Your Colorado Privacy Rights

The Colorado Privacy Act (“CPA”) provides Colorado residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Data,” as well as rights to access and control Personal Data. The CPA defines “Personal Data” to mean “information that is linked or reasonably linkable to an identified or identifiable individual.” Certain information we collect may be exempt from the CPA because it is de-identified, considered public information (i.e., it is made available by a government entity), covered by a federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, or otherwise excluded from the definition of Personal Data under the CPA.

From time to time in this section of the Privacy Policy, we may refer to the “processing” of Personal Data. “Process” or “Processing” means collecting, using, selling, storing, analyzing, deleting, or modifying Personal Data.

If you are a Colorado resident and would like to see the categories of Personal Data that we collect or sell, please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices. If you are a Colorado resident and would like to make a request to access your Personal Data, correct your Personal Data, delete your Personal Data, or request that we do not sell your Personal Data or use it for targeted advertising or certain kinds of profiling (as described in more detail below), please visit our Privacy Request webpage, or contact us as described above.

If you would like to appeal any decision we make not to comply with your request (in whole or in part), please respond to the email you received from Privacy@restaurant.org notifying you of our decision, or write to us or call us at the above address within forty-five (45) days of your receipt of our response.

To the extent that we collect Personal Data that is subject to the CPA, that information, our practices, and your rights are described below.

• Right to Information Regarding the Categories of Personal Data Collected, Sold, and Disclosed. You have a right to obtain information about the categories of Personal Data we collect, sell, and disclose. Please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices.
• Right to Access Information and Right to Data Portability. You have the right to confirm whether we are processing Personal Data collected about you and to access that Personal Data. When exercising your right to access your Personal Data, you have the right to obtain your Personal Data in a portable format, and (to the extent feasible) a format that is readily usable and allows you to transmit the data to another entity. You may exercise this right up to two times per calendar year. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request, and we may redact any highly sensitive information (such as driver’s license numbers, social security numbers, or financial account numbers). If we redact any information, we will clearly describe what information we are redacting.
• Right to Correction. You have the right to correct inaccuracies in your Personal Data. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may not have to comply with this request based on the nature of the Personal Data you are asking us to correct or the purposes of processing that Personal Data. If that is the case, we will explain that to you in our response.
• Right to Request Deletion of Personal Data. You have the right to request in certain circumstances that we delete any Personal Data that we have collected directly from you. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
• Right to Information Regarding Participation in Data Sharing for Financial Incentives. We may run promotions from time to time whereby we incentivize a consumer to share certain pieces of information with us; for example, we may offer a one-time discount if consumers sign up for our email marketing list. Participation in these incentives is voluntary, and you may opt out of the data sharing at any time. If we do so, we will disclose the categories of Personal Data that we collect through the program, the categories of third parties to whom we will share the Personal Data received, the value of the program benefits available to you whether or not you opt out of the sale of Personal Data or the processing of Personal Data for targeted advertising, and a list of any benefits that require the sale of Personal Data or processing of Personal Data for targeted advertising at the time such Personal Data is collected.
• Right to Opt Out of Targeted Advertising, Sale of Personal Data to Third Parties, and Certain Profiling. You have the right to opt out of any targeted advertising or sale of your Personal Data by us to third parties. You also have the right to opt out of profiling (described below) that is used in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities. Profiling is the automated processing of your Personal Data to evaluate, analyze or predict things about your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. We do not engage in any of the profiling described above in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities. To exercise your right to opt out of targeted advertising or the sale of your Personal Data, please visit our Privacy Request webpage. Please note that your right to opt out does not apply to our sharing of Personal Data with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Data only for that function, or with state agencies, as required by such agencies.

Sensitive Data

Some of the Personal Information we collect falls under the definition of “Sensitive Data” under the CPA. The following is a description of our data collection practices with respect to Sensitive Data, including the Sensitive Data we collect, the sources of that Sensitive Data, the purposes for which we collect Sensitive Data, and whether we disclose that Sensitive Data to external parties.

• Protected Classifications. We may collect your age in order to comply with laws that restrict collection and disclosure of personal information belonging to minors or as required by law to provide certain Services to you. We may collect information about your gender identity or status as a transgender or nonbinary person, sexuality, disability status, race, and/or ethnic origin that you voluntarily disclose to us when using the Services (a) as required by applicable law, federal contracts or grants, or accreditation agencies, (b) to ensure that we are not discriminating against anyone on the basis of their protected classifications, (c) to provide accommodations on the basis of disability, (d) to ensure that we appropriately refer to your gender identity, or (e) to evaluate our strategies so that our Services are available to people of all backgrounds. This information is never used to determine if someone is eligible to access any of our products, programs, events, or other Services. We disclose that information only to third parties performing services on our behalf, to governmental entities as required by applicable law, federal contracts or grants, and to accreditation bodies as required in order to offer certifications accredited by such bodies.

