Toast Privacy Statement

• Merchants: businesses that have expressed interest in using the Services or have contracted with Toast to provide the Services within their restaurants (where this term is used in this Statement in the context of the processing of the personal information of a Merchant, it refers to a Merchant that is an individual);
• Merchant Employees: employees of our Merchants that use the Services; and
• Guests: individuals that use the Services at one of our Merchant’s restaurants, through a business partner or directly through Toast.

• United States (California)
• United States (State Law)
• Canada
• Ireland
• United Kingdom
• Australia
• New Zealand

2. Definitions

• “Toast Payroll and Team Management” refers to a module offered as part of the Services directed to Merchant Employees that includes a number of HR-focused services, including, but not limited to, payroll, benefits administration, card services, scheduling and applicant tracking services.
• Services” refers to services and products (including both hardware and software) developed or administered by us from time-to-time, including:
  • our core point-of-sale (POS) system; payment processing services;
  • our application programming interfaces (“APIs”);
  • associated modules provided as part of our POS system, such as our loyalty, marketing, waitlist and reservations, delivery and Toast Payroll and Team Management modules;
  • other restaurant management services, such as our inventory, invoicing and Bill Pay services;
  • our digital ordering services, such as online ordering, pickup and delivery services, contactless order and pay at the table functionality, gift cards and our mobile application(s);
  • accounts created through our digital ordering services (“Digital Ordering Account(s)”);
  • other mobile application(s) developed as part of the Services, including our Merchant and Merchant Employee-facing mobile applications (e.g., the MyToast and Toast Now mobile applications) and our Guest-facing mobile applications (e.g. Local by Toast);
  • Health, wellness and other benefit products or services developed, or offered, by Toast or its third-party business partners from time to time for Merchant Employees;
  • Insurance-related services; and
  • Merchant financing (including, but not limited to, Toast Capital Loans), card products, such as the Toast Pay Card (as issued by Sutton Bank, Member FDIC, pursuant to license by Mastercard International Incorporated, or any subsequent issuer) and other financial products offered by Toast or its business partners, including, without limitation, banks and other financial institutions.

• “You” and/or “your” is a Merchant, a Merchant Employee, a Guest, a visitor to one of our Websites or other covered data subject.

3. Personal information we collect

• your name;
• address;
• email;
• date of birth;
• phone number
• Tax and national identification numbers; and
• Information you choose to share when using the Services such as when you are communicating through mobile applications or in support tickets.

• your name;
• email;
• phone number;
• employee identification number;
• address;
• date of birth; and
• information relating to your role, such as your job title, wage rates and salary and hours worked.

• your Social Security number or other national identification number;
• banking information as part of payroll;
• your professional and educational history;
• tax documentation such as your W2 and 1095 tax forms;
• your benefit elections;
• driver’s license information;
• gender;
• marital status;
• disability status;
• ethnicity; and
• your dependent and beneficiary information.

• your name;
• contact details such as your phone number and email;
• your address and other general location details;
• your payment card information, such as the brand, card number, security code and expiration date;
• transaction information and order history details (e.g., goods/services ordered, date, payment method and amount of payment);
• your date of birth (if you choose to provide it);
• information about your vehicle (for users of our curbside pickup service);
• account and profile information such as your username and password;
• if you are a member of a Merchant’s loyalty program, information in relation to your points balance and redemptions;
• waitlist or reservation details, including dining preferences, special requests and dietary restrictions; and
• your feedback in relation to your experience at our Merchants’ establishments (if you choose to provide it).
• Information you choose to share when using the Services such as when you are communicating through mobile applications or in support tickets

• your name;
• email; and
• phone number.

• information about your device, such as your device type/model, number and device ID (e.g., MAC address);
• information about your browser, settings (e.g., language) and operating system;
• your internet protocol (IP) address (including, in some instances, your perceived location);
• unique advertising and related identifiers;
• transactional and purchase information; and
• browsing and usage activity, such as the referring domain, what websites/content you have viewed or actions you have taken on a particular website.

