Privacy Statement for Partners

This privacy statement (“Statement”) explains how Reactor Technology OÜ (referred to as “DineOS”, “we”, “us”, or “our”) collects, uses, discloses, and otherwise processes personal data. It applies to the processing of personal data of restaurant partners, grocery stores, convenience stores, or other business partners (“Partner”) who make use of our platforms and products, including the website, app, Partner webshop, and DineOS’s platform and services (“Services”).

At DineOS, we are committed to protecting the privacy of everyone in our community.

It is important that you read this Statement together with any other privacy statements that may apply to you or that we may provide in specific circumstances or for specific services when we are collecting or processing personal data about you. This ensures you are aware of how and why we use such data, your rights regarding your personal data, and how to exercise them.

What personal data we process and why

Personal data, in this Statement also referred to as “your data,” means any information or set of information from which we can, directly or indirectly, identify you personally, particularly by reference to an identifier, such as your name and surname, email address, phone number, and similar information. This does not include data where the identity has been removed (anonymous data).

DineOS processes your data because we have entered into a Partner relationship with you regarding the use of our Services. We use the following data for the purposes outlined below:

1. Registration process and compliance with our legal obligations

We process the personal data necessary to register you as a Partner, including during our contracting process with you. The legal basis for this processing is the performance of our contract with you.

We also process personal data collected during registration to comply with our legal obligations under applicable laws, such as those related to anti-money laundering, counter-terrorist financing, taxation, or other similar requirements. Additionally, we may collect and use your personal data—or the personal data of third parties—for purposes such as fraud prevention, preventing other criminal activity, or ensuring the security of our systems, based on our legitimate interests (or equivalent legal basis under applicable data protection law).

Where required, we may verify your identity using manual or digital methods, subject to your consent.

If required to comply with legal obligations, we may ask you to provide an email address that will be published on our platform. Please note that this email will be publicly visible, and we recommend not using a personal email address for this purpose.

During the registration process, we process the following personal and company data:

• Company name
• Address information
• Contact information
• Chamber of Commerce and/or trade registry number
• VAT number
• Tax identification information, including DAC7 and other relevant TINs
• Payment account details
• Payment method
• Copy of proof of identity of the legal representative or Ultimate Beneficial Owner (UBO)
• Copy of bank statement
• Articles of Association (if no UBO is available)
• Chamber of Commerce and/or trade registry extract

2. Order process

When your business is listed on our platform or uses our Services via the Partner webshop, we process your personal data. The legal basis for this processing is the performance of our contract with you and/or compliance with our legal obligations under applicable data protection laws.

We may process the following personal data for these purposes:

• Company name
• Address information
• Contact information
• Chamber of Commerce number and VAT number (if applicable)
• Order and transaction data (if applicable)
• Payment data (if applicable)

This information is used to manage orders, process payments, and ensure the proper provision of our Services while complying with legal requirements.

3. Partner Hub Portal and Partner Webshop Account

DineOS provides you with a Partner account, which enables you to list your business on our platform in accordance with your agreement with us. The Partner Hub Portal gives you access to essential information, such as invoices, and provides operational options to manage your business effectively.

Within the Partner Hub Portal, you have the option to delegate portal access rights to your employees. Please note that account access management is your responsibility. We may process the following personal data in connection with these purposes:

• Company name
• Address information
• Contact information
• Chamber of Commerce number
• Copy of a business bank card or declaration
• Copy of proof of domestic address
• Invoices (if applicable)
• Delegated account login information (if applicable)
• Login credentials

Similarly, to place orders via our Partner webshop (in applicable markets), you must register for an account. This account ensures that our Services are provided only to verified Partners. We may process the following personal data to create and maintain your webshop account:

• Company name
• Contact information
• Chamber of Commerce number (if applicable)
• VAT number (if applicable)
• Order data
• Payment information

This information is processed to provide you with secure access, manage your account, facilitate transactions, and ensure compliance with applicable laws and contractual obligations.

4. Partner Support
If you contact the Partner Support department, we will use the information you provide to respond to your questions or address your complaints. We may process the following personal data for this purpose:

• Name
• Address information (if applicable)
• Contact information
• Order and transaction data
• Payment information
• Comments (if applicable)
• Content of communications between you and the Partner Support team
• Any other information required to comply with applicable laws

We may also collect personal data through call recordings or chatbot interactions, if offered, to provide support, investigate and resolve issues, and monitor and improve our support processes.

The legal basis for this processing by DineOS is that it is necessary for the performance of a contract, as well as to comply with legal obligations or pursue legitimate interests (or equivalent under applicable data protection law).

