Privacy Policy
Last updated: 1/26/2026
1. Introduction
We are a cloud-based Optical Management Software, built by CarrotByte, designed for optical stores and eye clinics. CarrotByte processes several categories of your data:
- Customer Account Data: Your personal information as a customer (or potential customer) of CarrotByte's services
- Patient Data: This includes the patient information you enter into your Optical Management Software (OMS) and any related data
- Other Data: Any additional data provided by you on our websites and/or apps
2. How We Process Customer Account Data
Customer Account Data includes information from both existing and potential customers. When you contact us through our website or request a demo, we collect your data to provide information and services to you. Your privacy is important to us. CarrotByte respects your privacy regarding any information we collect from you across our websites and apps.
We only request personal information when necessary to provide a service to you, and we use it solely for delivering different CarrotByte services. We retain collected information only as long as necessary to provide you with your requested service and fulfill our obligations to you as per our Terms of Service.
3. How We Process Patient Data
As an Optical Management Software, CarrotByte handles Patient Data. Patient privacy is paramount. We do not share personally identifiable information publicly or with third parties except when required by law, when permitted by you, or in compliance with our Terms of Service.
For existing customers, we retain your Patient Data only as long as necessary to provide the requested service and fulfill our obligations as per our Terms of Service. Upon termination of our services, we return all your data and erase all copies on our side as detailed in our Terms of Service.
4. Data Security
CarrotByte uses enterprise-grade cloud infrastructure to store and process your data. We implement industry-leading security measures including:
- Encryption: AES-256 encryption for data at rest and TLS/SSL encryption for data in transit
- Compliance: SOC 2 Type 2 certified infrastructure with HIPAA compliance capabilities
- Access Controls: Role-based access control (RBAC) and row-level security policies to ensure users can only access authorized data
- Authentication: Multi-factor authentication (MFA) for enhanced account security
- Backups: Daily automated backups with point-in-time recovery capabilities
- Security Monitoring: Regular security audits, penetration testing, and vulnerability scanning
- DDoS Protection: Enterprise-level DDoS protection and rate limiting to prevent unauthorized access
We protect stored data using commercially acceptable methods to prevent loss, theft, unauthorized access, disclosure, copying, use, or modification. All security measures are regularly reviewed and updated to maintain the highest standards of data protection.
5. Data Sharing and Third Parties
We do not share any personally identifiable information publicly or with third parties except when:
- Required by law
- Permitted by you
- In compliance with our Terms of Service
Our websites may link to external sites not operated by us. Please be aware that we have no control over the content and practices of these sites and cannot accept responsibility for their respective privacy policies.
6. Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Object to processing of your data
- Request data portability
Contact Us
If you have any questions about this Privacy Policy, please contact us at:
hello@carrotbyte.io