1. Scope This Statement primarily covers:Merchants: businesses that have expressed interest in using the Services or have contracted with Toast to provide the Services within their restaurants (where this term is used in this Statement in the context of the processing of the personal information of a Merchant, it refers to a Merchant that is an individual);Merchant Employees: employees of our Merchants that use the Services; andGuests: individuals that use the Services at one of our Merchant’s restaurants, through a business partner or directly through Toast.In addition to the groups above, this Statement also covers individuals that visit our websites, including https://pos.toasttab.com (referred to generally as our “Websites”) and our third-party business partners. We may also process information from other individuals for additional purposes, including for research purposes, sweepstakes and events-related purposes that might be separately collected from time to time but are covered as part of this Statement.For individuals using our Toast Pay Card and PayOut service, you are authorizing and directing Toast to obtain information (e.g., transaction data) from any Toast Pay Card issuing bank or processor in order for Toast to provide that service to you. We will use and share any information that we collect from you pertaining to that Service in accordance with our Privacy Notice found here or within the MyToast mobile application.Please note that certain locations where we operate have laws that require us to share specific privacy information and practices with individuals in those locations. To that end, this Privacy Statement is comprised of two sections – a generally applicable statement and a location-specific addendum. Where there are variations for a specific location or additional information that is required to be provided under the applicable country or state law, individuals in that location can refer to the applicable addendum. Links to the pertinent sections, can be found below:United States (California)United States (Colorado)United States (Connecticut)United States (Virginia)United States (Utah)CanadaIrelandUnited KingdomPlease note that our Merchants are independent third parties that maintain their own business practices and policies outside of their relationship with Toast and their use of the Services. As a result, unless provided otherwise in this Statement, we are not responsible for the privacy policies or data practices of our Merchants, who may maintain separate policies and practices. If you are a Merchant Employee, your employer is responsible for providing any additional required notices or information to you regarding its privacy practices outside of this Statement.By using the Services and/or providing us with your personal information, you acknowledge that your personal information will be processed and used in the manner set out in this Privacy Statement. We may amend this Statement from time to time in line with the “Changes to this Privacy Statement” section below. 2. DefinitionsHere are a few other terms we use throughout this Privacy Statement that you should know:“Toast Payroll and Team Management” refers to a module offered as part of the Services directed to Merchant Employees that includes a number of HR-focused services, including, but not limited to, payroll, benefits administration, card services, scheduling and applicant tracking services.Services” refers to services and products (including both hardware and software) developed or administered by us from time-to-time, including:our core point-of-sale (POS) system;payment processing services;our application programming interfaces (“APIs”);associated modules provided as part of our POS system, such as our loyalty, marketing, waitlist and reservations, delivery and Toast Payroll and Team Management modules;other restaurant management services, such as our inventory, invoicing and Bill Pay services;our digital ordering services, such as online ordering, pickup and delivery services, contactless order and pay at the table functionality, gift cards and our mobile application(s);accounts created through our digital ordering services (“Digital Ordering Account(s)”);other mobile application(s) developed as part of the Services, including our Merchant and Merchant Employee-facing mobile applications (e.g., the MyToast mobile application);Health, wellness and other benefit products or services developed, or offered, by Toast or its third-party business partners from time to time for Merchant Employees;Insurance-related services; andMerchant financing (including, but not limited to, Toast Capital Loans), card products, such as the Toast Pay Card (as issued by Sutton Bank, Member FDIC, pursuant to license by Mastercard International Incorporated, or any subsequent issuer) and other financial products offered by Toast or its business partners, including, without limitation, banks and other financial institutions.(collectively referred to as the “Services”). Please note that certain Services may be facilitated through our Websites or through our third-party business partners.“You” and/or “your” is a Merchant, a Merchant Employee, a Guest, a visitor to one of our Websites or other covered data subject. 3. Personal information we collectWhat personal information we collect will depend on the nature of your interaction with the Services and our Websites. This includes Merchants that sign up to use our Services as well as Merchant Employees that are involved in the Merchant’s operations. This also includes Guests that may independently use our Services or carry out a transaction or interact with one of our Merchants. While some information is collected automatically or through sources outside of Toast, most is collected when you use our Services or our Websites. A breakdown of the collection has been provided in the sections below. Personal information collected through the ServicesA. MerchantsIf you are a Merchant, we will collect personal information from you in connection with your service agreement and use (or prospective use) of the Services, including, as applicable,your name;address;email;date of birth; andphone number.As part of our application process and agreement to provide the Services, we will also collect additional information, such as your tax identification number, national identification number (e.g. Social Security number or passport number), your drivers’ license details as well as your banking and payment card information.If you are a business partner that is looking to integrate with Toast, we will also collect information, such as your name and contact details, as part of your application to integrate with our Services. B. Merchant EmployeesIf you are a Merchant Employee, we collect personal information about you through your use of the Services. This includes:your name;email;phone number;employee identification number;address;date of birth; andinformation relating to your role, such as your job title, wage rates and salary and hours worked.To the extent you are employed by a Merchant that uses the Toast Payroll and Team Management module, we may also collect:your Social Security number or other national identification number;banking information as part of payroll;your professional and educational history;tax documentation such as your W2 and 1095 tax forms;your benefit elections;driver’s license information;gender;marital status;disability status;ethnicity; andyour dependent and beneficiary information.Please note that the actual personal information collected will depend on the specific Toast Payroll and Team Management services that you or your employer has elected to use. Please contact your employer for additional information. For Merchant Employees using the Toast Pay Card and PayOut Service, in addition to certain information already collected above, Toast will also collect information about your account and transaction history as part of the Service. For more information about this Service, please see the Privacy Notice here or within the MyToast mobile application.C. GuestsWe collect information from you through your use of the Services (as provided and developed by us from time to time), which may include the creation of a Digital Ordering Account, your use of our online ordering features and mobile application(s) and other related products, such as our pickup, delivery and on-premise ordering and payment services, and waitlist and reservation features. We may also collect and/or receive your personal information when you place an order with, make a purchase from (including gift cards), or otherwise complete a transaction with our Merchants or participate in their respective loyalty programs.Depending on which Service(s) you have used, personal information collected may include:your name;contact details such as your phone number and email;your address and other general location details;your payment card information, such as the brand, card number, security code and expiration date;transaction information and order history details (e.g., goods/services ordered, date, payment method and amount of payment);your date of birth (if you choose to provide it);information about your vehicle (for users of our curbside pickup service);account and profile information such as your username and password;if you are a member of a Merchant’s loyalty program, information in relation to your points balance and redemptions;waitlist or reservation details, including dining preferences, special requests and dietary restrictions; andyour feedback in relation to your experience at our Merchants’ establishments (if you choose to provide it).In all cases, the actual personal information collected will vary depending on the Services being used. Depending on the Services being used, personal information may also be linked to your use of the Services across Toast. For example, as a Guest, your payment card or contact information may be linked to an order history, a specific loyalty account or Merchant-specific profile around your interactions with that Merchant or the Merchant’s management group.Toast Merchants may also elect to collect dietary and allergy-related information as part of the Services. To the extent a Guest elects to provide information pertaining to their dietary requirements as part of a reservation or their dining experience that may be found to constitute health or medical-related information under the applicable law, that individual is consenting to having that information used as part of that experience and the Service. In these cases, Toast processes this information to provide the Services to the Merchant.Personal information collected through our WebsitesIn addition to using the Services, we may also collect personal information when you visit our Websites and request information about our Services, download a white paper, schedule a product demo or subscribe to our media channels (e.g., blogs, podcasts, etc.). This personal information may include:your name;email; andphone number.Certain information may also be collected automatically when you visit our Websites. For more information, please see the section of this Statement entitled “Information collected automatically.”Please note that additional information beyond what is described here will be collected (described in the Merchant section above) as part of our online Merchant application process or through our e-commerce Website.Personal information collected from other sourcesDepending on whether you are a Merchant, a Merchant Employee, a Guest or a visitor to one of our Websites, we may also collect personal information about you from third parties including our business partners, data providers, identity verification services, credit bureaus (if applicable), banks and other financial institutions and credit card companies. We may also collect information from you that is publicly available. For example, if you interact with us or share your information through various social media channels.Information collected automaticallyWe collect information automatically when you visit our Websites, use our mobile application(s), complete a transaction, or use our online services, such as online ordering. For transactions, this may include personal information such as your name when a payment card is used. Information collected automatically by cookies, web beacons or other similar technologies (described in the “Cookies and other tracking technologies” section of this Statement) may include:information about your device, such as your device type/model, number and device ID (e.g., MAC address);information about your browser, settings (e.g., language) and operating system;your internet protocol (IP) address (including, in some instances, your perceived location);unique advertising and related identifiers;transactional and purchase information; andbrowsing and usage activity, such as the referring domain, what websites/content you have viewed or actions you have taken on a particular website.Depending on the Services being used or the Websites you access, we may also collect geolocation information through your devices. For example, we may show you what restaurants in your area are available within our mobile application(s). This information may be collected via GPS, Bluetooth, cellular or WiFi technologies. You can adjust your settings at the device or browser level to disable the use of these technologies. 4. How we use personal informationWe use your personal information first and foremost to provide you with our Services and to manage our business operations. This includes communicating with you as part of those Services as well as for advertising and marketing purposes where permitted under the applicable law or where we have your consent. In all cases, information is used to support our adherence to any legal, compliance or security-related obligations. The actual nature of how we use personal information will depend on the nature of the Services provided to you and may vary depending on if you are a Guest, a Merchant, a Merchant Employee or other covered individual under this Statement. A more detailed breakdown of how we use personal information can be found below. We use personal information to:Provide, maintain and support our Services, includingto provide updates, support and training related to the Services;to determine the eligibility of individuals in relation to their use of certain Services;for contracting and agreement purposes;to process transactions and payments through the Services;to enable our Merchants and our Merchants Employees to access and use the Services, including information that you have provided as part of using the Services; and to provide online services, including verifying your identity, as well as diagnosing technical and service issues. Manage our business and for internal operational purposes, includinganalyzing the performance of our Services;workforce and service development;creating and developing analytics for the benefit of our business and the business of our Merchants;research purposes, including the development of new products;assessing the effectiveness of Services; andimproving our Services and Websites.Personalize your experience, includingcreating a Merchant-specific profile based on your interactions across our various Guest-facing Services, including, but not limited to, when you make a payment at one of our Merchant’s restaurants, join a waitlist or make a reservation, complete a digital order or join one of our Merchant’s loyalty programs. Guest profiles are limited to a specific Merchant or a Merchant management group that you have visited or used as part of the Services.using transactional data and order histories to provide recommendations when using our Services or those of our Merchants;using information about your dining experience (including waitlist and reservation information) to personalize your experience at our Merchant’s restaurants (including in relation to your future dining experiences); andusing analytics and profiling technology to personalize your online experience on our Websites.Advertise and market to you, includingsending you marketing communications, either directly or through a third-party service provider, in relation to our existing or new Services that we think might interest you;displaying advertisements for Toast or third-party services in our digital ordering services and mobile applications; andenabling our Merchants or our business partners, either directly or through a third party, to advertise their products and services to you.Any communications sent to you pursuant to this section shall either be permitted under the applicable law or with your consent. Please see the “Your rights and choices” section of this Statement for more details on opting out of these communications and updating your preferences.Communicate with you or provide information you have requested, includingproviding notifications in relation to your purchases or the Services;sending you white papers and other materials from our Websites;providing you with our newsletters, podcasts and other subscription materials;sending you digital receipts; andresponding to feedback that you have provided in relation to our products or Services or those of our Merchants.For legal, compliance and security-related purposes, including tocomply with our legal obligations, including under anti-money laundering, know-your-customer or similar laws in any relevant jurisdiction;secure and protect our network and systems;identify and protect against fraud and other crimes;establish, exercise or defend legal claims;perform our contractual obligations; andmonitor and report compliance issues. 5. How we share personal informationIn certain instances, Toast will share the personal information it collects from you or otherwise processes from you in order to provide our Services or fulfill the other purposes within this Statement. If you are a Guest, this includes sharing personal information with our Merchants and Merchant Employees as well as with third-party partners that are authorized by the Merchant to access your information. We also maintain a number of relationships with third-party service providers as well as business partners that we use to provide, support and improve our Services. Toast may share personal information as part of providing the Services and for the purposes described within this Statement. This includes:with our Merchants and our Merchants’ Employees for the purposes of providing the Services to you, fulfilling your requests and for the other purposes described in this Statement. As part of providing the Services (for example, when you complete a transaction at a Merchant’s restaurant or through our digital ordering services, join a waitlist or complete a reservation), Toast will share your order information or details about your reservation with the Merchant. This may include personal details such as your name, contact information as well as information about your dining experience, including reservation details, dining preferences and special requests. In certain cases, where a Merchant is part of a larger management group, this may include sharing that information with other restaurants within that group as part of your future dining experiences;with our third-party business partners in order to provide, maintain, improve and expand our Services;with third-party integration partners selected by the Merchant or with whom you do business where Toast is instructed to share your information as part of the Services;with our parent, subsidiary, or affiliate companies, agents (if any) for the purposes outlined above;with third parties to provide, maintain and improve our Services, including service providers who access information about you to perform services on our behalf or on behalf of our Merchants, such as hosting and information technology services, payment services, identity verification and fraud prevention services, marketing and advertising services, data analytics and personalization services and customer support services. Please note:If you are a Merchant Employee whose employer is using the Toast Payroll and Team Management module, we will share your information with benefits, payroll and other employment-related service providers.If you are a Merchant that applies for financing through Toast’s platform, we will share your information (including personal information) with the lender. As part of the application, a credit report will also be requested from third-party credit bureaus to determine your eligibility for such financing.in connection with, or during the negotiation of, any merger, sale of company stock or assets, financing, acquisition, divestiture or dissolution of all or a portion of our business; orif we believe it is authorized or necessary to:protect our rights or property, or the security or integrity of our Services or our Websites;enforce the terms of our terms of service or other applicable agreements or policies;protect us, users of our Services or the public from harm or potentially prohibited or illegal activities;investigate, detect and prevent fraud and security breaches; orcomply with any applicable law, regulation, legal process or governmental request (including, for example, a court order, subpoena, or search warrant).We may also share aggregated and/or anonymized information derived from the Services that does not directly identify you, including device information and information derived from cookies and log files with third parties for the purposes described in this Statement.For individuals using the Toast Pay Card and PayOut Service, please see our Privacy Notice here or within the MyToast mobile application for information on how we disclose your information for the purposes of providing that Service. 6. Retention of personal informationWe retain personal information as long as reasonably necessary to provide the Services, carry out the purposes described in this Statement or as otherwise required in order to comply with our records retention periods (which reflect the applicable law). For example, we may retain information about users of our Services in order to comply with our legal and regulatory obligations or to protect our interests as part of providing the Services. 7. Cookies and other tracking technologies Toast and third parties described in this Statement may use cookies, web beacons and other tracking technologies as part of providing the Services and for the purposes described in this Statement. We may use these technologies:to provide our Services (e.g., authentication within the check-out process);to uniquely identify you and/or your device;to store your preferences as part of providing the Services;for personalization and targeted advertising purposes (including across your devices and applications);for security and fraud-prevention purposes;to analyze and monitor the performance of our Services;to improve and develop new Services; andto understand your use of the Services over time.Information on how to manage cookies and related technologies within your browser and more generally can be found below along with a more detailed description of how we use these technologies. A “cookie” is a small text file placed and saved in your browser when you access our Websites and potentially the websites of our Merchants, business partners and other third parties. We use both session cookies (i.e., cookies that are stored only for a specific website visit) and persistent cookies (i.e., cookies that are stored beyond a specific website visit) to provide the Services and for the purposes described in this Statement. These cookies may be set by us (first-party cookies) or set by third parties that collect information on our behalf (third-party cookies), such as Google Analytics.There are other tracking technologies, such as web beacons/GIFs, pixels, page tags, embedded scripts, that consist of small transparent image files or other web programming code that record how you interact with websites, mobile applications and services. They are often used in conjunction with web browser cookies or other identifiers associated with your device.As part of using the Services, we use these technologies as well as similar technologies within our Services and across our Websites. Examples include:to provide our Services (e.g., authentication within the check-out process);to uniquely identify you and/or your device;to store your preferences as part of providing the Services;for personalization and targeted advertising purposes (including across your devices and applications);for security and fraud-prevention purposes;to analyze and monitor the performance of our Services;to improve and develop new Services; andto understand your use of the Services over time.In certain instances, Toast may provide our Merchants with digital advertising and related services that involve the collection and use of cookies, pixels and related technologies via integrations. In these cases, Merchants set up independent accounts with these third parties.We also use pixels and related technologies as part of session replay services on certain Websites that are used to understand and improve functionality and an individual’s experience on those sites.There are ways to control and/or reject the setting of cookies and similar technologies within your browser settings. As each browser is different, please consult the “help” menu within your browser. For additional information about cookies and how to control their use on various browsers and devices, you can visit http://www.allaboutcookies.org. Please be aware that depending on the Services being used, restricting cookies may prevent you from accessing and using all or part of the Services.Targeted advertising and your choicesIn certain cases, we allow third-party advertising partners to use cookies, web beacons and other tracking technologies on our Websites, mobile applications and within our Services to collect information about you and your activities for interest-based advertising or other targeted content. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. This information may be shared with ad networks and other content providers.If you want to opt out of receiving online interest-based advertisements on your internet browser, please visit and follow the instructions at www.aboutads.info/choices, or http://www.networkadvertising.org/choices/ to place an opt-out cookie on your device indicating that you do not want to receive interest-based advertisements. Opt-out cookies only work on the specific internet browser and device that they are downloaded onto. If you want to opt out of interest-based advertisements across all your browsers and devices, you will need to opt out on each browser on each device you actively use. If you delete cookies on your device generally, you will need to set the opt-out cookie again on that device. If you want to opt out of receiving online interest-based advertisements on mobile applications, please follow the instructions at http://www.aboutads.info/appchoices or by visiting the settings in your mobile device.Please note that when you opt out of receiving interest-based advertisements, this does not mean you will no longer see advertisements from us or on our online services. It means that the online ads that you do see should not be tailored to your interests. We are not responsible for the effectiveness of, or compliance with, any third-parties’ opt-out options or programs or the accuracy of their statements regarding their programs. In addition, third parties may still use cookies to collect information about your use of our online services, including for analytics and fraud prevention purposes.Do not trackWe may use, and we may allow third-party service providers and other third parties to use, cookies or other technologies on our Services that collect information about your browsing activities over time and across different websites following your use of the Services. Do Not Track (“DNT”) is an optional browser setting that allows you to express your preferences regarding tracking across websites. Outside of certain opt-out preference settings within the browser used to access our Websites such as the Global Privacy Control noted in the state-specific addendums, we currently do not respond to DNT signals and we may continue to collect information in the manner described in this Privacy Statement from web browsers that have enabled DNT signals or similar mechanisms.8. Your rights and choices As part of the Services and other processing described in this Statement, we recognize that you may want to update, correct or otherwise manage your personal information that we process as well as manage how Toast communicates with you. This includes communications relevant to the Services or fulfilling a particular interaction with you as well as marketing communications where we have your consent or as otherwise permitted under the applicable law. Depending on the nature of your relationship with Toast, we may provide you with the capability to manage your personal information directly as part of the Services or by contacting Toast. Managing your informationWe want to ensure that you have the necessary tools at your disposal to manage your personal information. We rely on you to ensure that your information is accurate, complete and up to date and ask that you notify us of any changes to your personal information. Your ability to update and manage your personal information will differ depending on your relationship with Toast and what Services you use. For example,As a Merchant, for certain services, you may access, change or correct certain account information at any time by logging into your account. In other instances, please contact our customer success team.As a Merchant Employee using the Toast Payroll and Team Management module or other Merchant Employee-facing Services, you have the ability in many cases to access and update your information through the Services. In other instances, please reach out to your Merchant Employer.As a Guest, depending on the Services you use, you may be able to access, change and update your information through an account created as part of the Services (e.g., a Digital Ordering Account). If you are a Guest and would like to have your account deleted or have other questions about your Digital Ordering Account, please contact support@toasttakeout.zendesk.com. In certain cases (e.g., Toast Takeout), you can also submit a request for deletion of your Digital Ordering Account from directly within the mobile application.In other instances, if applicable, see the instructions provided as part of the Services or contact us as described in the “How to contact us” section of this Statement. We may need to verify your identity before changing or correcting your information. In certain instances, we may not be able to make the correction or accommodate the request due to legal, contractual or technical restrictions.Please note that depending on your status, location and applicable law, you may be entitled to additional information rights in relation to the processing of your personal information. For more information regarding these rights, and the locations/circumstances where these rights are available, please see the applicable addendums in this Statement.Managing communicationsAs part of providing the Services, Toast (whether directly or through a third-party service provider), may send you:Marketing communications: Depending on the nature of our relationship and the Services being used, we may send you marketing and other promotional communications for new or existing Services that we think you might be interested in. These marketing communications may include marketing text messages if you have opted in to receiving them. You can opt out of or unsubscribe from any marketing communications by following the instructions in those messages, by changing your communications preferences within your account or through your device. You can also opt out by contacting us at privacy@toasttab.com. Opting out of one communication will not necessarily opt you out of all marketing communications. Please note that you may still receive certain non-marketing communications after opting out. These messages may include transaction-specific communications, messages as part of a loyalty program or account-specific communications. If you are located outside the United States, we will not send you direct marketing communications without your opt-in consent or as otherwise permitted under the applicable law. In certain cases, our Merchants (including those within a Merchant’s management group) may also send you marketing and promotional communications as part of the Services, including when you visit a Merchant using Toast or join a Merchant-specific loyalty program. In these instances, please follow the instructions within those messages to opt out or reach out to the Merchant directly.Other communications: As part of your interaction with our Services, you may receive various non-marketing communications from Toast that may be sent via email or text message. These include:For Guests:sending you digital receipts or other messages in relation to Services you engage with;notifications sent by Merchants, our business partners and/or third-party service providers as part of our Services, such as order status, delivery or pick up notifications and information pertaining to our reservation and waitlist services;responding to feedback that you have provided in relation to the Services of Toast or one of our Merchants;account or program-specific messages as part of your use of the Services (e.g., loyalty accounts with our Merchants or by setting up a Digital Ordering Account); ormessages associated with contests, competitions or promotions that you have elected to participate in.For Merchants and Merchant Employees:messages relating to Toast’s services and demo requests (for prospective Merchants);on-boarding related messages pertaining to setting up the Services; ormessages pertaining to Services that you are using or are under your account.In certain cases, depending on the nature of your relationship with Toast and the Services being used, you may also receive messages from third-party service providers and business partners.For additional information about how we communicate with you, please contact us at privacy@toasttab.com. 9. SecurityWe implement appropriate administrative, physical and technical security measures to reasonably protect your personal information against unauthorized access, disclosure, damage or loss. However, even though we have taken measures to protect your personal information, we cannot guarantee that the collection, transmission and storage of personal information will always be completely secure. 10. Links to other websitesThis Privacy Statement only applies to information collected when visiting our Websites or otherwise using our Services. While visiting our Websites or using the Services, you may be directed through links to third-party websites or services that are not operated or controlled by us. For example, the websites of our Merchants or business partners that provide services as part of this Statement. We are not responsible for the privacy practices and policies of these third parties. As a result, we encourage you to review the privacy policies of these third-party websites as their practices may differ from ours. 11. ChildrenOur Services are not targeted or directed at children under the age of 13, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 13. If you have reason to believe that a child under the age of 13 has provided personal information to us, we encourage the child’s parent or guardian to contact us as described in the “How to Contact Us” section of this Statement to request that we remove the information from our systems. If we learn that any personal information we collected has been provided by a child under the age of 13, we will promptly delete that personal information.We do, however, process personal information about children when it is necessary for the services we are offering, and you provide it to us. For example, if you are a Merchant Employee, we may collect information relating to children if your employer is using the Toast Payroll and Team Management module and you add them as dependents under your benefits policies. 12. How to contact us If you have questions or concerns about our Privacy Statement, our practices or our compliance with applicable privacy laws, you can reach us at: By email: privacy@toasttab.com By post: Attn: Toast Privacy OfficeToast, Inc.333 Summer St. Boston, MA 02210 By phone: (866) 226-4484Additional contact points can be found in the addendums.A downloadable version of this Statement can be found here.13. Changes to this Privacy StatementFrom time to time, we may update, change, modify or amend this Privacy Statement in order to comply with the applicable law or our changing business practices. Unless we are required by the applicable law to provide a prescribed form of notice and/or obtain consent, updated versions of this Statement may be posted on this website with additional communication. An archived version of our previous Privacy Statement can be found here . Please check this website and this Privacy Statement regularly for updates. Addendum A – United States (California)Last updated: July 1, 20241. Privacy Statement for California Residents as required by the California Consumer Privacy Act of 2018 (including as amended by the California Privacy Rights Act of 2020)(“CCPA”). The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of California and qualify as a “Consumer” under the CCPA. This California-specific Statement provides additional information about how we collect, use, disclose and otherwise process the personal information of these individuals, either online or offline, within the scope of the CCPA. Any terms defined in the CCPA or as otherwise defined in our Privacy Statement have the same meaning as used in this addendum. When we use the term “personal information” in this Addendum, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. CCPA personal information tableThe below table summarizes:The categories of personal information collected by Toast in the past 12 months;The sources of collection of the personal information; How we use your personal information; andThe categories of personal information disclosed for business purposes by Toast (including to third parties) in the past 12 months.Please see the generally applicable section of this Privacy Statement for additional information on Toast’s information practices, including more detail on how we use and disclose your personal information. Category of personal informationCollected?Examples of personal information collected*Categories of sourcesCommercial or business purposeHow we disclose your personal informationIdentifiersYesMerchants: Name, unique personal identifiers, IP address, email address, social security numberGuests: Name, unique personal identifiers, IP address, email addressMerchant Employees: Name, unique personal identifiers, IP address, email addressProvided directly to ToastAutomatically collectedProvided to Toast by our business partnersProvided to Toast by our service providersProvided to Toast by our MerchantsTo provide, maintain and support our Services To manage our business and for internal operational purposesTo advertise and market to youTo personalize your experienceTo communicate with you or provide information you have requested For legal, compliance and security-related purposesWith our Merchants and our Merchant Employees With our business partnersWith our service providersWith legal and other regulatory authoritiesCalifornia Customer Records (Cal. Civ. Code § 1798.80(e))YesMerchants: Name, telephone number, bank account number, credit or debit card number, social security numberGuests: Name, telephone number, address, credit or debit card numberProvided directly to ToastProvided to Toast by our business partnersProvided to Toast by our service providersProvided to Toast by our MerchantsTo provide, maintain and support our Services To manage our business and for internal operational purposesTo advertise and market to youTo communicate with you or provide information you have requested For legal, compliance and security-related purposesWith our Merchants and our Merchant EmployeesWith our business partnersWith our service providersWith legal and other regulatory authoritiesProtected Classification CharacteristicsYesMerchant Employees: (using Toast Payroll and Team Management): Race, gender, ageProvided directly to ToastProvided to Toast by our MerchantsTo provide, maintain and support our ServicesFor legal, compliance and security-related purposesWith our Merchants and our Merchant EmployeesWith our service providersCommercial InformationYesMerchants: Records of products or services purchasedGuests: Records of products or services purchasedProvided directly to ToastProvided to Toast by our business partnersProvided to Toast by our service providersProvided to Toast by our MerchantsTo provide, maintain and support our Services To manage our business and for internal operational purposesTo personalize your experienceFor legal, compliance and security-related purposesWith our Merchants and our Merchant EmployeesWith our business partnersWith our service providersWith legal and other regulatory authoritiesBiometric InformationNoN/AN/AN/AN/AInternet/Network InformationYesWebsite browsing activity and interactions, advertisement interactionsProvided directly to ToastAutomatically collectedProvided to Toast by our service providersTo provide, maintain and support our Services To manage our business and for internal operational purposesTo personalize your experienceTo advertise and market to youWith our Merchants and our Merchant EmployeesWith our service providersGeolocation DataYesCourse or precise geolocation informationProvided directly to ToastAutomatically collectedProvided to Toast by our service providersTo provide, maintain and support our Services To personalize your experienceTo advertise and market to youFor legal, compliance and security-related purposesWith our Merchants and our Merchant EmployeesWith our business partnersWith our service providersSensory InformationYesMerchants and Merchant Employees: Audio recordings as part of support services or customer callsGuests: Audio as part of support servicesProvided directly to ToastProvided to Toast by our service providersTo provide, maintain and support our Services For legal, compliance and security-related purposesWith our service providersProfession/Employment InformationYesMerchant Employees (using Toast Payroll and Team Management): Employment backgrounds, resumesProvided directly to ToastTo provide, maintain and support our ServicesWith our Merchants and our Merchant EmployeesWith our service providersNon-Public Education Information (20 U.S.C. § 1232g, 34 C.F.R. Part 99)NoN/AN/AN/AN/AInferencesYesGuests: Preferences and behavior as part of using the ServicesProvided directly to ToastProvided to Toast by our business partnersProvided to Toast by our service providersProvided to Toast by our MerchantsTo provide, maintain and support our Services To manage our business and for internal operational purposesTo personalize your experienceTo advertise and market to youWith our Merchants and our Merchant EmployeesWith our business partnersWith our service providers*Note that the actual personal information collected will depend on the nature of the individual relationship and the specific Services provided. Categories of personal information sold or sharedWhile Toast does not “sell” personal information in the traditional sense, we do, however, sell or share personal information for the purpose of displaying advertisements that are selected based on personal information obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications or other services (otherwise known as “targeted advertising” or “cross-context behavioral advertising”), for personalization features and for tracking and analytics purposes. The categories of personal information impacted in the preceding 12 months may include:Identifiers;Internet/Network Information; andInferences.Each of the above categories of information may be disclosed to third-parties, which may include our business partners depending on the nature of a user’s interactions.Consumers can exercise their right to opt out of these sales or sharing through our cookie management tool that can be accessed by clicking on our “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com. You can also opt out of the “sale” of personal information or “sharing” for targeted advertising purposes by enabling the Global Privacy Control or a similar opt-out preference setting within the browser you use to access our Websites. Please note that your opt out will be specific to the device and browser you use when you opt out, and our Websites will recognize opt-out preference settings only on domains of our Websites where any “selling” or “sharing” occurs. You may also review our Privacy Statement section titled “Cookies and other tracking technologies” for more information on how Toast uses cookies, analytics and personalized advertising. Toast has no actual knowledge that the “sales” or “sharing” described above include the personal information of individuals under 16 years of age.Description of rights available to Consumers If you are a resident of the state of California and subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights: The right to know/access: you have the right to request that an in-scope business that collects personal information from you, disclose the following upon verification of your identity: (i) the categories of personal information collected about you, (ii) the categories of sources where the personal information was collected, (iii) the business or commercial purposes for collecting (or where applicable, selling or sharing) the personal information, (iv) the categories of personal information that we have disclosed to third parties for a business purpose along with the corresponding recipients, (v) the categories of personal information we have sold or shared along with the corresponding recipients, and (vi) the specific pieces of personal information collected about you. The right of deletion: you have the right to request that an in-scope business delete personal information that it has collected from you, subject to certain exceptions.The right of correction: you have the right to request that an in-scope business correct inaccurate personal information, subject to certain conditions. The right to opt out of the sale or sharing of personal information: you have the right to request that an in-scope business refrain from selling or sharing personal information it has collected about you to third parties now or in the future. If you are under the age of 16, you have the right to opt in, or to have a parent or guardian opt in on your behalf, to such sales or sharing. The right to limit the use and disclosure of sensitive personal information: to the extent that we use sensitive personal information for purposes beyond those set forth in subdivision (a) of Section 1798.121, you have the right to limit the use or disclosure of that sensitive personal information subject to the exceptions within the CCPA.The right of access to and to the ability to opt-out of automated decision-making technology: subject to further regulations being issued, you have the right to access information pertaining to automated decision-making technologies and the ability to opt out.The right against discrimination and retaliation: you have the right to not be discriminated or retaliated against as a result of exercising any of the above rights. However, please note that if the exercise of these rights limits our ability to process personal information (such as in the case of a deletion request), we may no longer be able to provide you with our Services or engage with you in the same manner. In addition, the exercise of the rights described above may result in a different price, rate, or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.Please note that your ability to invoke the rights above are limited pursuant to the scope and limitations of the CCPA, including any available exceptions. For example, an access request can only be made twice by a Consumer within a 12-month period. How to invoke your rightsToast has established an individual rights portal as well as other channels for the purposes of submitting the individual rights requests above, including the right of access and deletion. Individual rights requests can be submitted to Toast through the below channels:Web portal: Individual Rights PortalBy email: privacy@toasttab.comBy post: Attn: Toast Privacy Office Toast, Inc. 333 Summer St. Boston, MA 02210By phone (toll-free): (866) 226-4484Once an individual rights request has been submitted, Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of Toast’s Services. Where applicable, these requests can be submitted by an authorized agent through the channels described above in accordance with the applicable law. In these instances, we will take steps to verify the authorized agent’s authority to act on your behalf. In order to verify the authorized agent’s authority, we generally require evidence of either (i) a valid power of attorney or (ii) a signed letter containing your name and contact information, the name and contact information of the authorized agent, and a statement of authorization for the request. Depending on the evidence provided, we may still need to separately reach out to you to confirm the authorized agent has permission to act on your behalf and to verify your identity in connection with the request. Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law in relation to individual rights submissions.To Exercise the Right to Opt Out of the Selling or Sharing of Personal Information Unless you have exercised your right to opt out of the sale or sharing of personal information, we may “sell” or “share” your personal data to third parties for targeted or cross-context behavioral advertising purposes, for personalization features and for tracking and analytics purposes. The third parties to whom we sell or share personal information may use such information for their own purposes in accordance with their own privacy statements. In these instances, the right to opt out of the sale of personal information can be invoked through our cookie management tool that can be accessed by clicking on our “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com. You can also opt out of the “sale” of personal information or “sharing” for targeted advertising purposes by enabling the Global Privacy Control or a similar opt-out preference setting within the browser you use to access our Websites. Please note that your opt out will be specific to the device and browser you use when you opt out, and our Websites will recognize opt-out preference settings only on domains of our Websites where any “selling” or “sharing” occurs. Although Toast does not currently engage in other practices at this time that may constitute a “sale” or “sharing” beyond these instances and the methods above are the most effective methods to manage your preferences, you may also submit your right to opt out of any sales or sharing by clicking here or in instances where you would like additional support. You do not need to create an account with us to exercise your right to opt out of personal information sales or sharing. However, if applicable, we may ask you to provide additional personal information so that we can properly identify you in our dataset and to track compliance with your opt out request. We will only use personal information provided in an opt out request to review and comply with the request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our systems. Once you make an opt-out request, you may change your mind and opt back in to future personal information sales at any time by contacting us at privacy@toasttab.com or by managing your preferences within the cookie management tool.AccessibilityIn the event you are a user with a disability, or are supporting an individual with a disability, and are having difficulty navigating this Statement or the information linked within this Statement, please contact us at privacy@toasttab.com for support. Sensitive Personal InformationAs part of our services, Toast collects “sensitive personal information” as defined by the CCPA as part of our operations and the Services offered to our Merchants. The categories of sensitive personal information are described below along with the use case and whether the information is sold or shared. Category of sensitive personal informationUse/PurposeIs the sensitive personal information sold?Is the sensitive personal information shared?Social Security NumberMerchants - required as part of the sign up to the Services Merchant Employees - required for Payroll and Team Management servicesNoNoDriver’s license number or state IDMerchants - required as part of the sign up to the ServicesMerchant Employees - required for Payroll and Team Management servicesNoNoAccount log-in details plus password or credentialsMerchants - needed to access the Merchant’s Toast accountMerchant Employees – needed to access the Toast services or Payroll and Team Management servicesGuests – needed for Toast Digital Account purposesNoNoPrecise geolocationGuests - needed for certain digital ordering services and as part of the Services requested by a Guest or with the consent of the individualNoNoRace or ethnic originMerchant Employees – collected with the consent of the individual by the Merchant as part of the Payroll & Team Management servicesNoNoHealth dataGuests – to the extent that allergy and dietary restrictions qualify as “health data”, the Guest may voluntarily elect to provide this as part of a reservation or their dining experience in the “additional information” section or other free form fieldsNoNoPresently, Toast does not use or discloses an individual’s sensitive personal information for purposes other than those specified in subdivision (a) of section 1798.121 of the CCPA and as a result, has not included a Notice of Right to Limit. RetentionWe retain personal information as long as reasonably necessary to provide the Services and carry out the purposes described in this Statement. However, if necessary, we may retain personal information for longer periods of time, until set retention periods and deadlines expire, or for instances where we are required to do so in accordance with legal, tax and accounting requirements set by a legislature, regulator or other government authority. To determine the appropriate duration of the retention of personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information and if we can attain our objectives by other means, as well as our legal, regulatory, tax, accounting and other applicable obligations. As to each of the categories of personal information collected, the retention period will vary depending on our relationship. For example,For Merchants and Merchant Employees, we will generally retain their personal information for the duration of our agreement with the Merchant plus a period following termination as provided for in our retention schedules. For Guests that have Toast Digital Ordering Accounts, Toast will generally maintain these accounts for the duration of the individual’s use of service plus a period of inactivity.In other cases, Guest information that is collected by the Merchant but stored by Toast will be retained for the duration of our agreement with the Merchant plus a period following termination as provided for in our retention schedules. Information pertaining to support calls are generally retained for one (1) year but may be retained for longer based on the nature of the relationship between Toast and the individual. In all cases, the retention will be subject to any additional legal, regulatory, tax, accounting or other applicable obligations.Once retention of the personal information is no longer necessary for the purposes outlined above, we will either delete or de-identify the personal information or, if this is not possible (for example, because personal information has been stored in backup archives), then we will securely store the personal information and isolate it from further processing until deletion or deidentification is possible.Notice of Financial Incentives and loyalty programsA core part of our business involves the design and implementation of programs and other offerings intended to provide benefits to eligible participants that are managed by our Merchants. One example of that is that as part of our Services, we provide our Merchants with the ability to provide a loyalty program to its restaurant customers. To the extent that a Merchant is required to provide a notice of financial incentive pursuant to the CCPA, this obligation is the responsibility of the Merchant as part of the set up and administration of its program. Please refer to the terms and privacy notice of the Merchant with which you have a relationship for information regarding any financial incentives they may offer through those loyalty services.Deidentified informationWe may at times receive, or process personal information to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual or household. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.Updates to this StatementWe will update this Statement from time to time. When we make changes to this Statement, we will change the "Last updated" date at the beginning of this Statement. All changes shall be effective from the date of publication unless otherwise provided in the notification.2. California “Shine the Light” disclosureCalifornia residents that have an established business relationship with us have a right to know how their information is disclosed to third parties for their direct marketing purposes under California’s “Shine the Light” law (Civ. Code § 1798.83). Please contact us through any of the communication channels within the “How to contact us” section in the main body of this Statement to invoke these rights. Addendum B – United States (Colorado)Last updated: July 1, 20241. Privacy Statement for Colorado residents as required by the Colorado Privacy Act (“CPA”).The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of Colorado and qualify as a “Consumer” under the CPA. This Colorado-specific Statement provides additional information about how we collect, use, disclose and otherwise process the personal information of these individuals, either online or offline, within the scope of the CPA. Any terms defined in the CPA or as otherwise defined in our Privacy Statement have the same meaning as used in this Addendum. When we use the term “personal information” in this Addendum, we mean “personal data” pursuant to the CPA, including information that is linked or reasonably linkable to an identified or identifiable natural person. Categories of personal information processed Please refer to the “Personal information we collect” section in the main body of the Statement.Purposes of processing the personal informationPlease refer to the “How we use personal information” section in the main body of the StatementCategories of information disclosed to third parties and a description of those third parties Please refer to the “How we share personal information” section in the main body of the Statement.Description of rights available to consumersA number of individual rights are available to individuals under the CPA relating to personal information that we have collected (subject to certain limitations at law), including: The right to access: you have the right to confirm whether a controller is processing your personal information and to access such information.The right to correction: you have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and purposes of the processing.The right to deletion: you have the right to delete your personal information you have provided or that has been collected.The right to portability: you have the right to obtain a copy of your personal information that was previously provided in a portable, and to the extent technically feasible, readily usable format that can be transmitted to another entity.The right to opt out: you have the right to opt out of (as defined by the CPA) (i) targeted advertising, (ii) the sale of personal information and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.How to invoke your rightsToast has established an individual rights portal as well as other channels for the purposes of submitting the individual rights requests above, including the right of access and deletion. Individual rights requests can be submitted to Toast through the below channels:Web portal: Individual Rights PortalBy email: privacy@toasttab.comBy post:Attn: Toast Privacy OfficeToast, Inc.333 Summer St. Boston, MA 02210By phone (toll-free): (866) 226-4484Once an individual rights request has been submitted, Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of Toast’s Services. Where applicable, these requests can be submitted by an authorized agent through the channels described above in accordance with the applicable law. These include requests made on behalf of a minor by the individual’s parent or legal guardian can also be made via the individual rights portal above. In these cases, in order to verify the authorized agent’s authority, we generally require evidence of that individual’s authority to act on behalf of the individual. All individual rights requests will be managed in line with the requirements set out in the CPA.Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law. In the event we decline to take action on a request, we will notify you within 45 days of receipt of the original request with our justification for declining to take action and how you may appeal that decision (including an overview of the appeals process and how you can initiate an appeal). All appeal requests should be submitted by emailing us at privacy@toasttab.com with the subject line, “Colorado Privacy Request Appeal”.Sale of personal information While Toast does not “sell” personal information in the traditional sense, we do, however, sell personal information for the purpose of displaying advertisements that are selected based on personal information obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications or other services (otherwise known as “targeted advertising” or “cross-context behavioral advertising”), for personalization features and for tracking and analytics purposes. The categories of personal information may include:Identifiers;Internet/network information; andInferencesEach of the above categories of information may be disclosed to third-parties, which may include our business partners depending on the nature of a user’s interactions.Consumers can exercise their right to opt out of these sales through our cookie management tool that can be accessed by clicking on our “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com. You can also opt out of the “sale” of personal information or “sharing” for targeted advertising purposes by enabling the Global Privacy Control or a similar opt-out preference setting within the browser you use to access our Websites. Please note that your opt out will be specific to the device and browser you use when you opt out, and our Websites will recognize opt-out preference settings only on domains of our Websites where any “selling” or “sharing” occurs. You may also review our Privacy Statement section titled “Cookies and other tracking technologies” for more information on how Toast uses cookies, analytics and personalized advertising. Targeted advertisingToast carries out limited targeted advertising (as that term is defined by the CPA) via cookies and related tracking technologies. You will only be served with targeted advertising when you visit https://pos.toasttab.com and this can be managed by clicking the “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com.ProfilingPresently, Toast does not carry out any profiling (as defined by the CPA) in furtherance of decisions that produce legal or similarly significant effects concerning consumers that are presently in scope for CPA purposes.Deidentified informationWe may at times receive, or process personal information to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.Updates to this StatementWe will update this Statement from time to time. When we make changes to this Statement, we will change the "Last updated" date at the beginning of this Statement. All changes shall be effective from the date of publication unless otherwise provided in the notification. Addendum C – United States (Connecticut)Last updated: July 1, 20241. Privacy Statement for Connecticut residents as required by the Connecticut Data Privacy Act (“CTDPA”).The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of Connecticut and qualify as a “Consumer” under the CTDPA. This Connecticut-specific Statement provides additional information about how we collect, use, disclose and otherwise process the personal information of these individuals, either online or offline, within the scope of the CTDPA. Any terms defined in the CTDPA or as otherwise defined in our Privacy Statement have the same meaning as used in this Addendum. When we use the term “personal information” in this Addendum, we mean “personal data” pursuant to the CTDPA, including information that is linked or reasonably linkable to an identified or identifiable natural person. Categories of personal information processed Please refer to the “Personal information we collect” section in the main body of the Statement.Purposes of processing the personal informationPlease refer to the “How we use personal information” section in the main body of the Statement.Categories of information disclosed to third parties and a description of those third parties Please refer to the “How we share personal information” section in the main body of the Statement.Description of rights available to consumersA number of individual rights are available to individuals under the CTDPA relating to personal information that we have collected (subject to certain limitations at law), including: The right to access: you have the right to confirm whether a controller is processing your personal information and to access such information.The right to correction: you have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and purposes of the processing.The right to deletion: you have the right to delete your personal information you have provided or that has been collected.The right to obtain a copy of your personal information: you have the right to obtain a copy of your personal information that was previously provided in a portable, and to the extent technically feasible, readily usable format that can be transmitted to another entity.The right to opt out: you have the right to opt out of (as defined by the CTDPA) (i) targeted advertising, (ii) the sale of personal information and (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.How to invoke your rightsToast has established an individual rights portal as well as other channels for the purposes of submitting the individual rights requests above, including the right of access and deletion. Individual rights requests can be submitted to Toast through the below channels:Web portal: Individual Rights PortalBy email: privacy@toasttab.comBy post:Attn: Toast Privacy OfficeToast, Inc.333 Summer St. Boston, MA 02210By phone (toll-free): (866) 226-4484Once an individual rights request has been submitted, Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of Toast’s Services. Where applicable, these requests can be submitted by an authorized agent through the channels described above in accordance with the applicable law. These include requests made on behalf of a minor by the individual’s parent or legal guardian can also be made via the individual rights portal above. In these cases, in order to verify the authorized agent’s authority, we generally require evidence of that individual’s authority to act on behalf of the individual. All individual rights requests will be managed in line with the requirements set out in the CTDPA.Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law. In the event we decline to take action on a request, we will notify you within 45 days of receipt of the original request with our justification for declining to take action and how you may appeal that decision (including an overview of the appeals process and how you can initiate an appeal). All appeal requests should be submitted by emailing us at privacy@toasttab.com with the subject line, “Connecticut Privacy Request Appeal”.Sale of personal information While Toast does not “sell” personal information in the traditional sense, we do, however, sell personal information for the purpose of displaying advertisements that are selected based on personal information obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications or other services (otherwise known as “targeted advertising” or “cross-context behavioral advertising”), for personalization features and for tracking and analytics purposes. Consumers can exercise their right to opt out of these sales through our cookie management tool that can be accessed by clicking on our “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com. You can also opt out of the “sale” of personal information or “sharing” for targeted advertising purposes by enabling the Global Privacy Control or a similar opt-out preference setting within the browser you use to access our Websites. Please note that your opt out will be specific to the device and browser you use when you opt out, and our Websites will recognize opt-out preference settings only on domains of our Websites where any “selling” or “sharing” occurs. You may also review our Privacy Statement section titled “Cookies and other tracking technologies” for more information on how Toast uses cookies, analytics and personalized advertising. Targeted advertisingToast carries out limited targeted advertising (as that term is defined by the CTDPA) via cookies and related tracking technologies. You will only be served with targeted advertising when you visit https://pos.toasttab.com and this can be managed by clicking the “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com.ProfilingPresently, Toast does not carry out any profiling (as defined by the CTDPA) in furtherance of decisions that produce legal or similarly significant effects concerning consumers that are presently in scope for CTDPA purposes.Deidentified informationWe may at times receive, or process personal information to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.Updates to this StatementWe will update this Statement from time to time. When we make changes to this Statement, we will change the "Last updated" date at the beginning of this Statement. All changes shall be effective from the date of publication unless otherwise provided in the notification. Addendum D – United States (Oregon)Last updated: July 1, 20241. Privacy Statement for Oregon Residents as required by the Oregon Consumer Privacy Act (“OCPA”).The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of Oregon and qualify as a “Consumer” under the OCPA. This Oregon-specific Statement provides additional information about how we collect, use, disclose and otherwise process the personal information of these individuals, either online or offline, within the scope of the OCPA. Any terms defined in the OCPA or as otherwise defined in our Privacy Statement have the same meaning as used in this addendum. When we use the term “personal information” in this Addendum, we mean “personal data” pursuant to the OCPA, including information that is linked or reasonably linkable to an identified or identifiable natural person. A. Categories of personal information processed Please refer to the “Personal information we collect” section in the main body of the Statement. In addition, Toast may collect precise geolocation data which is “sensitive data” as defined by the OCPA as part of our operations and the Services offered to our Merchants. B. Purposes of collecting and processing the personal informationPlease refer to the “How we use personal information” section in the main body of the Statement. C. Categories of information disclosed to third partiesPlease refer to the “How we share personal information” section in the main body of the Statement. With respect to sensitive data, Toast may share precise geolocation data with partners and/or service providers in order to support certain digital ordering services and as part of the Services requested by a Guest, or with the consent of the individual.D. Categories of third parties with which we share personal informationPlease refer to the “How we share personal information” section in the main body of the Statement. E. Description of rights available to consumersA number of individual rights are available to individuals under the OCPA relating to personal information that we have collected (subject to certain limitations at law), including: The right of access to confirm processing: you have the right to confirm whether a controller is processing your personal information, and if so which categories of personal information, and to access such information.The right to be informed of third party disclosures: you have the right to obtain a list of specific third parties, other than natural persons, to which Toast has disclosed personal information.Right to access: you have the right to obtain a copy of all of the personal data that Toast has processed.The right of correction: you have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and purposes of the processing.The right of deletion: you have the right to delete your personal information you have provided or that has been collected.The right of portability: you have the right to obtain a copy of your personal information that was previously provided in a portable, and to the extent technically feasible, readily usable format that can be transmitted to another controller where the processing is carried out by automated means. The right to opt out: you have the right to opt out of (as defined by the OCPA) (i) targeted advertising, (ii) the sale of personal information and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.F. How to invoke your rightsToast has established an individual rights portal as well as other channels for the purposes of submitting the individual rights requests above, including the right of access and deletion. Individual rights requests can be submitted to Toast through the below channels:Web portal: Individual Rights PortalBy email: privacy@toasttab.comBy post:Attn: Toast Privacy OfficeToast, Inc.333 Summer St. Boston, MA 02210By phone (toll-free): (866) 226-4484Once an individual rights request has been submitted, Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of Toast’s Services. Where applicable, these requests can be submitted by an authorized agent through the channels described above in accordance with the applicable law. These include requests made on behalf of a minor by the individual’s parent or legal guardian can also be made via the individual rights portal above. In these cases, in order to verify the authorized agent’s authority, we generally require evidence of that individual’s authority to act on behalf of the individual. All individual rights requests will be managed in line with the requirements set out in the OCPA. Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law. In the event we decline to take action on a request, we will notify you within 45 days of receipt of the original request with our justification for declining to take action and how you may appeal that decision (including an overview of the appeals process and how you can initiate an appeal). All appeal requests should be submitted by emailing us at privacy@toasttab.com with the subject line, “Oregon Privacy Request Appeal”.G. Sale of personal information Presently, Toast does not carry out any “sales” of personal information as defined by the OCPA.H. Targeted advertisingToast carries out limited targeted advertising (as that term is defined by the OCPA) via cookies and related tracking technologies. You will only be served with targeted advertising when you visit https://pos.toasttab.com and this can be managed by clicking the “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com.I. ProfilingPresently, Toast does not carry out any profiling (as defined by the OCPA) in furtherance of decisions that produce legal or similarly significant effects concerning consumers that are presently in scope for OCPA purposes.J. Deidentified informationWe may at times receive, or process personal information to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.K. Updates to this StatementWe will update this Statement from time to time. When we make changes to this Statement, we will change the "Last updated" date at the beginning of this Statement. All changes shall be effective from the date of publication unless otherwise provided in the notification. Addendum E – United States (Texas)Last updated: July 1, 20241. Privacy Statement for Texas Residents as required by the Texas Data Privacy and Security Act (“TDPSA”).The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of Texas and qualify as a “Consumer” under the TDPSA. This Texas-specific Statement provides additional information about how we collect, use, disclose and otherwise process the personal information of these individuals, either online or offline, within the scope of the TDPSA. Any terms defined in the TDPSA or as otherwise defined in our Privacy Statement have the same meaning as used in this addendum. When we use the term “personal information” in this Addendum, we mean “personal data” pursuant to the TDPSA, including information that is linked or reasonably linkable to an identified or identifiable natural person. A. Categories of personal information processed Please refer to the “Personal information we collect” section in the main body of the Statement. In addition, Toast may collect “sensitive data” as defined by the TDPSA as part of our operations and the Services offered to our Merchants. The following categories of data may be collected from Guests Personal data revealing mental or physical health diagnosis, to the extent that allergy and dietary restrictions are capable of revealing a mental or physical health diagnosis (“Health data”)Precise geolocation dataB. Purposes of processing the personal informationPlease