Last Updated: June 18, 2026

1. INTRODUCTION

This U.S. State Privacy Supplement ("U.S. State Privacy Supplement" or "Supplement") supplements the information contained in DITA's Privacy Notice and applies solely to visitors, users, and other natural persons who reside in one of the following states ("consumers," "you" or "your"): Alabama, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Louisiana, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oklahoma, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia (collectively, the "Applicable States"). If you are not a resident of an Applicable State, this U.S. State Privacy Supplement does not apply to you.

We have adopted this Supplement to comply with the Alabama Personal Data Protection Act ("ALPDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Delaware Personal Data Privacy Act ("DPDPA"), the Indiana Consumer Data Protection Act ("INCDPA"), the Iowa Consumer Data Protection Act ("ICDPA"), the Kentucky Consumer Data Privacy Act ("KCDPA"), the Louisiana Data Privacy Act ("LDPA"), the Maryland Online Data Privacy Act of 2024 ("MODPA"), the Minnesota Consumer Data Privacy Act ("MNCDPA"), the Montana Consumer Data Protection Act ("MCDPA"), the Nebraska Data Privacy Act ("NDPA"), the New Hampshire Consumer Data Privacy Act ("NHCDPA"), the New Jersey Data Protection Act ("NJDPA"), the Oklahoma Consumer Data Privacy Act ("OKCDPA"), the Oregon Consumer Privacy Act ("OCPA"), the Rhode Island Data Transparency and Privacy Protection Act ("RIDPA"), the Tennessee Information Protection Act ("TIPA"), the Texas Data Privacy and Security Act ("TDPSA"), the Utah Consumer Privacy Act ("UCPA"), and the Virginia Consumer Data Protection Act ("VCDPA") (collectively, the "Relevant State Laws"). Please take the time to read and understand this U.S. State Privacy Supplement. Unless otherwise expressly stated, all terms in this Supplement have the same meaning as defined in our Privacy Notice or as otherwise defined by Relevant State Laws.

2. SCOPE OF THIS U.S. STATE PRIVACY SUPPLEMENT

This Supplement applies to most of your Personal Data that we collect on our Website, from your communications with us, as well as through your other online and offline interactions with us, as further described in the Introduction section of our Privacy Notice. However, some Personal Data we collect from or about you may not be covered by this U.S. State Privacy Supplement. The Relevant State Laws contain certain exemptions that do not apply to our collection and processing of your Personal Data. Thus, it is possible that not all Personal Data we collect from or about you is fully covered by the Relevant State Laws and, by extension, this U.S. State Privacy Supplement. Accordingly, this Supplement and/or the privacy rights set out herein may not apply to you or to all of your Personal Data.

For example, this Supplement does not apply to (i) employment-related Personal Data collected from or about our job applicants, current and former employees, personnel, independent contractors, or similar individuals, or (ii) Personal Data reflecting a written or verbal B2B communication or a transaction where the consumer is acting in a B2B setting with DITA (e.g., business contact details of an individual representative of a corporate customer or provider of DITA in connection with a B2B transaction or related communication involving DITA).

If you are a California resident, please see our California Privacy Addendum.

3. PERSONAL DATA WE COLLECT

We may collect and process the following categories of Personal Data about you:

1. Identifiers, including name, postal address (including billing and shipping address), email address, telephone number (including mobile number), IP address, unique identifiers (e.g., advertising and device IDs), and other similar identifiers.
2. Commercial Information, such as records of products purchased, obtained or considered, information associated with your account with us (if one exists), details of transactions you carry out through our Website (and in-person at our retail stores) and of the fulfillment of your order (e.g., order number), as well as any other information as requested to facilitate or complete delivery or to make available and provide ongoing support, repair, or other services related to the product(s) being purchased.
3. Internet or other electronic network activity ("Internet or Network Activity") information, such as (i) browsing history, (ii) search history, (iii) information reflecting your preferences, trends, activity, and/or behavior while using our Website, (iv) information regarding your interaction with our Website, including through watching video content on our Website, and (v) information collected via cookies, pixels, and other technologies deployed on our Website (as further described in the Information We Collect About You and How We Collect It section of our Privacy Notice).
4. Audio, electronic, visual, or similar information, such as audio recordings (and transcripts) of your phone calls with us (including customer service). If you visit one of our retail stores, we may also collect camera surveillance footage of you via CCTV monitors deployed throughout our store for security and operational purposes.
5. Geolocation data, such as your general physical location based on IP address (this cannot be used to precisely locate you). We may also collect your precise geolocation, if you have opted-in to sharing your location with us through a browser prompt.
6. Inferences drawn from any of the other Personal Data listed above to create a profile reflecting your preferences and behavior.
7. Sensitive Data, such as (i) your precise geolocation (if you have opted-in to sharing your location with us through a browser prompt), and (ii) information to fill your prescription/corrective lens order(s) at our U.S. corporate headquarters, which has an on-site optical laboratory (if you, your optician, or other eyecare professional have placed such an order which is then shipped directly to you by us or picked up by you at the flagship store where the order was placed).

We will not collect additional categories of Personal Data without providing you notice. As described further below, we may "sell" for valuable, non-monetary consideration and/or process for targeted advertising purposes the following categories of Personal Data to or with internet cookie recipients, advertising and marketing partners (including ad targeting and advertising cooperatives), online advertising and marketing platforms, and social advertising networks that use such information to provide us with targeted advertising, lookalike audience generation, analytics, ad tracking, measurement and improvement, advertising delivery, customization and personalization, and campaign performance services: (i) Identifiers; (ii) Commercial information; (iii) Internet or Network Activity information; and (iv) Geolocation data (excluding precise geolocation). For more details, see Disclosures of Personal Data and Sale of Personal Data and Processing of Personal Data for Targeted Advertising.

4. CONSENT REGARDING OUR PROCESSING OF YOUR SENSITIVE DATA

We will only process your Sensitive Data for specific purposes with your explicit, affirmative consent. You may withdraw your consent at any time by contacting us at the Contact Information below, however we may not be able to provide you with our products and services if you refuse to provide or otherwise withdraw your consent.

[For Iowa and Utah Residents Only: We will only process your Sensitive Data after giving you clear notice and opportunity to opt-out of the processing.]

5. SOURCES OF PERSONAL DATA

We collect Personal Data about you from those sources described in our Privacy Notice.

6. USES OF PERSONAL DATA

We only use your Personal Data for the purposes described in our Privacy Notice. We will not use the Personal Data we collected for materially different, unrelated, or incompatible purposes without providing you notice.

In addition, we do not use your Personal Data with any automated processing, including to evaluate, analyze, or predict personal aspects related to your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements (otherwise known as "profiling"), which may produce a legal effect concerning you or similarly significantly affect you.

[For Connecticut Residents: We may collect or use your Personal Data for the purpose of training large language models, as further described in the How We Use The Information We Collect section of our Privacy Notice.]

7. DISCLOSURES OF PERSONAL DATA

DITA may disclose, sell, or otherwise process for targeted advertising your Personal Data to or with certain third parties for the purposes described in our Privacy Notice. To learn more about our data disclosure practices, including (i) the categories of Personal Data that we have disclosed, sold, and processed for targeted advertising, (ii) the corresponding recipients of such Personal Data, and (iii) the relevant purpose for such disclosure, sale, or targeted advertising processing activity, please see the table below. For more information regarding our "sales" of Personal Data and the processing of your Personal Data for "targeted advertising," see Sale of Personal Data and Processing Personal Data for Targeted Advertising.

In addition, please also note the following:

• We do not disclose, sell, or otherwise process for targeted advertising purposes any Sensitive Data we collect from or about you to or with any third parties.
• We may also disclose any or all categories of Personal Data we collect from or about you (i) at your direction or upon your request, or (ii) to another third party (including government entities and/or law enforcement entities) as described in the Disclosure of Your Information section of our Privacy Notice.
• We retain your Personal Data in the same manner described in the Data Retention section of our Privacy Notice.

