California Privacy Addendum

Last Updated: June 18, 2026

1. INTRODUCTION

This addendum to the Privacy Notice for California Residents (the "California Privacy Addendum") supplements the information contained in DITA's Privacy Notice and applies solely to all visitors, users, customers, and others who reside in the State of California ("consumers," "you," or "your"). We adopt this California Privacy Addendum to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CPRA"). Unless otherwise expressly stated, all terms in this California Privacy Addendum have the same meaning as defined in our Privacy Notice or as otherwise defined by the CPRA.

2. SCOPE OF THIS CALIFORNIA PRIVACY ADDENDUM

This California Privacy Addendum applies to information that we collect through your use of our Website and through other online and offline sources as described in our Privacy Notice that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household ("Personal Information"). Personal Information also includes "Sensitive Personal Information" (or "SPI"), as defined below.

However, this California Privacy Addendum does not apply to:

  • publicly available information lawfully made available to the general public from government records or widely distributed media or otherwise by you;
  • deidentified, aggregated, or anonymized information that is maintained in a form not capable of being associated with or linked to you;
  • employment-related Personal Information collected from our California-based employees, job applicants, contractors, or similar individuals ("Personnel"). Please contact your local human resources department if you are part of our California Personnel and would like additional information about how we process your Personal Information; or
  • other information excluded from the scope of the CPRA.

3. INFORMATION WE COLLECT ABOUT YOU

The type of Personal Information we collect may vary depending upon your relationship with us – i.e., as a user of our Website, a retail customer visiting one of our stores in-person, or a corporate representative of a current or prospective customer, vendor, or business partner of DITA. For this reason, we collect, and over the prior 12 months have collected, the following categories of Personal Information from consumers:

  1. Identifiers, such as name, postal address (including billing and shipping address), email address, telephone number (including mobile number), IP address, device and advertising IDs (along with other similar identifiers), advertising ID, and job title and/or business contact information (if you are a consumer who is a corporate representative of a current or prospective customer, vendor, or business partner of DITA).
  2. Personal information described in California's Customer Records law, such as name, postal address (including billing and shipping address), telephone number (including mobile number), and employment information (e.g., job title and/or business contact information).
  3. Commercial information, such as information associated with your account with us (if one exists), details of transactions you carry out through our Website (and in-person at our retail stores) and of the fulfillment of your order (e.g., order number), as well as any other information as requested to facilitate or complete delivery or to make available and provide ongoing support, repair, or other services related to the product(s) being purchased.
  4. Internet or other electronic network activity ("Internet or Network Activity") information, such as (i) browsing history, (ii) search history, (iii) information reflecting your preferences, trends, activity, and/or behavior while using our Website, (iv) information regarding your interaction with our Website, including through watching video content on our Website, and (v) information collected via cookies, pixels, and other technologies deployed on our Website (as further described in the Information We Collect About You and How We Collect It section of our Privacy Notice).
  5. Geolocation data, such as your general physical location based on IP address (this cannot be used to precisely locate you). We may also collect your precise geolocation, if you have opted-in to sharing your location with us through a browser prompt.
  6. Audio, electronic, visual, or similar information, such as audio recordings (and transcripts) of your phone calls with us (including customer service). If you visit one of our retail stores, we may also collect camera surveillance footage of you via CCTV monitors deployed throughout our store for security and operational purposes.
  7. Professional or employment-related information, such as job title and business contact information, if you are a corporate representative of a current or prospective customer, vendor, or business partner of ours.
  8. Inferences drawn from any of the other Personal Information listed above to create a profile reflecting your preferences, interests, and behavior.
  9. Sensitive Personal Information, such as (i) your precise geolocation (if you have opted-in to sharing your location with us through a browser prompt), and (ii) information to fill your prescription/corrective lens order(s) at our U.S. corporate headquarters, which has an on-site optical laboratory (if you, your optician, or other eyecare professional have placed such an order which is then shipped directly to you by us or picked up by you at the flagship store where the order was placed).

We will not collect additional categories of Personal Information without providing you notice. As described further below, we may "sell" for valuable, non-monetary consideration and/or process for cross-context behavioral (targeted) advertising purposes the following categories of Personal Information to or with third-party internet cookie information recipients, advertising and marketing partners (including ad targeting and advertising cooperatives), online advertising and marketing platforms, and social advertising networks that use such information to provide us with targeted advertising, lookalike audience generation, analytics, ad tracking, measurement and improvement, advertising delivery, customization and personalization, and campaign performance services: (i) Identifiers; (ii) Commercial information; (iii) Internet or Network Activity information; and (iv) Geolocation data (excluding precise geolocation). For more details, see "Sales and Sharing of Personal Information."

