- your use of our website [https://optica.africa/] (for example, when you sign up for any of the Optica services, sign up as a customer through our website, or otherwise use our website);
- any information you may provide to a member of the Optica team in our branches/stores when using any of the services provided by Optica as a customer;
- information provided by suppliers, and other third parties engaged by Optica;
- information provided to Optica when you purchase a product or service both online and in our branches/stores; and
- data provided to Optica when you take part in any of our marketing campaigns, promotions, loyalty programmes and competitions.
This Policy has been prepared in accordance with the Kenya Data Protection Act 2019 (‘the DPA’).
We do not knowingly collect personally identifiable information from anyone under the age of 18. Before we collect Personal Data of persons under the age of 18 for provision of the Optica Services mentioned above, we will always request the parent/guardian to sign off and consent to such collection of a minor’s Personal Data. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental or guardian consent, we will take steps to remove that information from our servers and files/records.
We will only keep your information for as long as we are either required to by law or as is relevant for the purposes for which it was collected.
You can visit our website and browse without having to provide personal details. During your visit to the website you remain anonymous and at no time can we identify you unless you have an account on the website and log on with your user name and password.
Where we need to collect Personal Data by law, or under the terms of a contract we have with you, and you do not provide that Personal Data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or our Optica Services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.
Data that we collect and how we use it
We may collect various pieces of information if you seek to place an order for a product or service with us at our branches/stores and on the website so that we can provide the Optica Services.
We collect, store and process your data for processing your purchase on the website and in-store and any possible later claims, and to provide you with our Optica Services. We may collect personal information including, but not limited to, the data groups set out below:
Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Health Data includes data related to the state of physical or mental health of customers, including records regarding the past, present, or future state of general health, optometrist tests and diagnoses, and data collected in the course of registration for, or provision of, the Optica Services, specifically optometrist services.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Technical and Location Data
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website, products and Optica Services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We use different methods to collect data from and about you, including through:
Direct interactions: You may give us your Personal Data with your express consent by filling in forms at our branches/stores or by corresponding with us by post, phone, email or otherwise. This includes Personal Data you provide when you:
- purchase or use our products or any of the Optica Services;
- create an account on our website or at our stores/branches;
- subscribe to our service or publications;
- request marketing to be sent to you;
- enter a competition, promotion or survey; or
- give us feedback or contact us.
How we use your Personal Data and the lawful bases for using your Personal Data
We will use your Personal Data in the following circumstances:
- where we need to perform the Optica Services (i.e., performance of the contract we are about to enter into or have entered into with you);
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
- where we need to comply with a legal obligation.
We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your Personal Data where more than one ground has been set out in the table below.
| Purpose | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a new customer both online and in our branches/stores. | (a) Health Data | Performance of a contract with you |
| To process and deliver your order including: (a) Manage payments, fees, and charges; (b) Collect and recover money owed to us | (e) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to recover debts due to us and to comply with the Proceeds of Crime and Anti-Money Laundering Act, No. 9 of 2009 as amended from time to time) |
| To manage our relationship with you which will include: (a) Regular check-ups and follow up appointments; (b) Asking you to leave a review or take a survey | (b) Health Data; (c) Profile and Contact; (d) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To enable you to partake in a prize draw, our loyalty programme, any competition or complete a survey | (e) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation under consumer protection law and cybersecurity law. |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (e) Marketing and Communications | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (f) Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) |
We will use the information you provide to enable us to process your orders and to provide you with the Optica Services and information offered through our Optica Services offering and which you request. We will use your Personal Data as set out above under the legal basis for processing Personal Data under the DPA, 2019, where processing is in our legitimate interests, and it’s not overridden by your rights provided you have indicated that you have not objected to being contacted for these purposes.
We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising. We have established a One Time Password (OTP link) mechanism and a signature box where you can view and make certain decisions about your Personal Data use. The OTP will also contain a link https://optica.africa/pages/privacy-policy where you can view how we use your Personal Data. The OTP will be sent to you via short messaging service (SMS) upon receipt of your consent and signature, and fits within the standard 160-character limit for 1 SMS. Subject to obtaining your express consent, we may contact you with details of other products and services. If you prefer not to receive any marketing communications from us, you can opt out at any time as described below.
Promotional offers from us
We may use your identity, contact, technical, usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased goods or Optica Services from us and you have not opted out of receiving that marketing.
When you consent and opt-in to receiving our information, we may also send you other information about us, the website, our products, sales promotions, our newsletters, anything relating to other companies in our group or our business partners. If you would prefer not to receive any of this additional information as detailed in this paragraph (or any part of it) please click the ‘unsubscribe’ or opt-out and OTP link in any email/communication that we send to you (further described below). You may choose to call us or send us an email to firstname.lastname@example.org to opt-out of receiving such communication. Within 7 working days (days which are neither (i) a Sunday, nor (ii) a public holiday anywhere in Kenya during which banks are closed for business) of receipt of your instruction we will cease sending you the information as requested. If your instruction is unclear, we will contact you for clarification.
We will get your express opt-in consent before we share your Personal Data with any third party for marketing purposes.
You can ask us or any third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message/e-mail sent to you with an OTP or by contacting us at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of signing up for Optica product/Service purchase, warranty registration, and product/service experience.
We may pass your name and address on to a third party in order to make delivery of the product to you (for example to our courier or supplier).
You must only submit to us the information which is accurate and not misleading and you must keep it up to date and inform us of any changes.