4. How we use personal information

• Provide, maintain and support our Services, including
  • to provide updates, support and training related to the Services;
  • to determine the eligibility of individuals in relation to their use of certain Services; for contracting and agreement purposes;
  • to process transactions and payments through the Services, maintaining an order history of your interactions with Toast;
  • to enable our Merchants and our Merchants Employees to access and use the Services, including information that you have provided as part of using the Services; and
  • to improve, develop, and provide Services, develop, train and deploy algorithms and artificial intelligence (AI) models, used to develop, provide, and personalize our Services, and generate insights to enhance our Services for Merchants and Guests;
  • to provide online services, including verifying your identity, as well as diagnosing technical and service issues.
  • If you are a Merchant Employee, to enable our Merchants to manage their workforce
• Manage our business and for internal operational purposes, including   analyzing the performance of our Services;
  • workforce and service development;
  • creating and developing analytics for the benefit of our business and the business of our Merchants;
  • research purposes, including the development of new products;   assessing the effectiveness of Services; and
  • improving our Services and Websites.
• Personalize your experience, including by
  • Creating a Merchant-specific profile based on your interactions with our Guest-facing Services—such as making a payment, joining a waitlist or reservation, placing a digital order, or participating in a Merchant’s loyalty programme. Guest profiles apply only to the specific Merchant or Merchant management group you interact with.
  • Using information associated with your Toast account to personalize your experience across our Services;
  • Using transactional data and order history to offer recommendations within our Services or those of our Merchants;
  • Using information about your dining experience (including waitlist and reservation details) to enhance current and future dining experiences at our Merchants’ restaurants
  • Using analytics and profiling technologies to personalize your experience.
  • Using general location information inferred from your IP address to customize content (for example, to display nearby restaurants). This reflects only an approximate area, not a precise location.
• Advertise and market to you, including
  • sending you marketing communications, either directly or through a third-party service provider, in relation to our existing or new Services that we think might interest you;
  • displaying advertisements for Toast or third-party services in our digital ordering services and mobile applications; and
  • Based on instructions from our Merchants or our business partners as applicable, either directly or through a third party, to advertise their products and services to you; and
  • promoting our Services.

• Communicate with you or provide information you have requested, including providing notifications in relation to your purchases or the Services;
  • sending you white papers and other materials from our Websites;
  • providing you with our newsletters, podcasts and other subscription materials;
  • sending you digital receipts; and
  • responding to feedback that you have provided in relation to our products or Services or those of our Merchants.
• For legal, compliance and security-related purposes, including to
  • comply with our legal obligations, including under anti-money laundering, know- your-customer or similar laws in any relevant jurisdiction;
  • secure and protect our network and systems;
  • identify and protect against fraud and other crimes;
  • establish, exercise or defend legal claims;
  • perform our contractual obligations; and
  • monitor and report compliance issues.

5. How we share personal information

• With our Merchants and their Employees to provide the Services, fulfil your requests, and support the purposes described in this Statement. For example, when you complete a transaction, place a digital order, join a waitlist, or make a reservation, Toast shares relevant order or reservation details with the Merchant. This may include your name, contact information, and information about your dining experience, such as reservation details, preferences, and special requests. Where a Merchant is part of a larger management group, this information may also be shared with other restaurants in that group to support future dining experiences.
• With our third-party business partners in order to provide, maintain, improve and expand our Services;
• With third-party integration partners selected by the Merchant or with whom you do business where Toast is instructed to share your information as part of the Services;
• With our parent, subsidiary, or affiliate companies, agents (if any) for the purposes outlined in this Privacy Statement;
• With third parties that help us provide, maintain, and improve our Services. These service providers may access personal information to perform functions on our behalf or on behalf of our Merchants, such as hosting and IT services, payment processing, identity verification and fraud prevention, marketing and advertising, data analytics and personalization, and customer support. Please note:
  • If you are a Merchant Employee whose employer use the Toast Payroll and Team Management module, we will share your information with benefits, payroll and other employment-related service providers.
  • If you are a Merchant applying for financing through the Toast platform, we share your information (including personal information) with the lender, and a credit report may be obtained from third-party credit bureaus to assess your eligibility.
• in connection with, or during the negotiation of, any merger, sale of company stock or assets, financing, acquisition, divestiture or dissolution of all or a portion of our business; or
• if we believe it is authorized or necessary to:
  • protect our rights or property, or the security or integrity of our Services or our Websites;
  • enforce the terms of our terms of service or other applicable agreements or policies;
  • protect us, users of our Services or the public from harm or potentially prohibited or illegal activities;
  • investigate, detect and prevent fraud and security breaches; or
  • comply with any applicable law, regulation, legal process or governmental request (including, for example, a court order, subpoena, or search warrant).

