User Privacy Policy      

 

Last updated: 12 May 2025

Your privacy is of the utmost importance to us. This User Privacy Policy (“Privacy Policy”) sets out how Sunday App, Inc PBC and our subsidiaries and affiliated (together “we” or “sunday”) collect, receive, use, and disclose information about you when you engage or interact with the User Services as defined in the User Terms of Services available at https://sundayapp.com/user-terms-of-service/, including while ordering and receiving catering or hospitality services from a merchant that uses sunday (a “Merchant”).

We will update this Privacy Policy from time to time to reflect any changes or proposed changes to our use of your personal data, or to comply with changes in applicable law or regulatory requirements. We encourage you to review this Privacy Policy periodically to keep up to date on how we use your personal data. If we update this Privacy Policy, we will update the effective date at the top of the page.

Section 1 – Purpose of this Privacy Policy

This Privacy Policy explains our approach to any personal data that we might receive, use, and disclose about you, whether we collect it from you or obtain it from a third party, and the purposes for which we process your personal data. This Privacy Policy also sets out your rights in respect of our processing of your personal data.

When we talk about “personal data”, we mean any information which relates to an identified or identifiable living individual. Individuals might be identified by reference to a name, an identification number, location data, an online identifier (such as an IP address) or to other factors that are specific to them, such as their physical appearance.

This Privacy Policy is intended to assist you in making informed decisions when using the User Services. Please take a moment to read and understand it. It should be read in conjunction with our User Terms of Service.

This Privacy Policy only applies to the use of your personal data obtained by us, whether from you directly or from a third party. It does not apply to personal data collected by third parties during your communications with those third parties or your use of their products or services (for example, where you follow links to third party websites over which we have no control, or you purchase goods or services from those third parties).

Section 2 – About us and how to reach us

The User Services are made available by various companies in the sunday group of companies (each a “Group Company“). Where this Privacy Policy refers to “sunday”, “we”, ” us”, “our”, this means one or more of the particular Group Companies that provide the particular product or service to you.

If you live in the United States and are a user of the User Services, Sunday App, Inc PBC is the controller of your personal data. If you have any questions about this Privacy Policy or want to exercise your rights as a data subject set out in this Privacy Policy, you can contact us at dataprivacy@sundayapp.com

Section 3 – What personal data we receive 

We may collect and process different types of personal data about you for different processing purposes. The types of personal data we collect depends on how you use the User Services and includes the following:

Profile and Contact Information  We receive contact or other profile information when you sign up for or interact with the User Services, which may include name, email address, profile picture, or other information you choose to provide us. We may link this information to the different devices or accounts you use when you interact with the User Services.
Device Information We receive information about the phones and other devices you use when you use or interact with the User Services, including IP address (which may be used to determine general location), device identifiers, cookie IDs, the browser you use, your network connection, or other unique identifiers or device information.
Payment information  We receive payment information (your tokenized payment card details) when you make a purchase using the Sunday Solution.
Use of the User Services We receive information regarding your use of or interactions with the Sunday App and the Sunday Solution, whether or not you are logged in to sunday, such as your orders with the Merchants, the products you view and visit, the product reviews and ratings you post and share your order history.
Settings and Privacy Preferences We receive information about your settings and preferences, as well as information about your browser and device privacy settings.
Communication with sunday  We receive information, including message and email content, when you communicate with sunday (such as for customer support inquiries, taking surveys, participating in promotions or research).

Section 4 – How we collect and receive personal data 

We collect and receive personal data using different methods:

Personal data you provide to us  You may give us your personal data directly, for example, when you use the User Services, complete forms on our website or provide feedback to us.
Personal data we collect using cookies and other similar technologies When you access and use the User Services, we will collect certain personal data. We collect this personal data by using cookies and other similar technologies (see our cookie policy). When you use certain payment methods (ApplePay or GooglePay), we may collect your email address if it’s attached to it. 
Personal data received from third parties  We may receive personal data about you from other third parties. Such third parties may include analytics providers, third party directories and third parties that provide technical services to us so that we can provide the User Services

Section 5 – How we use your personal data

Purpose / Activity  Lawful basis for processing including basis of legitimate interest
Provision, improvement, and personalization of the User Services and your experience: To provide you with a personalized experience, including displaying your order history, offering easy payment options, recommending products, Merchants, or Establishments, and customizing the products highlighted for you, as well as improving the User Services, including based on your use of the User Services and your activity with Merchants. Contractual Necessity (performance of the user agreement between you and sunday)

Legitimate Interests. If Contractual Necessity is not applicable, we have a legitimate interest in providing a good service

Perform product research and development. To develop, test, and improve the User Services, including troubleshooting our products and services, developing or improving the User Services, and analyzing your use of and interactions with the User Services Necessary for our legitimate interests to develop our business and improve the customer journey.
Advertise, market and promote sunday: To market, advertise, and promote sunday services, including for personalized communications or advertisements relating to the sunday services. Consent or Necessary for our legitimate interests to develop our business and improve the customer journey
Communicate with you. To communicate with you about the User Services, including about product updates, your account, and changes to our policies and terms. We also use your information to respond to you when you contact us. Consent or Necessary for our legitimate interests to develop our business and improve the customer journey
Authentication, Integrity, Security, and Safety. To authenticate your account, provide a secure payment and user experience, and to detect, investigate, and prevent malicious conduct, fraudulent activity or unsafe experiences, address security threats, protect public safety, and secure the User Services for you and the Merchants. Necessary for our legitimate interests to detect or prevent fraudulent activities. 
Legal reasons. To comply with applicable law or respond to valid legal process, including requests from law enforcement or government agencies, to investigate or participate in civil discovery, litigation, or other adversarial legal proceedings, and to enforce or investigate potential violations of our terms or policies. Legal obligations 

 

sunday may also aggregate, de-identify, and/or anonymize any information collected through the User Services in such a way that we cannot reasonably link information to you or your device. We may use such aggregated, de-identified, or anonymous information for any purpose, including, for example, to improve the User Services.

