https://brewmastersfoodgroup.com/privacy
PRIVACY POLICY

This Privacy Statement describes how: Brewmasters, Inc.; Brewmasters of Goldsboro, LLC; Biscuit Kings, LLC d/b/a Flo’s Kitchen; Ruckus & Redemption, LLC; The Hub of Wilson, LLC; and Landromeda Investments, LLC d/b/a Jack’s and The Ruster at the Mills, individually, but hereinafter referred to collectively as “Brewmasters Food Group”, “BFG”, “we”, “us” and/or “our” collects and manages your personal information (i.e., any information that relates to an identified or identifiable individual) as part of providing our Services (defined below).
1. Scope
This Statement primarily covers:
Guests: individuals that use this mobile application (hereinafter referred to as “the App”) at one of our restaurants. Please note that this app is powered by Toast, Inc.
In addition to the groups above, this Statement also covers individuals that visit our websites, and our third-party business partners. We may also process information from other individuals for additional purposes, including for research purposes, sweepstakes and events-related purposes that might be separately collected from time to time but are covered as part of this Statement.
Please note that certain locations where we operate have laws that require us to share specific privacy information and practices with individuals in those locations. To that end, this Privacy Statement is comprised of two sections – a generally applicable statement and a location-specific addendum. 
2. Definitions
Here are a few other terms we use throughout this Privacy Statement that you should know:
Services refers to services and products (including both hardware and software) developed or administered by us from time-to-time, including:
our digital ordering services, such as online ordering, pickup and delivery services, contactless order and pay at the table functionality, gift cards and our mobile application(s);
accounts created through our digital ordering services (“Digital Ordering Account(s)”);
other mobile application(s) developed as part of the Services specifically this guest-facing mobile application;
 (collectively referred to as the “Services”). Please note that certain Services may be facilitated through our Websites or through our third-party business partners.
“You” and/or “your” is a a Guest, a visitor to one of our Websites or other covered data subject.
3. Personal information we collect
The personal information we collect depends on how you interact with our Services and Websites. This includes information about Guests who transact with or otherwise engage with our Merchants. While some information is collected automatically or from external sources, most is collected when you use our Services or Websites. The sections below outline these collection methods in more detail.
Personal information collected through the Services
Guests
The App is powered by Toast. We collect information through your use of the Services (as provided and updated by us over time), including when you create a Digital Ordering Account, use our online ordering features, mobile applications, or related products such as pickup, delivery, on-premise ordering and payment tools, and waitlist or reservation features. We also collect or receive personal information when you place orders, make purchases (including gift cards), complete transactions with our Merchants, or participate in their loyalty programmes.
Depending on which Service(s) you have used, personal information collected may include:
your name;
contact details such as your phone number and email;
your address and other general location details;
your payment card information, such as the brand, card number, security code and expiration date;
transaction information and order history details (e.g., goods/services ordered, date, payment method and amount of payment);
your date of birth (if you choose to provide it);
information about your vehicle (for users of our curbside pickup service);
account and profile information such as your username and password;
if you are a member of a Merchant’s loyalty program, information in relation to your points balance and redemptions;
waitlist or reservation details, including dining preferences, special requests and dietary restrictions; and
your feedback in relation to your experience at our Merchants’ establishments (if you choose to provide it).
Information you choose to share when using the Services such as when you are communicating through mobile applications or in support tickets
The personal information collected will depend on the specific Services you use. In some cases, information may be linked across Toast Services for example, a Guest’s payment card or contact details may be associated with order history, a Toast account, a loyalty account, or a Merchant-specific profile.
Merchants may also choose to collect dietary or allergy-related information. If a Guest provides dietary preferences or requirements as part of a reservation or dining experience and this information is considered health-related under applicable law, providing it constitutes consent to its use for that purpose. Toast processes this information to provide the Services to the Merchant.
Personal information collected through our Websites
We also collect personal information when you visit our Websites and, for example, request information about our Services, download a white paper, schedule a product demo, or subscribe to our media channels (such as blogs or podcasts). This may include:
your name;
email; and
phone number.
Certain information may also be collected automatically when you visit our Websites. For more information, please see the section of this Statement entitled “Information collected automatically.”
Please note that additional information beyond what is described here will be collected (described in the Merchant section above) as part of our online Merchant application process or through our e-commerce Website.
Personal information collected from other sources
As a Guest, or Website visitor, we may also collect personal information about you from third parties such as business partners, data providers, identity verification services, credit bureaus (where applicable), banks, financial institutions, and payment card companies. We may likewise collect publicly available information, including information you share or interactions you have with us on social media.
Information collected automatically
We automatically collect information when you visit our Websites, use our mobile applications, complete a transaction, or use our online services, such as online ordering. For transactions, this may include personal information such as your name when a payment card is used. Information collected automatically by cookies, web beacons or other similar technologies (described in the “Cookies and other tracking technologies” section) may include:
information about your device, such as your device type/model, number and device ID (e.g., MAC address);
information about your browser, settings (e.g., language) and operating system;
