Privacy Notice for Parents and Guardians
Last Updated: January 18, 2026
Important: This privacy notice explains how Reframify Kids collects, uses, and protects your child's personal and health information when you purchase prescription glasses from us. Please read this carefully before placing an order.
1. Who We Are
Data Controller: Reframify Kids
Registered in: England & Wales
Registered Office: Suite 3, 45 Salisbury Road, Cardiff, CF24 4AB
Contact: support@relensify.co.uk
2. What Information We Collect About Your Child
Personal Information
- Child's date of birth (to calculate age for dispensing compliance)
- Parent/guardian name, email, phone number, relationship to child
- Delivery address
Health Information (Special Category Data)
- Prescription details (sphere, cylinder, axis, prism for each eye)
- Prescription issue date and issuing optometrist
- Pupillary distance (PD) measurements
- Frame and lens selections
Technical Information
- IP address (for fraud prevention and security)
- Browser type and device information
- Order and payment transaction details
3. Why We Need This Information (Legal Basis)
| Purpose | Legal Basis | UK GDPR Article |
|---|---|---|
| Supply custom prescription glasses | Contract performance | Article 6(1)(b) |
| Process health data for dispensing | Health care purposes - UK GDPR + DPA 2018 | Article 9(2)(h) + Schedule 1, Part 1, para 2 |
| Dispensing Optician review (under-16 requirement) | Legal obligation (GOC regulations) | Article 6(1)(c) |
| Financial records (tax, VAT) | Legal obligation (HMRC) | Article 6(1)(c) |
| Email updates about order status | Legitimate interests | Article 6(1)(f) |
4. Who We Share Your Child's Information With
Essential Service Providers
- Partner Dispensing Optician: Supervising DO reviews every under-16 order (GOC requirement). They receive prescription, PD, child age, and frame details.
- Glazing Laboratory: After DO approval, we send prescription and frame details to manufacture the glasses.
- Delivery Courier: Name and delivery address only (no health data).
- Payment Processor (Stripe): Payment details only (no health data).
Legal Requirements
We may disclose information if required by law, court order, or regulatory authority (e.g., GOC investigation, HMRC audit).
We Never
- Sell your child's data to third parties
- Use data for marketing without consent
- Share health data with anyone not essential to dispensing
5. How Long We Keep Information
| Data Type | Retention Period | Reason |
|---|---|---|
| Clinical records (prescription, PD, DO review) | 10 years OR until child's 25th birthday (whichever is later) | GOC professional standards + children's health data protection |
| Financial records (invoices, payments) | 7 years from transaction | HMRC requirement |
| PD verification images (if uploaded) | 90 days | DO review period only |
| Marketing preferences | Until consent withdrawn | Consent-based |
6. Your Rights as a Parent/Guardian
You Have the Right To:
- Access: Request a copy of all data we hold about your child
- Rectification: Correct inaccurate information
- Erasure: Request deletion of data (subject to legal retention requirements below)
- Restriction: Limit how we use the data
- Data Portability: Receive data in a structured format
- Object: Object to processing based on legitimate interests
- Withdraw Consent: For marketing communications
Important Limits on Erasure (Right to be Forgotten)
We Cannot Delete:
- Clinical records before their retention deadline (10 years OR age 25)
- Financial records before the 7-year HMRC deadline
We Can Delete: Marketing data, analytics cookies, optional uploads (after 90 days)
Legal Exception: UK GDPR Article 17(3) - retention required for legal obligations and health care purposes
7. Security Measures
- All health data encrypted in transit (TLS/SSL) and at rest
- Access restricted to authorized personnel only
- Regular security audits and penetration testing
- Staff trained in data protection and confidentiality
- Secure deletion of data after retention period
- Two-factor authentication for admin access
8. Children's Rights
Children have the same data protection rights as adults. If a child is able to understand their rights, we will normally respond directly to the child. A parent/guardian may exercise the child's rights on their behalf if the child authorises this, or if it is evident that doing so is in the child's best interests.
We have also created a simplified privacy notice for children to help them understand how we use their information.
9. International Transfers
Your child's health data stays in the UK. Payment processing (Stripe) may involve transfers to the USA under an adequacy decision or standard contractual clauses. No health data is transferred internationally.
10. Cookies and Tracking
We use browser storage (localStorage) to remember items in your shopping basket. During payment, our payment provider (Stripe) may set cookies required to complete the transaction securely. We do not use analytics or marketing tracking. See our Cookie Policy for details.
11. Changes to This Notice
We may update this privacy notice. Significant changes will be emailed to you. Always check the "Last Updated" date above.
12. How to Contact Us
Privacy Questions: support@relensify.co.uk
Data Subject Requests: See Data Request or email support@relensify.co.uk
13. Right to Complain
If you're unhappy with how we handle your child's data, you can complain to the Information Commissioner's Office (ICO):
ICO Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF