Privacy Policy

Updated October 26, 2023

SEVENROOMS INC. (“SevenRooms“), along with its affiliated companies, is committed to safeguarding your privacy. This Privacy Policy (the “Policy”) describes SevenRooms’ policies and procedures regarding the collection, use and disclosure of the information collected through the SevenRooms website, www.sevenrooms.com (“Site”), mobile applications, and other affiliated websites owned and operated by SevenRooms (the site, and any products and services provided by SevenRooms are collectively referred to as the “Services,” which includes the Platform, as defined below).

1. SevenRooms Service Overview

Each of the restaurants and other locations available through the Service (a “Venue”) has adopted SevenRooms’ proprietary reservation and inventory management system (the “Platform“). The Platform interacts with the Venue to find available reservations, to secure, change or cancel online reservations, and to confirm that reservations were honored. Where reservations are placed directly with a Venue that uses the Platform, or through other third-party reservation services that the Venue may use, information about patrons of a Venue (each, a “Guest”) is recorded in (or transferred to) the Platform to assist the Venue in managing the reservation and provide services to such Guest. While an individual Venue’s reservation inventory is accessible to the Platform to perform these functions, other information that may be stored by a Venue (for example, credit card numbers) is not accessible to the Platform. Where a Guest may pay or enter payment information via the Platform (either to hold a reservation, or for services received at a Venue), payment is processed by a third-party payment processor and information about that payment is subject to such processor’s policies. Note that in no case does SevenRooms store credit card or payment information on the Service; all such information is held by our third-party payment processor(s) or the Venue itself.

A Note for Guests. SevenRooms’ customers are the Venues (or agents that Venues have contracted to handle their reservations), and only Venue employees or agents have Accounts (as defined below) with SevenRooms. Guests do not have Accounts on the Platform. Except where provisions are specific to Registered Users, Accounts, or Guests, all the terms of this Policy apply equally to both Guest and Registered User information. Our use of information that we process on behalf of our Venues may be governed by our agreements with such Venues. If you have concerns regarding your personal data that we process on behalf of a Venue, please direct your concerns to that Venue.

2. Types of Data We Collect

Information You Provide to Us.

Account data. We may collect personal data from you, such as your first and last name, gender, phone number, e-mail and mailing addresses, and password when you create an account to use the Services (“Account”). Only representatives of a Venue may create an Account (each such individual, a “Registered User”).

Transactional data. Such as information relating to or needed to complete your orders on or through the Service, including order numbers and transaction history.

Marketing data. Such as your preferences for receiving our marketing communications and details about your engagement with them.

Communications data. If you provide us feedback or contact us via e-mail, we will collect your name and e-mail address, as well as any other content included in the e-mail, in order to send you a reply.

Survey data. If you participate in a survey conducted via the Services, we may collect additional profile information.

Other data. We may also collect other personal data not specifically listed here, which we will use as described in this Policy or as otherwise disclosed at the time of collection.

Information Collected From Third Parties.

Venues. When a Venue takes a reservation directly from a Guest, or receives such information from a third party service or platform (i.e., Google, Yelp), personal data about the Guest is recorded in the Platform. In addition, Guest notes (such as dining preferences) may be recorded in the Platform by Venue staff.

Public sources. Such as government agencies, public records, social media platforms, and other publicly available sources.

Private sources. Such as data providers, social media platforms and data licensors.

Marketing partners. Such as joint marketing partners and event co-sponsors.

Third-party services, such as social networking sites, that you use in connection with, or otherwise link to, the Site or Services. This data may include your username, profile picture and other information associated with your account on that third-party service that is made available to us based on your account settings on that service.

Information Collected Via Technology.

Information Collected By Our Servers. To make our Site and Services more useful to you, we, our service providers and partners may collect information about you, your computer or mobile device, and your interaction over time with the Site and Services, our communications and other online services, such as:

Device data. Such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, phone number, unique device id number (Registered Users only), radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state or geographic area.

Online activity data. Such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.

Location data. When you authorize (our mobile application/the Services) to access your device’s location.

Communication interaction data. Such as your interactions with our email, text or other communications (e.g., whether you open and/or forward emails) – we may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails.

Log Files. As is true of most websites, we gather certain information automatically and store it in log files. This information includes IP addresses, browser type, Internet service provider (“ISP”), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information to analyze trends, administer the Site, track users’ movements around the Site, gather demographic information about our user base as a whole, and better tailor our Services to our users’ needs. For example, some of the information may be collected so that when you visit the Site or the Services again, it will recognize you and the information could then be used to serve advertisements and other information appropriate to your interests. Except as noted in this Policy, we do not link this automatically-collected data to personal data.

