1. INTRODUCTION

Top

1.1 Who are we?

Top

1.2 What does this Privacy Policy apply to?

• EssilorLuxottica and all its Affiliates (as defined below) attach particular importance to the Processing, confidentiality and security of your Personal Data.

  The purpose of this Privacy Policy is to inform you in a clear, simple and complete manner about the Processing carried out on the Personal Data that you provide us with, or that we can collect from the different points of contact that you may have with us (e.g. stores, customer care, websites, events, social networks, etc.), their possible transfer to third parties as well as your privacy rights and the options that you have to control your Personal Data and to protect your privacy, in accordance with the applicable legislation.

  We may update this Privacy Policy at any time, but if we do so we will provide you with an updated copy of this Privacy Policy as soon as reasonably possible as per Section 9 below.

  We may also provide you with different and/or additional privacy policies in connection with certain activities, programs and offerings: in such cases, please refer to the relevant privacy policy governing the activity, program and/or offering you are benefiting to understand more about the Processing of your Personal Data in that specific circumstance.

  Please also note that this Privacy Policy does not apply to the services provided by other companies acting on their own account, such as franchisees and licensees, or when you share information on social networks or other online platforms owned and managed by third companies, even when their links are included on our websites. These other companies have their own privacy policies in place, so remember that the way they use any Personal Data you give them will be subject to their own rules. Oliver Peoples encourages you to review the privacy policies of these third parties before connecting and/or providing them with your Personal Data.

Top

1.3 What is this Privacy Policy about? Key definitions

• Affiliate(s)	Any legal entity that, directly or indirectly, controls, is controlled by, or is under the common control of EssilorLuxottica S.A. (as the ultimate holding company of the EssilorLuxottica Group), where “control” means the ownership, direct or indirect, of at least 50% of the share capital or voting rights in such a legal entity.
  Data Controller	The natural or legal person, department or organisation which, alone or jointly with others, determines the Purposes and means of the Processing of Personal Data.
  Data Processor	The natural or legal person, department or other body which processes Personal Data on behalf of and on the instructions of the Data Controller.
  EssilorLuxottica Group (or, simply, EssilorLuxottica or Group)	EssilorLuxottica as global organization, i.e. jointly EssilorLuxottica (as ultimate holding company) and all its Affiliates.
  GDPR	Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
  Joint Controller(s)	The party which, together with others, decides about Purposes and means for the Processing of Personal Data (joint controllership).
  Personal Data (or simply Data)	Any information about an individual (Data Subject(s)) from which that person can be identified (e.g., name, contact details, identification number, etc.).
  Personal Data Breach	A breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise processed.
  Processing (of Personal Data)	Any action concerning your Personal Data such as the collection, recording, organization, storage, modification, transfer, deletion, access, consultation, etc.
  Product(s)	Frames, lenses, contact lenses and any other goods provided for sale in our stores or on our websites.
  Purpose(s)	The reasons why Personal Data is collected and processed.
  Service(s)	The services we provide to Data Subjects, both in store and online (e.g., virtual try on, eye exams, etc.).
  Supervisory Authority	An independent public authority established to enforce applicable data protection laws (e.g., CNIL in France, the Irish Data Commission in Ireland, the ICO in the UK, the Garante per la protezione dei dati personali in Italy).

  Likewise, this Privacy Policy applies to the following Data Subjects:

  Clients	Data Subjects who purchase Products or Services offered by Oliver Peoples, whether in store or on www.oliverpeople.com (the “Website”).
  Prospects	Data Subjects who showed an interest in Oliver Peoples Products or Services, but who have not made any purchase yet.
  Web Users	Data Subjects who access the Website.
  Registered Users	Data Subjects who have registered and created a personal account on the Website.
  Eyesight Checks Users	Data Subjects who have undergone an eye exam / eyesight check (where the Service is active).
  Marketing Communication Users	Data Subjects who have subscribed to receive marketing communications from Oliver Peoples (may include Customers and Prospects).
  Social Media Users	Data Subjects who voluntarily follow Oliver Peoples activity on social media.

Top

2. WHERE ARE PERSONAL DATA COLLECTED FROM?

• 1. Provided directly by you

  We collect the Personal Data you provide during registration in our stores, account creation on the Website, purchase orders or joining our programs, contests and events, and when you contact us for requests, feedback or complaints. Customer service calls may be recorded and chat transcripts retained for a limited period for training and quality assurance.

  2. By using automatic tracking systems

  We use technologies (e.g., cookies and automatic tracking systems) that automatically collect certain information about how you use the Website and Services. For more details, please see our Cookie Notice available on the Website.

  3. During store visits and via other offline technologies

  Where we have stores and you visit them, information may be collected during the purchasing process and eyesight checks (or from prescriptions you provide) for the purchase of our Products. We also use CCTV in our stores for safety, security, fraud and loss prevention, and for operational purposes (see dedicated in-store policy).

  4. From other sources

  We may obtain information about you from data analytics providers, marketing/advertising service providers, fraud prevention providers, vendors acting on our behalf, or publicly available sources. We also create information based on our analysis of the information we have collected from you.

Top

3. WHAT PERSONAL DATA MAY WE PROCESS ABOUT YOU?

3.1 Categories of Personal Data

• CATEGORY OF DATA	TYPES OF DATA	DATA SUBJECT
  Identifiable and contact information	Name and surname, e-mail address, gender, date of birth, country of residence, postal address, phone numbers.	Clients, Prospects, Web Users, Registered Users, Eyesight Checks Users, Marketing Communication Users, Social Media Users.
  Payment information	Data related to your purchasing and payment methods through the Websites and Services (payments via a secure platform with controls including encryption) and details of Products purchased.	Clients and Registered Users.
  Profile and Commercial Data	Account name, password, Personal Data published on your social network, billing/delivery addresses, details of Products/Services purchased (store or online: order, tracking, invoices, amount, type), interests, preferences, feedback and survey responses.	Clients and Registered Users.
  Marketing and Communications Data	Preferences in receiving marketing, communication preferences, and information in correspondence/requests sent by you or asked to you by us.	Clients, Prospects, Registered Users, Marketing Communication Users.
  Health and Medical Data (where applicable)	Ophthalmic prescriptions, eye examinations, measurements (optical correction, pupillary distance, etc.), adaptations and information impacting visual health and eyesight checks.	Clients, Registered Users, Web Users, Eyesight Check Users.
  Data related to your care (where applicable)	Name of the complementary organization/platform, health coverage information.	Clients, Eyesight Check Users.
  Device information	IP address or other unique device code, identification as registered user or not (login Data), technical info (referrer URL, time zone and location, browser and language).	Clients, Prospects, Registered Users, Web Users, Marketing Communication Users, Social Media Users.
  Navigation information	Information on interactions with our Website, Services, emails, Products or ads and related statistics.	Clients, Prospects, Registered Users, Web Users, Marketing Communication Users, Social Media Users.

Top

3.2 Processing of Special Personal Data

• Certain categories of Personal Data we may process are “Special Personal Data” under Article 9 GDPR (e.g., Health/Medical Data and Data related to your care). We process such data only when required or allowed by applicable law, with adequate safeguards in place, and when a condition set out in Article 9 GDPR is fulfilled. Where your explicit consent is required and not provided, certain Products/Services cannot be supplied.

Top

4. WHY DO WE PROCESS YOUR PERSONAL DATA?

• We use your Data for purposes defined by the nature of our relationship. Depending on context, your Data may be used for one or more of the following purposes:

  PURPOSES	DETAILS	LEGAL BASIS
  Follow-up and execution of your orders (store/Website), after-sales and supplementary services	Quotations; manage sales and orders (purchase, delivery, supply of Products/Services); invoicing and warranty; after-sales/customer care (returns, warranty, support); manage care with health insurances and supplementary organizations (where applicable).	Performance of a contract
  Management of payments and potential unpaid invoices	Process payments and invoices; manage incidents related to payments/debts; identify and inform about unpaid amounts and available means to regularize, with possibility to request a review.	Performance of a contract
  Account/Customer creation and management	Register on the Website and in stores (POS profile); provide Services (appointments, cart reminders, etc.); manage your client profile.	Performance of a contract
  Subscriptions management	Join engagement programs (including loyalty, where applicable) and participate in contests/prize competitions/initiatives.	Consent
  Communications and interactions	Send marketing/promotional communications and updates (email, phone, SMS/MMS, WhatsApp, post, etc.), including lookalike/retargeting/exclusion campaigns (with masked email); personalize offers (e.g., birthday); fulfil your requests (info, eye exam booking, “share with a friend”, “back in stock”, store locator).	Consent
  Eye exams / eyesight checks (where applicable)	Schedule appointments/prescriptions; perform measurements; use results/prescriptions for manufacture and delivery of Products.	Consent
  Virtual eyewear trial (where applicable)	Offer virtual try-on services. See the dedicated privacy notice displayed when accessing/using these technologies.	Consent
  Law compliance	Comply with laws/regulations (including medical device laws); implement Public Authority decisions; manage privacy rights requests; ensure product traceability; retain data per accounting/tax obligations; combat fraud (including payment verification and anti-identity theft).	Legal obligation
  Legitimate interest	Send electronic communications on similar products/events/services (opt-out available); exercise/defend rights (ours/Group/Affiliates/representatives/shareholders/officers/directors); enable technical and operational Website/Service functions (issue resolution, tests, updates); prevent/identify fraud/misuse (including against our Group/users); complete corporate transactions (merger/sale/financing); conduct surveys/market research; anonymize data for statistics, device monitoring/enhancement, R&D, AI model training.	Legitimate interest

Top

5. HOW DO WE PROCESS YOUR PERSONAL DATA?

• Processing is carried out electronically and manually, only within the limits necessary to pursue the purposes outlined above.

  We undertake to protect your Personal Data. To better understand how we protect your Personal Data please refer to Section 6 below.

Top

5.1 Do we share your Personal Data with other Affiliates of the Group?

• EssilorLuxottica is a global organization with offices and operations worldwide and most of your Personal Data is stored and processed within a range of global applications used by Group Affiliates. The majority of Processing is carried out through the concentrated services of Essilor International and Luxottica Group S.p.A.

Top

5.2 Is your Personal Data transferred to third parties?

• Your Personal Data is processed by our employees bound by confidentiality and based on specific authorizations and instructions. Your Data may also be communicated to external parties, acting as Data Processors (Article 28 GDPR) or independent Data Controllers (e.g., payment providers). We require strict controls and appropriate security/confidentiality guarantees.

  Sale or merger: In corporate transactions (sale, purchase, merger, acquisition, partnership, asset transfer, bankruptcy), Personal Data may be disclosed to prospective counterparties and may be among transferred assets.

  Social network buttons: Clicking social icons on the Website redirects you to external platforms (subject to their own privacy policies).

  Legal process: We may disclose Personal Data to authorities/courts/authorized third parties (including external legal counsel) where required by law or necessary to protect and defend our rights.

  Other instances: We do not sell, rent or lease your Personal Data. Any further disclosures not covered here will occur only with your explicit consent.

Top

5.3 Is your Personal Data transferred across the border?

• Given the presence of the Group in many countries and to provide personalized services worldwide, some Personal Data may be transferred to, accessible from and/or stored outside your country of residence, including in countries without equivalent data protection laws. Appropriate safeguards are implemented (intra-Group transfer agreements, common Group rules, and contractual protections under Articles 44 et seq. GDPR).

Top

5.4 For how long do we retain your Personal Data?

• We retain Personal Data only for as long as strictly necessary to meet legal/statutory retention requirements, comply with legal/contractual obligations, and carry out the purposes described (including accounting and reporting).

  As a general rule: 10 years for invoicing/accounting; marketing with consent: 10 years from last interaction (customers) and 2 years (prospects). Within the Group, retention and archiving typically do not exceed 10 years from first record/consent renewal/other relevant interaction, except legal holds. We may anonymize Personal Data for statistics, R&D, device monitoring/enhancement and AI training.

Top

6. HOW DO WE PROTECT YOUR PERSONAL DATA?

• Data protection is a priority. We keep Data accurate and up to date, eliminate duplicates, and implement appropriate technical, organizational and security measures (Group Data Protection Policy; Information Security policies; technical IT and physical measures at sites/offices/stores).

  We maintain a policy to deal with suspected Personal Data Breaches and will notify you and the relevant authority where legally required. Access is limited to personnel on a need-to-know basis under strict confidentiality. Staff receive data protection and information security training.

  For the Website specifically: use strong passwords, keep them safe, and log out after use. We use SSL and anti-fraud measures for payments.

Top

7. YOUR RIGHTS

• Under Chapter 3 GDPR you may exercise, subject to identity verification and applicable exceptions, the following rights: access, rectification, restriction, objection (including to direct marketing), erasure, data portability, and withdrawal of consent (where processing is based on consent).

  To exercise your rights, please use our Privacy Form or contact us at privacy@luxottica.com.

  You may also update your Data and communication preferences in your account (Registered Users). If you are not satisfied, you can lodge a complaint with the relevant Supervisory Authority in your country.

Top

8. HOW CAN YOU CONTACT US?

8.1 Contact of the Data Controller

• The Data Controllers are set out in Section 1.1. For questions/comments about this Privacy Policy or Processing, contact us at the postal address in Section 1.1 and/or the email in Section 7 and below.

Top

8.2 Contact of the Data Protection Officer

• Luxottica has appointed a Data Protection Officer, reachable at dpo@luxottica.com.

Top

9. HOW CAN YOU KEEP TRACK OF CHANGES TO THIS PRIVACY POLICY?

• For legal/organizational reasons, this Privacy Policy may change. Please check it regularly and refer to the latest version (we will post the last update date at the top). An updated version will always be available on the Website/Services, and we will provide additional notice if changes materially affect your privacy rights.