refer to the “How we use personal information” section in the main body of the Statement. In addition, Toast may collect “sensitive data” as defined by the TDPSA for the following purposes Health data: a Guest may voluntarily elect to provide this as part of a reservation or their dining experience in the “additional information” section or other free form fieldsPrecise geolocation data: needed for certain digital ordering services and as part of the Services requested by a Guest or with the consent of the individualC. Categories of information disclosed to third partiesPlease refer to the “How we share personal information” section in the main body of the Statement. D. Categories of third parties with whom we share dataPlease refer to “How we share personal information section in the main body of the Statement.E. Description of rights available to consumersA number of individual rights are available to individuals under the TDPSA relating to personal information that we have collected (subject to certain limitations at law), including: The right of access: you have the right to confirm whether a controller is processing your personal information and to access such information.The right of correction: you have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and purposes of the processing.The right of deletion: you have the right to delete your personal information you have provided or that has been collected.The right of portability: you have the right to obtain a copy of your personal information that was previously provided in a portable, and to the extent technically feasible, readily usable format that can be transmitted to another controller where the processing is carried out by automated means.The right to opt out: you have the right to opt out of (as defined by the VCDPATDPSA) (i) targeted advertising, (ii) the sale of personal information and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.F. How to invoke your rightsToast has established an individual rights portal as well as other channels for the purposes of submitting the individual rights requests above, including the right of access and deletion. Individual rights requests can be submitted to Toast through the below channels:Web portal: Individual Rights PortalBy email: privacy@toasttab.comBy post:Attn: Toast Privacy OfficeToast, Inc.333 Summer St. Boston, MA 02210By phone (toll-free): (866) 226-4484Once an individual rights request has been submitted, Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of Toast’s Services. Where applicable, these requests can be submitted by an authorized agent through the channels described above in accordance with the applicable law. These include requests made on behalf of a minor by the individual’s parent or legal guardian can also be made via the individual rights portal above. In these cases, in order to verify the authorized agent’s authority, we generally require evidence of that individual’s authority to act on behalf of the individual. All individual rights requests will be managed in line with the requirements set out in the TDPSA. Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law. In the event we decline to take action on a request, we will notify you within 45 days of receipt of the original request with our justification for declining to take action and how you may appeal that decision (including an overview of the appeals process and how you can initiate an appeal). All appeal requests should be submitted by emailing us at privacy@toasttab.com with the subject line, “Texas Privacy Request Appeal”.G. Sale of personal information Presently, Toast does not carry out any “sales” of personal information as defined by theTDPSA.While Toast does not “sell” personal information in the traditional sense, we do, however, sell personal information for the purpose of displaying advertisements that are selected based on personal information obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications or other services (otherwise known as “targeted advertising” or “cross-context behavioral advertising”), for personalization features and for tracking and analytics purposes. Consumers can exercise their right to opt out of these sales through our cookie management tool that can be accessed by clicking on our “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com. You can also opt out of the “sale” of personal information or “sharing” for targeted advertising purposes by enabling the Global Privacy Control or a similar opt-out preference setting within the browser you use to access our Websites. Please note that your opt out will be specific to the device and browser you use when you opt out, and our Websites will recognize opt-out preference settings only on domains of our Websites where any “selling” or “sharing” occurs. You may also review our Privacy Statement section titled “Cookies and other tracking technologies” for more information on how Toast uses cookies, analytics and personalized advertising. Targeted advertisingToast carries out limited targeted advertising (as that term is defined by the TDPSA) via cookies and related tracking technologies. You will only be served with targeted advertising when you visit https://pos.toasttab.com and this can be managed by clicking the “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com. ProfilingPresently, Toast does not carry out any profiling (as defined by the TDPSA) in furtherance of decisions that produce legal or similarly significant effects concerning consumers that are presently in scope for TDPSA purposes.H. Deidentified informationWe may at times receive, or process personal information to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.I. Updates to this StatementWe will update this Statement from time to time. When we make changes to this Statement, we will change the "Last updated" date at the beginning of this Statement. All changes shall be effective from the date of publication unless otherwise provided in the notification. Addendum F – United States (Virginia)Last updated: July 1, 20241. Privacy Statement for Virginia Residents as required by the Virginia Consumer Data Protection Act (“VCDPA”).The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of Virginia and qualify as a “Consumer” under the VCDPA. This Virginia-specific Statement provides additional information about how we collect, use, disclose and otherwise process the personal information of these individuals, either online or offline, within the scope of the VCDPA. Any terms defined in the VCDPA or as otherwise defined in our Privacy Statement have the same meaning as used in this addendum. When we use the term “personal information” in this Addendum, we mean “personal data” pursuant to the VCDPA, including information that is linked or reasonably linkable to an identified or identifiable natural person. Categories of personal information processed Please refer to the “Personal information we collect” section in the main body of the Statement.Purposes of processing the personal informationPlease refer to the “How we use personal information” section in the main body of the Statement.Categories of information disclosed to third partiesPlease refer to the “How we share personal information” section in the main body of the Statement.Description of rights available to consumersA number of individual rights are available to individuals under the VCDPA relating to personal information that we have collected (subject to certain limitations at law), including:The right of access: you have the right to confirm whether a controller is processing your personal information and to access such information.The right of correction: you have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and purposes of the processing.The right of deletion: you have the right to delete your personal information you have provided or that has been collected.The right of portability: you have the right to obtain a copy of your personal information that was previously provided in a portable, and to the extent technically feasible, readily usable format that can be transmitted to another controller where the processing is carried out by automated means.The right to opt out: you have the right to opt out of (as defined by the VCDPA) (i) targeted advertising, (ii) the sale of personal information and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.How to invoke your rightsToast has established an individual rights portal as well as other channels for the purposes of submitting the individual rights requests above, including the right of access and deletion. Individual rights requests can be submitted to Toast through the below channels:Web portal: Individual Rights PortalBy email: privacy@toasttab.comBy post:Attn: Toast Privacy OfficeToast, Inc.333 Summer St. Boston, MA 02210By phone (toll-free): (866) 226-4484Once an individual rights request has been submitted, Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of Toast’s Services. Where applicable, these requests can be submitted by an authorized agent through the channels described above in accordance with the applicable law. These include requests made on behalf of a minor by the individual’s parent or legal guardian can also be made via the individual rights portal above. In these cases, in order to verify the authorized agent’s authority, we generally require evidence of that individual’s authority to act on behalf of the individual. All individual rights requests will be managed in line with the requirements set out in the VCDPA. Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law. In the event we decline to take action on a request, we will notify you within 45 days of receipt of the original request with our justification for declining to take action and how you may appeal that decision (including an overview of the appeals process and how you can initiate an appeal). All appeal requests should be submitted by emailing us at privacy@toasttab.com with the subject line, “Virginia Privacy Request Appeal”.Sale of personal information Presently, Toast does not carry out any “sales” of personal information as defined by the VCDPA.Targeted advertisingToast carries out limited targeted advertising (as that term is defined by the VCDPA) via cookies and related tracking technologies. You will only be served with targeted advertising when you visit https://pos.toasttab.com and this can be managed by clicking the “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com.ProfilingPresently, Toast does not carry out any profiling (as defined by the VCDPA) in furtherance of decisions that produce legal or similarly significant effects concerning consumers that are presently in scope for VCDPA purposes.Deidentified informationWe may at times receive, or process personal information to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.Updates to this StatementWe will update this Statement from time to time. When we make changes to this Statement, we will change the "Last updated" date at the beginning of this Statement. All changes shall be effective from the date of publication unless otherwise provided in the notification. Addendum G – United States (Utah)Last updated: July 1, 2024Privacy Statement for Utah Residents as required by the Utah Consumer Privacy Act (“UCPA”).The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of Utah and qualify as a “Consumer” under the UCPA. This Utah-specific Statement provides additional information about how we collect, use, disclose and otherwise process the personal information of these individuals, either online or offline, within the scope of the UCPA. Any terms defined in the UCPA or as otherwise defined in our Privacy Statement have the same meaning as used in this addendum. When we use the term “personal information” in this Addendum, we mean “personal data” pursuant to the UCPA, including information that is linked or reasonably linkable to an identified or identifiable natural person. A. Categories of personal information processed Please refer to the “Personal information we collect” section in the main body of the Statement.B. Purposes of processing the personal informationPlease refer to the “How we use personal information” section in the main body of the Statement.C. Categories of information disclosed to third partiesPlease refer to the “How we share personal information” section in the main body of the Statement.D. Description of rights available to consumersA number of individual rights are available to individuals under the UCPA relating to personal information that we have collected (subject to certain limitations at law), including: The right of access: you have the right to confirm whether a controller is processing your personal information and to access such information.The right of deletion: you have the right to delete your personal information you have provided or that has been collected.The right of portability: you have the right to obtain a copy of your personal information that was previously provided in a portable, and to the extent technically feasible, readily usable format that can be transmitted to another controller where the processing is carried out by automated means.The right to opt out: you have the right to opt out of (as defined by the UCPA) (i) targeted advertising and (ii) the sale of personal information.E. How to invoke your rightsToast has established an individual rights portal as well as other channels for the purposes of submitting the individual rights requests above, including the right of access and deletion. Individual rights requests can be submitted to Toast through the below channels:Web portal: Individual Rights PortalBy email: privacy@toasttab.comBy post:Attn: Toast Privacy OfficeToast, Inc.333 Summer St. Boston, MA 02210By phone (toll-free): (866) 226-4484Once an individual rights request has been submitted, Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of Toast’s Services. Where applicable, these requests can be submitted by an authorized agent through the channels described above in accordance with the applicable law. These include requests made on behalf of a minor by the individual’s parent or legal guardian can also be made via the individual rights portal above. In these cases, in order to verify the authorized agent’s authority, we generally require evidence of that individual’s authority to act on behalf of the individual. All individual rights requests will be managed in line with the requirements set out in the UCPA.F. Sale of personal information Presently, Toast does not carry out any “sales” of personal information as defined by the UCPA.G. Targeted advertisingToast carries out limited targeted advertising (as that term is defined by the UCPA) via cookies and related tracking technologies. You will only be served with targeted advertising when you visit https://pos.toasttab.com and this can be managed by clicking the “Do not sell or share my personal information” link at the bottom of https://pos.toasttab.com.H. Deidentified informationWe may at times receive, or process personal information to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.I. Updates to this StatementWe will update this Statement from time to time. When we make changes to this Statement, we will change the "Last updated" date at the beginning of this Statement. All changes shall be effective from the date of publication unless otherwise provided in the notification. Addendum H – CanadaLast updated: July 1, 20241. Privacy addendum for individuals located in CanadaThe provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and apply solely to individuals that are residents of Canada or are otherwise covered under any applicable Canadian federal or provincial privacy laws or regulations, including but not limited