Your Oregon Privacy Rights

The Oregon Consumer Data Privacy Act (“OCDPA”) provides Oregon residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Data,” as well as rights to access and control Personal Data. The OCDPA defines “Personal Data” to mean “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” Certain information we collect may be exempt from the OCDPA because it is de-identified, considered public information (i.e., it is made available by a government entity or widely distributed media), covered by a federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, or otherwise excluded from the definition of Personal Data under the OCDPA.

From time to time in this section of the Privacy Policy, we may refer to the “processing” of Personal Data. “Process” or “Processing” means performing an action or operation, or a series of actions or operations (including automatically) on Personal Data, such as collecting, using, selling, storing, analyzing, deleting, or modifying Personal Data.

If you are an Oregon resident and would like to see the categories of Personal Data that we collect or sell, please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices. If you are an Oregon resident and would like to make a request to access your Personal Data, correct your Personal Data, delete your Personal Data, or request that we do not sell your Personal Data or use it for targeted advertising or certain kinds of profiling (as described in more detail below), please visit our Privacy Request webpage, or contact us as described above.

If you would like to appeal any decision we make not to comply with your request (in whole or in part), please respond to the email you received from Privacy@restaurant.org notifying you of our decision, or write to us or call us at the above address within forty-five (45) days of your receipt of our response. We will approve or deny your appeal, in writing with an explanation of our decision, within forty-five (45) days of our receipt of your appeal.

To the extent that we collect Personal Data that is subject to the OCDPA, that information, our practices, and your rights are described below.

• Right to Information Regarding the Categories of Personal Data Collected, Sold, and Disclosed. You have a right to obtain information about the categories of Personal Data we collect, sell, and disclose. Please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices.
• Right to Access Information and Right to Data Portability. You have the right to confirm whether we are processing Personal Data collected about you and to access that Personal Data. When exercising your right to access your Personal Data, you have the right to obtain your Personal Data in a portable format, and (to the extent feasible) a format that is readily usable and allows you to transmit the data to another entity. You may also request that we provide you with a list of third parties we have shared either your Personal Data specifically, or anyone’s personal data generally. Please note that this list would not include any of our affiliates or any service providers or other entities that process your Personal Data on our behalf. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request, and we may redact any highly sensitive information (such as driver’s license numbers, social security numbers, or financial account numbers). If we redact any information, we will clearly describe what information we are redacting.
• Right to Correction. You have the right to correct inaccuracies in your Personal Data. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may not have to comply with this request based on the nature of the Personal Data you are asking us to correct or the purposes of processing that Personal Data. If that is the case, we will explain that to you in our response.
• Right to Request Deletion of Personal Data. You have the right to request in certain circumstances that we delete any Personal Data that we have collected directly from you or Personal Data that we have collected from another source. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
• Right to Opt Out of Targeted Advertising, Sale of Personal Data to Third Parties, and Certain Profiling. You have the right to opt out of any targeted advertising or sale of your Personal Data by us to third parties. You also have the right to opt out of profiling (described below) that is used in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities. Profiling is the automated processing of your Personal Data to evaluate, analyze or predict things about your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. We do not engage in any of the profiling described above in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities. To exercise your right to opt out of targeted advertising or the sale of your Personal Data, please visit our Privacy Request webpage. Please note that your right to opt out does not apply to our sharing of Personal Data with affiliates or service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Data only for that function, or with state agencies, as required by such agencies.
• Revoking Consent. If you wish to revoke your consent to our processing of your Personal Data as specified in this Privacy Policy, you may do by visiting our Privacy Request webpage. Please note that we may continue using your Personal Data as required to provide the Services, as described in this Privacy Policy.

We will provide information that you request pursuant to this section once during any twelve (12)-month period without charge. For any subsequent requests in a twelve (12)-month period (other than subsequent requests intended for you to verify our compliance with your prior request), we may charge a reasonable fee to cover the administrative costs of complying with your subsequent requests.

Sensitive Data

Some of the Personal Information we collect falls under the definition of “Sensitive Data” under the OCDPA. The following is a description of our data collection practices with respect to Sensitive Data, including the Sensitive Data we collect, the sources of that Sensitive Data, the purposes for which we collect Sensitive Data, and whether we disclose that Sensitive Data to external parties.

