Privacy policy
Effective 2019 March 1
Our company, Nutikas Vision OÜ, and its subsidiaries and affiliated companies collect your personal data for the purpose of selling vision improvement products and services: eyewear (glasses, contact lenses, frames and the like) and related services including optometric services. In the document below you will find detailed information on what personal data we collect and for which purposes, how it is processed, stored and transferred, what your rights are and how to contact us.
Except as otherwise noted in this Privacy Policy, Nutikas Vision OÜ is the data controller. This term here and below has the same meaning as the one in the EU General Data Protection Regulation (hereinafter GDPR), and implies that we decide and define how and why the information you provide to us is processed. We may contract other data processors for the purpose of technology platform provision and website hosting.
Types and categories of personal data we may process:
- Name (first name, any given names, last name/surname), birth date, phone number, email;
- Photos provided by you;
- Visual prescription data;
- Purchases data of personal lenses and frames / Order history;
- IP address;
- Personal login parameters when user logs in using Facebook authentication;
- Personal login parameters when user logs in using Google authentication.
- Cookies and other tracking technologies (technical data gathered from website browsing):
Cookie identifier | Description and purpose | Creation moment | Validity |
---|---|---|---|
connect.sid (our site cookie) | Session cookie to remember user who was connected and authenticated | After connection and authentication in system | Until end of browser session or disconnection (logoff) |
cookieShown (our site cookie) | Cookie which records agreement with cookies and privacy policy in website | After agreement with cookies consent message | 10 years after moment of creation |
Lang (our site cookie) | Website language settings choice – identifies which language page is viewed | On first page visit or after change of language | 10 years after moment of creation |
Visited (our site cookie) | Identifier used to record unique page visit | First visit to webpage | Until end of browsing session |
Google Analytics (third party cookie) | Group of cookies used to assess your website browsing habits and gather statistics. Detailed list and information on those cookies: here | First visit to webpage | Detail info in Google page. Opt out – in here |
Google services and advertising cookies group (third party cookie) | Google marketing cookies record and may impact which online advertisements are shown. Detail info in: here | Until end of browsing session | Detail info in Google page. Opt out – in here |
Facebook advertising cookies group (third party cookie) | Facebook cookies show advertising according to which pages the user visited. Detail info and policies in Facebook page: here | Until end of browsing session | Detail info in Facebook page, opt-out and preferences: here |
Fittingbox cookies (third party) | Fittingbox website component (for virtual try-on) may have its own cookies needed for functionality of online shop. | Until end of browsing session | Detail info in Fittingbox Privacy Policy here |
Additionally, you do have a possibility to review how cookies are managed in most popular browsing platforms. Please note that the information below is provided by respective browser owners and presented here only for informational purposes.
Chrome & Android, also Google browsers in iPhone and iPad: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en-GB
Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
Safari (Mac): https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac
Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Age Restrictions:
We do restrict site use to 18 years or younger persons to ensure an appropriate understanding of the products or services purchased and ability to carry out financial transactions.
If it is discovered that unknowingly or due to misinformation we have collected personal data from someone under 18, or any other or unnecessary personal data was submitted, we would delete this information immediately.
How data is collected
Personal data can be collected in several ways:
- directly from you in our online shop or by our employee;
- in the process of product or service purchase online;
- directly or online by our employee – an optometrist, who is obligated to perform an eyesight testing and is not allowed to relate test results to any other personal data;
- from third parties (e.g. Facebook, Google, other publicly accessible advertising engines);
- we may derive new information from the already submitted information by creating our records about your interactions with us.
Personal data collection purposes
We may process personal data for the following purposes:
- selling and otherwise providing products and services to you;
- contacting you;
- providing the agreed advertising services directly related to our products and services;
- analyzing engagement with you as part of audience which uses our products and services;
- observing your browsing and purchase activity in our online shop;
- managing and securing our internal IT systems / financial systems / IT security systems / online shop;
- compliance to applicable laws;
- improving and customizing our services and website usability.
