Privacy Policy

MyopiaProgression.com ("we," "us," or "our") is an educational health information website dedicated to providing evidence-based resources about myopia (nearsightedness) progression and myopia control for parents, eye care providers, educators, and researchers.

Data Controller:
MyopiaProgression.com
P.O. Box 1587
Hope Mills, NC 28348
United States

Privacy Contact: [email protected]

A. Information You Provide Directly

We collect information that you voluntarily provide when using our services:

• Account registration: Name and email address when you create an account through our authentication provider
• Email subscriptions: Name and email address when you subscribe to newsletters or download resources
• Risk Assessment Tool: Your child's age, vision history, lifestyle factors, family history of myopia, and optionally your child's name and your email address. This information is used to generate a personalized risk report.
• Appointment requests: Parent/guardian name, email, phone number, child's name and age, preferred appointment details, and any message you include
• Provider directory listings: Practice name, credentials, contact information, address, specialties, insurance accepted, and professional biography
• Research submissions: Academic credentials, institutional affiliation, ORCID ID, and uploaded research documents
• Advertiser inquiries: Company name, contact information, advertising goals, and budget range
• Community participation: Poll responses and feedback

B. Information Collected Automatically

When you visit our website, we automatically collect certain information:

• Device and browser information: Browser type and version, operating system, screen resolution
• Usage data: Pages visited, time spent on pages, click patterns, and navigation paths
• Network information: IP address and approximate geographic location (city/region level)
• Referral data: The website or search engine that directed you to our site

C. Information We Do NOT Collect

• We do not collect Social Security numbers, government-issued ID numbers, or financial account numbers
• We do not collect biometric data
• We do not collect precise geolocation data (GPS coordinates) from your device
• We do not collect protected health information (PHI) as defined by HIPAA (see Section 8)
• We do not knowingly collect any personal information from children under 13 years of age without verifiable parental consent

We use the information we collect for the following purposes:

• Service delivery: To provide our educational tools, risk assessments, provider directory, and resource library
• Communication: To send newsletters, appointment confirmations, and respond to your inquiries (only with your consent for marketing communications)
• Provider matching: To connect parents with appropriate myopia control specialists based on location and treatment preferences
• Payment processing: To process provider subscription payments and advertiser billing through our payment processor
• Website improvement: To analyze usage patterns, fix technical issues, and improve our content and user experience
• Security: To detect and prevent fraud, abuse, and unauthorized access
• Legal compliance: To comply with applicable laws, regulations, and legal processes

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

• Consent: When you opt in to receive marketing emails, submit a risk assessment, or accept analytics cookies
• Contract performance: When processing is necessary to provide services you have requested (e.g., provider subscriptions, appointment requests)
• Legitimate interests: For website security, fraud prevention, and improving our services, where these interests are not overridden by your rights
• Legal obligation: When we are required to process data to comply with applicable law

We do not sell, rent, or trade your personal information to third parties. We share data only with the following categories of service providers who assist us in operating our website:

Each service provider is contractually obligated to use your data only for the purposes described above and to maintain appropriate security measures. We do not permit these providers to use your data for their own marketing purposes.

We use cookies and similar technologies to operate our website. When you first visit, our cookie consent banner allows you to accept or decline non-essential cookies.

Types of Cookies We Use

• Strictly necessary cookies: Required for authentication, security, and basic site functionality. These cannot be disabled. Includes session cookies for logged-in users and CSRF protection tokens.
• Analytics cookies (optional): Plausible Analytics operates without cookies and does not track individual users. Microsoft Clarity uses cookies to record anonymized session replays and heatmaps, only when you consent.
• Preference cookies: Store your theme preference (light/dark mode), cookie consent choice, and sidebar state. These remain on your device until you clear your browser data.

Managing Cookies

You can manage your cookie preferences at any time through the cookie consent banner (click the cookie icon in the bottom-left corner of any page) or through your browser settings. Disabling cookies may affect certain functionality such as staying logged in.

• The information provided on this website is for educational and informational purposes only and is not a substitute for professional medical advice, diagnosis, or treatment.
• Our Risk Assessment Tool provides general educational guidance based on known risk factors. It does not constitute a medical diagnosis or clinical recommendation.
• We do not access, store, or process protected health information (PHI) from healthcare providers' electronic health record (EHR) systems.
• Information you voluntarily provide (such as your child's age or vision history) is treated as general personal information under applicable privacy laws, not as PHI under HIPAA.
• When you use our appointment request feature, your information is shared with the selected eye care provider. Once that provider receives your information, their own HIPAA obligations apply to how they handle it.
• Always consult a qualified eye care professional for medical advice regarding your child's vision.