Section 6 – How we process your personal data on behalf of the Merchants

sunday also processes your personal data while you’re getting catering and hospitality services from Merchants using sunday. When sunday processes personal data in this way, we are acting at the direction of the Merchant, and the Merchants’ terms of service and privacy policy apply—not sunday’s. For more information about how Merchants collect and use personal information when they provide catering services in their Establishments, review the Merchant’s terms and privacy policy.

Section 7 – If you fail to provide your personal data 

If you fail to provide personal data when we request it, we may not be able to provide you the products and services you have requested from us or to process an application to register an account. Please note that the information that we need from you is usually identified by asterisks.

Section 8 – How we obtain your consent

Where our use of your personal data requires consent, you can provide such consent at the time we collect your personal data following the instructions provided, or by informing us using the contact details set out in the “How to Contact Us” section above.

Section 9 – Third-party links

This Privacy Policy only applies to personal data processed by us through your use of our website and/or in connection with our business operations. However, from time to time, our website may contain links to third-party websites and services. We have no control over these websites and services and this Privacy Policy does not apply to your interaction with the relevant third parties.

When you use a link to go from our website to another website (even if you don’t leave our website) or you request a service from a third party, your browsing and interactions on any other websites, or your dealings with any other third-party service provider, is subject to that website’s or third-party service provider’s own rules and policies. We do not monitor, control or endorse the privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third-party service provider that you use in connection with your interaction with us and to contact them if you have any questions about their respective privacy notices and practices.

Section 10 – Sharing personal data 

When processing your personal data, we may need to share it with third parties (including other entities within our group of companies), as set out in the table below. This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties.

Third-party Service Providers  We may share your personal data with third party service providers to: provide you with the User Services; to provide technical support.
Payment Service Providers We use third party payment service providers to process payments. These payment service providers may use your payment data in accordance with their privacy policies.
Loyalty partners When an Establishment uses a loyalty program partnered with Sunday, in which you have subscribed, we share your loyalty identifier (phone number or email address) with our loyalty partner, along with the amount of your payment (to allow you to accumulate loyalty points).
sunday Group Companies We may share some or all of your personal data with our parent company or other Group Companies. 

Transfers outside the European Economic Area (“EEA”) We are located in the EU, UK and USA and maintain servers globally to ensure the resilience of our services. Therefore, when you submit personal data to us, you acknowledge that your personal data will be transferred outside the EEA where it will be stored and processed by us and our suppliers for the purposes set out in this Privacy Policy.

Non-EEA countries do not have the same data protection laws as the EEA and the UK. However, when transferring your personal data outside the UK or the EEA, we will comply with our legal and regulatory obligations in relation to your personal data, including having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will take reasonable steps to ensure the security of your personal data in accordance with applicable data protection laws.

Section 11 – How long we keep your personal data  

We retain personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for compliance purposes.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Section 12 – Confidentiality and security of your personal data 

We are committed to keeping the personal data you provide to us secure and we have implemented information security policies, rules and technical measures to protect the personal data under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss. In addition, all our employees and data processors (i.e. those who process your personal data on our behalf) are obliged to respect the confidentiality of the personal data of all users of our website and those who purchase our products and services.

PCI Compliance. To the extent applicable to the User Services, we are responsible for providing the User Services in a manner that is consistent with the highest certification level (PCI Level 1) provided by the PCI-DSS requirements. sunday’s certification is confirmed annually by a qualified security assessor (QSA).

Section 13 – Recommendation Algorithms  

We use advanced technologies to analyze user data and enhance our services. These tools help us gain deeper insights into your preferences and behaviors, allowing us to provide a more tailored experience by offering personalized content, such as customized tip suggestions.

Section 14 – Personal data of minors 

We do not intentionally gather personal data from users who are under the age of 18. If we learn that a child under the age of 18 has submitted personal data to sunday, we will attempt to delete such data as soon as possible. If you believe that we might have any personal data from a child under 18, please contact us at dataprivacy@sundayapp.com.

Section 15 – Your rights as a data subject

The GDPR gives you certain rights regarding your personal data. If you are located in Europe, the UK, or Switzerland you may ask us to take the following actions in relation to your personal data that we hold:

  • Access. Provide you with information about our processing of your personal data and give you access to your personal data.
  • Correct. Update or correct inaccuracies in your personal data.
  • Delete. Delete your personal data where there is no good reason for us continuing to process it – you also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Transfer. Transfer a machine-readable copy of your personal data to you or a third party of your choice.
  • Restrict. Restrict the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
  • Object. Object to our processing of your personal data where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal data for direct marketing purposes.
  • Withdraw Consent. When we use your personal data based on your consent, you have the right to withdraw that consent at any time.

Exercising These Rights. You may submit these requests by email to dataprivacy@sundayapp.com. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfil any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.