Privacy Policy

Last Updated: May 30, 2026

(Ellen's test change Admin - Privacy Policy)

1. Introduction and Scope

We respect and value your privacy and are committed to protecting your personal information. Throughout this Policy, Order Online, Inc. (doing business as eHungry, Chinese Menu Online, Order Online, and Springroll; collectively, the “Company,” “we,” “us,” or “our”) refers to our directors, officers, employees, and affiliates. Throughout this Policy, 'Service' refers to all platforms through which we operate, including our websites, web-based account portals, and any mobile applications. 

• User Categorization: This Policy applies to Restaurant Users (merchants), Restaurant Customers (diners), and Resellers (entities managing accounts for Restaurants).
• Agreement: By using the Service, you agree to this Policy, which is incorporated into our Terms of Service.
• International Data Transfer: The Service is hosted in the United States. If you access the Service from the EU, Asia, or other regions, you expressly consent to the transfer and processing of your data in the U.S.
• Minors: We do not knowingly solicit information from or market to children under 18. If we learn data from a minor under 13 was collected without parental consent, we will delete it per COPPA requirements.
• Mobile Applications: {ACCOUNT_NAME} may or may not have an online ordering app available from the Apple App Store or Google Play Store. If an app is available, it is named here: (if this space is blank, no app is currently available for this account). 

2. Types of Information We Collect & How We Collect It

We, along with any third-party companies or individuals with whom we work, may collect information directly and voluntarily from you when you use the Service or contact us directly. Some, but not all, information we may collect is mentioned throughout this privacy policy. 

2.1 Personal Information

Personal information we collect that can identify you includes but is not limited to the following:

• Contact & Account Data: Name, email, phone number, and postal address.
• Credentials: Username, password, and security info for authentication.
• Payment and Financial Information: We collect and process financial information to facilitate transactions and comply with financial regulations. The specific data collected depends on your interaction with the Service.

• For Customers: To process your orders, we collect your card type (e.g., Visa, Mastercard), the last four digits of your card number, and the expiration date, billing address, and phone number.
  • Secure Tokenization: We utilize PCI-compliant payment orchestration and vaulting services (such as Spreedly) to "tokenize" your payment information. This means your full credit card number is replaced with a unique, non-sensitive identifier (a "token"). We do not store raw, unencrypted credit card numbers or security codes (CVV) on our primary web servers.
  • Restaurant Storage: For Customers, payment data may also be stored by Restaurants you order from. Please review their individual privacy policies.
• For Restaurants: To facilitate payouts, manage your account, and satisfy federal "Know Your Customer" (KYC) and tax reporting requirements, we collect:
  • Business information (Legal Name, EIN/Tax ID, and bank account/routing numbers).
  • Personal identification for business principals (Name, Address, and Social Security Number where required by law for identity verification).
• Transaction Metadata: For all users, we collect transaction-related data, including order totals, timestamps, and authorization codes provided by processing partners (e.g., Stripe, Square, or our sponsoring banks) to facilitate refunds and prevent fraud.

• Identifiers & Demographics: IP addresses, device info, and location data when linked to identifiable data.
• Order Details: Goods and/or services purchased, special instructions (including dietary or allergen notes), order amounts, date/time of the transaction and other information related to the order. 
• Fulfillment Details: Whether the order was for pickup, dine-in, or delivery.
• Reward Data: Details of any loyalty points earned or redeemed and coupons or promotional codes applied to the order.
• Inferences: Profiles reflecting your preferences (e.g., favorite cuisines or ordering habits) drawn from the data above.

How We Collect Personal Information 

We collect this data when you:

• Visit a website owned or managed by our company or partners.
• Register or create an account.
• Place an order or conduct a transaction.
• Email us or use electronic forms.
• Are added to the Service by a Reseller or Restaurant.
• Respond to surveys or enter promotions.

2.2 Non-Personal Information

For statistical data that does not identify you personally, we may collect (among other data):

• Anonymous usage data, referring/exit URLs, browser/platform type, equipment used, mobile device hardware models, and date/time of requests.

2.3 SMS Marketing & Communications Data 

If you opt in to receive SMS marketing messages through our Service or through a Restaurant's SMS marketing program operated on our platform, we collect and process the following data in connection with that program:

• Consent records: Your mobile phone number, the date, time, and timezone of your opt-in, the method by which you opted in (e.g. web form, keyword reply, QR code), the exact consent language presented to you at the time of opt-in, and your IP address where consent was collected via a web form.
• Communication history: Records of messages sent to your mobile number, including message content, delivery status, timestamps, and any responses or interactions (including opt-out events).
• Opt-out and suppression data: If you unsubscribe from SMS communications, we retain a record of your opt-out (phone number, timestamp, and method) in a suppression list to ensure no further marketing messages are sent to you. This record is retained even if you request deletion of other personal data, as it is required for ongoing legal compliance.
• Re-opt-in events: If you previously opted out and subsequently re-enrolled in SMS communications, we retain a record of that re-enrollment.

How this data is collected

We collect SMS marketing data when you:

• Submit a web form or check an opt-in checkbox on our platform or on a Restaurant's page operated through our platform.
• Reply to a keyword (such as JOIN or YES) to a designated SMS number.
• Scan a QR code linked to an SMS opt-in program.

Important disclosures

• Consent to receive SMS marketing is voluntary and is never a condition of placing an order or using our Service.
• Message and data rates may apply. Message frequency varies by program.
• You may opt out of SMS marketing at any time by replying STOP (or ARRÊT for Quebec residents) to any message you receive. You will receive one final confirmation message and no further marketing messages will be sent.
• Reply HELP to any message for assistance, or contact us at [support email / phone].
• SMS consent data is not sold, rented, or shared with third parties for their own marketing purposes.
• We retain consent records for a minimum of four years from the date of opt-in, or three years following opt-out, whichever is longer, as required by applicable law.

Sub-processors

To deliver SMS marketing services, your mobile number and associated consent data may be processed by our SMS infrastructure providers (such as Twilio, Telnyx, or Sinch). These providers act as sub-processors under contractual data protection obligations consistent with this policy. A current list of our SMS sub-processors is available upon request.

2.4 Social Sign-On

If you use platforms like Google, Apple, or Facebook to sign in:

• Permission: You grant us access to platform info per your privacy settings.
• Security Disclaimer: We are not liable for unauthorized access or data exposure resulting from the compromise of your third-party credentials. We are not responsible for the loss of account data if a third-party platform modifies or terminates its integration.
• Limitations: Our ability to provide social sign-on is dependent on the third-party platform’s APIs and policies. We are not responsible for any inability to access your account or the loss of account data if a third-party platform modifies, suspends, or terminates its integration with our Service.
• Data Minimization & Usage: You acknowledge that third-party platforms may provide the Company with more information than is required for the Service. The Company’s use of such data is strictly limited to information necessary to authenticate your identity and process your orders (e.g., name and email address). We do not store, sell, or utilize any extraneous data (such as social connections or personal interests) that may be transmitted via the third-party platform’s API.

3. Automatic Data Collection and Data Technologies

3.1 Data Technologies Various technologies are used to automatically collect information, such as cookies, local shared objects, and web beacons (collectively, “Data Technologies”). These may be used by us or by third parties on our behalf to connect information about you from different sources, devices, and mobile applications.

3.2 Analytics and Performance Tools We use analytics tools (such as Google Analytics and Splunk) to collect information about your equipment, browsing actions, and patterns. This statistical data helps us maintain security, troubleshoot technical issues, and improve Service functionality.

3.3 Specific Technologies Used:

• Cookies (or browser cookies): Small files placed on your device. You may refuse them via browser settings, but this may limit your access to certain parts of the Service.
• Global Privacy Control (GPC): We recognize and process GPC signals. If transmitted, we treat them as a valid request to opt-out of the "sale" or "sharing" of personal info for targeted advertising.
• Web Beacons: Small electronic files (clear gifs, pixel tags) used to count users who visited pages or opened emails and for system/server integrity verification.
• Local Shared Objects: Certain features of our Service may use locally stored objects to collect and store information about your preferences and navigation. These are managed differently than browser cookies.
• Log Files & SDKs: We automatically log information such as your IP address, browser type, and "clickstream" data. In our mobile applications, we use Software Development Kits (SDKs) to collect information regarding app performance and user interaction.
• reCAPTCHA: We have implemented Google reCAPTCHA on certain products to prevent malicious software from engaging in abusive activities. You acknowledge that Google’s Privacy Policy and Terms of Service apply to the data collected by this feature.

3.4 Third-Party Use of Data Technologies Some content or applications on the Service are served by third parties, including advertisers, ad networks, and content providers. These third parties may use cookies alone or in conjunction with web beacons to collect information about you when you use our Service. We do not control these third parties' tracking technologies.

3.5 Location, Other Sources, & Minors

Location Information We may, from time to time, track user location through IP logging for security and fraud prevention purposes. User location may also be tracked in connection with our use of automatic data collection technologies, such as Google Analytics.