6. Retention of personal information

7. Cookies and other tracking technologies

•  to provide our Services (e.g., authentication within the check-out process);   to uniquely identify you and/or your device;
• to store your preferences as part of providing the Services;
• for personalization, ad measurement and analytics, and targeted advertising purposes (including across your devices and applications);
• for security and fraud-prevention purposes;
• to analyze and monitor the performance of our Services;  
• to improve and develop new Services; and
• to understand your use of the Services over time.

Targeted advertising and your choices

• To opt out of interest-based advertising in your internet browser, please visit www.aboutads.info/choices or www.networkadvertising.org/choices and follow the instructions to place an opt-out cookie on your device.
• Opt-out cookies apply only to the browser and device where they are installed. You must opt out separately on each browser and device you use. If you delete cookies, you will need to reapply the opt-out cookie.
• To opt out of interest-based advertising in mobile applications, follow the instructions at www.aboutads.info/appchoices or adjust the settings on your mobile device.

Do not track

8. Your rights and choices

• As a Merchant, for certain services, you may access, change or correct certain account information at any time by logging into your account. In other instances, please contact our customer success team.
• As a Merchant Employee using the Toast Payroll and Team Management module or other Merchant Employee-facing Services, you have the ability in many cases to access and update your information through the Services. In other instances, please reach out to your Merchant Employer. As a Guest, depending on the Services you use, you may be able to access, change and update your information through an account created as part of the Services (e.g., a Digital Ordering Account). If you are a Guest and have questions about your Digital Ordering Account or need customer support, please contact the guest support team on this page or navigate to the “Get Help” section of the Local by Toast app. In certain cases (e.g., Local by Toast), you can also submit a request for deletion of your Digital Ordering Account from directly within the mobile application.

Managing communications

• Marketing communications: Depending on your relationship with us and the Services you use, we may send marketing or promotional messages about new or existing Services that may be of interest to you. These may include marketing text messages where you have opted in. You can opt out of marketing communications by following the instructions in the message, adjusting your communication preferences in your account or device settings, or submitting a request through our Individual Rights Portal. Please note that opting out of one marketing channel does not automatically opt you out of all marketing communications. You may still receive non-marketing communications after opting out. These may include transaction-related messages, loyalty programme communications, or account-specific updates. If you are located outside the United
  States, we will not send you direct marketing communications without your opt-in consent or as otherwise permitted under the applicable law.
  

• Other communications: As part of your interaction with our Services, you may receive various non-marketing communications from Toast that may be sent via email or text message. These include:
• For Guests:
  • sending you digital receipts or other messages in relation to Services you engage with; notifications sent by Merchants, our business partners and/or third-party service providers as part of our Services, such as order status, delivery or pick up notifications and information pertaining to our reservation and waitlist services;
  • responding to feedback that you have provided in relation to the Services of Toast or one of our Merchants;
  • account or program-specific messages as part of your use of the Services (e.g., loyalty accounts with our Merchants or by setting up a Digital Ordering Account); or
  • messages associated with contests, competitions or promotions that you have elected to participate in.
• For Merchants and Merchant Employees:
  • messages relating to Toast’s services and demo requests (for prospective Merchants); on-boarding related messages pertaining to setting up the Services; or
  • messages pertaining to Services that you are using or are under your account.

9. Security

10. Links to other websites

11. Children

12. How to contact us

• Individual Rights Portal
• By post: Attn:
  Toast Privacy Office
  Toast, Inc.
  333 Summer St. Boston, MA 02210
• By phone: (866) 226-4484

13. Changes to this Privacy Statement

Addendum A – United States (California)

1. CCPA personal information table
   The below table summarizes:
   • The categories of personal information collected by Toast in the past 12 months;
   • The sources of collection of the personal information;
   • How we use your personal information; and
   • The categories of personal information disclosed for business purposes by Toast (including to third parties) in the past 12 months.
   • Please see the generally applicable section of this Privacy Statement for additional information on Toast’s information practices, including more detail on how we use and disclose your personal information.

• Identifiers;
• Internet/Network Information; and
• Inferences.

