NVA Privacy Policy

This Privacy Policy explains how National Vision Administrators, L.L.C. and its subsidiaries (collectively, “NVA,” “we” or “us”) collect, use, and share your information. We are committed to respecting the privacy and security of your information.

This privacy policy applies to all Personal Information collected by us. Personal Information is information that identifies, relates to, describes, and is reasonably capable of being associated with a particular consumer or household. Personal Information does not include de-identified, anonymized, or aggregated consumer information.

You consent to our collection, use, storage, and sharing of your Personal Information as described in this Privacy Policy when you: visit, access, or use our website at www.e-nva.com , and any written agreement(s) executed and in effect in connection with any of our products or services.

If you are a California resident, you may have additional rights as described below in the section entitled “CALIFORNIA PRIVACY RIGHTS.”

If you are outside the United States, by using our website or mobile application or by providing your information to us, you are consenting to having your Personal Information transferred to and stored in the United States.

INFORMATION WE COLLECT

We and our service providers may collect Personal Information and other information from or about you in a few different ways. Specifically, we may collect or receive information: (1) from you through information you provide to us, your employer, or your vision care provider; (2) indirectly from you by observing your actions on our website or mobile application; and (3) from third parties such as commercial information providers. Each of these is discussed in more detail below. Information collected is retained for a minimum of ten (10) years, in accordance with our document retention policy and applicable federal and state law.

Information You Provide

You may provide information to us in a number of ways:

• If you subscribe to vision benefits administered by NVA, you or your employer will typically provide your name, date of birth, gender, address, and preferred language and, if your dependents obtain vision benefits through NVA, you will provide this same information for them along with their relationship to you; you or your employer may also provide your telephone number, social security number, hire date, enrollment date, and termination date.

• If you register for a subscriber account on our website or mobile application, you will provide your card member number, your name, date of birth, zip code, email address, and a password reminder question and answer.

• When you submit a claim for benefits, you or your provider generally will provide: the member’s name, address, telephone number, and employer name; the patient’s name, gender, date of birth, and relationship to the employee; and certain information about the patient’s vision and prescription, if any.

• If you are a vision care provider and you request to join our network, you will typically provide your name, tax identification number (which may also be your social security number), practice name, business address, telephone number, email address, licensure information, CAQH number, and NPI number.

• If you are a vision care provider and you or one of our subscribers submits a claim for benefits, we generally will collect your name, tax identification number, business address, and business telephone number.

• If you are a benefits broker or advisor, we may collect your name, tax identification number, email address, business address, telephone number(s).

• If you are a contact at a client or a prospective client, we may collect your name, employer’s name, business address, telephone number(s), and work email address.

• When you contact us, the email address and/or telephone number you use to communicate with us generally will be collected and any additional information you provide may also be collected.

• If you submit an inquiry through our website, we will generally collect your name, email address, telephone number, and any other information you provide.

• If you post information on our social media pages through sites such as Facebook and LinkedIn, that information may be collected and used by us (as well as other users of those sites and the public generally). Please do not post any information on any site that allows strangers to identify or locate you or that you otherwise do not want to share with the public.

• When you submit a resume or application for employment, any information you provide will be collected and we may also obtain additional information through references, former employers, background checks, and credit reports where permitted by law.

Please note that, if you are visiting our website from a location outside of the United States, you will be connected through and to servers located in the United States. All information you provide will be maintained in our web server(s) and internal systems located in the United States. We do not knowingly transfer or store Personal Information outside the United States.

Information Indirectly Collected from You

Cookies and Other Technologies. We automatically collect information from you using cookies and other technologies on our website and/or our mobile application.

Cookies are small text files offered to your computer or mobile device by servers in order to keep track of your browser as you navigate our website or mobile application. We may use cookies and similar technologies to identify who you are and may use them when you visit our site, click on our ads, or click on links in our emails. Cookies also enable us to remember your user preferences for our website and/or mobile application. Cookies and other technologies may also be used for site maintenance and analysis, performing network communications, authenticating users, site and application development, and protecting against fraud and theft. You can block or remove cookies using your Internet browser’s settings. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences. To manage flash cookies, please see Flash Player Help. If you block or remove cookies, you may not be able to perform certain transactions, use certain functionality, and access certain content on our website or mobile application.

We use three primary types of cookies:

• Functional Cookies – These cookies support the use of the website and enable certain features to enhance your experience. For example, functional cookies remember your selections as you move from page to page.