4. SOURCES OF PERSONAL INFORMATION

We collect the categories of Personal Information listed above from those sources described in our Privacy Notice.

5. PERSONAL INFORMATION RETENTION PERIODS

We retain your Personal Information in the same manner described in our Privacy Notice (see Data Retention).

6. USES OF PERSONAL INFORMATION (INCLUDING SENSITIVE PERSONAL INFORMATION)

We only use your Personal Information for the purposes described in our Privacy Notice. We will not use the Personal Information we collect for materially different, unrelated, or incompatible purposes without providing you notice.

In addition, we use certain SPI only for the purposes expressly permitted under the CPRA, including (i) performing the services or providing the goods reasonably expected by an average consumer who requests those services or goods, (ii) resisting malicious, deceptive, fraudulent, or illegal actions directed at us and to prosecute those responsible for those actions, and (iii) disclosing this information to service providers to perform services on our behalf, as further described in the Disclosures of Personal Information for Business Purposes section of this California Privacy Addendum.

7. DISCLOSURES OF PERSONAL INFORMATION FOR BUSINESS PURPOSES

As described in the Disclosure of Your Information section of our Privacy Notice, we may disclose Personal Information with third parties for one or more business purposes (as that term is defined by the CPRA). In the preceding 12 months, DITA has disclosed the following categories of Personal Information for one or more of the business purposes described below to the following categories of third parties:

Category of Personal Information Categories of Third-Party Recipients
Identifiers
  • Affiliated entities within DITA Group.
  • Vendors who may need access to your Personal Information to help us provide our e-Commerce service to you or that we otherwise use to support our business operations – e.g.: Website and data hosting provider; Fraud protection and prevention platform; Returns and exchanges; Customer service platform; Tax compliance; Internal data pipelines; Enterprise Resource Planning (ERP) integration; Consent management; Internal business intelligence; Internal workflow automation; Internal data management; Post-purchase survey collection and marketing attribution insights; Landing page builder; Technology providers that help us manage and automate the use of the data we collect; Embedded video or media services (if used).
Personal information described in California's Customer Records law
  • Affiliated entities within DITA Group.
  • Vendors who may need access to your Personal Information to help us provide our e-Commerce service to you or that we otherwise use to support our business operations – e.g.: Website and data hosting provider; Fraud protection and prevention platform; Returns and exchanges; Customer service platform; Tax compliance; Internal data pipelines; ERP integration; Consent management; Technology providers that help us manage and automate the use of the data we collect; Internal business intelligence; Internal workflow automation; Internal data management; Post-purchase survey collection and marketing attribution insights; Landing page builder; Embedded video or media services (if used).
Commercial information
  • Affiliated entities within DITA Group.
  • Vendors who may need access to your Personal Information to help us provide our e-Commerce service to you or that we otherwise use to support our business operations – e.g.: Fraud protection and prevention; Returns and exchanges; Customer service platform; Internal business intelligence; Tax compliance; ERP integration; Post-purchase survey collection and marketing attribution insights.
Internet or Network Activity information
  • Affiliated entities within DITA Group.
  • Vendors who may need access to your Personal Information to help us provide our e-Commerce service to you or that we otherwise use to support our business operations – e.g.: Customer service and consent management platforms; Post-purchase survey collection and marketing attribution insights; Embedded video or media services (if used); Landing page builder; Technology providers that help us manage and automate the use of the data we collect.
Audio, electronic, visual, or similar information
  • Affiliated entities within DITA Group.
  • Vendors who may need access to your Personal Information to help us provide our e-Commerce services to you or that we otherwise use to support our business operations, such as a customer service management platform.
Geolocation data (excludes precise geolocation)
  • Vendors who may need access to your Personal Information to help us provide our e-Commerce service to you or that we otherwise use to support our business operations – e.g.: A customer service management platform; ERP integration; Consent management; Technology providers that help us manage and automate the use of the data we collect.
Professional or employment-related information
  • Affiliated entities within DITA Group.
  • Vendors who may need access to your Personal Information to help us provide our e-Commerce service to you or that we otherwise use to support our business operations.
Inferences drawn from the information listed above to create a profile about a consumer reflecting their preferences and behavior
  • Affiliated entities within DITA Group.
  • Vendors who may need access to your Personal Information to help us provide our e-Commerce service to you or that we otherwise use to support our business operations, such as: Fraud protection and prevention platform.

