mVT App - Privacy Notice v1.1 - Oct 2023

US English

myVisionTrack® MOBILE APP PRIVACY NOTICE

Version 1.1, last revised on November 8, 2023

Effective Date. This Privacy Notice (“Notice”) is effective as of November 8, 2023.

myVisionTrack® MOBILE APP PRIVACY NOTICE FOR CLINICAL TRIAL PARTICIPANTS

If you are participating in a clinical trial or study that requires you to use this App, you will also be required to sign an informed consent form, which will be provided to you by your study site or the clinical trial administrator. In the event of a conflict between the terms of this Notice and the informed consent form, the terms of the informed consent form will supersede the provisions of this Notice. We would still like to invite you to study this Notice carefully as it provides you with general details on the protection of Personal Data relating to you. You will need to agree to this notice as this is technically required for the implementation of the App. Please note that either your clinical trial / study site or the respective sponsor may serve as the data controller, and not the healthcare provider (HCP) as stated in the Notice.

myVisionTrack® MOBILE APP PRIVACY NOTICE FOR PATIENT USE

Roche, including our Affiliates, is committed to protecting your Personal Information. This Notice and the myVisionTrack® Mobile App Terms and Conditions of Use (together – the “Terms”) outline the types of Personal Information Roche may collect; the means by which Roche may collect, use, or share your Personal Information; steps Roche takes to protect your Personal Information; and choices you are provided with respect to the use of your Personal Information. Please be aware that Roche will primarily act as a Data Processor to your healthcare provider (hereafter HCP), but also as a Data Controller for certain Processing activities; for details around this concept, please have a look at the definitions section below. To the extent that this Notice provides you with information on Roche’s activities as a Data Processor, this document complements the information provided by your HCP. In case of a conflict between information provided by your HCP as a Controller and this Notice, the information provided by your HCP shall supersede the information provided in this notice.  

Please read this Notice carefully. We respect your privacy and we want you to understand how your HCP and we as Roche manage the information you provide to us and the measures we take to protect it.

Roche is the provider of the myVisionTrack® Mobile App, or in more legal terms, it serves as the distributor of the App, with the partner BrightInsight, Inc. (hereafter BI) acting as the so-called “Legal Manufacturer” of myVisionTrack®. We need to know certain Personal Information about you in order to facilitate your use of myVisionTrack®, as prescribed by the HCP to you, and to perform the services requested by you and your HCP. Please note: if you choose not to provide your Personal Information, it may not be possible for you to use myVisionTrack®.

By registering to use the myVisionTrack® App (“myVisionTrack” or the “App”), you acknowledge that you have read, understood and agree to the App’s Notice, and that you are aware that the collection, use, processing and disclosure of your Personal Information, as outlined below, is required for you to use myVisionTrack® and in compliance with the Terms and applicable laws and privacy regulations.

Depending on your country of residence, you may have additional privacy rights under your local law.

This is particularly the case if you are residing in Australia or APEC regions, Brazil, Canada, the UK, a Member Country of the European Union (EU) or a Member State of the European Economic Area (EEA), or the United States of America. Those rights, as well as the appropriate channels for contacting Roche with questions, requests, and inquiries in scope of such applicable privacy laws, are outlined for you below. To the extent your HCP is controlling the data relating to you, we invite you to review your privacy rights with your HCP.

If you are a User in the EU/EEA, you will have the rights as a data subject as stipulated by the EU General Data Protection Regulation EU 2016/679 and any applicable ePrivacy framework. If you are a User in the UK, data protection is governed by the UK General Data Protection Regulation (Regulation (EU) 2016/679) ('UK GDPR') and the Data Protection Act 2018. For US residents, please see the specific section further below.

If you are participating in a clinical trial or study that requires you to use this App, and as stated before in the specific section on clinical trials, you will also be required to sign an informed consent form, which will be provided to you by your healthcare provider or the clinical trial administrator. This Notice only applies to your use of this App. This Notice does not apply to any third party apps or websites linked to or accessible from the App. Roche is not responsible for the privacy practices, the content or any Processing activities of any third parties, sites or apps.