• Protected Characteristics. We may collect your age in order to comply with laws that restrict collection and disclosure of personal information belonging to minors or as required by law to provide certain Services to you. We may collect information about your gender identity or status as a transgender or nonbinary person, sexuality, disability status, race, and/or ethnic origin that you voluntarily disclose to us when using the Services (a) as required by applicable law, federal contracts or grants, or accreditation agencies, (b) to ensure that we are not discriminating against anyone on the basis of their protected classifications, (c) to provide accommodations on the basis of disability, (d) to ensure that we appropriately refer to your gender identity, or (e) to evaluate our strategies so that our Services are available to people of all backgrounds. This information is never used to determine if someone is eligible to access any of our products, programs, events, or other Services. We disclose that information only to third parties performing services on our behalf, to governmental entities as required by applicable law, federal contracts or grants, and to accreditation bodies as required in order to offer certifications accredited by such bodies.

Your Minnesota Privacy Rights

The Minnesota Consumer Data Privacy Act (“MCDPA”) provides Minnesota residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Data,” as well as rights to access and control Personal Data. The MCDPA defines “Personal Data” to mean “any information that is linked to or is reasonably linkable to an identified or identifiable natural person.” Certain information we collect may be exempt from the MCDPA because it is de-identified, considered public information (i.e., it is made available by a government entity or widely distributed media), covered by a federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, or otherwise excluded from the definition of Personal Data under the MCDPA.

From time to time in this section of the Privacy Policy, we may refer to the “processing” of Personal Data. “Process” or “Processing” means performing an action or operation, or a series of actions or operations (including automatically) on Personal Data, such as collecting, using, storing, disclosing, analyzing, deleting, or modifying Personal Data.

If you are a Minnesota resident and would like to see the categories of Personal Data that we collect or sell, please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices. If you are a Minnesota resident and would like to make a request to access your Personal Data, correct your Personal Data, delete your Personal Data, or request that we do not sell your Personal Data or use it for targeted advertising or certain kinds of profiling (as described in more detail below), please visit our Privacy Request webpage, or contact us as described above.

If you would like to appeal any decision we make not to comply with your request (in whole or in part), please respond to the email you received from Privacy@restaurant.org notifying you of our decision, or write to us or call us at the above address within forty-five (45) days of your receipt of our response. We will approve or deny your appeal, in writing with an explanation of our decision, within forty-five (45) days of our receipt of your appeal.

To the extent that we collect Personal Data that is subject to the MCDPA, that information, our practices, and your rights are described below.

• Right to Information Regarding the Categories of Personal Data Collected, Sold, and Disclosed. You have a right to obtain information about the categories of Personal Data we collect, sell, and disclose. Please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices.
• Right to Access Information and Right to Data Portability. You have the right to confirm whether we are processing Personal Data collected about you and to access that Personal Data. When exercising your right to access your Personal Data, you have the right to obtain your Personal Data in a portable format, and (to the extent feasible) a format that is readily usable and allows you to transmit the data to another entity. You may also request that we provide you with a list of third parties we have shared anyone’s personal data generally since we do not maintain the information in a format that is specific to each consumer. Please note that this list would not include any of our affiliates or any service providers or other entities that process your Personal Data on our behalf. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request, and we may redact any highly sensitive information (such as driver’s license numbers, social security numbers, or financial account numbers). If we redact any information, we will clearly describe what information we are redacting.
• Right to Correction. You have the right to correct inaccuracies in your Personal Data. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may not have to comply with this request based on the nature of the Personal Data you are asking us to correct or the purposes of processing that Personal Data. If that is the case, we will explain that to you in our response.
• Right to Request Deletion of Personal Data. You have the right to request in certain circumstances that we delete any Personal Data that we have collected directly from you or Personal Data that we have collected from another source. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
• Right to Opt Out of Targeted Advertising, Sale of Personal Data to Third Parties, and Certain Profiling. You have the right to opt out of any targeted advertising or sale of your Personal Data by us to third parties. You also have the right to opt out of profiling (described below) that is used in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities. Profiling is the automated processing of your Personal Data to evaluate, analyze or predict things about your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. We do not engage in any of the profiling described above in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities or other legal or similarly significant effects concerning you. To exercise your right to opt out of targeted advertising or the sale of your Personal Data, please visit our Privacy Request webpage. Please note that your right to opt out does not apply to our sharing of Personal Data with affiliates or service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Data only for that function, or with state agencies, as required by such agencies.
• Revoking Consent. If you wish to revoke your consent to our processing of your Personal Data as specified in this Privacy Policy, you may do by visiting our Privacy Request webpage. Please note that we may continue using your Personal Data as required to provide the Services, as described in this Privacy Policy.

We will provide information that you request pursuant to this section twice during any twelve (12)-month period without charge. For any subsequent requests in a twelve (12)-month period (other than subsequent requests intended for you to verify our compliance with your prior request), we may charge a reasonable fee to cover the administrative costs of complying with your subsequent requests.

Sensitive Data

Some of the Personal Information we collect falls under the definition of “Sensitive Data” under the MCDPA. The following is a description of our data collection practices with respect to Sensitive Data, including the Sensitive Data we collect, the sources of that Sensitive Data, the purposes for which we collect Sensitive Data, and whether we disclose that Sensitive Data to external parties.

