Privacy Policy
Last updated: April 7, 2026
01 Introduction & Data Controller
This Privacy Policy explains how Device Optical Aid ("DOA", "we", "us") collects, uses, stores, and protects your personal data when you use our desktop application and website at deviceopticalaid.com.
DOA is operated by Cedric Julien .E, an individual operator based in Douala, Cameroon. For the purposes of the General Data Protection Regulation (GDPR), Cedric Julien .E is the data controller.
We comply with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable regional regulations. By using DOA, you acknowledge this policy. If you do not agree, please do not use the application.
02 Information We Collect
2.1 Account Information
- Email address and display name when you create an account
- Authentication tokens when you sign in via Google, Apple, or email/password
- Subscription and payment status (processed by Creem — DOA never receives or stores card details)
2.2 Prescription & Settings Data
- Optical prescription values you enter (SPH, CYL, AXIS, ADD) — treated as sensitive health-adjacent data
- Visual filter preferences (color blindness mode, correction strength)
- App configuration and toggle states
2.3 Usage & Diagnostics
- Device and OS information (Windows version, screen resolution, DPI)
- Feature usage patterns and session duration for free-tier enforcement
- Crash reports and error logs — no screen content is ever included
- GPU model and driver version for compatibility purposes
2.4 What We Do Not Collect
- Screen content — frames are processed locally and never transmitted
- Payment card details, bank information, or billing addresses
- Precise geolocation data
- Any data from OS-protected windows (login screens, UAC prompts, banking windows)
03 Legal Basis for Processing (GDPR)
Under GDPR Article 6, we process your personal data only where a lawful basis exists. The following list identifies the basis for each processing activity:
- Contract necessity (Art. 6(1)(b)): Account creation, authentication, prescription storage, subscription enforcement, and transactional emails are necessary to provide the service you have agreed to receive.
- Legitimate interests (Art. 6(1)(f)): Anonymized usage diagnostics and crash reporting are processed to improve application stability and performance. These interests do not override your rights — you can opt out.
- Consent (Art. 6(1)(a)): Anonymized aggregate prescription data collection (Section 07) is only processed where you have given explicit, informed, and withdrawable consent.
- Legal obligation (Art. 6(1)(c)): Where required, we may process data to comply with applicable law or a court order.
For prescription data, which is health-adjacent in nature, we apply additional care consistent with the standards of GDPR Article 9 even though it does not constitute medical data in the clinical sense.
04 Screen Capture & Local Processing
DOA captures your screen in real time to apply visual correction. This is the core technical mechanism of the product. Here is exactly what happens and what does not happen:
- Screen frames are captured locally on your device using the Windows Graphics Capture API (WGC)
- Frames are processed entirely on your local GPU — they are never uploaded, transmitted, or logged anywhere
- DOA does not read, interpret, store, or analyze the content of what is on your screen
- The corrected overlay is rendered directly to your display and discarded immediately after each frame
- No screen recording, screenshot, or image of your screen is ever created or stored
What DOA never captures: Windows system UI, login screens, UAC (User Account Control) prompts, and certain protected application windows are excluded from capture by the operating system automatically — not merely by policy. These exclusions are enforced at the OS level and cannot be overridden by DOA.
05 How We Use Your Information
- Authenticate your identity and maintain your session across devices
- Store and sync your prescription settings and preferences
- Enforce free-tier limits (daily usage timer, single monitor restriction)
- Verify and manage your premium subscription status with Creem
- Send transactional emails (subscription confirmation, renewal reminders, expiry notices)
- Improve shader correction accuracy and application stability using anonymized diagnostics
- Respond to support requests and account-related queries
- Detect and prevent fraud, abuse, or circumvention of usage limits
We do not use your data for advertising, behavioral profiling, or any purpose beyond what is described in this policy.
06 Data Storage, Security & Breach Response
Storage
- Account and prescription data is stored in Firebase (Google Cloud) with encryption at rest and in transit using industry-standard TLS
- Usage timers and session state are stored locally on your device and synced to prevent circumvention
- Payment records are held exclusively by Creem — DOA has no access to card numbers, bank details, or billing addresses
Access Controls
- Access to user data in Firebase is restricted using Firebase Security Rules — users can only access their own data
- Administrative access to the database is limited to the operator and protected by multi-factor authentication
- No third-party analytics service has access to identifiable user data
Breach Response
In the event of a data breach that affects your personal data, we will notify affected users by email within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. The notification will describe the nature of the breach, data affected, likely consequences, and steps taken to address it.
