Privacy Policy      

 

Last updated: January 2024

Your privacy is of the utmost importance to us. This Privacy Policy (“Privacy Policy”) sets out how Sunday App, Inc PBC and our subsidiaries and affiliated (together “we” or “sunday”) collect, use, and disclose information about you when you access or use our website https://sundayapp.com/, web-based application Sunday App (“Sunday App”), and other online products  and services (collectively the “Sunday Solution”) and when you engage with us or otherwise interact with us.

We will update this Privacy Policy from time to time to reflect any changes or proposed changes to our use of your personal data, or to comply with changes in applicable law or regulatory requirements. We encourage you to review this Privacy Policy periodically to keep up to date on how we use your personal data. If we update this Privacy Policy, we will update the effective date at the top of the page.

Section 1 – Purpose of this Privacy Policy

This Privacy Policy explains our approach to any personal data that we might collect from you or which we have obtained about you from a third party, and the purposes for which we process your personal data. This Privacy Policy also sets out your rights in respect of our processing of your personal data.

When we talk about “personal data”, we mean any information which relates to an identified or identifiable living individual. Individuals might be identified by reference to a name, an identification number, location data, an online identifier (such as an IP address) or to other factors that are specific to them, such as their physical appearance.

This Privacy Policy is intended to assist you in making informed decisions when using the Sunday App and the Sunday Solution. Please take a moment to read and understand it. It should be read in conjunction with our User Terms of Service and our Cookie Policy.

This Privacy Policy only applies to the use of your personal data obtained by us, whether from you directly or from a third party. It does not apply to personal data collected by third parties during your communications with those third parties or your use of their products or services (for example, where you follow links to third party websites over which we have no control, or you purchase goods or services from those third parties).

Section 2 – About Us

The Sunday App and the Sunday Solution are made available by various companies in the sunday group of companies (each a “Group Company“). Where this Privacy Policy refers to ” sunday”, ” we”, ” us”, “our”, this means one or more of the particular Group Companies that provide the particular product or service to you. Except as stated otherwise, sunday is the data controller of the personal data governed by this Privacy Policy.

Section 3 – How to contact us

If you have any questions about this Privacy Policy or want to exercise your rights as a data subject set out in this Privacy Policy, you can contact us at dataprivacy@sundayapp.com.

Section 4 – What personal data we collect 

We may collect and process different types of personal data about you for different processing purposes. The types of personal data we collect depends on how you use our website, the Sunday App and the Sunday Solution and includes the following:

Identity data  First name; last name; nickname.
Account creation data  Email address; password; phone number.
Account data  Account username; password; profile picture or avatar; purchase/order details; food preferences (allergies and intolerances); whether you have participated in any promotions or competitions. When you’ve subscribed to a loyalty program linked to sunday, your loyalty identifier (namely, your phone number or email address) along with details of the tokenized payment card are also linked to your account.
Contact data  Email address; phone number. We may also collect your company name; office address (for expense receipt purposes).
Transaction data  We may collect details about payments made between you and us; details of your orders made through sunday. We may also collect additional (optional) information on your meal if you request an expense receipt, such as the number and name of guests or the business purpose of the meal.
Financial data  Tokenized payment card details.
Communication data  If you provide us feedback, leave a review or contact us via email or chatbot, we may collect your contact data, your transaction data and any other information necessary to respond to your query. 
Technical data  IP address; browser type, phone and operating system; geolocation; unique token assigned to a device; user interaction with the Sunday App (for debugging purposes); language settings.

Section 5 – How we collect and receive personal data 

We collect and receive personal data using different methods:

Personal data you provide to us  You may give us your personal data directly, for example, when you use the Sunday App or the Sunday Solution, complete forms on our website, subscribe to receive marketing communications or provide feedback to us.
Personal data we collect using cookies and other similar technologies When you access and use our website or the Sunday App, we will collect certain Technical Data. We collect this personal data by using cookies and other similar technologies (see our cookie policy). When you use certain payment methods (ApplePay or GooglePay), we may collect your email address if it’s attached to it. 
Personal data received from third parties  In certain cases, when you make an online reservation at an Establishment, sunday may collect your name and phone number from the Establishment to send you SMS messages in order to enhance your payment and checkout experience (“Text-to-Pay”).

We may receive personal data about you from other third parties. Such third parties may include analytics providers, third party directories and third parties that provide technical services to us so that we can provide our website and the Sunday Solution.

Section 6 – How we use your personal data

Purpose / Activity  Type of personal data  Lawful basis for processing including basis of legitimate interest
Provide and maintain the Sunday Solution, including debugging to identify and repair errors. Technical data Contractual Necessity (performance of the user agreement between you and sunday)
Process transactions and fulfil orders (e.g. making sure you get your order). Identity data; contact data; transaction data  Contractual Necessity (performance of the user agreement between you and sunday). Legitimate Interests. If Contractual Necessity is not applicable, we have a legitimate interest in providing a good service
Send you transactional or relationship messages, such as notifications regarding order’s lifecycle, receipts, expense reports and other customer service messages. Your receipt is automatically sent to you over email if you’re paying with ApplePay or GooglePay using our Pay at Table product.  Identity data; contact data; transaction data ; communication data.  Legitimate interest in providing relevant information about our services, including your orders from us
Facilitate the creation of a user account and provide you a personalised experience through it. Identity data; contact data; financial data; transaction data Consent or Necessary for our legitimate interests to develop our business and improve the customer journey
Send you a message with a payment link to improve your payment experience (‘Text-to-Pay’). Contact data  Necessary for our legitimate interests to develop our business and improve the customer journey.
Allow you to open a tab. Financial data Consent or Necessary for our legitimate interests to develop our business and improve your customer journey.
Process payments through our PSP partners.  Financial data Contractual Necessity 
Detection, investigation and prevention of fraudulent activities.  Identity data; contact data; transaction data; payment data Necessary for our legitimate interests to detect or prevent fraudulent activities. 
Provide the ability for the customer to save their payment method in a secure vault for future use.  Financial data  Consent or necessary for our legitimate interest to improve your payment experience.
Send you a review form; provide a platform to collect your feedback and respond to it. Contact data; Communication data Consent or necessary for our legitimate interests to collect and manage customer reviews.
Allow you to subscribe to an Establishment’s loyalty program and to accumulate loyalty points every time you make a sunday payment Contact data; Account data; financial data  Consent or necessary for our legitimate interests to develop our business and improve your experience. 
Allow you to subscribe to sunday’s loyalty program. Contact data; Account data Consent
Use data analytics to improve our website, products/services. Technical data  Legitimate Interest. We have a legitimate interest in improving and developing new services, by exploring ways to further enhance our services and business.
Monitor and analyse trends, usage, and activities in connection with the Sunday Solution.   Transaction data; technical data.  Necessary for our legitimate interest in improving our services and understanding your needs and expectations.
Personalise your online experience based on your device settings.  Technical data  Necessary for our legitimate interest in improving your experience with our services.

We may use your personal data to comply with applicable laws, lawful requests, and legal process ; audit our internal processes for compliance with legal and contractual requirements or our internal policies; and prevent, identify, investigate and deter fraudulent, harmful, unauthorised, unethical or illegal activity, including cyberattacks and identity theft.

Section 7 – If you fail to provide your personal data 

If you fail to provide personal data when we request it, we may not be able to provide you the products and services you have requested from us or to process an application to register an account. Please note that the information that we need from you is usually identified by asterisks.

Section 8 – How we obtain your consent

Where our use of your personal data requires consent, you can provide such consent at the time we collect your personal data following the instructions provided, or by informing us using the contact details set out in the “How to Contact Us” section above.

Section 9 – Third-party links

This Privacy Policy only applies to personal data processed by us through your use of our website and/or in connection with our business operations. However, from time to time, our website may contain links to third-party websites and services. We have no control over these websites and services and this Privacy Policy does not apply to your interaction with the relevant third parties.

When you use a link to go from our website to another website (even if you don’t leave our website) or you request a service from a third party, your browsing and interactions on any other websites, or your dealings with any other third-party service provider, is subject to that website’s or third-party service provider’s own rules and policies. We do not monitor, control or endorse the privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third-party service provider that you use in connection with your interaction with us and to contact them if you have any questions about their respective privacy notices and practices.

Section 10 – Sharing personal data 

When processing your personal data, we may need to share it with third parties (including other entities within our group of companies), as set out in the table below. This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties.

Establishment  We share some of your personal data, including transaction data and your email address, with the Establishment where you’ve received catering services using the Sunday Solution. 

 

We only share pertinent information with them for specific reasons, including in order for you to receive the services that you’ve requested (for example we share your name with the Establishment to make sure you get your order when you use our Order & Pay product) and in case the Establishment needs to contact you regarding your experience. We also share your reviews with the relevant Establishment which may contain personal information. 

 

sunday will only share the information specified above with the Establishment where you’ve received catering services using the Sunday Solution. Establishments cannot use our services to access information pertaining to other Establishments, except that Establishments with the same corporate ownership may elect to share such information with their corporate group.

 

Each Establishment is a separate business from sunday. While sunday encourages Establishments to comply with data protection requirements, sunday will not be responsible for their failure to comply with laws applicable to the use of Personal Data. 

Third-party Service Providers  We may share your personal data with third party service providers to: provide you with the Solution; to provide technical support.
Payment Service Providers We use third party payment service providers to process payments. These payment service providers may use your payment data in accordance with their privacy policies.
Loyalty partners When an Establishment uses a loyalty program partnered with Sunday, in which you have subscribed, we share your loyalty identifier (phone number or email address) with our loyalty partner, along with the amount of your payment (to allow you to accumulate loyalty points).
sunday Group Companies We may share some or all of your personal data with our parent company or other Group Companies. 

Transfers outside the European Economic Area (“EEA”) We are located in the EU, UK and USA and maintain servers globally to ensure the resilience of our services. Therefore, when you submit personal data to us, you acknowledge that your personal data will be transferred outside the EEA where it will be stored and processed by us and our suppliers for the purposes set out in this Privacy Policy.

Non-EEA countries do not have the same data protection laws as the EEA and the UK. However, when transferring your personal data outside the UK or the EEA, we will comply with our legal and regulatory obligations in relation to your personal data, including having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will take reasonable steps to ensure the security of your personal data in accordance with applicable data protection laws.

Section 11 – How long we keep your personal data  

We retain personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for compliance purposes.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Section 12 – Confidentiality and security of your personal data 

We are committed to keeping the personal data you provide to us secure and we have implemented information security policies, rules and technical measures to protect the personal data under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss. In addition, all our employees and data processors (i.e. those who process your personal data on our behalf) are obliged to respect the confidentiality of the personal data of all users of our website and those who purchase our products and services.

Section 13 – Automated Decision-Making  

As part of the Sunday Solution, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects.

Section 14 – Personal data of minors 

We do not intentionally gather personal data from users who are under the age of 18. If we learn that a child under the age of 18 has submitted personal data to sunday, we will attempt to delete such data as soon as possible. If you believe that we might have any personal data from a child under 18, please contact us at dataprivacy@sundayapp.com.

Section 15 – Your rights as a data subject

The GDPR gives you certain rights regarding your personal data. If you are located in Europe, the UK, or Switzerland you may ask us to take the following actions in relation to your personal data that we hold:

  • Access. Provide you with information about our processing of your personal data and give you access to your personal data.
  • Correct. Update or correct inaccuracies in your personal data.
  • Delete. Delete your personal data where there is no good reason for us continuing to process it – you also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Transfer. Transfer a machine-readable copy of your personal data to you or a third party of your choice.
  • Restrict. Restrict the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
  • Object. Object to our processing of your personal data where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal data for direct marketing purposes.
  • Withdraw Consent. When we use your personal data based on your consent, you have the right to withdraw that consent at any time.

Exercising These Rights. You may submit these requests by email to dataprivacy@sundayapp.com. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfil any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.