Last updated: January 2024
When we talk about “personal data”, we mean any information which relates to an identified or identifiable living individual. Individuals might be identified by reference to a name, an identification number, location data, an online identifier (such as an IP address) or to other factors that are specific to them, such as their physical appearance.
Section 2 – About Us
Section 3 – How to contact us
Section 4 – What personal data we collect
We may collect and process different types of personal data about you for different processing purposes. The types of personal data we collect depends on how you use our website, the Sunday App and the Sunday Solution and includes the following:
|First name; last name; nickname.
|Account creation data
|Email address; password; phone number.
|Account username; password; profile picture or avatar; purchase/order details; food preferences (allergies and intolerances); whether you have participated in any promotions or competitions. When you’ve subscribed to a loyalty program linked to sunday, your loyalty identifier (namely, your phone number or email address) along with details of the tokenized payment card are also linked to your account.
|Email address; phone number. We may also collect your company name; office address (for expense receipt purposes).
|We may collect details about payments made between you and us; details of your orders made through sunday. We may also collect additional (optional) information on your meal if you request an expense receipt, such as the number and name of guests or the business purpose of the meal.
|Tokenized payment card details.
|If you provide us feedback, leave a review or contact us via email or chatbot, we may collect your contact data, your transaction data and any other information necessary to respond to your query.
|IP address; browser type, phone and operating system; geolocation; unique token assigned to a device; user interaction with the Sunday App (for debugging purposes); language settings.
Section 5 – How we collect and receive personal data
We collect and receive personal data using different methods:
|Personal data you provide to us
|You may give us your personal data directly, for example, when you use the Sunday App or the Sunday Solution, complete forms on our website, subscribe to receive marketing communications or provide feedback to us.
|Personal data we collect using cookies and other similar technologies
|Personal data received from third parties
|In certain cases, when you make an online reservation at an Establishment, sunday may collect your name and phone number from the Establishment to send you SMS messages in order to enhance your payment and checkout experience (“Text-to-Pay”).
We may receive personal data about you from other third parties. Such third parties may include analytics providers, third party directories and third parties that provide technical services to us so that we can provide our website and the Sunday Solution.
Section 6 – How we use your personal data
|Purpose / Activity
|Type of personal data
|Lawful basis for processing including basis of legitimate interest
|Provide and maintain the Sunday Solution, including debugging to identify and repair errors.
|Contractual Necessity (performance of the user agreement between you and sunday)
|Process transactions and fulfil orders (e.g. making sure you get your order).
|Identity data; contact data; transaction data
|Contractual Necessity (performance of the user agreement between you and sunday). Legitimate Interests. If Contractual Necessity is not applicable, we have a legitimate interest in providing a good service
|Send you transactional or relationship messages, such as notifications regarding order’s lifecycle, receipts, expense reports and other customer service messages. Your receipt is automatically sent to you over email if you’re paying with ApplePay or GooglePay using our Pay at Table product.
|Identity data; contact data; transaction data ; communication data.
|Legitimate interest in providing relevant information about our services, including your orders from us
|Facilitate the creation of a user account and provide you a personalised experience through it.
|Identity data; contact data; financial data; transaction data
|Consent or Necessary for our legitimate interests to develop our business and improve the customer journey
|Send you a message with a payment link to improve your payment experience (‘Text-to-Pay’).
|Necessary for our legitimate interests to develop our business and improve the customer journey.
|Allow you to open a tab.
|Consent or Necessary for our legitimate interests to develop our business and improve your customer journey.
|Process payments through our PSP partners.
|Detection, investigation and prevention of fraudulent activities.
|Identity data; contact data; transaction data; payment data
|Necessary for our legitimate interests to detect or prevent fraudulent activities.
|Provide the ability for the customer to save their payment method in a secure vault for future use.
|Consent or necessary for our legitimate interest to improve your payment experience.
|Send you a review form; provide a platform to collect your feedback and respond to it.
|Contact data; Communication data
|Consent or necessary for our legitimate interests to collect and manage customer reviews.
|Allow you to subscribe to an Establishment’s loyalty program and to accumulate loyalty points every time you make a sunday payment
|Contact data; Account data; financial data
|Consent or necessary for our legitimate interests to develop our business and improve your experience.
|Allow you to subscribe to sunday’s loyalty program.
|Contact data; Account data
|Use data analytics to improve our website, products/services.
|Legitimate Interest. We have a legitimate interest in improving and developing new services, by exploring ways to further enhance our services and business.
|Monitor and analyse trends, usage, and activities in connection with the Sunday Solution.
|Transaction data; technical data.
|Necessary for our legitimate interest in improving our services and understanding your needs and expectations.
|Personalise your online experience based on your device settings.
|Necessary for our legitimate interest in improving your experience with our services.
