GDPR Privacy Notice (EU/EEA & UK)
Last updated: October 19, 2025
Controller: OtterOrder, LLC (Wyoming, USA)
Contact: support@otterorder.com
This GDPR Privacy Notice explains how OtterOrder, LLC (“OtterOrder”, “we”, “us”, “our”) processes personal data of individuals located in the European Economic Area (EEA) and the United Kingdom (UK) when they visit our websites, apps, kiosks, or otherwise use our services (collectively, the “Services”).
Your primary rights and our general practices are described in our main Privacy Policy; this Notice supplements it for GDPR/UK GDPR purposes.
If we are required to appoint an EU/UK Representative under Article 27 GDPR/UK GDPR, we will publish their contact details here. Until then, please contact us directly at support@otterorder.com.
1) Roles and Key Definitions
- Controller. For the Services, OtterOrder, LLC is the controller of your personal data.
- Processors / Sub-processors. We engage vetted service providers (hosting, analytics, messaging, support) as processors under written data processing agreements.
- Payment Processing (Payroc). Card payments are handled by Payroc and its banking partners. For payment card data they determine, Payroc typically acts as an independent controller (e.g., underwriting, fraud checks, settlement, disputes). We receive limited payment metadata (e.g., token, last 4 digits, status).
2) What We Collect
We collect the categories of data outlined in our Privacy Policy, including:
- Identity & contact: name, email, phone; for merchants: business details, EIN, payout banking info.
- Account & usage: login, preferences, logs, device/IP, approximate location.
- Order & service data: items, totals, tips, taxes/fees, timestamps, fulfillment status.
- Communications: support messages, feedback, and (where enabled) SMS/10DLC transactional messaging preferences.
- KYC/Underwriting (merchants): information Payroc may require (e.g., beneficial owners).
We do not intentionally collect data from children under 13 and do not seek special-category data unless strictly necessary (e.g., identity verification) and permitted by law.
3) Purposes and Legal Bases (Art. 6 GDPR)
We process personal data for:
| Purpose | Legal Basis |
| --- | --- |
| Provide and operate the Services (accounts, orders, receipts, support) | Contract (Art. 6(1)(b)) |
| Payments via Payroc; fraud prevention; dispute handling | Contract (b); Legitimate interests (f); Legal obligation (c) |
| Security, logging, and service integrity | Legitimate interests (f) |
| Analytics, service improvement | Legitimate interests (f) |
| Transactional messaging (email/SMS/10DLC) | Contract (b); Legitimate interests (f) |
| Marketing (email/app notifications) where applicable | Consent (a) or Legitimate interests (f) as permitted |
| Compliance (tax, accounting, lawful requests) | Legal obligation (c) |
10DLC note (transactional only): We use 10DLC for receipts, 2FA codes, and order-ready updates. Marketing texts are sent only through authorized third-party platforms with their own consent flows and 10DLC registrations. See our “10DLC Compliance and Privacy” section in the main Privacy Policy.
4) Your GDPR/UK GDPR Rights
You have the right to:
- Access your personal data and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase data (“right to be forgotten”), where applicable.
- Restrict processing in certain circumstances.
- Port data you provided, in a commonly used, machine-readable format.
- Object to processing based on legitimate interests and to direct marketing at any time.
- Withdraw consent at any time (where processing is based on consent).
- Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
How to exercise: email support@otterorder.com with subject “GDPR Request” and specify your request. We’ll respond within one month (extendable as permitted). You may lodge a complaint with your supervisory authority (for the EEA) or the ICO (UK) if you believe your rights are infringed.
5) Recipients and Disclosures
We share data only as necessary and under appropriate safeguards:
- Service providers (processors): hosting/cloud, analytics, messaging, support, logging/monitoring.
- Merchants: when you place an order, relevant order/contact details are shared so they can fulfill it.
- Payroc & banking partners: to process payments, manage settlement, prevent fraud, and handle disputes; Payroc may act as an independent controller for certain card data.
- Integrations you enable: e.g., POS, delivery, accounting.
- Legal, safety, corporate events: as described in our Privacy Policy (e.g., lawful requests, merger/acquisition).
We do not sell your personal data. Limited “sharing” for cross-context advertising may occur for site analytics/ads—see your opt-out options in our Privacy Policy.
6) International Transfers
We are U.S.-based and may transfer your data outside the EEA/UK (e.g., to the U.S.). Where GDPR/UK GDPR applies, we use appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (and UK Addendum where applicable); and
- Supplementary measures where necessary (encryption in transit, access controls, minimization).
You may request a copy of the relevant transfer safeguards (with redactions) at support@otterorder.com.
7) Retention
We retain personal data only as long as necessary for the purposes described above, including:
- to provide the Services,
- for legal/accounting obligations,
- for dispute resolution and fraud prevention.
When no longer needed, we delete or de-identify data per our retention schedules.
8) Security
We implement appropriate technical and organizational measures (e.g., TLS encryption in transit, access controls, logging, vulnerability management). No system is perfectly secure; please protect your credentials and notify us promptly of suspected compromise.
9) Cookies and Similar Technologies
We use cookies/SDKs/pixels for essential functionality, analytics, security, and (where permitted) personalization/marketing. Where required, we request consent for non-essential cookies. You can adjust preferences via your browser/device and any consent tool we provide. Details appear in our Cookie section of the Privacy Policy.
10) Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant effects solely based on automated processing. If this changes, we will provide the required disclosures and safeguards and, where applicable, seek your consent.
11) Children
Our Services are not directed to children under 13. Where local law imposes a higher age for valid consent, we will comply with that standard.
12) Contact; EU/UK Supervisory Authorities
Questions, requests, or complaints: support@otterorder.com
EU/EEA residents may contact their local supervisory authority.
UK residents may contact the Information Commissioner’s Office (ICO) at ico.org.uk.
13) Changes to this Notice
We may update this Notice from time to time. The “Last updated” date reflects the latest version. Material changes will be communicated through the Services or by email where appropriate. Continued use after changes constitutes acceptance.
Annex: Payments via Payroc (Summary)
- Card data is entered into Payroc’s environment or securely tokenized.
- Payroc (and its banks) conducts KYC/AML, fraud screening, settlement, and chargeback handling.
- Payroc’s processing is subject to its own privacy terms; OtterOrder receives limited transaction metadata necessary for receipts, support, and compliance.