Kitch — Privacy Policy
Last updated: September 28, 2025
Who we are: Kitch, operated by Grid Creative Advertising Inc. ("Kitch", "we", "us", "our").
Applies to: The Kitch dashboard, restaurant app templates, websites (including getkitch.com), and related services and APIs (the “Service”).
This is a working draft for counsel review. Brackets [like this] indicate fields you may tailor before publishing.
1) Scope & Roles
- B2B focus. Kitch is offered to restaurants and food service businesses (each, a “Customer”).
- Controller vs. Processor. When Customers upload or generate data about their staff and end customers (e.g., menu images, store hours, promotions, roster, limited customer info), the Customer is typically the controller/business and Kitch acts as the processor/service provider. For our own business operations (e.g., account administration, security, analytics), Kitch is an independent controller.
- Regional coverage. This Policy is designed for Canada (PIPEDA/CASL), the United States (state privacy laws including CA/CO/CT/UT/VA), and the EEA/UK/Switzerland (GDPR/UK GDPR).
2) Personal Data We Collect
We collect information in the categories below, depending on how you use the Service.
From account holders and workspace users (restaurant staff):
- Identifiers & contact. Name, email, phone, role, organization, branch location, authentication or SSO IDs.
- Account & usage. Tenant ID, role assignments, feature usage, settings, device/browser metadata, IP address, event logs, support tickets.
- Payment & billing. Billing contact, plan tier, transaction records [processed by third‑party payment processors].
From our websites and marketing:
- Online identifiers. Cookies and similar technologies, IP, pages viewed, referral URLs.
- Lead data. Forms (name, email, company, role, interests), campaign performance.
From end customers of restaurants (when provided by the Customer):
- Basic contact/order metadata. Only where the Customer chooses to collect or sync such data via integrations or custom fields. Customers should avoid uploading sensitive categories unless strictly necessary.
Special categories. We do not seek to collect sensitive personal data (e.g., health, precise geolocation, biometric templates). Customers should not upload such data to the Service. If you believe sensitive data has been uploaded in error, contact us to request removal.
3) Sources of Personal Data
- You or your organization (account creation, workspace configuration, customer support).
- Automated collection through the Service (logs, cookies, device/browser signals).
- Third‑party integrations you connect (e.g., analytics, storage, authentication, communications tools).
- Public sources and vendors that help us validate business contact information.
4) How We Use Personal Data (Purposes & Legal Bases)
We use personal data to:
- Provide and secure the Service (account setup, role‑based access, uptime, incident response).
- Operate, maintain, and improve features, UI, and performance.
- Support (answer requests, diagnose issues).
- Billing and account management.
- Communications (service notices, product updates; optional marketing with your consent or as permitted by law).
- Compliance with legal obligations and enforcement of our Terms.
- Research & analytics using aggregated/de‑identified data.
GDPR/UK GDPR legal bases. Depending on context: performance of a contract, legitimate interests (e.g., securing and improving the Service, preventing fraud), consent (where required for marketing/cookies), and legal obligation. Where we act as a processor, the Customer provides the lawful basis and instructions in the DPA.
5) AI‑Assisted Features
Some features generate text or outputs ("Outputs") from prompts and your inputs. We process the necessary data to deliver these features and to prevent abuse. AI Outputs may be inaccurate—review before publishing. We do not use your Customer Content to train third‑party foundation models unless expressly stated in the DPA or your settings.
6) Cookies & Similar Technologies
- Types. Strictly necessary (auth, security), functional, performance/analytics, [optional advertising].
- Controls. You can manage non‑essential cookies via our banner (in the EEA/UK) and settings page; you may also configure your browser to block cookies.
- Analytics. We use privacy‑respecting analytics with IP truncation where supported. See our Cookie Notice for details.
- Advertising. [We do not conduct cross‑context behavioral advertising and do not sell/share personal information as defined by CPRA.] [OR: We may engage in limited retargeting—provide “Do Not Sell or Share” controls and GPC signals.]
7) Sharing & Disclosures
We share personal data with:
- Service providers / sub‑processors who support hosting, storage, security, email delivery, analytics, and support; we bind them by contract to only process as instructed.
- Integrations you choose to enable in your tenant (data is shared under the terms you accept with those providers).
- Corporate transactions (merger, acquisition, financing, or sale of assets).
- Legal and safety (to comply with law or protect rights, security, and the Service). We do not sell personal information.
8) International Data Transfers
Where data moves outside its origin country/region, we rely on appropriate safeguards:
- EEA/Switzerland → outside EEA. EU Standard Contractual Clauses (SCCs) with supplementary technical and organizational measures.
- UK → outside UK. The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
- Additional risk assessments and controls as appropriate.
9) Data Retention
We retain personal data for the term of your subscription and a reasonable period thereafter to comply with legal obligations, resolve disputes, and maintain security. We may retain backups for a limited period. We will de‑identify or delete data when it is no longer needed.
10) Security
We implement administrative, technical, and physical safeguards aligned with industry standards, including access controls, encryption in transit, vulnerability management, monitoring, and employee training. No method is 100% secure; please safeguard your credentials and notify us promptly of suspected unauthorized access.
11) Your Privacy Rights
EEA/UK/Swiss individuals may have the rights of access, rectification, erasure, restriction, objection, and data portability; where consent is the legal basis, you may withdraw consent at any time. United States residents (where applicable laws apply) may have rights to access/know, delete, correct, and to opt out of sale/share/targeted advertising and of profiling decisions with legal effects. We honor Global Privacy Control (GPC) signals where required. Canada: You may request access to and correction of your personal information and may withdraw consent to marketing under CASL.
How to exercise rights. Email privacy@getkitch.com with your name, organization, region, and request. We will verify your identity and respond within applicable timelines. Authorized agents may submit requests where permitted by law. You may appeal a decision by replying “appeal” to our response in jurisdictions that provide an appeal right.
Restaurant end customers. If your data was provided by a restaurant using Kitch, please contact that restaurant to exercise your rights; we will support them as processor.
12) Children’s Privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child provided data, contact us to request deletion.
13) Communications & Marketing
- Service communications. We may send transactional or service‑related emails (e.g., security alerts, feature notices).
- Marketing. We send marketing only with consent or as permitted by law. You can unsubscribe via the email footer or by contacting us. For Canada (CASL), we rely on express or implied consent and identify our sender information clearly.
14) Third‑Party Links & Integrations
Third‑party sites and services are governed by their own privacy policies. Review those policies before enabling integrations or sharing information.
15) Data Processing Addendum (DPA)
Our DPA (including SCCs/UK IDTA as applicable) forms part of your contract when Kitch processes Customer Personal Data on your behalf. Contact legal@getkitch.com to execute a copy or visit [link].
16) Changes to this Policy
We may update this Policy to reflect changes in our practices or legal requirements. If changes materially affect your rights, we will provide advance notice (e.g., email or in‑app) and indicate the effective date at the top of the page.
17) How to Contact Us
Controller (for Kitch’s own processing): Grid Creative Advertising Inc.
[Mailing address]
Email: privacy@getkitch.com
[If applicable: Data Protection Officer: dpo@getkitch.com]
For processor requests (restaurant end customers): Contact your restaurant directly. We assist Customers in responding to verified requests.
18) Regional Disclosures
EEA/UK/Switzerland:
- Controller details. See Section 17.
- Lawful bases. Contract, legitimate interests (e.g., security, improvement), consent (marketing/cookies), legal obligation.
- Data subject rights. As listed in Section 11.
- Transfers. SCCs and UK IDTA/addendum (Section 8).
- Supervisory authority. You may lodge a complaint with your local supervisory authority.

United States:
- Notice at collection. Categories collected and purposes are described in Sections 2 and 4.
- Sensitive data. We do not collect or use sensitive data for inferring characteristics.
- Sale/Share/Targeted advertising. [We do not sell or share personal information for cross‑context behavioral advertising.] [If enabled, provide opt‑out link and honor GPC.]
- Non‑discrimination. We will not discriminate for exercising privacy rights.
- Appeals. If we deny your request, you may appeal by replying “appeal.”

Canada:
- Accountability. We are responsible for personal information under our control and have designated contacts (Section 17).
- Consent. We obtain meaningful consent for collection, use, and disclosure, except where permitted by law.
- Access & correction. You may request access and correction (Section 11).
- Cross‑border. Information may be processed outside Canada and subject to foreign laws; see Section 8.
- CASL. We send commercial electronic messages in compliance with CASL; unsubscribe at any time.
19) Definitions
Customer means a business using Kitch. Customer Personal Data means personal data processed by Kitch on behalf of a Customer within the Service. Personal Data/Personal Information means information that identifies or relates to an identifiable individual. Processor/Service Provider means an entity processing personal data on behalf of a controller/business. SCCs means the EU Standard Contractual Clauses.
Optional Appendices (add links if applicable)
- Data Processing Addendum (DPA) — [link]
- Sub‑processor List / Trust Page — [link]
- Cookie Notice — [link]
Data Processing Addendum (DPA)
Last updated: September 28, 2025
Between: Grid Creative Advertising Inc. ("Kitch", "Processor", "Service Provider"), and the undersigned customer ("Customer", "Controller", "Business").
This DPA forms part of the agreement between the parties governing Customer’s use of Kitch’s Service (the “Agreement”). Capitalized terms not defined here have the meaning in the Agreement or, where indicated, in applicable data protection laws.
This is a working draft for counsel review. Brackets [like this] indicate configurable fields.
1) Scope & Roles
1.1 Roles. For Customer Personal Data processed in the Service, Customer is the Controller/Business and Kitch is the Processor/Service Provider. For Kitch’s own business operations (security, anti‑abuse, analytics of de‑identified aggregates), Kitch is an independent Controller.
1.2 Processing. Kitch will Process Customer Personal Data only on documented instructions from Customer, as set forth in the Agreement, this DPA, and Customer’s configuration of the Service.
2) Details of Processing (Annex I)
- Subject matter. Provision of the Service (dashboard, templates, APIs, hosting, and support).
- Duration. Term of the Agreement plus the Deletion Period (Section 10).
- Nature & Purpose. Hosting, storage, retrieval, transmission, display, transformation, backup, security, support, and analytics of de‑identified aggregates.
- Types of Data. Basic identifiers (names, emails), role/permission metadata, logs, limited end‑customer contact/order metadata when enabled by Customer. No special categories are required for the Service, and none should be uploaded.
- Data Subjects. Customer’s staff/users, contractors, and end customers if provided by Customer.
- Processing Locations. Primary: [Canada/US]. Cross‑border transfers may occur per Section 11.
3) Customer Instructions
3.1 Kitch shall Process Customer Personal Data solely on Customer’s instructions and in compliance with applicable laws.
3.2 Customer is responsible for the lawfulness of its instructions, the accuracy of data provided, and obtaining necessary consents/permissions.
3.3 If Kitch reasonably believes an instruction violates law, it will notify Customer unless prohibited by law.
4) Confidentiality & Personnel
Kitch ensures that personnel authorized to Process Customer Personal Data are bound by confidentiality obligations and receive appropriate privacy/security training.
5) Security (Annex II)
5.1 Measures. Kitch implements appropriate technical and organizational measures ("TOMs") designed to protect Customer Personal Data, considering the state of the art, costs, nature, scope, context, and risks. Measures include, at a minimum: access control; encryption in transit; network segregation; vulnerability and patch management; monitoring and logging; secure development practices; and business continuity/disaster recovery.
5.2 Updates. Kitch may update the TOMs from time to time, provided the overall security is not materially diminished.
6) Sub‑processors
6.1 Authorization. Customer hereby provides general written authorization for Kitch to engage Sub‑processors to Process Customer Personal Data.
6.2 Requirements. Kitch will: (a) impose data protection obligations on Sub‑processors no less protective than those in this DPA; (b) remain responsible for Sub‑processors’ acts and omissions; and (c) maintain a public or customer‑accessible list of current Sub‑processors (the “Sub‑processor List”).
6.3 Changes. Kitch will provide prior notice of new Sub‑processors by updating the Sub‑processor List and, where required, emailing account owners [<days> days] in advance. Customer may object on reasonable, documented grounds related to data protection by notifying Kitch within [<days> days] of notice. If the parties cannot resolve an objection in good faith, Customer may terminate the affected Service and receive a pro‑rata refund of prepaid, unused Fees for the terminated portion.
7) Assistance
Kitch will provide reasonable assistance to Customer to: (a) respond to data subject requests; (b) conduct DPIAs and consult with regulators where required; and (c) demonstrate compliance with this DPA, taking into account the nature of the Processing and available information.
8) Audits & Reports
8.1 Documentation. Upon written request, Kitch will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., security overview, policies, summaries of penetration tests, and third‑party audit reports where available).
8.2 Audits. If such documentation is insufficient, and no materially equivalent assurance is available, Customer may conduct an audit [no more than once per 12 months], subject to: (a) 30 days’ notice; (b) a detailed audit plan; (c) confidentiality; (d) non‑interference with operations; and (e) reimbursement of Kitch’s reasonable costs. Remote audits are preferred; onsite audits where required by law.
9) Incident Response & Breach Notification
Kitch maintains an incident response program. In the event of a Security Incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data, Kitch will notify Customer without undue delay and include information known at the time (nature, categories, approximate numbers, likely consequences, measures taken or proposed). Kitch will update information as it becomes available and cooperate in good faith.
10) Return & Deletion
Upon termination or expiration of the Agreement, Kitch will, at Customer’s choice and within a reasonable period, delete or return Customer Personal Data, unless retention is required by law. Backups will age out pursuant to standard retention cycles. Kitch may retain minimal logs as necessary for security, billing, or legal compliance.
11) International Transfers
11.1 Mechanisms. Where Kitch or its Sub‑processors transfer Customer Personal Data internationally, Kitch will ensure appropriate safeguards, including: (a) EU Standard Contractual Clauses (SCCs) (Processor‑to‑Processor/Controller‑to‑Processor modules as applicable); and (b) UK IDTA/Addendum for UK transfers.
11.2 Supplementary Measures. Kitch will implement technical, contractual, and organizational measures to address government access risks where required (e.g., encryption in transit, access controls, transparency).
11.3 Docking Clause. Affiliates may accede to the SCCs as data exporters or importers by executing a Joinder.
12) CCPA/US State Law (Service Provider/Processor Terms)
For California (CPRA) and similar U.S. state laws, Kitch shall: (a) act as a Service Provider/Processor; (b) not sell or share personal information or use it for cross‑context behavioral advertising; (c) not retain, use, or disclose personal information for any purpose other than to provide the Service or as otherwise permitted by law; (d) comply with applicable audit rights; and (e) notify Customer if Kitch determines it can no longer meet its obligations under applicable privacy laws.
13) Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except to the extent such limitations are prohibited by applicable law.
14) Conflict; Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls for data protection matters. If there is a conflict between this DPA and the SCCs or UK IDTA/Addendum, the SCCs/IDTA control to the extent of the conflict.
15) Miscellaneous
15.1 Governing Law. As specified in the Agreement/Regional Terms, without prejudice to the SCCs’ governing law where applicable.
15.2 Severability. If a provision is unenforceable, the remainder remains in effect.
15.3 Counterparts & Electronic Signatures. This DPA may be executed electronically and in counterparts.
Annex I — Description of Processing
(See Section 2.)
Annex II — Technical & Organizational Measures (TOMs)
- Access controls (role‑based, least privilege, MFA for admin access)
- Encryption in transit (TLS), encryption at rest [if applicable to storage tier]
- Network security (segmentation, firewalls, DDoS protections)
- Logging/monitoring, anomaly detection
- Secure SDLC, code review, dependency scanning
- Vulnerability management and patching
- Business continuity and disaster recovery
- Employee security training and background checks as permitted by law
- Incident response runbooks and tabletop exercises
Annex III — Sub‑processors
See current Sub‑processor List (Trust page) referenced below.
Annex IV — International Transfer Addendum
- EEA/Swiss SCCs. Controller↔Processor and Processor↔Processor modules as applicable, including Annexes I–III.
- UK Addendum/IDTA. Incorporated by reference for UK transfers.
- Additional Safeguards. Commitment to challenge unlawful government data access requests where legally permitted.
Signatures
By executing the Agreement or an Order that references this DPA, the parties agree to this DPA.
Customer: [Legal Name]
By: [Name/Title]
Date: []
Grid Creative Advertising Inc. (Kitch)
By: [Authorized Signatory]
Date: []
Kitch — Cookie Notice
Last updated: September 28, 2025
Applies to: getkitch.com, app subdomains, and related web properties operated by Grid Creative Advertising Inc.
This Cookie Notice explains how Kitch uses cookies and similar technologies (collectively, “cookies”) and how you can control them.
1) What are cookies?
Cookies are small text files stored on your device. Related technologies include local storage, pixels, SDKs, and tags. We use cookies to make the Service work, to understand usage, and (if enabled) to improve marketing.
2) Types of cookies we use
- Strictly necessary — required for core site functionality (authentication, security, load balancing). These cannot be switched off.
- Functional — remember choices like language, branch/location, and preferences.
- Performance/Analytics — help us measure and improve the Service (page performance, feature usage).
- Advertising [optional] — used for limited retargeting or to measure campaign effectiveness. Disabled by default in the EEA/UK until consent is obtained.
3) Legal basis & consent
- In the EEA/UK/Switzerland, we request consent for non‑essential cookies via a banner.
- In other regions, we rely on consent or legitimate interests, as permitted by law.
- You may withdraw consent at any time via the Cookie Settings link (footer) or the banner.
4) Your choices
- Cookie banner & settings. Use the banner or Cookie Settings to accept/reject non‑essential categories.
- Browser controls. Block or delete cookies in your browser.
- Global Privacy Control (GPC). We honor GPC signals where required by law.
- Do Not Sell or Share. If we enable advertising technologies that qualify as “sale” or “sharing” under CPRA, you can opt out via Do Not Sell or Share My Personal Information.
5) Cookies we set (examples)
Replace placeholders with your actual tools and retention.
| Cookie/Tool | Type | Purpose | First/Third Party | Retention |
|---|---|---|---|---|
| kitch_session | Strictly necessary | Maintains login session | First | Session |
| kitch_csrf | Strictly necessary | CSRF protection | First | Session |
| kitch_prefs | Functional | Stores UI and branch preferences | First | 12 months |
| [Analytics SDK] | Performance | Usage analytics (IP truncated where supported) | Third | 13 months |
| [A/B testing] | Performance | Feature experiment bucketing | First/Third | 6–12 months |
| [Ad platform pixel] | Advertising | Campaign measurement/retargeting | Third | 3–6 months |
6) Third‑party cookies
When you enable integrations or visit pages with embedded content, those providers may set their own cookies under their privacy policies. Review their notices before enabling.
7) Changes
We may update this Notice as practices or laws change. The “Last updated” date shows when changes were made. Material changes will be communicated via the banner or in‑app.
8) Contact
Email: privacy@getkitch.com
Mailing address: [insert]
Consent Banner Requirements (Implementation Notes)
- Show the consent banner on first visit and when material changes occur.
- Default non‑essential categories to off in the EEA/UK until consent is given.
- Record consent (timestamp, categories, jurisdiction) and provide a “Reopen banner” control.
- Support language localization and GPC signals.
- Maintain a Cookie Settings modal with toggles for each category and a link to this Notice.
- Provide a Do Not Sell or Share link if advertising technologies are enabled in the U.S. (CPRA).
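The consent-state logic these notes describe, as an added example that is not Kitch's own code: non-essential categories default to off in opt-in regions, a GPC signal forces the advertising (sale/share) category off, each decision is recorded with timestamp, categories and jurisdiction, and the banner is re-shown when the notice version changes. The category names, region codes, record shape and the `noticeVersion` field are constructed assumptions for the example.

```javascript
// Added example, not Kitch's code. Category names, region codes and the record
// shape are constructed assumptions; wire this to your own banner UI and storage.

const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];

// Regions where non-essential categories must start switched off until opt-in.
const OPT_IN_REGIONS = new Set(["EEA", "UK", "CH"]);

// Default state before the visitor has made any choice.
function defaultConsent(jurisdiction) {
  const optIn = OPT_IN_REGIONS.has(jurisdiction);
  return {
    necessary: true,      // strictly necessary: always on, cannot be switched off
    functional: !optIn,   // opt-in regions: off until chosen; elsewhere: on (opt-out model)
    analytics: !optIn,
    advertising: !optIn,
  };
}

// Build the record to persist: timestamp, categories and jurisdiction as the notes
// require, plus the GPC flag and the notice version so re-prompting can be decided.
function recordConsent({ jurisdiction, choices = {}, gpcSignal = false, noticeVersion, now = Date.now() }) {
  const base = defaultConsent(jurisdiction);
  const categories = {};
  for (const c of CATEGORIES) {
    // Only known categories are accepted; unknown keys in `choices` are ignored.
    categories[c] = Object.prototype.hasOwnProperty.call(choices, c) ? Boolean(choices[c]) : base[c];
  }
  categories.necessary = true;                   // cannot be opted out of, whatever the UI sent
  if (gpcSignal) categories.advertising = false; // GPC is an opt-out of sale/share in every region
  return {
    timestamp: new Date(now).toISOString(),
    jurisdiction,
    categories,
    gpc: Boolean(gpcSignal),
    noticeVersion,
  };
}

// Show the banner on first visit and again whenever the notice version changed
// (the "material changes" trigger in the notes).
function shouldShowBanner(storedRecord, currentNoticeVersion) {
  return !storedRecord || storedRecord.noticeVersion !== currentNoticeVersion;
}

// Gate a tag on the stored record: a tag in a category without consent is never loaded.
function mayLoad(record, category) {
  return CATEGORIES.includes(category) && record.categories[category] === true;
}

// Read the browser's GPC signal when running in a page; false elsewhere (e.g. Node).
function readGpc() {
  return typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
}

// Demo with constructed input: an EEA visitor who accepts analytics only.
const demo = recordConsent({ jurisdiction: "EEA", choices: { analytics: true }, gpcSignal: readGpc(), noticeVersion: "2025-09-28" });
console.log(JSON.stringify(demo));
console.log("load analytics:", mayLoad(demo, "analytics"), "load ad pixel:", mayLoad(demo, "advertising"));
```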