Privacy Notice

Last Updated: August 2, 2023‍

California Residents: See here for information specific to California residents. 

This Privacy Notice (“Notice”) provides information on how Olo Inc. (“Olo,” “us” and “we”) collects, uses and discloses personal data of (i) individuals subject to our Know Your Customer (“KYC”) process for Olo Pay and (ii) individuals who access or use certain Olo payment facilitation services by engaging in in-store transactions at participating merchants (“buyers”). This Notice also explains the rights and choices individuals have related to their personal data and how to contact us regarding our privacy practices.  

 We treat all personal data processed as part of our KYC process as pertaining to individuals acting in their business capacity, and not in their individual or household capacity.  

We recommend that you read this entire Notice so that you are informed about our privacy practices.

Special Biometric Data Notice for Illinois, Washington and Texas Residents 

For residents of Illinois, Washington and Texas, as part of our KYC process for Olo Pay, we may require that you verify your identity by providing certain identification documents that contain your photograph and a photograph and/or video of yourself. The data derived from your face from these photographs and/or videos may be considered biometric data. We will use your biometric data for the purpose of verifying your identity and preventing fraud as described below under “How Do We Use Your Personal Data?”. We only share your biometric data with our service provider IDVerse (which is the trading name of OCR Labs) and as required by law. Please see IDVerse’s privacy policy for more information: https://idverse.com/privacy-policy/. We will store your biometric data as long as required for these purposes, but not longer than three years.

Personal Information We Collect

Individuals Subject to KYC Process 

We collect the categories and types of personal data described below if you are subject to our KYC process for Olo Pay. We collect this information from you and third-party sources (e.g., LexisNexis and other public sources) as well as automatically when you use our websites and services. We may also derive information or inferences about you from the personal data we collect.     

Personal data we collect includes: 

• Identifiers that allow us to identify you and communicate with you, such as your first and last name, residential street address, email address, phone number, date of birth, Social Security number and other personal data you choose to share with us. If you are not a US individual, we may also collect your taxpayer identification number and passport number.  

• Records Information, such as governmental identification documents (including any barcode or machine readable zone), information from sanctions screenings and information from adverse media screenings.   

• Protected Classifications Information, including nationality and citizenship information. 

• Biometric Information, such as data derived about your face from photographs and/or videos. 

• Inferences, such as information that verifies your identity and the accuracy of the information you provide, makes associations between data points and assesses risk and potential for fraud. 

We and our service providers also automatically collect personal data about you, your computer or mobile device and your interaction over time with our websites and services, including: 

• Internet and Other Electronic Network Activity, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers, language settings, mobile device carrier, radio/network information (e.g., WiFi, LTE, 3G) and location information. We may also collect online activity data, such as pages or screens you viewed and your activity on the page or screen, how long you spent on a page or screen, the website you visited before browsing to our website, navigation paths between pages or screens, access times, duration of access and whether you have opened emails we have sent or clicked on links within emails.  

The tools we may use for automatic data collection include: 

• Cookies, which are text files that websites store on a visitor‘s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping users navigate between pages efficiently, remembering preferences, enabling functionality and helping understand user activity.  

Most browser settings let you delete and reject cookies placed by websites. We note, however, that if you do not accept cookies, you may not be able to use all functionality of our websites and our websites may not work properly. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, please visit www.allaboutcookies.org. 

• Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data, including on your device outside of your browser in connection with specific applications. 

• Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked. 

‍Buyers 

We collect the categories and types of personal data described below if you are a buyer. We collect this information from you and third-party sources (e.g., merchants you do business with and fraud monitoring service providers) as well as automatically when you engage in an in-store transaction. We may also derive information or inferences about you from the personal data we collect.     

Personal data we collect includes: 

• Commercial Information including certain payment card information, transaction information and location information.  

• Inferences, such as information that makes associations between data points and information inferred and derived from fraud and transaction monitoring activities.  

‍How Do We Use Your Personal Data?

We use your personal data for the following purposes, to the extent permitted by law: 

‍To Whom Do We Disclose Your Personal Data?

We may disclose your personal data to: 

• Affiliates.  

• Service Providers that provide services on our behalf or help us operate our services or our business, such as technology service providers, customer support, identity verification/fraud prevention providers and business analytics providers.  

• Merchants that utilize our payment services. Please refer to the relevant merchant’s privacy notice for further information on how they use your personal data.   

• Business Partners, such as LexisNexis, who provide services in connection with our KYC process and other business partners who provide services in connection with our payment facilitation services. You can read LexisNexis’ processing notice here.  

• Professional advisors, such as lawyers, auditors, bankers and insurers, in the course of the professional services that they render to us. 

• Authorities and others, such as law enforcement, government authorities, courts and other third parties, as we believe in good faith to be necessary or appropriate for compliance and protection purposes. 
• Business transferees include acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, Olo or our affiliates (including, in connection with a bankruptcy or similar proceedings).

How Will Linked Websites and Services Treat Your Personal Data? 

This Notice only addresses our use and sharing of your personal data. Our services may contain links to websites and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy notices provided by third parties.  

How Do We Protect Your Personal Data? 

We employ technical, organizational and physical safeguards designed to protect the personal data we collect. However, no security measures are failsafe, and we cannot guarantee the security of your personal data. 

‍Additional Information for California, Colorado, Connecticut, Oregon, Texas, Virginia and Utah Residents 

This section applies (as described below) to residents of California, Colorado, Connecticut, Oregon, Texas, Virginia and Utah.  

Information for California Residents 

If you reside in California, this section applies to you. California law requires us to provide you with the following information about our collection, use and disclosure of personal data:  

• We collect the following categories of personal data: identifiers, records information, protected classifications information, biometric information, internet and other electronic network activity information, commercial information and inferences. For more information about each category of personal data, please see “What Personal Data Do We Collect?”  

• We collect personal data from you, third-party sources and automatically when you use our website and services. For more information, please see “What Personal Data Do We Collect?” 

• We use personal data for the commercial and business purposes described above under “How Do We Use Your Personal Information?” 

• We do not sell or share your personal data. “Sell” and “share” both have the meaning given to such terms under California privacy law. 

• We do not have actual knowledge about selling or sharing personal data of consumers under the age of 16. 

• We do not offer financial incentives for the collection or sale of personal data. 

• We process sensitive personal data only for the purposes permitted under California privacy law. 

• We store personal data for as long as necessary to carry out the purposes for which we originally collected it or for the period that is required under applicable law. In determining the length of the retention period, we will consider the amount, nature and sensitivity of personal data; the potential risk of harm for unauthorized use or disclosure of personal data; the purposes for which we collected personal data and whether we can achieve those purposes through other means; and applicable legal requirements.  

• We disclose personal data for the business and commercial purposes described above in “To Whom Do We Disclose Personal Information?”. We make disclosures to the following categories of recipients: 

Privacy Rights for California Residents 

‍If you are a California resident, subject to certain conditions, you have the rights listed below with respect to your personal data that we process: 

• Right to Know and Access: You have the right to know what personal data we have collected, used, disclosed and sold about you, including the categories of personal data; the categories of sources from which the personal data is collected; the business or commercial purpose for 
  collecting, selling or sharing personal data; the categories of third parties to whom we have disclosed personal data; and the specific pieces of personal data we have collected about you.  

• Right to Correct: You have the right to correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing. 

• Right to Delete: You have the right to request that we delete any personal data we have collected about you. 

• Right to Opt-Out: You have the right to opt-out of the selling or sharing of your personal data, which you can exercise as described below. 

If you are a California resident, the Shine the Light law permits you to request and obtain from us once per calendar year information about any of your personal data shared with third parties for their own direct marketing purposes, including the categories of personal data and the names and addresses of those businesses with which we have shared such information. To request this information, please contact us as described below under “How to Contact Us?” 

Privacy Rights for Colorado, Connecticut, Oregon, Texas, Utah and Virginia Residents 

If you are a buyer and a resident of Colorado, Connecticut, Oregon, Texas, Utah or Virginia, this section applies to you. Subject to certain conditions, you have the rights listed below with respect to your personal data that we process: 

• Right to Know and Access: You have the right to confirm whether we process your personal data and to access your personal data. Oregon residents also have the right to a list of third parties to whom we have disclosed personal data.  

• Right to Correct: You have the right to correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing. 

• Right to Delete: You have the right that we delete personal data we have collected about you. 

• Right to Portability: You have the right to obtain a copy of your personal data in a portable, and to the extent technically feasible, readily usable format that allows your data to be transmitted to another controller where the processing is carried out by automated means.  

• Right to Opt-Out: You have the right to opt-out of the processing of your personal data for purposes of targeted advertising, the sale of personal data and/or profiling in furtherance of decisions that produce legal or similarly significant effects. 

• Right to Appeal: Colorado, Connecticut, Oregon, Virginia and Texas residents have the right to appeal our decision if we deny your privacy request. Please see below under “Exercising Your Privacy Rights” for information on how to appeal.  

Exercising Your Privacy Rights 

If you are a resident of California, Colorado, Connecticut, Oregon, Texas, Virginia or Utah, you can exercise your privacy rights by emailing us at dataprivacy@olo.com. 

When you exercise your rights and submit a request to us, we will verify your identity by asking you to confirm certain information. We may also use a third-party verification provider to verify your identity.  

Applicable data protection law may allow you to designate an authorized agent to make a request on your behalf. As permitted by applicable law, when we verify your agent’s request, we may verify both your and your agent’s identities and request that you directly confirm with us that you provided the authorized agent permission to make the request on your behalf. To protect your personal data, we reserve the right to deny a request from an agent that does not submit proof (which must meet the requirements of applicable data protection law) that they have been authorized by you to act on your behalf.  

Applicable data protection law may require or permit us to decline your privacy request. If we decline your request, we will tell you the reason why, unless we are not permitted by law to share the reason. Certain data protection laws may allow you to appeal a decision we have made regarding your request. To appeal a decision, you may email us at dataprivacy@olo.com.   

The fact that you have exercised your privacy rights will not have an adverse effect on the price or quality of our products and services.  

What if We Change this Privacy Notice? 

We reserve the right to modify this Notice at any time. If we make material changes to this Notice, we will post the updated notice on this webpage and update the effective date of the Notice.  

How to Contact Us? 

You can reach us by email at dataprivacy@olo.com or at the following mailing address: 

Olo Inc. 
One World Trade Center
285 Fulton Street, 82nd Floor
New York, NY 10007 USA