Category of Personal Data	Disclosed to Whom and for What Business Purpose?	Sold or Processed for Targeted Advertising? (If Yes, To Whom and For What Purpose?)
Identifiers	Affiliated entities within DITA Group in furtherance of our business operations. Service Providers/Processors who need access to your Personal Data to help us provide our e-Commerce services to you or that we otherwise use to support our business operations, such as: Website and data hosting provider (Shopify); Fraud protection and prevention platform (Signifyd); Returns and exchanges (Loop); Customer service platform (Zendesk); Tax compliance (Avalara); Internal data pipelines (FiveTran, Airbyte); Enterprise Resource Planning ("ERP") integration (NetSuite/Celigo); Consent management (OneTrust); Internal business intelligence (Domo); Internal workflow automation (Zapier); Internal data management (Matrixify); Post-purchase survey collection and marketing attribution insights (Fairing); Landing page builder (Shogun); Embedded video or media services (Vimeo, YouTube) (if used).	Internet Cookie Recipients / Advertising & Marketing Partners (Google, Meta Platforms) Sold? Yes Processed for Targeted Advertising? Yes Purpose: Targeted advertising, lookalike audience generation, analytics, and marketing measurement. GA4 analytics and Google Ads conversion tracking regarding consumers' use of and interaction with our Website. Ad Targeting Partner (Dstillery) Sold? Yes Processed for Targeted Advertising? Yes Purpose: (i) Analyzing consumer trends and behaviors which are used to build "lookalike" or similar audience models, allowing us to reach new, prospective customers who share characteristics with our existing user base, and (ii) measuring the success, performance and reach of our digital advertising campaigns. Advertising Cooperative (Shopify Audiences) Sold? Yes Processed for Targeted Advertising? Yes Purpose: Targeted advertising and cross-merchant lookalike audience building, which is then routed downstream to Meta and Google (see above). Online Ad Platform (Trade Desk) Sold? Yes Processed for Targeted Advertising? Yes Purpose: Programmatic advertising (helps us target ads to relevant audiences). Social Advertising Network (Pinterest) Sold? Yes Shared? No Purpose: Ad tracking and conversion measurement. Marketing Automation Platform (Klaviyo) Sold? Yes Processed for Targeted Advertising? No Purpose: Email marketing.
Commercial information	Affiliated entities within DITA Group. Service Providers/Processors who may need access to your Personal Data to help us provide our e-Commerce service to you or that we otherwise use to support our business operations, such as: Fraud protection and prevention platform (Signifyd); Returns and exchanges (Loop); Internal data pipelines (FiveTran, Airbyte); Customer service platform (Zendesk); Tax compliance (Avalara); Post-purchase survey collection and marketing attribution insights (Fairing).	Same as above (Identifiers row)
Internet or Network Activity information	Affiliated entities within DITA Group. Service Providers/Processors who may need access to your Personal Data to help us provide our e-Commerce service to you or that we otherwise use to support our business operations, such as: Customer service and consent management platforms (Zendesk, OneTrust); Post-purchase survey collection and marketing attribution insights (Fairing); Embedded video or media services (Vimeo, YouTube) (if used); Landing page builder (Shogun).	Same as above (Identifiers row)
Audio, electronic, visual, or similar information	Affiliated entities within DITA Group. Service Providers/Processors who need access to your Personal Data to help us provide our e-Commerce services to you or that we otherwise use to support our business operations, such as a customer service management platform (Zendesk).	N/A – Not Sold or Processed for Targeted Advertising
Geolocation data (excludes precise geolocation)	Service Providers/Processors who need access to your Personal Data to help us provide our e-Commerce services to you or that we otherwise use to support our business operations, such as: A customer service management platform (Zendesk); Technology providers that help us manage and automate the use of the data we collect; ERP integration (NetSuite/Celigo); Consent management (OneTrust).	Same as above (Identifiers row)
Inferences drawn from the information listed above to create a profile about a consumer reflecting their preferences and behavior	Affiliated entities within DITA Group. Vendors who may need access to your Personal Data to help us provide our e-Commerce service to you or that we otherwise use to support our business operations, such as: Fraud protection and prevention platform (Signifyd).	N/A – Not Sold or Processed for Targeted Advertising
Sensitive Data	N/A – We do not disclose any of your Sensitive Data to service providers, processors, or other third parties.	N/A – Not Sold or Processed for Targeted Advertising

8. SALE OF PERSONAL DATA AND PROCESSING PERSONAL DATA FOR TARGETED ADVERTISING

"Sales" of Personal Data for Monetary or Other Valuable Consideration

As noted in our Privacy Notice, we do not sell Personal Data as the term "sell" is commonly understood to require an exchange for money. However, the use of third-party analytics and advertising cookies on or for our Website, along with our disclosure of certain Personal Data about you to third parties for the purposes described in the table above is considered a "sale" of Personal Data under Relevant State Laws, as the term "sale" is broadly defined under certain Relevant State Laws to include both monetary and other valuable consideration.

Using this broad definition, our "sale" is limited to making certain categories of Personal Data (listed in the table above) available to third-party internet cookie information recipients, advertising and marketing partners (including ad targeting and advertising cooperatives), online advertising and marketing platforms, and social advertising networks that use such information to provide us with targeted advertising, lookalike audience generation, analytics, measurement and improvement, ad tracking and delivery, customization and personalization, and campaign performance services. For more information regarding our "sale" of your "Personal Data," please refer to the table above in the Disclosures of Personal Data section above.

Our "sale" of your Personal Data in this context is subject to your right to opt-out of those sales (see Opt-Out Rights for Sales and Processing for Targeted Advertising Purposes). Please note that we may provide Personal Data to our processors that perform services for us pursuant to a contract; the right to opt-out does not limit our ability to provide Personal Data to these processors. We have no actual knowledge that we "sell" any Personal Data of consumers under the age of 18 for monetary or other valuable consideration.

Processing Personal Data for Targeted Advertising

We may also process your Personal Data for the purpose of displaying advertisements to you that are selected based on Personal Data obtained over time from your activities across nonaffiliated websites or online applications to predict your preferences or interests (otherwise known as "targeted advertising"), subject to your right to opt-out of our processing for cross-context behavioral (targeted) advertising purposes and/or any related sales resulting therefrom (see Opt-Out Rights for Sales and Processing for Targeted Advertising Purposes). Our processing for targeted advertising purposes is described further in the table above (see Disclosures of Personal Data).

When the recipients of your Personal Data disclosed for the purpose of targeted advertising are also permitted to use your Personal Data to provide advertising to others, we also consider this disclosure as a "sale" for monetary or other valuable consideration under Relevant State Laws. Please note, however, we have no actual knowledge that we process any Personal Data of consumers under the age of 18 for "targeted advertising" purposes.

9. PROFILING

We do not process your Personal Data by automated means to evaluate, analyze, or predict personal aspects related to your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements ("profiling"), which may produce a legal effect concerning you or similarly significantly affect you (e.g., decisions that result in the provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water).

10. YOUR PRIVACY RIGHTS

Relevant State Laws provide residents of the Applicable States with specific rights regarding their Personal Data. This section describes your rights under applicable law and explains how to exercise those rights. In some Applicable States, you may exercise one or more of these rights yourself or through your Authorized Agent. For more information on how you or your Authorized Agent (as defined below) can exercise these rights, please see the How to Exercise Your State Privacy Law Rights section below.

• Right to Know. You have the right to request that DITA confirm that it is processing Personal Data about you and disclose certain information to you about our collection, use, processing, and disclosure of your Personal Data (a "Right to Know" Consumer Request). [For residents of Minnesota and Rhode Island, you may also request to obtain a list of the specific third parties to whom we have disclosed or sold your Personal Data.] You must specifically describe if you are making a Right to Know request or a Data Portability request (defined below) and, if you would like to make both a Right to Know request and a Data Portability request you must make both requests clear in your request. If it is not reasonably clear from your request, we will only process your request as a Right to Know request. You may make a Right to Know or a Data Portability Consumer Request a total of 2 times within a 12-month period at no charge.
• Access to Specific Pieces of Information (Data Portability). You also have the right to request that DITA provide you with a copy of the specific pieces of Personal Data that we have collected about you, including any Personal Data that we have created or otherwise received from a third-party about you (a "Data Portability" Consumer Request). If you make a Data Portability Consumer Request electronically, we will provide you with a copy of your Personal Data in a portable and, to the extent technically feasible, readily reusable format that allows you to transmit the Personal Data to another third party. You must specifically describe if you are making a Right to Know request or a Data Portability request and, if you would like to make both a Right to Know request and a Data Portability request you must make both requests clear in your request. If it is not reasonably clear from your request, we will only process your request as a Right to Know request. In response to a Data Portability Consumer Request, we will not disclose information provided to us to fill your prescription/corrective lens order(s). We will also not provide information if the disclosure would create a substantial, articulable, and unreasonable risk to your Personal Data or the security of our systems or networks. In addition, we will not disclose any Personal Data that may be subject to another exception under Relevant State Laws. If we are unable to disclose certain pieces of your Personal Data, we will describe generally the types of Personal Data that we were unable to disclose and provide you a description of the reason we are unable to disclose it. You may make a Right to Know or a Data Portability Consumer Request (or a combined request) a total of 2 times within a 12-month period at no charge.
• Right to Correction. You have the right to request that we correct any incorrect Personal Data about you to ensure that it is complete, accurate, and as current as possible. You may review and correct some Personal Data about yourself by logging into the Website and visiting your "Account" page. You may also request that we correct the Personal Data we have about you as described below. In some cases, we may require you to provide reasonable documentation to show that the Personal Data we have about you is incorrect and what the correct Personal Data may be. We may also not be able to accommodate your request (i) if we believe it would violate any law or legal requirement or cause the information to be incorrect, or (ii) if the Personal Data is subject to another exception under Relevant State Laws.
• Right to Deletion. You have the right to request that we delete any of your Personal Data that we collected from or about you and retained, subject to certain exceptions. Once we receive and confirm your Consumer Request (see How to Exercise Your State Privacy Law Rights), we will delete (and direct our service providers to delete) your Personal Data from our records, unless an exception applies pursuant to Relevant State Laws. Some exceptions to your right to delete may include, but are not limited to, if we are required to retain your Personal Data to complete the transaction or provide you the goods and services for which we collected the Personal Data or otherwise perform under our contract with you, and to comply with legal obligations.
• Right to Non-Discrimination. We will not discriminate against you for exercising any of your state privacy rights. Unless permitted by the applicable state privacy law, we will not do any of the following as a result of you exercising your state privacy rights: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; (iii) provide you a different level or quality of goods or services.
• Right to Opt-Out of Certain Processing. To the extent provided by the Relevant State Laws, you have the right to opt-out of our processing of your Personal Data for the purposes of: (i) targeted advertising; (ii) the sale of your Personal Data; or (iii) profiling in furtherance of decisions that produce legal effects or similarly significant effects concerning the consumer. We do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects.
• Withdrawing Consent for DITA to Process Your Sensitive Data. You may withdraw your consent for us to continue processing your Sensitive Data at any time by contacting us using the information provided below, however we may not be able to provide you with our products and services if you refuse to provide or otherwise withdraw your consent.

11. HOW TO EXERCISE YOUR STATE PRIVACY LAW RIGHTS

Opt-Out Rights for Sales and Processing for Targeted Advertising Purposes: If applicable under Relevant State Laws, you may exercise your right to opt-out of the "sale" (exchange of your Personal Data for monetary or other valuable consideration) and the processing of your Personal Data for "targeted advertising" by: (i) configuring your web browser to transmit the Global Privacy Control signal (for more information, please see https://globalprivacycontrol.org/); (ii) submitting your opt-out request using our online webform here; or (iii) emailing us at privacy@dita.com. We will only use Personal Data provided in an opt-out request to review and comply with the request.

All Other Rights under Relevant State Laws: To exercise any of your other rights described above, please submit a request (a "Consumer Request") to us by:

• Calling us toll-free at: (888) 245-2202;
• Emailing privacy@dita.com; and/or
• Filling out our online webform here.

If you fail to make your Consumer Request in accordance with the ways described above, we may either treat your request as if it had been submitted with our methods described above or provide you with information on how to submit the request or remedy any deficiencies with your request.

Authorized Agents

If applicable under the Relevant State Laws, you may be permitted to authorize a person to exercise some or all of your rights under the Relevant State Laws on your behalf (an "Authorized Agent"). Unless prohibited by the Relevant State Laws, we may (i) request that your Authorized Agent submit proof of identity and that they have been authorized to exercise your rights on your behalf, and (ii) deny a request from your Authorized Agent to exercise your rights on your behalf if they fail to submit adequate proof of identity or adequate proof that they have the authority to exercise your rights. To submit a request to DITA on behalf of another consumer as an Authorized Agent, please submit a request to us here, call (888) 245-2202, or email us at privacy@dita.com.

Verifying Your Requests

Only you (or, if permitted by the Relevant State Laws, your Authorized Agent) may make a Consumer Request related to your Personal Data. You may also make a Consumer Request on behalf of your minor consumer. All Consumer Requests must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized agent of such a person. This may include providing an email address, postal address, and order information.
• Be described with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm which Personal Data relates to you or the individual for whom you are making the request as their authorized agent.

Making a Consumer Request does not require you to create an account with us. We will only use Personal Data provided in a Consumer Request to verify the requestor's identity or authority to make the request.

Responding to Your Requests

We aim to promptly authenticate and respond to your requests within 45 days of receipt but may require a total of up to 90 days to respond to your requests. If we require additional time beyond the initial 45 days after we receive your request, we will let you know within the first 45 days.

We do not ordinarily charge a fee for our response to your requests. However, we may do so to the extent your request(s) are excessive, repetitive, or manifestly unfounded. If we determine that charging a fee is warranted, as permitted by the Relevant State Laws, we will let you know and will provide you with an estimate of the associated costs of responding to your request(s).

Appeals Process

If we determine that we cannot or will not take the action that you requested, we will inform you of our reasons for doing so and any rights you may have to appeal the decision. If applicable under Relevant State Laws, you may appeal a refusal by us to take action on your request to exercise any of the above rights within a reasonable period of time after we provide you notice of such refusal by contacting us at privacy@dita.com or 1-888-245-2202.

Within 45 days after we receive your appeal, we will inform you in writing of any action taken or not taken in response to your appeal, including any explanations for the reasons for the decision. If your appeal is denied, you may lodge a complaint with your State Attorney General through their official website.

12. CHANGES TO OUR U.S. STATE PRIVACY SUPPLEMENT

From time to time, DITA may update or revise this U.S. State Privacy Supplement. If there are changes to the terms of this Supplement, an updated version will be posted to the Website, along with the updated Supplement's effective date. If we make material changes to how we treat our consumers' Personal Data, we will notify you by email to the email address we have on file for you, through the posting of a notice on the home page of our Website, or by using a similar method. The date this U.S. State Privacy Supplement was last updated is identified at the top of the first page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this U.S. State Privacy Supplement to check for any changes. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

13. CONTACT INFORMATION

If you have any questions or comments about this U.S. State Privacy Supplement, please contact us at:

Dita, Inc.
Attn: Legal Department
1 Columbia
Aliso Viejo, CA 92656, USA
Phone: (888) 245-2202
Email: privacy@dita.com