• Performance Cookies – These cookies collect information needed to support the website and our applications and allow us to identify problems and improve the website – for example, performance cookies may provide us with information about how you came to our website and how you navigate through our website.

• Targeting Cookies – These cookies may be used to collect information from you to help us improve our products and services and to serve you with targeted advertisements that we believe are relevant for you.

Clear GIFs (a.k.a. web beacons, web bugs or pixel tags), are tiny graphics with a unique identifier, similar in function to cookies. Clear GIFs are embedded invisibly on web pages. We may use clear GIFs, in connection with our website to, among other things, track the activities of visitors, help us manage content, and compile statistics about usage of the website. We and our third party service providers also use clear GIFs in HTML emails to our client, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.

Some of our communications to you may contain a “click-through URL” which links to content on our website or mobile application. When you click one of these URLs, it passes information through the NVA web server before you arrive at the destination webpage. NVA tracks this click-through data to help determine interest in particular topics and measure the effectiveness of our communications. If you prefer not to be tracked, simply avoid clicking text or graphic links in emails you receive from NVA.

“Do Not Track” is a privacy setting that users can set in certain web browsers. If turned on, this setting requests that website not track information about users. At this time, we do not respond to “Do Not Track” browser settings or signals.

Traffic Data. We automatically track and collect general log information when you visit our website, including your: (a) Internet Protocol (IP) address; (b) domain server; (c) operating system; and (d) type of web browser; and (e) the pages you visit on our website (collectively “Traffic Data“). Traffic Data does not personally identify you. We use the Traffic Data to report aggregated website activity and to better understand the needs of our users so we can make informed decisions regarding the content and design of our website. We may collect Traffic Data through various technologies including, but not limited to, cookies, IP addresses, and clear GIFs (Graphics Interchange Format, a software technology also known as a pixel tag).

Third Party Websites and Social Media Services. Our website may include links to third party websites or social media services where you may be able to post comments, reviews or other information. We may monitor comments and reviews regarding us that you publicly post on social media or customer review sites. In addition, please note that your use of these third party websites or social media services may result in those sites collecting information about you. We are not responsible for these third party websites or social media services and you should review their privacy policies to make sure you understand the information that may be collected, used, and shared by those sites.

Information from Third Parties

Benefits Brokers and Advisors. Benefits brokers and advisors may provide us with information about their client contacts.

Social Media Sites. To the extent you post information on our pages on third party social media sites, we may collect such information. We may also receive Personal Information about you through certain social media sites such as Facebook, Twitter, and LinkedIn.

Commercial Information Providers. We may have access to or receive some Personal Information from commercial information providers, which we use to research potential employer clients.

Third Party Analytics Services. We may work with third party analytics services such as Google Analytics to help us understand how our website and/or mobile application are being used, such as tracking the frequency and duration of use of website and social media pages. These analytics services may use cookies and other technologies to collect information about the content you view, what website you visit immediately prior to and after visiting our website, and your system information and geographic information. The information generated by these technologies about your use of sites may be transmitted to and stored by the applicable analytics services.

Categories of Information Collected

In the 12 months preceding the Last Updated date of this Policy, we have collected or received the following categories of Personal Information about consumers:

Category	Examples	Collected
A. Identifiers.	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name.	YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, address, telephone number, education, employment. Some personal information included in this category may overlap with other categories.	YES
C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, color, ancestry, national origin, religion or creed, marital status, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), veteran or military status.	YES
D. Commercial information.	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	YES
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, such as DNA sequences, fingerprints, facial geometry, voiceprints, iris or retina scans, and sleep, health or exercise data.	YES
F. Internet or other similar network activity.	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	YES
G. Geolocation data.	Physical location or movements.	YES
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	YES
I. Professional or employment-related information.	Current or past job history or performance evaluations.	YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	NO
K. Inferences drawn from other personal information.	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	YES
Sensitive Personal Information (Cal. Civ. Code §1798.100 et seq.)	Social Security, driver's license, state identification card, or passport number Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials. Precise geolocation Racial or ethnic origin, religious or philosophical beliefs, or union membership Mail, email, and text messages unless the business is intended recipient Genetic data Biometric information Health information Personal information concerning sex life or sexual orientation	YES

HOW WE USE YOUR INFORMATION

We and our service providers may use Personal Information for the following purposes:

• To confirm eligibility and enroll new vision benefits subscribers.

• To process and pay claims for vision care benefits.

• To process a vision care provider’s request to join our network.

• To manage any contractual relationship between us.

• To market and promote our benefits programs and services.

• To respond to your inquiries.