Do Not Track Disclosure You may set your web browser to transmit a “Do Not Track” signal to websites and online services you visit. At this time, we do not respond to or alter our practices when our systems receive a Do Not Track signal from a user’s web browser. For more information on Do Not Track, please visit www.allaboutdnt.com.

Information Collected from Other Sources We may obtain information about you from other sources, such as public databases, joint marketing partners, as well as from other third parties. Examples include social media profile information, marketing leads, and search results/links (including paid listings).

• Google Analytics Advertising Features: We use these features to collect data about website traffic via Google advertising cookies. You can learn more about how Google uses data here and opt-out of Google tracking here.
• Content Tracking: As part of your user experience, we may track the photos and videos you view on the Sites. You expressly consent to our tracking of your photo and video viewing history through the Site or third-party social media for up to two years or as permitted by applicable law.

We Do Not Collect Information from Minors We do not knowingly solicit data from or market to children under 18 years of age. By using the Service, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Service. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data. If you become aware of any data we have collected from children under age 18, please contact us at help@springroll.com.

4. How We Use Your Information

We use personal information collected via the Service for a variety of business purposes described below. We process your data based on our legitimate business interests ("Business Purposes"), to perform a contract with you ("Contractual"), with your "Consent", and/or for compliance with our "Legal Reasons".

• Account Management (Consent/Contractual): To facilitate account creation, logon, and general account management.
• Order Facilitation (Contractual/Business): To confirm, process, and fulfill orders between Restaurant Customers and Restaurants. This includes sharing contact and payment info with the relevant parties.
• Marketing Communications (Business): We and/or our third-party marketing partners may use your info for marketing purposes in accordance with your preferences. You may opt-out at any time via the "unsubscribe" link in our emails.
• Administrative Updates (Contractual/Business): To send you information regarding product/service updates, new features, or changes to our terms and policies.
• Testimonials (Consent): We may post testimonials that contain personal info. We will obtain your consent prior to posting. To update or delete a testimonial, contact us at help@springroll.com.
• Feedback & Troubleshooting (Business): To request feedback and contact you regarding your use of our Service.
• Security & Fraud Prevention (Business/Legal): To keep our Service safe and secure, including fraud monitoring and platform integrity.
• Legal Compliance & Harm Prevention (Legal): To respond to subpoenas or legal requests, and to enforce our terms, conditions, and policies.
• Analytics & Operations (Business): For data analysis, identifying usage trends, and evaluating the effectiveness of promotional campaigns to improve your experience.
• Video/Photo History (Consent): As noted in Section 1, you expressly consent to our tracking of your viewing history for up to two years.

4.1 Advertising Networks and Interest-Based Ads

We may partner with advertising networks to deliver "online behavioral" or "interest-based" advertising.

• Customization: These networks use Data Technologies to deliver ads tailored to your interests based on your visits across different websites and apps.
• Data Usage: While we do not provide your name or address directly to these networks, advertisers may infer interests based on your interaction with a customized ad.
• Your Control: You may see an icon in third-party ads that provides more info about the data practices used. To opt-out of targeted advertising by multiple companies, visit https://youradchoices.com/. Note: You will still see ads, but they will no longer be tailored to you.

4.2 SMS Marketing & Communications Data 

We use SMS marketing data to:

• Send promotional messages, offers, and updates from Restaurants whose SMS marketing programs you have opted in to receive.
• Maintain records of your consent for legal and regulatory compliance purposes, including compliance with the Telephone Consumer Protection Act (TCPA) and, where applicable, Canada's Anti-Spam Legislation (CASL).
• Honor opt-out requests and maintain suppression lists to ensure no further marketing messages are sent following unsubscription.
• Analyze aggregate campaign delivery and engagement metrics to improve the Service. This analysis does not involve selling or sharing individual subscriber data.

5. Sharing Your Information

We do not sell or otherwise share information about you, except as described below:

5.1 Restaurants, Resellers, Delivery Services, and Authorized Service Intermediaries. If you place an order, your personal information (including, but not limited to, name, phone, email, order details, and payment information) is shared with the Restaurant, any Resellers managing the account, selected platforms, delivery services, and our authorized service intermediaries.

• Export Warning: We allow Restaurants and Delivery Services to export such information outside of our services, where it may be retained or distributed in perpetuity. While we expect these parties to handle data in accordance with the law, we cannot control and are not liable for how your information is used once it is outside our Service.