• Protected Characteristics. We may collect your age in order to comply with laws that restrict collection and disclosure of personal information belonging to minors or as required by law to provide certain Services to you. We may collect information about your sexual orientation, disability status, race, and/or ethnic origin that you voluntarily disclose to us when using the Services (a) as required by applicable law, federal contracts or grants, or accreditation agencies, (b) to ensure that we are not discriminating against anyone on the basis of their protected classifications, (c) to provide accommodations on the basis of disability, or (d) to evaluate our strategies so that our Services are available to people of all backgrounds. This information is never used to determine if someone is eligible to access any of our products, programs, events, or other Services. We disclose that information only to third parties performing services on our behalf, to governmental entities as required by applicable law, federal contracts or grants, and to accreditation bodies as required in order to offer certifications accredited by such bodies.

Your California Privacy Rights

The California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CPRA”) provides California residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Information,” as well as rights to access and control Personal Information with respect to certain business entities. The CPRA defines “Personal Information” to mean “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Certain information we collect may be exempt from the CPRA because it is considered public information (i.e., it is made available by a government entity) or covered by a federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, or the Fair Credit Reporting Act, or otherwise excluded from the definition of Personal Data under the CPRA.

Due to the Association and its subsidiaries’ and affiliates’ status as tax-exempt, not-for-profit trade associations, public charities, and political action committees, it is our position that we are not subject to either the CCPA or the CPRA.

Because we respect your privacy, we have voluntarily agreed to make certain disclosures available to California residents. If you are a California resident and would like to see the categories of personal information that we collect or sell, please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices. If you are a California resident and would like to make such a request to access your personal information, delete your personal information, request that we do not sell or share your information, or request that we limit the use of your sensitive personal information to those purposes authorized by the CPRA, please visit our Privacy Request webpage, or contact us as described above.

To the extent that we collect Personal Information that is subject to the CPRA, that information, our practices, and any rights you may have under the CPRA are described below.

• Right to Information Regarding the Categories of Personal Information Collected, Sold, and Disclosed. To the extent that we collect Personal Information that is subject to the CPRA, you may have a right to obtain information about the categories of Personal Information we collect, sell, and disclose. Please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices.
• Right to Access Information. To the extent that we collect Personal Information that is subject to the CPRA, you may have the right to request access to Personal Information collected about you and information regarding the source of that information, the purposes for which we collect it, and the third parties and service providers with whom we share it. To protect our customers’ Personal Information, we are required to verify your identity before we can act on your request.
• Right to Request Deletion of Information. To the extent that we collect Personal Information that is subject to the CPRA, you may have the right to request in certain circumstances that we delete any Personal Information that we have collected directly from you. To protect our customers’ Personal Information, we are required to verify your identity before we can act on your request. We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
• Right to Correction. To the extent that we collect Personal Information that is subject to the CPRA, you may have the right to correct inaccuracies in your Personal Information. To protect our customers’ Personal Information, we are required to verify your identity before we can act on your request. We may not have to comply with this request if we determine that the contested information is more likely to be accurate than not, if such a request would conflict with federal or state law, or if compliance would be impossible or involve disproportionate effort, or for other reasons permitted under the CPRA. If that is the case, we will explain that to you in our response.
• Right to Information Regarding Participation in Data Sharing for Financial Incentives. We may run promotions from time to time whereby we incentivize a consumer to share certain pieces of information with us; for example, we may offer a one-time discount if consumers sign up for our email marketing list. Participation in these incentives is voluntary, and you may opt out of the data sharing at any time.
• Right to Opt Out of Sale of Personal Information to Third Parties and Targeted Advertising. To the extent that we collect Personal Information that is subject to the CPRA, you may have the right to opt out of any sale of your Personal Information or sharing of your Personal Information for cross-context behavioral (targeted) advertising purposes by the Association to third parties. To exercise this right, please visit our Privacy Request webpage. Please note that your right to opt out does not apply to our sharing of Personal Information with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Information only for that function, or with state agencies, as required by such agencies.

Sensitive Personal Information

Some of the Personal Information we collect falls under the definition of “Sensitive Personal Information” under the CPRA. The following is a description of our data collection practices with respect to Sensitive Personal Information, including the Sensitive Personal Information we collect, the sources of that Sensitive Personal Information, the purposes for which we collect Sensitive Personal Information, and whether we disclose that Sensitive Personal Information to external parties. We may use any and all of the Sensitive Personal Information for any of the purposes described in this Privacy Policy, unless limitations are listed. The categories we use to describe the information are those enumerated in the CPRA.

