Search PAR
Get a Demo

EEA, UK, & Switzerland Privacy Rights

Effective Date: August 15, 2025

 TABLE OF CONTENTS

  1. INTRODUCTION
  2. CHANGES AND UPDATES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES
  3. IMPORTANT INFORMATION AND WHO WE ARE
  4. PURPOSE OF THIS PRIVACY POLICY
  5. THIRD-PARTY WEBSITES
  6. THE COLLECTION OF PERSONAL INFORMATION
  7. THE SOURCES FROM WHICH WE COLLECT YOUR PERSONAL INFORMATION
  8. HOW WE USE YOUR PERSONAL INFORMATION
  9. CHOICES ABOUT YOUR PERSONAL INFORMATION
  10. CHILDREN’S PRIVACY
  11. DISCLOSURES OF YOUR PERSONAL INFORMATION
  12. INFORMATION SECURITY
  13. INFORMATION RETENTION
  14. COLLECTION AND USE OF BIOMETRIC INFORMATION
  15. CONTACT INFORMATION

SEPARATE PAGES

  1. EEA, UK, & SWITZERLAND PRIVACY RIGHTS
    1. EU-U.S. DATA PRIVACY FRAMEWORK, UK EXTENSION, AND SWISS-U.S. DATA PRIVACY FRAMEWORK
  2. CALIFORNIA PRIVACY RIGHTS
  3. US STATE PRIVACY RIGHTS
  4. CANADA PRIVACY RIGHTS
  5. AUSTRALIA PRIVACY RIGHTS
Effective Date: August 15, 2025

This section only applies to purchasers (“Data Subjects”) of our products/services that are located in the EEA, UK or Switzerland at the time of data collection. We may ask you to identify which country you are located in when you purchase some of our Products and Services, or we may rely on your IP address to identify your country location. Data subjects in the EEA and UK have certain privacy rights under EU and UK law, including the general data protection regulations (“GDPR”) and UK data protection act 2018. In the event, we collect personal data (as defined in the GDPR) that is subject to the GDPR, this section shall apply. Terms in this section are to be understood in a manner consistent with GDPR including the definitions of such terms in the GDPR. Such terms may have a different definition or meaning in other portions of this privacy policy because GDPR may not apply to those sections.

 

CONTROLLER, JOINT CONTROLLER, AND PROCESSOR

We process personal data as a “processor,” “joint controller,” and as a “controller” under the GDPR. A “controller” is an entity that determines the purposes for which and the manner in which any personal information is processed. Any third parties that act as our service providers are “data processors” that handle your personal information in accordance with our instructions. With respect to your personal data that you enter or that is received through our Sites, PAR is the controller.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity (except as required for affirmative action compliance), religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

 

PROCESSING PURPOSES AND LEGAL BASIS

We process your personal data for the lawful purposes, and under the legal basis, set forth in “HOW WE USE YOUR INFORMATION” section of the Privacy Policy.

 

PRIVACY RIGHTS UNDER GDPR

If you are in the EEA, United Kingdom or Switzerland, you have the following rights (where applicable):

  • Access. You have the right to request a copy of the information we are processing about you;
  • Rectification. You have the right to have incomplete or inaccurate information that we process about you rectified;
  • Deletion. You have the right to request that we delete information that we process about you, except we are not obliged to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise, or defend legal claims;
  • Restriction. You have the right to restrict our processing of your information where you believe such data to be inaccurate; our processing is unlawful; or that we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it;
  • Portability. You have the right to obtain information we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (a) information which you have provided to us, and (b) if we are processing that data on the basis of your consent or to perform a contract with you;
  • Objection. Where the legal basis for processing your information is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests, or if we need to continue to process the data for the establishment, exercise, or defense of a legal claim;
  • Withdrawing Consent. If you have consented to our processing of your information, you have the right to withdraw your consent at any time, free of charge. This includes where you wish to opt out from marketing messages.
  • Lodge a Complaint with a Supervisory Authority. You also have the right to lodge a complaint with the local data protection authority (“DPA”) if you believe that we have not complied with applicable data protection laws. A list of local DPAs in European countries is available here.
 

INVOKE YOUR RIGHTS

You can make a request to exercise any of these rights in relation to your information by contacting us via the “CONTACT INFORMATION” section of the Privacy Policy. For your own privacy and security, at our discretion, we may require you to prove your identity before providing the requested information. Please note that we may take up to 30 days to fulfill such request. We reserve the right to charge a fee when permitted by law, for instance if your request is manifestly unfounded or excessive. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

 

INTERNATIONAL TRANSFERS

We share your personal data with our parent company, PAR Technology Corporation, our Affiliates, and with our IT, development, consulting, hosting and other services providers within the U.S. and other countries. This will involve transferring your data outside the European Economic Area (the “EEA”) to territories which do not provide a level of privacy protection equivalent to that which exists in the EEA. This transfer will be made taking into account all necessary legal safeguards and following a privacy impact assessment of the transfer in question (such safeguards will generally include the conclusion of standard contractual clauses approved by the European Commission and, where necessary, the implementation of additional, usually technical, protection measures, such as encryption of the data). To obtain a copy of the safeguards or for further details about international data transfers, please refer to the “CONTACT INFORMATION” section of the Privacy Policy.

No other transfers of personal data will be made to recipients in jurisdictions that do not provide a level of data protection equivalent to that in the EEA, unless expressly stated otherwise in the specific privacy notice applicable to that transfer.

 

EU-U.S. DATA PRIVACY FRAMEWORK , UK EXTENSION, AND SWISS-U.S. DATA PRIVACY FRAMEWORK 

ParTech, Inc. and its subsidiaries PAR Payment Services, LLC, AccSys, LLC, and Punchh, Inc., (collectively referred to as “PAR”) complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF and Swiss-U.S. Data Privacy Framework (collectively, the “Framework”), as set forth by the U.S. Department of Commerce (the “Department”).  PAR has certified to the Department that it adheres to the EU-U.S. Data Privacy Framework Principles (the “Principles”) with regard to the processing of personal data received from the EU and UK in reliance on the Framework and from the United Kingdom in reliance on the UK Extension to the Framework. PAR has certified to the Department that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Framework, and to view our certification, please visit www.dataprivacyframework.gov.

 

FEDERAL TRADE COMMISSION 

PAR is subject to investigatory and enforcement powers of the U.S. Federal Trade Commission and may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

 

ONWARD TRANSFER

Except as permitted or required by applicable law, PAR provides you with an opportunity to opt out of sharing your personal data with third parties. PAR requires third parties to whom it discloses personal data to contractually agree to: (i) only process the personal data for limited and specified purposes consistent with the consent provided by you; (ii) provide the same level of protection for personal data as is required by the Principles; and (iii) take reasonable and appropriate steps to ensure that the third party effectively processes the personal data in a manner consistent with PAR’s obligations under the Principles; (iv) notify PAR and cease processing personal data if the third party determines that it cannot meet its obligation to provide the same level of protection for personal data as is required by the Principles; (v) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing of the personal data by the third party; and (vi) provide a summary or representative copy of the relevant privacy provisions of the third party contract to the Department, upon request.

Pursuant to the Principles, PAR remains responsible for personal data that it receives under the Framework and subsequently transfers to a third-party agent. In particular, PAR remains responsible and liable under the Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless PAR proves that it is not responsible for the event giving rise to the damage.

 

RIGHT OF ACCESS

You generally have the right to access your personal data. Accordingly, where appropriate, PAR provides you with reasonable access to the personal data PAR maintains about you. PAR also provides a reasonable opportunity for you to correct, amend, or delete the information where it is inaccurate or has been processed in violation of the Framework and Principles, as appropriate. PAR may limit or deny access to personal data where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated. You may request access to your personal data by contacting PAR at privacy@partech.com.

 

LIMITING THE USE AND DISCLOSURE OF YOUR PERSONAL DATA

PAR limits the personal data it processes to that which is relevant for the purposes of the particular processing. PAR does not process personal data in ways that are incompatible with the purposes for which the information was collected or subsequently authorized by the relevant person. In addition, to the extent necessary for these purposes, PAR takes reasonable steps to ensure that the personal data PAR processes is (i) reliable for its intended use, and (ii) accurate, complete and current. In this regard, PAR relies on you to update and correct the relevant personal data to the extent necessary for the purposes for which the information was collected or subsequently authorized. You may contact PAR at privacy@partech.com to request that PAR update or correct relevant personal data.

Subject to applicable law, PAR retains personal data in a form that identifies or renders you identifiable only for as long as it serves a purpose that is compatible with the purposes for which the personal data was collected or subsequently authorized by you.

 

RECOURSE MECHANISM

In compliance with the Framework, PAR commits to resolve Principles-related complaints about our collection or use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the Framework should first contact PAR at privacy@partech.com. We will work to resolve your issue and respond no later than 45 days after receipt.

In compliance with the Framework, PAR commits to refer unresolved complaints concerning our handling of personal data received in reliance on the Framework to the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA) an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your Principles-related complaint to your satisfaction, please visit ICDR/AA at https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of IDCR/AAA are provided at no cost to you.

BINDING ARBITRATION

EU, UK and Swiss individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Framework and Principles compliance not resolved by any of the other mechanisms described above. If you would like to invoke binding arbitration, please notify PAR by using one of the contact methods in the “CONTACT INFORMATION” section of the Privacy Policy and follow the procedures and conditions set forth in Annex 1 of the Principles.

Tiffany Disher, General Manager, MENU North America

Tiffany Disher

General Manager, MENU North America

Tiffany Disher, General Manager, MENU North America, an omni-channel ordering solution to futureproof restaurant’s growing digital sales needs. Before taking on this new role in January 2023, she was an integral part of Punchh’s growth story. She has advised hundreds of customers over the past eight years on their loyalty strategies both from a base program standpoint as well as ongoing marketing strategies. Before Punchh, Tiffany worked for Schlotzsky’s where she supported the brand marketing team by leading loyalty, eClub, R&D, Franchise advisory council and marketing analytics. Tiffany has her Bachelor’s of Science in Economics from University of Oregon and Master’s in Business with a specialty in Marketing from Baylor University. An avid golfer, hiker and mom of two small children, Tiffany spends her limited free time entering into baking competitions.