Lawfulness of processing
When processing your personal data for the purposes set in this Privacy Policy, we do rely on the below legal bases:
- Contractual necessity: in case you are entering into a contract with us, your personal data and other information processing may be necessary in order to fulfill the contract;
- Legitimate interests: your personal data may be processed where we have a legitimate interest for the purposes outlined in this Policy and nature of our business, on condition that those interests are not overriding your legitimate interests, fundamental rights or freedoms;
- Compliance to the law: your personal data may be processed when it is required by the applicable law;
- Consent: when you have provided a prior expressed and explicit voluntary consent for such processing (the consent can be recalled at any time).
Data transfers to and from other personal data processors or controllers
Personal data can be transferred to and from other personal data controllers in those cases:
- Virtual try-on of glasses: third party application used and some pseudonymised personal data is transferred. Privacy Policy of the FittingBox can be found here: https://www.fittingbox.com/en/legal-information-general-terms-and-conditions#data-privacy . FittingBox Europe (644 Voie l’Occitane, 31670 Labège, France) is a personal data processor as per our agreement. Any cookies collected or other personal data used are stored in Europe by Amazon Web Services. Its declaration of GDPR compliance can be found here: https://aws.amazon.com/compliance/gdpr-center/
- Login using Facebook or Google authentication: those personal data controllers can act as login service providers and transmit personal data to SIA Smart Vision online shop; their applicable privacy policies can be found on their sites. In this case, transfer of the login data is the responsibility of Google and Facebook respectively.
- Facebook authentication to log in to our site: if you choose to authenticate and login to our site through Facebook Connect (login using Facebook account), the process is managed by Facebook and their privacy policy: https://developers.facebook.com/policy . We do receive name, surname, profile picture, e-mail address.
- Google authentication to log-in to the site: if you choose to authenticate and login to our site through Google, the process is managed by Google and their respective privacy policy outlined at https://developers.google.com/terms/api-services-user-data-policy . We do receive name, surname, profile picture, e-mail address, Google ID.
- Email newsletter sending (when we have your consent): we use the MailChimp service to send information to you. The privacy policy of this service can be found at https://mailchimp.com/legal/privacy/
How long personal data will be stored?
We collect, store, process, transfer data according to the GDPR and local legal regulations.
- In case of any commercial transaction done through our online shop, we are obliged to keep commercial transaction data for 10 years;
- In case of consent for marketing newsletters we keep personal data for one year, then request new consent or, if consent is not received, delete the data;
- Cookies: detailed information is presented in Chapter above “Types and categories of personal data we may process”.
Your rights and our compliance to the GDPR principles
The GDPR outlines basic principles on how to deal with personal data. On the basis of those principles you as a personal data subject can exercise your rights. Please note that data subject rights are not absolute, e.g., the so-called “right to be forgotten” in some cases cannot be fully or immediately exercised as we are required to keep your personal data due to legal requirements.
Lawfulness, fairness and transparency: we take all possible and reasonable efforts to ensure that your personal data is collected, processed, stored and transferred fairly and transparently and according to this Policy. Moreover, we have taken measures to ensure that third parties (personal data processors) that we engage comply with the GDPR and are technically capable of demonstrating their compliance with the GDPR and with the best practices of privacy assurance.
Purpose limitation: we do commit that personal data is used only for those purposes and in circumstances outlined in this Policy and is not transferred, sold or in other ways disclosed to other third parties or used for the purposes not mentioned in this Policy.
Data minimization: where possible we use minimal sets of personal data, including technical methods such as pseudonymization and disintegrating personal data items in order to avoid unnecessary identification where it is not needed for the purposes outlined in this Policy.
Accuracy: we are making reasonable effort to keep your personal data accurate and up-to-date.
Storage limitation: detailed information can be found in Chapter “How long personal data will be stored?”. The information on cookies storing period is available in Chapter “Types and categories of personal data we may process”.
Integrity and confidentiality: personal data is secured using various organizational and technical measures, including encryption of personal data in the database, separation of personal data in different databases, and use of physically distributed databases in the EU territory. Additionally, all other best practices of information security are used: limited and restricted access to personal data by authorized personnel only, various website security measures and others. Due to the sensitive nature of IT security issues, we reserve the right not to disclose publicly all the information on security and protection methods.