Cookies. For more information on how we use cookies and other technologies on our Site, please see our Cookie Notice.

How We Respond to Do Not Track Signals. We do not currently respond to “do not track” signals.

Mobile Services. (Registered Users only). We may also device-level data from your mobile device if you have downloaded our mobile application (the “Application”). This information is generally used to help us deliver the most relevant information to you. Examples of information that may be collected and used include your geographic location, how you use the Application, and information about the type of device you use. In addition, in the event our Application crashes on your mobile device, we will receive information about your mobile device model software version and device carrier, which allows us to identify and fix bugs and otherwise improve the performance of our Application. This information is sent to us as aggregated information and is not traceable to any individual and cannot be used to identify an individual.

Location of Servers. We maintain servers around the world and your information may be processed on servers located outside of the country where you live. Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in this policy. For information on how we transfer your personal data outside the European Economic Area, United Kingdom, and/or Switzerland, please see the Notice to European users below.

3. Use of Your Data

3.1 By SevenRooms

Service Delivery and Operations. In general, personal data you submit to us is used either to deliver the Services or respond to requests that you make. We use your personal data in the following ways:

facilitate the creation of and secure your Account (Registered Users only);

identify you as a user of the Services;

provide, operate and improve the Site and Services;

provide the Services you request;

communicate about the Services, including sending you administrative e-mail notifications, such as security or support and maintenance advisories (Registered Users only);

respond to your inquiries related to employment opportunities or other requests;

understand your needs and interests, and personalize your experience with the Services and our communications; and

send newsletters, surveys, offers, and other promotional materials related to our Services and for other marketing purposes of SevenRooms. (Registered Users only).

Marketing and Advertising. We, our service providers and our third-party advertising partners may collect and use your personal data for marketing and advertising purposes:

Direct marketing. We may send you direct marketing communications and may personalize these messages based on your needs and interests. You may opt-out of our marketing communications as described in the Communications and Disclosures section below.

Interest-based advertising. Our third-party advertising partners may use cookies and similar technologies to collect information about your interaction (including the data described in the automatic data collection section above) with the Site and Services, our communications and other online services over time, and use that information to serve online ads that they think will interest you. This is called interest-based advertising. We may also share information about our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms.

Compliance and Protection. We may use your personal data to:

comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas, investigations or requests from government authorities, including to meet national security or law enforcement requirements;

protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);

audit our internal processes for compliance with legal and contractual requirements or our internal policies;

enforce the terms and conditions that govern the Site and Services; and

prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

Service Improvement and Analytics. We may use your personal data to analyze your usage of the Site and Services, improve the Site and Services, improve the rest of our business, help us understand user activity on the Site and Services, including which pages are most and least visited and how visitors move around the Site and Services, as well as user interactions with our emails, and to develop new products and services.

With Your Consent. In some cases, we may specifically ask for your consent to collect, use or share your personal data, such as when required by law.

Anonymous Data. We may create anonymous, aggregated, and/or de-identified records from personal data of both Guests and Registered Users (e.g., in relation to dietary preferences). We use this anonymous, aggregated and/or de-identified data to analyze request and usage patterns so that we may enhance the content of our Services and improve Site navigation.

3.2 By Venues

When you make a reservation using the Services, your name is provided to the applicable Venue, just as would occur if you were making a reservation over the phone. Your email address and phone number are also provided to the Venue in case the Venue needs to contact you regarding your reservation. You may also provide special preferences or comments regarding your reservation, which the Services will pass on to that Venue. Venues will process your Personal Data in accordance with their own privacy policies.

SevenRooms will only share the information specified above with the Venue at which a Guest has made reservations using the Service. Venues cannot use the Services to access information pertaining to Guests, reservations or related information from other Venues, except that Venues with the same corporate ownership may elect to share such information with their corporate group and subject to that Venue’s privacy policy.

Each Venue is a separate business from SevenRooms. While SevenRooms encourages Venues to comply with data protection requirements, SevenRooms will not be responsible for a Venue’s failure to comply with laws applicable to the use of Personal Data. Any complaints or inquiries regarding use of your information by a Venue, or marketing communications from a Venue, should be addressed directly to the Venue in question.

In no event will SevenRooms be responsible for information, management, and use of data collected by Venues from their own websites and not stored on the Services.