• To present our website and mobile application.

• To evaluate and make improvements to our website, mobile application, or social media presences.

• To diagnose and fix problems with our website and mobile application.

• To secure our website and mobile application, and to prevent or detect criminal, unlawful, or harassing actions or conduct.

• To provide updates, news, and benefits related information to our subscribers and employer clients.

• If you apply for a job, to verify previous employment and to conduct background checks (as permitted by law).

• To provide any required reporting to governmental or regulatory entities.

On other occasions where we ask you for consent, we will use the information for the purposes we provide at that time. You have the right to withdraw your consent at any time; however, we may have other legal grounds for storing and/or using your information, including those identified above.

SHARING AND DISCLOSURE OF PERSONAL INFORMATION

We do not sell your Personal Information. We may share your Personal Information as follows:

• Employer Clients. We may share Personal Information of subscribers and claims-related data with our employer clients that have self-funded benefits plans.

• Insurance Carriers. We share Personal Information of subscribers and patients with insurance carriers.

• Service Providers. We may disclose Personal Information to third party vendors, contractors or agents who perform functions on our behalf or on our employer clients’ behalf (“Service Providers”). For example, we may contract with Service Providers to provide certain services, such as providing data storage and management, analytics services, marketing services, employee benefits services, payroll services, or payment services. We only provide Service Providers with Personal Information necessary for them to perform these services on our behalf. Each Service Provider must agree to use commercially reasonable security procedures and practices, appropriate to the nature of the information involved, to protect your Personal Information from unauthorized acquisition, access, use, or disclosure. Service Providers may only use the Personal Information they obtain from us or collect on our behalf to provide services to us.

• Auditors. We may disclose Personal Information to our auditors or the auditors of our employer clients.

• Affiliates. We may share contact information of our employer clients, benefits brokers, and benefits advisors with our affiliates.

• Business Transfers. If we are acquired by, or merged with, another entity, if substantially all of our assets are transferred to another entity, or as part of a bankruptcy proceeding, or if we are evaluating or in negotiations with respect to any such transaction, we may transfer, or make available, the Personal Information we have collected from you to the other entity or resulting legal entity.

• Legal Process. We also may disclose the Personal Information we collect from you: a government investigation, a judicial proceeding, a court order, or other legal process (such as in response to a subpoena); or to respond to discovery requests or present evidence in a legal proceeding in which we are involved.

• To Protect Us and Others. We also may disclose the Personal Information we collect from you where we believe such disclosure is needed to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, suspected violations of this Privacy Policy, and suspected violations of any applicable terms and conditions.

• Aggregated and De-Identified Information. We may share aggregate or de-identified Personal Information with our service providers and/or affiliated companies for marketing, advertising, research, or similar purposes.

• Regulators. We may disclose the Personal Information we collect to comply with applicable laws and regulations, to provide required reports to regulators, and to respond to inquiries or investigations by regulators.

• Job Applications. If you apply for a job position, some of your Personal Information may be shared with third parties in order to confirm your education, work history, and references, and to obtain background checks and credit reports if permitted by law.

CHILDREN’S PRIVACY

Our website, mobile application, and our services are not directed to children under the age of 13. Further, we do not knowingly collect Personal Information from children under the age of 13 unless they are enrolled in one of our vision benefits programs. If you become aware that your child has provided personally identifiable information without your consent, please contact us at privacyofficer@e-nva.com. We will take commercially reasonable efforts to delete such information from our records.

Please note that emancipated minors and minors who may, under applicable law, obtain health care services or health insurance without the consent of a parent or guardian, are treated the same as adults for purposes of collection and access to health information.

YOUR PRIVACY CHOICES

You may opt-out of receiving email communications and other marketing materials from us (or any third-party email marketing service we may use) via links provided in each email (usually at the bottom of the email).

BIOMETRIC LOG-IN TO OUR NVA VISION BENEFITS MEMBER APP

If you choose to enable biometric log-in to our mobile application, your fingerprint or facial ID information will be collected and used in accordance with Google’s privacy policy if you have an Android device or Apple’s privacy policy if you have an Apple device. We do not collect, receive, or have access to your biometric information as a result of you enabling biometric log-in. In addition, we do not have any control over either Google’s or Apple’s collection or use of your information.