We do understand and support those data subject rights arising from the implementation of key GDPR principles:
The data subject’s right of access: you have the right to know if your personal data is processed by us.
The data subject’s right to rectification: you have the right to request correction of inaccurate information.
Right to erasure or right to be forgotten: this right can be implemented with exceptions where we may be obliged by the law to keep personal data in records of financial transactions.
The data subject’s right to restriction of processing: you can request limitation or restriction of personal data processing in case it does not override other legal obligations to which we are subject as the officially registered business in Latvia and EU.
The right to data portability: you can request that your personal data is exported in computer readable format. Please note that due to limitation of storage we immediately delete personal data which is not necessary for fulfilling the contract or for the operation of our website.
The data subject’s right not to be subject to a decision based solely on automated processing: we do not carry out any automated profiling which produces legal effects concerning you as the data subject.
Right to lodge a complaint with a supervisory authority
For any requests regarding personal data and the operation of our online shop, the contact information is below in section “General & contact details”.
According to the GDPR, data subjects have a right to lodge a complaint with a supervisory authority. In case you believe that the way we process your personal data infringes the GDPR and, therefore, public authorities should be involved, please find the list of supervisory authorities in a respective country. The complaint must be lodged with the supervisory authority of the EU member state where the data subject has their habitual residence or place of work, or of the member state where the alleged infringement occurred.
Austria - Österreichische Datenschutzbehörde - http://www.dsb.gv.at/
Belgium - Commission de la protection de la vie privée http://www.privacycommission.be/
Bulgaria - Commission for Personal Data Protection http://www.cpdp.bg/
Croatia - Croatian Personal Data Protection Agency http://www.azop.hr/
Cyprus - Commissioner for Personal Data Protection http://www.dataprotection.gov.cy/
Czech Republic - The Office for Personal Data Protection http://www.uoou.cz/
Denmark - Datatilsynet http://www.datatilsynet.dk/
Estonia - Andmekaitse Inspektsioon http://www.aki.ee/en
Finland - Office of the Data Protection Ombudsman http://www.tietosuoja.fi/en/
France - Commission Nationale de l’Informatique et des Libertés (CNIL) http://www.cnil.fr/
Germany - Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit http://www.bfdi.bund.de/
Greece - Hellenic Data Protection Authority - http://www.dpa.gr/
Hungary - National Authority for Data Protection and Freedom of Information http://www.naih.hu/
Ireland - Data Protection Commissioner http://www.dataprotection.ie/
Italy - Garante per la protezione dei dati personali http://www.garanteprivacy.it/
Latvia - Datu valsts inspekcija (Data State Inspectorate) http://www.dvi.gov.lv/
Lithuania - State Data Protection Inspectorate http://www.ada.lt/
Luxembourg - Commission Nationale pour la Protection des Données http://www.cnpd.lu/
Malta - Office of the Data Protection Commissioner http://www.dataprotection.gov.mt/
Netherlands - Autoriteit Persoonsgegevens https://autoriteitpersoonsgegevens.nl/nl
Poland - The Bureau of the Inspector General for the Protection of Personal Data (GIODO) http://www.giodo.gov.pl/
Portugal - Comissão Nacional de Protecção de Dados http://www.cnpd.pt/
Romania - The National Supervisory Authority for Personal Data Processing http://www.dataprotection.ro/
Slovakia - Office for Personal Data Protection of the Slovak Republic http://www.dataprotection.gov.sk/
Slovenia - Information Commissioner https://www.ip-rs.si/
Spain - Agencia de Protección de Datos https://www.agpd.es/
Sweden - Datainspektionen http://www.datainspektionen.se/
United Kingdom - The Information Commissioner’s Office https://ico.org.uk
General & Contact Details
This Privacy Policy may be revised or edited at any time. Please check this Policy regularly for any changes.
Should you have other questions or concerns about our Privacy Policy and practices, please select the most convenient way to contact us. Please bear in mind that in case of any requests related to your personal data, we will need to identify you before providing any information or taking any action related to your personal data.
Contact information of the data controller representatives:
Nutikas Vision OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Pille tn 7/5-13, 10135