Effective Date: December 21, 2023
Tock LLC (“Tock”, “we”, “us” or “our”) respects your privacy. When it comes to your personal information, we believe in transparency, not surprises. That's why we've set out here what personal information we collect, what we do with it and your choices and rights.
Certain jurisdictions require us to provide you with specific additional information. Please see this page for such additional information if you are in: (I) California; or (II) other specified U.S. states.
1. Some key terms
With respect to personal information in Tock's possession, we play a few different roles under global data privacy laws. In order to understand your and Tock's obligations, it's important to understand the difference between Tock Controlled PI and Merchant Controlled PI.
- “Merchant Controlled PI” means personal information for which a Merchant determines the purposes and means of processing. For Merchant Controlled PI, Tock acts as a data processor, service provider or similar term under applicable law. Merchant Controlled PI includes Guest Booking Information (as defined below) and any data or notes entered by a Merchant into the Services about a Guest or their partner or other dining companions, Merchant personnel or other individuals. Merchants tell us what we do with Merchant Controlled PI on our Merchant's instructions. Our Merchants are responsible for ensuring that their collection and processing of Merchant Controlled PI complies with applicable law.
To learn about a Merchant's data practices with respect to Merchant Controlled PI, please visit the applicable Merchant's Merchant Page or website or reach out directly to them.
Please be aware that some personal information in Tock's possession is both Tock Controlled PI and Merchant Controlled PI. This category of data is “Independently Controlled PI.” See Section 6 for more details.
3. Personal information we collect
We collect various personal information regarding you or your device. This includes the following:
- Information a Guest provides to create an Account or make a Booking, specifically email address, first name, last name and phone number. This information is “Basic Guest Information.” You do not need an Account to browse our Services (including Merchant Pages), but you do need an Account to make a Booking.
- Information a Guest with an Account provides to complete their diner profile on the Services. This optional information is called “Guest Diner Profile Information.” Guest Diner Profile Information includes a photograph, birthday or anniversary details for the Guest and/or their partner and the Guest's hospitality preferences or dietary restrictions.
- Information a Guest provides when they make a Paid Booking. For most Paid Bookings, this will include billing address as well as a portion of payment information which is provided to us from our payment processor (such as the last four digits, the country of issuance and the expiration date of the payment card).
- The emails and other communications that you send us or otherwise contribute, such as customer support inquiries. Please be aware that information on public parts of our sites is available to others.
- Information shared with us about you by an individual who has purchased a Gift Card for you. This information is your name and email address.
- Information shared with us about you by a person or service acting as your concierge to make a Booking on your behalf, or by a Merchant for purposes of making a Booking on your behalf.
- Information you share with us in connection with surveys, contests or promotions.
- Information about individuals who own or work for either Merchants who use the Services or for businesses who may benefit from using the Services.
- Information from your interactions with the Services (including Merchant Pages). This includes: IP addresses, preferences, web pages you visited prior to coming to our sites, information about your browser, network or device (such as browser type and version, operating system, internet service provider, preference settings, unique device IDs and language and other regional settings), information about how you use the Services (such as timestamps, clicks, scrolling, browsing times, searches, transactions, referral pages, load times, and problems you may encounter, such as loading errors).
- Information we get from our partners to support our marketing initiatives, improve our Services and better monitor, manage and measure our ad campaigns, such as details about when Guests or Merchants interact with our Services via a marketing partner or when an advertising partner shows a Guest one of our ads on or via its advertising platform.
- Other information you submit to us directly or through Third Party Services if you use a Third Party Service to make a Booking and/or create an Account (based on your privacy settings with such Third Party Service).
4. How we collect personal information
We obtain personal information from various sources. We do this in three main ways:
- You provide some of it directly (such as by registering for an Account or completing a Guest diner profile).
- We record some of it automatically when you use our Services (including Merchant Pages), including with technologies like cookies.
- We receive some of it from Merchants or other third parties (like from a Third Party Service when a Guest registers for an Account using a Third Party Service or when a Guest makes a Booking through such Third Party Service, from a Merchant or concierge when a Booking is initiated by such Merchant or concierge on behalf of a Guest or from our payment processor when a Guest makes a Paid Booking or a Merchant purchases a subscription).
We've described this in more detail below.
a. Personal information you provide
When you use our Services, we collect information from you in a number of ways. For instance, we ask you to provide your name, email address and phone number in order to enable you to register and manage your Account. If you elect to provide us with Guest Diner Profile Information, we also collect that information from you. We also collect information about your Bookings and maintain your marketing preferences and the emails and other communications that you send us or otherwise contribute, such as customer support inquiries. You might also provide us with information in other ways, including by responding to surveys, submitting a form or participating in contests or similar promotions.
