Eye Photo Logo

Eye.photo Privacy Policy

Your privacy is important to us. It is Eyepic S.L.'s policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including via our service, Eye.photo, and its associated services.

Personal information is any information about you which can be used to identify you. This includes information about you as a person (such as name, address, and date of birth), your devices, payment details, and even information about how you use a website or online service.

In the event our service contains links to third-party sites and services, please be aware that those sites and services have their own privacy policies. After following a link to any third-party content, you should read their posted privacy policy information about how they collect and use personal information. This Privacy Policy does not apply to any of your activities after you leave our service.

This policy is effective as of 1 February 2025.

Last updated: 14 January 2026

Information We Collect

Information we collect falls into one of two categories: "voluntarily provided" information and "automatically collected" information.

"Voluntarily provided" information refers to any information you knowingly and actively provide us when using our service and its associated services.

"Automatically collected" information refers to any information automatically sent by your device in the course of accessing our service and its associated services.

Log Data

When you access our servers via our website or API, we may automatically log the standard data provided by your device. It may include your device's Internet Protocol (IP) address, your device type and version, your activity within the service, time and date, and other details about your usage.

Additionally, when you encounter certain errors while using the service, we automatically collect data about the error and the circumstances surrounding its occurrence. This data may include technical details about your device, what you were trying to do when the error happened, and other technical information relating to the problem. You may or may not receive notice of such errors, even in the moment they occur, that they have occurred, or what the nature of the error is.

Please be aware that while this information may not be personally identifying by itself, it may be possible to combine it with other data to personally identify individual persons.

Country and Language Inference

We automatically infer an approximate country and language for your visit using request data: your IP address (looked up in a local geolocation database on our servers; we do not send your IP to third parties for this purpose) and standard information sent by your browser or network (such as language and region preferences or geo headers from your connection). We use this only to improve our system UX—for example, to set the language and regional settings for your visit and for location-dependent content. We do not send this inferred data to other systems or third parties.

Device Data

Our service may access and collect data via your device's in-built tools, such as:

  • Your identity
  • Location data
  • Browser data
  • Storage, photos and/or media
  • Notifications
  • Mobile data

When you use our service or use your device's tools within the service, we request permission to access this information. The specific data we collect can depend on the individual settings of your device and the permissions you grant when you use the service.

Personal Information

We may ask for personal information — for example, when you submit content to us or when you contact us — which may include one or more of the following:

  • Name
  • Email
  • Phone number

Business Information

We may collect business information from you, which may include:

  • Company name
  • Company email address
  • Company address
  • Tax ID
  • Phone numbers

User-Generated Content

We consider "user-generated content" to be materials (text, image and/or video content) voluntarily supplied to us by our users for the purpose of publication on our platform, website or re-publishing on our social media channels. All user-generated content is associated with the account or email address used to submit the materials.

Please be aware that any content you submit for the purpose of publication will be public after posting (and subsequent review or vetting process). Once published, it may be accessible to third parties not covered under this privacy policy.

API Usage Data

When you access our services through our Application Programming Interface (API), we collect additional information to provide, secure, and improve our API services:

  • API Keys: We generate and store unique API keys associated with your account for authentication and access control.
  • Request Data: We log API requests including timestamps, request parameters, response data, and processing results.
  • Usage Patterns: We monitor API usage patterns, frequency, and volume for billing, security, and service optimization purposes.
  • Technical Information: We collect IP addresses, user agents, and other technical details from API requests.
  • Error Logs: We log API errors and failures to improve service reliability and provide technical support.

This API usage data is collected for the following purposes:

  • Service delivery and API functionality
  • Billing calculations and account management
  • Security monitoring and fraud prevention
  • Performance optimization and troubleshooting
  • Analytics and service improvement
  • Compliance with legal and regulatory requirements

API usage logs may be retained for as long as necessary for business, legal, security, or regulatory purposes. Photos processed through the API are subject to the same processing and retention policies described in the "How We Process Your Photos" section.

