MyEyeRx – Online Window Tint Medical Exemption

Privacy Policy

How MyEyeRx collects, uses, shares, and protects your personal and health information. Last updated April 16, 2026.

Effective: April 16, 2026 | Last Updated: April 16, 2026
Table of Contents (36 sections)
  1. Introduction
  2. Scope and Applicability
  3. Definitions
  4. Information We Collect
  5. Protected Health Information (HIPAA)
  6. Sensitive Personal Information
  7. Information From Third Parties
  8. Automatically Collected Information
  9. How We Use Your Information
  10. Legal Bases for Processing
  11. How We Share Your Information
  12. Service Providers and Vendors
  13. Healthcare Providers
  14. Payment Processors
  15. Legal, Safety, and Compliance Disclosures
  16. Business Transfers
  17. Sharing With Your Consent
  18. Cookies and Similar Technologies
  19. Analytics and Performance Measurement
  20. Advertising and Marketing
  21. Email Communications (CAN-SPAM)
  22. SMS and Phone Communications (TCPA)
  23. Do Not Track and Global Privacy Control
  24. Data Retention
  25. Data Security
  26. Data Breach Notification
  27. Children's Privacy (COPPA)
  28. International Users and Data Transfers
  29. Your Privacy Rights — Overview
  30. California Privacy Rights (CCPA/CPRA)
  31. Other U.S. State Privacy Rights (VA/CO/CT/UT and More)
  32. European Privacy Rights (GDPR / UK GDPR)
  33. How to Exercise Your Rights
  34. Third-Party Links and Integrations
  35. Changes to This Privacy Policy
  36. Contact for Privacy Inquiries

Plain-English Summary

This is a quick summary — the binding policy is in the numbered sections below.

  • We collect the info you give us (name, contact, medical history for Consultations) plus basic analytics so the site works.
  • Health information from Consultations is Protected Health Information under HIPAA and is handled with the extra safeguards that requires.
  • We do not sell your personal or health information.
  • We share only what's needed with service providers (hosting, payment, telehealth, email/SMS) and with the licensed Providers who perform your Consultation.
  • You can ask us what we have, correct it, delete it, or opt out of marketing at any time (see Section 33).

1. Introduction

My Eye Rx (“MyEyeRx,” “we,” “our,” or “us”) respects your privacy and is committed to protecting the personal and health information you share with us. This Privacy Policy explains what information we collect, how we use and share it, the choices available to you, and the security safeguards we maintain.

This Policy applies to information we collect through myeyerx.net, our intake and prequalification forms, email and SMS communications, our telehealth and scheduling vendors, and any other MyEyeRx-branded service that links to this Policy. It should be read together with our Terms of Service.

If you do not agree with this Policy, please do not use our Services.

2. Scope and Applicability

This Policy describes the practices of MyEyeRx. It does not describe the independent privacy practices of the licensed Providers who perform your Consultation — those Providers are separate covered entities under HIPAA and will give you their own Notice of Privacy Practices. It also does not describe the practices of third-party websites or services that we link to; see Section 34 for details on third-party links.

3. Definitions

  • “Personal Information” means information that identifies, relates to, or could reasonably be linked with you — such as your name, contact details, date of birth, payment card, and identifiers.
  • “Protected Health Information” or “PHI” means individually identifiable health information covered by the Health Insurance Portability and Accountability Act (“HIPAA”).
  • “Sensitive Personal Information” means the subset of Personal Information that certain state and international laws specifically protect (for example, precise geolocation, biometric data, health information, or government IDs).
  • “Process” means any operation performed on information, including collection, use, storage, sharing, or deletion.

4. Information We Collect

We collect the following categories of information:

  • Identifiers: full name, date of birth, postal address, email address, phone number, driver’s license or state ID number (when required for a Consultation), IP address, and account identifiers.
  • Health information: medical history, conditions relevant to window-tint exemption, prior optical prescriptions, symptoms, and any documentation you upload or discuss during a Consultation.
  • Payment information: billing name and address, and the last four digits of your payment card plus processor tokens. Full card numbers are handled only by our PCI-compliant payment processor, not by us directly.
  • Commercial information: products and services purchased, order history, and prequalification responses.
  • Communications: the content of messages you send us by email, SMS, webform, chat, or phone, and our responses.
  • Media: photographs, images of identification, or other media you upload as part of a Consultation.

5. Protected Health Information (HIPAA)

Some information collected during or in connection with a Consultation is PHI under HIPAA. PHI is handled under the stricter HIPAA safeguards, including administrative, technical, and physical controls. To the extent we act as a business associate of a licensed Provider, we do so under a written Business Associate Agreement.

Your Provider will give you their own Notice of Privacy Practices describing how they use and disclose your PHI in more detail. Nothing in this Policy limits rights you have under HIPAA or any other law.

6. Sensitive Personal Information

We collect certain Sensitive Personal Information to provide the Services — in particular, health information you share during prequalification or a Consultation, and government identifiers like a driver’s license number when required for medical documentation. We use this Sensitive Personal Information only to provide the Services you request, to comply with law, and to protect against fraud and safety risks. We do not use it to infer characteristics about you for advertising.

