All personal data processed by us is handled in strict compliance with the European General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
The data controller who processes all of the personal data we process is:
Ace and Tate Holding B.V., located in (1097 BA) Amsterdam at Stephensonstraat 19, the Netherlands and registered at the Chamber of Commerce in the Netherlands with the number 56577710 and its group companies.
If you have any questions, please contact our customer experience department at (firstname.lastname@example.org).
Personal Data Collected
Registration or information requests through our website
We process information from visitors of our stores and Website, including but not limited to when you register an account to buy products, use our Services or receive information from us through either the form on our Website or by email with your request for information. We process personal data based on: consent according to art. 6(1)(a) GDPR, contract according to art. 6(1)(b) GDPR, compliance with a legal obligation according to art. 6(1)(c) GDPR and legitimate interests according to art. 6(1)(f) GDPR.
In the form on our Website we may ask you to provide any of the following personal data:
First and last name
Date of birth
Medical data (e.g. eye test prescription data and medical history);
3D facial scans (see 2.3 below); and
Payment card data (e.g. bank account number/credit card details).
You may contact us at any time through email to request information. If you send us such an email, we may process the personal data and information provided in your email.
We may combine the information you have provided with other information we have processed about you, both online and in person (including but not limited to your purchase history, your address, prescription details and/or purchase date), along with information that we receive from public information sources and external parties (e.g. Google, Facebook or Weather.org).
Automatically generated data
When you use our Website, we may process and register your IP address. Your IP address will be stored in a temporary log file. We may share information regarding your use of our Website with our trusted subsidiaries, affiliates, and partners, as described further in Articles 3.2 and 3.3 below.
As part of the Fitting Room Service, an optional service that customers may elect to participate in to receive frame recommendations, we collect a 3D facial scan of customers using the TrueDepth sensor on compatible iPhone or iPad devices. The user turns their head side to side, while the device collects multiple 3D photographs; these photographs are then stitched together via a machine learning algorithm to produce a precise 3D model of the face. The scan quality around the eye provides only enough fidelity to locate the pupils; it cannot be used to diagnose conditions of the eye or for retinal identification.
The 3D facial scan is stored on an Amazon Web Server in the locality where it is collected (European scans in Europe, American scans in the US, etc.). Scans are encrypted in transmission and encrypted at rest. Direct access to the 3D scan files is carefully controlled: only those employees who have a legitimate business need at Ace & Tate and its Data Processor can directly access the facial scans, and even they have to follow specific protocols to download a scan directly and delete it immediately after a legitimate business use.
While the facial scans are not stored with personal data, the data processor maintains correspondence tables linking facial scans to user log-in / email addresses. This is necessary so that customer service employees are able to respond to customer requests, for example to generate VTO images and/or lens measurements based on a facial scan, or to delete the facial scan upon a customer’s request. Biometric data retention follows the same policy as all personal data; please see section 5 (Data Retention) below.
3D facial scans are used in the following ways:
To recommend which frames would fit a particular customer’s facial anatomy and/or preferences.
To drive a photo-realistic Virtual Try-On experience, which a customer can access on the Ace & Tate website, in an Ace & Tate retail store, on a live virtual appointment with an optician, or in email communications between Ace & Tate and the customer.
To generate precise lens measurements (including Near and Far Monocular Pupillary Distance, Monocular Pupillary Height, Vertex Distance, Pantoscopic Tilt, and Wrap Angle) for accurate dispensing of prescription eyewear to a customer, consistent with the best standard of care in the industry.
To generate frame adjustment guides which Ace & Tate staff can use to pre-adjust a frame to fit a customer’s face, before shipping the frame to the customer.
R&D for improvement of the services mentioned above.
Measurements derived from de-identified and aggregated facial scan data are used to generate population statistics to better understand how various frame designs would fit various segments of the population.
Under NO circumstances will any facial recognition algorithm be run against these 3D facial scans. The 3D scans will never be shared with a 3rd party, or used in any way not enumerated above.