How We Process Your Photos

In order to provide the Service, photos and related data uploaded to Eye.photo are transmitted to and processed on our servers and approved service provider infrastructure, including Google Cloud.

When you upload photos or related personal data for your own account, billing, support, or direct interaction with us, we may process that personal data as a data controller for the purposes described in this Privacy Policy.

When a business customer or other user uploads photos or related personal data about third parties to use our services, we generally process that data as a data processor on behalf of that customer, who remains responsible for determining the purposes and legal basis of the processing. In those cases, our processing of that data is governed by our Data Processing Agreement with the customer.

We process uploaded photos and related data to provide the services requested by the customer, including storage, organization, enhancement, rendering, export, delivery, support, security, troubleshooting, and service maintenance.

We do not use personal data that we process on behalf of customers by default to train, test, develop, or improve our artificial intelligence or machine learning models, or for medical research, medical diagnostics, or development of medical diagnostic tools, unless we have entered into a separate explicit written agreement permitting such use and the customer has an appropriate legal basis where required.

We retain uploaded photos and related outputs for as long as necessary to provide the Service and in accordance with the applicable customer account settings, contractual terms, deletion actions taken by users, our retention schedules, and legal obligations.

Where we process personal data on behalf of customers, deletion and return of that data are governed by the applicable Data Processing Agreement and service terms.

You may delete photos through the Service where that functionality is available, or request assistance by contacting privacy@eyepic.app.

Exclusion of Google User Data

Photos, images, or data obtained via Google APIs are never used for medical research, medical diagnostics, artificial intelligence training, or research and development purposes.

Any research, AI training, or medical development activities are performed only on non-Google data and only in anonymized and aggregated form.

Regardless of what is stated in other parts of this Privacy Policy:

  • We do not use photos or videos to identify any individual user.
  • We do not use photos or videos for user authentication purposes.
  • We do not share, transfer, sell, or provide photos or videos to data analysis providers, data brokers, data reselling companies, or similar organizations.

Zazzle Integration

When platform users enable our Zazzle integration, they can send their customers emails with links to Zazzle product pages where the customer's eye photo is shown on merchandise (e.g. prints, mugs). To enable product preview and ordering on Zazzle, we make the relevant photo available to Zazzle by providing a URL that Zazzle's servers fetch to display the image on product previews. We only provide this integration capability; we do not sell, ship, or fulfill any products. All sales, payments, shipping, and fulfillment for orders placed on Zazzle are handled by Zazzle and are subject to Zazzle's privacy policy and terms of service.

Google User Data (OAuth & Gmail API)

Google API Data Supremacy Clause

Notwithstanding anything else stated in this Privacy Policy, any data obtained from Google APIs (including Google Sign-In data and Gmail API data) ("Google user data") is used strictly and exclusively to provide the user-requested features within Eye.photo.

Google user data is never used for advertising, marketing, profiling, analytics, market research, data enrichment, artificial intelligence training, medical research, or any purpose unrelated to the explicit functionality enabled by the user.

Google user data is not combined with data from other sources and is not shared with advertising platforms, data brokers, analytics providers, or marketing tools.

For clarity, any "improvement" involving Google user data refers only to improving the specific user-facing Google-connected features the user enabled (e.g., sending email via Gmail), and not to general analytics, marketing, or model training.

Google User Data We Collect

When you connect your Google account to Eye.photo, we collect and process Google user data only to the extent necessary to provide the features you explicitly enable.

Depending on the permissions you grant, this may include:

  • Your Google account email address
  • Basic Google profile information (such as name and profile photo)
  • Gmail data, including email metadata (sender, recipient, subject, timestamps) and email content (message body and attachments), only when you explicitly authorize Gmail access

We do not collect any Google user data beyond the scopes you consent to during Google OAuth authorization.

