TERMS OF USE | PRIVACY POLICY | DATA PROCESSING ADDENDUM (DPA)
PRIVACY POLICY
Last update: 02/19/2026
I. INTRODUCTION
We are ToBeOut, Corp.
Address: 1111B S Governors Ave STE 39626 Dover, DE 19904, United States
Tel: +1 251 277 7754
E-mail: info@tobeout.com
We are the owner of the website https://tobeout.com and the ToBeOut service - a reservation management platform for venues that facilitates bookings, seating management, guest database administration, and 24/7 guest messaging (collectively, the “Services”). We may also maintain official pages, channels, and communities on social media (e.g., LinkedIn, YouTube, TikTok, Facebook, Instagram, Telegram, etc.) to provide updates about our services and interact with users (“Social Media”).
We will call ourselves simply ToBeOut. The terms “we” or “our” used in this Policy mean our company and are used depending on the context. This Privacy Policy describes how ToBeOut collects, stores, uses, processes, and transfers personal data. The Policy applies to all individuals (“you”, “your” depending on the context) — visitors and users of the website, applications, social media pages, and other ToBeOut services.
When we say Venue, we mean that you are a B2B user of our services. When we say Guest, we mean that you are a B2C user of services and use or only plan to use the services of the Venue. Venue Employees: if you use our services as an employee or authorized representative of the Venue (B2B user), then in relation to your data (logins, actions in the system, work contacts) ToBeOut acts exclusively as a Processor, and your employer (the Venue) is the Controller. All requests for the exercise of rights (deletion, access to data) should be directed by you directly to your employer. Here you can find information on how to exercise your rights to protect your personal data. You may have certain rights and choices related to the collection and processing of your personal data.
We, ToBeOut, highly respect your privacy, therefore we make every effort to ensure that our services comply with the highest standards of user confidentiality and we take appropriate technical and organizational measures to protect your personal data that we collect and process. To ensure security, we use industrial standards: the transfer of all data between your device and our resources is carried out via the encrypted TLS/SSL protocol. We will update the Privacy Policy as we develop, as the legislation of those territories where ToBeOut offers its services changes, and also in response to your requests and comments. The current Privacy Policy can be found at: https://tobeout.com/privacy.
Please note! The website and other ToBeOut services are not intended for persons under 18 years of age. We do not offer our services for use by children and do not knowingly collect or request information from persons under 18 years of age. If you are under 18 years old, do not provide us with your personal data. If, according to your national legislation (state legislation), you have not reached the age of majority, then do not provide us with your personal data. We do not verify the information provided by you, except in cases provided for by the user agreement or the terms of use of individual Services, and we cannot judge its accuracy, as well as whether you possess sufficient legal capacity. Nevertheless, we assume that you provide accurate and sufficient personal information and update it in a timely manner.
Prohibition on third-party data: You are prohibited from entering in any fields of our forms or transferring to us personal data of third parties who have not reached the age of 18. If you, in violation of this prohibition, enter data of children (for example, in booking comments), you bear full and sole responsibility for such actions and guarantee that you possess legal rights (as a parent or guardian) for the transfer of such data, and also release ToBeOut from any liability related to the processing of such data. If it becomes known to us that we have accidentally collected personal data of a person who has not reached 18 years of age without confirmed consent from parents or legal guardians, we undertake to immediately take measures to delete such information from our systems within 48 hours from the moment of discovery or receipt of a corresponding request at privacy@tobeout.com.
II. GENERAL INFORMATION ON PERSONAL DATA PROCESSING
1. General Information.
For transparency, this Privacy Policy (Policy) regulates how we, ToBeOut, process personal data that we collect or receive when you visit our website, when you use our services, when you book and provide us with your preferences, when we receive your data from third-party sources (e.g., from venues), when we use personal data obtained from our clients and from our service providers (e.g., contact data), and when you interact with us through our social media profiles or feedback form. Your personal data is collected and processed in the volume necessary for feedback with you, providing a functional website, applications, our content in social networks, as well as for the implementation of services or providing licenses for the use of the ToBeOut service. Collection and use of personal data are carried out either with the consent of the user, or the processing is necessary for our performance of a contract, to fulfill a legal obligation, or the data processing is permitted by the provisions of current legislation.
2. Our role in data processing (Controller vs Processor).
We differentiate our duties and responsibility depending on the source of the data: (a) Data imported by the Venue (Imported Data): in relation to data that the Venue uploads to our services independently (via file import or manual entry), we initially act exclusively as a Processor. We do not use this data for our own purposes. However, if, on behalf of the Venue, we send you a subscription confirmation request (Double-Opt-In) and you give your consent to receive information not only from the Venue but also from the ToBeOut platform, then from the moment such consent is received, we become an independent Controller in relation to your contact data for ToBeOut marketing communication purposes.
(b) Data obtained via the ToBeOut Widget (Direct Booking): in relation to data that you enter into our booking forms for reservation purposes, we act as a Processor on behalf of the Venue.
If, during booking or in another lawful manner, you provide a separate, explicit, and freely given consent to receive marketing communications from ToBeOut (separate from any consent for the Venue), then ToBeOut becomes an independent Controller for processing your contact data and related communication preferences for ToBeOut’s own marketing purposes.
Consent to receive marketing from the Venue and consent to receive marketing from ToBeOut must be presented as separate choices where required by applicable law.
3. Deletion of data and storage duration
Your data is deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored where required by applicable law. Blocking or deletion is also carried out when the storage period prescribed by applicable law expires, unless further storage is necessary for the conclusion or performance of a contract, compliance with legal obligations, fraud prevention, security, or the establishment, exercise, or defense of legal claims.
For clarity, retention periods may differ depending on the role in which ToBeOut processes the data (for example, as a Processor on behalf of a Venue or as an independent Controller for ToBeOut’s own purposes).
As an example:
(a) technical server and session logs may be stored for up to 90 days for security and operational purposes, after which they are deleted or anonymized, unless a longer retention period is required for incident investigation, fraud prevention, or legal compliance;
(b) Guest booking data and booking-related communications processed by ToBeOut on behalf of a Venue (Customer Data) are stored during the contract term with the Venue and thereafter handled in accordance with the deletion/return provisions of the DPA and the Venue’s instructions, unless applicable law requires longer retention;
(c) certain records processed by ToBeOut as an independent Controller (for example, support communications, security records, and marketing consent/opt-out records) may be retained for the periods described below, where permitted by applicable law.