your internet protocol (IP) address (including, in some instances, your perceived location);
unique advertising and related identifiers;
transactional and purchase information; and
browsing and usage activity, such as the referring domain, what websites/content you have viewed or actions you have taken on a particular website.
Depending on the Services you use or the Websites you access, we may collect geolocation information from your device when location settings are enabled. For example, we may use this information to show you nearby restaurants in our mobile applications. Location data may be collected through GPS, Bluetooth, cellular or WiFi technologies. If you do not wish to share this information, you can disable location access in your device or browser settings.
4. How we use personal information
We use your personal information primarily to provide our Services and manage our business operations. This includes communicating with you as part of the Services and, where permitted by law or with your consent, using your information for advertising and marketing. We also use personal information to meet legal, compliance, and security obligations. A detailed breakdown of these uses is provided below.
We use personal information to:
Manage our business and for internal operational purposes, including analyzing the performance of our Services;
workforce and service development;
creating and developing analytics for the benefit of our business and the business of our Merchants;
research purposes, including the development of new products; assessing the effectiveness of Services; and
improving our Services and Websites.
Personalize your experience, including by
Creating a Merchant-specific profile based on your interactions with our Guest-facing Services—such as making a payment, joining a waitlist or reservation, placing a digital order, or participating in a Merchant’s loyalty programme. Guest profiles apply only to the specific Merchant or Merchant management group you interact with.
Using information associated with your Toast account to personalize your experience across our Services;
Using transactional data and order history to offer recommendations within our Services or those of our Merchants;
Using information about your dining experience (including waitlist and reservation details) to enhance current and future dining experiences at our Merchants’ restaurants
Using analytics and profiling technologies to personalize your experience.
Using general location information inferred from your IP address to customize content (for example, to display nearby restaurants). This reflects only an approximate area, not a precise location.
Advertise and market to you, including
sending you marketing communications, either directly or through a third-party service provider, in relation to our existing or new Services that we think might interest you;
displaying advertisements for Toast or third-party services in our digital ordering services and mobile applications; and
Based on instructions from our Merchants or our business partners as applicable, either directly or through a third party, to advertise their products and services to you; and
promoting our Services.
Any communications sent to you pursuant to this section shall either be permitted under the applicable law or with your consent. Please see the “Your rights and choices” section of this Statement for more details on opting out of these communications and updating your preferences.
Communicate with you or provide information you have requested, including providing notifications in relation to your purchases or the Services;
sending you white papers and other materials from our Websites;
providing you with our newsletters, podcasts and other subscription materials;
sending you digital receipts; and
responding to feedback that you have provided in relation to our products or Services or those of our Merchants.
For legal, compliance and security-related purposes, including to
comply with our legal obligations, including under anti-money laundering, know- your-customer or similar laws in any relevant jurisdiction;
secure and protect our network and systems;
identify and protect against fraud and other crimes;
establish, exercise or defend legal claims;
perform our contractual obligations; and
monitor and report compliance issues.
5. How we share personal information
In certain circumstances, we share personal information to provide our Services or to fulfil the purposes described in this Statement. For Guests, this includes sharing information with BFG and Toast, and authorized third-party partners. We also work with third-party service providers and business partners who help us deliver, support, and improve our Services
Toast may share personal information as part of providing the Services and for the purposes outlined in this Statement, including:
With our Merchants and their Employees to provide the Services, fulfil your requests, and support the purposes described in this Statement. For example, when you complete a transaction, place a digital order, join a waitlist, or make a reservation, Toast shares relevant order or reservation details with the Merchant. This may include your name, contact information, and information about your dining experience, such as reservation details, preferences, and special requests. Where a Merchant is part of a larger management group, this information may also be shared with other restaurants in that group to support future dining experiences.
With our third-party business partners in order to provide, maintain, improve and expand our Services;
With third-party integration partners selected by the Merchant or with whom you do business where Toast is instructed to share your information as part of the Services;
With our parent, subsidiary, or affiliate companies, agents (if any) for the purposes outlined in this Privacy Statement;
With third parties that help us provide, maintain, and improve our Services. These service providers may access personal information to perform functions on our behalf or on behalf of our Merchants, such as hosting and IT services, payment processing, identity verification and fraud prevention, marketing and advertising, data analytics and personalization, and customer support. 
in connection with, or during the negotiation of, any merger, sale of company stock or assets, financing, acquisition, divestiture or dissolution of all or a portion of our business; or
if we believe it is authorized or necessary to:
protect our rights or property, or the security or integrity of our Services or our Websites;
enforce the terms of our terms of service or other applicable agreements or policies;
protect us, users of our Services or the public from harm or potentially prohibited or illegal activities;
investigate, detect and prevent fraud and security breaches; or
comply with any applicable law, regulation, legal process or governmental request (including, for example, a court order, subpoena, or search warrant).
