Data Sharing Agreement.

This Data Sharing Agreement ("DSA") supplements the DineRoute Terms of Service and the Privacy Policy. Where the agreements conflict on the subject of data sharing, this DSA controls.

1. Parties

   This DSA is between Anderson Collaborative LLC, a Florida limited liability company with EIN 84-3628405 ("DineRoute", "we"), and the restaurant operator, brand, multi-unit operator, or agency that signs up for a DineRoute account ("Customer", "you"). Where Customer is an agency acting on behalf of an end restaurant, Customer represents and warrants that it has authority from that restaurant to bind it to this DSA.

2. Purpose

   The purpose of this DSA is to authorize first-party data sharing between Customer and the advertising platforms Customer uses for paid media, routed through the DineRoute service. Specifically, this DSA authorizes DineRoute to forward server-side conversion events on Customer's behalf to Meta, Google, GA4, TikTok, and any other ad platform Customer connects to DineRoute, so that those platforms can attribute conversions and optimize Customer's campaigns.

   No data is shared with any third party except as needed to fulfill this purpose. DineRoute does not use Customer data for our own marketing, model training, or product development beyond aggregate usage analytics.

3. Data covered

   This DSA covers the categories of data described in Section "Information we collect" of the DineRoute Privacy Policy, which include but are not limited to:

   • Smart-link page events: page views, platform tile clicks, and outbound platform redirects.
   • Click identifiers: fbclid (Meta), gclid / gbraid / wbraid (Google), ttclid (TikTok), and any custom campaign tags carried on inbound URLs.
   • UTM parameters and additional querystring tags.
   • Visitor metadata limited to IP address, User-Agent, and the first-party dr_attrib and dr_vid cookies described in the cookie policy.
   • Conversion events that Customer chooses to forward (page view, lead, view content, initiate checkout, purchase intent).

   This DSA does not cover end-diner names, emails, phone numbers, mailing addresses, payment information, or order contents. DineRoute does not collect those fields.

4. Data sharing direction

   Data flows in one direction: from the Customer's DineRoute smart-link page out to the advertising platforms Customer has connected. Specifically, DineRoute forwards events on Customer's behalf via:

   • Meta Conversions API, using Customer's pixel ID and Customer's CAPI access token, fired server-side and deduplicated with the browser pixel via event_id.
   • Google Ads conversion tracking, using Customer's gclid / gbraid / wbraid identifiers, fired server-side via Customer's conversion action.
   • Google Analytics 4 Measurement Protocol, using Customer's GA4 property ID and Measurement Protocol secret.
   • TikTok Events API, using Customer's pixel ID and TikTok access token, deduplicated with the browser pixel via event_id.

   All credentials are Customer's. All events appear in Customer's ad accounts. DineRoute does not receive a copy of these events into our own ad accounts and does not commingle Customer's audiences with anyone else's.

5. Restrictions on use

   DineRoute commits to the following restrictions on Customer data:

   • No sale. DineRoute does not sell Customer data within the meaning of CCPA or any state equivalent.
   • No cross-customer sharing. Customer data is logically and physically isolated from other customers via database-level row-level security. DineRoute does not build cross-customer audiences, lookalikes, or benchmarks that expose individual Customer data.
   • No use for our own marketing. DineRoute does not run remarketing campaigns against end diners who visit Customer's smart-link pages.
   • No model training. DineRoute does not use Customer event data to train AI or machine-learning models that benefit anyone other than Customer.
   • No platform leakage. DineRoute does not forward Customer's events to ad platforms Customer has not connected.

6. Security obligations

   DineRoute will protect Customer data with the controls described on the security page, including: AES-256 encryption at rest, TLS 1.2+ in transit, pgcrypto column-level encryption on Customer-provided ad-platform credentials, least-privilege access for DineRoute personnel, immutable audit logging on production access and configuration changes, and annual external penetration testing.

   DineRoute will notify Customer of any confirmed security incident affecting Customer data without undue delay and in any event within 72 hours of confirmation, including a description of the incident, the data affected, and the remediation plan.

7. Term and termination

   This DSA takes effect when Customer creates a DineRoute account and remains in effect for as long as Customer maintains an active account. Either party may terminate this DSA at any time by terminating the underlying DineRoute account in accordance with the Terms of Service.

   On termination, DineRoute will stop forwarding events on Customer's behalf, revoke stored ad-platform credentials, and purge raw event data within 30 days. Aggregates may be retained for historical reporting, and billing records will be retained 7 years per US tax and accounting requirements.

8. Choice of law

   This DSA is governed by the laws of the State of Florida, United States, without regard to conflict-of-laws principles. Any dispute arising out of or related to this DSA follows the dispute-resolution mechanism in the Terms of Service, including binding individual arbitration in Miami-Dade County, Florida.

   Anderson Collaborative LLC is a Florida limited liability company with its principal office in Coral Gables, Florida. EIN 84-3628405.

9. Acknowledgment

   Customer acknowledges that signing up for a DineRoute account, accepting the Terms of Service at signup, or continuing to use the service after the "Last updated" date above constitutes acceptance of this DSA. No additional signature is required for this DSA to take effect.

   If Customer's procurement, legal, or compliance team requires a countersigned PDF of this DSA, email legal@dineroute.com. We return a signed copy within two business days at no charge.