Privacy policy

Last updated: 17 July 2026

1. About this Privacy Policy

City Optics Pty Ltd (ABN 69 673 464 947) (City Optics, we, us or our) provides optometry, optical retail and related services. This Privacy Policy explains how we handle personal information when you use services provided by us, including through our website, online store, customer account, checkout, appointment and enquiry channels, telephone and email communications, and City Optics stores.

This policy applies where City Optics Pty Ltd collects or controls the information. Some links or services may be provided by another organisation under its own privacy terms.

We may update this policy when our services, technology, providers or legal obligations change. We will publish the current version on our website and update the date above. If a change is material, we may also provide an additional notice where appropriate.

2. Personal Information We Collect

Depending on how you interact with us, we may collect:

  • identity and contact information, such as your name, date of birth, postal address, email address and telephone number;
  • account and transaction information, such as your customer account, orders, returns, warranties, invoices, delivery details and purchase history;
  • appointment and enquiry information, including your preferred store, appointment details, questions and support requests;
  • payment and claim-related information. Payment providers generally process full card or account details, while we receive transaction status and limited payment information. Where relevant, we may also handle Medicare, health-fund, HICAPS or other claim details;
  • communications, including emails, telephone notes, messages, reviews, feedback and complaint records;
  • marketing preferences, subscription status and information about how you engage with our messages;
  • online and device information, such as IP address, browser and device details, approximate location, referring page, pages viewed, clicks, cart and checkout activity, and cookie or similar identifiers; and
  • health and prescription information described below.

If you apply for work with us, visit our premises, deal with us as a supplier or act for another person, we may collect other information reasonably needed for that relationship.

3. Health and Prescription Information

We may collect sensitive health information where it is reasonably necessary to provide optometry, optical or prescription services. This may include:

  • spectacle and contact-lens prescriptions;
  • prescription photographs, scans and PDF files;
  • prescription values entered online or recorded by staff;
  • pupillary distance, fitting, frame and lens measurements;
  • relevant eye-health, fitting and clinical information;
  • information supplied by an optometrist, ophthalmologist or other healthcare professional where authorised; and
  • information needed to assess prescription validity or suitability and to manufacture, dispense, fit or supply optical products.

We collect and use this information to review and validate prescriptions, assess product or frame suitability, provide optometry and optical services, manufacture and fulfil prescription products, arrange fitting and dispensing, provide ongoing care and order support, and manage remakes, warranties, returns or complaints. We may also keep information where required for clinical, professional, legal or record-keeping purposes.

We may be unable to provide a prescription product or relevant service if required information is not supplied.

We do not use health or prescription information for unrelated advertising personalisation or unrelated direct marketing.

4. How We Collect Information

We usually collect information:

  • directly from you through our website, checkout, customer account, forms, prescription upload or manual-entry tools;
  • when you contact us by email, telephone, message or in person;
  • during appointments, eye examinations, fittings and other in-store services;
  • from a parent, guardian, authorised representative or person acting for you;
  • from an optometrist, ophthalmologist, healthcare professional or previous provider where you authorise it or where collection is otherwise permitted;
  • from Shopify and providers that help us operate our website, process orders, communicate with customers or provide services;
  • from payment, delivery, booking, review, analytics and marketing providers; and
  • automatically through cookies, pixels, server logs and similar technologies.

Where required, we provide a specific collection notice at or near the point where information is collected. This policy does not replace a specific consent or collection notice where one is required.

5. Prescription Uploads and Upload-Lift

When you upload a prescription through our website, the file is processed using Upload-Lift, a service provided by Cloudlift GmbH. The prescription file itself can contain personal and health information.

Upload-Lift stores the uploaded file and, if it is used for an order, associates the order number with the file record. Cloudlift states that temporary uploads are stored for 30 days and then automatically deleted. Depending on the Upload-Lift account plan and configuration, an order-linked copy may also be placed in an archive and retained until it is deleted or until a configured archive-retention period expires.

Cloudlift states that Upload-Lift files are stored using Google Cloud Storage in a United States west-region data centre. Files are therefore processed and stored outside Australia.

City Optics staff who need the prescription to review or fulfil an order can access the upload through Upload-Lift and/or the associated Shopify order. We may also transfer necessary information to an appropriate City Optics order, dispensing or clinical record. Deleting a temporary or archived Upload-Lift copy does not necessarily delete an authoritative order or health record that we are legally or operationally required to retain.