We may also share aggregated or anonymized information derived from the Services such as device data or information from cookies and log files with third parties for the purposes described in this Statement. This information does not directly identify you..
6. Retention of personal information
We retain personal information as long as reasonably necessary to provide the Services, carry out the purposes described in this Statement or as otherwise required in order to comply with our records retention periods (which reflect the applicable law). For example, we may retain information about users of our Services in order to comply with our legal and regulatory obligations or to protect our interests as part of providing the Services.
7. Cookies and other tracking technologies
Toast and third parties described in this Statement may use cookies, web beacons and other tracking technologies for the purposes described in this Statement. We may use these technologies within our Services and across our Websites, for example to:
 to provide our Services (e.g., authentication within the check-out process); to uniquely identify you and/or your device;
to store your preferences as part of providing the Services;
for personalization, ad measurement and analytics, and targeted advertising purposes (including across your devices and applications);
for security and fraud-prevention purposes;
to analyze and monitor the performance of our Services;  
to improve and develop new Services; and
to understand your use of the Services over time.
Information on how to manage cookies and similar technologies is provided below, along with a more detailed description of how we use them.
A “cookie” is a small text file stored in your browser when you visit our Websites and, in some cases, the websites of our Merchants, business partners, or other third parties. We use session cookies (stored only during a single visit) and persistent cookies (stored beyond a single visit) to provide our Services and for the purposes described in this Statement. Cookies may be set by Toast (first-party cookies) or by third parties acting on our behalf (third-party cookies), such as Google Analytics.
We also use other tracking technologies such as web beacons, pixels, page tags, and embedded scripts—which record interactions with websites, mobile applications, and services. These tools often work alongside cookies or other device identifiers.
Pixels and similar technologies are additionally used in connection with session replay services on certain Websites to help analyze and improve site functionality and user experience.
In some cases, Toast provides Merchants with digital advertising and related services that use cookies, pixels, and similar technologies through integrated third-party tools. Merchants manage their own accounts with these third parties.
You can control or block cookies and related technologies through your browser settings. As each browser is different, please refer to your browser’s help menu. More information on cookies and how to manage them across browsers and devices is available at www.allaboutcookies.org. Please note that disabling cookies may limit your ability to access or use certain features of the Services, depending on the Services you rely on.
Targeted advertising and your choices
In certain cases, we permit third-party advertising partners to use cookies, web beacons, and similar tracking technologies on our Websites, mobile applications, and within our Services to collect information about you and your activities for interest-based advertising or other targeted content. The information collected may be linked to your personal information, or may include personal information gathered over time and across different websites and online services. This information may be shared with ad networks and other content providers
Opting out of interest-based advertising
To opt out of interest-based advertising in your internet browser, please visit www.aboutads.info/choices or www.networkadvertising.org/choices and follow the instructions to place an opt-out cookie on your device.
Opt-out cookies apply only to the browser and device where they are installed. You must opt out separately on each browser and device you use. If you delete cookies, you will need to reapply the opt-out cookie.
To opt out of interest-based advertising in mobile applications, follow the instructions at www.aboutads.info/appchoices or adjust the settings on your mobile device.
Please note that opting out of interest-based advertising does not mean you will stop seeing advertisements from us or on our online services. It simply means that the ads you see should no longer be tailored to your interests. We are not responsible for the effectiveness or compliance of any third party’s opt-out tools or programmes, nor for the accuracy of their statements about those programmes. Third parties may still use cookies to collect information about your use of our online services for purposes such as analytics and fraud prevention.
Do not track
We and certain third parties may use cookies and similar technologies on our Services to collect information about your browsing activities over time and across different websites. Do Not Track (“DNT”) is a browser setting that allows you to indicate your preference regarding such tracking. Except where required under applicable laws such as recognising Global Privacy Control signals noted in our state-specific addendums, we do not currently respond to DNT signals. We may continue to collect information as described in this Privacy Statement from browsers that have enabled DNT or similar mechanisms
8. Your rights and choices
As part of the Services and the processing activities described in this Statement, we recognize that you may wish to update, correct or otherwise manage your personal information, as well as manage how we communicates with you. This includes communications relevant to the Services or fulfilling a particular interaction by law. Depending on your relationship with us, you may be able to manage your personal information directly through the Services or by contacting us.
Managing your information
We aim to provide you with the tools necessary to manage your personal information. We rely on you to ensure your information is accurate, complete, and up to date, and ask that you notify us of any changes. Your ability to update or manage your information will vary depending on your relationship with us and Toast and the specific Services you use. 
In other cases, where applicable, please follow the instructions provided within the relevant Service or contact us using the details in the ‘How to contact us’ section. We may need to verify your identity before updating or correcting your information. In some circumstances, we may be unable to fulfil a request due to legal, contractual, or technical limitations.
Please note that, depending on your status, location, and applicable law, you may have additional rights relating to the processing of your personal information. For details on these rights and where they apply, please refer to the relevant addendums in this Statement.
Managing communications
