PRIVACY POLICY APPLICABLE TO SERVERS AND MERCHANT’S PERSONNEL      

 

 

 

Last updated: December 2023

This Privacy Policy (“Privacy Policy”) sets out how Sunday App, Inc PBC and our subsidiaries and affiliated (together “we” or “sunday”) collect, use and disclose information about you in connection with the provision of our services (the “Services”), including the operation of our back-office platform and our proprietary application Sunday for Restaurants (“Sunday for Restaurants”). 

We will update this Privacy Policy from time to time to reflect any changes or proposed changes to our use of your personal data, or to comply with changes in applicable law or regulatory requirements. We encourage you, as a server or an individual working in an Establishment (“you” or a “data subject”), to review this Privacy Policy periodically to keep up to date on how we use your personal data. If we update this Privacy Policy, we will update the effective date at the top of the page.

Certain words and phrases in this Privacy Policy have specific definitions when they start with capital letters. Where a defined term is used, it either has the meaning set out in section 15 below (Definitions) or the meaning given to it in the relevant clause of this Privacy Policy.

Section 1 – Purpose of this Privacy Policy

This Privacy Policy explains our approach to any personal data that we might collect on you or which we have obtained from a third party, and the purposes for which we process such personal data. This Privacy Policy also sets out your rights in respect of our processing of your personal data.

When we talk about “personal data”, we mean any information which relates to an identified or identifiable living individual. Individuals might be identified by reference to a name, an identification number, location data, an online identifier (such as an IP address) or to other factors that are specific to them, such as their physical appearance.

This Privacy Policy is intended to assist you in making informed decisions when using Sunday for Restaurants and the Services. Please take a moment to read and understand it.

This Privacy Policy only applies to the use of your personal data obtained by us, whether from data subjects directly or from a third party. It does not apply to personal data collected by third parties during communications with data subjects or during data subjects’ use of their products or services (for example, where they follow links to third party websites over which we have no control, or they purchase goods or services from those third parties).

Section 2 – About Us

Sunday for Restaurants and the Services are made available by various companies in the sunday group of companies (each a “Group Company“). Where this Privacy Policy refers to “sunday”, ” we”, ” us”, “our”, this means one or more of the particular Group Companies that provide the particular product or service to you as a data subject. Except as stated otherwise, sunday is a controller of your personal data. 

Section 3 – How to contact us

If you have any questions about this Privacy Policy or want to exercise your rights as a data subject set out in this Privacy Policy, you can contact us at dataprivacy@sundayapp.com.

Section 4 – What personal data we collect 

We may collect and process different types of personal data about data subjects for different processing purposes. The types of personal data we collect depends on how you use our back-office platform, Sunday for Restaurants and the Services and includes the following:

Identity data  First name; last name.
Account creation data  Email address; password; phone number; access rights. 
Account data  Email address; password; profile picture or avatar; contact preferences; performance data. 
Contact data  Email address; phone number.
Transaction data  Payouts of tips. 
Technical data  IP address; browser type and operating system; geolocation; unique token assigned to a device; user interaction with Sunday for Restaurants (for debugging purposes). 

Section 5 – How we collect and receive personal data 

We collect and receive personal data using different methods:

Personal data data subjects provide to us  You may give us your personal data directly, for example, when you use Sunday for Restaurants or the Services.
Personal data received from third parties  We may receive personal data about you from third parties. Such third parties may include your point of sale (POS) and third parties that provide technical services to us so that we can provide our website, Sunday for Restaurants and the Services.

Section 6 – How we use your personal data

Purpose / Activity  Type of personal data  Lawful basis for processing including basis of legitimate interest
Faciliate the operation of the Establishment (e.g business performance, daily operation, reviews, billing and accounting)  Identity data; contact data; transaction data  Necessary for our legitimate interests to develop our business and in providing a good service
Facilitate the creation of a user account and provide you a personalised experience through it  Identity data; contact data; transaction data Consent or Necessary for our legitimate interests to develop our business and in providing a good service
Provide staff performance insights (e.g. reviews, financial performance) Identity data; contact data; account data; account creation data; transaction data  Necessary for our legitimate interests to develop our business and in providing a good service
Provide sunday KPIs emails to Establishments Identity data; contact data Necessary for our legitimate interests to develop our business and in providing a good service
Tip payout to servers and staff through payout/payment partners  Transaction data  Contractual Necessity and Necessary for our legitimate interests to develop our business and in providing a good service
Provide support and assistance  Identity data; contact data Necessary for our legitimate interests to develop our business and in providing a good service
sunday CRM Identity data; contact data Necessary for our legitimate interests to develop our business and in providing a good service
Use data analytics to improve our website, products/services Technical data  Legitimate Interest. We have a legitimate interest in improving our website and providing a good service
Direct/product marketing Identity data; contact data Consent or Legitimate Interests. We have a legitimate interest in promoting our operations and goals as an organisation, including by sending direct marketing

