
Contact Us
Please contact us with any questions or to assert your rights. We can be reached at:
Bespoke, Inc. dba Topology Eyewear
3260 19th St., San Francisco, CA 94110
https://www.topologyeyewear.com/contact
Biometrics Notice
Summary
This Biometrics Notice informs you or your authorized representative that a biometric identifier or information may be collected and stored if you use parts of the Services, namely our virtual try-on and eyewear fitting experience to create Facial Scans for eyewear. This Biometrics Notice only applies if certain laws apply to your use of the Services, e.g., it does not apply where HIPAA or GDPR supersedes certain biometrics laws. This Biometrics Notice is incorporated by reference into our Privacy Policy, which contains applicable definitions.
Biometric Data Collected
Facial Scans (i.e., 3D facial and pupillary distance scans) may be collected through the Services, such as when you use the virtual try-on and eyewear fitting features or upload your photographs. For example, with the virtual try-on feature, the user turns their head side to side while the device collects multiple 3D photographs; these photographs are then stitched together via a machine learning algorithm to produce a precise 3D model of the face. The scan quality around the eye provides only enough fidelity to locate the pupils; it cannot be used to diagnose conditions of the eye or for retinal identification. You should always consult your own separate Eye Care Provider for eye care issues, including for eye health, treatment, prescriptions, and diagnosis.
Specific Purposes, Uses, and Disclosures of Biometric Data
Topology only collects biometric data, namely Facial Scans, in its capacity as a service provider or business associate for a given consumer’s third-party Eye Care Provider, i.e., our purpose is to facilitate your interaction and transaction with your Eye Care Provider.
Facial Scans are used in the following ways:
We may also use or disclose your Facial Scans to comply with legal obligations, such as responding to subpoenas, court orders, and law enforcement requests, or to prevent serious threats, subject to applicable laws; to communicate with Eye Care Providers and other individuals authorized to be included in your care; to communicate within our company to provide the Services to you; to provide information to our service providers and vendors as necessary to perform the Services; and to fulfill your requests or otherwise with your lawful consent as required under applicable privacy laws. We do not use any facial recognition algorithm against the Facial Scans; and Facial Scans are not sold to any third party or shared with any third party for cross-context advertising purposes.
Your Eye Care Provider(s) may use and disclose your Facial Scans in additional ways, which they should outline separately to you. Such uses may include facilitating provision of your eyewear and marketing different eyewear to you using information you have provided, both at the time of your virtual try-on and eyewear fitting services or at a later time if agreed to by you. You should review your Eye Care Provider(s)’ terms and privacy policy for more information.
Biometric Data Storage, Retention, and Deletion
Facial Scan data is stored on an Amazon Web Server in the locality where it is collected (European scans in Europe, American scans in the US, etc.). Scans are encrypted in transmission and at rest. Direct access to the 3D scan files is carefully controlled; only those employees who have a legitimate business need at Topology can directly access the Facial Scans, and they are required to follow specific protocols to download data and to delete it consistent with our data retention policy. There may be correspondence tables linking Facial Scans to an individual only as necessary to respond to potential customer requests. Given the ongoing use of Facial Scans for periodic eyewear, you may use Facial Scans for subsequent eyewear fittings and purchases through your Eye Care Provider(s).
Subject to applicable laws, biometric data, if it is not considered PHI subject to HIPAA or otherwise covered by other retention requirements, will be retained for 3 years from the last transaction with a respective customer or until the initial purpose for collecting biometric data has been satisfied, whichever comes first, unless a different time is required by law, after which time it will be deleted or only used in an aggregate or de-identified form.
At any time, you have the right to remove your email, contact information, or any other data we have collected about you (including Facial Scans) from our systems by emailing us at privacy@topologyeyewear.com. If we delete your Facial Scan at your request, we will be unable to provide certain Services without you subsequently uploading another scan.