4. Sharing of Your Data

We may disclose your personal data as described below and as described elsewhere in this Policy.

Service Providers. We may share your personal data with third party service providers to: provide you with the Services; to conduct quality assurance testing; to facilitate creation of Accounts; to provide technical support; and/or to provide other services to the SevenRooms.

Payment Processors. We use third party payment processors to process payments made through the Platform to Venues. These payment processors may use your payment data in accordance with their privacy policies.

Social Networking Sites. We allow Guests to place reservations with Venues on the Platform via social networking sites (e.g., Facebook or Twitter, and each an “SNS”). Guests who access the Platform via an SNS (i.e., by choosing to “sign in via Facebook” or the equivalent) consent to SevenRooms receiving information required to make the reservation from the SNS. The Platform may also enable you to post content to an SNS. If you choose to do this, we will provide information to such SNS in accordance with your elections. You agree that you are solely responsible for your use of an SNS and that it is your responsibility to review the terms of use and privacy policy of such SNS. Any information that we collect from an SNS account will depend on the privacy settings you have with that SNS, so please consult the SNS’ privacy and data practices.

Affiliates. We may share some or all of your personal data with our parent company, joint ventures, or other companies under a common control (“Affiliates”).

Partner Marketing. In the event you provided your contact information to SevenRooms in conjunction with a co-marketing initiative with another company, such as downloading a white paper written in conjunction with an integration partner, SevenRooms will share your information with that party, in compliance with applicable laws. In these events, the partner will be explicitly represented on the landing page or other marketing materials so that you are aware it is a co-marketing initiative.

Advertising Partners. Third-party advertising companies for the interest-based advertising purposes described above.

Corporate Restructuring. We may share some or all of your personal data in connection with or during negotiation of any merger, financing, acquisition or dissolution transaction or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of our business or assets. In the event of an insolvency, bankruptcy, or receivership, personal data may also be transferred as a business asset. If another company acquires our company, business, or assets, that company will possess the personal data collected by us and will assume the rights and obligations regarding your personal data as described in this Policy.

Professional Advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Authorities and Others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the Compliance and protection purposes described above.

5. Communications and Disclosures.

From SevenRooms. SevenRooms sends automated service messages to Guests via email and / or text pertaining to upcoming or recent Venue reservations or other core functions of the Services, such as confirmations, reminders, and/or invitations to provide customer feedback (“Service Communications”). In addition, Guests and Registered Users may also opt in to receive promotional notices, special offers, and other related information from SevenRooms (“Marketing Communications”). You may always unsubscribe from Marketing Communications. However, so long as you use the Service, we may send essential Service Communications to the contact information associated with your Account.

From Venues. Venues may independently use the Platform to send Guests Service Communications and, if opted in by a Guest, Marketing Communications. Communications sent directly from a Venue via the Platform are subject to this Policy, but communications sent by a Venue outside of the Platform are subject to the Venue’s policies and practices.

Third Parties. SevenRooms will never sell, rent, loan or otherwise distribute any of your personal data (including but not limited to your name, email address, phone number or any other identifiable information about you) to any third party except as set forth in this Policy without your prior, express written consent.

6. Accounts

Registered Users can view and manage their Account information, including any associated personal data, by clicking on the “Account” link at the top of the login page. Guests and Registered Users may at any time contact SevenRooms at privacy@sevenrooms.com or as set forth in Section 13 to request that all personal data be deactivated.

7. How SevenRooms Protects Data

SevenRooms uses a number of technical, organizational and physical safeguards designed to protect the personal data we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal data.

8. A Note About Children

We do not intentionally gather personal data from visitors who are under the age of 18. If we learn that a child under the age of 18 has submitted personal data to SevenRooms, we will attempt to delete such data as soon as possible. If you believe that we might have any personal data from a child under 18, please contact us at privacy@sevenrooms.com or as set forth in Section 13.

9. Changes to this Policy

Any changes to this Policy will always be posted to this page of the Site, along with the effective date of the updated Policy. You should check this page periodically to stay abreast of any such changes. SevenRooms will never make changes to the Policy that violate any applicable privacy laws. For any material changes to the Policy, we will notify you via email or by placing a prominent notice on the homepage of our Site.

10. Disclosure, Correction, Control of Personal Data

If you wish to have SevenRooms disclose what personal data of yours it holds, and/or how SevenRooms obtained such information, or if you desire the correction, suspension of use, or to be informed of the purpose of use of personal data by SevenRooms, please contact SevenRooms as set forth below. SevenRooms will process such request in compliance with all applicable privacy laws, but may first confirm that such request has been made by you personally.