to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), Alberta’s Personal Information Protection Act, and British Columbia’s Personal Information Protection Act. Toast is committed to collecting, using, and disclosing your personal information in accordance with applicable laws and regulations. ConsentBy using our Services and accessing our Websites, you accept the terms of this Privacy Statement and consent to the collection, use, processing, disclosure and retention of your information as described in this Privacy Statement. Typically, we will provide notice of the purpose for collecting your personal information and/or seek your consent (which may be express or implied, depending on the nature and sensitivity of the personal information) in line with applicable law at the time that we collect your personal information. In certain circumstances, we may collect non-sensitive personal information automatically. In general, you may change or withdraw your consent at any time subject to legal or contractual obligations and providing reasonable notice. Your withdrawal of consent may impact the ability of Toast to provide you with some or all of the Services. Upon receiving notice that you would like to withdraw your consent, we will inform you of the likely consequences of your withdrawal of consent. Toast will not collect, use, or disclose your personal information except for the purposes we have identified for collection (including those listed in section 4 of the Toast Privacy Statement above and/or identified at the time of collection), unless we have received your consent (which may be express or implied, depending on the nature and sensitivity of the personal information) or the processing is authorized without consent.Accessing and correcting your personal information If you are located in Canada, you have the right to request access to and to correct the personal information that we hold about you, subject to certain conditions and limitations. Subject to the applicable law and the nature of your relationship with Toast, this may include a right to review, correct, update, suppress, delete or otherwise limit our use of your personal information that has been previously provided to us. You may also have the right to access information about the ways in which your personal information is or has been used and the names of individuals and/or organizations to which your information has been disclosed.Toast has established an individual rights portal for the purposes of submitting such individual rights requests. The link to Toast’s individual rights portal can be found here. Individual rights requests can also be submitted to Toast through the below channels:By email: privacy@toasttab.comBy post:Attn: Toast Privacy OfficeToast, Inc.333 Summer St. Boston, MA 02210United States of AmericaIn your request, please specify what information you would like to access or have corrected. We will respond to your request as soon as reasonably practicable, and within the time period required by law. The exercise of these rights is free of charge. Once an individual rights request has been submitted, Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your request. This may include your name, email address, phone number or other details related to your use of Toast’s Services or Websites. If we correct your information, we will also send the corrected information to organizations to which we disclosed the information during the year before the date the correction was made.Please note that in certain circumstances, we may refuse to act or impose limitations on your rights, as permitted by the applicable law. If we cannot provide you with access to your personal information or are unable to correct your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions, and outline further steps available to you. If we refuse to act on a request to correct your personal information, we will nonetheless annotate the information, noting the correction that was requested but not made. In certain cases, depending on the nature of your request, there may also be residual information that will remain within our databases and other records, which, due to applicable law or as part of Services that are in the process of being carried out, will not be removed or changed. We will also retain information relating to your request for recordkeeping and compliance purposes.International transfers We may process, store, and transfer your personal information in and to a foreign country, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country. Specifically, the personal information collected as part of the Services or as otherwise contemplated by this Statement is primarily processed and stored in the United States. However, as Toast is an international organization with business processes, offices and third parties around the world, your information may be sent to any other country in the world where we do business or maintain third-party relationships. When you provide personal information to us through the Services and as part of this Statement, you consent to the transfer of your information and the processing of your information in this manner. Any international transfers made will be in accordance with this Statement and the applicable law. We also impose appropriate safeguards for the transfer of personal information among our affiliates and to third-party service providers in various jurisdictions, and have implemented appropriate contractual arrangements or other measures for such purposes. To obtain a current list of the countries where personal information subject to this Statement is collected, used, disclosed and/or stored, including with our service providers, as well as the purposes for which our service providers outside Canada have been authorized to collect, use or disclose personal information for or on behalf of Toast, please contact privacy@toasttab.com. Right to challenge compliance and file a complaintIf you believe any privacy laws relating to the protection of your personal information or the practices described in this Statement have not been respected, you may file a complaint with our Assistant General Counsel, Privacy at the address listed below: By email: privacy@toasttab.comBy post:Attn: Assistant General Counsel, PrivacyToast, Inc.333 Summer St. Boston, MA 02210United States of AmericaBy phone (toll-free): +1 (866) 226-4484Toast may ask you for additional information in order to verify your identity or to provide additional details to help us respond to your complaint. We will investigate all complaints. If, after an investigation, your complaint is deemed justified, Toast will take appropriate steps to correct the situation, including, if necessary, amending our policies and practices. If you are not satisfied with the results of the investigation or the corrective measures taken by Toast, you may exercise the remedies available under law by contacting the Office of the Privacy Commissioner of Canada at the address below:Office of the Privacy Commissioner of Canada30 Victoria StreetGatineau, Quebec K1A 1H3https://www.priv.gc.caIf you reside in the Province of Alberta, you may also contact the Office of the Information and Privacy Commissioner of Alberta at the address below:Office of the Information and Privacy Commissioner of Alberta#410, 9925 - 109 Street NWEdmonton, AlbertaT5K 2J8https://www.oipc.ab.ca/ If you reside in the Province of British Columbia, you may also contact the Office of the Information and Privacy Commissioner for British Columbia at the address below:Office of the Information and Privacy Commissioner for British ColumbiaPO Box 9038 Stn. Prov. Govt.Victoria B.C. V8W 9A4 https://www.oipc.bc.ca/ We will retain personal information used to make a decision that directly affects you for at least one year after we make that decision. Addendum I – IrelandLast updated: July 1, 2024The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and applies where the General Data Protection Regulation (“GDPR”) and local implementing legislation apply, which includes where Toasttab Ireland Limited provides Services. To the extent that there is a conflict between the provisions of this Addendum G and the provisions of the main body of the Privacy Statement, the provisions of this Addendum G shall prevail.Data controller(s)For the purposes of the processing pursuant to this Statement, the joint data controllers will include:Toasttab Ireland Limited (“Toast Ireland”)124 St Stephen’s GreenDublin 2IrelandD02 C628Toast, Inc. (“Toast US”)333 Summer St.Boston, MA 02210United States of America Toast US is primarily responsible for ensuring that personal information is collected and processed pursuant to the applicable law. These obligations include (a) the implementation of appropriate data protection policies, (b) the management and notification of security incidents involving personal information, (c) the completion of data protection impact assessments (where appropriate) and (d) the implementation of appropriate technical and organizational security measures. Toast US is also responsible for managing any requests that you may make to exercise your rights under the GDPR or other applicable data protection legislation, on behalf of both Toast Ireland and Toast US.Toast Ireland is responsible for managing aspects of the processing that are within its control as part of the joint controller relationship. This includes support and management pertaining to the provision of the Services, obtaining consents from data subjects (where applicable) as well as support with providing notice to data subjects. Where Toast Ireland receives a data subject request under the GDPR, Toast Ireland will promptly notify Toast US of the request.As a data controller, we are free to rely on “data processors” (as defined within the GDPR) and have engaged various third-party service providers in order to provide the Services as well as for other purposes described in the main body of the Privacy Statement. For more information, see the “How we share personal information” section of the Privacy Statement.Toast Ireland and Toast US also act as processors on behalf of Merchants as to certain Services provided to Guests as well as our Merchants Employees in connection with certain aspects of our Services. The Merchant is the data controller in respect of this relationship.Purposes and legal basis for processingWe collect and process your personal information based on the following legal bases:Purpose of processing (as described further in section 4 of this Statement)Legal basis for processingTo provide, maintain and support our ServicesWhere we have a contract with you, necessary for the performance of our contract with youWhere we do not have a contract with you, our legitimate interests in operating our businessTo manage our business and for internal operational purposesNecessary for our legitimate interests of effectively managing our business operations and improving our products and servicesTo personalize your experienceNecessary for our legitimate interests of effectively managing our business operations and improving our products and servicesTo advertise and market to youYour consent which is required under law some cases) or as necessary for our legitimate interests of effectively promoting our business, products and servicesTo communicate with you or provide information you have requestedWhere we have a contract with you, necessary for the performance of our contract with you Where we do not have a contract with you, our legitimate interests in operating our businessFor legal, compliance and security-related purposes, including to:comply with our Irish legal obligations, including under anti-money laundering, know-your-customer or similar lawscomply with our legal obligations outside Ireland, including under anti-money laundering, know-your-customer or similar laws in any relevant jurisdictionsecure and protect our network and systemsidentify and protect against fraud and other crimesestablish, exercise or defend legal claimsmonitor and report compliance issuesSee belowNecessary for compliance with our legal obligations under Irish lawNecessary for our legitimate interest in complying with laws, protecting our network and systems, our business and others and establishing, exercising or defending our legal rightsNecessary for compliance with our legal obligations under Irish law where required by Irish law or, where not required by Irish law, necessary for our legitimate interest in effective compliance managementWhere we process personal information on the basis of a legitimate interest (as identified above), as required by data protection law, we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals and to determine whether individuals’ interests outweigh our interests in the processing taking place. You can obtain more information about this balancing test by using the contact details at the end of this Addendum.Where we collect personal information to administer our contract with you or to comply with our legal obligations, this is mandatory and we will not be able to perform the contract we have entered into with you or otherwise provide the Services without this information. In all other cases, provision of the requested personal information is optional, but this may affect your ability to use our Services or our websites.International transfersWe may transfer the personal information we collect about you for the purposes described in this Privacy Statement to countries that have not been found to provide an adequate level of data protection by the European Commission.In particular, we may transfer your personal information to third parties, including to parties located in the United States. We use appropriate safeguards for the transfer of personal information to third party service providers. Where required, we have implemented the EU/EEA approved standard contractual clauses, rely on a service provider’s processor binding corporate rules or have implemented/rely on other legally recognized safeguards for data transfer purposes.We also use appropriate safeguards for the transfer of personal information among our affiliates in the United States. We have implemented the EU/EEA approved standard contractual clauses or have implemented/rely on other legally recognized safeguards for data transfer purposes.To obtain a copy of the standard contractual clauses or other transfer safeguards, please send a request to privacy@toasttab.com. Choice and accessYou have additional rights regarding how your personal information is processed, including the right to:request access to and obtain a copy of your personal information;request the transfer of your personal information you have provided to us to you or another company in a structured, commonly used and machine-readable format;request rectification of your personal information when it is inaccurate or incomplete; request erasure of your personal information where permitted under the applicable law, such as where the information is no longer necessary or lawful for us to store or where your information is outdated;restrict or object to the processing of your personal information (as applicable), including to object to the processing of personal information for direct marketing purposes; andwithdraw your consent at any time where this is the legal basis on which we are processing your personal information. If you ask to withdraw your consent, this will not affect any processing which has already taken place at that time.Please note that if you choose to withdraw your consent, you may not be able to participate in or benefit from the programs, services and initiatives for which you provided consent to the processing of your personal information. Your rights will in each case