• Government Identifiers. If you take an examination, we may collect images of your driver’s license, state identification card, or passport to verify your identity. We may collect your Social Security number to verify your identity or to comply with applicable law.
• Complete account access credentials. We may collect information, such as usernames, account numbers, or card numbers combined with required access/security code or password, for security purposes.
• Racial or ethnic origin. We may collect information about your gender identity, sexuality, disability status, race, and/or ethnic origin that you voluntarily disclose to us when using the Services (a) as required by applicable law, federal contracts or grants, or accreditation agencies, (b) to ensure that we are not discriminating against anyone on the basis of their protected classifications, (c) to provide accommodations on the basis of disability, (d) to ensure that we appropriately refer to your gender identity, or (e) to evaluate our strategies so that our Services are available to people of all backgrounds. This information is never used to determine if someone is eligible to access any of our products, programs, events, or other Services.

Right to Limit Use or Disclosure of Sensitive Personal Information

To the extent that we collect Personal Information that is subject to the CPRA, you may have the right to limit the use or disclosure of your Sensitive Personal Information to just actions to those that:

• help to ensure security and integrity, if the use of your Sensitive Personal Information is reasonably necessary and proportionate to the purpose of ensuring security and integrity;
• are for short-term, transient use, so long as your Sensitive Personal Information is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience;
• are involved in the performance of services on behalf our business, such as maintaining or servicing accounts, verifying customer information, processing payments, providing financing, providing analytic services, and/or providing storage; and
• are used to undertake activities to verify or maintain the quality or safety of the Services.

Your Delaware Privacy Rights

The Delaware Personal Data Privacy Act (“DPDPA”) provides Delaware residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Data,” as well as rights to access and control Personal Data. The DPDPA defines “Personal Data” to mean “any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information.” Certain information we collect may be exempt from the DPDPA because it is de-identified, covered by a federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, information that is collected in the context of an individual being employed by or acting as an agent or independent contractor, or otherwise excluded from the definition of Personal Data under the DPDPA.

From time to time in this section of the Privacy Policy, we may refer to the “processing” of Personal Data. “Process” or “Processing” means collecting, using, storing, disclosing, analyzing, deleting, or modifying Personal Data.

If you are a Delaware resident and would like to see the categories of Personal Data that we collect or sell, please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices. If you are a Delaware resident and would like to make a request to access your Personal Data, correct your Personal Data, delete your Personal Data, or request that we do not sell your Personal Data or use it for targeted advertising or certain kinds of profiling (as described in more detail below), please visit our Privacy Request webpage, or contact us as described above.

If you would like to appeal any decision we make not to comply with your request (in whole or in part), please respond to the email you received from Privacy@restaurant.org notifying you of our decision, or write to us or call us at the above address within sixty (60) days of your receipt of our response.

To the extent that we collect Personal Data that is subject to the DPDPA, that information, our practices, and your rights are described below.

• Right to Information Regarding the Categories of Personal Data Collected, Sold, and Disclosed. You have a right to obtain information about the categories of Personal Data we collect, sell, and disclose. Please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices.
• Right to Access Information and Right to Data Portability. You have the right to confirm whether we are processing Personal Data collected about you and to access that Personal Data. When exercising your right to access your Personal Data, you have the right to obtain your Personal Data in a portable format, and (to the extent feasible) a format that is readily usable and allows you to transmit the data to another entity. You may also request that we provide you with a list of the categories of third parties we have shared your Personal Data with. Please note that this list would not include any of our affiliates or any service providers or other entities that process your Personal Data on our behalf. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request, and we may redact any highly sensitive information (such as driver’s license numbers, social security numbers, or financial account numbers). If we redact any information, we will clearly describe what information we are redacting.
• Right to Correction. You have the right to correct inaccuracies in your Personal Data. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may not have to comply with this request based on the nature of the Personal Data you are asking us to correct or the purposes of processing that Personal Data. If that is the case, we will explain that to you in our response.
• Right to Request Deletion of Personal Data. You have the right to request in certain circumstances that we delete any Personal Data that we have collected directly from you. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
• Right to Opt Out of Targeted Advertising, Sale of Personal Data to Third Parties, and Certain Profiling. You have the right to opt out of any targeted advertising or sale of your Personal Data by us to third parties. You also have the right to opt out of profiling (described below) that is used in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities. Profiling is the automated processing of your Personal Data to evaluate, analyze or predict things about your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. We do not engage in any of the profiling described above in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities. To exercise your right to opt out of targeted advertising or the sale of your Personal Data, please visit our Privacy Request webpage. Please note that your right to opt out does not apply to our sharing of Personal Data with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Data only for that function, or with state agencies, as required by such agencies.
• Revoking Consent. If you wish to revoke your consent to our processing of your Personal Data as specified in this Privacy Policy, you may do by visiting our Privacy Request webpage. Please note that we may continue using your Personal Data as required to provide the Services, as described in this Privacy Policy.