As part of providing the Services, Toast (directly or through third-party service providers), may send you various types of communications:
Marketing communications: Depending on your relationship with us and the Services you use, we may send marketing or promotional messages about new or existing Services that may be of interest to you. These may include marketing text messages where you have opted in. You can opt out of marketing communications by following the instructions in the message, adjusting your communication preferences in your account or device settings, or submitting a request as noted herein Please note that opting out of one marketing channel does not automatically opt you out of all marketing communications. You may still receive non-marketing communications after opting out. These may include transaction-related messages, loyalty program communications, or account-specific updates. 
Other communications: As part of your interaction with our Services, you may receive various non-marketing communications from Toast that may be sent via email or text message to include:
sending you digital receipts or other messages in relation to Services you engage with; notifications sent by BFG, our business partners and/or third-party service providers as part of our Services, such as order status, delivery or pick up notifications and information pertaining to our reservation and waitlist services;
responding to feedback that you have provided in relation to the Services of BFG or Toast or;
account or program-specific messages as part of your use of the Services (e.g., loyalty accounts with our Merchants or by setting up a Digital Ordering Account); or
messages associated with contests, competitions or promotions that you have elected to participate in.
In certain cases, depending on the nature of your relationship with Toast and the Services being
9. Security
We implement appropriate administrative, physical and technical security measures to reasonably protect your personal information against unauthorized access, disclosure, damage or loss. However, even though we have taken measures to protect your personal information, we cannot guarantee that the collection, transmission and storage of personal information will always be completely secure.
10. Links to other websites
This Privacy Statement only applies to information collected when visiting our Websites or otherwise using our Services. While visiting our Websites or using the Services, you may be directed through links to third-party websites or services that are not operated or controlled by us. For example, the websites of our Merchants or business partners that provide services as part of this Statement. We are not responsible for the privacy practices and policies of these third parties. As a result, we encourage you to review the privacy policies of these third-party websites as their practices may differ from ours.
11. Children
Our Services are not targeted or directed at children under the age of 18, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 18. If you have reason to believe that a child under the age of 13 has provided personal information to us, we encourage the child’s parent or guardian to contact us as described in the “How to Contact Us” section of this Statement to request that we remove the information from our systems. If we learn that any personal information we collected has been provided by a child under the age of 18, we will promptly delete that personal information.
We do, however, process personal information about children when it is necessary for the services we are offering, and you provide it to us. 
12. How to contact us
If you have questions or concerns about our Privacy Statement, our practices or our compliance with applicable privacy laws, you can reach us at: Rhyan@brewmastersnc.com
Additional contact points can be found in the addendums. If you need customer support that is unrelated to Privacy through Toast, please contact the guest support team on this page or navigate to the “Get Help” section of the Local by Toast app.
13. Changes to this Privacy Statement
From time to time, we may update, change, modify or amend this Privacy Statement in order to comply with the applicable law or our changing business practices. Unless we are required by the applicable law to provide a prescribed form of notice and/or obtain consent, updated versions of this Statement may be posted on this website with additional communication. An archived version of our previous Privacy Statement can be found here . Please check this website and this Privacy Statement regularly for updates.
Privacy Statement for residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia (the “States”) as required by the Colorado Privacy Act, Delaware Personal Data Privacy Act, Indiana Consumer Data Protection Act, Iowa Act Relating to Consumer Data Protection, Kentucky Consumer Data Protection Act, Maryland Online Data Privacy Act, Minnesota Consumer Data Privacy Act, Nebraska Data Privacy Act, New Hampshire Privacy Act, New Jersey New Jersey Data Protection Act, Oregon Consumer Privacy Act, Rhode Island Data Transparency and Privacy Protection Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Privacy Statement for Utah Residents as required by the Utah Consumer Privacy Act, Virginia Residents as required by the Virginia Consumer Data Protection Act, (“Applicable State Law”).
The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of the states and qualify as a “Consumer”, or equivalent term under the applicable state law respectively. This State-specific Statement provides additional information about how we collect, use, disclose and otherwise process the personal information of these individuals, either online or offline, within the scope of the applicable state law. Any terms defined in the applicable state law or as otherwise defined in our Privacy Statement have the same meaning as used in this Addendum.
When we use the term “personal information” in this Addendum, we mean “personal data”, and equivalent terms used the applicable state law, including information that is linked or reasonably linkable to an identified or identifiable natural person.
Categories of personal information processed
Please refer to the “Personal information we collect” section in the main body of the Statement.
 In addition, the App may collect “sensitive data” as defined by applicable state law (including the TDPSA) as part of our operations and the Services offered to our customers. The following categories of data may be collected from Guests:
-Personal data revealing mental or physical health diagnosis, to the extent that allergy and dietary restrictions are capable of revealing a mental or physical health diagnosis (“Health data”)
 -Precise geolocation data
Purposes of processing the personal information
Please refer to the “How we use personal information” section in the main body of the Statement. In addition, Toast may collect “sensitive data” as defined by the applicable state law (including the TDPSA) for the following purposes:

 -Health data: a Guest may voluntarily elect to provide this as part of a reservation or their dining experience in the “additional information” section or other free form fields
 -Precise geolocation data: needed for certain digital ordering services and as part of the Services requested by a Guest or with the consent of the individual
iii. Categories of information disclosed to third parties and a description of those third parties
Please refer to the “How we share personal information” section in the main body of the Statement. With respect to sensitive data, we may share precise geolocation data with partners and/or service providers in order to support certain digital ordering services and as part of the App requested by a Guest, or with the consent of the individual.
iii. Categories of third parties with which we share personal information
Please refer to the “How we share personal information” section in the main body of the Statement.
iv. Description of rights available to consumers
A number of individual rights are available to individuals under the applicable state law relating to personal information that we have collected (subject to certain limitations), depending on your State of residence may include:
The right to correction: you have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and purposes of the processing.
The right to deletion: you have the right to delete your personal information you have provided or that has been collected.
The right to obtain a portable copy of your personal information: you have the right to obtain a copy of your personal information that was previously provided in a portable, and to the extent technically feasible, readily usable format that can be transmitted to another entity.
The right to opt out: you have the right to opt out of (as defined by the Applicable State Law) (i) targeted advertising, (ii) the sale of personal information and (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
For residents of Delaware & Oregon: The right to be informed of third party disclosures: you have the right to obtain a list of specific third parties, other than natural persons, to which Toast has disclosed personal information.
For residents of Minnesota:
 The right to question the result of profiling: if your personal data is profiled in furtherance of decisions that produce legal effects concerning you, you have the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions you might have taken to secure a different decision and the actions that you might take to secure a different decision in the future. You have the right to review your personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, you have the right to have the data corrected and the profiling decision reevaluated based upon the correct data. 
For Residents of Rhode Island:
 The right to be informed of data sale recipients: you have the right to obtain a list of third parties to whom your personally identifiable information has been or may be sold.
v. How to invoke your rights
We have an established process for handling individual rights requests. Individual rights requests can be sent to us through the following channels:
 By Mail: Brewmasters Food Group Privacy Office
   PO Box 1328
   Wilson, NC 27894
 By E-Mail: Rhyan@brewmastersnc.com
Once an individual rights request has been submitted, We may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of our services. Where applicable, these requests can be submitted by an authorized agent through the channels described above in accordance with the applicable law. These include requests made on behalf of a minor by the individual’s parent or legal guardian can also be made via the individual rights portal above. In these cases, in order to verify the authorized agent’s authority, we generally require evidence of that individual’s authority to act on behalf of the individual. All individual rights requests will be managed in line with the requirements set out in the applicable state law.
Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law. In the event we decline to take action on a request, we will notify you within the relevant statutory period (typically between 30-90 days from receipt of the original request with our justification for declining to take action and how you may appeal that decision (including an overview of the appeals process and how you can initiate an appeal). Appeals may be sent to the e-mail address set forth above.
8. Sale of personal information
We do not sell personal information. However, Toast as the company which powers the App may. For more information see: https://pos.toasttab.com/privacy#States-Law
9. Targeted advertising
We will provide limited targeted advertising (as that term is defined by the applicable state law) via cookies and related tracking technologies. You can manage your cookie-based targeted advertising preferences by clicking the “Do not sell or share my personal information” link or the "Cookie Settings" (where applicable) at the bottom of the website you are visiting.
10. Profiling
We do not carry out any profiling (as defined by the applicable state law) in furtherance of decisions that produce legal or similarly significant effects concerning consumers that are presently in scope for Applicable State Law purposes.
11. Deidentified information
We may at times receive, or process personal information to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.
13. Updates to this Statement
We will update this Statement from time to time. When we make changes to this Statement, we will change the "Last updated" date at the beginning of this Statement. All changes shall be effective from the date of publication unless otherwise provided in the notification.
Privacy Statement for California Residents as required by the California Consumer Privacy Act of 2018 (including as amended by the California Privacy Rights Act of 2020)(“CCPA”).
The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of California and qualify as a “Consumer” under the CCPA. This California-specific Statement provides additional information about how we collect, use, disclose and otherwise process the personal information of these individuals, either online or offline, within the scope of the CCPA. Any terms defined in the CCPA or as otherwise defined in our Privacy Statement have the same meaning as used in this addendum.
When we use the term “personal information” in this Addendum, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
CCPA personal information table
The below table summarizes:
The categories of personal information collected by Toast in the past 12 months;
The sources of collection of the personal information;
How we use your personal information; and
The categories of personal information disclosed for business purposes by Toast (including to third parties) in the past 12 months.
Please see the generally applicable section of this Privacy Statement for additional information on Toast’s information practices, including more detail on how we use and disclose your personal information.
Identifiers
Collected? Yes.
Examples of personal information collected*:
Merchants: Name, unique personal identifiers, IP address, email address, social security number
Guests: Name, unique personal identifiers, IP address, email address
Merchant Employees: Name, unique personal identifiers, IP address, email address
Categories of sources:
Provided directly to us via utilization of the App.
Commercial or business purpose:
To provide, maintain and support our Services
To manage our business and for internal operational purposes
To advertise and market to you
To personalize your experience
To communicate with you or provide information you have requested
For legal, compliance and security-related purposes
How we disclose your personal information:
With our Merchants and our Merchant Employees
With our business partners
With our service providers
With legal and other regulatory authorities

