Effective date: September 8, 2025 We at Subtotal, Inc. (together with our affiliates, “Subtotal,” “we,” “our,” or “us”) take your privacy seriously. This Privacy Policy sets forth our policies and practices with respect to identifiable data that we collect from or about you (“Personal Data”) when you use our website, online tools, applications, and services (collectively, “Services”)—for example, when you use Subtotal to connect with and provide your information to the apps and websites you use. These apps and websites are owned and maintained by our business customers, including, but not limited to, consumer packaged goods brands whose products are sold in retail (“Customers”). By using or accessing our Services, you agree to the practices and policies outlined below, and to our collection, use, and disclosure of your Personal Data as set forth in this Policy. Remember that your use of the Services is also at all times subject to our End User Terms of Service, which incorporate this Privacy Policy. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Service. By entering into and agreeing to our Terms of Service and this Privacy Policy, you acknowledge that Subtotal is the “data controller” or “business” of your Personal Data collected through the Services.

What this Privacy Policy Covers

This Policy describes the data we collect when you access or use our Services and explains how we use and disclose that information. This Policy does not cover the policies or practices of companies we don’t own or control or people we don’t manage, such as Customers. You should review the privacy policies and terms of service for those Customers’ apps and websites for information about their practices. This Policy also does not apply to personal information we collect from and about Customers, which is governed by our Customer Privacy Policy.

Collection, Use, and Disclosure of Personal Data

Personal Data We Collect

We collect your Personal Data from the following sources:
  • Data you provide directly to us when you use the Services;
  • Data from businesses you use, transact with, or purchase or order from, including retailers, marketplaces, shopping providers and platforms, and delivery services (“Retailers”), when you connect your Retailer accounts through the Services, subject to any applicable privacy settings you have selected;
  • Data from the device you use to connect your Retailer accounts or otherwise use the Services;
  • Data from Customers whose apps and websites you have connected your Retailer accounts to, as well as any applicable service providers of Customers where Customers have implemented integrations with such service providers to assist in providing services on their behalf; and
  • Data from other sources, including our partners, service providers, and identity verification and fraud prevention services.
Personal Data You Provide: When you use our Services (for example, when you use Subtotal to connect a Retailer account to a Customer app or website), we collect the following Personal Data:
  • Identifiers such as your name, address, email address, phone number, and information included in any profiles you maintain with a Retailer (which could include demographic information, your date of birth, your shopping interests, etc.);
  • Information related to your communications with us—for example, when you communicate with us via email or our social media pages—such as your name, contact information, and the contents of your communications;
  • Information related to your use of our Services, including which Retailers and Customers you connect using our Services; and
  • Other information that you may provide to us—for example, when you provide information in free-form text boxes in connection with our Services, participate in our events, or respond to our surveys or questionnaires.
Personal Data from Retailers: If you use our Services to connect a Retailer account to a Customer app or website, we collect the following Personal Data from the Retailer:
  • Identifiers and data about the account owner(s), including name, address, email address, phone number, and information from any profile you maintain with the Retailer (which could include demographic information, your date of birth, your shopping interests, etc.); and/or
  • Data about your commercial transactions, purchases, and orders with the Retailer, including but not limited to amount paid, all items purchased (even those not associated with a Customer’s brand), purchase date, payment method, device used, and store location, in accordance with any applicable privacy settings you have configured.
Personal Data Collected Automatically when You Use the Services: When you visit, use, or interact with the Services, we automatically collect the following information about your visit, use, or interaction:
  • Log Data: We collect information that your browser or device automatically sends when you use our Services. Log data includes your internet protocol (“IP”) address, browser type and settings, the date and time of your request, and how you interact with our Services.
  • Usage Data: We collect information about your use of our Services, including which Retailer accounts and Customer apps and websites you connect using Subtotal.
  • Device Information: When you use a device to interact with our Services, we collect information about that device, such as the name of the device, hardware model and operating system, IP address, domain server, the date and time of your interaction with the Services, timezone setting and location, and other technical information about the device. The information we collect may depend on the type of device you use and its settings.
  • Location Information: We may determine the general area from which your device accesses our Services based on information such as its IP address.
  • Cookies and Similar Technologies: As described more fully in our Cookie Policy, we use cookies and other related technologies in operating our Services⁠.
Personal Data from Customers: If you use Subtotal to connect a Retailer account to a Customer app or website, we may collect identifiers and commercial information about you, including your name, system-specific identifiers (such as a customer ID), address, email address, phone number, and information about your commercial transactions. Personal Data from Other Sources: We receive Personal Data and other information from our partners, including service providers, analytics providers, advertising partners, and security partners—for example, to help us provide you with customer support, to generate leads, and to prevent fraud, abuse, and security threats. Information Derived from Personal Data: We may derive additional information about you from the Personal Data we collect. For example, we may infer your general location from your IP address or your purchasing patterns from your commercial transactions. De-Identified Data: We may de-identify information we collect so the information is no longer Personal Data in that it can no longer reasonably identify you or your device, or we may collect information that is already in de-identified form. Our use and disclosure of de-identified information is not subject to any restrictions under this Privacy Policy, and we may use and disclose it to others for any purpose, without limitation.