How We Use Google User Data

We use Google user data strictly to provide the functionality you request, including:

  • Authenticating your account using Google Sign-In
  • Allowing you to send emails through your Gmail account from within Eye.photo
  • Displaying, composing, or managing email messages you choose to access
  • Providing technical support related to Google-connected features
  • Ensuring security, fraud prevention, and service reliability

We do not use Google user data for advertising, marketing, profiling, or analytics purposes.

Sharing, Transfer, and Disclosure of Google User Data

We do not sell, rent, or share Google user data with third parties.

Google user data is only disclosed in the following limited circumstances:

  • To Google APIs as required to provide the authorized functionality
  • To trusted service providers acting as data processors (such as secure cloud infrastructure providers) strictly for operating and maintaining the service, under contractual confidentiality and data protection obligations
  • When required to comply with applicable law, regulation, or legal process

Google user data is never shared with data brokers, advertisers, or reselling entities.

Data Protection and Security

We implement appropriate technical and organizational measures to protect Google user data, including:

  • Encryption in transit using HTTPS/TLS
  • Encryption at rest where data is stored
  • Strict access controls and role-based permissions
  • Ongoing security monitoring and logging

Access to Google user data is restricted to authorized personnel and is limited solely to what is necessary to provide the requested service.

Human Access to Gmail Data: We do not allow humans to read Gmail content except (a) with your explicit request/affirmative consent for a specific support case, (b) when necessary for security/fraud prevention, or (c) to comply with applicable law.

Retention and Deletion of Google User Data

Google user data is retained only for as long as necessary to provide the enabled features.

  • Gmail data is processed in real time and is not stored unless required for the specific functionality you initiate
  • OAuth access tokens are stored securely and can be revoked at any time
  • You may disconnect your Google account at any time, which immediately stops access to Google user data

Upon disconnection or account deletion, any stored Google user data is deleted within a reasonable period unless retention is required by law.

You may also request deletion of Google user data by contacting privacy@eyepic.app.

Google API Services Limited Use Compliance

Eye.photo's use of information received from Google APIs fully complies with the Google API Services User Data Policy and the Limited Use requirements.

Google user data is accessed only when necessary to provide user-initiated features and is processed in real time or retained only for the minimum period required to deliver those features.

Google user data is processed separately from customer-uploaded eye-photo processing workflows and is not used to train or improve general-purpose models.

Business Uploads and Third-Party Data

Our service allows users, including businesses, to upload and store photos and related personal data concerning their customers, clients, employees, contractors, or other individuals.

Where users upload such data to our service for processing through Eye.photo:

  • the user uploading the data is generally the data controller for that data;
  • Eyepic S.L. generally acts as the data processor for that data;
  • our processing is carried out in accordance with the applicable service agreement and Data Processing Agreement.

Users are responsible for:

  • obtaining any necessary permissions, consents, or other legal basis for collecting and uploading the data;
  • providing notices required by applicable law;
  • responding to requests from individuals regarding their personal data.

If you are an individual whose data was uploaded to Eye.photo by one of our users, you should usually contact that user directly first. If you believe your data has been uploaded unlawfully or without proper authorization, contact us at privacy@eyepic.app.

We do not independently use customer-uploaded personal data for marketing. We will not use such data for AI or model training, medical research, or product development unless separately and explicitly agreed in writing.

Legitimate Reasons for Processing Your Personal Information

We only collect and use your personal information when we have a legitimate reason for doing so. In which instance, we only collect personal information that is reasonably necessary to provide our services to you.

Collection and Use of Information

We may collect personal information from you when you do any of the following on our website:

  • Register for an account
  • Sign up to receive updates from us via email or social media channels
  • Use a mobile device or web browser to access our content
  • Contact us via email, social media, or on any similar technologies
  • When you mention us on social media

We may collect, hold, use, and disclose personal information for the following purposes:

  • to provide and operate our core services and features
  • to authenticate users and manage accounts
  • to deliver products and services requested by you
  • to communicate with you regarding service-related matters
  • to maintain security, prevent fraud, and ensure service reliability
  • to comply with legal and regulatory obligations

Google user data is excluded from all advertising, marketing, profiling, analytics, and market research activities.