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy:

You may request early deletion of your data at any time by contacting us at [email protected].

We implement industry-standard technical and organizational security measures to protect your personal information:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS enforced site-wide with HSTS preloading)
• Encryption at rest: Database storage is encrypted at the infrastructure level
• Access controls: Administrative access is restricted and requires authentication
• Security headers: Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Permissions-Policy headers are enforced
• Rate limiting: API endpoints are protected against brute-force and abuse attacks
• Spam prevention: Forms include honeypot fields and validation to prevent automated abuse
• DDoS protection: Cloudflare provides network-level protection against distributed denial-of-service attacks
• Payment security: All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. We never see, store, or process full credit card numbers.

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

Prohibited Activities

The following activities are expressly prohibited without prior written authorization from MyopiaProgression.com:

• Web scraping: Using automated tools, scripts, bots, or software to extract data from this website, including but not limited to provider directory listings, contact information, treatment data, and educational content
• Data mining: Systematically collecting, aggregating, or compiling information from this website for commercial or competitive purposes
• Bulk downloading: Downloading substantial portions of the website content through automated or manual means
• API abuse: Accessing our application programming interfaces (APIs) in a manner that exceeds reasonable use, circumvents rate limits, or is intended to extract data in bulk
• Database reconstruction: Attempting to reconstruct, replicate, or create a derivative database from our provider directory or any other structured data on this website
• Circumvention: Bypassing, disabling, or interfering with any technical protection measures, including rate limiting, CAPTCHAs, access controls, or copy protection mechanisms

Technical Enforcement

We employ technical measures to detect and prevent unauthorized automated access, including but not limited to: rate limiting on API endpoints, bot detection, IP blocking, user-agent filtering, and behavioral analysis. We reserve the right to block any IP address, user agent, or access pattern that we reasonably believe constitutes automated or abusive access.

Legal Remedies

Unauthorized automated access may violate the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 1201, and applicable state computer crime statutes. We reserve the right to pursue all available legal remedies, including injunctive relief and monetary damages, against any person or entity that engages in prohibited automated access.

Permitted Automated Access

We permit access by major search engine crawlers (Googlebot, Bingbot, DuckDuckBot) for the purpose of indexing publicly available pages, subject to the directives in our robots.txt file. All other automated access requires explicit written permission. To request permission, contact [email protected].

Regardless of your location, you have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Opt-out: Unsubscribe from marketing communications at any time using the link in any email or by contacting us
• Data portability: Request your data in a commonly used, machine-readable format
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, email [email protected]. We will verify your identity and respond within 30 days (or 45 days for complex requests, with notice).

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (such as completing a transaction or complying with legal obligations).

Right to Opt-Out of Sale or Sharing

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality of service, or access based on exercising your privacy rights.

Authorized Agents

You may designate an authorized agent to submit requests on your behalf. We may require verification of both your identity and the agent's authority before processing such requests.

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following additional rights under the General Data Protection Regulation (GDPR):

• Right to restriction of processing: Request that we limit how we use your data in certain circumstances
• Right to object: Object to processing based on legitimate interests, including profiling
• Right to lodge a complaint: File a complaint with your local data protection authority (supervisory authority) if you believe your rights have been violated
• Right not to be subject to automated decision-making: We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you

To exercise these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR.

14. Do Not Track Signals

Our website respects Do Not Track (DNT) browser signals. When we detect a DNT signal, we limit data collection to essential functionality only. Our primary analytics provider, Plausible Analytics, is privacy-focused by design and does not use cookies or track individual users regardless of DNT settings.

15. International Data Transfers

Our servers and database are located in the United States. If you access our website from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

By using our website, you consent to the transfer of your information to the United States. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) or your explicit consent as the legal mechanism for international data transfers where required by GDPR.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Effective Date" and "Last reviewed" date at the top of this page
• Post a notice on our website for significant changes
• Send an email notification to registered users for material changes that affect how we handle their data

We encourage you to review this page periodically. Your continued use of our website after changes are posted constitutes your acceptance of the updated policy.