11. State Privacy Rights

This section applies only to California and Virginia residents and provides additional information to residents pursuant to applicable state privacy laws including the California Consumer Privacy Act (“CCPA”) and the Virginia Consumer Data Protection Act (“VCDPA”) (collectively the “State Privacy Laws”). In this section, the term “Personal Information” means information defined as “personal information,“ “personal data,” or other similar term under the State Privacy Laws. The State Privacy Laws may provide residents with some or all of the rights listed below. Please note that not all rights listed below may be afforded to all users and that if you are not a resident of one of these states listed above, you may not be able to exercise these rights. In addition, we may not be able to process your request if you do not provide us with sufficient detail to allow us to confirm your identity or understand and respond to it. We may decline your request in certain cases as permitted by law.

Furthermore, this section applies only to Personal Information which SevenRooms collects and processes on its own behalf, such as information collected about employees or agents of Venues in the initiation or administration of Accounts.

With respect to Personal Information of Guests of the Venues that are SevenRooms’ customers, SevenRooms processes such information as a service provider to such Venues. This section does not apply to data collected by SevenRooms as a service provider. Any requests relating to this Personal Information should be directed to the appropriate Venue.

Your Privacy Rights. The State Privacy Laws may provide residents with some or all of the rights listed below. However, these rights are not absolute and some State Privacy Laws do not provide these rights to their residents. Therefore, we may decline your request in certain cases as permitted by law.

Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:

The categories of Personal Information that we have collected.

The categories of sources from which we collected Personal Information.

The business or commercial purpose for collecting and/or selling Personal Information.

The categories of third parties with which we share Personal Information.

The categories of Personal Information that we sold or disclosed for a business purpose.

The categories of third parties to whom the Personal Information was sold or disclosed for a business purpose.

Access. You can request a copy of the Personal Information that we have collected about you during the past 12 months.

Appeal. You can appeal our denial of any request validly submitted.

Correction. You can ask us to correct inaccurate Personal Information that we have collected about you.

Deletion. You can ask us, subject to certain exceptions, to delete the personal information that we have collected from you.

Opt-out of certain processing for targeted advertising purposes. You can opt-out of certain processing of personal information for targeted advertising purposes.

Limit processing of Sensitive Personal Information. You can ask us to limit the processing of any Sensitive Personal Information we collect as necessary for our (1) service or product delivery and operations, (2) Compliance and protection, (3) research and development, or (4) service or product improvement and analytics purposes.

Nondiscrimination. You are entitled to exercise the rights described above free from discrimination as prohibited by the State Privacy Laws.

How to Exercise Your Rights to information/know, access, appeal, correction, deletion. You can submit requests to exercise your right to information/know, access appeal, correction and deletion rights by contacting us at (212) 242-5607 or at privacy@sevenrooms.com.

Exercising your right to opt-out of processing for targeted advertising purposes. While we do not sell Personal Information for money, like many companies, we use services that help deliver interest-based ads to you as described above. The State Privacy Laws may classify our use of some of these services as “selling” or “sharing” your Personal Information with the Advertising Partners that provide the services. You can opt-out of tracking for targeted advertising purposes or other sales of Personal Information by emailing privacy@sevenrooms.com for the time being while an automated solution is developed. Your request to opt-out will apply only to the browser and the device from which you submit the request. You can also broadcast the Global Privacy Control (GPC) to opt-out for each participating browser system that you use. Learn more at the Global Privacy Control website.

We sell or share the following categories of Personal Information with Advertising Partners: Contact data, Demographic data, Profile data, Communications data, Transactional data, Marketing data, Promotion data, Device data, Online activity data, and Communication interaction data.

Verification of Identity; Authorized agents. We may need to verify your identity in order to process your information/know, access, appeal, correction, or deletion requests and reserve the right to confirm your residency. To verify your identity, we may require government identification, a declaration under penalty of perjury, or other information, where permitted by law.

Under the State Privacy Laws, you may be permitted to authorize an authorized agent to make a request on your behalf. However, we may need to verify your authorized agent’s identity and authority to act on your behalf. We may require a copy of a valid power of attorney given to your authorized agent pursuant to applicable law. If you have not provided your agent with such a power of attorney, we may ask you to take additional steps permitted by law to verify that your request is authorized, such as by providing your agent with written and signed permission to exercise your privacy rights on your behalf, the information we request to verify your identity, and confirmation that you have given the authorized agent permission to submit the request.