Sometimes we require you to provide us with information for contractual or legal reasons. For example, we may ask a Guest to provide information involving a chargeback dispute or to provide a mailing address and/or select their jurisdiction when they make a Paid Booking to determine if, and how much, tax we need to collect from the Guest on behalf of a Merchant. We'll normally let you know when information is required, and the consequences of failing to provide it. If you do not provide personal information when requested, you may not be able to use our Services if that information is necessary to provide you with the service or if we are legally required to collect it.
b. Personal information obtained from your use of our Services
When you use our Services, we collect information about your activity on and interaction with the Services (including Merchant Pages), such as your IP address(es), your device and browser type, the web page you visited before coming to our sites, what pages on our sites you visit and for how long and identifiers associated with your devices. If you've given us permission through your device settings, we may collect your location information in our mobile apps.
c. Personal information obtained from other sources
If you use a Third Party Service to register for an Account, the Third Party Service may provide us with your Third Party Service account information on your behalf, such as your name and email address (we don't collect or store passwords you use to access Third Party Services). If you use a Third Party Service to make a Booking, the Third Party Service will provide us with Basic Guest Information on your behalf. Your privacy settings on the Third Party Service usually control what they share with us. Make sure you are comfortable with what they share by reviewing their privacy policies and, if necessary, modifying your privacy settings directly on the Third Party Service.
If a Guest doesn't have an Account with us, Bookings may sometimes be initiated by a concierge or Merchant on behalf of a Guest. For example, this might happen if you use a concierge or if you call a Merchant or visit a Merchant's location in person. When a concierge- or Merchant-initiated Booking occurs, necessary information is collected by Tock in order to facilitate the Booking. For clarity, Merchants may also add Merchant-Controlled PI about a Guest into our Services.
5. How we use your personal information
We use the personal information we obtain about you for the following purposes:
- Provision of the Services to you and our Merchants. Create and manage your Account, make Bookings, process payments, respond to your inquiries and enable Merchants to contact you and remember you and your preferences to customize and optimize your experiences.
- Communicating with you. Communicate with you, including by sending you emails about your or your business' transactions and Service-related announcements.
- Surveys and contests. Administer surveys, contests and other promotions.
- Promotion. Promote our Services and send you tailored marketing communications about products, services, offers, programs and promotions of Tock and our Merchants and partners and measure the success of those campaigns. For example, we may send different marketing communications to you based on what we think may interest you based on other information we hold about you.
- Advertising. Analyze your interactions with our Services and third parties' online services so we can tailor our advertising to what we think will interest you. For example, we may decide not to advertise our Services to you on a social media site if you already have an Account or we may choose to serve you a particular advertisement based on previous Bookings you've made or what we think may interest you based on other information we hold about you.
- Improving our Services. Analyze and learn about how the Services are accessed and used, evaluate and improve our Services (including by developing new products and services and managing our communications) and monitor and measure the effectiveness of our advertising. We usually do this based on anonymous, pseudonymized or aggregated information which does not identify you directly. For example, if we learn that most Guests or Merchants use a particular integration or feature, we might wish to expand on that integration or feature.
- Security. Ensure the security and integrity of our Services.
- Third party relationships. Manage our vendor and partner relationships.
- Protection. Protect our and others' interests, rights and property (e.g., to protect our Guests and Merchants from abuse).
- Complying with law. Comply with applicable legal requirements, such as tax and other government regulations and industry standards, contracts and law enforcement requests.
We process your personal information for the above purposes when:
- Consent. You have consented to the use of your personal information in a particular way. When you consent, you can change your mind at any time.
- Performance of a contract. We need your personal information to provide you with services and products requested by you, or to respond to your inquiries. In other words, so we can perform our contract with you or take steps at your request before entering into one. For example, we need your email address so you can sign in to your Account.
- Legal obligation. We have a legal obligation to use your personal information, such as to comply with applicable tax and other government regulations or to comply with a court order or binding law enforcement request.
- Legitimate interests. We have a legitimate interest in using your personal information. In particular, we have a legitimate interest in the following cases:
  - To operate the Tock business and enable our Merchants to utilize the Services to run their businesses.
  - To provide you with tailored advertising and communications to develop and promote our business.
  - To analyze and improve the safety and security of our Services - we do this as it is necessary to pursue our legitimate interests in ensuring Tock is secure, such as by implementing and enhancing security measures and protections and protecting against fraud, spam and abuse.
