Chowbus Privacy Policy

Effective: March 2026

Chowbus, Inc. ("Chowbus," "we," "us" or "our") respects your privacy. This Privacy Policy (this "Policy") explains how we collect, use, disclose, and otherwise process personal information in connection with the following products and services operated by Chowbus in the United States:

• Restaurant Clients Branded Mobile Applications that we provision to our restaurant Clients and that their end customers use to browse menus, place orders, make payments, and otherwise interact with the Restaurant Clients (the "Restaurant Branded Apps");
• Restaurant Clients Loyalty Programs that we host or otherwise make available for our Restaurant Clients to provide to their End Customers (the "Loyalty Programs");
• Restaurant Client Gift Card Programs that we host or otherwise make available for our Restaurant Clients to provide to their End Customers (the "Gift Card Programs"); and
• The publicly available Chowbus website located at chowbus.com and any website that displays or links to this Policy (collectively, the "Website").

This Policy applies only to our collection and processing of personal information in connection with the Restaurant Branded Apps, Loyalty Programs, Gift Card Programs, and the Website (collectively, the "Services"). Chowbus and its Restaurant Clients currently operate and process personal information only in the United States.

This Policy is incorporated into and subject to the Chowbus Terms of Use. By accessing or using the Services, you agree to our collection, use, and disclosure of your personal information as described in this Policy and in accordance with our Terms of Use. If you do not agree with this Policy and/or Terms of Use, please do not use the Services.

Personal Information means any information that identifies, relates to, describes, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, consumer or household.

Scope and Users

This Policy is intended to explain our privacy practices with respect to the following categories of users:

• Restaurant Clients (Business Customers). Restaurants and other food service businesses that enter into agreements with Chowbus to deploy Restaurant Branded Apps and to operate Loyalty Programs and Gift Card Programs ("Restaurant Clients").
• End Customers of Restaurant Clients. Individual users of the Restaurant Branded Apps and participants in Loyalty Programs and Gift Card Programs offered by our Restaurant Clients ("End Customers").
• Website Visitors. Individuals who visit or interact with our Website ("Website Visitors").

Relationship of the Parties and Data Ownership

Restaurant Clients as Owners of End Customer Data

For the Restaurant Branded Apps, Loyalty Programs, and Gift Card Programs, Restaurant Clients are the owners of the personal information of their End Customers collected through these Services. They solely determine the purposes and means of processing that End Customer personal information, subject to applicable law and their own privacy notices and processes.

Chowbus as Service Provider / Processor

With respect to End Customer personal information processed in connection with the Restaurant Branded Apps, Loyalty Programs, and Gift Card Programs, Chowbus acts as a "service provider" or "processor" to Restaurant Clients under applicable US state privacy laws. This means that Chowbus processes end customer personal information only:

• to provide the Services to the relevant Restaurant Client and to perform our contractual obligations;
• to maintain, secure, and improve the Services and related infrastructure used to provide the Services;
• to comply with applicable law, legal process, or enforceable governmental requests; and
• for such other limited purposes as may be permitted for service providers/processors under applicable US state privacy laws.

Please note that Chowbus does not sell, share, or otherwise use End Customers' personal information for its own independent marketing or other purposes unrelated to providing the Services to Restaurant Clients. Any use of End Customers' personal information by Chowbus is on behalf of, and subject to the instructions of, the relevant Restaurant Client and our written agreement with that Restaurant Client, except where otherwise required or permitted by law.

Chowbus as a Business / Controller

In some contexts, Chowbus acts as an independent "business" or "controller" under applicable US state privacy laws, including when we process personal information:

• about Restaurant Clients (for example, contact details of restaurant personnel responsible for managing the relationship with Chowbus); and
• about Website Visitors who visit or interact with the Website (when individuals access the Website, fill out forms, sign up for communications, or otherwise engage directly with Chowbus via the Website).

When Chowbus acts as a business/controller, we determine the purposes and means of processing the personal information and are directly responsible for compliance with applicable privacy laws with respect to that processing. The sections of this Policy that describe consumer privacy rights, including rights under the California Consumer Privacy Act (CCPA/CPRA) and other similar US state laws, apply to the extent Chowbus is acting as a business/controller.