We do not combine Google user data with data obtained from other sources. Google user data is processed in isolation and solely for providing the functionality explicitly requested by the user.

Security of Your Personal Information

When we collect and process personal information, and while we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use, or modification.

Although we will do our best to protect the personal information you provide to us, we advise that no method of electronic transmission or storage is 100% secure, and no one can guarantee absolute data security.

You are responsible for selecting any password and its overall security strength, ensuring the security of your own information within the bounds of our services. For example, ensuring any passwords associated with accessing your personal information and accounts are secure and confidential.

How Long We Keep Your Personal Information

We keep your personal information only for as long as we need to. This time period may depend on what we are using your information for, in accordance with this privacy policy. For example, if you have provided us with personal information as part of creating an account with us, we may retain this information for the duration your account exists on our system. If your personal information is no longer required for this purpose, we will delete it or make it anonymous by removing all details that identify you.

However, if necessary, we may retain your personal information for our compliance with a legal, accounting, or reporting obligation or for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes.

Children's Privacy

We do not aim any of our products or services directly at children under the age of 13, and we do not knowingly collect personal information about children under 13.

Disclosure of Personal Information to Third Parties

Google User Data Sharing Limitation

Google user data is never shared with analytics providers, advertising platforms, marketing services, customer tracking tools, or data brokers.

The third-party services listed below do not receive Google user data, except where strictly required to operate core infrastructure (e.g., secure cloud storage) and only under data-processing agreements.

We may disclose personal information to:

  • a parent, subsidiary, or affiliate of our company
  • third-party service providers for the purpose of enabling them to provide their services, including (without limitation) hosting, storage, infrastructure, communications, customer support, security, analytics for our own business operations, error logging, maintenance, payment processing, and professional advisory services
  • our employees, contractors, and/or related entities
  • our existing or potential agents or business partners
  • credit reporting agencies, courts, tribunals, and regulatory authorities, in the event you fail to pay for goods or services we have provided to you
  • courts, tribunals, regulatory authorities, and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise, or defend our legal rights
  • third parties, including agents or sub-contractors, who assist us in providing information, products, and services (excluding any use of Google user data obtained via Google APIs)
  • an entity that buys, or to which we transfer all or substantially all of our assets and business

Third parties we currently use include:

  • Google Analytics
  • Mixpanel
  • Appsflyer
  • MailChimp
  • Hotjar
  • Mailjet
  • Google Ads
  • Stripe
  • Sentry
  • Google Cloud
  • HubSpot
  • LinkedIn (LinkedIn Insight Tag for advertising and campaign analytics; we may also send server-side conversion events to LinkedIn when you submit the contact form or create an account, using a hashed version of your email and optional name/company for matching, in line with LinkedIn's advertiser terms)
  • Modal.com
  • Zazzle (when the Zazzle integration is used: we provide a URL so Zazzle can display the customer's photo on product previews; Zazzle handles all sales, shipping, and fulfillment)

None of the third parties listed above receive Google user data obtained via Google APIs (including Gmail data), except Google itself as required to provide the authorized functionality and core infrastructure providers strictly for hosting/security under data-processing agreements.

International Transfers of Personal Information

The personal information we collect is stored and/or processed in Spain, or where we or our partners, affiliates, and third-party providers maintain facilities.

The countries to which we store, process, or transfer your personal information may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred personal information in accordance with this privacy policy.

Your Rights and Controlling Your Personal Information

Your choice: By providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this privacy policy. You do not have to provide personal information to us, however, if you do not, it may affect your use of our service or the products and/or services offered on or through it.

Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person's consent to provide the personal information to us.