Definitions

“myVisionTrack® App” or “myVisionTrack” or “mVT” or the “App” is an application which allows patients to remotely monitor their vision through the mVT App. Healthcare providers can prescribe myVisionTrack® to new patients and monitor them through the myVisionTrack® Portal. Please note: the mVT ‘product’ or ‘application’ includes both the mVT App and the mVT Portal, and is a synonym for ‘mVT application.’

“User” or “you” means you, the individual, who has been prescribed the use of the App by the Roche Customer, or who is otherwise using the App.

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including, but not limited to, your name, address, e-mail address, telephone number and/or certain categories of sensitive personal information (such as health data you may choose to share with us).

“Data Controller” determines the purpose and means of personal data processing; this is a regulatory concept developed under the EU/UK GDPR. In more lay terms, the data controller decides about the “why” and the “how” of the data processing.

“Data Processor” processes personal data only on behalf of the Data Controller, as determined in an agreement between the parties. The data processor is often a third party to the Data Controller (e.g. Roche to your HCP), but in the case of Roche Group, one legal entity of Roche may act as processor for another legal entity of Roche.

“Business Associate” (US HIPAA) is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a HIPAA covered entity.

“Legal Manufacturer” means any natural or legal person who designs, manufactures, fabricates, assembles, or processes a finished device. The Legal Manufacturer of the myVisionTrack® application is BrightInsight, Inc., residing at 6201 America Center, San Jose, CA, USA (hereafter BI).

“Processing” means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Roche Customer” means any institution, corporation or individual, which subscribed to use myVisionTrack in order to be able to prescribe the use of this App to you. This includes your healthcare provider (HCP) and/or your healthcare institution who prescribed this App to you.

“Roche Group” means F. Hoffmann-La Roche AG, a Swiss multinational healthcare company, together with all the corporations through which it operates around the globe. You can learn more about Roche Group and Roche Affiliates worldwide by visiting: https://www.roche.com/about/business/roche_worldwide.htm.

“Roche” or “we” or “us” means (i) when in relation to the App’s enabler or distributor: a company-member of Roche Group that operates in the country where the App is made available to you (“Roche Affiliate”); and (ii) when in relation to Roche as a service provider: the Legal Manufacturer acting on behalf of Roche or any Roche Affiliate that is providing services that are requested by you in relation to the App.

Roche may act as a Data Controller or Data Processor, as defined by the EU or UK GDPR, as applicable.

The EU representative of F. Hoffmann-La Roche, Ltd is Roche Privacy GmbH, Emil-Barell-Str. 1, D79639 Grenzach-Wyhlen, Germany. The UK representative of F. Hoffmann-La Roche Ltd is Roche Products Limited, 6 Falcon Way, Shire Park, Welwyn Garden City, Hertfordshire AL7 1TW, United Kingdom.

What Information Does Roche Collect via myVisionTrack®? myVisionTrack does not collect information from your HCP medical history file, or other sensitive Personal Information held by your HCP, such as treatment plans or previously collected diagnostic information. In order to facilitate your use of the App, your HCP will collect consent from you first and then add to the myVisionTrack® Healthcare Provider portal, the following information:

● Your first and last name;

● Your email address (to be used as your username for the App);

● Your date of birth (to verify that you are over the age of 18);

● Your mobile phone number (to send you the code for the activation of this App);

● Limited health information, specifically the eye(s) to be tested;

● Optional: Chart number, also known as medical record or health record number (which allows your healthcare provider to link your myVisionTrack® profile with your medical health record).

After the activation of the myVisionTrack® App, you will be able to perform vision activities, and such activities will imply the processing of the following categories of personal data:

● Vision Activity Data (to share the results with your healthcare provider);

● Background Data (optional, for improving the myVisionTrack® App product);

● Your IP address (for authentication and security monitoring only; we do not collect location data).

Regarding the optional Background Data: The camera is used during an activity to measure the ambient light and the distance between the device and the user's face. Please note: The app does NOT take any pictures and does NOT access your photos.

Due to the nature of the App, the system also generates certain types of event data (such as system logs) that may qualify as Personal Information in certain jurisdictions. For example, if the User is conducting one of the vision activities in the myVisionTrack App, the system will record the results of the vision activity and also the fact itself that the vision activity was successfully completed (in terms of a timestamp of the completion of the vision activity). This information is required to provide the service to your HCP. Furthermore it allows Roche to understand how myVisionTrack® is being used to inform how we can improve the App and the myVisionTrack® service.