Category of Sensitive Personal Information Categories of Third-Party Recipients
Precise geolocation We do not disclose this type of Sensitive Personal Information.
Information to fill your prescription/corrective lens order(s) at our U.S. corporate headquarters, which has an on-site optical laboratory (if you, your optician, or other eyecare professional have placed such an order which is then shipped directly to you by us or picked up by you at the flagship store where the order was placed) [In-Store Only] We do not disclose this type of Sensitive Personal Information.

We disclose your Personal Information to the categories of third parties listed above for the following business purposes:

  • To help maintain the safety, security, and integrity of our Website, products, databases and other technological assets, and business, including, but not limited to detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
  • To perform services on behalf of DITA, including maintaining or servicing accounts, customer support, processing or fulfilling orders and transactions, verifying customer information, providing financing, processing payments, providing analytic services, and providing similar services on behalf of the business (as further described in the Disclosure of Your Information section of our Privacy Notice).
  • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
  • Providing advertising and marketing services, except for cross-context behavioral advertising, to consumers.
  • Undertaking internal research for technological development and demonstration.

In addition to the above, we may disclose any or all categories of Personal Information (i) at your direction or upon your request, or (ii) to another third party (including government entities and/or law enforcement entities) as described in the Disclosure of Your Information section of our Privacy Notice.

8. SALES AND SHARING OF PERSONAL INFORMATION

"Sales" of Personal Information for Monetary or Other Valuable Consideration

As noted in our Privacy Notice, we do not sell Personal Information as the term "sell" is commonly understood to require an exchange for money. However, the use of third-party analytics and advertising cookies on or for our Website, along with our disclosure of certain Personal Information about you to third parties for the purposes described in the table below is considered a "sale" of Personal Information under Relevant State Laws, as the term "sale" is broadly defined under the CPRA to include both monetary and other valuable consideration. Using this broad definition, our "sale" is limited to making certain categories of Personal Information available to third-party internet cookie information recipients, advertising and marketing partners (including ad targeting and advertising cooperatives), online advertising and marketing platforms, and social advertising networks that use such information to provide us with targeted advertising, lookalike audience generation, analytics, ad tracking and delivery, measurement and improvement, customization and personalization, and campaign performance services. For more information regarding our "sale" of your "Personal Information," please refer to the table below.

Our "sale" of your Personal Information in this context is subject to your right to opt-out of those sales (see Opt-Out Rights for Sales and Processing for Targeted Advertising Purposes). Please note that we may provide Personal Information to our processors that perform services for us pursuant to a contract; the right to opt-out does not limit our ability to provide Personal Information to these processors. We have no actual knowledge that we "sell" any Personal Information of consumers under the age of 18 for monetary or other valuable consideration.

"Sharing" Personal Information for Cross-Context Behavioral Advertising

We may also process your Personal Information for the purpose of cross-context behavioral (targeted) advertising, subject to your right to opt-out of our processing for cross-context behavioral (targeted) advertising purposes and/or any related sales resulting therefrom (see Your Choices Regarding our "Sale" of Personal Information and Processing for Purposes of Targeted Advertising). Our processing for the purpose of cross-context behavioral (targeted) advertising is more fully described in the table below and is limited to the recipients' use in providing you cross-context behavioral (targeted) advertising (i.e., displaying targeted ads to you on other mediums based on your browsing history and other patterns gathered across different, unaffiliated websites, applications, or services). When the recipients of your Personal Information disclosed for the purpose of cross-context behavioral advertising are also permitted to use your Personal Information to provide advertising to others, we also consider this disclosure as a "sale" for monetary or other valuable consideration under the CPRA.

In the last 12 months, we may have "sold" and/or "shared" the following categories of Personal Information with the categories of third-party recipients listed below. However, we have no actual knowledge that we "sell" or "share" any Personal Information of consumers under the age of 18.

Category of Personal Information "Sold" and/or "Shared" Categories of Third-Party Recipients
Identifiers
  • Internet Cookie Recipients / Advertising & Marketing Partners (Google, Meta Platforms)
    • Sold? Yes
    • Processed for Targeted Advertising? Yes
    • Purpose: Targeted advertising, lookalike audience generation, analytics, and marketing measurement. GA4 analytics and Google Ads conversion tracking regarding consumers' use of and interaction with our Website.
  • Ad Targeting Partner (Dstillery)
    • Sold? Yes
    • Processed for Targeted Advertising? Yes
    • Purpose: (i) Analyzing consumer trends and behaviors which are used to build "lookalike" or similar audience models, allowing us to reach new, prospective customers who share characteristics with our existing user base, and (ii) measuring the success, performance and reach of our digital advertising campaigns.
  • Advertising Cooperative (Shopify Audiences)
    • Sold? Yes
    • Processed for Targeted Advertising? Yes
    • Purpose: Targeted advertising and cross-merchant lookalike audience building, which is then routed downstream to Meta and Google (see above).
  • Online Ad Platform (Trade Desk)
    • Sold? Yes
    • Processed for Targeted Advertising? Yes
    • Purpose: Programmatic advertising (helping us target ads to relevant audiences).
  • Social Advertising Network (Pinterest)
    • Sold? Yes
    • Shared? No
    • Purpose: Ad tracking and conversion measurement.
  • Marketing Automation Platform (Klaviyo)
    • Sold? Yes
    • Processed for Targeted Advertising? No
    • Purpose: Email marketing.
Commercial information Same as above
Internet or Network Activity information Same as above
Geolocation information (excludes precise geolocation) Same as above

9. YOUR CALIFORNIA CONSUMER RIGHTS

The CPRA provides you with specific rights regarding your Personal Information. This section describes your CPRA rights and explains how to exercise those rights. You may exercise these rights yourself or through your authorized representative (as defined below). For more information on how you or your authorized representative can exercise your rights, please see Exercising Your CPRA Privacy Rights.

  • Right to Know. You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months (a "Right to Know" request). This includes: (i) the categories of Personal Information we have collected about you; (ii) the categories of sources from which that Personal Information is collected; (iii) our business or commercial purposes for collecting, selling, or sharing this Personal Information (as applicable); (iv) the categories of Personal Information we have disclosed for a business purpose and third parties to whom we have disclosed your Personal Information for a business purpose; (v) the categories of Personal Information we have sold to or shared with and the categories of third parties to (or with) whom such information has been sold or shared (if applicable); and (vi) the specific pieces of Personal Information we have collected about you. You must specifically describe whether you are making a Right to Know request or a Data Portability request (defined below). If you would like to make both such requests, you must make them clear in your request. If it is not reasonably clear from your request, we will only process your request as a Right to Know request. You may make a Right to Know request a total of 2 times within a 12-month period at no charge.
  • Access to Specific Pieces of Information. You also have the right to request that we provide you with a copy of the specific pieces of Personal Information that we have collected about you, including any Personal Information that we have created or otherwise received from a third party about you (a "Data Portability" request). If you make a Data Portability request electronically, we will provide you with a copy of your Personal Information in a portable and, to the extent technically feasible, readily reusable format that allows you to transmit the Personal Information to another third party. You must specifically describe if you are making a Right to Know or Data Portability request. If you would like to make both such requests, you must make them clear in your request. If it is not reasonably clear from your request, we will only process your request as a Right to Know request. To the extent applicable, we will not disclose information provided to us to fill your prescription/corrective lens order(s) in response to a Data Portability request. We will also not provide information if the disclosure would create a substantial, articulable, and unreasonable risk to your Personal Information or the security of our systems or networks. In addition, we will not disclose any Personal Information that may be subject to another exception under the CPRA. If we are unable to disclose certain pieces of your Personal Information, we will describe generally the types of Personal Information that we were unable to disclose and provide you with a description of the reason we are unable to disclose it. You may make a Data Portability request a total of 2 times within a 12-month period at no charge.
  • Correction. You have the right to request that we correct any incorrect Personal Information about you to ensure that it is complete, accurate, and as current as possible. You may request that we correct the Personal Information we have about you as described below under Exercising Your CPRA Privacy Rights. In some cases, we may require you to provide reasonable documentation to show that the Personal Information we have about you is incorrect and what the correct Personal Information may be. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect, or the Personal Information at issue is subject to another exception under the CPRA.
  • Deletion. You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your Consumer Request (see Exercising Your CPRA Privacy Rights), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies pursuant to the CPRA. Some exceptions to your right to delete include, but are not limited to, if we are required to retain your Personal Information to complete the transaction for which we collected the Personal Information, provide a good or service requested by you, or otherwise perform under our contract with you and to comply with our legal obligations.
  • Automated Decision-Making Technology ("ADMT"). When a business uses ADMT to make significant decisions about you, you may have rights to (i) obtain certain information about how the business uses ADMT, that is specific to you, and (ii) opt-out of the ADMT use unless the business provides you with a method to appeal the decision to a human reviewer with the authority to overturn the decision or another exception applies. ADMTs are technologies that process Personal Information and use computation to execute a decision and either replace or substantially replace human decision-making, resulting in decisions made without human involvement. Decisions are significant when they result in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services. Advertising is not a significant decision. DITA does not currently use ADMT to make significant decisions about consumers, so we do not provide ADMT access, opt-out, or appeal rights. Should this change in the future, we will update this California Privacy Addendum and provide you with methods to exercise access, opt-out, or appeal rights.
  • Limiting Our Uses and Disclosures of SPI. You have the right to request that we limit our use and disclosure of your SPI to only those purposes specifically enumerated in the CPRA. Currently, we do not use or disclose your SPI for purposes other than those expressly permitted by the CPRA. Should this change in the future, we will update this California Privacy Addendum and provide you with methods to limit the use and disclosure of SPI.
  • Non-Discrimination. We will not discriminate against you for exercising any of your CPRA rights. Unless permitted by the CPRA, we will not do any of the following as a result of you exercising your CPRA rights: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; (iii) provide you with a different level or quality of goods or services; or (iv) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Exercising Your CPRA Privacy Rights