Upload-Lift searches archived files by order number rather than customer name. If you ask us to access or delete an uploaded file, please provide enough information to locate the associated order. Cloudlift states that a deleted Upload-Lift file is ordinarily retained for a further seven days as an accidental-deletion safeguard; immediate removal can be requested from Cloudlift support where appropriate.

6. How We Use Personal Information

We may use personal information to:

  • provide optometry, optical and related health services;
  • arrange appointments and respond to enquiries;
  • review prescriptions and assess product suitability;
  • process, manufacture, dispense, deliver and support orders;
  • manage payments, invoices and, where applicable, Medicare or health-fund administration;
  • provide customer service and manage changes, returns, remakes, warranties and complaints;
  • maintain appropriate clinical, transaction and business records;
  • prevent fraud, misuse and security incidents;
  • operate, maintain, troubleshoot and improve our website and services;
  • understand website performance and customer journeys;
  • request and manage reviews or feedback;
  • send direct marketing where permitted and manage your preferences;
  • comply with legal, professional, taxation, accounting and regulatory requirements; and
  • establish, exercise or defend legal claims.

7. How We Disclose Personal Information

We disclose only the information reasonably needed for the relevant purpose. Depending on the service, recipients may include:

  • Shopify and ecommerce providers that host our store, checkout, customer accounts, orders and related services;
  • Upload-Lift/Cloudlift for prescription and other approved file uploads;
  • lens laboratories, frame, contact-lens and optical suppliers where information is needed to manufacture, verify, dispense or supply an order;
  • payment providers, including providers used for card payments, Shop Pay, PayPal and Afterpay;
  • delivery and logistics providers, including Australia Post, StarTrack and order-tracking providers;
  • booking, communications, email, customer-support and review providers;
  • website hosting, IT, cloud, security, analytics, advertising and service-improvement providers;
  • healthcare professionals, health funds, Medicare or claims providers where you authorise the disclosure or it is otherwise permitted or required;
  • accountants, auditors, insurers, lawyers and other professional advisers;
  • regulators, courts, law-enforcement bodies or other recipients where required or authorised by law; and
  • a buyer or adviser in connection with a proposed or completed sale, restructure or transfer of all or part of our business, subject to appropriate safeguards.

Not every provider receives every category of information. We limit prescription and health information to staff and providers that reasonably need it for an authorised health, clinical, prescription, order-support or legal purpose.

8. Shopify

Our online store is hosted on Shopify. Shopify supports our storefront, checkout, customer accounts, order processing, installed apps, payment features and Shop Pay where enabled. Shopify and apps connected to Shopify may receive customer, order, device and usage information needed to provide their services.

Shopify also provides customer privacy, cookie, analytics, fraud-prevention, personalisation and advertising-related features. The way those features operate depends on our current Shopify settings and the choices available to you. You can read more about Shopify's handling of personal information in the Shopify Consumer Privacy Policy.

9. Overseas Processing and Disclosure

Some providers process or store personal information outside Australia. A currently verified location is:

  • the United States, including Upload-Lift file storage and some services used for analytics, advertising, communications or cloud processing.

Shopify and other providers may process information in additional countries disclosed in their current privacy or subprocessor documentation. Where practicable, we identify likely countries in this policy or in a notice provided when the information is collected. The privacy laws in those countries may differ from Australian law.

When selecting and managing providers, we take steps that are reasonable in the circumstances, having regard to the sensitivity of the information, the purpose of the service and available contractual, technical and organisational safeguards.

10. Cookies, Analytics and Advertising

Our website uses cookies, pixels and similar technologies for purposes including:

  • keeping the site, cart, checkout and security features working;
  • remembering preferences and providing requested functionality;
  • measuring site and campaign performance;
  • understanding how customers use the site and identifying technical or usability issues; and
  • advertising, attribution and personalisation where permitted.

Providers currently used on the storefront include Shopify analytics and customer-event tools, Google Tag Manager and Google advertising services, Meta, Microsoft Clarity, Klaviyo, Judge.me and Shogun. Microsoft Clarity provides heatmaps and reconstructed session recordings; Microsoft states that input boxes and drop-down content are masked in all masking modes. Provider and configuration details may change over time.