US Users only: Except as otherwise permitted or required by law, Roche collects, uses, and discloses any individually identifiable health information consistent with the terms of applicable HIPAA business associate agreements with HCPs/Roche Customers. Please note that BI as the legal manufacturer may use certain information regarding the use of the App, such as to monitor the security of the App in compliance with their obligations as a HIPAA sub-Business Associate. US users are invited to consult the Roche US Privacy Notice as a supplement to this Privacy Notice: https://www.roche.com/us-privacy-policy/

Non-Personal Information. Roche, assisted by BI as the Legal Manufacturer, collects and retains certain non-Personal Information to help improve the myVisionTrack® product and services. This information may include, and is not limited to, your feedback about your use of the App, aggregated data, technical analytics (such as what brand, type and model of device you are using), and other technical, non-Personal Information resulting from your use of the App. This information collected and used by Roche will not personally identify you and will therefore not fall under applicable data protection laws and regulations.

Legal Basis for Processing of Personal Information. You may only register to use and access the App if your HCP has prescribed the use of this App to you. Therefore, Roche processes your Personal Information primarily to facilitate your use of the App, on behalf of and as requested by your healthcare provider (HCP), a Roche Customer.

Roche may process your Personal Information also as a Data Controller to:

● take an action expressly permitted or authorized by you;

● improve the myVisionTrack® product and services as described in this Notice, including security practices, improvement of user experience and vision algorithms, and other functional improvements;

● perform additional services requested by you; and/or

● comply with applicable laws and regulations.

For the avoidance of doubt, to the extent we process data relating to data subjects in the EU/EEA or UK as a Data Controller - including Processing activities that ensure the security of Processing, the improvement of the myVisionTrack® product and services, Processing activities that aim to secure the integrity and availability of the myVisionTrack® application, the adherence to legitimate requests from governmental or regulatory institutions or courts, and other compliance related activities - these are based on our legitimate interests as defined in Art 6 1) f) GDPR. For US users, please note that we are required under applicable data privacy legislation, such as HIPAA, to ensure and maintain the security and compliance of the myVisionTrack® application, together with BI as the legal manufacturer of the application.

How Will Roche Use my Personal Information? Any Personal Information we collect and process on behalf of you or the Roche Customer shall be used solely for the following purposes:

● Facilitate your use of the App, as requested by you, for your own purposes, as may be requested by the HCP/Roche Customer on your behalf, or if you agreed to use the App within a clinical study;

● Verify your identity and maintain your account, settings, and preferences;

● Provide general and technical support, when requested by you; and

● Personalize and provide content, experiences, and communications to improve the use of the App as instructed by your HCP.

As stated before, Roche will act as a Data Controller for certain Processing activities, in particular activities related to the security, integrity and availability of the myVisionTrack® services, BI’s adherence to regulatory requirements as the Legal Manufacturer, the improvement of the myVisionTrack® product and services, compliance related matters and legitimate requests from authorities, courts and other governmental institutions. Roche will use identifiable data whenever needed to serve your HCP, for product improvement activities, or to fulfill its contractual, legal or regulatory obligations. Roche may use aggregated, de-identified or anonymized data (e.g. with identifiers such as name and email removed) for additional research activities and the development of new or materially different products/services. Roche will not re-identify or attempt to re-identify you from such aggregated, de-identified or anonymized data.

Will Roche Use My Personal Information for Marketing Purposes? We will not use, sell or transfer your Personal Information for marketing purposes unless we obtain your express consent for this in accordance with applicable laws. We will still send you important information about the App, any updates or changes in functionality that may affect your use of the App, as well as legal and regulatory notices, when required.

How Will Roche Share My Personal Information with Others? We do not sell your Personal Information. Roche shall only share your Personal Information with your healthcare institution as a Roche Customer, with Roche Affiliates involved in the provision of services, with BI as the Legal Manufacturer and with our Roche third-party service provider(s), for legal reasons, to facilitate your use of the App, or as requested by you. To the extent we, or BI as the Legal Manufacturer, rely on third-party service providers for the processing of myVisionTrack® data, we will only do so after signing relevant agreements that ensure full compliance with applicable data protection laws and regulations (e.g. a Business Associate Agreement under US HIPAA, or a Data Protection Agreement under EU GDPR and UK GDPR). The following sections explain in more detail when and why we share your information.