Personal Information We Collect

The personal information we collect depends on how you interact with the Services and whether you are a Restaurant Client, an End Customer, or a Website Visitor. We may collect the following categories of personal information:

Contact and Account Information

• Full name;
• Business name and role or title (for Restaurant Clients and their personnel);
• Postal address (billing, shipping, or delivery address);
• Email address;
• Telephone number or mobile number; and
• Username, password, and other credentials for accounts hosted on the Services.

Transaction and Payment Information

• Order details (items ordered, date and time, price, special instructions, restaurant location);
• Payment method details (such as partial credit/debit card numbers, card type, expiration date, and billing address) processed through our third-party payment processors;
• Gift card purchases, balances, redemptions, and transaction history; and
• Loyalty Program enrollment, point balances, rewards earned and redeemed, and related activity.

Identifiers and Online Activity (collected automatically)

• IP address, device identifiers, and cookie identifiers;
• Browser type, operating system, and app version;
• Logs of access dates and times, pages or screens viewed, referring/exit pages, and clickstream data;
• Information about how you interact with the Restaurant Branded Apps and the Website (for example, features used, links clicked, and time spent on pages); and
• User-generated content (such as reviews, ratings, comments, photos, or other content you may submit through the Services).

Location Information

• Approximate location information derived from your IP address; and
• Precise geolocation information from your device when you choose to enable location services within a Restaurant Branded Apps (for example, to find nearby restaurant locations, estimate delivery times, or support fraud detection and security).

You may disable collection of precise location information through your device or browser settings, but doing so may affect certain features of the Services.

Demographic and Preference Information

• Age range, gender, language preferences, and similar demographic information to enable your access to and use of the Services (where permitted by law); and
• Inferences and profile information drawn from the categories described above, such as cuisine preferences, frequency of visits, and purchase patterns.

Communications and Support Information

• Records of communications with us or with Restaurant Clients through the Services, including emails, in-app messages, and chat content;
• Customer support inquiries and related notes; and
• Call recordings and transcripts of customer support calls, where permitted by law and where you consent.

Business Relationship Information (Restaurant Clients)

• Business contact information for Restaurant Client personnel, including owners, managers, and authorized representatives;
• Information about the Restaurant Client's locations, menus, and operational preferences; and
• Contractual, billing, and account management information relating to our relationship with Restaurant Clients.

Job Applicants

We collect the following categories of personal information regarding job applicants:

• Personal and online identifiers (such as first and last name, email address, cellphone number or unique online identifiers).
• Categories of information described in Section 1798.80(e) of the California Civil Code (such as physical characteristics or description, social security number, driver’s license or state identification number, address, insurance policy number, and bank account number).
• Characteristics of protected classifications under California or federal law (such as race or gender).
• Internet or other electronic network activity information (such as browsing history, search history, interactions with a website, email, application, or advertisement).
• Geolocation information.
• Professional or employment-related information.
• Education information.
• Inferences drawn from the above information about your predicted characteristics and preferences.
• Other information about you that is linked to the personal information listed above.

We use and disclose the personal information to process, evaluate and communicate with job applicants about their application and qualifications for the position applied for, to check your references and to communicate with you about other jobs for which you may be qualified.

How We Collect Personal Information

We collect personal information in a variety of ways, including:

• Directly from you. We collect personal information that you provide directly, such as when you create an account with a Restaurant Branded App, enroll in a Loyalty Program, purchase or redeem a Gift Card, place an order, contact customer support, make an inquiry, or otherwise communicate with us or a Restaurant Client through the Services.
• From Restaurant Clients. To the extent permitted by our agreement with the Restaurant Client and applicable law, we may receive End Customer personal information from Restaurant Clients (for example, to register accounts, manage Loyalty or Gift Card Programs, or migrate data from legacy systems).
• Automatically through the Services. We and our service providers automatically collect certain information about your device and usage of the Restaurant Branded Apps and the Website through cookies, pixels, SDKs, and similar technologies, as described in the "Cookies and Similar Technologies" section below.
• From Service Providers and Partners. We may obtain information from payment processors, analytics providers, fraud prevention partners, marketing and advertising partners (to the extent we engage them), and other vendors that support our Services.
• From Social Media and Third-Party Platforms. If you choose to connect or interact with us or with a Restaurant Client through a social media or third-party platform (for example, by using a social sign-on, or by liking or following our pages), we may receive information from that platform in accordance with its privacy practices and your settings.

How We Use Personal Information

We use personal information for the following purposes and in reliance on one or more of the following bases: to provide and operate the Services, to perform our contracts, to comply with legal obligations, and for other legitimate business purposes consistent with applicable law.

Providing the Services to Restaurant Clients and End Customers

We use personal information to:

• Provision, host, and maintain Restaurant Branded Apps, Loyalty Programs, and Gift Card Programs for Restaurant Clients;
• Create and manage user accounts, including End Customer accounts and Restaurant Client administrative accounts;
• Process and fulfill orders placed through Restaurant Branded Apps, including transmitting order details to Restaurant Clients and facilitating pickup or delivery;
• Process payments, refunds, discounts, promotions, and Gift Card purchases and redemptions via our third-party payment processors;
• Administer Loyalty Programs, including tracking points, rewards, and status tiers, and enabling reward redemptions;
• Facilitate communications between End Customers and Restaurant Clients (for example, order confirmations, status updates, and service messages); and
• Provide customer service and support for Restaurant Clients and End Customers in connection with the Services.

Operating and Improving the Website and Platform

We use personal information to:

• Operate, maintain, and secure the Website and the infrastructure that supports the Services;
• Monitor and analyze trends, usage, and activities in connection with the Services;
• Debug, identify, and repair errors and improve the performance, security, and user experience of the Services;
• Develop new features, products, or services that may benefit Restaurant Clients and, where applicable, their End Customers; and
• Conduct internal research and analytics regarding the operation of and to improve our Services.

Communications

• Transactional and Service Communications. We use contact and account information to send you transactional communications related to your use of the Services, such as confirmations, technical notices, updates, security alerts, and support messages.
• Marketing and Promotional Communications. When Chowbus is acting as a business/controller (for example, with respect to Restaurant Clients or Website Visitors), we may use your contact information to send you marketing and promotional communications about Chowbus and our Services, in accordance with applicable law and your communication preferences. You can opt out of such communications as described in the "Your Choices" section below. Please note that we do not send marketing communications to our Restaurant Clients’ End Customers regarding our offers or promotions.
• Communications on Behalf of Restaurant Clients. In our role as a service provider, we may send communications to End Customers on behalf of Restaurant Clients (for example, notifications about Loyalty rewards, Gift Card status, or restaurant-specific promotions) at the direction of the Restaurant Client.

Security, Fraud Prevention, and Legal Compliance

We use personal information to:

• Protect the security and integrity of the Services, our systems, and our users;
• Detect, investigate, and help prevent fraud, abuse, security incidents, and other harmful or illegal activities;
• Verify identities and authenticate accounts, including in connection with high-risk or unusual transactions;
• Comply with and enforce applicable laws, regulations, court orders, and legal process; and
• Enforce our terms and agreements with Restaurant Clients and other counterparties.

Other Purposes with Your Consent or as Permitted by Law

We may use personal information for other purposes not included in this Policy that we describe at the time of collection or with your consent, or as otherwise permitted by applicable law.

How We Share Personal Information

We do not sell (to third parties such as data brokers) or share (for cross-context behavioral advertising purposes) personal information that we process as a service provider/processor for Restaurant Clients. We share personal information only as described in this Policy, with:

Restaurant Clients

• For End Customers using the Restaurant Branded Apps, Loyalty Programs, or Gift Card Programs, we share personal information with the applicable Restaurant Client to enable them to operate and manage those services, fulfill orders, administer Loyalty and Gift Card Programs, and otherwise interact with their End Customers.

Service Providers and Vendors

• We share personal information with third-party service providers and vendors that perform services on our behalf, such as hosting, cloud infrastructure, data storage, payment processing, fraud detection, analytics, customer support tools, email and SMS delivery, and IT and security services.
• These service providers are authorized to use personal information only as necessary to provide services to us and are subject to contractual obligations to protect personal information.

Business Partners and Integrations

• At the direction of a Restaurant Client, we may share End Customer information with third-party platforms or tools that integrate with the Restaurant Client's systems (for example, point-of-sale systems, customer relationship management platforms, or marketing tools). Such sharing is controlled by the Restaurant Client, and the third party's use of the information is subject to its own privacy policy.

Corporate Transactions

• We may disclose or transfer personal information in connection with, or during negotiations of, any merger, acquisition, financing, reorganization, sale of company assets, or transition of service to another provider.

Legal Requirements and Protection of Rights

• We may disclose personal information if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law, a subpoena, court order, or other legal process or request; (b) protect the rights, property, or safety of Chowbus, our Restaurant Clients, End Customers, Website Visitors, or others; or (c) enforce our terms, policies, and agreements.

With Your Consent or at Your Direction

• We may share personal information with third parties when you direct us to do so, when you use a feature of the Services that requires sharing, or when you otherwise provide your consent.

Cookies and Similar Tracking Technologies

A “cookie” is a small text file stored in your browser when you visit a Restaurant Branded app or the Website and, in some cases, the websites of our business partners, service providers or other third parties. We and our service providers use cookies, pixel tags, software development kits (SDKs), and similar tracking technologies (collectively, “Cookies”) to operate the Restaurant Branded Apps and the Website, understand usage patterns, and improve the Services. We use session cookies (stored only during a single visit) and persistent cookies (stored beyond a single visit) to provide our Services and for the purposes described in this Statement. Cookies may be set by us (first-party cookies) or by third parties acting on our behalf (third-party cookies), such as Google Analytics.

We may deploy Cookies on the Restaurant Branded Apps and/or the Website for the following purposes:

• Allowing you to navigate and use features of the Services (Strictly Necessary Cookies);
• Recognizing you when you return and remembering your preferences (Functional Cookies);
• Analyzing how the Services are used and measuring performance (Analytics Cookies); and
• Providing and measuring advertising and marketing communications (Advertising Cookies), in accordance with applicable law and your choices.

You may be able to manage Cookies through your browser or device settings. However, if you disable certain Cookies, some features of the Services may not function properly. For more information about Cookies and your choices, see allaboutcookies.org. You also may refer to the “Your Privacy Rights and Choices” section below and any cookie-specific notices we may provide. Where required by law, we will obtain your consent before placing non-essential Cookies.

In addition, we may use web beacons, pixel tags, and similar technologies on the Restaurant Branded Apps and Website and in emails to determine whether a page has been viewed or an email has been opened. These tools help us understand which pages and features are most popular, which emails are effective, and how to make the Services and our communications more user-friendly.

Note: We do not use your personal information to serve you with targeted online ads (also called cross-context behavioral advertising), whether on the Website or when you visit third-party websites.

Analytics

We use analytics services, including Google Analytics, to collect information about your use of the Platform. Google Analytics uses cookies to collect information such as how often you visit the Platform, what pages you visit, and what other sites you used prior to visiting.

You may find additional information about how Google Analytics collects and processes data at Google’s Privacy & Terms. You may opt out of Google Analytics by installing the browser add-on available at Google Analytics Opt-Out.

Do Not Track

Some browsers offer a “Do Not Track” (“DNT”) feature. Because there is no widely accepted standard for how to interpret DNT signals, neither the Restaurant Branded Apps nor Website currently responds to DNT signals. We will update this policy if a uniform standard is established.

Data Retention

We retain personal information for as long as reasonably necessary to achieve the purposes described in this Policy or as otherwise required or permitted by law, including for the purposes of satisfying any legal, regulatory, accounting, or reporting obligations, resolving disputes, enforcing our agreements and our legitimate business purposes (including maintaining backup copies for data integrity and disaster recovery).

Where we act as a service provider or processor to Restaurant Clients, we retain End Customers’ personal information for the period specified in our agreements with the relevant Restaurant Clients and in accordance with their instructions, subject to our own legal obligations and applicable law.

Information Security

We implement reasonable administrative, technical, and physical security measures to protect your information from unauthorized access, disclosure, alteration, or destruction. These measures include encryption of data in transit, access controls, and regular security assessments.

BE ADVISED THAT NO DATA TRANSMISSION OVER THE INTERNET OR ANY WIRELESS NETWORK CAN BE GUARANTEED TO BE 100% SECURE. WHILE WE STRIVE TO PROTECT YOUR PERSONAL INFORMATION USING COMMERCIALLY AVAILABLE AND INDUSTRY-STANDARD SECURITY MEASURES, WE CANNOT ENSURE OR GUARANTEE THE SECURITY OF ANY INFORMATION YOU TRANSMIT TO US, AND YOU DO SO AT YOUR OWN RISK.

If we determine that your personal information has been or may reasonably have been compromised due to a security breach of our systems, we will notify you in accordance with and to the extent required by applicable law using the contact information we have on file.

Electronic Records

We maintain backup files as protection against natural disasters, equipment failures or other disruptions. Backup files may contain records with your personal information. Removing a record from our active files and databases does not remove that record from backup systems. Backup data will be passively deleted as backup records are recycled through our normal business processes. As long as backup records exist, they receive the same security protections as our active records.

Children’s Privacy

The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent. If we learn that we have collected personal information from a child under 13 without such consent, we will take reasonable steps to delete it. If you believe that we may have collected personal information from a child under 13, please contact us using the information in the “Contact Us” section below.

Located in the United States.

We control and operate the Services and supporting infrastructure in the United States. Although we do not actively block or monitor visitors from other countries, the online and mobile resources are directed only at visitors from the United States who are age 13 or older. If you are located outside the United States when accessing and using the Services, be aware that your personal information may be transferred to, stored, and processed by us and/or our third-party cloud providers in the United States. Further, you fully understand and unambiguously consent to this transfer, processing and storage of your personal information in the United States, which privacy laws may not be as comprehensive as those in the country where you reside and/or are a citizen. Note also that your personal information may be available to the U.S. government or U.S. law enforcement under appropriate legal processes in the United States.

US State Privacy Notices (Including California)

Certain US state privacy laws, including the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (collectively, the “CCPA”), as well as similar consumer privacy laws in other US states, provide residents of those states with specific rights regarding their personal information. This section describes those rights and how to exercise them, to the extent these laws apply.

Important: For End Customers, Chowbus often acts as a “service provider” or “processor” on behalf of Restaurant Clients, who are typically the “businesses” or “controllers” under these laws. In such cases, we will generally direct End Customers to submit requests directly to the applicable Restaurant Client, and we will support our Restaurant Clients in responding to those requests as required by law and by our agreements with them.

Categories of Personal Information We Collect (CCPA/Similar Laws)

In the preceding 12 months, we may have collected the following categories of personal information (as defined by the CCPA and similar laws) in connection with the Services:

• Identifiers (e.g., name, email address, postal address, phone number, IP address, device identifiers);
• Customer records and account information (e.g., account credentials, billing information);
• Commercial information (e.g., order history, loyalty and gift card transactions);
• Internet or other electronic network activity information (e.g., browsing history, usage data);
• Geolocation data (e.g., IP-based location, precise location where enabled);
• Audio, electronic, visual, or similar information (e.g., customer support call recordings, user-generated content);
• Inferences drawn from other personal information (e.g., preferences and characteristics); and
• Professional or employment-related information for Restaurant Clients and their personnel (e.g., business contact details, role).

Purposes for Collection and Disclosure

We collect and disclose the categories of personal information listed above for the business and commercial purposes described in the “How We Use Personal Information” and “How We Disclose Personal Information” sections of this Policy.

Disclosures for Business Purposes

In the preceding 12 months, we may have disclosed the categories of personal information listed above for “business purposes” (as such term is defined under the CCPA and similar laws) to the following categories of recipients:

• Restaurant Clients (for End Customers’ interactions with the Restaurants Clients);
• Our service providers and contractors;
• Affiliated entities and corporate transaction counterparties;
• Governmental authorities and third parties in connection with legal, compliance, and safety purposes; and
• Other third parties with your consent or at your direction.

Sales and Sharing of Personal Information

We do not “sell” (to third parties such as data brokers) or “share” (for purposes of cross-context behavioral advertising) End Customers’ personal information that we process solely as a service provider or processor to Restaurant Clients. Accordingly, we have not implemented Global Privacy Controls or other browser-based opt-out signals.

Other California Notices

Pursuant to California’s “Shine The Light law (California Statute § 1798.983), California residents are entitled to request, once a year and free of charge, certain information regarding what types of their personal information may be shared with third parties and, in some cases, affiliates, for those third parties’ and affiliates’ own direct marketing purposes. Under the law, a business is to either provide California customers certain information upon request or permit California customers to opt out of this type of sharing. Note, however, that we do not sell, rent, lease or otherwise make available personal information to third parties for their marketing purposes, unless giving you a choice before disclosing your personal information to third parties for this purpose. For questions, please contact us via email at: privacy@chowbus.com.

For California residents under the age of 18 and registered users of a Restaurant Branded App or our Website, California law (Business and Professionals Code § 22581) provides that you can request the removal of content or information you posted on a Restaurant Branded App or Website. Any such request should be sent to us at: privacy@chowbus.com along with a description of the posted content or other information to be removed. Be advised, however, that applicable law may not permit us to completely or comprehensively remove your deleted content or for other reasons as set forth in this California law.

Note: Chowbus does not control and is not responsible for Restaurant Clients’ use of End Customer personal information for their or third-party marketing efforts.

Your Privacy Rights and Your Choices

Your Privacy Rights.

Subject to applicable law, residents of certain US states (including California) may have the following rights regarding their personal information:

• Right to Know/Access. The right to request that we disclose the personal information we have collected about you, including specific pieces of information and additional details about our data practices.
• Right to Delete. The right to request that we delete personal information that we have collected from you, subject to certain exceptions.
• Right to Correct. The right to request that we correct inaccurate personal information that we maintain about you.
• Right of Portability. Where technically feasible and required by law, you may request a copy of your personal information in a structured, commonly used, machine-readable format.
• Right to Opt Out of Sales or Sharing. The right to direct us not to sell or share your personal information, as those terms are defined in the CCPA or other US state consumer privacy law.
• Right to Non-Discrimination. We will not discriminate against you for exercising your privacy rights.

To submit a request, contact us at: privacy@chowbus.com. We may ask to verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

Account Information

Where you have an account for a Restaurant Branded App, Loyalty Program, or Gift Card Program, you may be able to update certain account information directly through that account. End Customers may also contact the relevant Restaurant Client or Chowbus to request updates or corrections, subject to our roles and obligations under applicable law.

Marketing Communications

You may opt out of receiving marketing emails from Chowbus by following the unsubscribe instructions included in those emails or by contacting us. Please note that even if you opt out of marketing emails, we may still send you non-promotional communications, such as transactional or service-related messages.

End Customers who wish to opt out of marketing communications from Restaurant Clients should follow the instructions provided in those communications or contact the Restaurant Client directly. Note: Chowbus does not control and is not responsible for Restaurant Clients’ use of End Customer personal information for their or third-party marketing efforts.

Cookies and Online Tracking

You may be able to set your browser to refuse cookies or to alert you when cookies are being sent. You may also use industry tools and device settings to limit certain advertising or analytics cookies and similar technologies. Please refer to your browser or device documentation for more information. Also see allaboutcookies.org for further information.

Updating or Amending Your Information

You may update your information through your account settings in a Restaurant Branded App or by contacting the relevant Restaurant Client or us at: privacy@chowbus.com.

Third-Party Websites

This Policy only applies to information collected when visiting our Websites or otherwise using our Services. While visiting our Website or using the Services, you may be directed through links to third-party websites or services that are not operated or controlled by us. We are not responsible for the privacy practices and policies of these third parties. As a result, we encourage you to review the privacy policies of these third-party websites as their practices may differ from ours.

Updates to This Policy

We may update this Policy periodically. If we make material changes, we or the Restaurant Clients will notify you through the Restaurant Branded App or by other reasonable means (such as email to the address associated with your account). The updated Policy will be posted on the Restaurant Branded Apps and the Website with a revised “Last Updated” date. Information collected before changes are made will be treated in accordance with the Policy in effect at the time of collection. Your continued use of the Restaurant Branded App or the Website after the effective date of a revised Privacy Policy constitutes your acceptance of the revised terms.

Questions or Comments

For questions or concerns, contact us at privacy@chowbus.com or by mail:

224 S Michigan Ave, Suite 400

Chicago, IL 60604

Attn: Data Privacy

‍