California Customer Records (Cal. Civ. Code § 1798.80(e))
Collected? Yes.
Examples of personal information collected*:
Merchants: Name, telephone number, bank account number, credit or debit card number, social security number
Guests: Name, telephone number, address, credit or debit card number
Categories of sources:
Provided directly to us partners
Provided to Toast by our service providers
Provided to Toast by our Merchants
Commercial or business purpose:
To provide, maintain and support our Services
To manage our business and for internal operational purposes
To advertise and market to you
To communicate with you or provide information you have requested
For legal, compliance and security-related purposes
How we disclose your personal information:
With our Merchants and our Merchant Employees
With our business partners
With our service providers
With legal and other regulatory authorities

Protected Classification Characteristics
Collected? Yes.
Examples of personal information collected*:
Merchant Employees (using Toast Payroll and Team Management): Race, gender, age
Categories of sources:
Provided directly to Toast
Provided to Toast by us.
Commercial or business purpose:
To provide, maintain and support our Services
For legal, compliance and security-related purposes
How we disclose your personal information:
With our Merchants and our Merchant Employees
With our service providers

Commercial Information
Collected? Yes.
Examples of personal information collected*:
Guests: Records of products or services purchased
Categories of sources:
Provided directly to us by your use.
Commercial or business purpose:
To provide, maintain and support our Services
To manage our business and for internal operational purposes
To personalize your experience
For legal, compliance and security-related purposes
How we disclose your personal information:
With our Merchants and our Merchant Employees
With our business partners
With our service providers
With legal and other regulatory authorities

Biometric Information
Collected? No.
Examples of personal information collected*: N/A
Categories of sources: N/A
Commercial or business purpose: N/A
How we disclose your personal information: N/A

Internet/Network Information
Collected? Yes.
Examples of personal information collected*:
Website browsing activity and interactions, advertisement interactions
Categories of sources:
Provided directly to BFG/Toast
Automatically collected by our service
Commercial or business purpose:
To provide, maintain and support our Services
To manage our business and for internal operational purposes
To personalize your experience
How we disclose your personal information:
With our Merchants and our Merchant Employees
With our service providers

Geolocation Data
Collected? Yes.
Examples of personal information collected*:
Course or precise geolocation information
Categories of sources:
Provided directly to BFG/Toast
Automatically collected by our service
Commercial or business purpose:
To provide, maintain and support our Services
To personalize your experience
To advertise and market to you
For legal, compliance and security-related purposes
How we disclose your personal information:
With our Merchants and our Merchant Employees
With our business partners
With our service providers

Sensory Information
Collected? Yes.
Examples of personal information collected*:
Merchants and Merchant Employees: Audio recordings as part of support services or customer calls
Guests: Audio as part of support services
Categories of sources:
Provided directly to BFG/Toast
Automatically collected by our service
Commercial or business purpose:
To provide, maintain and support our Services
For legal, compliance and security-related purposes
How we disclose your personal information:
With our service providers

Profession/Employment Information
Collected? Yes.
Examples of personal information collected*:
Merchant Employees (using Toast Payroll and Team Management): Employment backgrounds, resumes
Categories of sources:
Provided directly to BFG/Toast
Automatically collected by our service
Commercial or business purpose:
To provide, maintain and support our Services
How we disclose your personal information:
With our Merchants and our Merchant Employees

Non-Public Education Information (20 U.S.C. § 1232g)
Collected? No.
Examples of personal information collected*: N/A
Categories of sources: N/A
Commercial or business purpose: N/A
How we disclose your personal information: N/A

Inferences
Collected? Yes.
Examples of personal information collected*:
Guests: Preferences and behavior as part of using the Services
Categories of sources:
Provided directly to BFG/Toast
Automatically collected by our service
Commercial or business purpose:
To provide, maintain and support our Services
To manage our business and for internal operational purposes
To personalize your experience
How we disclose your personal information:
With our Merchants and our Merchant Employees
With our business partners
With our service providers


*Note that the actual personal information collected will depend on the nature of the individual relationship and the specific Services provided.
B. Categories of personal information sold or shared
While Toast does not “sell” personal information in the traditional sense, we do, however, sell or share personal information for the purpose of displaying advertisements that are selected based on personal information obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications or other services (otherwise known as “targeted advertising” or “cross-context behavioral advertising”), for personalization features and for tracking and analytics purposes. The categories of personal information impacted in the preceding 12 months may include:
Identifiers;
Internet/Network Information; and
Inferences.
Each of the above categories of information may be disclosed to third-parties, which may include our business partners depending on the nature of a user’s interactions. Consumers can exercise their right to opt out of these sales or sharing through our cookie management tool that can be accessed by clicking on our “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com. You can also opt out of the “sale” of personal information or “sharing” for targeted advertising purposes by enabling the Global Privacy Control or a similar opt-out preference setting within the browser you use to access our Websites. Please note that your opt out will be specific to the device and browser you use when you opt out, and our Websites will recognize opt-out preference settings only on domains of our Websites where any “selling” or “sharing” occurs. You may also review our Privacy Statement section titled “Cookies and other tracking technologies” for more information on how Toast uses cookies, analytics and personalized advertising. Toast has no actual knowledge that the “sales” or “sharing” described above include the personal information of individuals under 16 years of age. 