We will provide information that you request pursuant to this section once during any twelve (12)-month period without charge. For any subsequent requests in a twelve (12)-month period (other than subsequent requests intended for you to verify our compliance with your prior request), we may charge a reasonable fee to cover the administrative costs of complying with your subsequent requests.

Sensitive Data

Some of the Personal Information we collect falls under the definition of “Sensitive Data” under the DPDPA. The following is a description of our data collection practices with respect to Sensitive Data, including the Sensitive Data we collect, the sources of that Sensitive Data, the purposes for which we collect Sensitive Data, and whether we disclose that Sensitive Data to external parties.

• Protected Characteristics. We may collect your age in order to comply with laws that restrict collection and disclosure of personal information belonging to minors or as required by law to provide certain Services to you. We may collect information about your gender identity or status as a transgender or nonbinary person, sexuality, disability status, race, and/or ethnic origin that you voluntarily disclose to us when using the Services (a) as required by applicable law, federal contracts or grants, or accreditation agencies, (b) to ensure that we are not discriminating against anyone on the basis of their protected classifications, (c) to provide accommodations on the basis of disability, (d) to ensure that we appropriately refer to your gender identity, or (e) to evaluate our strategies so that our Services are available to people of all backgrounds. This information is never used to determine if someone is eligible to access any of our products, programs, events, or other Services. We disclose that information only to third parties performing services on our behalf, to governmental entities as required by applicable law, federal contracts or grants, and to accreditation bodies as required in order to offer certifications accredited by such bodies.

Your New Jersey Privacy Rights

The New Jersey Data Privacy Act (“NJPDA”) provides New Jersey residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Data,” as well as rights to access and control Personal Data. The NJPDA defines “Personal Data” to mean “any information that is linked or reasonably linkable to an identified or identifiable person.” Certain information we collect may be exempt from the NJDPA because it is de-identified, covered by a federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, or otherwise excluded from the scope of the NJPDA.

From time to time in this section of the Privacy Policy, we may refer to the “processing” of Personal Data. “Process” or “Processing” means collecting, using, storing, disclosing, analyzing, deleting, or modifying Personal Data.

If you are a New Jersey resident and would like to see the categories of Personal Data that we collect or sell, please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices. If you are a New Jersey resident and would like to make a request to access your Personal Data, correct your Personal Data, delete your Personal Data, or request that we do not sell your Personal Data or use it for targeted advertising or certain kinds of profiling (as described in more detail below), please visit our Privacy Request webpage, or contact us as described above.

If you would like to appeal any decision we make not to comply with your request (in whole or in part), please respond to the email you received from Privacy@restaurant.org notifying you of our decision, or write to us or call us at the above address within forty-five (45) days of your receipt of our response.

To the extent that we collect Personal Data that is subject to the NJPDA, that information, our practices, and your rights are described below.

• Right to Information Regarding the Categories of Personal Data Collected, Sold, and Disclosed. You have a right to obtain information about the categories of Personal Data we collect, sell, and disclose. Please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices.
• Right to Access Information and Right to Data Portability. You have the right to confirm whether we are processing Personal Data collected about you and to access that Personal Data. When exercising your right to access your Personal Data, you have the right to obtain your Personal Data in a portable format, and (to the extent feasible) a format that is readily usable and allows you to transmit the data to another entity. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request, and we may redact any highly sensitive information (such as driver’s license numbers, social security numbers, or financial account numbers). If we redact any information, we will clearly describe what information we are redacting.
• Right to Correction. You have the right to correct inaccuracies in your Personal Data. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may not have to comply with this request based on the nature of the Personal Data you are asking us to correct or the purposes of processing that Personal Data. If that is the case, we will explain that to you in our response.
• Right to Request Deletion of Personal Data. You have the right to request in certain circumstances that we delete any Personal Data that we have collected directly from you. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request. We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
• Right to Opt Out of Targeted Advertising, Sale of Personal Data to Third Parties, and Certain Profiling. You have the right to opt out of any targeted advertising or sale of your Personal Data by us to third parties. You also have the right to opt out of profiling (described below) that is used in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities. Profiling is the automated processing of your Personal Data to evaluate, analyze or predict things about your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. We do not engage in any of the profiling described above in furtherance of decisions that result in providing or denying education enrollment or opportunity or employment opportunities. To exercise your right to opt out of targeted advertising or the sale of your Personal Data, please visit our Privacy Request webpage. Please note that your right to opt out does not apply to our sharing of Personal Data with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Data only for that function, or with state agencies, as required by such agencies.
• Revoking Consent. If you wish to revoke your consent to our processing of your Personal Data as specified in this Privacy Policy, you may do by visiting our Privacy Request webpage. Please note that we may continue using your Personal Data as required to provide the Services, as described in this Privacy Policy.

