Last updated: March 2024

If you are a merchant using sunday to better manage your business (a “Sunday Merchant” or a “Merchant”) or if you are a waiter or an individual working in an Establishment or associated with a Merchant’s business, we may collect and use your personal information in connection with the provision of our services (the “Services”), including the operation of our back-office platform and our proprietary application Sunday for Staff (“Sunday for Staff”).

We will update this Privacy Policy from time to time to reflect any changes or proposed changes to our use of your personal data, or to comply with changes in applicable law or regulatory requirements. We encourage you, as a waiter or an individual working in an Establishment or associated with a Merchant’s business (“you” or a “data subject”), to review this Privacy Policy periodically to keep up to date on how we use your personal data. If we update this Privacy Policy, we will update the effective date at the top of the page.

Certain words and phrases in this Privacy Policy have specific definitions when they start with capital letters. Where a defined term is used, it either has the meaning set out in section 15 below (Definitions) or the meaning given to it in the relevant clause of this Privacy Policy.

Section 1 – Purpose of this Privacy Policy

This Privacy Policy explains our approach to any personal data that we might collect on you or which we have obtained from a third party, and the purposes for which we process such personal data. This Privacy Policy also sets out your rights in respect of our processing of your personal data.

When we talk about “personal data”, we mean any information which relates to an identified or identifiable living individual. Individuals might be identified by reference to a name, an identification number, location data, an online identifier (such as an IP address) or to other factors that are specific to them, such as their physical appearance.

This Privacy Policy is intended to assist you in making informed decisions when using Sunday for Staff and the Services. Please take a moment to read and understand it.

This Privacy Policy only applies to the use of your personal data obtained by us, whether from data subjects directly or from a third party. It does not apply to personal data collected by third parties during communications with data subjects or during data subjects’ use of their products or services (for example, where they follow links to third party websites over which we have no control, or they purchase goods or services from those third parties).

Section 2 – About us and how to contact us

Sunday for Staff and the Services are made available by various companies in the sunday group of companies (each a “Group Company“). Where this Privacy Policy refers to “sunday”, ” we”, ” us”, “our”, this means one or more of the particular Group Companies that provide the particular product or service to you as a data subject.

Sunday App, Inc PBC is the controller of your personal data. If you have any questions about this Privacy Policy or want to exercise your rights as a data subject set out in this Privacy Policy, you can contact us at

Section 3 – What personal data we collect 

We may collect and process different types of personal data about data subjects for different processing purposes. The types of personal data we collect depends on how you use our back-office platform, Sunday for Staff and the Services and includes the following:

Identity data  First name; last name.
Account creation data  Email address; password; phone number; access rights. 
Account data  Email address; password; profile picture or avatar; contact preferences; performance data. 
Contact data  Email address; phone number.
Transaction data  Payouts of tips. 
Technical data  IP address; browser type and operating system; geolocation; unique token assigned to a device; user interaction with Sunday for Staff (for debugging purposes). 

Section 4 – How we collect and receive personal data 

We collect and receive personal data using different methods:

Personal data data subjects provide to us  You may give us your personal data directly, for example, when you use Sunday for Staff or the Services.
Personal data received from third parties  We may receive personal data about you from third parties. Such third parties may include the Merchant’s point of sale (POS) and third parties that provide technical services to us so that we can provide our website, Sunday for Staff and the Services.

Section 5 – How we use your personal data

Purpose / Activity  Lawful basis for processing including basis of legitimate interest
Provide Merchant and data subjects with the use of our platform and other related services and facilitate the operation of the Establishment (e.g business performance, daily operation, reviews, billing and accounting)  Necessary for our legitimate interests to develop our business and in providing a good service
Facilitate the creation of a user account and provide you a personalised experience through it  Consent or Necessary for our legitimate interests to develop our business and in providing a good service
Provide staff performance insights (e.g. reviews, financial performance) Necessary for our legitimate interests to develop our business and in providing a good service
Provide sunday KPIs emails to Establishments Necessary for our legitimate interests to develop our business and in providing a good service
Tip payout to waiters and staff through payout/payment partners  Contractual Necessity and Necessary for our legitimate interests to develop our business and in providing a good service
Prevent fraudulent use of our Services  Necessary for our legitimate interests to detect or prevent fraudulent activities. 
Provide support and assistance  Necessary for our legitimate interests to develop our business and in providing a good service
sunday CRM Necessary for our legitimate interests to develop our business and in providing a good service
Use data analytics to improve our website, products/services Legitimate Interest. We have a legitimate interest in improving our website and providing a good service
Direct/product marketing Consent or Legitimate Interests. We have a legitimate interest in promoting our operations and goals as an organisation, including by sending direct marketing

We may use your personal data to comply with applicable laws, lawful requests, and legal process ; audit our internal processes for compliance with legal and contractual requirements or our internal policies; and prevent, identify, investigate and deter fraudulent, harmful, unauthorised, unethical or illegal activity, including cyberattacks and identity theft.  