• The right to know/access: you have the right to request that an in-scope business that collects personal information from you, disclose the following upon verification of your identity: (i) the categories of personal information collected about you, (ii) the categories of sources where the personal information was collected, (iii) the business or commercial purposes for collecting (or where applicable, selling or sharing) the personal information, (iv) the categories of personal information that we have disclosed to third parties for a business purpose along with the corresponding recipients, (v) the categories of personal information we have sold or shared along with the corresponding recipients, and (vi) the specific pieces of personal information collected about you.
• The right of deletion: you have the right to request that an in-scope business delete personal information that it has collected from you, subject to certain exceptions.
• The right of correction: you have the right to request that an in-scope business correct inaccurate personal information, subject to certain conditions. 
• The right to opt out of the sale or sharing of personal information: you have the right to request that an in-scope business refrain from selling or sharing personal information it has collected about you to third parties now or in the future. If you are under the age of 16, you have the right to opt in, or to have a parent or guardian opt in on your behalf, to such sales or sharing. 
• The right to limit the use and disclosure of sensitive personal information: to the extent that we use sensitive personal information for purposes beyond those set forth in subdivision (a) of Section 1798.121, you have the right to limit the use or disclosure of that sensitive personal information subject to the exceptions within the CCPA.
• The right of access to and to the ability to opt-out of automated decision-making technology: subject to further regulations being issued, you have the right to access information pertaining to automated decision-making technologies and the ability to opt out.
• The right against discrimination and retaliation: you have the right to not be discriminated or retaliated against as a result of exercising any of the above rights. 

• Web portal: Individual Rights Portal
• By post:     Attn: Toast Privacy Office

• By phone (toll-free): (866) 226-4484

• For Merchants and Merchant Employees, we will generally retain their personal information for the duration of our agreement with the Merchant plus a period following termination as provided for in our retention schedules. 
• For Guests that have Toast Digital Ordering Accounts, Toast will generally maintain these accounts for the duration of the individual’s use of service plus a period of inactivity.
• In other cases, Guest information that is collected by the Merchant but stored by Toast will be retained for the duration of our agreement with the Merchant plus a period following termination as provided for in our retention schedules. 
• Information pertaining to support calls are generally retained for one (1) year but may be retained for longer based on the nature of the relationship between Toast and the individual. 

1. California “Shine the Light” disclosure

Addendum B – United States (State Law)

• The right to correction: you have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and purposes of the processing.
• The right to deletion: you have the right to delete your personal information you have provided or that has been collected.
• The right to obtain a portable copy of your personal information: you have the right to obtain a copy of your personal information that was previously provided in a portable, and to the extent technically feasible, readily usable format that can be transmitted to another entity.
• The right to opt out: you have the right to opt out of (as defined by the Applicable State Law) (i) targeted advertising, (ii) the sale of personal information and (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
• For residents of Delaware & Oregon: The right to be informed of third party disclosures: you have the right to obtain a list of specific third parties, other than natural persons, to which Toast has disclosed personal information.
• For residents of Minnesota:
  The right to question the result of profiling: if your personal data is profiled in furtherance of decisions that produce legal effects concerning you, you have the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions you might have taken to secure a different decision and the actions that you might take to secure a different decision in the future. You have the right to review your personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, you have the right to have the data corrected and the profiling decision reevaluated based upon the correct data. 
• For Residents of Rhode Island:
  The right to be informed of data sale recipients: you have the right to obtain a list of third parties to whom your personally identifiable information has been or may be sold.

• Web portal:
  Individual Rights Portal
  *If you do not see the State where you reside listed in the portal but this addendum applies, please contact us using one of the other methods listed here (e.g. post or phone).
• By post:
  Attn: Toast Privacy Office
  Toast, Inc.
  333 Summer St. Boston, MA 02210
• By phone (toll-free): (866) 226-4484

