← Back to Ding!Ding!

Data Processing Agreement

Addendum to the Restaurant Partner Agreement

Effective Date: March 29, 2026

This Data Processing Agreement ("DPA") is entered into between Join Ding LLC, an Ohio limited liability company operating as Ding! ("Processor," "we," "us," or "our") and the restaurant or food service business registered as a Ding! Partner ("Controller," "you," or "your").

This DPA forms part of and is incorporated into the Restaurant Partner Agreement between the parties. In the event of a conflict between this DPA and the Restaurant Partner Agreement, this DPA shall govern with respect to data processing matters.

This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions under applicable data protection laws, including the UK GDPR and relevant US state privacy laws where applicable.

1. Definitions

In this DPA, the following terms have the meanings given below:

  • "Controller" means the restaurant Partner that determines the purposes and means of processing personal data of its diners through the Ding! platform.
  • "Processor" means Join Ding LLC (Ding!), which processes personal data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed — primarily diners and guests of the Controller's restaurant.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
  • "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by Ding! to process personal data on behalf of the Controller.
  • "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  • "Applicable Data Protection Law" means GDPR, UK GDPR, CCPA, and any other applicable national or state-level data protection or privacy legislation.

2. Roles of the Parties

The parties acknowledge and agree that:

  • The Controller determines the purposes and means of processing personal data of its diners through the Ding! platform;
  • The Processor processes such personal data solely on behalf of and under the instructions of the Controller; and
  • Each party is independently responsible for complying with its own obligations under applicable data protection law.

For the avoidance of doubt, Ding! acts as an independent data controller in respect of its own platform users (e.g., restaurant account holders), analytics data it processes for its own legitimate business purposes, and any data used in aggregate or de-identified form for platform improvement.

3. Subject Matter, Nature, and Purpose of Processing

a. Subject Matter

Ding! processes personal data submitted to or generated through the platform by diners of the Controller's restaurant location(s).

b. Nature of Processing

Collection, storage, transmission, analysis, and deletion of personal data in connection with the operation of the Ding! platform.

c. Purpose of Processing

  • Providing AI-powered menu assistance, concierge, and booking services to diners;
  • Transmitting diner feedback and engagement data to the Controller;
  • Generating analytics and insights for the Controller's dashboard; and
  • Any other purpose expressly instructed by the Controller in writing.

d. Duration

Processing continues for the duration of the Restaurant Partner Agreement. Upon termination or account deletion, personal data is deleted in accordance with Section 9 of this DPA.

4. Types of Personal Data and Data Subjects

a. Categories of Data Subjects

  • Diners and guests visiting the Controller's restaurant location(s);
  • Individuals making reservations or inquiries via the Concierge Agent.

b. Categories of Personal Data

  • Identifiers voluntarily provided: name, email address, phone number;
  • Dietary preferences, allergen information, and food restrictions;
  • Reservation details: date, time, party size, special requests;
  • Chatbot and AI conversation content;
  • Menu engagement and feedback data;
  • Device and technical data: IP address, browser type, approximate location;
  • Session identifiers and usage data.

c. Sensitive Data

Dietary and allergen information may constitute health-related data under certain jurisdictions. The Controller is responsible for obtaining any required explicit consent from diners before such data is collected through the platform.

5. Controller Obligations

The Controller agrees to:

  • Ensure it has a valid legal basis under applicable law for all personal data processed through the platform;
  • Provide diners with a clear and compliant privacy notice disclosing the use of Ding! and the nature of data processing;
  • Only instruct Ding! to process personal data in ways that are lawful and consistent with this DPA;
  • Promptly notify Ding! if it becomes aware of any instruction that may violate applicable data protection law; and
  • Comply with all applicable data protection laws in its jurisdiction, including obtaining any necessary consents.