3A. Indicative retention periods (unless longer retention is required by law):
• Customer account and billing records: term of contract + applicable statutory retention period;
• Guest booking records (Customer Data): during contract term and deletion/return period under the DPA, unless Customer configures shorter retention where available;
• Support requests and support correspondence (Customer contacts / Venue contacts): up to 24 months after closure, unless a longer period is required for an unresolved dispute, legal claim, or security investigation;
• Security and fraud-prevention logs/records: up to 12 months, unless a longer period is required for incident investigation, fraud prevention, or legal compliance;
• Marketing consent records and opt-out/suppression records (ToBeOut marketing): retained for as long as necessary to demonstrate compliance, process and honor unsubscribe/objection requests, and prevent further marketing to individuals who opted out.
4. Legal basis for personal data processing. We process personal data in accordance with the legislation of the territories in which we operate, such as US federal legislation in the field of personal data protection, the Delaware Personal Data Protection Act (DPDPA), the Law of the Republic of Serbia on the Protection of Personal Data (ZZPL), and other state legislation on the protection of personal information, the EU General Data Protection Regulation (GDPR), and national legislation on the protection of personal information. ToBeOut takes measures to ensure appropriate data processing in accordance with these laws. When transferring data abroad, we take measures to comply with applicable data protection laws related to such transfer, including the use of standard contractual clauses or obtaining user consent where required by local legislation.
5. Transfer of information We may share the information received with Venues (their affiliates), with our partners, service providers, and social networks. This is done for the purposes of providing and improving our services, for our marketing purposes, as well as other purposes specified below. We take care that access to personal information is granted only to those who need such access to perform their tasks and duties, as well as to third parties who have a legitimate purpose for accessing them. Whenever we allow third parties access to personal information, we take appropriate measures to ensure the use of information in accordance with this Policy, as well as to ensure the security and confidentiality of the information. Since we provide our services to users from different countries, we sometimes need to transfer your personal data to other countries, including the United States. In these countries, data protection rules may differ from the rules of your country. When transferring data abroad, we take measures to comply with applicable data protection laws related to such transfer. In certain situations, we may be obliged to disclose personal data in response to lawful requests from officials, such as law enforcement or security agencies. Storage of your personal data is carried out in accordance with the requirements of local legislation on the localization of personal data. Since our headquarters is located in the USA, and servers may be located in different jurisdictions, we carry out cross-border data transfer. To legalize data transfer from the European Economic Area (EEA) to the USA or other countries that do not provide an adequate level of protection, we rely on Standard Contractual Clauses (SCC) approved by the European Commission, unless another basis applies.
Business Transfers: In the event that ToBeOut is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information (including personal data and booking history) may be sold or transferred as part of such a transaction. You hereby agree that such transfers may occur and that any acquirer of ToBeOut may continue to use your personal data in accordance with this Policy.
6. Third parties and Sub-processors (including DPA-relevant Sub-processors for Customer Data)
This section includes (i) Sub-processors used by ToBeOut to process Customer Data on behalf of Venues in connection with the Services (for purposes of the DPA), and (ii) other third parties used by ToBeOut for its own website, analytics, and marketing activities.
The list below may be updated from time to time. Where required by the DPA or applicable law, ToBeOut will provide notice of changes to DPA-relevant Sub-processors and allow Customers to raise objections in accordance with the DPA.
Where personal data is transferred outside the country of collection, ToBeOut applies appropriate transfer safeguards where required by applicable law (including adequacy decisions, Standard Contractual Clauses, or equivalent mechanisms).
(A) Sub-processors used to provide the Services (Customer Data / DPA-relevant)
(B) Third parties used by ToBeOut for its own website analytics/marketing
(C) Payment service providers (role depends on context)
III. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES
1. Description and scope of data processing With each visit to the pages of our website on the Internet (https://tobeout.com) or other resources belonging to us, our system can automatically collect data and information from the system of the device from which the visit is carried out. At the same time, the following data are collected:
IV. USE OF COOKIE FILES AND ANALYTICAL TOOLS
1. Use of cookie files. Our site uses cookies. Cookies are text files that are saved inside the browser program or by the browser program on the user's computer system. When a user accesses the site, a cookie file may be saved in the user's operating system. This file contains a characteristic sequence of characters allowing for unique identification of the browser program upon repeated access to the website. We use cookies to make our site more convenient to use. On our site, we, in addition, use cookies in order to analyze user behavior when using our website. Cookies installed by the Widget are "Strictly Necessary" for the functioning of the booking, unless otherwise configured by the Venue. The purpose of using technically necessary and functional cookies is to simplify the use of the site for users. Some functions of our site cannot be offered to the user without the use of cookies — for this it is necessary that the browser program be recognized when moving to a new page. We use cookies that are necessary technically or functionally. Cookies are saved on the user's device and transferred from it to our site. Thus, you as a user also have full control over the use of cookies. By changing the settings in your browser program, you can disable or limit the transfer of cookies. Previously saved cookies can be deleted at any moment. This can also happen automatically. If cookies are deactivated for our site, possibly the entire functionality of the latter will not be able to be used to the full extent. More detailed information about cookies can be found at this link https://www.allaboutcookies.org/. We also recognize and process Global Privacy Control (GPC) signals transmitted by your browser program. In case of receipt of such a signal, we automatically limit the use of analytical and marketing cookies, considering this as your lawful refusal of tracking.
2. Use of analytical tools. Currently we use analytical tools, including, but not limited to: Google Analytics, Google Tag Manager, Meta/Facebook pixel. We reserve the right to delete or add new analytical tools.
3. Cookies on the booking widget. Our booking widget, placed on the Venue's site (including third-level domains *.tobeout.com), can install technical and analytical cookies. The Venue, as the site administrator, is obliged to notify Guests about the use of these cookies through its own Cookie-banner.
For clarity, ToBeOut’s cookie and tracking controls apply to ToBeOut-controlled interfaces and ToBeOut booking widgets as implemented by ToBeOut. The Venue remains responsible for privacy and cookie compliance on other parts of the Venue’s website that are not controlled by ToBeOut.
V. MARKETING COMMUNICATIONS (MAILING)
1. Description and scope of data processing
(a) On our website there is an opportunity to subscribe to a news mailing. When registering to receive the mailing, data from the input fields are transferred to us. At the same time, your email address is saved and used. In addition, when registering, we collect the following data:
If you as a Guest use our web-forms for booking (Widget users), ToBeOut may send you informational and marketing communications (including news about the ToBeOut mobile application, personal selections, and offers of Partner Venues) only where: (i) you have provided a separate, explicit opt-in to receive marketing communications from ToBeOut (separate from any consent for the Venue, where required by applicable law), and (ii) such communications are permitted by applicable law. You may opt out at any time.