Purpose of Data Processing
We process your personal data, as described in Article 2.1, for the following purposes:
to fulfil our obligations to provide you with our Services and/or products (such as shipping and invoicing) or other requests you may make (such as online eye tests and contacting opticians) (based on contract according to art. 6(1)(b) GDPR);
to contact you regarding follow-up Services (such as communicating the results of an online eye test, virtual try-on, and fitting-room email follow up), to answer your questions, and provide requested information or advice (based on consent according to art. 6(1)(a) GDPR);
to secure your account and order information (based on contract according to art. 6(1)(b) GDPR);
to secure our business goals (based on legitimate interest according to art. 6(1)(f) GDPR):
for data analysis to improve the efficiency of our Services;
for audits to check whether our internal processes function as intended and to comply with legal or contractual requirements;
for fraud and security checks, such as to detect and prevent identity theft or cyberattacks;
for the development of new products and services and to consider where to open new stores in the future;
to supplement, improve or change our Website, products, and services;
to identify trends in the use of Services, to get insight on which parts of our Services are most interesting for our users; and
to determine the effectiveness of our promotional campaigns, so that we can adapt our campaigns to the needs and interests of our users;
analysis of personal data (e.g. purchase history, prescription details, shipping country and/or city, language) to provide personalised services offers (based on consent and legitimate interest according to art. 6(1)(a) and (f) GDPR):
to remind you that you need a new eye test 360 days after you have had your last eye test;
to understand you better so that we can personalise our interactions with you and provide you with information and / or offers that are tailored to your interests; and
to better understand your preferences so that we can deliver content through the Services that we believe will be relevant and interesting to you.
to send you our weekly email newsletter with offers and information about similar products and Services, only if you have specifically opted in for this. Please note that you can always object to such use, via the ‘unsubscribe’ link in our email newsletters or to unsubscribe from your account page after logging in via
(based on consent according to art. 6(1)(a) GDPR);
to comply with various legal obligations, including tax obligations (based on compliance with a legal obligation according to art. 6(1)(c) GDPR); and
if you respond to an action or contest, we use the information to carry out the action, to announce the prize winner(s), and to measure the response to our marketing campaigns (based on contract according to art. 6(1)(b) GDPR).
We may provide your personal data, as described in Article 2.1, to our subsidiaries, affiliates, and partners, including our retail stores located in your region, in connection with marketing and promotional materials related to our products and Services. As such, you may be contacted by our local retail stores with such materials. If you would prefer to opt out of any such communications, please send an email to our customer experience department at (email@example.com).
We will only make personal data available to third parties that are involved in the execution of your order (i.e. for virtual try-on). These third parties process personal data according to our instructions and any such use shall be under our responsibility. Any such data made available is recorded, and if required, any such third parties are also made parties to data processing agreements. We do not pass on your personal data to other third parties unless we are legally obliged to do so.
We use the automatically generated information, as described in Article 2.2, and your company data and personal data, as described in Article 2.1, to conduct aggregated analyses for internal research and statistical and strategic purposes ("Aggregated Information"). This Aggregated Information does not identify you or your company. We use the Aggregated Information to optimize our Website, Services and products and learn more about the use of our Website and products so we can improve them.
Use by Minors
We shall process the personal data for a period of two (2) years after your last order, or for as long as legally required or necessary and allowed for the purpose(s) for which it was obtained. Immediately after this period, we will destroy the personal data and/or anonymise them.
The criteria used to determine our retention periods include, but may not be limited to: (i) the duration of our ongoing relationship with you and the Services we offer you; (ii) whether or not we are subject to any legal obligation(s); and (iii) any other legal necessity (such as applicable limitation period(s), litigation, or internal or external investigations).
Notwithstanding Article 5.1, we may process the personal data for a longer period (i) if you ask us to retain data for another two (2) year period, (ii) in order to comply with statutory retention periods (such as those required by tax legislation), or (iii) in order to prove compliance with applicable statutory obligations (such as the GDPR or email marketing legislation).