 C. Description of rights available to Consumers 
If you are a resident of the state of California and subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights: 
The right to know/access: you have the right to request that an in-scope business that collects personal information from you, disclose the following upon verification of your identity: (i) the categories of personal information collected about you, (ii) the categories of sources where the personal information was collected, (iii) the business or commercial purposes for collecting (or where applicable, selling or sharing) the personal information, (iv) the categories of personal information that we have disclosed to third parties for a business purpose along with the corresponding recipients, (v) the categories of personal information we have sold or shared along with the corresponding recipients, and (vi) the specific pieces of personal information collected about you.
The right of deletion: you have the right to request that an in-scope business delete personal information that it has collected from you, subject to certain exceptions.
The right of correction: you have the right to request that an in-scope business correct inaccurate personal information, subject to certain conditions. 
The right to opt out of the sale or sharing of personal information: you have the right to request that an in-scope business refrain from selling or sharing personal information it has collected about you to third parties now or in the future. If you are under the age of 16, you have the right to opt in, or to have a parent or guardian opt in on your behalf, to such sales or sharing. 
The right to limit the use and disclosure of sensitive personal information: to the extent that we use sensitive personal information for purposes beyond those set forth in subdivision (a) of Section 1798.121, you have the right to limit the use or disclosure of that sensitive personal information subject to the exceptions within the CCPA.
The right of access to and to the ability to opt-out of automated decision-making technology: subject to further regulations being issued, you have the right to access information pertaining to automated decision-making technologies and the ability to opt out.
The right against discrimination and retaliation: you have the right to not be discriminated or retaliated against as a result of exercising any of the above rights. 
However, please note that if the exercise of these rights limits our ability to process personal information (such as in the case of a deletion request), we may no longer be able to provide you with our Services or engage with you in the same manner. In addition, the exercise of the rights described above may result in a different price, rate, or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.
Please note that your ability to invoke the rights above are limited pursuant to the scope and limitations of the CCPA, including any available exceptions. For example, an access request can only be made twice by a Consumer within a 12-month period. 
D. How to invoke your rights
We have established an individual rights portal as well as other channels for the purposes of submitting the individual rights requests above, including the right of access and deletion. Individual rights requests can be submitted to Toast through the below channels:
By Mail: Brewmasters Food Group Privacy Office
   PO Box 1328
   Wilson, NC 27894
 By E-Mail: Rhyan@brewmastersnc.com

 Once an individual rights request has been submitted, We may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of our Services. Where applicable, these requests can be submitted by an authorized agent through the channels described above in accordance with the applicable law. In these instances, we will take steps to verify the authorized agent’s authority to act on your behalf. In order to verify the authorized agent’s authority, we generally require evidence of either (i) a valid power of attorney or (ii) a signed letter containing your name and contact information, the name and contact information of the authorized agent, and a statement of authorization for the request. Depending on the evidence provided, we may still need to separately reach out to you to confirm the authorized agent has permission to act on your behalf and to verify your identity in connection with the request. Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law in relation to individual rights submissions.   

 To Exercise the Right to Opt Out of the Selling or Sharing of Personal Information 
In certain instances, transfers of data by BFG through Toast (including at the direction of Merchants) to third parties may constitute “selling’/’sales” or “sharing” personal information as defined under Applicable State Law. The purpose of certain transfers is to display targeted advertisements which may be selected based on personal information obtained or inferred over time from an individual’s activities, for personalization features and for tracking and analytics purposes. You can opt-out of these sales as explained below.
If you want to opt out of targeted advertising and “sales” and/or “sharing” of data (as defined under relevant State law) with respect to cookies, pixels and other tracking technologies on websites where such technologies are deployed, this can be managed by clicking the “Do not sell or share my personal information” link at the bottom of websites (such as pos.toasttab.com). Therefore, your opt out will be specific to the device and browser you use when you opt out, and websites will recognize opt-out preference settings only on domains of our websites where any “selling” or “sharing” occurs. You may also review the Privacy Statement section titled “Cookies and other tracking technologies” for more information on how Toast uses cookies, analytics and personalized advertising.
Consumers can also exercise their right to opt out of other sale types these sales by submitting a request via one of the methods described in Section D above. If you share your email address with us as part of your request, we will opt your email address (and other known identifiers) out of targeted advertising and “sales” of data (as defined under Applicable State Law). You can also opt out of the “sale” of personal information or “sharing” for targeted advertising purposes by enabling the Global Privacy Control or a similar opt-out preference setting within the browser you use to access our Websites. Unless you have exercised your right to opt out of the sale or sharing of personal information, we may “sell” or “share” your personal data to third parties for targeted or cross-context behavioral advertising purposes, for personalization features and for tracking and analytics purposes. The third parties to whom we sell or share personal information may use such information for their own purposes in accordance with their own privacy statements. You do not need to create an account with us to exercise your right to opt out of personal information sales or sharing. However, if applicable, we may ask you to provide additional personal information so that we can properly identify you in our dataset and to track compliance with your opt out request. We will only use personal information provided in an opt out request to review and comply with the request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our systems. 
E. Accessibility
In the event you are a user with a disability, or are supporting an individual with a disability, and are having difficulty navigating this Statement or the information linked within this Statement, please contact us at compliance@toasttab.com for support. 
F. Sensitive Personal Information
As part of our services, Toast collects “sensitive personal information” as defined by the CCPA as part of our operations and the Services offered to our Merchants. The categories of sensitive personal information are described below along with the use case and whether the information is sold or shared. 

