These FAQs are designed to inform California residents who have signed up for an Olo Account (as defined below) about their rights under the California Consumer Privacy Act (“CCPA”). If you do not have an Olo Account, these FAQs do not apply to you.
About your Olo Account
Olo Inc. (“Olo”, “we”, “us”, or “our”) provides ordering and payment tools and solutions that, among other things, help our merchant customers run their businesses and allow consumers to save and access their on-file payment information to securely speed through checkout with any participating merchant. By creating an Olo account, which saves consumers’ payment information, preferences, and other details for use across Olo-powered merchant sites and applications (an “Olo Account”), the consumer is offered a seamless ordering experience without password management or manual credit card entry.
What is the CCPA?
The CCPA governs how businesses handle the personal information of consumers who are California residents. The CCPA requires companies to inform these consumers about the companies’ privacy practices and to enable consumers to, among other things:
- Access the information that companies maintain about the consumers.
- Delete that information in certain circumstances.
- Direct companies not to sell consumers’ information to third parties, or allow third parties to access that information for those third parties’ own purposes.
- Exercise these rights free of discrimination.
What information does the CCPA cover?
The CCPA applies to “personal information.” Personal information includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This can include:
- Information about consumers or their households (e.g., name, address, phone number, IP address, email, driver’s license number, passport number, etc.).
- Information about devices that consumers use to connect to the internet (e.g., device geolocation or information collected via cookies, beacons, mobile ad identifiers, user alias, pixel tags, etc.).
- Online browsing or application use history.
- Purchase and reservation history.
- Inferences drawn from any information described above to create a profile about a consumer.
Personal information does not include information that:
- Is publicly available from government sources.
- Is modified (i.e., de-identified) so that it can no longer be associated with an individual or household.
- Cannot reasonably be linked to or associated with a particular customer.
Does Olo sell my personal information?
Not all sharing of personal information is a “sale.” For example, it is not a sale of data to:
- Share personal information with service providers.
- Share personal information at a consumer’s direction – for example, with entities in the food ordering and delivery ecosystem to complete and deliver your order.
- Transfer personal information as a part of a merger or other corporate transaction.
How can I exercise my rights under the CCPA?
If you have an Olo Account:
To request access to or deletion of your personal information, please fill out this request form or email us at firstname.lastname@example.org. In order to confirm your identity, we may ask you for certain information and/or send a verification link to your email address.
If you ask someone to make this request on your behalf, we will need to verify that that individual is authorized by you to submit the request.
If you do not have an Olo Account:
Please contact the merchant(s) where you placed your orders to exercise your CCPA rights, and we will assist the merchants with responding to your request. This process for consumers who do not have an Olo Account is different because they do not have a direct relationship with Olo, and we act as a service provider to the merchants using Olo technology, operating at the merchants’ direction.
What happens when I submit a data deletion request?
If you have an Olo Account:
If you submit a data deletion request to Olo, Olo will: (a) delete the copy of your personal information that we maintain on our own behalf; and (b) disassociate all of your personal information from your Olo Account such that Olo can no longer use your personal information for its own purposes.
Olo will continue to maintain your information as a service provider on behalf of merchants with which you’ve interacted. You can always reach out to those merchants to request deletion of your information.
If you do not have an Olo Account:
If you do not have an Olo Account and you submit a deletion request directly to Olo, Olo will ask you to contact the merchants with which you’ve placed orders, and those merchants will be responsible for responding to all requests for deletion. As their service provider, Olo will assist the merchants using Olo technology in fulfilling such requests.
What happens when I submit a request to delete my Olo Account?
If you request that Olo delete your Olo Account, Olo will delete your account and you will no longer be able to log into or use that account. However, we may maintain a copy of your information on our servers for record retention and risk management purposes. Additionally, Olo will continue to maintain certain information (such as order and transaction history) on behalf of merchants with which you’ve interacted. You can contact those merchants directly to request that they delete your data.
How does Olo protect my personal information?
Olo values the security of your information and views the CCPA as yet another opportunity for Olo to strengthen our long-standing commitment to data protection principles and practices. Olo maintains a written information security program designed to protect the personal information in Olo’s possession, custody, or control and Olo’s facilities and systems, including: (a) business facilities, data centers, servers, and back-up systems; (b) our network, device applications, and databases; and (c) transmission, storage, and disposal of information, including through the use of encryption. In addition, Olo is fully compliant with the Payment Card Industry Data Security Standards and undergoes various assessments conducted by independent auditors (including the Qualified Security Assessors) each year to ensure our information systems meet industry standards.
Can Olo limit its response to my requests?
Yes. The CCPA imposes significant limitations on consumer requests to help protect against abuse and to make sure companies have the information they need to provide their services and to protect themselves.
For example, Olo is not required to respond to requests for access to personal information when:
- Fulfilling a request for specific pieces of personal information would create a substantial, articulable, and unreasonable risk to (a) the security of that personal information, (b) your Olo Account or (c) the security of our systems or networks.
- You have made two requests in the past twelve months.
- It would restrict our ability to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena or summons.
- It would jeopardize our ability to work with law enforcement agencies.
- It would jeopardize our ability to exercise or defend legal claims.
- Other reasons set out in the CCPA apply.
We do not need to delete your personal information if:
- The information was not collected directly from you (i.e., we collected it from a third party).
- The information is necessary to complete a transaction with you.
- We use the information solely for internal purposes that are reasonably aligned with your expectations.
- We use the information to detect security incidents, protect you against malicious activity, or prosecute malicious activity.
- We use the information to comply with a legal obligation.