Roche Will Share Your Personal Information with Your Healthcare Provider. Next to the information your Healthcare Provider (HCP) is providing to the myVisionTrack® Portal when adding you as a user, he/she will also be able to see your vision activity results. Your Personal Information, your data, including your vision activity results, will be available to your HCP via the myVisionTrack® Portal, and your HCP will act as the primary Data Controller in relation to such data.

Roche May Need to Share Your Personal Information for Legal Reasons. We may share your Personal Information in response to a legal obligation, or if we have determined that sharing your Personal Information is necessary to:

● Respond to legitimate requests of government authorities, or where required by applicable laws, court orders, or government regulations;

● Enforce our Terms and Conditions of Use, including investigation of any potential violations thereof;

● Detect, prevent, or otherwise address fraud, security, or technical issues;

● Exercise or defend legal claims or protect against harm to the rights, property, or safety of Roche, its users, or the public as required or permitted by law; or

● Where needed for corporate audits or to investigate or respond to a complaint or security threat.

In case we share your Personal Information for Legal Reasons, Roche may act as the Data Controller unless a request, legally binding order, court order or government regulation is enforceable against your HCP, and if your HCP then instructs us to share your Personal Information. Similar obligations apply regarding BI, as it may be subject to requests in its role as the Legal Manufacturer.

How Does Roche Protect My Personal Information? Roche and its Affiliates, as well as BI and other Roche third-party service providers, strive to use adequate physical, technical, and administrative safeguards (such as firewalls, encryption, identity management, and intrusion prevention and detection) to protect the information you share through the App from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. All data uploaded into the App is encrypted in transit and at rest. However, Roche and BI cannot guarantee the absolute security of your Personal Information, as no data transmission over the Internet or data storage system is guaranteed to be 100% secure. We recommend that you take any available precautions to protect Personal Information you submit via the App. If you have reason to believe that the use of the App is no longer secure (for example, if you feel that the security of your App account might have been compromised), please contact the mVT Customer Service & Support immediately. You may also elect to contact your HCP directly.

Separately, please also note that in the event of a notifiable data breach, it will be dealt with in accordance with the applicable data privacy / data breach laws and regulations of the relevant jurisdiction.

For How Long Does Roche Keep My Personal Information? Regarding the retention of the data relating to you, we would like to distinguish between different Processing activities. In the case of data related to your use of the App, Roche will keep your information for as long as you maintain a registered User account, until we obtain an instruction from your HCP to delete data relating to you, until we process a direct request by you to delete your information, or until your HCP ceases to provide the App, whichever is sooner. Please note: deleting the App from your device does not delete your account; however, you may delete your account via the App settings.

For our own purposes, and as a Data Controller, we may retain your Personal Information for a longer period of time if so required by applicable law (for example, if legally required, we will retain user support emails and associated information to ensure that we can perform legitimate business functions such as accounting for tax obligations, legal and compliance obligations or audits for security purposes). The retention period will depend on the applicable law and Roche policies, and you may contact Roche at any time for further details on such data retention. Please be informed that BI is subject to specific retention requirements, as BI is the Legal Manufacturer of the myVisionTrack® application.

Will Roche Transfer My Personal Information Across International Borders? Based on the instructions of your HCP, and subject to a Processing agreement between your HCP and Roche, your personal data may be transferred cross-border as permitted by applicable data protection laws. Where Roche is processing data as a Data Controller, it may also transfer your Personal Information as deemed necessary by Roche, in particular to Roche Affiliates or third party-service providers that are involved in the provision of myVisionTrack® services. Such transfers are based on intra-company agreements between the different Roche legal entities, or in the case of a third party through a data Processing agreement that includes a transfer mechanism as required by applicable law (e.g., the EU SCC and additional safeguards as required for the EU/EEA/UK). For United States Residents, myVisionTrack® is hosted within the United States. For Residents outside of the United States, myVisionTrack® is hosted within the European Union. Please note that further data transfers across borders may occur based on the instructions provided by your HCP as a Data Controller; in this case, your HCP will provide you with all the relevant information regarding the specific data transfer. The countries, in which data is processed, may impose different privacy obligations than your country of origin. In transferring your Personal Information, we will rely on available data privacy mechanisms and applicable privacy laws and regulations to ensure a high level of protection for your Personal Information.

