PRIVACY POLICY APPLICABLE TO WAITERS, MERCHANTS’ PERSONNEL AND USERS OF SUNDAY FOR STAFF
Last updated: 23 April 2026
Section 1 – Purpose of this Privacy Policy
This Privacy Policy explains how we collect, use, share, and protect your personal data when you use Sunday for Staff (“SFS”) and our related services (the “Services”), including our back-office platform. This Privacy Policy applies to you if you are a waiter, a member of staff, or any individual working in an Establishment or otherwise associated with a Merchant’s business (“you” or a “data subject”).
This Privacy Policy is intended to help you understand what personal data we collect, why we collect it, and what we do with it. Please take a moment to read it carefully.
This Privacy Policy does not apply to personal data collected by third parties through their own websites, applications, or services, even where you access those through links on our platform. We encourage you to review the privacy policies of any third-party services you interact with.
Capitalised terms used in this Privacy Policy have the meanings given to them in Section 16 (Definitions) below or where otherwise defined in the relevant clause.
Section 2 – About us and how to contact us
SFS and the Services are provided by companies in the sunday group. Where this Privacy Policy refers to “sunday”, “we”, “us”, or “our”, this means the relevant Group Company responsible for your personal data.
For the purposes of UK data protection law, the data controller is: Sunday App Limited, a company incorporated under the laws of England and Wales (company number 13305830), whose registered office is at 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT. Sunday App Limited is part of the wider sunday group, whose parent company is Sunday App, Inc. (a public benefit corporation incorporated in Delaware, USA).
If you have any questions about this Privacy Policy or wish to exercise your rights as a data subject, you can contact us at: dataprivacy@sundayapp.com.
Section 3 – What personal data we collect
We may collect and process the following categories of personal data, depending on how you interact with SFS and the Services:
| Category | Examples of data | |
| Identity data | First name; last name. | |
| Account creation data | Email address; password; phone number; date of birth ; country of residence; access rights. | |
| Account data | Email address; password; profile picture or avatar; contact preferences; performance data. | |
| Contact data | Email address; phone number. | |
| Performance data | Operational performance metrics derived from the Sunday platform, including guest satisfaction scores, spend per head, table turn times, digital payment adoption metrics, and platform usage indicators. | |
| Transaction data | Tip and gratuity amounts processed through the platform, payout details. | |
| Tronc and tip allocation data | Where the Merchant uses a tronc scheme administered by a third-party tronc administrator: individual tronc allocation amounts, aggregated pool totals, historical allocation summaries, and relevant tronc policy information. This data may be received from the tronc administrator and displayed within SFS for transparency purposes. | |
| Financial data | Bank account number; route transit number; address details. | |
| Technical data | IP address; browser type and operating system; geolocation; unique token assigned to a device; user interaction with Sunday for Staff (for debugging purposes). | |
Section 4 – How we collect and receive personal data
We collect and receive personal data using different methods:
| Source | Description |
| Directly from you | When you create an account on SFS, use the Services, or otherwise interact with our platform. |
| From the Merchant | Your employer or the Merchant at whose Establishment you work may provide us with your personal data (e.g. name, phone number, POS identifier) to enable your access to the Services. |
| From the Merchant’s systems | We may receive data from the Merchant’s point of sale (POS) system or other operational systems integrated with our platform. |
| From tronc administrators | Where the Merchant operates a tronc scheme, we may receive tronc allocation data from the Merchant’s appointed tronc administrator (e.g. WMT Troncmaster Services Limited) for display within SFS. The tronc administrator is a separate data controller and processes your personal data under its own privacy policy. |
| From technical service providers | Third parties that provide technical services to us to enable the operation of our website, SFS, and the Services. |
Section 5 – How we use your personal data
| Purpose / Activity | Lawful basis for processing including basis of legitimate interest |
| Providing the Services. Provide Merchants and staff with access to our platform and facilitate the operation of the Establishment (e.g. business performance, daily operations, reviews, billing, and accounting). | Legitimate interests: developing our business and providing an effective service to Merchants and their staff. |