5.2 Vendors and Third-Party Service Providers. We share data with vendors who perform work or provide services on our behalf (hosting, payment processing, etc.). This list is illustrative and subject to change:

• Google Analytics, Stripe, Splunk, Spreedly, Amazon Web Services (AWS), Twilio, and Bandwidth.

5.3 Corporate Affiliates & Asset Transactions. We may share info with our corporate affiliates or transfer your data as part of a merger, sale of assets, or substantial business transfer.

5.4 Promotions and Third Parties.

• Co-Sponsored Promotions: If you enter a contest co-sponsored by a third party, your info is shared with them and subject to their privacy policy.
• Third-Party Surveys: Info provided to third parties conducting their own surveys on our site is governed by their respective policies.

5.5 Legal, Financial, and Regulatory Compliance. We may disclose information to comply with law (subpoenas, court orders), to fulfill mandatory tax reporting requirements, or to satisfy banking and "Know Your Customer" (KYC) obligations required by our financial partners. This includes sharing information with the IRS, state tax authorities, and our sponsoring banks.

5.6 With Your Consent. With your explicit opt-in, we may use your data for personalized marketing. You may withdraw this consent at any time via "unsubscribe" links or by contacting us. We may also disclose info for any other purpose with your explicit consent.

5.7 Other Disclosures. We may disclose info to protect our legal rights, the safety of our users, for risk management/fraud protection, or to comply with prudent legal practice.

6. Security, Retention, and Data Responsibility

6.1 Security Practices and Risks. We implement security measures designed to protect your information from unauthorized access, use, or disclosure, including encryption, firewalls, and secure socket layer (SSL) technology. However, these measures do not guarantee that your information will not be accessed, disclosed, altered, or destroyed by a breach of such firewalls and secure server software. By using our Service, you acknowledge that you understand and agree to assume these risks, and we shall not be responsible for the circumvention of any of the Service’s privacy settings or security measures.

6.2 Data Responsibility & Backups. Although we perform regular routine backups of data, you are solely responsible for all data that you transmit or that relates to any activity you have undertaken using the Service. You agree that we shall have no liability to you for any loss or corruption of any such data, and you hereby waive any right of action against us arising from any such loss or corruption of such data.

6.3 Data Retention Practices. In general, we only retain personal information for as long as you are using the Service or as needed to satisfy legal requirements, enforce our agreements, and resolve disputes.

• Financial & Tax Compliance: Notwithstanding a request for deletion, we are required by law to retain Transaction Information (including order history, payment metadata, and tax records) for a minimum of seven (7) years to comply with tax audits, financial regulations, and "Know Your Customer" (KYC) requirements.
• Technical Delays: We aim to delete information promptly, but there may be technical delays in removing data from our servers, and backed-up versions may still exist after deletion. * Anonymized Data: We do not delete data that has been rendered anonymous or maintained in de-identified, aggregated form.
• Retention Factors: To determine retention periods, we consider the sensitivity of the data, the potential risk of harm from unauthorized disclosure, and applicable legal requirements.

6.4 User Responsibility. If you have an account, we urge you to keep your username and password protected. You should only access the services within a secure environment.

7. Your Privacy Rights

7.1 General Rights. We aim to provide transparency and accessibility. Depending on your jurisdiction (including the EEA and various U.S. states), you may request:

• Access & Portability: A copy of your data in a structured, electronic format.
• Correction & Deletion: Request that we fix or delete your data.
• Objection & Restriction: Object to our processing or request that we stop processing your data.

7.2 Limitations on Deletion. We may not be able to delete your data except by also deleting your account. We cannot accommodate requests that violate law or cause information to be incorrect. Important for Restaurant Customers: Even if we delete your data from our systems, we cannot delete data retained by a Restaurant or Reseller after it was shared to process an order. You must contact the Restaurant or Reseller directly for such requests.

7.3 Right to Opt-Out (CCPA "Sale" Disclosure). The CCPA defines “sale” very broadly. The transfer of your information to third parties to facilitate your orders or provide the Service (as described in Section 5) may be construed as a sale under California law. We do not sell your personal information to third parties for independent marketing purposes. We only share information with the third parties necessary to process your transaction or as otherwise detailed in Section 5. You may opt-out of this "sale," though doing so will prevent us from processing your orders.

7.4 Exercising Your Rights & Verification.

• Non-Discrimination: We will not discriminate against you for exercising your rights.
• Verification Process: To protect your data, we must verify your identity. We may require first/last name, email address, phone number, address, and the amount and date of your last transaction.  
• Authorized Agents: California residents may designate an authorized agent via written permission or power of attorney. We will still require you to verify your identity directly with us.