(c) Legal basis for ToBeOut marketing communications.
Where ToBeOut sends marketing communications to Guests as an independent Controller, ToBeOut relies on the legal basis required by applicable law, which may include consent and, where permitted, legitimate interests. For email, SMS, and messenger marketing communications, ToBeOut will obtain prior consent where required by applicable law (including, where applicable, ePrivacy/PECR, GDPR, UK GDPR, Swiss FADP, TCPA, and similar laws). Guests may withdraw consent or opt out at any time, and ToBeOut will maintain suppression/unsubscribe records as required by law.
For the purposes of applicable electronic marketing laws, ToBeOut may treat direct messages sent through messaging platforms (including, where applicable, Telegram and similar services) as electronic marketing communications and will apply consent and opt-out requirements accordingly.
2. Purpose and conditions of processing Provision of up-to-date information about ToBeOut services, including personalized information. Data is deleted as soon as it ceases to be necessary for achieving the purpose of its collection. As a rule, data is stored as long as the news mailing subscription is active, unless a different storage period is required to confirm our compliance with advertising legislation. You can stop the subscription at any time. For this purpose, in each news mailing there is a corresponding link. This also makes possible the withdrawal of consent for the storage of personal data collected during the registration process.
3. Third-party messaging platforms: if you communicate with us or the Venue through third-party platforms (WhatsApp, Telegram, Facebook Messenger, etc.), you understand that such communications are regulated not only by our Policy but also by the privacy policies of the corresponding platforms. We do not control and do not bear responsibility for how these third parties (Meta, Telegram, etc.) collect, store, and use the content of your messages and metadata.
4. Targeted advertising (Custom Audiences): if you have given consent for marketing communications, we may use your contact data (in hashed/anonymized form) to create “Custom Audiences” or “Look-alike” audiences on the advertising platforms of third parties (such as Meta/Facebook, Google Ads, LinkedIn Ads, X Ads, etc.). This is done in order to show you or people with similar interests advertisements for our services. You can refuse such use by writing to us at privacy@tobeout.com or by changing the advertising settings in the corresponding social networks.
VI. REGISTRATION
1. Description and scope of data processing When specifying personal data on our site, you have the possibility of registration. The data entered at the same time is transferred to us and saved; the transfer of data to third parties is not carried out. Within the framework of registration, the following data are collected:
VII. FEEDBACK FORM AND E-MAIL COMMUNICATIONS
1. Description and scope of data processing On our site there is a feedback form that can be used for directing electronic appeals to us. The entered data are transferred to us and saved. Such data are:
VIII. SOCIAL NETWORKS
1. Description and scope of data processing Through our site you can visit our pages in social networks. By clicking on the link (hyperlink) on our page leading to the page of the corresponding social network, you appeal to the page of the social network operator. To visit our page, it is necessary for you to log into the account of the corresponding social network. In this case, if applicable, we get access to your public data, as well as to information that you make public for one or another application inside the social network. Public information can be viewed by any third party. Such information can be, in particular, your first and last name, profile data, cover images and photos, gender, username. At the same time, according to contractual agreements between operators of the corresponding social networks, exchange of information between these social networks may also be carried out. Decisions about individual provisions for personal data processed inside the social network are made by the social network operator in accordance with your contractual relations, corresponding provisions, regulatory legal documents on personal data protection to which reference is made. The latter can be viewed on the social network page. They are used and processed by us also only inside the social network, within the framework of the functions and procedures offered there. Personal data used by us within our representation in social networks are not transferred to third parties.
2. Purpose and conditions of data processing We use your personal data to offer one or another service in the social network, to constantly check and optimize our services offered there, as well as the display on our page. Exactly this determines the lawfulness of data processing. Data are stored as long as they are on our page in the social network and as long as the latter is not deleted/closed. The user can at any moment withdraw consent for the processing of his personal data — by e-mail and phone. In addition, you can use the feedback form for this. All personal data saved in the course of using our services in social networks will be deleted if provisions of legislation on personal data protection, making necessary the required storage of certain data, do not prevent such deletion. In the settings of your account in social networks you can also cancel or limit the linking of your data to our services on the Internet.
IX. SERVICES / IT PRODUCTS
1. Description and scope of data processing (1) Within the framework of the procedure for formalizing an order for the purchase of our services (IT products) through our site, we collect your personal data which you provide by entering them into corresponding fields on our site, in the volume necessary for the conclusion, performance, or formalization of the purchase of individual services/ IT products. For these purposes, you can use the form for entering data — they will be saved by us after their transfer to us (see above “Registration”). (2) Upon conclusion of a contract for the purchase of individual services/ IT products through our site, you also choose a convenient payment method for you for the acquisition of services/IT products. Data necessary for performing a payment transaction are directed to the payment services of the enterprise that issued your bank card. On our part, access is provided to the Stripe service for payment processing. Standard Stripe conditions in relation to payment processing and personal data processing policy can be found at https://stripe.com/legal (3) When you use our services as a Guest of a Venue (for example, with the help of a booking widget) for personal use, we act as a Processor of your data and transfer necessary booking details directly to the Venue chosen by you. In doing so, we ask to provide the following data: e-mail (optional); phone number (mandatory); name (how to address you) (mandatory); preferences (restaurant, time, date, etc.) (mandatory); other information indicated in the booking form/booking services (optional). Sensitive Data: We intentionally do not request or collect special categories of personal data (data on health, religion, race, etc.). However, if you at your own discretion indicate such information in fields for free comments (for example, report food allergies, religious restrictions in nutrition, that you are a Person with a disability), you thereby provide your explicit consent for the processing of these data by us and the Venue exclusively for the purposes of taking into account your wishes when providing services. (4) When we receive your personal data from Venues, we act as a Processor processing data exclusively on behalf of the Venue. In this case, responsibility for the legal bases of data collection is borne by the Venue.
2. Purpose and conditions of data processing The purpose of data processing consists in the preparation, conducting, and formalization of contractual relations with you. It is exactly this that determines the legitimate interest in personal data processing, including for (3): the ability to book tables in Venues, receive notifications, the ability to communicate with Venues; for (4): allowing Venues to manage bookings through our SaaS service, providing Venues with our services, receiving notifications and communicating with Venues, sending you notifications, improving the service provided to Venues. Data processed by us for the preparation, performance, or formalization of a contract are deleted when storage is no longer required in connection with one or another purpose under the contract. Consequences of non-provision of data — impossibility of performance of the contract.
X. YOUR RIGHTS
During the processing of your personal data, you act as an interested person. In accordance with the requirements of current legislation, you are provided with, including, the following rights:
This section applies only to US residents. Categories of collected data. We may collect data specified in sections 3-9 of this Policy, for example, we collect: identifiers (name, e-mail, IP); commercial information (booking history); internet activity.
Sale of data. We do not sell personal data for monetary consideration. In some circumstances, certain disclosures to advertising and analytics partners may be considered “sharing” or “targeted advertising” under applicable U.S. state privacy laws. Where required, we provide notice and opt-out mechanisms (including recognition of Global Privacy Control (GPC) signals). We do not use identifiable Guest data or identifiable Customer Data for general-purpose AI model training unless permitted by applicable law and the required consents/permissions have been obtained.
Your rights. You have the right: to know what data we collected; to demand deletion of data; to prohibit the sale/sharing of data (“Do Not Sell/Share My Personal Information”); the right to appeal our refusal to perform your request (Right to Appeal). To exercise rights, contact us at privacy@tobeout.com. We do not discriminate against users for using these rights. Our website is technically configured to recognize Global Privacy Control (GPC) signals. If you use a browser or extension with an activated GPC signal, we perceive this as a valid request to opt out of the sale or sharing of your personal information (Do Not Sell or Share My Personal Information) in automatic mode, without the need to file a separate request.
XI-A. U.S. STATE PRIVACY DISCLOSURES (where applicable)
This section applies to personal data of individuals protected by applicable U.S. state privacy laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), where applicable.
No sale for monetary consideration. ToBeOut does not sell personal data for monetary consideration.
Sharing / targeted advertising. ToBeOut uses certain analytics and advertising technologies on its website and booking interfaces (including, where enabled, tools such as Google Analytics, Google Ads tags, and Meta Pixel / Conversions API). Depending on applicable law, certain disclosures of personal data through these technologies may be considered “sharing” or processing for “targeted advertising” / “cross-context behavioral advertising.” Where required by applicable law, ToBeOut provides notice and the right to opt out of such processing.
Global Privacy Control (GPC). ToBeOut honors browser-based Global Privacy Control (GPC) signals as a valid opt-out request for sale/sharing/targeted advertising, where required by applicable law and where technically recognized on the relevant ToBeOut-controlled interface.
Your rights (where applicable). Subject to applicable law and verification requirements, you may have the right to request access to, correction of, or deletion of your personal data, and to opt out of sale/sharing/targeted advertising. You may also have the right to limit the use or disclosure of sensitive personal data where applicable.
How to exercise your rights. You may submit privacy requests by contacting us at info@tobeout.com. Where technically available, additional request methods may be provided in the relevant interface.
Authorized agents. Where required by applicable law, ToBeOut accepts requests submitted by an authorized agent, subject to verification of the agent’s authority and the identity of the relevant individual.
No discrimination. ToBeOut will not discriminate against you for exercising privacy rights granted by applicable law.
Notice at collection. Categories of personal data collected, purposes of processing, and categories of recipients are described in this Privacy Policy and, where required, in notices presented at or before the point of collection (including ToBeOut booking forms and widgets).
XII. USE OF DATA FOR AI AND MACHINE LEARNING
We may create Aggregated and De-identified Data on the basis of Guest data, booking histories, communication contents, including message texts, audio files, and metadata transmitted through connected messengers and the AI assistant on behalf of the Venue. We use data for AI training exclusively in aggregated and de-identified form (De-identified Data), which does not allow for the identification of a specific individual. The creation of such de-identified data sets is our legitimate interest (Legitimate Interest) in improving the service. Aggregated and De-identified Data may be used by us for any purposes, including:
If you have questions or requests regarding this Privacy Policy, about ToBeOut services, and about how your personal data were used, please contact us by sending an email to info@tobeout.com.
We are ToBeOut, Corp.
Address: 1111B S Governors Ave STE 39626 Dover, DE 19904, United States
Tel: +1 251 277 7754
E-mail: info@tobeout.com
We are the owner of the website https://tobeout.com and the ToBeOut service - a reservation management platform for venues that facilitates bookings, seating management, guest database administration, and 24/7 guest messaging (collectively, the “Services”). We may also maintain official pages, channels, and communities on social media (e.g., LinkedIn, YouTube, TikTok, Facebook, Instagram, Telegram, etc.) to provide updates about our services and interact with users (“Social Media”).
We will call ourselves simply ToBeOut. The terms “we” or “our” used in this Policy mean our company and are used depending on the context. This Privacy Policy describes how ToBeOut collects, stores, uses, processes, and transfers personal data. The Policy applies to all individuals (“you”, “your” depending on the context) — visitors and users of the website, applications, social media pages, and other ToBeOut services.
When we say Venue, we mean that you are a B2B user of our services. When we say Guest, we mean that you are a B2C user of services and use or only plan to use the services of the Venue. Venue Employees: if you use our services as an employee or authorized representative of the Venue (B2B user), then in relation to your data (logins, actions in the system, work contacts) ToBeOut acts exclusively as a Processor, and your employer (the Venue) is the Controller. All requests for the exercise of rights (deletion, access to data) should be directed by you directly to your employer. Here you can find information on how to exercise your rights to protect your personal data. You may have certain rights and choices related to the collection and processing of your personal data.
We, ToBeOut, highly respect your privacy, therefore we make every effort to ensure that our services comply with the highest standards of user confidentiality and we take appropriate technical and organizational measures to protect your personal data that we collect and process. To ensure security, we use industrial standards: the transfer of all data between your device and our resources is carried out via the encrypted TLS/SSL protocol. We will update the Privacy Policy as we develop, as the legislation of those territories where ToBeOut offers its services changes, and also in response to your requests and comments. The current Privacy Policy can be found at: https://tobeout.com/privacy.
Please note! The website and other ToBeOut services are not intended for persons under 18 years of age. We do not offer our services for use by children and do not knowingly collect or request information from persons under 18 years of age. If you are under 18 years old, do not provide us with your personal data. If, according to your national legislation (state legislation), you have not reached the age of majority, then do not provide us with your personal data. We do not verify the information provided by you, except in cases provided for by the user agreement or the terms of use of individual Services, and we cannot judge its accuracy, as well as whether you possess sufficient legal capacity. Nevertheless, we assume that you provide accurate and sufficient personal information and update it in a timely manner.
Prohibition on third-party data: You are prohibited from entering in any fields of our forms or transferring to us personal data of third parties who have not reached the age of 18. If you, in violation of this prohibition, enter data of children (for example, in booking comments), you bear full and sole responsibility for such actions and guarantee that you possess legal rights (as a parent or guardian) for the transfer of such data, and also release ToBeOut from any liability related to the processing of such data. If it becomes known to us that we have accidentally collected personal data of a person who has not reached 18 years of age without confirmed consent from parents or legal guardians, we undertake to immediately take measures to delete such information from our systems within 48 hours from the moment of discovery or receipt of a corresponding request at privacy@tobeout.com.
II. GENERAL INFORMATION ON PERSONAL DATA PROCESSING
1. General Information.
For transparency, this Privacy Policy (Policy) regulates how we, ToBeOut, process personal data that we collect or receive when you visit our website, when you use our services, when you book and provide us with your preferences, when we receive your data from third-party sources (e.g., from venues), when we use personal data obtained from our clients and from our service providers (e.g., contact data), and when you interact with us through our social media profiles or feedback form. Your personal data is collected and processed in the volume necessary for feedback with you, providing a functional website, applications, our content in social networks, as well as for the implementation of services or providing licenses for the use of the ToBeOut service. Collection and use of personal data are carried out either with the consent of the user, or the processing is necessary for our performance of a contract, to fulfill a legal obligation, or the data processing is permitted by the provisions of current legislation.
2. Our role in data processing (Controller vs Processor).
We differentiate our duties and responsibility depending on the source of the data: (a) Data imported by the Venue (Imported Data): in relation to data that the Venue uploads to our services independently (via file import or manual entry), we initially act exclusively as a Processor. We do not use this data for our own purposes. However, if, on behalf of the Venue, we send you a subscription confirmation request (Double-Opt-In) and you give your consent to receive information not only from the Venue but also from the ToBeOut platform, then from the moment such consent is received, we become an independent Controller in relation to your contact data for ToBeOut marketing communication purposes.
(b) Data obtained via the ToBeOut Widget (Direct Booking): in relation to data that you enter into our booking forms for reservation purposes, we act as a Processor on behalf of the Venue.
If, during booking or in another lawful manner, you provide a separate, explicit, and freely given consent to receive marketing communications from ToBeOut (separate from any consent for the Venue), then ToBeOut becomes an independent Controller for processing your contact data and related communication preferences for ToBeOut’s own marketing purposes.
Consent to receive marketing from the Venue and consent to receive marketing from ToBeOut must be presented as separate choices where required by applicable law.
3. Deletion of data and storage duration
Your data is deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored where required by applicable law. Blocking or deletion is also carried out when the storage period prescribed by applicable law expires, unless further storage is necessary for the conclusion or performance of a contract, compliance with legal obligations, fraud prevention, security, or the establishment, exercise, or defense of legal claims.
For clarity, retention periods may differ depending on the role in which ToBeOut processes the data (for example, as a Processor on behalf of a Venue or as an independent Controller for ToBeOut’s own purposes).
As an example:
(a) technical server and session logs may be stored for up to 90 days for security and operational purposes, after which they are deleted or anonymized, unless a longer retention period is required for incident investigation, fraud prevention, or legal compliance;
(b) Guest booking data and booking-related communications processed by ToBeOut on behalf of a Venue (Customer Data) are stored during the contract term with the Venue and thereafter handled in accordance with the deletion/return provisions of the DPA and the Venue’s instructions, unless applicable law requires longer retention;
(c) certain records processed by ToBeOut as an independent Controller (for example, support communications, security records, and marketing consent/opt-out records) may be retained for the periods described below, where permitted by applicable law.
3A. Indicative retention periods (unless longer retention is required by law):
• Customer account and billing records: term of contract + applicable statutory retention period;
• Guest booking records (Customer Data): during contract term and deletion/return period under the DPA, unless Customer configures shorter retention where available;
• Support requests and support correspondence (Customer contacts / Venue contacts): up to 24 months after closure, unless a longer period is required for an unresolved dispute, legal claim, or security investigation;
• Security and fraud-prevention logs/records: up to 12 months, unless a longer period is required for incident investigation, fraud prevention, or legal compliance;
• Marketing consent records and opt-out/suppression records (ToBeOut marketing): retained for as long as necessary to demonstrate compliance, process and honor unsubscribe/objection requests, and prevent further marketing to individuals who opted out.
4. Legal basis for personal data processing. We process personal data in accordance with the legislation of the territories in which we operate, such as US federal legislation in the field of personal data protection, the Delaware Personal Data Protection Act (DPDPA), the Law of the Republic of Serbia on the Protection of Personal Data (ZZPL), and other state legislation on the protection of personal information, the EU General Data Protection Regulation (GDPR), and national legislation on the protection of personal information. ToBeOut takes measures to ensure appropriate data processing in accordance with these laws. When transferring data abroad, we take measures to comply with applicable data protection laws related to such transfer, including the use of standard contractual clauses or obtaining user consent where required by local legislation.
5. Transfer of information We may share the information received with Venues (their affiliates), with our partners, service providers, and social networks. This is done for the purposes of providing and improving our services, for our marketing purposes, as well as other purposes specified below. We take care that access to personal information is granted only to those who need such access to perform their tasks and duties, as well as to third parties who have a legitimate purpose for accessing them. Whenever we allow third parties access to personal information, we take appropriate measures to ensure the use of information in accordance with this Policy, as well as to ensure the security and confidentiality of the information. Since we provide our services to users from different countries, we sometimes need to transfer your personal data to other countries, including the United States. In these countries, data protection rules may differ from the rules of your country. When transferring data abroad, we take measures to comply with applicable data protection laws related to such transfer. In certain situations, we may be obliged to disclose personal data in response to lawful requests from officials, such as law enforcement or security agencies. Storage of your personal data is carried out in accordance with the requirements of local legislation on the localization of personal data. Since our headquarters is located in the USA, and servers may be located in different jurisdictions, we carry out cross-border data transfer. To legalize data transfer from the European Economic Area (EEA) to the USA or other countries that do not provide an adequate level of protection, we rely on Standard Contractual Clauses (SCC) approved by the European Commission, unless another basis applies.
Business Transfers: In the event that ToBeOut is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information (including personal data and booking history) may be sold or transferred as part of such a transaction. You hereby agree that such transfers may occur and that any acquirer of ToBeOut may continue to use your personal data in accordance with this Policy.
6. Third parties and Sub-processors (including DPA-relevant Sub-processors for Customer Data)
This section includes (i) Sub-processors used by ToBeOut to process Customer Data on behalf of Venues in connection with the Services (for purposes of the DPA), and (ii) other third parties used by ToBeOut for its own website, analytics, and marketing activities.