5. Marketing Communications

We may process your personal data to send you marketing communications and notifications, as well as to administer, support, improve, and develop our Services. These messages may include updates, news, discounts, or other communications that may constitute direct marketing. In some cases, DineOS may also use your personal data to promote our own or third-party offers, products, and services.

We rely on your consent for marketing communications unless consent is not required under applicable law. You can change your preferences at any time, including by unsubscribing through the link or method provided in the messages, updating your account settings, or contacting us directly.

The personal data we may process for marketing purposes includes:

• Name
• Address information
• Contact information
• Campaign details (optional)
• Device ID (if applicable)
• Cookie and technology data (if applicable)

6. Partner Research & Surveys

To ensure that our Services align with your needs and preferences, we may use your personal data to conduct product research, user studies, or satisfaction surveys. DineOS will process your personal data based on your consent, unless consent is not required under applicable law.

The personal data we may process for these purposes includes:

• Name
• Address information
• Contact information
• Responses or input provided in research or surveys

This data helps us improve our Services, better understand our Partners’ needs, and enhance the overall Partner experience.

7. Campaigns, Competitions, Merchandising and Promotions

DineOS may run specific campaigns, competitions, merchandising activities, or promotions in connection with our Services. If you wish to participate in these activities or benefit from related content, we may request your consent to process your personal data, unless consent is not required under applicable law.

Where consent is required and has been provided, you may withdraw it at any time by contacting us using the details provided within the campaign or via the Partner Portal.

The personal data we may process for these purposes includes:

• Name
• Address information (if applicable)
• Contact information
• Campaign details (if applicable)
• Transaction details for merchandising orders placed through DineOS-approved merchandising sites

This data allows us to manage your participation, fulfill orders, and provide a smooth and compliant experience for all Partners.

8. Cookies & Similar Technologies

DineOS uses cookies and similar technologies for functional purposes, analytics, and personalized targeting or advertising. The data processed through these technologies depends on the preferences you set.

For more details, please refer to our Cookie Statement, which explains our use of cookies and similar technologies. You can manage or change your preferences at any time via the Cookie Statement, the cookie banner, or your browser/tool settings.

Please note that disabling cookies may limit your ability to use certain Services or features on our website and could affect your overall user experience.

9. Analytics

DineOS uses your information to meet reporting obligations to advertisers, improve our website, enhance our products and Services, and understand how you interact with our platforms.

Depending on the circumstances, we may rely on your consent, the necessity of processing to perform a contract with you, compliance with legal obligations, or our legitimate interests (or equivalent under applicable data protection law).

Where possible, we ensure that analytics and reports are anonymized and do not contain information that can be directly traced back to you.

10. Orderpad App

DineOS provides the Orderpad App to help you manage orders from customers and configure basic business settings efficiently. The legal basis for processing your personal data through the Orderpad App is the performance of our contract with you.

We may process the following personal data in connection with the Orderpad App:

• Company name
• Address information
• Contact information
• Device ID
• Cookie and technology data

This data allows us to provide the App’s functionality, manage orders, and ensure the security and proper operation of the Service.

11. Publishing Your Details as Part of Legal Requirements

To comply with legal obligations, DineOS may be required to publish certain information about your business on our platform. This may include your company name, address, and email address.

These details will be publicly visible on our customer-facing platform(s) to ensure compliance with applicable laws. For this reason, we recommend not using a personal email address when registering with us.

How We Collect Your Personal Data

DineOS collects, processes, and retains personal data, including information about the devices you use to access our platforms on computers or mobile devices. This data may be provided by you directly when using our platforms, creating an account, accessing our Services, or contacting us.

We process personal data that:

• You provide voluntarily;
• We collect automatically through your use of our platforms; and
• We obtain from third-party sources.

All personal data is collected and used for the purposes described in this Statement, including providing and improving our Services, fulfilling legal obligations, and maintaining the security and functionality of our platforms.

1. Personal data that you provide voluntarily
We may receive personal data from you when you list your business on our platform, create an account, provide marketing preferences, participate in surveys, or submit reviews in connection with our Services.

2. Personal data that we collect automatically
With your prior consent or when permitted by applicable law, we may automatically collect technical data about your devices, browsing activity, and usage patterns when you access our platforms. This is done through cookies and similar technologies. For more information, please refer to the Cookies & Similar Technologies section above.