7. Information From Third Parties

We may receive information about you from:

  • Independent Providers who perform your Consultation (e.g., confirmation of whether Documentation was issued);
  • Payment processors (e.g., fraud scores and transaction status);
  • Marketing and referral partners you interacted with before reaching us (e.g., which campaign or referrer brought you to the site);
  • Publicly available sources and directories (to verify contact information);
  • Anti-fraud and identity-verification vendors.

8. Automatically Collected Information

When you visit our site or use our Services, we and our analytics providers automatically collect certain information, including your IP address, device type, browser type and version, operating system, screen size, language, referring URL, pages viewed, time spent, and general location derived from your IP address. We use this information to operate the Services, measure performance, diagnose problems, and improve the site.

9. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Services, including scheduling Consultations, processing payments, and fulfilling orders;
  • Connect you with independent licensed Providers;
  • Verify your identity and eligibility, and detect and prevent fraud and abuse;
  • Communicate with you about your account, appointments, purchases, and important service notices;
  • Respond to your questions, complaints, and support requests;
  • Measure and improve the performance and usability of the Services;
  • Personalize content and offers where you have not opted out;
  • Comply with legal obligations and enforce our Terms;
  • Protect the rights, property, and safety of MyEyeRx, our users, and the public.

11. How We Share Your Information

We share your information only as described in this Policy. We do not sell your personal or health information. Specifically, we may share information with (a) service providers and vendors (Section 12), (b) licensed Providers (Section 13), (c) payment processors (Section 14), (d) legal, safety, and compliance recipients (Section 15), (e) an acquirer in a business transaction (Section 16), and (f) anyone you direct us to share with (Section 17).

12. Service Providers and Vendors

We rely on carefully chosen service providers to help us operate the Services, including:

  • Web hosting, content delivery, and analytics;
  • Customer relationship management (CRM) and scheduling;
  • Telehealth and video-conferencing platforms;
  • Email, SMS, and transactional messaging providers;
  • Fraud detection, identity verification, and logging;
  • Security, backup, and disaster recovery.

These vendors may process information on our behalf under written agreements that require confidentiality and limit their use of your information to what we authorize.

13. Healthcare Providers

We share the information necessary for a Consultation with the independent licensed Provider who performs it. This may include your intake responses, uploaded records, and contact details. The Provider processes your PHI under HIPAA and their own privacy notice.

14. Payment Processors

Payment card details are collected and processed by our PCI-compliant payment processors. We receive only limited payment information (such as the last four digits of a card and a processor token) — not your full card number. Payment processors process your information under their own privacy policies.

16. Business Transfers

If MyEyeRx is involved in a merger, acquisition, financing, sale of assets, reorganization, bankruptcy, or similar transaction, Personal Information may be transferred to the counterparty, subject to customary confidentiality and data-protection obligations. We will notify you of any such transfer where required by law.

18. Cookies and Similar Technologies

We and our service providers use cookies, pixels, local storage, and similar technologies to operate the site, remember your preferences, measure performance, and support marketing. You can manage cookie preferences in your browser settings. Disabling certain cookies may impair site functionality. Where required by law, we provide a cookie banner or other consent interface.

19. Analytics and Performance Measurement

We use analytics tools (including Vercel Web Analytics and similar privacy-respecting measurement services) to understand how people use the site so we can improve it. These tools collect information such as pages viewed, referring URL, browser/device type, and approximate location derived from IP address. Where we use vendors that may be considered to be “sharing” personal information under certain state laws, we honor opt-out signals as described in Section 23 and Section 33.

20. Advertising and Marketing

We may use your contact information and Services usage to send you marketing messages about MyEyeRx offers, state-law updates, and educational content. You can opt out of marketing messages at any time using the instructions included in each message or by contacting us. Transactional and safety messages (like appointment confirmations) are not marketing and may continue where permitted by law.

21. Email Communications (CAN-SPAM)

Marketing emails from MyEyeRx include a clear unsubscribe mechanism and a physical postal address, consistent with the CAN-SPAM Act. Unsubscribe requests are honored promptly. If you believe you received a marketing email from us in error, please email Tory@myeyerx.net.

22. SMS and Phone Communications (TCPA)

By providing a phone number, you consent to receive transactional and service-related calls and text messages from MyEyeRx and our service partners at that number, including through automated dialing and prerecorded messages where permitted by law. Message and data rates may apply. Consent to marketing calls or texts is not a condition of purchase. You may opt out of marketing texts at any time by replying STOP to a marketing message; reply HELP for help.

23. Do Not Track and Global Privacy Control

Most browsers offer a "Do Not Track" (DNT) signal, and certain browsers and extensions transmit a Global Privacy Control (GPC) signal. Where required by law (such as under the CCPA/CPRA), we treat a GPC signal as a request to opt out of the sale or sharing of Personal Information associated with that browser. We do not otherwise respond to DNT signals because there is no industry standard for how to do so.