The list below may be updated from time to time. Where required by the DPA or applicable law, ToBeOut will provide notice of changes to DPA-relevant Sub-processors and allow Customers to raise objections in accordance with the DPA.
Where personal data is transferred outside the country of collection, ToBeOut applies appropriate transfer safeguards where required by applicable law (including adequacy decisions, Standard Contractual Clauses, or equivalent mechanisms).
(A) Sub-processors used to provide the Services (Customer Data / DPA-relevant)
- Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) and OVH US LLC (11480 Commerce Park Dr. Suite 500, Reston, VA 20191, USA) (hosting);
- Brevo (Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France) and Infobip PLC (5th Floor, 125 Old Broad Street, London, EC2N 1AR, United Kingdom) (communications service providers that may be used by ToBeOut to deliver transactional and marketing messages, including on behalf of Venues (where applicable under the DPA) and, separately, for ToBeOut’s own communications where permitted by law);
(B) Third parties used by ToBeOut for its own website analytics/marketing
- Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) — Google Ads advertising platform, including Google Analytics 4 and Google Ads / Conversion Linker (may receive website and booking widget event data, device/browser identifiers, and other technical data for analytics, attribution, audience building, and advertising performance measurement, subject to applicable law and consent requirements where required);
- Meta Platforms, Inc. (1601 Willow Road, Menlo Park, CA 94025, USA) — Meta Ads advertising platform including Meta Pixel and/or Conversions API (may receive website and booking widget event data, device/browser identifiers, and other technical data for analytics, attribution, audience building, and advertising performance measurement, subject to applicable law and consent requirements where required);
(C) Payment service providers (role depends on context)
- Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA) — payment service provider used for subscription billing and payment processing. Depending on the processing context, Stripe may act as an independent controller or as a processor under its own terms and privacy documentation.
III. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES
1. Description and scope of data processing With each visit to the pages of our website on the Internet (https://tobeout.com) or other resources belonging to us, our system can automatically collect data and information from the system of the device from which the visit is carried out. At the same time, the following data are collected:
- information about the type of browser program and its version used;
- user's operating system;
- user's IP address;
- type of user device;
- date and time of the visit;
- websites from which the user's system moved to our resources on the Internet;
- any other information that your browser may send us.
IV. USE OF COOKIE FILES AND ANALYTICAL TOOLS
1. Use of cookie files. Our site uses cookies. Cookies are text files that are saved inside the browser program or by the browser program on the user's computer system. When a user accesses the site, a cookie file may be saved in the user's operating system. This file contains a characteristic sequence of characters allowing for unique identification of the browser program upon repeated access to the website. We use cookies to make our site more convenient to use. On our site, we, in addition, use cookies in order to analyze user behavior when using our website. Cookies installed by the Widget are "Strictly Necessary" for the functioning of the booking, unless otherwise configured by the Venue. The purpose of using technically necessary and functional cookies is to simplify the use of the site for users. Some functions of our site cannot be offered to the user without the use of cookies — for this it is necessary that the browser program be recognized when moving to a new page. We use cookies that are necessary technically or functionally. Cookies are saved on the user's device and transferred from it to our site. Thus, you as a user also have full control over the use of cookies. By changing the settings in your browser program, you can disable or limit the transfer of cookies. Previously saved cookies can be deleted at any moment. This can also happen automatically. If cookies are deactivated for our site, possibly the entire functionality of the latter will not be able to be used to the full extent. More detailed information about cookies can be found at this link https://www.allaboutcookies.org/. We also recognize and process Global Privacy Control (GPC) signals transmitted by your browser program. In case of receipt of such a signal, we automatically limit the use of analytical and marketing cookies, considering this as your lawful refusal of tracking.
2. Use of analytical tools. Currently we use analytical tools, including, but not limited to: Google Analytics, Google Tag Manager, Meta/Facebook pixel. We reserve the right to delete or add new analytical tools.
3. Cookies on the booking widget. Our booking widget, placed on the Venue's site (including third-level domains *.tobeout.com), can install technical and analytical cookies. The Venue, as the site administrator, is obliged to notify Guests about the use of these cookies through its own Cookie-banner.
For clarity, ToBeOut’s cookie and tracking controls apply to ToBeOut-controlled interfaces and ToBeOut booking widgets as implemented by ToBeOut. The Venue remains responsible for privacy and cookie compliance on other parts of the Venue’s website that are not controlled by ToBeOut.
V. MARKETING COMMUNICATIONS (MAILING)
1. Description and scope of data processing
(a) On our website there is an opportunity to subscribe to a news mailing. When registering to receive the mailing, data from the input fields are transferred to us. At the same time, your email address is saved and used. In addition, when registering, we collect the following data:
- IP address of the computer from which the connection is carried out;
- date and time of registration;
- country;
- city;
- name;
- e-mail.
If you as a Guest use our web-forms for booking (Widget users), ToBeOut may send you informational and marketing communications (including news about the ToBeOut mobile application, personal selections, and offers of Partner Venues) only where: (i) you have provided a separate, explicit opt-in to receive marketing communications from ToBeOut (separate from any consent for the Venue, where required by applicable law), and (ii) such communications are permitted by applicable law. You may opt out at any time.
(c) Legal basis for ToBeOut marketing communications.
Where ToBeOut sends marketing communications to Guests as an independent Controller, ToBeOut relies on the legal basis required by applicable law, which may include consent and, where permitted, legitimate interests. For email, SMS, and messenger marketing communications, ToBeOut will obtain prior consent where required by applicable law (including, where applicable, ePrivacy/PECR, GDPR, UK GDPR, Swiss FADP, TCPA, and similar laws). Guests may withdraw consent or opt out at any time, and ToBeOut will maintain suppression/unsubscribe records as required by law.
For the purposes of applicable electronic marketing laws, ToBeOut may treat direct messages sent through messaging platforms (including, where applicable, Telegram and similar services) as electronic marketing communications and will apply consent and opt-out requirements accordingly.
2. Purpose and conditions of processing Provision of up-to-date information about ToBeOut services, including personalized information. Data is deleted as soon as it ceases to be necessary for achieving the purpose of its collection. As a rule, data is stored as long as the news mailing subscription is active, unless a different storage period is required to confirm our compliance with advertising legislation. You can stop the subscription at any time. For this purpose, in each news mailing there is a corresponding link. This also makes possible the withdrawal of consent for the storage of personal data collected during the registration process.
3. Third-party messaging platforms: if you communicate with us or the Venue through third-party platforms (WhatsApp, Telegram, Facebook Messenger, etc.), you understand that such communications are regulated not only by our Policy but also by the privacy policies of the corresponding platforms. We do not control and do not bear responsibility for how these third parties (Meta, Telegram, etc.) collect, store, and use the content of your messages and metadata.
4. Targeted advertising (Custom Audiences): if you have given consent for marketing communications, we may use your contact data (in hashed/anonymized form) to create “Custom Audiences” or “Look-alike” audiences on the advertising platforms of third parties (such as Meta/Facebook, Google Ads, LinkedIn Ads, X Ads, etc.). This is done in order to show you or people with similar interests advertisements for our services. You can refuse such use by writing to us at privacy@tobeout.com or by changing the advertising settings in the corresponding social networks.
VI. REGISTRATION
1. Description and scope of data processing When specifying personal data on our site, you have the possibility of registration. The data entered at the same time is transferred to us and saved; the transfer of data to third parties is not carried out. Within the framework of registration, the following data are collected:
- e-mail;
- IP address of the device from which the connection is carried out;
- date and time of registration;
- country;
- city;
- last name, first name;
- phone;
- user's IP addresses;
- date and time of registration. Within the framework of the registration process, the user's consent for the processing of these data is obtained.
VII. FEEDBACK FORM AND E-MAIL COMMUNICATIONS
1. Description and scope of data processing On our site there is a feedback form that can be used for directing electronic appeals to us. The entered data are transferred to us and saved. Such data are:
- last name, first name;
- Registration number;
- contact phone;
- e-mail;
- your appeal in the text field labeled “Message text”.
- user's IP address;
- date and time of registration. For data processing within the framework of the sending process, your consent is requested with a link to this Privacy Policy. As an alternative, an appeal can be used at the email address provided by us. In such a case, the user's personal data obtained by email are saved. In connection with this, no transfer of data to third parties occurs. Data are used exclusively for processing the dialogue.
VIII. SOCIAL NETWORKS
1. Description and scope of data processing Through our site you can visit our pages in social networks. By clicking on the link (hyperlink) on our page leading to the page of the corresponding social network, you appeal to the page of the social network operator. To visit our page, it is necessary for you to log into the account of the corresponding social network. In this case, if applicable, we get access to your public data, as well as to information that you make public for one or another application inside the social network. Public information can be viewed by any third party. Such information can be, in particular, your first and last name, profile data, cover images and photos, gender, username. At the same time, according to contractual agreements between operators of the corresponding social networks, exchange of information between these social networks may also be carried out. Decisions about individual provisions for personal data processed inside the social network are made by the social network operator in accordance with your contractual relations, corresponding provisions, regulatory legal documents on personal data protection to which reference is made. The latter can be viewed on the social network page. They are used and processed by us also only inside the social network, within the framework of the functions and procedures offered there. Personal data used by us within our representation in social networks are not transferred to third parties.
2. Purpose and conditions of data processing We use your personal data to offer one or another service in the social network, to constantly check and optimize our services offered there, as well as the display on our page. Exactly this determines the lawfulness of data processing. Data are stored as long as they are on our page in the social network and as long as the latter is not deleted/closed. The user can at any moment withdraw consent for the processing of his personal data — by e-mail and phone. In addition, you can use the feedback form for this. All personal data saved in the course of using our services in social networks will be deleted if provisions of legislation on personal data protection, making necessary the required storage of certain data, do not prevent such deletion. In the settings of your account in social networks you can also cancel or limit the linking of your data to our services on the Internet.
IX. SERVICES / IT PRODUCTS
1. Description and scope of data processing (1) Within the framework of the procedure for formalizing an order for the purchase of our services (IT products) through our site, we collect your personal data which you provide by entering them into corresponding fields on our site, in the volume necessary for the conclusion, performance, or formalization of the purchase of individual services/ IT products. For these purposes, you can use the form for entering data — they will be saved by us after their transfer to us (see above “Registration”). (2) Upon conclusion of a contract for the purchase of individual services/ IT products through our site, you also choose a convenient payment method for you for the acquisition of services/IT products. Data necessary for performing a payment transaction are directed to the payment services of the enterprise that issued your bank card. On our part, access is provided to the Stripe service for payment processing. Standard Stripe conditions in relation to payment processing and personal data processing policy can be found at https://stripe.com/legal (3) When you use our services as a Guest of a Venue (for example, with the help of a booking widget) for personal use, we act as a Processor of your data and transfer necessary booking details directly to the Venue chosen by you. In doing so, we ask to provide the following data: e-mail (optional); phone number (mandatory); name (how to address you) (mandatory); preferences (restaurant, time, date, etc.) (mandatory); other information indicated in the booking form/booking services (optional). Sensitive Data: We intentionally do not request or collect special categories of personal data (data on health, religion, race, etc.). However, if you at your own discretion indicate such information in fields for free comments (for example, report food allergies, religious restrictions in nutrition, that you are a Person with a disability), you thereby provide your explicit consent for the processing of these data by us and the Venue exclusively for the purposes of taking into account your wishes when providing services. (4) When we receive your personal data from Venues, we act as a Processor processing data exclusively on behalf of the Venue. In this case, responsibility for the legal bases of data collection is borne by the Venue.
2. Purpose and conditions of data processing The purpose of data processing consists in the preparation, conducting, and formalization of contractual relations with you. It is exactly this that determines the legitimate interest in personal data processing, including for (3): the ability to book tables in Venues, receive notifications, the ability to communicate with Venues; for (4): allowing Venues to manage bookings through our SaaS service, providing Venues with our services, receiving notifications and communicating with Venues, sending you notifications, improving the service provided to Venues. Data processed by us for the preparation, performance, or formalization of a contract are deleted when storage is no longer required in connection with one or another purpose under the contract. Consequences of non-provision of data — impossibility of performance of the contract.
X. YOUR RIGHTS
During the processing of your personal data, you act as an interested person. In accordance with the requirements of current legislation, you are provided with, including, the following rights:
- Right of inquiry. You can demand from us to provide an inquiry about which personal data concerning you are processed by us. You are also granted the right to receive written confirmation of whether your personal data are transferred to another state or international organization. In connection with this, you can demand that appropriate guarantees in connection with data transfer be explained to you.
- Right to rectification. You have the right to rectification and/or making additions if personal data concerning you are inaccurate or incomplete. We will immediately take measures to introduce amendments.
- Right to restriction of processing. You can demand restriction of processing of personal data concerning you if you consider that your rights are violated.