Section 6 – Your customers’ information

As part of providing our Services, we collect and use personal information about your customers. In general, we collect and use this personal information as directed by you, and as further described in our Data Processing Addendum. Legally speaking, we are a “data processor” and a “service provider” as these terms are used in certain applicable privacy laws, including in Europe, the UK, and the US.

Because you decide how the personal information of your customers will be used, you need to make sure your customers understand how you (and how we on your behalf) collect and process their personal information. You should do this by, at a minimum, posting a privacy policy on your store that describes the information you collect, how you use it, and who you share it with.

Section 7 – If you fail to provide your personal data 

If you fail to provide personal data when we request it, we may not be able to provide you the products and services you have requested from us or to process an application to register an account. Please note that the information that we need from you is usually identified by asterisks.

Section 8 – How we obtain your consent

Where our use of your personal data requires consent, you can provide such consent at the time we collect your personal data following the instructions provided, or by informing us using the contact details set out in the “How to Contact Us” section above.

Section 9 – Third-party links

This Privacy Policy only applies to personal data processed by us through your use of the Services and/or in connection with our business operations. However, from time to time, our website or application may contain links to third-party websites and services. We have no control over these websites and services and this Privacy Policy does not apply to your interaction with the relevant third parties.

When you use a link to go to another website or you request a service from a third party, your browsing and interactions on any other websites, or your dealings with any other third-party service provider, is subject to that website’s or third-party service provider’s own rules and policies. We do not monitor, control or endorse the privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third-party service provider that you use in connection with your interaction with us and to contact them if you have any questions about their respective privacy notices and practices.

Section 10 – Sharing personal data 

When processing your personal data, we may need to share it with third parties (including other entities within our group of companies), as set out in the table below. This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties.

Third-party Service Providers  We may share your personal data with third party service providers to: provide you with the Services or to provide technical support.
Payment Service Providers We use third party payment service providers to process payments. These payment service providers may use your payment data in accordance with their privacy policies.
sunday Group Companies We may share some or all of your personal data with our parent company or other Group Companies. 

Transfers outside the European Economic Area (“EEA”) We are located in the EU, UK and USA and maintain servers globally to ensure the resilience of our services. Therefore, when you submit personal data to us, you acknowledge that your personal data will be transferred outside the EEA where it will be stored and processed by us and our suppliers for the purposes set out in this Privacy Policy.

Non-EEA countries do not have the same data protection laws as the EEA and the UK. However, when transferring your personal data outside the UK or the EEA, we will comply with our legal and regulatory obligations in relation to your personal data, including having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will take reasonable steps to ensure the security of your personal data in accordance with applicable data protection laws.

Section 11 – How long we keep your personal data  

We retain personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for compliance purposes.   

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.  

Section 12 – Confidentiality and security of your personal data 

We are committed to keeping the personal data you provide to us secure and we have implemented information security policies, rules and technical measures to protect the personal data under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss. In addition, all our employees and data processors (i.e. those who process your personal data on our behalf) are obliged to respect the confidentiality of the personal data of all users of our website and those who purchase our products and services.

PCI Compliance. To the extent applicable to the Services, we are responsible for providing the Services in a manner that is consistent with the highest certification level (PCI Level 1) provided by the PCI-DSS requirements. sunday’s certification is confirmed annually by a qualified security assessor (QSA).

Section 13 – Automated Decision-Making  

As part of the Services, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects. 

Section 14 – Your rights as a data subject

The GDPR gives you certain rights regarding your personal data. If you are located in Europe, the UK, or Switzerland you may ask us to take the following actions in relation to your personal data that we hold:

  • Access. Provide you with information about our processing of your personal data and give you access to your personal data.
  • Correct. Update or correct inaccuracies in your personal data.
  • Delete. Delete your personal data where there is no good reason for us continuing to process it – you also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Transfer. Transfer a machine-readable copy of your personal data to you or a third party of your choice.
  • Restrict. Restrict the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
  • Object. Object to our processing of your personal data where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal data for direct marketing purposes.
  • Withdraw Consent. When we use your personal data based on your consent, you have the right to withdraw that consent at any time.

Exercising These Rights. You may submit these requests by email to We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfil any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.  

Section 15 – Definitions

The following words and phrases have the following meanings in this Privacy Policy:

Establishment any type of venue open to the public in which a Merchant provides to customers food and/or beverage services (e.g. bar, festival, restaurant, food court, stadium, and similar) in which you work.