Your actual order details may be stored with us but for security reasons cannot be retrieved directly by us. However, you may access this information by logging into your account on the website or requesting our Data Protection Officer or our staff at our stores for your records and data. Thereafter you will be able to view the details of your orders that have been completed, those which are open and those which are shortly to be dispatched and administer your address details, bank details (for refund purposes) and any newsletter to which you may have subscribed. You undertake to treat the personal access data confidentially and not make it available to unauthorized third parties. We cannot assume any liability for misuse of passwords unless this misuse is our fault.
Transfer of Data
Where we transfer your Personal Data out of Kenya, we ensure a similar degree of protection is afforded to it by ensuring that there are appropriate safeguards in place with respect to the security and protection of your Personal Data. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of Kenya.
Other uses of your personal information
We may use your personal information for opinion and market research. Your details are anonymous and will only be used for statistical purposes. You can choose to opt out of this at any time by notification to us. Any answers to surveys or opinion polls we may ask you to complete will not be forwarded on to third parties. Disclosing your email address is only necessary if you would like to take part in competitions. We save the answers to our surveys separately from your email address.
Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We may further anonymize data about users of the Optica Services and website generally and use it for various purposes, including ascertaining the general location of the users and usage of certain aspects of the website or a link contained in an email to those registered to receive them, and supplying that anonymized data to third parties such as publishers. However, that anonymized data will not be capable of identifying you personally. We may also collect information on how the website is accessed and used (“Usage Data” defined above). This Usage Data constitutes Personal Data.
We have in place appropriate technical and security measures to prevent unauthorized or unlawful access to or accidental loss of or destruction or damage to your information. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
When we collect data through the website, we collect your personal details on a secure server. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you. You are responsible for protecting against unauthorized access to your password and to your computer. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Your rights as a data subject
You have the right to:
Request access to your Personal Data (commonly known as a "data subject access request"). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios:
- If you want us to establish the data's accuracy.
- Where our use of the data is unlawful, but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform our contract with you.
Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
At any stage you also have the right to ask us to stop using your personal data for direct marketing purposes and withdraw your consent by notification to us through the contact details provided below. Note that some of these rights are limited by other rights to data protection. You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights).
SECTION 1 - WHAT DO WE DO WITH YOUR INFORMATION?
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address.
When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
Email marketing (if applicable): With your consent (when you opt-in) and permission, we may send you emails about our store, promotions, new products and other updates.
SECTION 2 - CONSENT
We lawfully process your Personal Data after obtaining your express consent in accordance with the provisions of the DPA, 2019 as amended from time to time.
At the point of signing up/registration at any of our physical stores, we will request for your express consent to use your Personal Data by signing the name box/OTP (One Time Password) Box provided in the registration form which our staff will explain to you and assist you to fill and complete. The OTP code and message will contain a link redirecting you to this Policy describing how we use your Personal Data. Once you receive and accept the OTP code, you will be deemed to have authorized us to use your Personal Data for contacting you, to fulfill our legitimate interests and commercial purposes.
If you are accessing our services at our branches/stores, online, or via the website, then we will always request for your consent through the name box/OTP Box provided in the registration form. The registration form will also briefly summarize our reasons for collecting and processing your Personal Data as well as the categories of Personal Data to be collected. This registration form will also contain checkboxes presenting you with the option of opting-in to receive marketing communications and to be signed up for the loyalty points programme. The opt-in and opt-out requests will always be processed through a push-button which sends an OTP code, and you will receive an OTP on your device (mobile, laptop, tablet or such other device) confirming whether you would like to opt-in or opt-out depending on what you are subscribing for.
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your express consent, or provide you with an opportunity to say no through the opt-in or opt-out process.
How do I withdraw my consent?
If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting our Data Protection Officer at email@example.com or contacting us through the mobile numbers provided.
SECTION 3 - DISCLOSURE
We may disclose your personal information if we are required by law to do so, if it is in the public interest or for security purposes, or if you violate our Terms of Service.
SECTION 4 - SHOPIFY
Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Shopify’s Terms of Service (https://www.shopify.com/legal/terms) or Privacy Statement (https://www.shopify.com/legal/privacy).
SECTION 5 - THIRD-PARTY SERVICES
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us. These third parties are obligated to not share or use any of the information other than for the purposes provided.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
As an example, if you are located in Kenya and your transaction is processed by a payment gateway located in Uganda, then your personal information used in completing that transaction may be subject to disclosure under Ugandan legislation.
We may employ third party companies and individuals to facilitate the provision of Optica Services to you as well as maintenance of our website (“Service Providers”), and to provide the website on our behalf, to perform website-related services or to assist us in analysing how our website is used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
SECTION 6 - LINKS
SECTION 7 - SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards.
SECTION 8 - AGE OF CONSENT
By using this website, you represent that you are at least the age of majority in your jurisdiction; or that you have given us your consent to process the Personal Data of your minor dependents and to allow any of your minor dependents to use this website.
SECTION 9 - GOVERNING LAW
By visiting our website or purchasing our products and services, you hereby consent to the exclusive application of Kenyan laws.
QUESTIONS AND CONTACT INFORMATION
If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, contact our Data Protection Officer at firstname.lastname@example.org.
We have appointed a Data Protection Officer (“DPO”). If you have any questions about this Policy, please contact us/them using the details set out below:
Our full details are:
- Full name of legal entity: Optica Limited
- Customer Service Manager
- Email address: email@example.com
If you are not satisfied with the response that you receive from Optica, you may, where applicable, contact the relevant data protection regulator in your jurisdiction.
Optica will provide information on the manner in which complaints to regulators may be made, if requested to do so.