3. Personal data that we obtain from third-party sources
We may receive personal data from third-party sources, such as advertising networks, social media platforms, or technical payment and service providers, including those located outside the EU. This data may be used to support the provision of our Services, measure the performance of marketing campaigns, and better understand your preferences to tailor our Services and marketing efforts.

Where we receive personal data from third parties, we ensure that they have either obtained your consent or are legally permitted or required to share your data with us.

We may also use publicly available information from authorities and local councils to verify that you hold the appropriate licenses and certifications to operate your business.

Legal Basis for Processing
We ensure that we have a legal basis to collect and use your personal data. The basis depends on the type of information and the context in which it is collected. Our primary reason for processing data obtained from third-party sources is to perform our contract with you. In addition, we may process personal data based on our legitimate interests to improve our Services and make partnering with DineOS simpler and more efficient.

Additional purposes

We will only use your personal data for the purposes described in this Statement, unless we reasonably consider that another use is compatible with the original purpose. If we intend to use your personal data for a new purpose, we will take appropriate measures to inform you, in line with the significance of the change.

Please note that we may process your personal data without your knowledge or consent where required by applicable data protection law, in compliance with these rules.

Automated Decision-Making and Profiling

DineOS may use automated decision-making and algorithmic tools to perform our contract with you, fulfill our obligations, or improve our platforms and Services. Examples include:

• Automated decision-making to prevent money laundering, terrorist financing, and other criminal activity.

• Algorithmic tools for personalized content (profiling), recommendations, and smart chat functionalities to enhance your experience, maintain platform security, and optimize our Services.

You will not be subject to decisions that have a significant impact on you based solely on automated decision-making unless we have a lawful basis and have informed you. If you wish to object to such processing, you may contact us via email. We will then reassess the situation and provide further information about the automated decision and its rationale.

How Long We Keep Your Data

DineOS retains personal data only for as long as necessary to fulfill the purposes for which it was collected (see the section What Personal Data We Process and Why) and to meet legal, tax, accounting, or reporting obligations. When determining retention periods, we consider:

1. The time needed to serve the respective business purpose;

2. Compliance with applicable legal requirements; and

3. Applicable statutes of limitations.

Where data falls into multiple retention categories, the category requiring the longest retention period will apply, while maintaining other requirements such as security and access.

In some cases, we may anonymize personal data so it can no longer be linked to you. Once anonymized, this data may be used without further notice.

Sharing Your Personal Data with Customers

DineOS shares your business details with customers who place orders with you. As these customers are your direct clients, you are independently responsible for handling their personal data and ensuring compliance with applicable data protection laws. Customers may contact you directly with questions regarding how you process their personal data.

You and DineOS act as separate data controllers with respect to customer personal data that is processed for your respective purposes, using your or our own resources, or on your or our behalf. This means that both you and DineOS are independently responsible for determining the purposes and means of processing such customer data.

Sharing of Your Personal Data with Others

DineOS may work with, or share personal data with, other companies and third parties in order to carry out the processing described in this Statement.

These companies and third parties may act as data processors on our behalf or as independent data controllers (as defined under applicable data protection laws) and will have access to your personal data for the purposes described here. We require that all group companies and third parties protect your personal data in accordance with the standards set out in this Statement, and we take appropriate measures under applicable data protection laws to ensure your data is treated with the same level of protection and confidentiality.

We may also share your personal data with other third parties where required or permitted by law or regulation (including court orders or legal authority requests) or when disclosure is necessary to establish, exercise, or defend legal rights, or to protect the vital interests of any person. Such third-party controllers may include law enforcement agencies.

The personal data listed under the “What Personal Data We Process and Why” section above may be shared with the following parties:

Personal data shared with	Reason / purpose(s)
DineOS affiliates, subsidiaries, and/or group companies	To provide our Services and/or operate our business
Software providers (including providers for software, hosting, application support, implementation, delivery, logistics, information security, etc.)	To operate our Services and/or provide or receive the services they offer in relation to our Services or our business
Marketing and advertising providers	To promote, market, and support our or third-party products and services, including discounts, offers, or advertisements tailored to your interests, and to measure advertisement performance
Service providers responsible for implementation, activation, and operation (i.e. offshore customer support agents)	To provide and improve our Services and platforms
Merchants, payment and card service providers such as Stripe	To process payments or for fraud prevention
Satisfaction survey firms and/or market research companies	To improve our Services provided to you
Loyalty (shop) partners	To provide you with loyalty offers
Professional consultants or advisors	To operate our business and/or Services To comply with our legal obligations
Insurance providers	To operate our business and/or services To comply with our legal obligations
Law enforcement, government agencies and/or regulatory bodies (including tax authorities)	To comply with our legal obligations
Prospective buyers	To administer and operate our business in terms of sale and/or asset transfer
Any other third party provided that you have given your consent for information disclosure	Purpose depends on the service / third party

Third-Party Websites and Services

Our website and platforms may include links to third-party websites and services. When accessing such websites, please note that each third-party site has its own privacy policy. While DineOS carefully selects the websites we link to, we cannot assume responsibility for how these third parties handle your personal data.

Where your data gets sent

DineOS operates and processes personal data globally. This may involve transferring or accessing your personal data in countries, including the United States, whose data protection laws may differ from those in your country of residence.

If you are located in the European Economic Area (EEA), Switzerland, Israel, Australia, or the UK, please note that your personal data may be processed or transferred to countries outside these regions. Some of these countries (“Non-Adequate Countries”) may not provide the same level of data protection as your local laws. You can find the list of Adequate Countries adopted by the European Commission [here].

When we transfer personal data outside these countries, we apply appropriate safeguards to ensure your data is protected. These include:

• Standard Contractual Clauses (SCCs) adopted by the European Commission, or their approved equivalents for the UK and Switzerland

• The EU-U.S. Data Privacy Framework (EU-U.S. DPF)

• The UK Extension to the EU-U.S. DPF

• The Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

You may request a copy of the contractual clauses or safeguards that apply to transfers of your personal data depending on the destination country.

Your privacy rights

How to exercise of privacy rights or complaints

We will make every effort to address your request promptly and free of charge, except where fulfilling the request would require excessive or disproportionate effort. In certain cases, we may ask you to verify your identity before acting on your request.

For requests related to personal data processed in connection with DineOS services provided through your employer or business partner (for example, allowances or benefits linked to DineOS for Business), please contact the relevant employer or partner directly. This is necessary because DineOS and the entity granting the benefit each have separate responsibilities regarding the processing and protection of personal data.

Under applicable data protection laws, you may have the following rights with respect to your personal data processed by DineOS:

1. Right of Access
You have the right to access and be informed about the personal data we process about you. You can request a copy of your personal data by contacting us.

2. Right to Withdraw Consent
If we process your personal data based on your consent, you may withdraw that consent at any time, free of charge. Please note that withdrawing consent may limit your ability to use certain Services. The withdrawal does not affect the lawfulness of processing that occurred prior to withdrawal.

3. Right to Rectification
You have the right to have incorrect or incomplete personal data corrected or completed. Some of your personal data can also be updated directly via your customer account.

4. Right to Erasure
You may request the deletion of your personal data from our systems. We will comply unless there is another legal basis requiring us to retain the data under applicable law.

5. Right to Object
You may object to certain uses of your personal data, particularly when it is processed for purposes other than those necessary to provide our Services or comply with legal obligations. Exercising this right may limit your ability to use some Services.

6. Right to Restriction of Processing
You may request that we restrict the processing of your personal data, for example when requests for erasure, rectification, or objection are pending, or when we do not have other legal grounds to process your data. Restricting processing may reduce your access to certain Services.

7. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. This allows you to transfer your data to your own systems or a third party.

8. Right to Lodge a Complaint
If you believe that the processing of your personal data infringes applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority.

To exercise any of these rights or submit a complaint, please contact us using the contact details provided below.

Security

DineOS takes the protection of your personal data seriously and implements appropriate technical and organizational measures to safeguard it against misuse, loss, unauthorized access, disclosure, or alteration.

Within DineOS, access to your personal data is strictly limited. Employees are granted access only on a “need-to-know” basis to perform their job responsibilities.

Contact Us

Unless otherwise indicated, Reactor Technology OÜ (DineOS) is the controller of your personal data.

If you have any questions or concerns regarding this Statement or our privacy practices, you may contact our Data Protection Officer via email or using the contact details below:

Data Protection Officer – Reactor Technology OÜ (DineOS)
Kesklinna linnaosa, Narva mnt 5
Harju maakond, Tallinn
10117 Estonia

Updates to This Statement

We may update this Statement from time to time in response to changes in legal, technical, or business developments. When we make updates, we will take appropriate measures to inform you, in line with the significance of the changes. If required by applicable data protection law, we will request your consent for any material changes to this privacy statement.

We encourage you to review this Statement periodically to stay informed about our privacy practices.

If there are multiple language versions of this Statement, the English version shall prevail in the event of any conflicts or discrepancies.

This Statement was last updated in January 2026.