What Rights Do I Have with Regards to My Personal Information? You may exercise your statutory data subject rights against the Data Controller, so either your HCP or Roche. If you are unsure about the entity that serves as the Data Controller for a specific Processing activity, please do not hesitate to reach out to your HCP, or to Roche. We will be here to assist you and to direct you accordingly. Roche enables you to access, control and delete your Personal Information. To the extent Roche acts as the relevant Data Controller, Roche will, as a baseline, always adhere to the data subject rights provided by the EU GDPR/ UK GDPR. In the event that applicable laws and regulations foresee stricter or structurally different data subject rights, Roche will honor such rights in all countries in which we as Roche actively market the myVisionTrack® services. This section explains the ways you may exercise these rights in accordance with applicable laws and regulations:

(i) All Users in the United States. The information below applies to all users of the App in the United States:

Profile Information. You can review certain account information that was provided by your HCP by logging in to your registered account and navigating to your account settings (“My Account”).

Deleting Your Account. If you would like to delete your myVisionTrack® account, please access the App Settings within the App, which will instruct you how to do this. You may also contact the HCP who enabled your access to the App. In some cases, we will be unable to delete your account, such as if there is an issue with your account related to trust, safety, or fraud. When we delete your account, we may retain certain information for legitimate business purposes, or to comply with legal or regulatory obligations. For example, we may be obligated to retain your information as part of an open legal claim. When we retain such information, we do so in ways designed to prevent its use for other purposes. As stated before, US users are also invited to consult the US Privacy Notice as a supplement to this Privacy Notice for further details: https://www.roche.com/us-privacy-policy/

(ii) European Union / Switzerland / UK Users

Provided the GDPR, the UK GDPR or the Swiss Data Protection Act covers your personal data, please note that you have the right to request from Roche access to and rectification of your personal data, as well as the right to data portability, if applicable, or erasure or restriction of processing of your personal data. Erasure or restriction of Processing is only possible if and to the extent the Processing of personal data is based on consent or legitimate interest. If data processing is based on consent, kindly note that you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To exercise your right to withdraw consent, to object to the processing of personal data, or to exercise any of your other rights as a data subject, please see the contact details below.

In the event you have the impression that our data Processing is non-compliant with GDPR, you are entitled to lodge a complaint with the responsible supervisory authority.

Can Roche Make Changes to this Notice? We may change this Notice from time to time. Such updates may reflect the continuous development of the App, but they may also be triggered by regulatory requirements or user feedback. When changes are made, we will make the revised Notice available to you via the App under the section Legal Documents in the Menu. Any time we make material and significant changes to the Notice, we will ask for re-consent. If you do not agree to the changes after receiving notice of such changes, you should stop using the App. To delete your myVisionTrack account when you do not re-consent, please contact the mVT Customer Service & Support.

Important Note about Children’s Privacy. The App is not intended to be, and may not be, accessed or used by anyone who has not reached the age of majority in their location. If you are a parent or guardian and you become aware that your child has provided us with Personal Information, please contact us so that appropriate measures may be taken.

Your Privacy Related Requests. You can access some of your Personal Information in the App settings at any time. For the Processing activities for which your HCP acts as the Data Controller, to file a concern, a complaint, a request for correction, or a request for deletion of your Personal Information, or to opt out of any particular programs, please contact the HCP that prescribed this App to you and follow their instructions.

In the event you contact Roche directly for any of the above, Roche will promptly notify your HCP and will assist the institution in executing your privacy related request. Please also make sure you are provided with the contact details of the person responsible for data protection / data privacy at your HCP.

Where Roche acts as a Data Controller for certain Processing activities, please reach out to us as described in the following Contact Us section.

Contact Us.

For general inquiries related to myVisionTrack, please contact the mVT Customer Service & Support. Contact details specific to your country can be found in the mVT App > Menu > Support.

If you would like to contact Roche regarding this Notice or if you would like to exercise any of the rights afforded to you by applicable law, please contact us as follows:

For United States Residents:

Please contact us by email uspriv@roche.com

For EU /EEA/Switzerland/ UK / All other Countries:

Please contact us by email global.privacy@roche.com

Please note that email communications are not always secure. Please do not include health information or other sensitive information in your email to us.