24. Data Retention

We retain Personal Information for as long as necessary to provide the Services, comply with legal obligations (including healthcare-records retention requirements), resolve disputes, and enforce our agreements. Retention periods vary by category. We delete or de-identify information that is no longer needed, subject to legal holds.

25. Data Security

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These safeguards include encryption in transit, access controls, role-based permissions, logging, and vendor security review. No system is 100% secure, however, and we cannot guarantee absolute security. You play an important role in protecting your information by using strong passwords, keeping your contact information current, and contacting us promptly if you suspect a problem.

26. Data Breach Notification

If we experience a data breach that affects your Personal Information or PHI, we will notify you and applicable regulators as required by HIPAA, state breach-notification laws, and other applicable law. Notifications will describe the nature of the breach, the information involved, the steps we are taking in response, and the actions you can take to protect yourself.

27. Children's Privacy (COPPA)

The Services are not directed to children under the age of 13, and we do not knowingly collect Personal Information from children under 13 without verifiable parental consent. If you believe we have collected such information, contact us at Tory@myeyerx.net and we will promptly delete it. Minors age 13–17 should use the Services only with the involvement and authorization of a parent or legal guardian.

28. International Users and Data Transfers

MyEyeRx is based in the United States and the Services are intended for U.S. residents. If you access the Services from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States under U.S. law, which may differ from the laws of your country. Where required, we use appropriate legal transfer mechanisms (such as Standard Contractual Clauses) for cross-border transfers.

29. Your Privacy Rights — Overview

Depending on where you live and the law that applies, you may have one or more of the following rights with respect to your Personal Information:

  • Access — to request a copy of the Personal Information we hold about you;
  • Correction — to ask us to correct inaccurate or incomplete information;
  • Deletion — to request that we delete Personal Information (subject to legal exceptions);
  • Portability — to receive your information in a portable, machine-readable format;
  • Opt-out of marketing — at any time;
  • Opt-out of sale or sharing — where offered by applicable law;
  • Limit use of Sensitive Personal Information — where offered by applicable law;
  • Withdraw consent — where processing is based on consent, without affecting past processing;
  • Appeal — the outcome of a privacy request where offered by applicable law;
  • Non-discrimination — we will not discriminate against you for exercising a privacy right.

30. California Privacy Rights (CCPA/CPRA)

California residents have rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “CCPA”), including the right to:

  • Know what Personal Information we have collected about them;
  • Delete Personal Information we have collected from them (subject to exceptions);
  • Correct inaccurate Personal Information;
  • Opt out of the "sale" or "sharing" of Personal Information (we do not sell Personal Information, and we honor GPC signals as a request to opt out of sharing);
  • Limit the use and disclosure of Sensitive Personal Information;
  • Not receive discriminatory treatment for exercising a CCPA right.

To exercise a California right, see Section 33. Authorized agents may submit requests on your behalf with appropriate written authorization.

31. Other U.S. State Privacy Rights (VA/CO/CT/UT and More)

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have rights similar to those described in Section 29, typically including access, correction, deletion, portability, and opt-outs from targeted advertising and profiling that produces legal or similarly significant effects. To exercise these rights, see Section 33. You may also have the right to appeal our decision on a privacy request; our decision and appeal procedure are described in our response to a request.

32. European Privacy Rights (GDPR / UK GDPR)

If the GDPR or UK GDPR applies to our processing of your Personal Information, you have additional rights, including the right to object to processing based on legitimate interests and the right to lodge a complaint with your local data-protection authority. Our primary lawful bases are listed in Section 10. The Services are intended for U.S. residents, but if you are in the EEA, UK, or Switzerland and have questions, contact us at Tory@myeyerx.net.

33. How to Exercise Your Rights

To exercise any privacy right described in this Policy:

  • Email us at Tory@myeyerx.net with "Privacy Request" in the subject line;
  • Or mail a written request to My Eye Rx, PO Box 6025, Redford, MI 48239, Attn: Privacy.

Please describe the right you wish to exercise and provide enough information to allow us to verify your identity. We will respond within the time required by applicable law. For marketing opt-outs, you can also use the unsubscribe link in any marketing email or reply STOP to any marketing SMS.

35. Changes to This Privacy Policy

We may update this Policy from time to time. The updated Policy will be posted on this page with a new "Last Updated" date. Material changes will be communicated by email or prominent notice on the website where we reasonably can. Your continued use of the Services after the revised Policy becomes effective constitutes acceptance of the revised Policy, to the extent permitted by law.

36. Contact for Privacy Inquiries

If you have questions or concerns about this Privacy Policy or our privacy practices, please reach out:

My Eye Rx
Attn: Privacy — Privacy Policy
PO Box 6025
Redford, MI 48239
Email: Tory@myeyerx.net
Direct Line: 734-338-9453
Office Voicemail: 313-624-6161

For time-sensitive privacy concerns (for example, suspected unauthorized access to your account), please call the direct line first and follow up by email so we have a written record.