Marketing permission: If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below. This marketing communication preference does not involve Google user data obtained via Google APIs, which is never used for marketing.

Access: You may request details of the personal information that we hold about you.

Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading, or out of date.

Non-discrimination: We will not discriminate against you for exercising any of your rights over your personal information. Unless your personal information is required to provide you with a particular service or offer (for example serving particular content to your device), we will not deny you goods or services and/or charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, or provide you with a different level or quality of goods or services.

Notification of data breaches: We will comply with laws applicable to us in respect of any data breach.

Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.

Unsubscribe: To unsubscribe from our email database or opt-out of communications (including marketing communications), please contact us using the details provided in this privacy policy, or opt-out using the opt-out facilities provided in the communication. We may need to request specific information from you to help us confirm your identity.

Use of Cookies

Our privacy policy covers the use of cookies between your device and our servers. A cookie is a small piece of data that a website may store on your device, typically containing a unique identifier that allows the website servers to recognize your device when you use the website; information about your account, session and/or device; additional data that serves the purpose of the cookie, and any self-maintenance information about the cookie itself.

We use cookies to give your device access to core features of our website, to track website usage and performance, and to tailor your experience based on your preferences.

We do not use Google user data obtained via Google APIs for advertising, marketing, or ad targeting.

Any communication of cookie data between your device and our servers occurs within a secure environment.

Please refer to our Cookie Policy for more information.

Business Transfers

If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this policy, which they will be required to assume as it is the basis for any ownership or use rights we have over such information.

Limits of Our Policy

Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.

Changes to This Policy

At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this privacy policy, we will post the changes here and on our website.

If the changes are significant, or if required by applicable law, we will contact you (based on your selected preferences for communications from us) and all our registered users with the new details and links to the updated or changed policy.

If required by law, we will get your permission or give you the opportunity to opt in to or opt out of, as applicable, any new uses of your personal information.

Additional Disclosures for Australian Privacy Act Compliance (AU)

International Transfers of Personal Information

Where the disclosure of your personal information is solely subject to Australian privacy laws, you acknowledge that some third parties may not be regulated by the Privacy Act and the Australian Privacy Principles in the Privacy Act. You acknowledge that if any such third party engages in any act or practice that contravenes the Australian Privacy Principles, it would not be accountable under the Privacy Act, and you will not be able to seek redress under the Privacy Act.

Additional Disclosures for General Data Protection Regulation (GDPR) Compliance (EU)

Data Controller / Data Processor

The GDPR distinguishes between organizations that determine the purposes and means of processing personal data ("data controllers") and organizations that process personal data on behalf of controllers ("data processors").

Eyepic S.L. acts as a data controller for personal data relating to:

  • account registration and administration;
  • billing and payment administration;
  • support communications;
  • website and service security;
  • fraud prevention;
  • legal compliance;
  • our own marketing and analytics activities as described in this Privacy Policy.

Eyepic S.L. acts as a data processor where our customers upload or submit personal data to Eye.photo for processing on their behalf in connection with the services we provide to them. In those cases, the customer is the data controller and our processing is governed by the applicable customer contract and Data Processing Agreement.

Legal Bases for Processing Your Personal Information

We will only collect and use your personal information when we have a legal right to do so. In which case, we will collect and use your personal information lawfully, fairly, and in a transparent manner. If we seek your consent to process your personal information, and you are under 16 years of age, we will seek your parent or legal guardian's consent to process your personal information for that specific purpose.

Our lawful bases depend on the services you use and how you use them. This means we only collect and use your information on the following grounds:

Consent From You

Where you give us consent to collect and use your personal information for a specific purpose. You may withdraw your consent at any time using the facilities we provide; however this will not affect any use of your information that has already taken place. You may consent to providing your email address for the purpose of receiving marketing emails from us. While you may unsubscribe at any time, we cannot recall any email we have already sent. If you have any further enquiries about how to withdraw your consent, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

Performance of a Contract or Transaction

Where you have entered into a contract or transaction with us, or in order to take preparatory steps prior to our entering into a contract or transaction with you. For example, we need technical information about your device in order to provide the essential features of our service.