How We Use Your Personal Data

We use your Personal Data for the following business and commercial purposes: Providing, Operating, and Improving the Services: To operate, provide, improve, modify, and further develop our Services, including:
  • Connecting to and accessing your Retailer accounts on your behalf;
  • Connecting your Retailer accounts with the Customer apps and websites you use;
  • Creating and managing your account and profile on our system;
  • Providing you with the products, services, and information you request;
  • Providing support and assistance for the Services, including to both you and our Customers;
  • Improving the Services, including through testing, research, internal analytics, and product development;
  • Personalizing the Services and our website content and communications based on your preferences; and
  • Carrying out other business purposes stated when collecting your Personal Data or as otherwise permitted under applicable data privacy laws.
Marketing the Services: To market and sell the Services—for example, and in accordance with applicable laws, by sending marketing emails related to the Services. Preventing Fraud: To investigate and help protect you, Customers, Subtotal, and others from fraud, malicious activity, and other privacy and security-related concerns, including by validating your identity and preventing fraud on your account. Developing Insights: To develop insights based on the Personal Data we’ve collected. This includes but is not limited to your transaction data, data about which Retailer accounts you have connected to which Customer apps and websites, and data from other sources, including Customers and other third parties. Communicating with You: To communicate with you—for example, to respond to emails and other communications we receive from you and to send you legal notices, system updates, and other information about Subtotal or the Services. Please note that our written and verbal communications with you may be recorded and stored by us and vendors on our behalf for training and internal business purposes. For Legal Purposes: To meet legal obligations and protect legal rights under applicable law, including:
  • Detecting and preventing potential security incidents and other unlawful or prohibited activities;
  • Investigating any misuse of our Services or Customer apps and websites;
  • Protecting the rights, property, and safety of you, Subtotal, and other parties;
  • Enforcing any agreements with you; and
  • Establishing and defending against claims.

Online Analytics and Advertising

Online Analytics. As discussed in greater detail in our Cookie Policy, we may use third-party analytics in connection with our Services (e.g., analytics platforms such as Google Analytics or PostHog). These vendors may set and access their own cookies, pixel tags, and similar technologies on our Services and on third-party services to collect information that can be used to track users over time and across services. These analytics tools help us understand how users arrive at and use our Services. If you do not want Google Analytics to collect and use information about your use of our Services, then you can install an opt-out in your web browser. You also may opt-out from Google Analytics for Display Advertising or the Google Display Network by using Google’s ads settings. Online Advertising. We strive to provide you with relevant, value-added content in our online advertisements. We work with online analytics and advertising partners to: (i) better understand the use of our Services so that we can improve them; and (ii) deliver advertisements that are more tailored to you both on our Services and on third-party apps and websites. Our partners may place cookies, pixel tags, and similar technologies on many online services, including ours. They use these technologies to collect information about your activities on these services in order to deliver you more relevant advertising. For example, they may use the information they collect from their cookies on our Services to identify products and services you might be interested in. For information about how to opt out of receiving personalized online advertisements from our advertising partners, follow the instructions in the “Your Rights and Choices” section below. Please visit our Cookie Policy for more details.

How We Disclose Your Personal Data

We disclose your Personal Data as follows:
  • With service providers, agents, and contractors that help us provide the Services and perform business functions for us or Customers—for example, hosting and storage providers, analytics and communication providers, and customer support providers;
  • With Customers and Retailers, in relation to the connections you’ve chosen to make between your Retailer accounts and the Customer apps and websites you use;
  • With service providers, agents, and contractors of Customers as directed by Customers, where these entities perform services on behalf of Customers;
  • With advertisers and other third parties who use cookies and related technologies to collect information about your use of the Services and use that information to serve online ads that they think will interest you (please see our Cookie Policy for more details);
  • To comply with our legal obligations and with legal or regulatory processes (such as subpoenas);
  • To prevent fraud, malicious activity, and other privacy and security-related concerns or otherwise protect the rights, property, and safety of you, Customers, Retailers, Subtotal, and others;
  • With third parties in relation to a change in ownership or control of all or a part of our business or assets, or in contemplation thereof, such as a merger, acquisition, bankruptcy, or reorganization; and/or
  • Between and among Subtotal and our current and future parents, affiliates, and subsidiaries.
We may also disclose aggregated, de-identified, or anonymized data for any purpose permitted by law.