07 Third-Party Services & Processor Roles
DOA uses the following third-party services. Each acts as a data processor on our behalf, processing data only on our instructions and subject to their own data processing agreements:
- Firebase (Google LLC) — authentication and Firestore database. Acts as a data processor. Data may be stored in the United States. Governed by Google's Data Processing Terms.
- Creem — subscription and payment processing. Acts as Merchant of Record and independent data controller for payment data. DOA does not receive or store card or billing details.
- Resend — transactional email delivery. Processes email addresses for the purpose of sending account-related notifications only.
- Google / Apple OAuth — optional sign-in providers. Only your email and display name are received when you use these sign-in methods.
We do not sell, rent, trade, or share your personal data with advertisers, data brokers, or any third party not listed above. We do not permit any third party to use your data for their own purposes.
08 Anonymized Aggregate Data
With your explicit opt-in consent, DOA may collect anonymized aggregate data including prescription distribution ranges and correction quality patterns across the user base. This data:
- Cannot identify you individually in any way
- Is stripped of all account identifiers before aggregation
- May be used internally to improve correction algorithms or shared with optometry researchers
You will always be asked clearly before this data is collected. You can withdraw consent and opt out at any time from the app settings. Withdrawing consent does not affect data already aggregated, as it is by then unattributable.
09 Cookies & Website Tracking
The DOA website (deviceopticalaid.com) does not use tracking cookies, advertising cookies, or third-party analytics scripts that identify individual visitors. The site uses no cookie consent banner because no tracking cookies are set.
Session state for authenticated users on the web interface may use browser localStorage — this is functional only and is not shared with any third party.
If this changes in the future, this section will be updated and a cookie consent mechanism will be introduced before any tracking begins.
10 Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your data, subject to certain legal exceptions.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another service.
- Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
- Right to lodge a complaint: File a complaint with your national data protection authority. For EU residents, you can find your local authority at edpb.europa.eu.
To exercise any of these rights, contact us at support@deviceopticalaid.com. We will respond within 30 days. Account deletion is also available directly within the application.
11 Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for which it is used, and the categories of third parties with whom it is shared.
- Right to delete: You may request deletion of personal information we have collected, subject to certain exceptions permitted by law.
- Right to opt out of sale: DOA does not sell personal information to third parties. There is nothing to opt out of. We confirm this explicitly: We do not sell your personal data.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. Exercising these rights will not result in denial of service, different pricing, or any other penalty.
- Right to correct: You may request correction of inaccurate personal information we hold about you.
Categories of personal information collected: identifiers (email, user ID), commercial information (subscription status), internet or electronic network activity (session duration, feature usage), and inferences drawn to apply visual correction. We do not collect sensitive personal information as defined by CCPA beyond what is described in this policy.
To submit a CCPA request, contact us at support@deviceopticalaid.com with the subject line "CCPA Request". We will respond within 45 days.
12 International Data Transfers
Your data may be stored and processed in countries other than your own, including the United States, where Firebase and Creem infrastructure operates. For transfers from the EEA to countries without an adequacy decision:
- Firebase (Google) participates in the EU-US Data Privacy Framework and provides Standard Contractual Clauses (SCCs) for data transfers
- Creem maintains its own transfer mechanisms in accordance with applicable law
By using DOA, you acknowledge that your data may be transferred to and processed in these countries under the safeguards described above.
13 Data Retention
- Account and prescription data is retained for as long as your account is active
- Upon account deletion, all identifiable personal data is permanently removed within 30 days
- Anonymized diagnostic data that cannot be attributed to any individual may be retained indefinitely
- Transactional records required for legal or accounting purposes may be retained for up to 7 years as required by applicable law
- Backup copies may persist for up to 90 days after deletion before being overwritten in routine backup cycles
14 Children's Privacy
DOA is not directed at or intended for children under the age of 13 (or under 16 in the European Union). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately at support@deviceopticalaid.com and we will delete that data promptly.
15 Changes to This Policy
We may update this Privacy Policy as the product evolves. When we make significant changes, registered users will be notified by email at least 14 days before the changes take effect. The "Last Updated" date at the top of this page always reflects the most recent revision. Continued use of DOA after changes take effect constitutes acceptance of the revised policy.
We will never make changes that retroactively reduce your privacy rights without explicit re-consent where required by law.
16 Contact & Complaints
For any questions, requests, or concerns about this Privacy Policy or your personal data:
EU residents also have the right to lodge a complaint directly with their national supervisory authority if they believe their data protection rights have been violated. For legal terms governing use of the application, see our Terms of Service.