Our Legitimate Interests

Where permitted by law, we may process personal information on the basis of our legitimate interests, including to operate, secure, troubleshoot, improve, and administer our website and services; prevent fraud and abuse; provide customer support; manage billing and contractual relationships; enforce legal rights; and maintain internal records. Where we rely on legitimate interests, we do so only where those interests are not overridden by the rights and freedoms of the relevant individual.

For clarity, this legitimate interests basis does not apply to customer-uploaded personal data that we process as a processor on behalf of our customers, except to the extent strictly necessary for security, troubleshooting, legal compliance, and operation of the service environment consistent with our processor role.

Compliance with Law

In some cases, we may have a legal obligation to use or keep your personal information. Such cases may include (but are not limited to) court orders, criminal investigations, government requests, and regulatory obligations. If you have any further enquiries about how we retain personal information in order to comply with the law, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

International Transfers Outside of the European Economic Area (EEA)

We will ensure that any transfer of personal information from countries in the European Economic Area (EEA) to countries outside the EEA will be protected by appropriate safeguards, for example by using standard data protection clauses approved by the European Commission, or the use of binding corporate rules or other legally accepted means.

Your Rights and Controlling Your Personal Information

Restrict: You have the right to request that we restrict the processing of your personal information if (i) you are concerned about the accuracy of your personal information; (ii) you believe your personal information has been unlawfully processed; (iii) you need us to maintain the personal information solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.

Objecting to processing: You have the right to object to processing of your personal information that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which overrides your interests, rights, and freedoms, in order to proceed with the processing of your personal information.

Data portability: You may have the right to request a copy of the personal information we hold about you. Where possible, we will provide this information in CSV format or other easily readable machine format. You may also have the right to request that we transfer this personal information to a third party.

Deletion: You may have a right to request that we delete the personal information we hold about you at any time, and we will take reasonable steps to delete your personal information from our current records. If you ask us to delete your personal information, we will let you know how the deletion affects your use of our website or products and services. There may be exceptions to this right for specific legal reasons which, if applicable, we will set out for you in response to your request. If you terminate or delete your account, we will delete or anonymize your personal information within 60 days, unless a longer retention period is required by law or by our backup and security retention practices. Where we process personal data on behalf of customers, deletion and return of that data are governed by the applicable Data Processing Agreement and service terms. Please be aware that search engines and similar third parties may still retain copies of your personal information that has been made public at least once, like certain profile information and public comments, even after you have deleted the information from our services or deactivated your account.

Additional Disclosures for California Compliance (US)

Under California Civil Code Section 1798.83, if you live in California and your business relationship with us is mainly for personal, family, or household purposes, you may ask us about the information we release to other organizations for their marketing purposes.

To make such a request, please contact us using the details provided in this privacy policy with "Request for California privacy information" in the subject line. You may make this type of request once every calendar year. We will email you a list of categories of personal information we revealed to other organisations for their marketing purposes in the last calendar year, along with their names and addresses. Not all personal information shared in this way is covered by Section 1798.83 of the California Civil Code.

Do Not Track

Some browsers have a "Do Not Track" feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser "Do Not Track" signals.

We adhere to the standards outlined in this privacy policy, ensuring we collect and process personal information lawfully, fairly, transparently, and with legitimate, legal reasons for doing so.

Cookies and Pixels

At all times, you may decline cookies from our site if your browser permits. Most browsers allow you to activate settings on your browser to refuse the setting of all or some cookies. Accordingly, your ability to limit cookies is based only on your browser's capabilities. Please refer to the Cookies section of this privacy policy for more information.

CCPA-permitted financial incentives

In accordance with your right to non-discrimination, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels for the goods or services we provide.