Additional information for California residents.

Sensitive Personal Information. We do not use or disclose sensitive personal information for purposes that California residents have a right to limit under the California Consumer Privacy Act.

California Categories of Personal Information. California law requires that we describe to California residents the categories of personal information we collect by reference to certain categories described in the California Consumer Privacy Act (Cal. Civ. Code Section 1798.140(v)):

All categories described in this Policy may include “identifiers” or “inferences”;

Account data may include “commercial information” and “California customer records”;

Payment data may include “financial information,” “commercial information,” and “California customer records”;

Transaction data may include “financial information,” “commercial information,” and “California customer records”;

Communications data and Communication interaction data may include “commercial information,” “California customer records,” and “internet or other electronic network activity information”;

Survey data may include “commercial information” and “California customer records”;

Marketing data may “commercial information,” “California customer records,” and “internet or other electronic network activity information; and

Online Activity Data, Device Data, Location data, and Log files include “internet or other electronic network activity information” and “geolocation data”.

Shine the Light Law. Under California’s Shine the Light law (California Civil Code Section 1798.83), California residents may ask companies with whom they have formed a business relationship primarily for personal, family or household purposes to provide the names of third parties to which they have disclosed certain personal information (as defined under the Shine the Light law) during the preceding calendar year for their own direct marketing purposes, and the categories of personal information disclosed. You may send us requests for this information to privacy@sevenrooms.com. In your request, you must include the statement “Shine the Light Request,” and provide your first and last name and mailing address and certify that you are a California resident. We reserve the right to require additional information to confirm your identity and California residency. Please note that we will not accept requests via telephone, mail, or facsimile, and we are not responsible for notices that are not labeled or sent properly, or that do not have complete information.

12. Additional information for European users

Where this Notice to European users applies. The information provided in Section 12 applies only to individuals in the European Economic Area, United Kingdom, and Switzerland (“Europe”).

Controller. SevenRooms Inc. is the controller in respect of the processing of Registered User, Accounts, and website visitor personal data covered by this Policy for purposes of the “GDPR” (i.e., the General Data Protection Regulation 2016/679 (“EU GDPR”) and the EU GDPR as it forms part of UK law (“UK GDPR”). See the ‘Contacting SevenRooms’ section below for our contact details. With respect to personal information of Guests of the Venues that are SevenRooms’ customers, SevenRooms processes such information as a processor under GDPR to such Venues. Such Venues determine the purposes and means of processing of any personal information collected from Guests, constitute the controller under GDPR with respect to such personal information and consequently, with respect to such information, the privacy policies of such Venues govern.

Our GDPR Representatives. We have appointed the following representatives – you can also contact them directly should you wish:

Our Representative in the EU. Our EU representative appointed under the EU GDPR is Rickert Law. You can contact them:

By email to: art-27-rep-sevenrooms@rickert.law

By postal mail to:

Rickert Rechtsanwaltsgesellschaft mbH

SevenRooms Inc.

Colmantstraße 15

53115 Bonn

GermanyOur Representative in the UK. Our UK representative appointed under the UK GDPR is SevenRooms Ltd. You can contact them:

By email to: privacy@sevenrooms.com

By postal mail to:

Fieldfisher Riverbank House,

SevenRooms Ltd.

2 Swan Lane

London, United Kingdom

EC4R 3TT

Legal Bases. In respect of each of the purposes for which we use your personal data, the GDPR requires us to ensure that we have a “legal basis” for that use. Our legal bases for processing your personal data described in this Policy are listed below.

Where we need to perform a contract, we are about to enter into or have entered into with you (“Contractual Necessity”).

Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). More detail about the specific legitimate interests pursued in respect of each purpose we use your personal data for is set out in the table below.

Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).

Where we have your specific consent to carry out the processing for the Purpose in question (“Consent”).

We have set out below, in a table format, the legal bases we rely on in respect of the relevant purposes for which we use your personal data – for more information on these purposes and the data types involved, see ‘Use of your data’ above.