  - To provide and improve the Services, including any personalized services - we do this as it is necessary to pursue our legitimate interests of providing an innovative and tailored offering to Guests and Merchants on a sustained basis.
  - To share your personal information with our affiliates (including Squarespace) that help us provide and improve the Services.
  - To comply with a court order or binding law enforcement request.
  - To anonymize and subsequently use anonymized information.
- Protecting you and others. To protect your vital interests, or those of others.
- Others' legitimate interests. Where necessary for the purposes of a third party's legitimate interests, such as our partners who have a legitimate interest in delivering tailored advertising to you and monitoring and measuring its effectiveness or our Merchants who have a legitimate interest in having the Services (including their Merchant Pages) function properly and securely and analyzing the usage of their Merchant Pages so they can understand trends and improve their services.
6. How we share your personal information
We share personal information in the following ways:
- Affiliates. We share personal information with our affiliates when it is reasonably necessary or desirable, such as to help provide services to you or analyze and improve the services we or they provide.
- Merchants. We share Guest personal information with our Merchants when a Guest visits the Merchant Page of a Merchant or makes a Booking with a Merchant.
  - If a Merchant has configured their Merchant Page to provide analytics to them, including as may be provided by a Third Party Service, the Merchant will receive personal information of visitors to that Merchant Page.
  - When a Guest makes a Booking, we share Guest Booking Information to the Merchant with whom the Guest made the Booking. “Guest Booking Information” means Basic Guest Information and may also include Guest Diner Profile Information.
- Business partners. We may share personal information with business partners. For example, we may share your personal information with a business partner when our Services are integrated with their Third Party Services, but only when you have been informed or would otherwise expect such sharing.
- Service providers. We share personal information with our service providers that perform services on our behalf. For example, we may use third parties to help us provide customer support, manage our advertisements on other sites, send marketing and other communications on our behalf or assist with data storage.
- Process payments. We transmit some of your personal information via an encrypted connection to our payment processor.
- Advertising. We share personal information with third parties so they and we can provide you with tailored advertising and measure and monitor its effectiveness. For example, we may share your pseudonymized email address with a third party social media platform on which we advertise to avoid serving Tock ads to people who already use Tock.
- Business transfers. If we're involved in a reorganization, merger, acquisition or sale of some or all of our assets, your personal information may be transferred as part of that deal or the negotiation of contemplated deals.
7. Your rights and choices
Where applicable law requires (and subject to any relevant exceptions under law), you may have the right to access, update, change or delete personal information.
If you are a Merchant, you can access, update, change or delete Merchant Controlled PI of your Guests directly in your Account.
If you are a Guest:
- You can access, update, change or delete Tock Controlled PI either directly in your Account or by contacting us at firstname.lastname@example.org to submit your request.
- You will need to reach out to any Merchants with whom you have made a Booking in order to request they delete any Merchant Controlled PI they hold about you.
- You can also delete your account by following the instructions on this Guest help center page. Please note that we may need to verify your identity in connection with your requests, and such verification process may, if you do not have access to your Account, require you to provide us with additional information we maintain about you to verify your identity. Even if you have access to your Account, we may request additional information if we believe it's necessary to verify your identity. If we are unable to verify your identity or request, we may not, in accordance with applicable law, be able to fulfill your request.
- You can also elect not to receive marketing communications by following the unsubscribe instructions in such communications.
Please note that, for technical reasons, there is likely to be a delay in deleting your personal information from our systems when you ask us to delete it. We also will retain personal information in order to comply with the law, protect our and others' rights, resolve disputes or enforce our legal terms or policies, to the extent permitted under applicable law.
You may have the right to restrict or object to the processing of your personal information or to exercise a right to data portability under applicable law. You also may have the right to lodge a complaint with a competent supervisory authority, subject to applicable law. If you are subject to EU data protection laws, we suggest you lodge any such complaints with our lead supervisory authority:
Irish Data Protection Commissioner
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28
Phone 01 7650100 & 1800437 737
If you are a resident of the United Kingdom (the “UK”) or otherwise subject to UK data protection laws, you may lodge such complaints with the UK supervisory authority:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF United Kingdom, Phone 0303 123 1113, Live Chat
Additionally, if we rely on consent for the processing of your personal information, you have the right to withdraw it at any time and free of charge. When you do so, this will not affect the lawfulness of the processing before your consent withdrawal.
8. How we protect your personal information
While no service is completely secure, we have a security team dedicated to keeping personal information safe. We maintain administrative, technical and physical safeguards that are intended to appropriately protect against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse and any other unlawful form of processing, of the personal information in our possession. We employ security measures such as using firewalls to protect against intruders, building redundancies throughout our network (so that if one server goes down, another can cover for it) and testing for and protecting against network vulnerabilities.
9. How we retain your personal information
The precise periods for which we keep your personal information vary depending on the nature of the information and why we need it. Factors we consider in determining these periods include the minimum required retention period prescribed by law or recommended as best practice, the period during which a claim can be made with respect to an agreement or other matter, whether the personal information has been aggregated or pseudonymized, and other relevant criteria. For example, the period we keep your email address is connected to how long your Account is active.
Please note that in the course of providing the Services, we collect and maintain aggregated, anonymized or de-personalized information which we may retain indefinitely.
10. Data transfers
Personal information that you submit through the Services may be transferred to countries other than where you live, such as, for example, to our servers in the U.S. We also store personal information locally on the devices you use to access the Services.
Your personal information may be transferred to countries that do not have the same data protection laws as the country in which you initially provided the information. For example, data we store may be accessible to law enforcement and national security authorities under certain circumstances.
We rely upon a number of means to transfer personal information which is subject to: (a) the European General Data Protection Regulation (“GDPR”) in accordance with Chapter V of the GDPR; or (b) applicable UK data privacy laws in accordance therewith. References to GDPR and its provisions include the GDPR as amended and/or incorporated into UK law. These include:
- Standard data protection clauses. We transfer, in accordance with Article 46 of the GDPR, personal information to recipients that have entered into the European Commission approved contract for the transfer of personal data outside the European Economic Area (“EEA”). We transfer, in accordance with UK law, personal information to recipients that have entered into the UK Information Commissioner's Office approved international data transfer agreement and the UK addendum to such European Commission approved contract.
- Other means. We may, in accordance with Articles 45 and 46 of the GDPR, transfer personal information to recipients that are in a country the European Commission or a European or UK data protection supervisory authority has confirmed, by decision, offers an adequate level of data protection, pursuant to an approved certification mechanism or code of conduct, together with binding, enforceable commitments from the recipient to apply the appropriate safeguards, including as regards data subjects' rights, or to processors which have committed to comply with binding corporate rules.
- Data Privacy Frameworks. We transfer personal data to the US from, as applicable, the EEA, Switzerland and the UK pursuant to the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Frameworks (each individually and jointly, the “Data Privacy Frameworks”). In accordance with Article 45 of the GDPR, an adequacy decision was adopted for the EU-U.S., Swiss-U.S. and UK Extension to the EU-U.S. Data Privacy Frameworks.
You can find out more information about these transfer mechanisms here or you can request a copy from us.
11. Data Privacy Frameworks
Tock complies with the Data Privacy Frameworks to provide a legal basis for transfers of personal data to the US from, as applicable, the EEA, Switzerland and the UK. Our affiliate Squarespace, Inc. has certified its compliance to the Data Privacy Frameworks, and we are a covered entity under their certification.
Tock is committed to treating personal information received from the EEA, Switzerland and the UK pursuant to the Data Privacy Frameworks in accordance with the principles thereof (the “DPF Principles”). You can find Squarespace, Inc.'s certification here and you can learn more about the Data Privacy Frameworks and DPF Principles by visiting https://www.dataprivacyframework.gov/.
If you have a question or complaint you believe to be within the scope of our Data Privacy Frameworks certification, please contact us first at email@example.com, or using the contact details in the “How to contact us” section below. We'll respond within 45 days.
For any complaints that we can't resolve directly, JAMS is the independent organization responsible for reviewing and resolving complaints about our Data Privacy Frameworks compliance. You can contact JAMS free of charge at https://www.jamsadr.com/eu-us-data-privacy-framework. JAMS is an alternative dispute resolution provider based in the U.S.
If your concern still isn't addressed by JAMS, you may be entitled to a binding arbitration under the DPF Principles. For purposes of enforcing compliance with the Data Privacy Frameworks, we are subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission.
13. How to contact us
If you are a resident of or have your principal place of business in the US:
Attention: Legal - Privacy
320 N Sangamon Street, 6th Floor
Chicago, IL 60607 United States
If you are a resident of or have your principal place of business anywhere other than the US:
Squarespace Ireland Limited
Attention: Legal - Privacy
Squarespace House
Ship Street Great
Dublin 8, D08N12C
If you are a resident of or have your principal place of business in the UK, you may prefer to write to Squarespace UK Limited, Attention: Legal - Privacy, 10 John Street, London, WC1N 2EB United Kingdom.