6. Processor Obligations

Ding! agrees to:

a. Instructions

Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. Ding! will promptly inform the Controller if it believes an instruction infringes applicable data protection law.

b. Confidentiality

Ensure that all personnel authorized to process personal data are subject to appropriate confidentiality obligations.

c. Security

Implement and maintain appropriate technical and organizational security measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Encryption of data in transit and at rest;
  • Access controls and authentication requirements;
  • Regular security assessments and monitoring; and
  • Incident response procedures.

d. Sub-processors

Not engage any new sub-processor without either (i) the Controller's prior written consent, or (ii) providing at least 14 days' advance notice through the platform or via email, during which the Controller may object. Current authorized sub-processors are listed in Section 11 of this DPA.

e. Data Subject Rights

Provide reasonable assistance to the Controller to fulfill its obligations to respond to data subject rights requests, including access, rectification, erasure, restriction, portability, and objection. Given the nature of the platform, Ding! will respond to technically feasible data subject requests within 30 days where the Controller cannot fulfill the request without Ding!'s assistance.

f. Data Protection Impact Assessments

Provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required by applicable law.

g. Breach Notification

Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting personal data processed under this DPA. Notification will include: (i) the nature of the incident; (ii) categories and approximate number of data subjects affected; (iii) likely consequences; and (iv) measures taken or proposed to address the incident.

7. Audit Rights

Ding! will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may, upon at least 30 days' prior written notice and no more than once per calendar year, request an audit of Ding!'s data processing activities relevant to this DPA.

Audits must be conducted during normal business hours, must not unreasonably disrupt Ding!'s operations, and are subject to appropriate confidentiality obligations. The Controller bears the cost of any such audit unless the audit reveals a material breach of this DPA by Ding!.

8. International Data Transfers

Ding! is based in the United States. Personal data processed through the platform may be transferred to and stored in the United States and other countries where Ding!'s sub-processors operate.

For transfers of personal data from the European Economic Area (EEA) or the United Kingdom to countries not recognized as providing an adequate level of protection, Ding! relies on one or more of the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission;
  • UK International Data Transfer Agreements (IDTAs); or
  • Other lawful transfer mechanisms under applicable law.

By entering into this DPA, the Controller authorizes Ding! to make such transfers subject to these safeguards.

9. Retention and Deletion of Data

Ding! retains personal data for the duration of the active Partner relationship. Upon termination of the Restaurant Partner Agreement or deletion of the Partner account, Ding! will:

  • Permanently delete all personal data associated with the Controller's account within 30 days of termination or deletion request, except where retention is required by applicable law;
  • Retain anonymized or aggregated data derived from personal data for platform improvement purposes; and
  • Provide written confirmation of deletion upon request.

The Controller acknowledges that data deletion following account deletion is irreversible, as stated in the Restaurant Partner Agreement.

10. Liability

Each party shall be liable for damages caused by processing that infringes applicable data protection law to the extent it is responsible for such infringement.

Ding!'s total liability under this DPA is subject to the limitations set out in the Restaurant Partner Agreement. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.

11. Authorized Sub-processors

The Controller hereby provides general authorization for Ding! to engage the sub-processors listed at joinding.com/legal/sub-processors, each of which is subject to data protection obligations no less protective than this DPA. That page is the authoritative and current list; the summary below is provided for reference only.

Sub-processorPurposeLocation
Anthropic, PBCAI language model (Operations, Marketing, Forecasting Agents)United States
OpenAI, L.L.C.AI language model (Waiter, Concierge Agents) and image processingUnited States
Supabase, Inc.Database, authentication, and file storageUnited States
Stripe, Inc.Payment processing and billingUnited States
Vercel, Inc.Frontend hosting and deploymentUnited States
Resend, Inc.Transactional email notificationsUnited States
Square, Inc. / Clover Network, LLC / Toast, Inc.POS data integration (optional, operator-connected only)United States

Ding! will provide at least 14 days' notice before adding or replacing any sub-processor. If the Controller objects to a new sub-processor on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the Agreement without penalty.

12. Governing Law

This DPA is governed by the laws of the State of Ohio, without regard to conflict-of-law principles, except where mandatory provisions of applicable data protection law (such as GDPR) require otherwise. For EEA or UK data subjects, the applicable supervisory authority provisions shall apply.

13. Updates to This DPA

Ding! may update this DPA to reflect changes in applicable law or its data processing practices. Material changes will be communicated with at least 14 days' notice. Continued use of the platform following notice constitutes acceptance of the updated DPA.

14. Contact

For data protection inquiries or to exercise rights under this DPA:

joindingapp@gmail.com

Join Ding LLC · Ohio, United States · joinding.com