PurposeCategories of personal data involvedLegal basisService delivery and operationsAccount data

Payment data

Transactional data

Communications data

Survey data

Device data

Log files– Contractual Necessity

– Legitimate Interests. If Contractual Necessity is not applicable, we have a legitimate interest in providing a good Service Direct marketingAccount data

Transactional data

Marketing data– Consent, in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given communications, including our newsletter

– Legitimate Interests. We have a legitimate interest in promoting our operations and goals as an organisation, including by sending direct marketingInterest-based advertisingOnline activity data– ConsentCompliance and protectionAny and all data types relevant in the context– Compliance with Law

– Legitimate interest. Where Compliance with Law is not applicable, we have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We may also have a legitimate interest of ensuring the protection, maintenance, and enforcement of our rights, property, and/or safetyService improvement and analyticsAny and all data types relevant in the context– Consent, in respect of any non-essential cookies used for this purpose

– Legitimate Interest. We have a legitimate interest in providing a good ServiceTo aggregate, de-identify or otherwise anonymize your personal dataAny and all data types relevant in the context– Legitimate interest. We have a legitimate interest in assessing the use of our Service in a manner that is not intrusive

Retention. We retain personal data for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for Compliance and protection purposes.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

No Automated Decision-Making and Profiling. As part of the Service, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects.

Your rights.

The GDPR gives you certain rights regarding your personal data. If you are located in Europe, the UK, or Switzerland you may ask us to take the following actions in relation to your personal data that we hold:

Access. Provide you with information about our processing of your personal data and give you access to your personal data.

Correct. Update or correct inaccuracies in your personal data.

Delete. Delete your personal data where there is no good reason for us continuing to process it – you also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

Transfer. Transfer a machine-readable copy of your personal data to you or a third party of your choice.

Restrict. Restrict the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.

Object. Object to our processing of your personal data where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal data for direct marketing purposes.

Withdraw Consent. When we use your personal data based on your consent, you have the right to withdraw that consent at any time.

Exercising These Rights. You may submit these requests by email to privacy@sevenrooms.com or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.

Data Processing Outside Europe. We are a U.S.-based company and many of our service providers, advisers, partners or other recipients of data are also based in the U.S. This means that, if you use the Service, your personal data will necessarily be accessed and processed in the U.S. It may also be provided to recipients in other countries outside Europe.

It is important to note that the US is not the subject of an ‘adequacy decision’ under the GDPR – basically, this means that the U.S. legal regime is not considered by relevant European bodies to provide an adequate level of protection for personal data, which is equivalent to that provided by relevant European laws.

EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF and the Swiss-US Data Privacy Framework (Swiss-US DPF). SevenRooms is certified under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF and relies on this certification as its primary transfer mechanisms for transfers of personal data from the EU, UK, and Switzerland to the US. SevenRooms adheres to the DPF principles for onward transfers of personal data to third parties and remains liable for damages caused by third parties under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF unless SevenRooms did not cause the event giving rise to damage. The U.S. Federal Trade Commission has jurisdiction over SevenRoom’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. More information about the DPF Program is available at: https://www.dataprivacyframework.gov.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, SevenRooms commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact SevenRooms at: privacy@sevenrooms.com.

Independent Dispute Resolution. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, SevenRooms commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Residents of Europe, the UK, and Switzerland may also choose to arbitrate unresolved complaints. Prior to initiating arbitration for those unresolved complaints, you must:

(1) contact SevenRooms allowing an opportunity to resolve the issue;

(2) seek assistance from our designated independent recourse mechanism; and

(3) contact the U.S. Department of Commerce and afford them time to resolve the issue.

Each party will be responsible for its own attorney’s fees. This arbitration process is provided through the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. As such, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the EU-US DPF, the UK Extension, and the Swiss-US DPF with respect to the individual.

Where we share your personal data with third parties who are based outside Europe, we try to ensure a similar degree of protection is afforded to it by making sure one of the following mechanisms is implemented:

Transfers to territories with an adequacy decision. We may transfer your personal data to countries or territories whose laws have been deemed to provide an adequate level of protection for personal data by the European Commission or UK Government (as and where applicable) (from time to time).

Transfers to territories without an adequacy decision. We may transfer your personal data to countries or territories whose laws have not been deemed to provide such an adequate level of protection (e.g., the U.S., see above).

However, in these cases:

we may use specific appropriate safeguards, which are designed to give personal data effectively the same protection it has in Europe – for example, standard-form contracts approved by relevant authorise for this purpose; or

in limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer your personal data to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – for example, reliance on your explicit consent to that transfer.

You may contact us if you want further information on the specific mechanism used by us when transferring your personal data out of Europe.

13. Contacting SevenRooms

If you have any questions or concerns or complaints about our Policy or our data collection or processing practices, or if you want to report any security violations to us, please contact us at the following address, phone number or email:

By phone at: 1-212-242-5607

By email at: privacy@sevenrooms.com