- Right to deletion. a) You can demand from us the immediate deletion of your personal data, and we will do this immediately if at least one of the following reasons is present: (1) Your personal data are no longer required for the purposes for which they were collected or otherwise processed. (2) You withdraw your consent for data processing and at the same time other legal bases for data processing are absent. (3) You direct an objection against data processing, while there are no legitimate reasons for data processing. (4) Your personal data were processed unlawfully. (5) Deletion of your personal data is necessary for the performance of a legal obligation. (6) On other grounds provided for by applicable legislation. b) Transfer of information to third parties. If we made personal data concerning you available to third parties and are now obliged to delete them, then, taking into account available technologies and costs for implementation, we will take appropriate measures to inform those responsible for data processing that you, being the person whose interests are affected, demand from them the deletion of all links to these personal data, copies, or replications thereof. c) Exceptions. The right to deletion does not extend to cases when processing is necessary in cases provided for by the legislation of the territory of presence of ToBeOut.
- Right to awareness. If you have the right to rectification, deletion, or restriction of personal data and you have used it, we will inform all recipients to whom your personal data were disclosed about the rectifications, deletions, or restriction of their processing, except for cases when this is impossible or associated with disproportionate efforts. You have the right to receive information about such recipients.
- Right to data portability. You have the right to receive your personal data, which you provided to us, in a full, structured, and machine-readable format. Within the framework of the exercise of this right, you also have the right to have your personal data transferred directly to another responsible person, if this is technically feasible. At the same time, freedoms and rights of other persons cannot be restricted.
- Right to file an objection. You have the right at any moment to direct an objection against the processing of your personal data in cases provided for by the legislation of the territory of presence of ToBeOut.
- Right to withdraw the declaration of consent in accordance with legislation on personal data protection. You have the right to withdraw your declaration of consent in accordance with legislation on personal data protection. At the same time, the lawfulness of processing carried out on the basis of this consent before receipt of the withdrawal is not affected.
- Arbitration. To the extent permitted by applicable law, contractual disputes arising in connection with this Privacy Policy are subject to resolution in accordance with the section “Governing Law. Arbitration” of our Terms of Use located at: https://tobeout.com/business/terms. This does not limit any rights a Data Subject may have under applicable data protection law, including the right to file a complaint with a supervisory authority or to seek a judicial remedy where such rights cannot be waived.
- Right to file a complaint with a supervisory authority. Not affecting other possibilities of appeal by administrative or judicial means, you have the right to file a complaint with a supervisory authority, in particular, in the state of your place of residence or place of the alleged violation, if you consider that the processing of personal data concerning you violates your legitimate interests.
This section applies only to US residents. Categories of collected data. We may collect data specified in sections 3-9 of this Policy, for example, we collect: identifiers (name, e-mail, IP); commercial information (booking history); internet activity.
Sale of data. We do not sell personal data for monetary consideration. In some circumstances, certain disclosures to advertising and analytics partners may be considered “sharing” or “targeted advertising” under applicable U.S. state privacy laws. Where required, we provide notice and opt-out mechanisms (including recognition of Global Privacy Control (GPC) signals). We do not use identifiable Guest data or identifiable Customer Data for general-purpose AI model training unless permitted by applicable law and the required consents/permissions have been obtained.
Your rights. You have the right: to know what data we collected; to demand deletion of data; to prohibit the sale/sharing of data (“Do Not Sell/Share My Personal Information”); the right to appeal our refusal to perform your request (Right to Appeal). To exercise rights, contact us at privacy@tobeout.com. We do not discriminate against users for using these rights. Our website is technically configured to recognize Global Privacy Control (GPC) signals. If you use a browser or extension with an activated GPC signal, we perceive this as a valid request to opt out of the sale or sharing of your personal information (Do Not Sell or Share My Personal Information) in automatic mode, without the need to file a separate request.
XI-A. U.S. STATE PRIVACY DISCLOSURES (where applicable)
This section applies to personal data of individuals protected by applicable U.S. state privacy laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), where applicable.
No sale for monetary consideration. ToBeOut does not sell personal data for monetary consideration.
Sharing / targeted advertising. ToBeOut uses certain analytics and advertising technologies on its website and booking interfaces (including, where enabled, tools such as Google Analytics, Google Ads tags, and Meta Pixel / Conversions API). Depending on applicable law, certain disclosures of personal data through these technologies may be considered “sharing” or processing for “targeted advertising” / “cross-context behavioral advertising.” Where required by applicable law, ToBeOut provides notice and the right to opt out of such processing.
Global Privacy Control (GPC). ToBeOut honors browser-based Global Privacy Control (GPC) signals as a valid opt-out request for sale/sharing/targeted advertising, where required by applicable law and where technically recognized on the relevant ToBeOut-controlled interface.
Your rights (where applicable). Subject to applicable law and verification requirements, you may have the right to request access to, correction of, or deletion of your personal data, and to opt out of sale/sharing/targeted advertising. You may also have the right to limit the use or disclosure of sensitive personal data where applicable.
How to exercise your rights. You may submit privacy requests by contacting us at info@tobeout.com. Where technically available, additional request methods may be provided in the relevant interface.
Authorized agents. Where required by applicable law, ToBeOut accepts requests submitted by an authorized agent, subject to verification of the agent’s authority and the identity of the relevant individual.
No discrimination. ToBeOut will not discriminate against you for exercising privacy rights granted by applicable law.
Notice at collection. Categories of personal data collected, purposes of processing, and categories of recipients are described in this Privacy Policy and, where required, in notices presented at or before the point of collection (including ToBeOut booking forms and widgets).
XII. USE OF DATA FOR AI AND MACHINE LEARNING
We may create Aggregated and De-identified Data on the basis of Guest data, booking histories, communication contents, including message texts, audio files, and metadata transmitted through connected messengers and the AI assistant on behalf of the Venue. We use data for AI training exclusively in aggregated and de-identified form (De-identified Data), which does not allow for the identification of a specific individual. The creation of such de-identified data sets is our legitimate interest (Legitimate Interest) in improving the service. Aggregated and De-identified Data may be used by us for any purposes, including:
- Training of artificial intelligence models (AI/ML) for all clients of the service;
- Analysis of market trends and statistics;
- Improvement of speech and text recognition algorithms. We do not use audio recordings for identification of personality (biometrics) and do not create “voiceprints”.
If you have questions or requests regarding this Privacy Policy, about ToBeOut services, and about how your personal data were used, please contact us by sending an email to info@tobeout.com.