USER-GENERATED CONTENT

You may be able to post content on or through our social media pages, including your comments, photos, or other information. If you post such content on social media pages, all of the information or content that you post may be visible to other visitors or users. Your postings and content may become public and we cannot prevent such information from being used by others in a manner that may violate this Privacy Policy, applicable law, or your personal privacy. Please carefully consider your content before posting. Further, please note that all such content is subject to removal if we determine, in our sole discretion, that it violates any applicable law, poses a security risk, infringes the rights of someone else, or constitutes a threat, defamation, or harassment.

LINKS TO THIRD PARTY WEBSITES OR PLATFORMS

Our website may contain links to third party websites or platforms. These links are provided for your convenience. We are not responsible for and have no control over the content on these other websites or platforms. The inclusion of a link on our website is not an endorsement. Please note that when you click on one of these links, you will leave our website and will be subject to the policies and privacy practices of the other website or platform, which may differ significantly from our Privacy Policy. Please review such third parties’ privacy policies before providing any Personal Information to them.

We make no representations or warranties, express or implied, regarding the content of any of these linked websites or platforms. WE EXPRESSLY DISCLAIM ANY AND ALL LIABILITY FOR YOUR INTERACTION WITH SUCH THIRD PARTY WEBSITES OR PLATFORMS.

SECURITY OF YOUR INFORMATION

We use commercially reasonable security safeguards to help protect Personal Information from unauthorized access, alteration, loss, or disclosure. Despite these efforts, please understand that no system is perfect and we cannot guarantee that unauthorized access, theft, or loss of data will not occur. Please exercise caution when transferring any Personal Information over the internet.

Please advise us immediately at privacyofficer@e-nva.com of any incident involving Personal Information in our custody or control. If your communication contains sensitive information and you would prefer not to submit this information online, please contact us at (800) 672-7723, TTY: 711.

CHANGES TO YOUR INFORMATION

Subscribers can review and change Personal Information by contacting their employer’s benefits or human resources department. You may update your email address or username by logging into your NVA account and visiting the My Profile page, or by contacting us at service@e-nva.com or (800) 672-7723, TTY: 711.

Providers may correct or update Personal Information by logging onto their provider account and visiting the Demographic Information page. Providers may also contact us at providers@e-nva.com or (888) 682-2020.

CHANGES TO THIS POLICY

NVA may update this Privacy Policy and the Platform to reflect material changes in how we collect, use, share, or store your information, to satisfy legal requirements, or for other business purposes. You should review this Privacy Policy when you visit the Platform to understand our current practices. The date at the top of the page shows when this Privacy Policy was last updated.

We encourage you to refer to this Privacy Policy on an ongoing basis so that you understand our current practices. You consent to any changes we make to this Privacy Policy if you continue to use the Platform after receiving a notice of the change or upon our posting of the new Privacy Policy on the Platform.

SEVERABILITY

The provisions of this Privacy Policy are intended to be severable. If for any reason any provision of this Privacy Policy shall be held invalid or unenforceable in whole or in part in any jurisdiction, such provision shall, as to such jurisdiction, be ineffective to the extent of such invalidity or unenforceability without in any manner affecting the validity or enforceability thereof in any other jurisdiction or the remaining provisions hereof in any jurisdiction.

CHOICE OF LAW, JURISDICTION, AND VENUE

This Privacy Policy and our collection and use of your Personal Information shall be governed by and interpreted in accordance with the applicable laws of the United States and the State of New Jersey without giving effect to any choice of law or conflict of law provision or rule. By accessing or using our website or mobile application or otherwise providing information to us, any visitors from outside of the United States acknowledge that their access and/or use is subject to the laws and regulations of the United States and the State of New Jersey and waive any claims that may arise under other laws.

Any disputes arising from this Privacy Policy or your access to or use of our website or mobile application shall be subject to the exclusive jurisdiction of the state and federal courts of the State of New Jersey and venue shall lie in Passaic County. By accessing or using our website or mobile application or by providing your Personal Information to us, you consent and submit to the personal jurisdiction of such courts for such purposes and waive any and all objections as to jurisdiction or venue in such courts.

CALIFORNIA PRIVACY RIGHTS

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (effective Jan. 1, 2023), California’s “Shine the Light” law, and the California Online Privacy Protection Act provide consumers who are California residents with specific rights regarding their Personal Information. If you are a California resident, this section describes your rights and explains how to exercise those rights.

Right to Information. Subject to certain limits, you may ask us to provide the following information for the 12-month period preceding your request:

• (1) The categories of Personal Information we collected about you;

• (2) The categories of sources from which the Personal Information was collected;

• (3) The business or commercial purpose for collecting the Personal Information;

• (4) The categories of third parties with whom we shared the Personal Information;

• (5) If we disclosed Personal Information for a business purpose, a list of the disclosures including the Personal Information categories that each category of recipient received; and

• (6) The specific pieces of Personal Information we collected about you.

