Privacy Notice
Who we are
Eye Exam Ltd., trading as Opticabase, is a supplier of practice management software for Opticians. Our registered address is: Poppleton House, Rose Avenue, Nether Poppleton, York, England, YO26 6RU
We are registered with the Information Commissioner's Office as a Data Controller. ICO registration number: ZA902405.
Your Privacy
This Privacy Notice explains how and why we collect and use personal data, how long we keep it and your rights under UK GDPR and the Data Protection Act 2018.
Your privacy matters to us and we are committed to protecting privacy, maintaining confidentiality, and complying with all applicable UK data protection legislation, in line with the UK GDPR principles.
When we act as a data controller
Personal Data We Collect
We collect personal data directly from individuals when they contact us for business purposes. This includes customers and prospective customers, suppliers or contractors and professional contacts. This might be via our website, email, telephone, face to face engagement or through contractual agreements.
Categories of Personal Data
We collect and store only basic business contact information including:
- Name
- Work telephone number(s)
- Work email addresses
- Work addresses
This information is typically stored securely in standard business tools, such as email systems and spreadsheets, and is limited to what is necessary to run our business.
When we act as a data processor
We provide patient management software that is installed and hosted locally within our customers’ optical practices. Our customers are the Data Controller for patient data, and we act strictly under our customers’ instructions and in accordance with contractual data processing terms. We do not host, store, or centrally hold patient data.
On occasion, and only with the customer’s knowledge and instruction, we may remotely access their system to provide technical support or maintenance. Any access is for a specific purpose, time limited and restricted to what is necessary.
Purposes and Legal Basis for Processing
We collect and process personal data for specific and lawful business purposes and only where we have a valid legal basis under UK GDPR.
The provision of business contact data is necessary to enter into, manage, and perform contractual relationships with us, or to take steps at your request prior to entering into a contract. Where such data is not provided, we may be unable to respond to enquiries, provide information, or supply our software and support services.
Lawful bases for processing
We rely on the following legal bases when processing personal data:
- Contract
Where processing is necessary for the performance of a contract with you, or to take steps at your request before entering into a contract. This includes providing our software, technical support, maintenance, and related services.
- Legitimate interests
Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. This includes responding to enquiries, maintaining professional relationships, managing our business operations, ensuring effective customer support, and communicating with contacts in a business context. We ensure that such processing is proportionate and has a minimal impact on individual privacy.
- Legal obligation
Where processing is necessary to comply with our legal or regulatory obligations, including those relating to financial reporting, taxation, employment, and regulatory compliance.
- Consent
We do not generally rely on consent as a lawful basis for processing. Where consent is required by law, it will be obtained explicitly, and individuals will have the right to withdraw that consent at any time.
Sharing of Personal Data
We only share personal data where it is necessary to support the delivery of our services or to operate our business effectively. Personal data may be shared with:
- Other companies within our group, where required for internal administration or business operations
- Professional advisers and service providers who support our business, including providers of cloud‑based services such as Microsoft 365
Where we use third‑party service providers, they are required to process personal data only in accordance with our instructions and to apply appropriate technical and organisational security measures.
Some of our service providers may process personal data outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR, including the use of the UK International Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
In the event of a merger, acquisition, reorganisation, or sale of all or part of our business, personal data may be disclosed to prospective purchasers or advisers strictly where necessary and subject to appropriate confidentiality and data protection obligations.
We may disclose personal data where required to do so by law, regulation, court order, or lawful request from public authorities, including law enforcement or regulatory bodies. Any such disclosure will be limited to the minimum data necessary and will be made in accordance with applicable data protection law.
Data security
We apply appropriate technical and organisational measures to protect personal data, proportionate to the limited nature of the data we process. This includes access controls, secure devices, strong authentication, and staff confidentiality obligations.
In the unlikely event that a data breach occurs that is likely to result in a risk to individuals’ rights and freedoms, we will notify the ICO within 72 hours. Where the breach has the potential to cause harm, we will inform affected individuals immediately.
Data Retention
We retain personal data only for as long as it is necessary for the purposes for which it was collected, and in accordance with our legal, contractual, and regulatory obligations.
- Business contact data is retained for the duration of the business relationship and for a limited period thereafter where necessary to manage any ongoing queries, contractual matters, or business records.
- Contractual and financial records are retained for the periods required by applicable tax, accounting, and legal obligations, typically for up to six years after the end of the relevant financial year.
- Processor access to client systems is strictly limited to the term of the relevant support or service arrangement and ends immediately upon contract termination or earlier where access is no longer required.
Your data protection rights
Under UK GDPR, you have the right to:
- Access your personal information
- Request correction or erasure of your personal data
- Object to or restrict processing
- Withdraw consent at any time where processing is based on consent
- Data portability (where applicable)
- Lodge a complaint with the Information Commissioner’s Office
We do not carry out automated decision‑making or profiling, as defined under Article 22 of the UK GDPR.
How to contact us
To exercise your rights, and for all data protection matters or questions relating to how we manage your data, you can contact our Data Protection Officer:
Data Protection Officer: Clinical DPO
Phone Number: 0203 411 2848
Email: OpticabaseDPO@ClinicalDPO.com
For complaints, please include the following where possible:
- Your name and contact information.
- A description of your concern or the data protection issue.
- Any relevant supporting information.
Complaints will be acknowledged within 30 days. We aim to fully respond and resolve the matter without undue delay. If your issue requires more time or clarification, we will keep you informed throughout.
If you are dissatisfied with how we have handled your complaint, you have the right to complain to the:
Information Commissioner's Office (ICO):
Website: https://ico.org.uk/make-a-complaint/
Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