Social Security Number
Use/Purpose:
Merchants - required as part of the sign up to the Services
Merchant Employees - required for Payroll and Team Management services
Is the sensitive personal information sold? X
Is the sensitive personal information shared? X

Driver’s license number or state ID
Use/Purpose:
Merchants - required as part of the sign up to the Services
Merchant Employees - required for Payroll and Team Management services
Is the sensitive personal information sold? X
Is the sensitive personal information shared? X

Account log-in details plus password or credentials
Use/Purpose:
Merchants - needed to access the Merchant’s Toast account
Merchant Employees – needed to access the Toast services or Payroll and Team Management services
Guests – needed for Toast Digital Account purposes
Is the sensitive personal information sold? X
Is the sensitive personal information shared? X

Precise geolocation
Use/Purpose:
Guests - needed for certain digital ordering services and as part of the Services requested by a Guest or with the consent of the individual
Is the sensitive personal information sold? X
Is the sensitive personal information shared? X

Race or ethnic origin
Use/Purpose:
Merchant Employees – collected with the consent of the individual by the Merchant as part of the Payroll & Team Management services
Is the sensitive personal information sold? X
Is the sensitive personal information shared? X

Health data
Use/Purpose:
Guests – to the extent that allergy and dietary restrictions qualify as “health data”, the Guest may voluntarily elect to provide this as part of a reservation or their dining experience in the “additional information” section or other free form fields
Is the sensitive personal information sold? X
Is the sensitive personal information shared? X

Presently, we do not use or disclose an individual’s sensitive personal information for purposes other than those specified in subdivision (a) of section 1798.121 of the CCPA and as a result, has not included a Notice of Right to Limit.
 G. Retention
We retain personal information as long as reasonably necessary to provide the Services and carry out the purposes described in this Statement. However, if necessary, we may retain personal information for longer periods of time, until set retention periods and deadlines expire, or for instances where we are required to do so in accordance with legal, tax and accounting requirements set by a legislature, regulator or other government authority.  
To determine the appropriate duration of the retention of personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information and if we can attain our objectives by other means, as well as our legal, regulatory, tax, accounting and other applicable obligations. 
 As to each of the categories of personal information collected, the retention period will vary depending on our relationship. For example,
For Merchants and Merchant Employees, we will generally retain their personal information for the duration of our agreement with the Merchant plus a period following termination as provided for in our retention schedules. 
For Guests that have Digital Ordering Accounts, Toast will generally maintain these accounts for the duration of the individual’s use of service plus a period of inactivity.
In other cases, Guest information that is collected by the Merchant but stored by Toast will be retained for the duration of our agreement with the Merchant plus a period following termination as provided for in our retention schedules. 
Information pertaining to support calls are generally retained for one (1) year but may be retained for longer based on the nature of the relationship between Toast and the individual. 
 In all cases, the retention will be subject to any additional legal, regulatory, tax, accounting or other applicable obligations. 
Once retention of the personal information is no longer necessary for the purposes outlined above, we will either delete or de-identify the personal information or, if this is not possible (for example, because personal information has been stored in backup archives), then we will securely store the personal information and isolate it from further processing until deletion or deidentification is possible.
H. Notice of Financial Incentives and loyalty programs
We may offer or enable Merchants to offer various programs, promotions, or features that may be considered a "financial incentive" under privacy laws such as the CCPA.
Toast Programs: These include discounts, special offers, or other benefits we provide directly in exchange for certain actions such as using Toast services or providing information.
Valuation of Personal Information: We do not assign a precise monetary value to the personal information collected through these programs. The value is derived from the increased customer engagement and loyalty that helps us improve our services. The value may differ based on the customer and their usage of the relevant Toast and Merchant programs.
Right to Withdraw: You have the right to withdraw from any Toast-offered financial incentive program at any time. To withdraw from a Toast-offered program, please submit a request should be submitted via the portal (available here), and include the phrase "Financial Incentive Program Withdrawal” in the body of your request. To withdraw from a Merchant program, please contact the Merchant directly.
I. Deidentified information 
We may at times receive, or process personal information to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual or household. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.
J. Updates to this Statement
We will update this Statement from time to time. When we make changes to this Statement, we will change the "Last updated" date at the beginning of this Statement. All changes shall be effective from the date of publication unless otherwise provided in the notification.
California “Shine the Light” disclosure
California residents that have an established business relationship with us have a right to know how their information is disclosed to third parties for their direct marketing purposes under California’s “Shine the Light” law (Civ. Code § 1798.83). Please contact us through any of the communication channels within the “How to contact us” section in the main body of this Statement to invoke these rights.