7.5 California-Specific Rights.

• Shine the Light: Residents may request, once a year, information about categories of information disclosed to third parties for direct marketing.
• Minor Content Removal: Users under 18 in CA may request removal of publicly posted content.
• Do Not Track & GPC: We do not respond to DNT signals, but we do respond to GPC (Global Privacy Control) signals as a valid opt-out preference.

7.6 Additional State Rights (CO, CT, VA, UT, NV). Residents of these states have specific rights to confirm processing, delete data, and opt-out of targeted advertising. To exercise these or appeal a decision, email help@springroll.com.

7.7 California Notice at Collection and Financial Incentive

This notice provides California residents with the specific disclosures required by the CCPA/CPRA regarding the collection of personal information and the rewards/discounts we offer.

• Categories of Information Collected: We collect identifiers (name, email, phone number), commercial information (order history, restaurant preferences), and geolocation data (delivery addresses and IP addresses).
• Business Purpose for Collection: We use this data to process and deliver your orders, detect and prevent fraud, and provide you with personalized promotional offers, discounts, and restaurant updates.
• Notice of Financial Incentive: The Company may offer coupons, discounts, or loyalty rewards to users who provide their contact information for marketing purposes.
  • Value of Data: We provide these incentives based on our good-faith estimate of the value of your contact information, which allows us to offer more personalized services and drive repeat business to our restaurant partners.
  • Method of Opt-in: You opt-in to these incentives by placing an order or creating an account where a marketing disclosure is present.
  • Right to Withdraw: You may withdraw from these incentives at any time by using the "Unsubscribe" link in any email or replying "STOP" to any text message.
• Data Retention: We retain your personal information for as long as your account is active or as needed to provide the Service, resolve disputes, and comply with legal requirements.
• No "Shady" Sharing: We do not sell your personal information to third parties for their own independent marketing. Sharing is limited to the Restaurants and service providers necessary to fulfill your orders.

7.8 Canadian Residents (CASL & PIPEDA). If you are located in Canada, the following additional rights and disclosures apply:

• Commercial Electronic Messages (CASL). We will only send you commercial electronic messages (including email and SMS marketing) if we have obtained your express or implied consent as defined under Canada's Anti-Spam Legislation (CASL). You may withdraw consent at any time by clicking "Unsubscribe" in any email or replying ARRÊT or STOP to any SMS message. Withdrawal of consent will be processed within 10 business days.
• Access & Correction (PIPEDA). Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to request access to your personal information held by us and to request correction of any inaccuracies. To exercise these rights, contact us at help@springroll.com. We will respond within 30 days.
• Accountability. The Company is responsible for personal information under its control and has designated a privacy officer accountable for compliance with PIPEDA. Contact our privacy officer at help@springroll.com.
• Complaints. If you are unsatisfied with our handling of your personal information, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

8. Account Management & Updates

8.1 Changes to Account Data. You may review, change, or terminate your account by logging into your settings or emailing help@springroll.com. Upon termination, we deactivate your account but may retain certain info to prevent fraud or comply with legal requirements.

8.2 Account & Data Deletion.You may request deletion of your account and associated personal data at any time by logging into your account settings through the Service or by emailing help@springroll.com. This deletion pathway remains available regardless of how you previously accessed the Service. We will process deletion requests within 45 days, subject to the retention limitations described in Section 6.3 (e.g., transaction records required for tax compliance). Upon verified request, we will delete or anonymize your personal information and confirm completion via email. 

8.3 External Links. We are not responsible for the privacy practices of third-party websites or applications linked through our Service. Please read their privacy statements before proceeding.

8.4 Policy Updates. We may update this policy from time to time to reflect changes in our practices or legal obligations.

• Notification: For material changes, we will notify you via email or through a prominent notice on the Service (such as a banner or a notice at the point of checkout) prior to the change becoming effective.
• Review: The "Last Updated" date at the top of this page indicates the latest revision. We encourage you to review this policy periodically.
• Continued Use: Your continued use of the Service after a material change constitutes your acknowledgment of the updated terms.

9. Accessibility 

If you have a disability and need to access this policy in an alternative format, please contact us at accessibility@springroll.com or (800) 535-8613.

10. Contact Information

If you have questions or comments about this policy, you may contact us at:

• Email: help@springroll.com
• Address: 8480 Honeycutt Rd. Suite 200, Raleigh, NC 27615
• Phone: (800) 535-8613