be subject to the restrictions set out in applicable data protection laws.You may exercise these rights free of charge by submitting your request here or to privacy@toasttab.com. Subject to the applicable law, Toast may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, in particular because of its repetitive character. In some situations, Toast may refuse to act or impose limitations on the information disclosed if, for instance, if fulfilling your request would reveal personal information about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep. You also have the right to lodge a complaint about our processing of your personal information with the Irish Data Protection Commission.Retention We will retain your personal information for only as long as needed for the purpose of the processing activity or where we have a legitimate business need to retain it, subject to our legal and regulatory obligations to retain it longer and our applicable records retention periods. The duration of these periods will vary depending on your relationship with Toast and the Service you are using. For example,Merchants: Merchant account and ownership information will generally be maintained for seven (7) years following the termination of the relationship absent a legal or regulatory obligation to retain longer;Merchant Employees: Merchant employee information will generally be maintained for seven (7) years following the termination of the relationship with the Merchant unless removed sooner by the Merchant; andGuests: Digital ordering accounts created by our Guests will be maintained for the duration of their use of the service and removed following five (5) years of inactivity. Transactional information and other Guest information held by our Merchants as part of their operations will be retained for the duration of our relationship with the Merchant plus a period of seven (7) years.Other periods are set out within Toast’s records retention policy and schedule. Our retention periods are also subject to any rights of individuals or other requirements that might dictate a shorter retention period (e.g., deletion requests). In certain cases, Toast may also maintain information for a longer period of time, such as in cases where the information is subject to a legal claim or complaint. Following those periods and other determinations on the duration of the processing of personal information by Toast, we will delete or take measures to anonymize your personal information.Cookies and other technologiesIn addition to the information found in the section of the main body of the Statement titled “Cookies and other tracking technologies”, Toast’s Cookie Policy can be found here and provides some supplemental information for users in the EU/EEA and UK.ChildrenOur Services are not targeted or directed at children under the age of 16, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 16. If you have reason to believe that a child under the age of 16 has provided personal information to us, we encourage the child’s parent or guardian to contact us as described in the “How to contact us” section within main body of the Privacy Statement to request that we remove the information from our systems. If we learn that any personal information we collected has been provided by a child under the age of 16, we will promptly delete that personal information.How to contact Toast IrelandIf you have data protection questions specific to Toast Ireland, you can reach us at:Attention: Toast Ireland Data Protection OfficeToasttab Ireland Limited124 St Stephen’s GreenDublin 2IrelandD02 C628Email: privacy@toasttab.com Lodging a complaintIf you are not satisfied with the processing of your personal information, you have the right to lodge a complaint with the Data Protection Commission (https://www.dataprotection.ie/). Addendum J – United Kingdom (“UK”)Last updated: July 1, 2024The provisions below supplement the information provided in the generally applicable portion of our Privacy Statement and applies where the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (together the “UK Data Protection Law”) apply, which includes where Toasttab UK Limited provides Services. To the extent that there is a conflict between the provisions of this Addendum H and the provisions of the main body of the Privacy Statement, the provisions of this Addendum H shall prevail.Data controller(s)For the purposes of the processing pursuant to this Statement, the joint data controllers will include:Toasttab UK Limited (“Toast UK”)3rd Floor, 1 Ashley RoadAltrinchamCheshireWA14 2DTUnited KingdomToast, Inc. (“Toast US”)333 Summer St.Boston, MA 02210United States of America Toast US is primarily responsible for ensuring that personal information is collected and processed pursuant to UK Data Protection Law. These obligations include (a) the implementation of appropriate data protection policies, (b) the management and notification of security incidents involving personal information, (c) the completion of data protection impact assessments (where appropriate) and (d) the implementation of appropriate technical and organizational security measures. Toast US is also responsible for managing any requests that you may make to exercise your rights under UK Data Protection Law, on behalf of both Toast UK and Toast US.Toast UK is responsible for managing aspects of the processing that are within its control as part of the joint controller relationship. This includes support and management pertaining to the provision of the Services, obtaining consents from data subjects (where applicable) as well as support with providing notice to data subjects. Where Toast UK receives a data subject request under UK Data Protection Law, Toast UK will promptly notify Toast US of the request.As a data controller, we are free to rely on “data processors” (as defined within UK Data Protection Law) and have engaged various third-party service providers in order to provide the Services as well as for other purposes described in the main body of the Privacy Statement. For more information, see the “How we share personal information” section of the Privacy Statement.Toast UK and Toast US also act as processors on behalf of Merchants as to certain Services provided to Guests as well as our Merchants Employees in connection with certain aspects of our Services. The Merchant is the data controller in respect of this relationship.Purposes and legal basis for processingWe collect and process your personal information based on the following legal bases:Purpose of processing (as described further in section 4 of this Statement)Legal basis for processingTo provide, maintain and support our ServicesWhere we have a contract with you, necessary for the performance of our contract with youWhere we do not have a contract with you, our legitimate interests in operating our businessTo manage our business and for internal operational purposesNecessary for our legitimate interests of effectively managing our business operations and improving our products and servicesTo personalize your experienceNecessary for our legitimate interests of effectively managing our business operations and improving our products and servicesTo advertise and market to youYour consent which is required under law some cases) or as necessary for our legitimate interests of effectively promoting our business, products and servicesTo communicate with you or provide information you have requestedWhere we have a contract with you, necessary for the performance of our contract with youWhere we do not have a contract with you, our legitimate interests in operating our businessFor legal, compliance and security-related purposes, including to:comply with our UK legal obligations, including under anti-money laundering, know-your-customer or similar lawscomply with our non-UK legal obligations, including under anti-money laundering, know-your-customer or similar laws in any relevant jurisdictionsecure and protect our network and systemsidentify and protect against fraud and other crimesestablish, exercise or defend legal claimsmonitor and report compliance issuesSee belowNecessary for compliance with our legal obligations under UK lawNecessary for our legitimate interest in complying with laws, protecting our network and systems, our business and others and establishing, exercising or defending our legal rightsNecessary for compliance with our legal obligations under UK law where required by UK law or, where not required by UK law, necessary for our legitimate interest in effective compliance managementWhere we process personal information on the basis of a legitimate interest (as identified above), as required by data protection law, we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals and to determine whether individuals’ interests outweigh our interests in the processing taking place. You can obtain more information about this balancing test by using the contact details at the end of this Addendum.Where we collect personal information to administer our contract with you or to comply with our legal obligations, this is mandatory and we will not be able to perform the contract we have entered into with you or otherwise provide the Services without this information. In all other cases, provision of the requested personal information is optional, but this may affect your ability to use our Services or our websites. International transfersWe may transfer the personal information we collect about you for the purposes described in this Privacy Statement to countries that have not been found to provide an adequate level of data protection by UK Data Protection Law.In particular, we may transfer your personal information to third parties, including to parties located in the United States. We use appropriate safeguards for the transfer of personal information to third party service providers. Where required, we have implemented the UK approved standard contractual clauses or the UK approved addendum to the European Commission approved standard contractual clauses, rely on a service provider’s processor binding corporate rules or have implemented/rely on other legally recognized safeguards for data transfer purposes.We also use appropriate safeguards for the transfer of personal information among our affiliates in the United States. We have implemented the UK approved standard contractual clauses or the UK approved addendum to the European Commission approved standard contractual clauses or have implemented/rely on other legally recognized safeguards for data transfer purposes.To obtain a copy of the standard contractual clauses or other transfer safeguards, please send a request to privacy@toasttab.com.Choice and accessYou have additional rights regarding how your personal information is processed, including the right to: request access to and obtain a copy of your personal information;request the transfer of your personal information you have provided to us to you or another company in a structured, commonly used and machine-readable format;request rectification of your personal information when it is inaccurate or incomplete; request erasure of your personal information where permitted under the applicable law, such as where the information is no longer necessary or lawful for us to store or where your information is outdated;restrict or object to the processing of your personal information (as applicable), including to object to the processing of personal information for direct marketing purposes; andwithdraw your consent at any time where this is the legal basis on which we are processing your personal information. If you ask to withdraw your consent, this will not affect any processing which has already taken place at that time. Please note that if you choose to withdraw your consent, you may not be able to participate in or benefit from the programs, services and initiatives for which you provided consent to the processing of your personal information. Your rights will in each case be subject to the restrictions set out in UK Data Protection Law.You may exercise these rights free of charge by submitting your request here or to privacy@toasttab.com. Subject to the applicable law, Toast may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, in particular because of its repetitive character. In some situations, Toast may refuse to act or impose limitations on the information disclosed if, for instance, if fulfilling your request would reveal personal information about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep.You also have the right to lodge a complaint about our processing of your personal information with the UK Information Commissioner’s Office. RetentionWe will retain your personal information for only as long as needed for the purpose of the processing activity or where we have a legitimate business need to retain it, subject to our legal and regulatory obligations to retain it longer and our applicable records retention periods. The duration of these periods will vary depending on your relationship with Toast and the Service you are using. For example, Merchants: Merchant account and ownership information will generally be maintained for seven (7) years following the termination of the relationship absent a legal or regulatory obligation to retain longer;Merchant Employees: Merchant employee information will generally be maintained for seven (7) years following the termination of the relationship with the Merchant unless removed sooner by the Merchant; andGuests: Digital ordering accounts created by our Guests will be maintained for the duration of their use of the service and removed following five (5) years of inactivity. Transactional information and other Guest information held by our Merchants as part of their operations will be retained for the duration of our relationship with the Merchant plus a period of seven (7) years.Other periods are set out within Toast’s records retention policy and schedule. Our retention periods are also subject to any rights of individuals or other requirements that might dictate a shorter retention period (e.g., deletion requests). In certain cases, Toast may also maintain information for a longer period of time, such as in cases where the information is subject to a legal claim or complaint. Following those periods and other determinations on the duration of the processing of personal information by Toast, we will delete or take measures to anonymize your personal information.Cookies and other technologiesIn addition to the information found in the section of the main body of the Statement titled “Cookies and other tracking technologies”, Toast’s Cookie Policy can be found here and provides some supplemental information for users in the EU/EEA and UK.ChildrenOur Services are not targeted or directed at children under the age of 18, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 18. If you have reason to believe that a child under the age of 18 has provided personal information to us, we encourage the child’s parent or guardian to contact us as described in the “How to contact us” section within main body of the Privacy Statement to request that we remove the information from our systems. If we learn that any personal information we collected has been provided by a child under the age of 18, we will promptly delete that personal information.How to contact Toast UKIf you have data protection questions specific to Toast UK, you can reach us at:Attn: Toast UK Data Protection Office3rd Floor, 1 Ashley RoadAltrinchamCheshireWA14 2DTUnited KingdomEmail: privacy@toasttab.com Lodging a complaintIf you are not satisfied with the processing of your personal information, you have the right to lodge a complaint with the UK Information Commissioner’s Office (https://ico.org.uk/).