| Account creation and management. Create and manage your SFS user account and provide you with a personalised experience. | Consent (where you voluntarily create an account) or legitimate interests (providing a good service). |
| Service communications. Send emails, WhatsApp and/or push notifications to servers and staff members regarding the Services, including updates and performance information. | Legitimate interests: keeping you informed about services that are relevant to your work. |
| Tip and tronc transparency. Process and display tip payout information. Where the Merchant uses a tronc scheme, display tronc allocation data received from the tronc administrator within SFS to provide you with visibility over your tronc entitlements. | Legitimate interests: promoting transparency and staff engagement regarding tip and tronc distributions. Contractual necessity where applicable (e.g. processing tip payouts). |
| Performance data sharing with tronc administrators. Where the Merchant has instructed us to do so in connection with a tronc scheme, share certain performance data (e.g. guest satisfaction scores, operational metrics) with the Merchant’s tronc administrator to enable the design of tronc allocation methodologies. | Legitimate interests: enabling fair and transparent tronc allocation aligned with the Merchant’s operational objectives. The tronc administrator determines the methodology independently. |
| Fraud prevention. Detect, prevent, and investigate fraudulent or unauthorised use of the Services. | Legitimate interests: protecting our business, our Merchants, and their staff from fraud. |
| support and assistance. Respond to your queries and provide customer support. | Legitimate interests: providing effective support. |
| Analytics and service improvement. Use data analytics to improve our platform, products, and services. | Legitimate interests: improving and developing our services. |
| Direct and product marketing. Send you marketing communications about our products and services. | Consent (for electronic marketing where required by the Privacy and Electronic Communications Regulations 2003) or legitimate interests (promoting our services). You can opt out of marketing at any time by using the unsubscribe link in our communications or by contacting us. |
| Legal and regulatory compliance. Comply with applicable laws, respond to lawful requests and legal process, and enforce our terms. | Legal obligation and legitimate interests (protecting our legal rights). |
Section 6 – If you fail to provide your personal data
Where we need to collect personal data to provide you with access to SFS or the Services, and you do not provide that data when requested, we may not be able to create your account or deliver the relevant Services to you. We will tell you at the point of collection whether the information is mandatory (usually indicated by an asterisk).
Section 7 – Consent
Where we rely on your consent to process your personal data, you may withdraw that consent at any time by contacting us at dataprivacy@sundayapp.com or by adjusting your preferences within SFS. Withdrawal of consent does not affect the lawfulness of processing carried out before you withdraw.
Section 8 – Who we share your personal data with
We may share your personal data with the following categories of recipients:
| Recipient category | Purpose and role |
| Sunday Group Companies | We may share your personal data with our parent company (Sunday App, Inc.) and other Group Companies for internal administration, service delivery, and operational purposes. |
| The Merchant / your employer | We share relevant operational and performance data with the Merchant at whose Establishment you work, to enable them to manage their business. |
| Third-party service providers | We use third-party providers to help us deliver the Services (e.g. hosting, analytics, customer support tools). These providers act as our data processors and process your data only on our instructions. |
| Payment service providers | We use third-party payment providers to process tip payouts. These providers may process your payment data in accordance with their own privacy policies. |
| Tronc administrators | Where the Merchant operates a tronc scheme, we may share certain performance data with the Merchant’s tronc administrator (e.g. WMT Troncmaster Services Limited) for use in designing tronc allocation methodologies. The tronc administrator acts as an independent data controller and is responsible for its own processing of your personal data. We recommend that you review the tronc administrator’s privacy policy, which should be made available to you by the tronc administrator or the Merchant. |
| Legal and regulatory bodies | We may disclose your personal data where required by law, regulation, or court order, or to protect our legal rights. |
Section 9 – International transfers
Sunday operates across the UK, the EU, and the USA. Your personal data may be transferred to, stored in, or accessed from countries outside the United Kingdom.