Sale/Sharing: For instructions on exercising sale and sharing opt-out rights (as applicable), please see How You May Opt Out of the Sale or Sharing of Your Personal Information.

All Other CPRA Rights: To exercise any of your other rights described above, please submit a request (a "Consumer Request") to us by:

  • Calling us toll-free at: 1-888-245-2202;
  • Filling out our online webform here; or
  • Emailing us at privacy@dita.com.

If you fail to make your Consumer Request in accordance with the ways described above, we may either treat your request as if it had been submitted with our methods described above or provide you with information on how to submit the request or remedy any deficiencies with your request.

Only you, or someone that you have authorized to act on your behalf (an "authorized representative"), may make a Consumer Request related to your Personal Information. You may also make a Consumer Request on behalf of your minor consumer. All Consumer Requests must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative of such a person. This may include providing an email address, postal address, and order information.
  • Be described with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm which Personal Information relates to you or the individual for whom you are making the request as their authorized representative.

Making a Consumer Request does not require you to create an account with us. We will only use Personal Information provided in a Consumer Request to verify the requestor's identity or authority to make the request.

10. HOW YOU MAY OPT OUT OF THE SALE OR SHARING OF YOUR PERSONAL INFORMATION

You have the right to direct us to not sell your Personal Information for monetary or other valuable consideration at any time. You also have the right to direct us to not share your Personal Information for the purposes of cross-context behavioral advertising.

You (or your authorized representative) may exercise the right to opt-out of the "sale" or "sharing" of your Personal Information by: (i) visiting the Do Not Sell or Share My Personal Information link in the footer of our Website; (ii) configuring your web browser to transmit a Global Privacy Control signal (for more information, please see https://globalprivacycontrol.org/); or (iii) emailing us at privacy@dita.com. When we receive such a signal, we will opt you out of any further "sale" or "sharing" of your Personal Information when you interact with our Website through that browser and on that device. We will only be able to propagate your choice to opt-out to your account if you are currently logged in when we receive the privacy control signal from your browser. When we are able to propagate your choice to your account, you will be opted out of "sale" or "sharing" of your Personal Information on all browsers and devices on which you are logged in, and for both online and offline "sales" and "sharing." In addition, you may also set your browser to refuse all or some cookies, or to alert you when cookies are being sent.

Once you make an opt-out request, we will wait at least 12 months before asking you to reauthorize our "sale" or "sharing" of your Personal Information. (Each browser is different, so check the "Help" menu of your browser to learn how to change your cookie preferences.) However, you may change your mind and opt back into the "sale" and "sharing" of Personal Information at any time by adjusting your cookie preferences to accept all or certain cookies.

In the event you have affirmatively opted-in to our "sale" and "sharing" of your Personal Information as described above and we receive a privacy control signal from your browser, we will request further instructions from you before you are opted out of any further "sale" or "sharing."

11. CHANGES TO THIS CALIFORNIA PRIVACY ADDENDUM

DITA reserves the right to amend this California Privacy Addendum at its discretion and at any time. When we make changes to this California Privacy Addendum, we will post the updated addendum on our Website and update the addendum's effective date. If we make material changes to how we treat our consumers' Personal Information, we will notify you by email to the email address we have on file for you, through the posting of a notice on the home page of our Website, or by using a similar method. The date this California Privacy Addendum was last updated is identified at the top of the first page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this California Privacy Addendum to check for any changes. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

12. CONTACT INFORMATION

If you have any questions about this California Privacy Addendum, please contact us at:

Dita, Inc.
Attn: Legal Department
1 Columbia
Aliso Viejo, CA 92656, USA
Phone: (888) 245-2202
Email: privacy@dita.com