Addendum C – Canada

1. Consent
   By using our Services and accessing our Websites, you accept the terms of this Privacy Statement and consent to the collection, use, processing, disclosure and retention of your information as described in this Privacy Statement. Typically, we will provide notice of the purpose for collecting your personal information and/or seek your consent (which may be express or implied, depending on the nature and sensitivity of the personal information) in line with applicable law at the time that we collect your personal information. In certain circumstances, we may collect non-sensitive personal information automatically. In general, you may change or withdraw your consent at any time subject to legal or contractual obligations and providing reasonable notice. Your withdrawal of consent may impact the ability of Toast to provide you with some or all of the Services. Upon receiving notice that you would like to withdraw your consent, we will inform you of the likely consequences of your withdrawal of consent.
   Toast will not collect, use, or disclose your personal information except for the purposes we have identified for collection (including those listed in section 4 of the Toast Privacy Statement above and/or identified at the time of collection), unless we have received your consent (which may be express or implied, depending on the nature and sensitivity of the personal information) or the processing is authorized without consent.
2. Accessing and correcting your personal information
   If you are located in Canada, you have the right to request access to and to correct the personal information that we hold about you, subject to certain conditions and limitations. Subject to the applicable law and the nature of your relationship with Toast, this may include a right to review, correct, update, suppress, delete or otherwise limit our use of your personal information that has been previously provided to us. You may also have the right to access information about the ways in which your personal information is or has been used and the names of individuals and/or organizations to which your information has been disclosed.
   Toast has established an individual rights portal for the purposes of submitting such individual rights requests. The link to Toast’s individual rights portal can be found here. Individual rights requests can also be submitted to Toast through the below channels:
   • By email:
     privacy@toasttab.com
   • By post:
     Attn: Toast Privacy Office
     Toast, Inc.
     333 Summer St. Boston, MA 02210
     United States of America
     
   In your request, please specify what information you would like to access or have corrected. We will respond to your request as soon as reasonably practicable, and within the time period required by law. The exercise of these rights is free of charge. Once an individual rights request has been submitted, Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of Toast’s Services or Websites.
   If we correct your information, we will also send the corrected information to organizations to which we disclosed the information during the year before the date the correction was made.
   Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law. If we cannot provide you with access to your personal information or are unable to correct your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions, and outline further steps available to you. If we refuse to act on a request to correct your personal information, we will nonetheless annotate the information, noting the correction that was requested but not made.
   In certain cases, depending on the nature of your request, there may also be residual information that will remain within our databases and other records, which, due to applicable law or as part of Services that are in the process of being carried out, will not be removed or changed. We will also retain information relating to your request for recordkeeping and compliance purposes.
3. Cross-border transfers
   We may process, store, and transfer your personal information in and to a foreign jurisdiction, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that jurisdiction may be able to obtain access to your personal information through the laws of the foreign jurisdiction.
   Specifically, the personal information collected as part of the Services or as otherwise contemplated by this Statement is primarily processed and stored in the United States. However, as Toast is an international organization with business processes, offices and third parties around the world, your information may be sent to any other jurisdiction in the world where we do business or maintain third-party relationships. When you provide personal information to us through the Services and as part of this Statement, you consent to the transfer of your information and the processing of your information in this manner. Any international transfers made will be in accordance with this Statement and the applicable law.
   We also impose appropriate safeguards for the transfer of personal information among our affiliates and to third-party service providers in various jurisdictions, and have implemented appropriate contractual arrangements or other measures for such purposes.
   To obtain a current list of the jurisdictions where personal information subject to this Statement is collected, used, disclosed and/or stored, including with our service providers, please visit Toast’s sub-processor page.
4. Right to challenge compliance and file a complaint
   If you believe any privacy laws relating to the protection of your personal information or the practices described in this Statement have not been respected, you may file a complaint with our Assistant General Counsel, Privacy at the address listed below:
   • By post:
     Attn: Assistant General Counsel, Privacy
     Toast, Inc.
     333 Summer St. Boston, MA 02210
     United States of America
   • By phone (toll-free): +1 (866) 226-4484
     
   Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your complaint.
   We will investigate all complaints. If, after an investigation, your complaint is deemed justified, Toast will take appropriate steps to correct the situation, including, if necessary, amending our policies and practices. If you are not satisfied with the results of the investigation or the corrective measures taken by Toast, you may exercise the remedies available under law by contacting the Office of the Privacy Commissioner of Canada at the address below:
   Office of the Privacy Commissioner of Canada
   30 Victoria Street
   Gatineau, Quebec
   K1A 1H3
   https://www.priv.gc.ca
   If you reside in the Province of Alberta, you may also contact the Office of the Information and Privacy Commissioner of Alberta at the address below:
   Office of the Information and Privacy Commissioner of Alberta
   #410, 9925 - 109 Street NW
   Edmonton, Alberta
   T5K 2J8
   https://www.oipc.ab.ca/
   If you reside in the Province of British Columbia, you may also contact the Office of the Information and Privacy Commissioner for British Columbia at the address below:
   Office of the Information and Privacy Commissioner for British Columbia
   PO Box 9038 Stn. Prov. Govt.
   Victoria B.C.
   V8W 9A4
   https://www.oipc.bc.ca/

• The categories of personal information collected by Toast in the past 12 months;
• The sources of collection of the personal information; 
• How we use your personal information; and
• The categories of personal information disclosed for business purposes by Toast (including to third parties) in the past 12 months.