Data Security

We seek to protect your Personal Data from unauthorized access, use, and disclosure. We maintain a variety of physical, technical, and administrative security measures appropriate to the risk associated with the processing of your Personal Data. Unfortunately, no data transmission or storage system is completely secure. For additional information about our security practices, please visit our Security Page.

Data Retention

We retain Personal Data for as long as necessary to provide our Services and to fulfill the purposes for which we collected the data, including for the purposes of complying with our legal obligations, resolving disputes, and collecting fees. When establishing a retention period for specific categories of data, we consider who we collected the data from, our need for the data, our reason for collecting the data, and the amount and sensitivity of the data. If we aggregate, de-identify, or anonymize data such that it can no longer be used to identify you personally, we may use that information indefinitely without further notice to you.

Your Rights and Choices

Your Rights No matter where you live, we recognize, and you may exercise, the following rights with respect to your Personal Data, subject to applicable exceptions provided by law:
  • Information. To request information about the categories of Personal Data we have collected, the sources from which we collected the data, and how we have used and disclosed your Personal Data; this information is contained in this Privacy Policy.
  • Access. To access a copy of the Personal Data we have collected from and about you.
  • Deletion. To request that we delete the Personal Data we have collected from and about you.
  • Opt Out. To request to opt out of:
    • The “sale” of your Personal Data;
    • The “sharing” or “processing” of your Personal Data for online targeted advertising purposes;
    • The use of automated decision-making regarding your Personal Data, where such processing results in legal or similarly significant impacts (note that we have not engaged in such processing over the prior 12 months); and
    • The use of your “sensitive” Personal Data, in certain circumstances (note that we do not process “sensitive” Personal Data in a way that is subject to this opt out right).
  • Nondiscrimination. To exercise these rights free from discrimination.
Oregon and Minnesota residents can also request a list of the specific third parties, other than natural persons, to which we have disclosed personal information. Marketing Communications In accordance with applicable law, we may send you marketing communications. You may opt out of receiving marketing emails from Subtotal by following the instructions in those emails. Even if you opt out of marketing emails, we may still send you other types of messages, such as legal notices and support, service, and other emails regarding your account. Exercising Your Rights You can exercise the rights described in this section by submitting a request to support@subtotal.com⁠. You may be required to provide additional information to confirm your identity before we can respond to your request. If an authorized agent submits a request on your behalf, we may ask for a valid power of attorney to verify that the agent has written authority to submit requests on your behalf. In certain cases, we may be required or permitted by law to deny your request. To opt out of our use of cookies and pixels in ways that could be considered “sales” or “processing” for “online targeted advertising,” please refer to the “Online Advertising and Analytics” section above. If you are a resident of Colorado, Connecticut, Minnesota, Montana, Oregon, Tennessee, Texas, or Virginia, and we deny your Personal Data request, you have the right to appeal our denial. You can exercise this right by emailing us at support@subtotal.com or contacting us as provided below. Your description must include your full name and the email address you used in connection with our Services, along with a copy of the denial notice you received from us.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date on this page and provide additional notice as may be appropriate or required by law—for example, by sending you an email. If you use the Services after any changes to this Policy have been posted, that means you consent to the changes, subject to any applicable legal requirements.

Personal Data of Children

We do not knowingly collect or solicit Personal Data from children under 16 years of age. If you are a child under the age of 16, please do not register for or otherwise use the Services or send us any Personal Data. If we learn that we have collected any Personal Data from a child under 16 years of age, we will take steps to delete that information. If you believe that a child under 16 years of age has provided us with Personal Data, please contact us at support@subtotal.com.

Additional Information for California Residents

If you are a California resident, the California Consumer Privacy Act (“CCPA”) requires us to provide you with information about:
  • The purpose for which we use each category of “personal information” (as defined in the CCPA) we collect; and
  • The categories of third parties to which we (i) disclose such personal information for a business purpose, (ii) “share” personal information for “cross-context behavioral advertising,” and (iii) “sell” such personal information.
Under the CCPA, “sharing” is defined as the targeting of advertising to a consumer based on that consumer’s personal information obtained from the consumer’s activity across distinct online services, and “selling” is defined as the disclosure of personal information to third parties in exchange for monetary or other valuable consideration. We “share” information with our advertising partners to provide more relevant and tailored advertising to you regarding our Services. Moreover, our use of third-party analytics services and online advertising services may result in the sharing of online identifiers (e.g., cookie data, IP addresses, device identifiers, and usage information) in a way that may be considered a “sale” under the CCPA. In the past 12 months, we have processed the categories of personal information listed in the table below. For each category, the table provides the source, business purpose, and general categories of third parties to whom the information may be disclosed. For more detailed information, please see the “Collection, Use, and Disclosure of Personal Data” section above.
Personal Information CategoryBusiness Purpose of UseThird Parties to Whom Information is DisclosedThird Parties to Whom Information is Sold/Shared
Identifiers
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Advertising and marketing
  • Analyze and improve the Services
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Advertising and Analytics Vendors/Partners
  • Customers
  • Retailers
  • Advertising and Analytics Vendors/Partners
Commercial information (e.g., products or services purchased or considered)
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Advertising and marketing
  • Analyze and improve the Services
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Advertising and Analytics Vendors/Partners
  • Customers
  • Retailers
  • Advertising and Analytics Vendors/Partners
Internet or other similar network activity (including usage information)
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Advertising and marketing
  • Analyze and improve the Services
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Advertising and Analytics Vendors/Partners
  • Customers
  • Retailers
  • Advertising and Analytics Vendors/Partners
Geolocation data (e.g., physical location at the city/state level)
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Advertising and marketing
  • Analyze and improve the Services
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Advertising and Analytics Vendors/Partners
  • Customers
  • Retailers
  • Advertising and Analytics Vendors/Partners
Inferences drawn from other information
  • Provide the Services
  • Personalize the Services
  • Advertising and marketing
  • Analyze and improve the Services
  • Affiliates
  • Vendors
  • Advertising and Analytics Vendors/Partners
  • Customers
  • Retailers
  • Advertising and Analytics Vendors/Partners
Sensory data (e.g., photos or videos you provide in reviews, customer service call recordings for quality assurance)
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Analyze and improve the Services
  • Vendors
  • Entities for Legal Purposes
  • Not sold/shared
Account log-in credentials
  • Provide the Services
  • For security and legal purposes
  • Vendors
  • Entities for Legal Purposes
  • Not sold/shared
Your Choices Regarding “Sharing” and “Selling.” You have the right to opt out of the sale or sharing of your personal information for online analytics and advertising purposes. You can exercise this right by contacting us as described in the “Your Rights and Choices” section above. We also honor browser-based opt out signals, such as the global privacy control, in accordance with our legal obligations. Other CCPA Rights. For information about the additional rights you have under California law and how to exercise them, please see the “Your Rights and Choices” section above. If we ever offer any financial incentives in exchange for your personal information, we will provide you with appropriate disclosures at that time. The CCPA also gives California residents the right to limit the use and disclosure of their “sensitive personal information” (as defined in the CCPA) if such information is used for certain purposes. However, we do not use or disclose sensitive personal information for purposes that would trigger this right to limit. Retention of Your Personal Information. Please see the “Data Security” and “Data Retention” sections above. Do Not Track. Do Not Track (“DNT”) is a privacy preference that users can enable in certain web browsers. While we are committed to providing meaningful choices about the information collected on our Services for third-party purposes—including through the opt-out mechanisms described above—we do not currently recognize or respond to browser-based DNT signals. Learn more about DNT at https://www.allaboutdnt.com. California “Shine the Light” Disclosure. Under California Civil Code Sections 1798.83-1798.84, California residents have the right, in certain circumstances, to request that we do not disclose certain categories of personal information to third parties for their direct marketing purposes, or alternatively, that we maintain a policy to provide a cost-free means of opting out of such disclosures. We maintain such an opt out policy. To make an opt out request, please contact us using the contact information below and include “California Shine the Light Request” in the email subject line.

Contact Us

If you have any questions or comments about this Privacy Policy, our collection and use of your Personal Data, or your rights and choices regarding such collection and use, please contact us at: https://www.subtotal.com/
support@subtotal.com
100 Church Street, Suite 800
New York, NY 10007