If you request deletion of your personal information by contacting us through the process described in Article 8, all of your personal information processed through our Website shall be deleted, as required by applicable law, unless we are obligated to retain such information, whether by law, to complete the transaction for which the information was processed, or for internal use.
Any personal information we process is treated as confidential. As such, we shall take appropriate technical and organizational measures to safeguard and protect the personal data against any accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access or against any other unlawful or unauthorized processing of such personal data. These measures guarantee an appropriate level of security given the risks related to processing and the nature of the data. For example, we use Secure Sockets Layer (SSL) encryption during your order process and when you complete our registration form.
Sharing the Personal Data
Without prejudice to Articles 3, 7.1, and 7.2, we don’t transfer any personal information or personal data to any third party without your explicit permission, unless we are obliged to do so under applicable legislation or by order of the competent supervisory authority.
However, please note that we may transfer your personal data and the information to our local retail stores, as set out in Article 3.2.
You have the right to obtain, on request, our confirmation as to whether or not we process your personal data. The personal details you provide when registering with us can be viewed and altered at any time by you through your account on the Website. You are also entitled to send our Customer Experience department (firstname.lastname@example.org) a request to receive such information. Furthermore, you are entitled to send our Customer Experience department at (email@example.com) a request to access, receive, transfer, rectify or erase your personal data, or to completely withdraw your consent for processing it. We will process your request in accordance with the GDPR and we will send you a response without undue delay, and in any event within one (1) month after the receipt of your written request.
Under California law, customers of Ace & Tate who are residents of California may request certain information about our disclosure of personal information during the prior calendar year to third parties for their direct marketing purposes. To make such a request, please contact our customer experience department at firstname.lastname@example.org.
You are entitled to object to our processing of your personal data at any time. Upon any such objection, we shall no longer process your personal data, unless we demonstrate (i) compelling legitimate grounds for the processing which override your interests, rights and freedoms or (ii) that the processing is needed to establish, exercise, or defend any legal claim(s). We will send you a response without undue delay, not to exceed one month after the receipt of your written request.
If you have any complaints regarding our data processing or your previous requests, you can contact our Customer Experience department at email@example.com. You also have the right to file a complaint with the relevant Data Protection Authority.
If you have any further questions or comments, please contact our customer experience department at firstname.lastname@example.org.
Because Ace & Tate is a global company, your personal data may be stored and processed in every country where we have facilities or service providers. By using our Services or by giving us permission (where required by law), you hereby agree that your information may be transferred to countries other than the country where you live, where other data protection laws may apply than in your own country. Appropriate contractual and other measures have been taken to protect personal data when sent to our subsidiaries or third parties in other countries.
Some countries outside the European Economic Area (EEA) are recognized by the European Commission as countries where an appropriate level of data protection applies according to the EEA standards (the full list of these countries is available here). For transfers from the EEA to countries that in the opinion of the European Commission do not offer sufficient protection, we have ensured that adequate measures have been taken, among other things by ensuring that the recipient is bound to EU standard data protection provisions (i.e. Standard Contractual Clauses) or an EU-approved code of conduct or certification to protect your personal data. You may receive a copy of these measures by contacting our customer experience department at email@example.com, as explained in Article 8 above.
easee — "Vision Screener". Ace & Tate offers the service called "Vision Screener" in partnership with easee (Easee B.V., Weteringschans 165C, 1017 XD, Amsterdam). This service is now available in The Netherlands, Belgium and Germany. Easee is a third party software provider which will receive email addresses from Ace & Tate, based on agreement by the user in order to make use of the service. Easee processes email addresses to deliver the best user experience possible. Ace & Tate does not store email addresses for a longer period (i.e. 7 days) but only processes them for internal analytical purposes. Please note that if you as a user do not agree with the above, you should not continue with the service or start the Vision Screener.
Amsterdam, The Netherlands, May 2022