Addendum D – Ireland

• Toasttab Ireland Limited (“Toast Ireland”)
  124 St Stephen’s Green
  Dublin 2
  Ireland
  D02 C628
• Toast, Inc. (“Toast US”)
  333 Summer St.
  Boston, MA 02210
  United States of America
• Toast US is primarily responsible for ensuring that personal information is collected and processed pursuant to the applicable law. These obligations include (a) the implementation of appropriate data protection policies, (b) the management and notification of security incidents involving personal information, (c) the completion of data protection impact assessments (where appropriate) and (d) the implementation of appropriate technical and organizational security measures. Toast US is also responsible for managing any requests that you may make to exercise your rights under the GDPR or other applicable data protection legislation, on behalf of both Toast Ireland and Toast US.
• Toast Ireland is responsible for managing aspects of the processing that are within its control as part of the joint controller relationship. This includes support and management pertaining to the provision of the Services, obtaining consents from data subjects (where applicable) as well as support with providing notice to data subjects. Where Toast Ireland receives a data subject request under the GDPR, Toast Ireland will promptly notify Toast US of the request. As a data controller, we are free to rely on “data processors” (as defined within the GDPR) and have engaged various third-party service providers in order to provide the Services as well as for other purposes described in the main body of the Privacy Statement. For more information, see the “How we share personal information” section of the Privacy Statement.

• Contractual commitments requiring the recipient to process personal data only on documented instructions and in compliance with the GDPR’s core principles.
• Obligations regarding confidentiality and security, including requirements to implement appropriate technical and organisational measures to protect the data.
• Restrictions on onward transfers, ensuring that data can only be shared with further third parties if they are subject to equivalent protection.
• Transparency requirements, enabling data subjects to understand how their data is handled when transferred internationally.
• Data minimisation and purpose limitation, ensuring that data is used only for the specific purposes for which it was provided.
• Mechanisms for data subject rights, including requirements on the recipient to assist us in responding to requests to access, delete or correct personal data.
• Requirements to assess and document risks, including conducting transfer impact assessments (TIAs) where relevant.
• Commitments relating to government access requests, including notifying us (where legally permitted) and challenging disproportionate or unlawful requests.

• request access to and obtain a copy of your personal information;
• request the transfer of your personal information you have provided to us to you or another company in a structured, commonly used and machine-readable format;
• request rectification of your personal information when it is inaccurate or incomplete;
• request erasure of your personal information where permitted under the applicable law, such as where the information is no longer necessary or lawful for us to store or where your information is outdated;
• restrict or object to the processing of your personal information (as applicable), including to object to the processing of personal information for direct marketing purposes; and
• withdraw your consent at any time where this is the legal basis on which we are processing your personal information. If you ask to withdraw your consent, this will not affect any processing which has already taken place at that time.
• Please note that if you choose to withdraw your consent, you may not be able to participate in or benefit from the programs, services and initiatives for which you provided consent to the processing of your personal information. Your rights will in each case be subject to the restrictions set out in applicable data protection laws.
  

• Merchants: Merchant account and ownership information will generally be maintained for seven (7) years following the termination of the relationship absent a legal or regulatory obligation to retain longer;
• Merchant Employees: Merchant employee information will generally be maintained for seven (7) years following the termination of the relationship with the Merchant unless removed sooner by the Merchant; and
• Guests: Digital ordering accounts created by our Guests will be maintained for the duration of their use of the service and removed following five (5) years of inactivity. Transactional information and other Guest information held by our Merchants as part of their operations will be retained for the duration of our relationship with the Merchant plus a period of seven (7) years.
• Other periods are set out within Toast’s records retention policy and schedule. Our retention periods are also subject to any rights of individuals or other requirements that might dictate a shorter retention period (e.g., deletion requests). In certain cases, Toast may also maintain information for a longer period of time, such as in cases where the information is subject to a legal claim or complaint. Following those periods and other determinations on the duration of the processing of personal information by Toast, we will delete or take measures to anonymize your personal information.