Where we transfer your personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK data protection law. These safeguards may include:
- transfers to countries that the UK Secretary of State has determined provide an adequate level of data protection;
- the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or
- other appropriate safeguards recognised under UK data protection law.
You may request further information about the safeguards we have put in place by contacting us at dataprivacy@sundayapp.com
Section 10 – How long we keep your personal data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting obligations. As a general guide:
- Account data: retained for the duration of your active use of SFS, and for up to 12 months following account deactivation or last activity, unless longer retention is required by law.
- Performance data: retained for the duration of the Merchant’s use of the Services, and deleted or anonymised within a reasonable period after the Merchant relationship ends.
- Tronc and tip allocation data: displayed within SFS for the duration of the integration with the tronc administrator, and removed promptly upon termination of the relevant integration.
- Transaction data: retained in accordance with applicable tax and accounting requirements (typically 6 years under HMRC guidance).
- Technical data: retained for up to 12 months for debugging and security purposes.
To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the risk of harm from unauthorised use or disclosure, and applicable legal requirements.
Section 11 – Security
We are committed to protecting your personal data. We have implemented appropriate technical and organisational measures designed to safeguard your data against unauthorised access, accidental loss, destruction, or damage.
These measures include:
- access controls and authentication mechanisms;
- encryption of data in transit and at rest;
- regular security testing and monitoring; and
- confidentiality obligations on our employees and contractors.
To the extent applicable, we maintain compliance with PCI DSS Level 1 requirements, the highest certification level. Our certification is confirmed annually by a qualified security assessor (QSA).
Section 12 – Automated Decision-Making
We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you.
Please note that where the Merchant uses a tronc scheme, the tronc administrator may use performance data provided by Sunday (alongside other inputs) to inform tronc allocation methodologies. Sunday does not control or determine these allocations. If you have questions about how tronc allocations are calculated, please contact the tronc administrator or the Merchant directly.
Section 13 – Your rights as a data subject
Under UK data protection law, you have the following rights in relation to your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete personal data.
- Erasure: request deletion of your personal data where there is no compelling reason for us to continue processing it.
- Restriction: request that we restrict processing of your personal data in certain circumstances (e.g. while we verify its accuracy).
- Data portability: request a copy of your personal data in a structured, commonly used, machine-readable format.
- Objection: object to our processing of your personal data where we rely on legitimate interests, including for direct marketing purposes.
- Withdraw consent: where we rely on your consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at dataprivacy@sundayapp.com. We will respond to your request within one month, or inform you if we need additional time (up to two further months for complex requests).
Right to lodge a complaint. If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
Section 14 – Third-Party Links
Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties and encourage you to read their privacy policies before providing any personal data to them.
Section 15 – Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities or applicable law. We will notify you of material changes by updating the date at the top of this page and, where appropriate, through a notification within SFS. We encourage you to review this Privacy Policy periodically.
Section 16 – Definitions
The following words and phrases have the following meanings in this Privacy Policy:
| Term | Meaning |
| Establishment | Any type of venue open to the public in which a Merchant provides food and/or beverage services (e.g. restaurant, bar, hotel, festival, food court, stadium, or similar) in which you work. |
| Group Company | Any company that is a subsidiary or holding company of Sunday App, Inc., or a subsidiary of any such holding company, from time to time. |
| Merchant | Any legal entity that uses sunday’s Services to manage its business, primarily within the hospitality sector. |
| Services | The digital payment, ordering, staff engagement, and business management services provided by sunday, including the operation of SFS and our back-office platform. |
| SFS or Sunday for Staff | The mobile application developed by sunday to serve as the primary digital interface for hospitality employees, including (where applicable) the display of tronc allocation data. |
| Sunday Data | Performance data derived from the Sunday platform, including guest satisfaction metrics, operational performance indicators, and platform usage data. |
| UK GDPR | The UK General Data Protection Regulation, being the retained EU law version of Regulation (EU) 2016/679, as supplemented by the Data Protection Act 2018. |