We will provide information that you request pursuant to this section once during any twelve (12)-month period without charge. For any subsequent requests in a twelve (12)-month period (other than subsequent requests intended for you to verify our compliance with your prior request), we may charge a reasonable fee to cover the administrative costs of complying with your subsequent requests.

Sensitive Data

Some of the Personal Information we collect falls under the definition of “Sensitive Data” under the NJDPA. The following is a description of our data collection practices with respect to Sensitive Data, including the Sensitive Data we collect, the sources of that Sensitive Data, the purposes for which we collect Sensitive Data, and whether we disclose that Sensitive Data to external parties.

• Protected Characteristics. We may collect your age in order to comply with laws that restrict collection and disclosure of personal information belonging to minors or as required by law to provide certain Services to you. We may collect information about your gender identity or status as a transgender or nonbinary person, sexuality, disability status, race, and/or ethnic origin that you voluntarily disclose to us when using the Services (a) as required by applicable law, federal contracts or grants, or accreditation agencies, (b) to ensure that we are not discriminating against anyone on the basis of their protected classifications, (c) to provide accommodations on the basis of disability, (d) to ensure that we appropriately refer to your gender identity, or (e) to evaluate our strategies so that our Services are available to people of all backgrounds. This information is never used to determine if someone is eligible to access any of our products, programs, events, or other Services. We disclose that information only to third parties performing services on our behalf, to governmental entities as required by applicable law, federal contracts or grants, and to accreditation bodies as required in order to offer certifications accredited by such bodies.
• Financial Information. We may collect your credit card or debit card number, security code and expiration date on the card, and other account holder information for transactions, including to process payments, when you make purchases from us or donations to us. We may collect your account and routing numbers, and other information necessary to make and receive payments via ACH or other electronic transfers of funds. We collect and use this information only for transactions, including to process payments, and disclose this information only to service providers assisting us in processing invoices and payments, and completing transactions.

Your Nevada Privacy Rights

Residents of the State of Nevada have the right to opt out of the sale of certain pieces of their information to third parties who will sell or license their information to others. If you are a Nevada resident and would like to make such a request, please visit our Privacy Request webpage, or contact us as described above.

Special Information for Students of Academic Institutions (FERPA)

Students using our Services through an educational agency or institution (“School”) may be entitled to certain rights under federal and/or state student privacy laws, such as the Family Educational Rights and Privacy Act (“FERPA”). Under FERPA, these rights include the right to:

• Access and inspect the student’s education records;
• Provide written consent to the disclosure of education records or personally identifiable information; and
• Request the amendment of the student’s education records that the parent or eligible student believes are inaccurate, misleading or in violation of the student’s privacy rights.

Our Student Data Privacy Policy describes how we use student data.

Please note that in order to provide our Services to students, we may receive or collect education records and personally identifiable information as reasonably required to provide the Services. We may also be required to disclose your education records or personally identifiable information as required by state agencies (such as state departments of health). If you do not consent to such disclosure, do not use our Services.

As part of our Services to students, you must provide authorization for us to:

• Share with Schools, prospective employers or current employers of a student the exam results, certification status and professional training of such student;
• Post accreditation, certification or training results to our public website for access by Schools, employers, educators or others;
• Share or publicly disclose such other education records or personally identifiable information as reasonably required to attest to a student’s certification status or for other purposes relevant to users of the Services; and
• Provide students information regarding additional Services that may advance or enhance the workforce development or career opportunities of students.

If you are a User who is an academic student at an American educational institution (a “Student User”), how you give consent depends on what website you are using. For users of the websites listed below, please follow the instructions below based upon when your account was created.

Website	New Users	Accounts Created After March 12, 2022	Accounts Created Before March 12, 2022
ServSafe.com Textbooks.restaurant.org AHLEI.ServSafeBrands.com MyProStart.chooserestaurants.org Restaurant.org All other sites not listed below	Create your account, select ‘Academic Student’ as Job Role, and provide consent.	Update your profile, select ‘Academic Student’ as Job Role, and provide consent.	Complete this Online Consent Form and send it to Privacy@restaurant.org before commencing any Services or providing any educational records or personal information.
ServSafeInternational.com Benefits.ServSafeBrands.com	Complete this Online Consent Form and send it to Privacy@restaurant.org before commencing any Services or providing any educational records or personal information.

Information for Individuals Located in the United Kingdom, European Economic Area and Switzerland

The categories of personal data that we collect, and the recipients of that data are described above. We process personal data on the following legal bases (which are described in more detail above): (1) with your consent; (2) as necessary to perform our agreement to provide Services; and (3) as necessary for our legitimate interests in providing the Services where those interests do not override your fundamental rights and freedom related to data privacy, as described above. Personal information we collect may be transferred to, and stored and processed in, the United States or any other country in which we or our affiliates or subcontractors maintain facilities, as described above.