Where a cookie banner or privacy-preferences tool is available, you can use it to manage available choices. You can also manage cookies through your browser and use controls offered by Google, Meta, Microsoft and other platforms. Blocking necessary cookies may affect site, cart, account or checkout functions.

Website-behaviour data is different from prescription and health information. We do not use prescription or health information for unrelated advertising personalisation.

11. Direct Marketing

Where permitted, we may send information about City Optics products, services, appointments, offers or events by email, SMS or other channels. We may do this with your consent or as otherwise permitted in connection with an existing customer relationship.

You can unsubscribe using the link in an email, reply STOP to an applicable SMS, adjust available account preferences, or contact us. We may still send necessary transaction, appointment, clinical, safety or order-support communications after you unsubscribe from marketing.

We do not use health or prescription information for unrelated direct marketing unless you have specifically agreed and the use is permitted by law.

12. Security

We use reasonable technical and organisational safeguards appropriate to the information and our services. These may include access controls, role-based staff access, account and device protections, secure transmission where supported, staff procedures, service-provider review, monitoring, backup and secure disposal processes.

Staff and contractors should access personal and health information only where needed for their work. No internet transmission or storage system is completely secure, and we cannot guarantee absolute security.

If we identify a data breach, we will assess and respond to it and make notifications where required by applicable law.

13. Retention and Deletion

We retain personal and health information only for as long as reasonably necessary for the purposes for which it was collected, to provide ongoing care and order support, and to comply with applicable legal, clinical, taxation, accounting and record-keeping requirements.

Where NSW health-record retention requirements apply to us as a private health service provider, health information collected while a person was an adult must generally be retained for seven years from the last health service we provided to that person. Health information collected while a person was under 18 must generally be retained until that person turns 25. Another law or an authorised clinical or legal purpose may require longer retention.

Temporary and duplicate files are not necessarily the authoritative City Optics health, clinical or order record. Upload-Lift temporary uploads are ordinarily stored for 30 days. An Upload-Lift archived copy, if enabled, may be retained for the configured archive period or until deletion. Shopify orders, customer records, clinical or dispensing records, emails, support records, accounting records, marketing records and analytics data may have different retention periods.

When information is no longer required, we take reasonable steps to delete or de-identify it, subject to lawful retention, dispute, fraud-prevention, backup and record-keeping requirements. We may be unable to delete information immediately where we are required or permitted to retain it.

Where applicable health-record law requires it, we also retain a record of the deletion, disposal or transfer of health information, including the details required by that law.

14. Access and Correction

You may ask to access personal or health information that we hold about you or ask us to correct information that is inaccurate, out of date, incomplete, irrelevant or misleading.

Please contact us in writing using the details below and describe the information or order concerned. We may ask for proof of identity and authority before providing access or making a correction. For prescription uploads, an order number and the email, telephone number or other order details may be needed because Upload-Lift does not support searching its archive by customer name.

We will respond within the period required by applicable law. NSW access and amendment requests concerning health information generally require a response within 45 days. In some circumstances, the law permits or requires us to refuse access or correction. If that happens, we will provide a written response and available review or complaint information, unless we are not permitted to do so.

15. Privacy Complaints

If you have a privacy concern or complaint, please contact our Privacy Contact using the details below. Tell us what happened, the information or order involved, the outcome you are seeking and how we can contact you. Please do not send additional prescription or health information unless it is needed for us to investigate.

We will acknowledge and investigate the matter, involve appropriate staff or providers, and respond within a reasonable period having regard to the nature and complexity of the issue.

If you are not satisfied with our response, you may be able to complain to:

16. Children and Minors

Minors may receive optometry and optical services. Depending on the person's age, capacity, the service and applicable law or professional obligations, information may be provided by or disclosed to a parent, guardian or authorised representative.

We consider the young person's capacity, interests and privacy, and verify authority where appropriate. Online orders or account activity by minors may require involvement from a parent or guardian.

17. Changes to This Policy

We will publish the current policy on our website and show the last-updated date. Where appropriate, we may provide additional notice of a material change. We retain backups or historical versions as part of our policy-management process.

18. Contact Us

Privacy Contact
City Optics Pty Ltd
ABN 69 673 464 947
Email: online@cityoptics.com.au
Post: Shop 256, Westfield Penrith, 585 High Street, Penrith NSW 2750, Australia
Telephone: (02) 4721 1402