Addendum E – United Kingdom (“UK”)

• Toasttab UK Limited (“Toast UK”)
  3^rd Floor, 1 Ashley Road
  Altrincham
  Cheshire
  WA14 2DT
  United Kingdom
• Toast, Inc. (“Toast US”)
  333 Summer St.
  Boston, MA 02210
  United States of America
• Toast US is primarily responsible for ensuring that personal information is collected and processed pursuant to UK Data Protection Law. These obligations include (a) the implementation of appropriate data protection policies, (b) the management and notification of security incidents involving personal information, (c) the completion of data protection impact assessments (where appropriate) and (d) the implementation of appropriate technical and organizational security measures. Toast US is also responsible for managing any requests that you may make to exercise your rights under UK Data Protection Law, on behalf of both Toast UK and Toast US.
  

• request access to and obtain a copy of your personal information;
• request the transfer of your personal information you have provided to us to you or another company in a structured, commonly used and machine-readable format;
• request rectification of your personal information when it is inaccurate or incomplete;
• request erasure of your personal information where permitted under the applicable law, such as where the information is no longer necessary or lawful for us to store or where your information is outdated;
• restrict or object to the processing of your personal information (as applicable), including to object to the processing of personal information for direct marketing purposes; and
• withdraw your consent at any time where this is the legal basis on which we are processing your personal information. If you ask to withdraw your consent, this will not affect any processing which has already taken place at that time.
• Please note that if you choose to withdraw your consent, you may not be able to participate in or benefit from the programs, services and initiatives for which you provided consent to the processing of your personal information. Your rights will in each case be subject to the restrictions set out in UK Data Protection Law.
  

• Merchants: Merchant account and ownership information will generally be maintained for seven (7) years following the termination of the relationship absent a legal or regulatory obligation to retain longer;
• Merchant Employees: Merchant employee information will generally be maintained for seven (7) years following the termination of the relationship with the Merchant unless removed sooner by the Merchant; and
• Guests: Digital ordering accounts created by our Guests will be maintained for the duration of their use of the service and removed following five (5) years of inactivity. Transactional information and other Guest information held by our Merchants as part of their operations will be retained for the duration of our relationship with the Merchant plus a period of seven (7) years.
• Other periods are set out within Toast’s records retention policy and schedule. Our retention periods are also subject to any rights of individuals or other requirements that might dictate a shorter retention period (e.g., deletion requests). In certain cases, Toast may also maintain information for a longer period of time, such as in cases where the information is subject to a legal claim or complaint. Following those periods and other determinations on the duration of the processing of personal information by Toast, we will delete or take measures to anonymize your personal information.
• Cookies and other technologies
  In addition to the information found in the section of the main body of the Statement titled “Cookies and other tracking technologies”, Toast’s Cookie Policy can be found here and provides some supplemental information for users in the EU/EEA and UK.
• Children
  Our Services are not targeted or directed at children under the age of 18, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 18. If you have reason to believe that a child under the age of 18 has provided personal information to us, we encourage the child’s parent or guardian to contact us as described in the “How to contact us” section within main body of the Privacy Statement to request that we remove the information from our systems. If we learn that any personal information we collected has been provided by a child under the age of 18, we will promptly delete that personal information.
• How to contact Toast UK
  If you have data protection questions specific to Toast UK, you can reach us at:
  Attn: Toast UK Data Protection Office
  3^rd Floor, 1 Ashley Road
  Altrincham
  Cheshire
  WA14 2DT
  United Kingdom
• Lodging a complaint
  If you are not satisfied with the processing of your personal information, you have the right to lodge a complaint with the UK Information Commissioner’s Office (https://ico.org.uk/).

Addendum F – Australia

• use your information to create anonymised, de-identified and/or aggregated data. For example, we may do this to help protect your privacy in the context of the conduct of analytics by us or third parties; and
• otherwise use and disclose your information for secondary purposes where permitted by applicable law.

• Web portal: Individual Rights Portal
• By post: Attn: Assistant General Counsel, Privacy
  Toast, Inc.
  333 Summer St. Boston, MA 02210
  United States of America
• By phone: (toll-free): +1 (866) 226-4484

Addendum G – New Zealand

1. if you are a Merchant Employee, we will collect information about you from your employer, the Merchant; and
2. if you are a Guest, we will collect information about you from the relevant Merchant and your interaction with them, as well as your interaction directly with Toast.