Users that reside in the United Kingdom, EEA or Switzerland have the right to lodge a complaint about our data collection and processing actions with the supervisory authority concerned. Contact details for data protection authorities are available here.

If you are a resident of the United Kingdom, EEA or Switzerland, you are entitled to certain rights. Please note: In order to verify your identity, we may require you to provide us with personal information prior to accessing any records containing information about you. These rights include the following:

• Right to Access Information and Right to Data Portability. You have the right to confirm whether we are processing personal data collected about you (including the purposes, the categories, the categories of recipients, the retention period, the source of the data) and to access that personal data. When exercising your right to access your Personal Data, you have the right to obtain your Personal Data in a portable format, and to the extent feasible a format that is readily usable and allows you to transmit the data to another entity. To protect our customers’ Personal Data, we are required to verify your identity before we can act on your request, and we may redact any highly sensitive information (such as driver’s license numbers, social security numbers, or financial account numbers). If we redact any information, we will clearly describe what information we are redacting.
• Right to Rectification. You have the right to correct inaccuracies in your Personal Information or, taking into account the purpose of the processing, to have incomplete personal data completed.
• Right to Request Deletion of Personal Data. You have the right to request in certain circumstances (such as if the data is no longer necessary to fulfill the purpose for which it was collected, where you withdraw consent and no other legal ground exists for processing, where you object to the processing and there are no overriding legitimate grounds for processing, where the data was unlawfully processed, where the data is required to be deleted to be in compliance with applicable law) that we delete any personal data about you. To protect our customers’ personal data, we are required to verify your identity before we can act on your request. We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
• Right to Request Restriction of Processing: You have the right to request that we restrict our processing if we are processing your data based on legitimate interests or the performance of a task in the public interest as an exercise of official authority (including profiling); using your data for direct marketing (including profiling); or processing your data for purposes of scientific or historical research and statistics.

To submit a request to exercise your rights, please contact us at Privacy@restaurant.org. We may have a reason under the law why we do not have to respond to your request, or respond to it in a more limited way than you anticipated. If we do, we will explain that to you in our response.

Changes to This Policy

We may make changes to this Policy from time to time. We will post any changes, and such changes will become effective when they are posted unless otherwise required by law. Your continued use of our Services following the posting of any changes will mean you accept those changes. For questions about our privacy practices, contact us at:

Director of Security
National Restaurant Association
233 South Wacker Drive
Chicago, IL 60606
1-800-765-2122
Email: Privacy@restaurant.org

Additional Information About Our Use of Tracking Technologies and Interest-Based Advertising

The Association relies on partners to provide many features of our sites and services using data about your use of the Association and other sites. We use cookies for the following purposes:

• Strictly Necessary Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. These cookies do not store any personally identifiable information.
• Performance Cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous.
• Functional Cookies: These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages.
• Targeting Cookies: These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertising on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device.
• Social Media Cookies: These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests.

Below is a list of these partners with links to more information about the use of your data by our service providers and third parties that use tracking devices or cookies. We have provided links to information about the choices these services may make available to you.

Category	Partner	Further Information
Analytics	Google	Google Privacy & Terms
Personalized Advertising and Social Media	Facebook	Data Policy
Personalized Advertising	LinkedIn	Privacy Policy
Analytics	Microsoft Clarity	Privacy Policy (see below)
Site Operations	Marketo Forms	Privacy Information
Personalized Advertising	Marketo Munchkin	Privacy Information
Site Operations	ON24	Privacy Center

In addition to the foregoing, the National Restaurant Association and its affiliates, including National Restaurant Association Solutions LLC and The National Restaurant Association Educational Foundation, partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our websites through behavioral metrics, heatmaps, and session replay to improve and market our programs and any products/services made available through our website. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

Most web browsers automatically accept cookies but, if you prefer, you can usually modify your browser setting to disable or reject cookies. If you delete your cookies or if you set your browser to decline cookies, some features of the Services may not be available, work, or work as designed. You may also be able to opt out of or block tracking by interacting directly with the third parties who conduct tracking through our Services.

You can learn more about ad serving companies and the options available to limit their collection and use of your information by visiting the websites for the Network Advertising Initiative, the Digital Advertising Alliance, and the European Interactive Digital Advertising Initiative. Similarly, you can learn about your options to opt out of mobile app tracking by certain advertising networks through your device settings and by resetting the advertiser ID on your Apple or Android device.

Please note that opting-out of advertising networks services does not mean that you will not receive advertising while using our Services or on other websites, nor will it prevent the receipt of interest-based advertising from third parties that do not participate in these programs. It will, however, exclude you from interest-based advertising conducted through participating networks, as provided by their policies and choice mechanisms. If you delete your cookies, you may also delete your opt-out preferences.