We may use your personal data to comply with applicable laws, lawful requests, and legal process ; audit our internal processes for compliance with legal and contractual requirements or our internal policies; and prevent, identify, investigate and deter fraudulent, harmful, unauthorised, unethical or illegal activity, including cyberattacks and identity theft.
Section 7 – If you fail to provide your personal data
If you fail to provide personal data when we request it, we may not be able to provide you the products and services you have requested from us or to process an application to register an account. Please note that the information that we need from you is usually identified by asterisks.
Section 8 – How we obtain your consent
Where our use of your personal data requires consent, you can provide such consent at the time we collect your personal data following the instructions provided, or by informing us using the contact details set out in the “How to Contact Us” section above.
Section 9 – Third-party links
When you use a link to go from our website to another website (even if you don’t leave our website) or you request a service from a third party, your browsing and interactions on any other websites, or your dealings with any other third-party service provider, is subject to that website’s or third-party service provider’s own rules and policies. We do not monitor, control or endorse the privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third-party service provider that you use in connection with your interaction with us and to contact them if you have any questions about their respective privacy notices and practices.
Section 10 – Sharing personal data
When processing your personal data, we may need to share it with third parties (including other entities within our group of companies), as set out in the table below. This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties.
|We share some of your personal data, including transaction data and your email address, with the Establishment where you’ve received catering services using the Sunday Solution.
We only share pertinent information with them for specific reasons, including in order for you to receive the services that you’ve requested (for example we share your name with the Establishment to make sure you get your order when you use our Order & Pay product) and in case the Establishment needs to contact you regarding your experience. We also share your reviews with the relevant Establishment which may contain personal information.
sunday will only share the information specified above with the Establishment where you’ve received catering services using the Sunday Solution. Establishments cannot use our services to access information pertaining to other Establishments, except that Establishments with the same corporate ownership may elect to share such information with their corporate group.
Each Establishment is a separate business from sunday. While sunday encourages Establishments to comply with data protection requirements, sunday will not be responsible for their failure to comply with laws applicable to the use of Personal Data.
|Third-party Service Providers
|We may share your personal data with third party service providers to: provide you with the Solution; to provide technical support.
|Payment Service Providers
|We use third party payment service providers to process payments. These payment service providers may use your payment data in accordance with their privacy policies.
|When an Establishment uses a loyalty program partnered with Sunday, in which you have subscribed, we share your loyalty identifier (phone number or email address) with our loyalty partner, along with the amount of your payment (to allow you to accumulate loyalty points).
|sunday Group Companies
|We may share some or all of your personal data with our parent company or other Group Companies.
Non-EEA countries do not have the same data protection laws as the EEA and the UK. However, when transferring your personal data outside the UK or the EEA, we will comply with our legal and regulatory obligations in relation to your personal data, including having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will take reasonable steps to ensure the security of your personal data in accordance with applicable data protection laws.
Section 11 – How long we keep your personal data
We retain personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for compliance purposes.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Section 12 – Confidentiality and security of your personal data
We are committed to keeping the personal data you provide to us secure and we have implemented information security policies, rules and technical measures to protect the personal data under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss. In addition, all our employees and data processors (i.e. those who process your personal data on our behalf) are obliged to respect the confidentiality of the personal data of all users of our website and those who purchase our products and services.
Section 13 – Automated Decision-Making
As part of the Sunday Solution, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects.
Section 14 – Personal data of minors
We do not intentionally gather personal data from users who are under the age of 18. If we learn that a child under the age of 18 has submitted personal data to sunday, we will attempt to delete such data as soon as possible. If you believe that we might have any personal data from a child under 18, please contact us at firstname.lastname@example.org.
Section 15 – Your rights as a data subject
The GDPR gives you certain rights regarding your personal data. If you are located in Europe, the UK, or Switzerland you may ask us to take the following actions in relation to your personal data that we hold:
- Access. Provide you with information about our processing of your personal data and give you access to your personal data.
- Correct. Update or correct inaccuracies in your personal data.
- Delete. Delete your personal data where there is no good reason for us continuing to process it – you also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Transfer. Transfer a machine-readable copy of your personal data to you or a third party of your choice.
- Restrict. Restrict the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
- Object. Object to our processing of your personal data where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal data for direct marketing purposes.
- Withdraw Consent. When we use your personal data based on your consent, you have the right to withdraw that consent at any time.
Exercising These Rights. You may submit these requests by email to email@example.com. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfil any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.