We may use your personal data to comply with applicable laws, lawful requests, and legal process ; audit our internal processes for compliance with legal and contractual requirements or our internal policies; and prevent, identify, investigate and deter fraudulent, harmful, unauthorised, unethical or illegal activity, including cyberattacks and identity theft.  

Section 7 – If you fail to provide your personal data 

If you fail to provide personal data when we request it, we may not be able to provide you the products and services you have requested from us or to process an application to register an account. Please note that the information that we need from you is usually identified by asterisks.

Section 8 – How we obtain your consent

Where our use of your personal data requires consent, you can provide such consent at the time we collect your personal data following the instructions provided, or by informing us using the contact details set out in the “How to Contact Us” section above.

Section 9 – Third-party links

This Privacy Policy only applies to personal data processed by us through your use of the Services and/or in connection with our business operations. However, from time to time, our website or application may contain links to third-party websites and services. We have no control over these websites and services and this Privacy Policy does not apply to your interaction with the relevant third parties.

When you use a link to go to another website or you request a service from a third party, your browsing and interactions on any other websites, or your dealings with any other third-party service provider, is subject to that website’s or third-party service provider’s own rules and policies. We do not monitor, control or endorse the privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third-party service provider that you use in connection with your interaction with us and to contact them if you have any questions about their respective privacy notices and practices.

Section 10 – Sharing personal data 

When processing your personal data, we may need to share it with third parties (including other entities within our group of companies), as set out in the table below. This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties.

Third-party Service Providers  We may share your personal data with third party service providers to: provide you with the Services, or to provide technical support.
Payment Service Providers We use third party payment service providers to process payments. These payment service providers may use your payment data in accordance with their privacy policies.
sunday Group Companies We may share some or all of your personal data with our parent company or other Group Companies. 

Transfers outside the European Economic Area (“EEA”) We are located in the EU, UK and USA and maintain servers globally to ensure the resilience of our services. Therefore, when you submit personal data to us, you acknowledge that your personal data will be transferred outside the EEA where it will be stored and processed by us and our suppliers for the purposes set out in this Privacy Policy.

Non-EEA countries do not have the same data protection laws as the EEA and the UK. However, when transferring your personal data outside the UK or the EEA, we will comply with our legal and regulatory obligations in relation to your personal data, including having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will take reasonable steps to ensure the security of your personal data in accordance with applicable data protection laws.

Section 11 – How long we keep your personal data  

We retain personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for compliance purposes.   

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.  

Section 12 – Confidentiality and security of your personal data 

We are committed to keeping the personal data you provide to us secure and we have implemented information security policies, rules and technical measures to protect the personal data under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss. In addition, all our employees and data processors (i.e. those who process your personal data on our behalf) are obliged to respect the confidentiality of the personal data of all users of our website and those who purchase our products and services.

Section 13 – Automated Decision-Making  

As part of the Services, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects. 

Section 14 – Your rights as a data subject

The GDPR gives you certain rights regarding your personal data. If you are located in Europe, the UK, or Switzerland you may ask us to take the following actions in relation to your personal data that we hold:

  • Access. Provide you with information about our processing of your personal data and give you access to your personal data.
  • Correct. Update or correct inaccuracies in your personal data.
  • Delete. Delete your personal data where there is no good reason for us continuing to process it – you also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Transfer. Transfer a machine-readable copy of your personal data to you or a third party of your choice.
  • Restrict. Restrict the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
  • Object. Object to our processing of your personal data where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal data for direct marketing purposes.
  • Withdraw Consent. When we use your personal data based on your consent, you have the right to withdraw that consent at any time.

Exercising These Rights. You may submit these requests by email to dataprivacy@sundayapp.com. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfil any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.  

Section 15 – Definitions

The following words and phrases have the following meanings in this Privacy Policy:

Establishment any type of venue open to the public in which a merchant provides to customers food and/or beverage services (e.g. bar, festival, restaurant, food court, stadium, and similar) in which you work.