Right of Correction. You have the right to ask us to correct inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

Right to Limit Use and Disclosure. You have the right to direct that, if we collect sensitive personal information, we limit use of your sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by you and/or necessary for business purposes.

Right to Nondiscrimination or Retaliation. We will not discriminate or retaliate against you if you exercise your privacy rights under California law, including by:

• Denying you goods or services.

• Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

• Providing you a different level or quality of goods or services.

• Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, the CCPA permits us to offer you certain financial incentives that can result in different prices, rates, or quality levels, which are related to your Personal Information’s value. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. At this time, we do not offer any financial incentives in exchange for Personal Information.

Submission of Requests for Information or to Delete, Correct, or Limit Use and Disclosure. If you are a California resident, you may submit a request by:

Calling us at 800-672-7723, TTY: 711 and ask to speak with the privacy officer.

Emailing us at privacyofficer@e-nva.com – please provide your name, telephone number, and type of request (that is, a request for categories of information, a request for specific pieces of information, and/or a request to delete, correct, or limit use and disclosure).

To protect your privacy and security, we will also take reasonable steps to verify your identity before providing your Personal Information and before deleting your information. Only you or someone legally authorized to act on your behalf may make a verifiable request related to your Personal Information. If you want to authorize someone else to make a request on your behalf, please contact us at privacyofficer@e-nva.com and provide your name, telephone number, the name of the person you want to authorize to make a request, and the type of request the person is authorized to make (that is, a request for categories of information, a request for specific pieces of information, and/or a request to delete). We will contact you if we need more information.

Responses to Requests. We do not charge a fee to respond to your request unless it is repetitive (more than twice in a 12-month period) or excessive. We generally will respond to your request within 45 days of its receipt. If we need more time to respond, we will inform you of the reason and we may take up to an additional 45 days to respond.

WASHINGTON CONSUMER HEALTH DATA PRIVACY RIGHTS

Pursuant to the Washington My Health My Data Act (MHMDA), effective March 31, 2024, Washington state residents have specific rights regarding their health data privacy. This section outlines these rights and explains how to exercise them.

Right to Information. As a Washington resident, you have the right to request the following information, which our company has collected about you in the 12 months preceding your request:

• (1) Categories of Consumer Health Data Collected: The types of consumer health data we have collected about you.

• (2) Categories of Data Sources: The sources from which we collected your health data.

• (3) Purpose of Data Collection: The business or commercial purposes for collecting your health data.

• (4) Third-Party Data Sharing: The categories of third parties with whom we have shared your health data.

• (5) Specific Pieces of Collected Data: The specific pieces of consumer health data we have collected about you.

Right to Correction. You have the right to request correction of inaccurate consumer health data we have about you, considering the nature of the data and the purposes for which we process it.

Right to Delete. You can ask us to delete any consumer health data that we have collected about you, subject to certain limitations under the MHMDA. We may deny your deletion request in specific instances where the data is necessary for us or our service providers to fulfill a service, comply with a legal obligation, or for other purposes as permitted under the Act.

Right to Limit Use and Disclosure. You have the right to limit the use and disclosure of your sensitive health data to necessary purposes as expected in the provision of our services or for legitimate business purposes.

Right to Nondiscrimination. We will not discriminate against you for exercising any of your privacy rights under Washington law. This includes, but is not limited to:

• Denying you services.

• Charging different prices or rates for services.

• Providing different levels or quality of services.

• Suggesting that you may receive a different price, rate, or quality of services.

Right to Revoke Authorization. You have the right to revoke any valid authorization you have provided for the use or disclosure of your personal health information at any time.

Exercise Your Rights. To exercise any of these rights, please contact us by Calling us at 800-672-7723, TTY: 711 and ask to speak with the privacy officer.

Emailing us at privacyofficer@e-nva.com – please provide your name, telephone number, and type of request (that is, a request for categories of information, a request for specific pieces of information, and/or a request to delete, correct, revoke, or limit use and disclosure).

We will respond to your request in accordance with the MHMDA’s guidelines.

Response and Timing. We will respond to your requests free of charge, up to twice annually. Additional requests may incur a reasonable fee. We will comply with your requests without undue delay, but no later than 45 days from receipt of the request. This period may be extended once for an additional 45 days when necessary, with prior notice to you.

CONTACT US

If you have any questions or comments about this Privacy Policy, please contact us at: