Privacy Policy

BOOKMYDINING PRIVACY POLICY

Last Updated: 2025-11-30

BookMyDining (“BookMyDining,” “we,” “us,” or “our”) is a Canada-based digital platform that enables diners and merchant partners located in Canada to discover restaurants and make reservations at participating venues. We are committed to protecting personal information in strict compliance with Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec’s Law 25, Alberta’s Personal Information Protection Act (AB PIPA), and British Columbia’s Personal Information Protection Act (BC PIPA). This Privacy Policy applies to all individuals who access or use our websites, mobile apps, merchant dashboards, APIs, and related online tools (collectively, the “Services”), and explains how we collect, use, disclose, retain, and safeguard personal information.

BookMyDining operates exclusively in Canada and serves only Canadian diners and merchant partners. To provide, maintain, and support the Services, BookMyDining may engage third-party service providers or personnel, whether located within or outside Canada, who are contractually required to process personal information solely according to BookMyDining’s instructions and in compliance with Canadian privacy requirements. All such service providers must implement appropriate technical, administrative, and organizational safeguards to protect personal information in accordance with PIPEDA and applicable provincial laws.

This Policy also outlines your privacy rights under Canadian law, including access, correction, deletion, consent withdrawal, and enhanced rights for Quebec residents under Law 25 (such as transparency regarding automated processing). By using the Services, you agree that your personal information may be handled in accordance with this Privacy Policy. Continued use of the Services constitutes acceptance of this Policy and any updates we may implement.

BOOKMYDINING AS A CANADIAN ONLINE RESERVATION PLATFORM

BookMyDining operates as a Canada-based online reservation platform that enables diners (“Customers”) to search participating restaurants, view real-time seating availability, make reservations, receive automated confirmations and reminders, manage bookings, and interact with restaurant offerings. Merchant Partners use BookMyDining’s digital tools to receive, manage, and track reservations and to view relevant diner information for operational purposes. BookMyDining processes personal information in accordance with Canadian privacy laws and ensures that all handling, storage, and access meet Canadian legal standards. BookMyDining does not sell personal information or make it available to unauthorized foreign entities. If BookMyDining develops corporate affiliates or materially expands its organizational structure in the future, any such development will be reflected in an updated version of this Privacy Policy.

ROLE OF BOOKMYDINING IN HANDLING PERSONAL INFORMATION

BookMyDining’s role under Canadian privacy legislation depends on the specific context in which personal information is collected or processed. We act as an “organization” under PIPEDA and as an “enterprise” or “personal information holder” under Quebec Law 25 when collecting and using personal information from diners, visitors, and merchant personnel. We also act as a “service provider” when processing Customer reservation information strictly on behalf of Merchant Partners. When BookMyDining determines system functionality, product design, or data-processing purposes, we act as what Quebec Law 25 identifies as a “person in charge of the protection of personal information” or “controller.” Regardless of context, BookMyDining ensures that any service providers engaged to support our platform operate under binding contractual privacy and security requirements that meet or exceed Canadian legal obligations.

INFORMATION SHARING WITH RESTAURANTS AND MERCHANT PARTNERS

To process reservations and provide platform functionality, BookMyDining shares only the personal information necessary for participating restaurants to manage bookings. This may include:

Restaurants may collect additional information directly through their own systems or in-person interactions. BookMyDining does not control, monitor, or govern the independent privacy practices of Merchant Partners, and restaurant use of Customer information is subject to their own privacy policies and applicable provincial laws. BookMyDining is not responsible for merchant-specific data handling once information has been transferred to them, and Customers should review merchant privacy practices where appropriate.

SCOPE OF THIS PRIVACY POLICY

This Privacy Policy applies to all BookMyDining websites, mobile applications, customer accounts, reservation interfaces, merchant dashboards, analytics features, automated notifications, support interactions, and cookie or tracking technologies used within Canada. It does not apply to third-party websites, merchant-operated platforms, independent merchant marketing activities, payment processors, delivery platforms, social media channels, or any external services that BookMyDining does not own or control. Where BookMyDining relies on third-party infrastructure or service providers to operate components of the platform or deliver technical support, those providers are contractually required to protect personal information in accordance with Canadian law and BookMyDining’s internal privacy requirements.

MERCHANT-SPECIFIC PRIVACY DISCLOSURE

Merchant Partners receive Customer information through the BookMyDining platform and therefore have separate and independent privacy obligations under Canadian privacy laws. Merchant personnel accounts, business contact details, and administrative data are covered by this Policy; however, diner information shared with merchants is governed by each merchant’s own privacy practices and legal responsibilities. Merchants operating in Quebec or serving Quebec residents must comply with Quebec Law 25, including requirements related to transparency, data minimization, safeguard implementation, consent management, accountability, and response to deletion requests. BookMyDining publishes a separate Merchant Privacy Notice that explains obligations regarding merchant staff information, Customer data processed on behalf of merchants, restrictions on secondary use, deletion protocols, audit requirements, and safeguards. Merchant Partners must review and comply with the Merchant Privacy Notice in addition to this Privacy Policy as a condition of participation on the BookMyDining platform.

STRUCTURE OF THIS PRIVACY POLICY

This Privacy Policy is structured into the following sections:

DEFINITIONS

SECTION 1 — INFORMATION COLLECTION

BookMyDining collects personal information to operate, maintain, and provide its reservation, waitlist, merchant-management, and user-account services exclusively in Canada. The personal information we collect is necessary for providing, improving, and securing the Services and is processed in strict compliance with Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Québec’s Law 25. Information may be collected directly from you, automatically through your interaction with the Services, and from third-party sources as permitted under Canadian law. BookMyDining’s customers and merchant partners are located solely in Canada, though to facilitate operational support, including technical assistance or customer service, BookMyDining may engage personnel or service providers located in other jurisdictions; all such individuals are contractually bound to handle personal information exclusively under Canadian privacy requirements and in accordance with this Policy.

Information provided directly by you may include details submitted when you create a BookMyDining user or merchant account, make reservations, submit feedback, participate in promotions or incentive programs, create merchant profiles, or otherwise communicate with us. For individual users, this may include your full name, email address, phone number, password or authentication credentials, preferred language, communication preferences, and province of residence. For merchant partners, we may collect business information such as registered and operating business names, contact email and phone number, address, ownership or authorized representative details, business operating hours, seating capacity and layout, reservation preferences, and public-facing profile information.

BookMyDining also collects information automatically when you access or use the Services through web browsers, mobile devices, or integrated merchant systems. This includes device information such as type, operating system, browser, IP address (used to infer region, not precise location), and configuration details, as well as usage information, including pages viewed, search queries, reservation actions, clickstream data, referring URLs, dates and times of access, and time spent on platform features. General geographic location may also be collected based on IP address for purposes of localizing content, directing diners to nearby restaurants, supporting bilingual and Québec-specific features, and maintaining system integrity. Precise device-level GPS information is only collected with your explicit consent.

To operate the Services effectively, BookMyDining may obtain information from third-party sources. Merchant partners may share reservation confirmations, no-show status, seating preferences, dining history relevant to reservation fulfillment, special requests, and any incident reports strictly for operational purposes. Payment partners, if engaged, may provide limited transaction data, payment confirmations, and refund or dispute information; BookMyDining does not store full credit card numbers or CVV codes. Identity verification and fraud-prevention services may supply confirmation of identity, authentication tokens, and fraud-risk indicators, in compliance with Canadian identity-verification and consent regulations. Marketing or advertising partners may provide referral attribution data, campaign identifiers, or engagement metrics when you interact with advertisements or campaigns.

In addition, BookMyDining collects information required to comply with applicable Canadian laws, including Québec’s Law 25. This may involve documenting and retaining consent, tracking withdrawal of consent, maintaining records of the purposes for which personal information is collected, and preserving certain data as required by law. In all cases, BookMyDining collects only the minimum amount of information necessary to meet legal obligations and provide the Services.

SECTION 2 — USE OF YOUR DATA

BookMyDining uses the personal information it collects for specific purposes directly related to operating and maintaining the reservation platform, supporting merchant operations, enhancing user experiences, and complying with Canadian privacy laws, including PIPEDA and Québec’s Law 25. Personal information is used to create and manage user and merchant accounts, facilitate restaurant reservations, manage waitlists, send confirmations and reminders, handle updates, cancellations, and no-show notifications, process merchant seat-fee billing, and maintain the functionality, uptime, and performance of the Services. All operational use is limited to what is necessary to provide, secure, and improve the Services.

BookMyDining analyzes aggregated and anonymized data to enhance platform performance, improve search results, provide personalized restaurant recommendations, develop and refine features, identify bugs or performance issues, and measure user engagement. Any analytics processing is conducted in accordance with Canadian anonymization and de-identification standards to ensure privacy protection. Identifiable data is only used for research or development purposes when proper consent has been obtained where required by law.

We also use personal information to communicate with users and merchant partners. This includes service announcements, reservation reminders, policy updates, responses to support inquiries, merchant communications regarding platform functionality or billing, and optional promotional communications, which are sent only where consent has been provided. In Québec, BookMyDining ensures express consent for commercial electronic messages in compliance with Law 25 and Canada’s Anti-Spam Legislation (CASL).

To maintain the security and integrity of the platform, information is used to detect and prevent fraud, identify misuse or unauthorized access, ensure safe and trustworthy interactions between diners and merchants, and maintain system logs for potential security investigations. Personal information is also used to comply with Canadian legal requirements, including maintaining records, responding to lawful requests, enforcing contractual obligations, and satisfying applicable regulations under PIPEDA and Québec’s Law 25.

Finally, BookMyDining uses reservation-specific data to support merchant billing and operational needs. This includes calculating seat fees, determining billing totals, providing invoices, maintaining financial records, and tracking no-show declarations. Only the agreed seat fees—currently CAD $0.75 per seated reservation—are applied, with no hidden charges, surcharges, or unrelated fees beyond those explicitly stated in the Merchant Agreement. All data used by BookMyDining, including support provided by offshore personnel, is strictly controlled under contractual and technical safeguards to ensure compliance with Canadian privacy requirements.

SECTION 3 — INFORMATION DISCLOSURE

BookMyDining discloses personal information only when necessary to deliver the Services, comply with Canadian privacy legislation, or fulfill legitimate operational purposes that a user would reasonably expect when using a reservation platform. BookMyDining does not sell, rent, or exchange personal information for financial or commercial gain unrelated to the operation of the Services. All disclosures are subject to appropriate safeguards, confidentiality requirements, and compliance mechanisms in accordance with PIPEDA, Québec’s Law 25, CASL, and applicable provincial legislation.

Personal information may be disclosed to restaurants, merchant partners, and hospitality providers solely for the purposes of managing reservations, waitlists, and customer interactions. Shared data typically includes the diner’s name, reservation date, time, party size, contact information, special seating requests, notes relevant to the visit, confirmation of cancellations or attendance, and no-show designations. Merchants may use this information only to manage reservations, prepare for visits, communicate as necessary, and ensure seating and availability. In Québec, any sensitive information or behavioral data included in no-show reports is handled with additional consent requirements and privacy safeguards under Law 25.

BookMyDining also engages service providers and operational partners to support the platform. These third parties may access personal information strictly for performing services on BookMyDining’s behalf, including cloud hosting, data storage and backup, reservation management infrastructure, email and SMS systems, customer support tools, security and fraud prevention, analytics, and system monitoring. All service providers are contractually required to protect personal information, use it solely for the services provided, and comply with Canadian privacy standards. For Québec residents, written agreements include Law 25-mandated privacy clauses, breach notification obligations, and audit provisions.

Disclosures may also be required by law, regulation, or legal process. BookMyDining may provide personal information to federal or provincial authorities, municipal regulators, courts, or law enforcement agencies only when requests are valid, necessary, proportionate, and limited to the minimum information required. BookMyDining actively resists overly broad or unjustified requests to minimize the exposure of personal data.

In the event of corporate transactions, such as mergers, acquisitions, restructuring, financing, or sale of assets, personal information may be disclosed to potential or actual acquiring entities. Such transfers are governed by Canadian privacy law, confidentiality agreements, restrictions on use and retention by the acquiring party, and, if required, notification to users. Any future affiliates or corporate partners will be subject to the same privacy obligations. In Québec, these transfers are treated as “communications outside the organization” and require privacy impact assessments, contractual protections, and equivalent data protection measures.

BookMyDining may also disclose personal information with your explicit and informed consent. Examples include linking your account to third-party services, participating in promotional or incentive programs, opting to share feedback publicly, or engaging in partner-based loyalty systems. Consent is obtained and managed in compliance with federal and provincial requirements, including the enhanced consent standards under Québec’s Law 25.

Finally, BookMyDining may share de-identified or aggregated information with restaurants, research organizations, industry partners, or public entities. Such data cannot be used to identify individuals, is processed according to recognized Canadian anonymization guidelines, and is intended solely for trend analysis, service improvement, or platform development. BookMyDining does not attempt to re-identify anonymized information under any circumstances.

SECTION 4 — DATA SECURITY AND RETENTION (DETAILED & CANADA-COMPLIANT)

BookMyDining is fully committed to safeguarding personal information and maintaining the confidentiality, integrity, and availability of all data collected through the Services. We implement a comprehensive set of administrative, technical, and physical measures designed to prevent unauthorized access, misuse, loss, alteration, or destruction of personal information. Administrative controls include employee confidentiality agreements, mandatory privacy and security training, access restrictions based on job function, role-segregated permissions, vendor and service-provider vetting, and regular security and privacy impact assessments, particularly those required under Québec’s Law 25. Technical controls encompass encryption of data at rest and in transit, multi-factor authentication for internal systems, firewalls and intrusion-prevention systems, secure coding practices, continuous vulnerability scanning, network segmentation, access logging, rate limiting, bot mitigation, and enforcement of HTTPS and TLS protocols. Physical measures include secure data-center protections, restricted-access server rooms, security surveillance, hardware security policies, and backup redundancy protections to ensure operational continuity.

BookMyDining retains personal information only for as long as necessary to operate and provide the Services, comply with legal requirements, resolve disputes, maintain accurate operational and billing records, prevent fraud or misuse, and satisfy provincial and federal retention standards. Reservation and activity data is generally retained to maintain operational integrity and support potential audits, while merchant billing records are kept in accordance with Canadian tax law. Québec-specific requirements under Law 25 mandate that personal data is destroyed or anonymized once the purposes for which it was collected are fulfilled, that a documented retention schedule is maintained, and that secure destruction or anonymization practices are followed. Account deletion requests are honored promptly; identifiable information is deleted, backups are purged according to standard retention cycles, and anonymized logs may remain for security, fraud prevention, and system integrity purposes.

In the event of a security incident or data breach, BookMyDining follows strict Canadian and Québec protocols, including immediate assessment of severity and scope, containment to prevent further exposure, mitigation of risks, and documentation of all actions taken. Affected individuals are notified when required under applicable laws, including PIPEDA, CASL, and Québec’s Law 25. Notifications are also sent to the Office of the Privacy Commissioner of Canada (OPC) and, for Québec residents, to the Commission d’accès à l’information (CAI), as applicable. All incidents are documented, and corrective actions are implemented to prevent recurrence, ensuring ongoing compliance with Canadian privacy obligations and the highest standards of data protection.

SECTION 5 — USE OF COOKIES AND SIMILAR TOOLS (CANADA-COMPLIANT)

BookMyDining uses cookies, web beacons, pixels, local storage objects, SDKs, and similar tracking technologies (collectively, “cookies and tracking tools”) to operate, maintain, and enhance our Services, improve performance, analyze usage trends, and deliver a secure, reliable, and personalized platform experience. These technologies support essential platform functionality such as user authentication, session continuity, reservation flows, merchant dashboard operations, security protections, analytics, and fraud prevention. While diners and merchants are located exclusively in Canada, certain support or operational services that process cookie or analytics data may be handled by service providers or personnel outside Canada under strict contractual, confidentiality, and security obligations.

5.1 Categories of Cookies and Tracking Tools

BookMyDining employs multiple categories of cookies. Essential cookies are required for the basic operation of the platform, including reservation creation, login, session integrity, security authentication, site navigation, and merchant tools. Functional cookies remember user preferences such as language, region, accessibility settings, recently viewed restaurants, and dashboard configurations. Performance and analytics cookies track usage patterns, feature engagement, error occurrences, page load times, and other operational metrics. Personalization cookies help tailor the user experience by supporting recommended restaurants, search history, seating preferences, and notification settings. Attribution cookies are used to measure the effectiveness of BookMyDining advertising campaigns, and currently, we do not use retargeting or behavioral advertising technologies.

5.2 Use of Cookie Data

Data collected through cookies and tracking tools is used to authenticate users, maintain secure sessions, detect unauthorized access, remember preferences, localize restaurant results, streamline reservation flows, analyze system performance, improve design and navigation, troubleshoot errors, and optimize customer support interactions. Analytics are processed in accordance with Canadian privacy law, ensuring anonymization or aggregation where appropriate.

5.3 Québec Law 25 Compliance

For Québec users, BookMyDining follows enhanced requirements under Law 25 for cookies or tracking technologies that may identify or profile individuals. This includes providing clear notice prior to installation of non-essential cookies, obtaining explicit consent, offering mechanisms to accept or refuse cookies, ensuring consent is freely given, informed, specific, and revocable, and maintaining consent logs for audit purposes. Essential cookies required for functionality do not require consent under Law 25.

5.4 User Control Over Cookies

Users may manage cookies through browser settings, mobile device permissions, platform-level preference tools, and email tracking controls. Browser-level controls allow blocking or deleting cookies and receiving alerts when cookies are set, although blocking essential cookies may impair functionality. Mobile apps allow controlling permissions such as ad tracking, location, and background data sharing. BookMyDining provides cookie banners and preference options for Québec users and clear instructions to manage cookie consent. Users may opt out of marketing-related tracking or email pixels.

5.5 Consequences of Rejecting Cookies

Rejecting essential cookies may prevent signing in, making reservations, or accessing merchant dashboards. Rejecting functional cookies may limit remembered preferences or dashboard customization. Rejecting analytics or personalization cookies may reduce insights into system performance or limit the tailored experience, but core platform functionality will remain operational. BookMyDining ensures that the use of cookies and related tools complies fully with Canadian privacy standards while preserving the ability to use trusted service providers, including those outside Canada, under strict confidentiality and security controls.

SECTION 6 — YOUR PRIVACY RIGHTS

BookMyDining is committed to ensuring that all users of our Services, including diners and merchant partners, have clear and meaningful control over their personal information in accordance with Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial legislation such as Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25), and related regulations. Users have the right to access, correct, and update their personal information. Upon request, BookMyDining will provide a copy of the information collected in a readable electronic or physical format, unless restricted by law, and will make reasonable efforts to correct any inaccuracies. Requests may require identity verification or supporting documentation. Users may also withdraw consent for the collection, use, or disclosure of their personal information at any time, subject to legal, contractual, or operational constraints. Withdrawal of consent may limit access to certain features, including reservations, waitlist management, or promotional offers, and BookMyDining will inform users of the implications of such withdrawal.

Users have the right to request deletion of personal information, subject to retention requirements for legal, contractual, or operational purposes, such as fulfilling existing reservations, complying with tax or audit requirements, preventing fraud, or maintaining records required under PIPEDA or provincial laws. Users may also request restrictions on processing or object to certain uses, including marketing or automated decision-making, with BookMyDining respecting such requests unless otherwise required by law. Data portability requests may be made, enabling users to receive their personal information in a structured, machine-readable format, and where technically feasible, request that the data be transmitted to another service provider. Users may opt out of marketing communications at any time without affecting essential transactional communications or service notifications.

Automated systems may be used to process reservations, analyze trends, recommend restaurants, or provide loyalty program benefits. Users have the right to receive information about the logic, significance, and potential consequences of automated processing. Human review will be provided where legally required. Quebec residents have additional rights, including the right to be informed of the purposes of collection, use, and disclosure, the right to access and rectify personal information, the right to refuse disclosure for marketing purposes, and transparency obligations regarding automated decision-making.

To exercise any privacy rights, users may submit requests through designated BookMyDining privacy contact channels. Requests must provide sufficient information to verify identity, and additional documentation may be requested to ensure secure handling of sensitive data. BookMyDining strives to respond within 30 days, though complex requests or legal requirements may extend processing times. Certain limitations may apply, such as retention for legal compliance, operational requirements, fraud prevention, or system security.

BookMyDining reserves the right to update privacy practices or implement new features affecting rights, with notifications provided through email, in-platform messages, or updated Privacy Policy postings. Continued use of the Services after such updates constitutes acceptance of changes. While all users and merchants are based in Canada, BookMyDining may engage support or operational personnel in other jurisdictions under strict contractual, confidentiality, and security obligations to ensure compliance with Canadian privacy standards and maintain service quality.

SECTION 7 — INCENTIVE PROGRAMS, PROMOTIONS AND LOYALTY OFFERS

BookMyDining may offer incentive programs, promotional campaigns, loyalty points, discounts, vouchers, or other customer-engagement initiatives (collectively, “Incentive Programs”). Participation is voluntary and subject to the terms and conditions at the time of enrollment. BookMyDining will process personal information as necessary to operate, administer, verify, analyze, and communicate about Incentive Programs, in compliance with PIPEDA, provincial privacy laws, and Québec’s Law 25.

To administer Incentive Programs, BookMyDining may collect and use information including your name, email, phone number, reservation and redemption history, promotional balances (e.g., Promotion Fund credits), delivery preferences, and any voluntarily provided details such as dietary preferences. This information is used to validate eligibility, credit or debit promotional balances, prevent and detect fraud, measure program performance, and communicate program updates and rewards.

Where consent is required for marketing or profiling purposes, BookMyDining will obtain express consent prior to enrollment. Participants may withdraw consent at any time via account preferences or communication opt-out links. Withdrawal does not affect lawful processing prior to the withdrawal.

Merchants and users may deposit funds in advance (“Promotion Funds”) in amounts specified in program terms, such as CAD 50 or multiples thereof, to fund loyalty points or rewards. Funds may be allocated flexibly according to operational preferences but will be used only as permitted under program rules. Promotion Fund balances are generally non-refundable; however, if a program is permanently discontinued, BookMyDining may, at its discretion, refund remaining balances after verification and anti-fraud checks.

Participation may be suspended or denied if fraud, abuse, or circumvention is suspected. Records relating to program activity, deposits, and redemptions are retained to investigate and address such issues.

Transactional and program data are retained according to the data-retention schedule in this Policy. Aggregated or de-identified program data may be used for analytics, research, product development, or reporting, provided re-identification of participants is not reasonably possible. Operational or support activities related to Incentive Programs are conducted under strict confidentiality and security obligations to ensure that personal information is handled in accordance with Canadian privacy standards.

8. Data Transfers Outside Canada

BookMyDining stores and processes all personal information on servers located within Canada. All routine operations, including handling reservations, managing merchant accounts, and providing user-account services, are conducted entirely in Canada. The personal information of diners and merchants remains fully under Canadian jurisdiction and is protected in accordance with federal and provincial privacy laws, including PIPEDA and Québec Law 25.

Should BookMyDining determine that transferring personal information outside Canada becomes necessary, for example to leverage specialized service providers, such transfers will only occur in strict compliance with Canadian privacy requirements. Such transfers will be limited to the minimum personal information necessary and conducted under contractual and technical safeguards designed to ensure protection equivalent to Canadian standards. These safeguards include:

Any third-party service providers engaged outside Canada to support BookMyDining operations will undergo rigorous vetting and contractual agreements to ensure that privacy, confidentiality, and security standards meet or exceed Canadian legal requirements. BookMyDining maintains a record of such subprocessors and will provide this information upon reasonable request when legally required.

In the event that a lawful request or order from a foreign authority compels access to data stored outside Canada, BookMyDining will limit disclosure to the minimum required, assert all available legal protections, and notify affected individuals whenever permitted or required under Canadian law.

BookMyDining maintains a primary commitment to the privacy and security of Canadian diners and merchants, ensuring that personal information is protected under Canadian law at all times, regardless of operational arrangements or the location of support personnel.

9. Third-Party Links, Embedded Content, and Integrations

9.1 Third-Party Links

The BookMyDining Services may contain links to third-party websites, services, reservation widgets, social media platforms, merchant websites, or advertising networks. BookMyDining does not control these third parties and is not responsible for their privacy practices, security measures, or content. Any interaction with such third-party services is subject to their own privacy policies and terms of use.

9.2 Embedded Content and Widgets

The Services may display or embed content provided by third parties, including maps, social plugins, or payment widgets. Such embedded content may collect information, set cookies, or track usage independently of BookMyDining. Users should review the relevant third-party privacy policies before interacting. BookMyDining is not responsible for the data collection, storage, or processing practices of these third parties.

9.3 Third-Party Integrations for Merchant Partners

Merchants may choose to integrate BookMyDining with third-party restaurant management tools, point-of-sale systems, analytics platforms, or loyalty services. When interacting with a merchant using such integrations, personal information may be shared with the integrated third-party system under the merchant’s control. BookMyDining requires that merchants ensure all integrations comply with Canadian privacy laws, including PIPEDA and Québec Law 25, and that data is processed securely and lawfully.

9.4 No Endorsement

The inclusion of third-party links, content, or integrations does not constitute an endorsement or recommendation by BookMyDining. BookMyDining disclaims liability for any actions, content, security practices, or privacy measures implemented by third parties.

10. Minors’ Privacy

BookMyDining is intended for use by individuals of legal age in accordance with Canadian and provincial privacy requirements. We do not knowingly collect personal information from children under the age of thirteen (13) without verifiable parental or guardian consent. If you are under the applicable minimum age, you should not provide personal information directly on or through the Services; instead, a parent or guardian should contact BookMyDining to manage any necessary interactions or reservations.

Certain provincial rules or merchant-specific requirements may establish higher minimum ages for specific services, and BookMyDining will comply with the most restrictive applicable requirements.

Where collection of personal information from minors is permitted and appropriate (for example, for family dining profiles or similar use cases), BookMyDining will obtain verifiable consent from a parent or guardian prior to collection. Such consent will be documented and retained in accordance with Canadian privacy laws, including PIPEDA and Québec’s Law 25, ensuring that any information collected is used solely for the purposes specified in the Services.

If BookMyDining becomes aware that personal information has been collected from a minor without valid consent, we will promptly take steps to delete the information and, where legally permissible, notify the parent or guardian. Any personal information previously shared with third-party service providers or merchants will also be addressed in accordance with contractual obligations and privacy requirements, ensuring compliance and minimizing exposure.

Parents and guardians are encouraged to supervise minors’ online activities and to review BookMyDining’s privacy practices and account settings. BookMyDining implements administrative, technical, and organizational safeguards to protect all personal information, including that of minors, and may provide operational support through qualified personnel under contractual and confidentiality obligations consistent with Canadian privacy standards.

11. Changes to This Privacy Policy

BookMyDining reserves the right to update, amend, or revise this Privacy Policy at any time to reflect changes in Canadian law, technology, the Services offered, or operational practices. Any material updates that may affect users’ rights, obligations, or the manner in which personal information is processed will be communicated clearly by posting an updated Policy on the Services, accompanied by a revised “Last Updated” date, and, where appropriate or legally required, via email or in-platform notice to affected users.

Minor, administrative, or clarifying updates may take effect immediately upon posting and may not require individual notice. Material changes, including those affecting consent, automated processing, or users’ privacy rights, will comply with applicable federal and provincial requirements, including Québec’s Law 25, which may include obtaining additional consent or providing enhanced notice.

BookMyDining maintains records of prior versions of this Privacy Policy for regulatory, audit, and transparency purposes. Archived versions may be made available to users upon request, where required by Canadian law.

Operational support for the administration of Policy updates, including customer notifications or inquiries, may involve qualified personnel working under strict contractual, confidentiality, and security obligations. All personal information related to these activities will be managed in accordance with Canadian privacy standards, ensuring that the rights of Canadian diners and merchants are fully protected.

12. Contact Information and Privacy Officer

12.1 Privacy Officer

BookMyDining has designated a Privacy Officer responsible for overseeing compliance with this Privacy Policy, Canadian privacy laws, and provincial regulations, including PIPEDA, Québec’s Law 25, and other applicable provincial statutes. The Privacy Officer is authorized to manage inquiries, complaints, and requests related to personal information and data protection.

12.2 How to Contact Us

For privacy-related questions, access requests, complaints, or to exercise your rights under this Policy, you may contact BookMyDining’s Privacy Officer or Data Protection Office using the following channels:

When submitting a request or complaint, please provide sufficient details to enable BookMyDining to locate the relevant records and verify your identity. Requests will be handled in accordance with applicable Canadian legal requirements, generally within 30 calendar days, though processing times may be extended where permitted under law due to complexity or verification requirements.

12.3 Complaints and Regulatory Recourse

If you are not satisfied with BookMyDining’s response to a privacy concern, you may contact the Office of the Privacy Commissioner of Canada (OPC) or, for Québec residents, the Commission d’accès à l’information (CAI). BookMyDining will cooperate fully with these supervisory authorities and comply with binding determinations or corrective measures, as required under applicable law.

12.4 Operational Flexibility

Operational support, including handling inquiries, complaints, or requests, may involve qualified personnel working under strict contractual, confidentiality, and security obligations. All such personnel are required to comply with Canadian privacy standards and process personal information only for the specific purposes outlined in this Policy, ensuring that the privacy rights of Canadian diners and merchants are fully protected.

13. Legal Basis and Accountability for Processing

BookMyDining fully adheres to the ten fair information principles recognized under Canadian privacy law and PIPEDA, including accountability, identifying purposes, consent, limiting collection, limiting use, disclosure, and retention, accuracy, safeguards, openness, individual access, and mechanisms to challenge compliance. Where consent is used as the legal basis for processing personal information, it is obtained in a meaningful, informed, and revocable manner, subject to applicable legal or contractual exceptions.

For processing activities involving Québec residents or data subject to Québec’s Law 25, BookMyDining complies with additional obligations, including maintaining records of processing activities and conducting privacy impact assessments for high-risk operations, appointing a Privacy Officer and making contact information publicly accessible, implementing privacy by design and by default principles, providing clear and accessible information regarding the purpose, scope, and methods of processing, obtaining express consent for sensitive processing, profiling, or automated decision-making when required, and observing enhanced breach notification, mitigation, and remediation obligations.

BookMyDining relies on one or more lawful bases to process personal information depending on the context. Consent is obtained when users opt in to services, marketing communications, Incentive Programs, or optional features. Processing necessary to establish or fulfill a Merchant Agreement, complete a reservation, or provide requested Services is conducted on the basis of contract performance. Personal information may also be processed to comply with federal or provincial legal obligations, including tax, reporting, or regulatory requirements. In limited circumstances, BookMyDining relies on legitimate interests, for example, to prevent fraud, ensure platform security, conduct operational research, or improve service functionality, provided that a balancing assessment of organizational and individual interests is documented, mitigation measures are applied, and transparency is maintained. In exceptional situations, processing may occur to protect vital interests or address matters of public interest, such as emergencies affecting health or safety, only where permitted by law.

To ensure ongoing accountability and compliance, BookMyDining maintains comprehensive internal policies and procedures, provides employee and contractor training on privacy and security standards, conducts regular audits and assessments of processing operations, and manages vendors and service providers through contractual and technical safeguards. Processing inventories are maintained, and privacy impact assessments are prepared for high-risk activities involving Québec residents. Oversight is provided by the designated Privacy Officer, who monitors compliance, responds to inquiries, and ensures prompt action on privacy-related matters. Operational support, including assistance with user requests and privacy inquiries, is performed under strict confidentiality and security requirements to guarantee that the personal information of Canadian diners and merchants is handled in full compliance with applicable laws.

14. Security Practices (Technical, Organizational, and Physical Measures)

BookMyDining implements a comprehensive security framework encompassing organizational, technical, and physical measures designed to protect the personal information of Canadian diners and merchants. Oversight of privacy and security compliance is provided by a designated Privacy Officer who reports to senior management and the board as required, ensuring that all policies, procedures, and controls remain aligned with Canadian privacy legislation, including PIPEDA and Québec’s Law 25. Documented policies cover privacy, access control, data retention, incident response, encryption standards, and vendor management. All employees and contractors undergo mandatory privacy and security training, which is periodically refreshed and tailored to role-specific responsibilities, and vendor engagements include due diligence, contractual security obligations, periodic audits, and termination rights to ensure compliance. Security considerations are integrated into change management, system updates, code deployments, and feature rollouts to maintain a strong control environment.

Technical safeguards include strong encryption of personal information both in transit, using industry-standard TLS protocols, and at rest, employing AES-256 or equivalent standards for sensitive data. Multi-factor authentication, strong password requirements, role-based access controls, and adherence to the principle of least privilege govern administrative and operational access. Centralized logging, anomaly detection, SIEM tools, and automated alerts support ongoing monitoring, while network protections include firewalls, network segmentation, DDoS mitigation, and secure configuration management. The software development lifecycle incorporates secure coding standards, static and dynamic code analysis, dependency scanning, and pre-deployment security assessments to mitigate vulnerabilities. Data minimization practices are applied to reduce stored personal information, and sensitive identifiers, including financial or reservation-related data, are masked or tokenized where appropriate.

Physical measures protect all equipment, storage devices, and records, including controlled access to facilities, secure disposal of physical media, and geographically diverse backups within Canada where feasible. Incident response is guided by a structured playbook covering detection, containment, forensic analysis, remediation, and lessons learned. In the event of a breach, BookMyDining will notify affected individuals and regulators, including the Office of the Privacy Commissioner of Canada and Québec’s Commission d’accès à l’information, in accordance with statutory timelines and applicable laws. Notifications will provide details regarding the nature of the breach, categories of affected data, mitigation steps, and relevant contact information. Remediation measures, such as system improvements and monitoring to prevent recurrence, will be promptly implemented, and credit protection or other corrective actions will be provided where applicable.

Privacy and security assessments, including privacy impact assessments for new or high-risk processing activities, are performed to ensure compliance and identify potential areas for improvement. A program of continuous monitoring, assessment, and enhancement is maintained, informed by threat intelligence, evolving regulatory requirements—including updates to Québec’s Law 25—and industry best practices. Operational support, including assistance with security, privacy, or incident-related inquiries, may be performed under strict contractual and confidentiality requirements to maintain compliance with Canadian privacy obligations while ensuring efficient and effective support for users and merchants.

15. Account and Data Deletion

BookMyDining provides users the ability to delete their accounts at any time. When a deletion request is submitted through the BookMyDining website, mobile applications, or by contacting our Privacy Team, BookMyDining will take reasonable steps to remove or anonymize personal information associated with the account, in accordance with applicable legal, regulatory, and contractual obligations.

Upon account deletion, personal identifiers such as your name, email address, phone number, and authentication credentials will be removed. Any reservation history, profile details, preferences, or other account-stored information will also be deleted. Transactional or usage data that is retained for purposes such as reporting, analytics, fraud prevention, or legal compliance will be anonymized to prevent identification of individual users.

Certain exceptions may apply to the deletion of data. BookMyDining may retain information necessary to comply with tax, accounting, or other legal obligations. Data required to investigate suspected fraud, abuse, or security incidents, or to resolve disputes or enforce agreements, may also be retained. Aggregated or anonymized data may continue to be used for research, analytics, and operational improvements without identifying individuals.

For users located in Quebec, BookMyDining will comply with the Act Respecting the Protection of Personal Information in the Private Sector, ensuring that personal information is deleted or anonymized upon request while retaining only the minimum data necessary to satisfy legal, contractual, or operational requirements. Operational support, including assistance in handling account deletion requests, may be performed by personnel under strict contractual and confidentiality obligations to maintain compliance with Canadian privacy standards, even if such support personnel are located outside Canada.

16. Automated Processing

BookMyDining may employ automated systems to process personal information for operational purposes, including confirming reservations, recommending restaurants or offers, analyzing trends and user behavior, and administering loyalty or incentive programs. Automated processing is designed to enhance platform efficiency, accuracy, and user experience while complying with applicable Canadian privacy laws.

Users have the right to be informed about the logic, criteria, and rationale underlying any automated decision-making that affects them. Where legally required, or when an automated decision may significantly impact a user, BookMyDining provides mechanisms to request human review and consideration of such decisions. Transparency regarding automated processing is maintained through clear explanations in this Privacy Policy and in the platform interface. Users may contact BookMyDining to obtain additional information regarding the logic, significance, and potential consequences of automated processing.

Automated processing may continue when necessary to fulfill contractual obligations, ensure operational efficiency, comply with legal or regulatory requirements, or detect and prevent fraud or misuse. BookMyDining implements safeguards to ensure that automated decision-making respects the rights of users and aligns with Canadian privacy standards.

17. Consent and Preferences

By using the BookMyDining Services, users provide consent to the collection, use, and disclosure of personal information as described in this Privacy Policy. Consent may be withdrawn at any time, subject to legal, contractual, or operational constraints, which may limit access to certain features or services.

Users may manage their communication preferences, including marketing, newsletters, and promotional offers, through account settings, by clicking unsubscribe links in emails, or by contacting BookMyDining directly. Certain processing activities, such as participation in surveys, enrollment in incentive or loyalty programs, or processing of sensitive personal information, require explicit, purpose-specific consent. Withdrawal of consent does not affect the lawfulness of prior processing but may restrict access to optional services or program participation.

For users located in Quebec, consent is obtained in accordance with the Act Respecting the Protection of Personal Information in the Private Sector. Quebec residents have clear mechanisms to grant, manage, and withdraw consent for the collection, use, or disclosure of personal information, including for marketing purposes. BookMyDining ensures all consent processes comply with provincial and federal legal standards. Operational support related to consent management may be provided under strict contractual and confidentiality requirements, consistent with Canadian privacy obligations.

18. Additional Provincial or Jurisdiction-Specific Notices

BookMyDining is committed to complying with provincial privacy laws in addition to federal requirements. In Quebec, users have the right to receive information about the purposes for which their personal information is collected, access the information held about them, request corrections or deletions, object to marketing communications, and be informed about automated processing activities. BookMyDining maintains records of processing activities and, where required, conducts privacy impact assessments for high-risk activities.

In other provinces, where applicable, BookMyDining complies with local privacy legislation, including rights to access, correct, or request deletion of personal information, as well as the right to lodge complaints with the appropriate provincial authorities. Operational support for these activities, including responding to inquiries or assisting with access or deletion requests, is performed under strict contractual and confidentiality obligations to ensure compliance with Canadian privacy standards.