Privacy Policy

Falco, Inc. ("Falco," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, share, and protect information when you apply to become a vendor partner through our vendor signup platform at vendor.thefalco.com (the "Service").

Who We Are:

Falco, Inc.
251 Little Falls Drive
Wilmington, New Castle County
Delaware 19808
Email: support@thefalco.com

Scope of This Policy: This Privacy Policy applies specifically to our vendor signup process and vendor partnership program. If you are a customer using the Falco app to place orders, a separate Privacy Policy applies.

Updates to This Policy: We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email and by updating the "Last Updated" date at the top of this policy. Your continued use of the Service after such changes constitutes acceptance of the updated Privacy Policy.

We collect several types of information from and about you when you apply to become a Falco vendor partner.

3.1 Information You Provide Directly

When you submit a vendor application, you provide us with:

• Contact Information: Your name, email address, phone number, and your role at the business (e.g., Owner, Manager)
• Business Information: Business name, legal entity type, business type (restaurant, café, etc.), cuisine type, website URL, Tax ID (EIN or SSN)
• Location Information: Business address including street address, city, state, postal code, country, and neighborhood
• Operational Data: Estimated daily order volume, average order value, opening hours, existing delivery platforms you use, delivery capabilities
• Hardware and Technology: Information about existing tablets, printers, POS systems
• Financial Information: Bank account details for payment disbursements
• Marketing Information: How you heard about Falco (referral source), referral restaurant name if applicable
• Consent Preferences: Your preferences for contact methods, contact times, and consent to marketing communications
• Communications: Messages, emails, support tickets, and other communications with Falco support or sales teams
• Documentation: Business licenses, insurance certificates, health permits, and other compliance documents

3.2 Information Automatically Collected

When you use our Service, we automatically collect certain information:

• Device Information: IP address, browser type and version, operating system, device type, screen resolution
• Usage Data: Pages visited, time spent on pages, links clicked, form completion time, form drop-off points
• Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to track your activity on our Service (see Section 10 for details)
• Google Maps Data: When you use the address autocomplete feature, Google Maps collects location and search data subject to Google's Privacy Policy
• Analytics Data: We use analytics services (e.g., Google Analytics) to understand how users interact with our Service

3.3 Information from Third-Party Sources

We may collect additional information about you from third-party sources:

• Business Verification: We may verify your business information through public databases, business registries, and credit reporting agencies
• Background Checks: For certain vendor categories, we may conduct background checks through third-party services
• Credit Checks: We may obtain credit reports to assess financial stability
• Public Records: Health inspection scores, business licenses, and legal judgments from public sources

We use the information we collect for the following purposes:

Application Processing

• Review and evaluate your vendor application
• Verify your business credentials and legitimacy
• Conduct background and credit checks where applicable
• Assess eligibility for the vendor partnership program
• Make decisions about application approval or rejection

Onboarding and Account Setup

• Create and configure your vendor account
• Set up payment processing and banking integrations
• Configure POS system integrations
• Provide training and onboarding materials
• Upload and optimize your menu and business information

Service Provision

• Operate and maintain the vendor platform
• Process and route customer orders to you
• Facilitate payment processing and disbursements
• Provide customer support and technical assistance
• Monitor platform performance and uptime

Communication

• Send updates about your application status
• Provide important service announcements and updates
• Send operational notifications (new orders, system maintenance)
• Respond to your inquiries and support requests
• Send marketing communications about platform features (with your consent)
• Conduct surveys to improve our services

Analytics and Improvement

• Analyze how vendors use the platform
• Identify areas for product improvement
• Understand application completion rates and drop-off points
• Develop new features and services
• Test and optimize user experience

Marketing and Promotion

• Promote your business to Falco customers
• Feature your restaurant in marketing campaigns
• Analyze marketing effectiveness
• Provide targeted promotional opportunities

Fraud Prevention and Security

• Detect and prevent fraudulent applications
• Monitor for suspicious activity
• Protect against unauthorized access
• Enforce our Terms of Service
• Investigate violations and resolve disputes

Legal Compliance

• Comply with legal obligations and regulations
• Respond to legal requests and court orders
• Maintain records for tax and accounting purposes
• Protect our legal rights and interests

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

• Contract Performance: Processing is necessary to perform our vendor partnership agreement with you, including evaluating your application, providing the platform services, and processing payments.
• Legal Obligations: Processing is necessary to comply with legal requirements, such as tax reporting, financial record-keeping, and regulatory compliance.
• Legitimate Interests: Processing is necessary for our legitimate business interests, such as fraud prevention, security, analytics, and business development, provided these interests are not overridden by your privacy rights.
• Consent: For marketing communications and certain optional data processing activities, we rely on your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

We share your information with third parties only in the following circumstances:

6.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

• Cloud Hosting: AWS, Google Cloud, or similar providers host our platform and store data
• Payment Processors: Stripe and banking partners process payments and transfers
• Email Services: SendGrid, Mailgun, or similar services deliver transactional and marketing emails
• Analytics Providers: Google Analytics and similar tools help us understand platform usage
• Customer Support: Zendesk, Intercom, or similar platforms manage support tickets
• Background Check Providers: Third-party services conduct background and credit checks
• SMS Providers: Twilio or similar services send SMS notifications

These service providers are contractually obligated to protect your data and use it only for the purposes we specify.

6.2 Business Transfers

If Falco is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred to the successor entity. We will notify you via email and/or prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

6.3 Legal Requirements and Protection of Rights

We may disclose your information if required to do so by law or in response to:

• Court orders, subpoenas, or other legal processes
• Law enforcement requests
• National security or public safety requirements

We may also disclose information when we believe it is necessary to:

• Protect Falco's rights, property, or safety
• Protect the rights, property, or safety of our users or the public
• Investigate and prevent fraud or security issues
• Enforce our Terms of Service

6.4 With Your Consent

We may share your information with third parties when you explicitly consent, such as:

• Participation in co-marketing campaigns
• Featured vendor promotions
• Business partnerships and integrations

6.5 Aggregated and De-identified Data

We may share aggregated, de-identified, or anonymized data that cannot be used to identify you for research, analytics, or business purposes. This includes industry benchmarks, market trends, and usage statistics.

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Active Vendor Accounts

While your vendor account is active, we retain all account information, business data, transaction history, and communications to provide ongoing services.

After Account Termination

• Financial Records: We retain financial data, transaction records, and tax documents for 7 years to comply with tax laws and accounting regulations
• Order History: We retain order history and customer reviews indefinitely for business records and platform integrity
• Communications: Support tickets and email correspondence are retained for 3 years
• Account Information: Basic account information is anonymized or deleted within 90 days after account closure, unless retention is required for legal reasons

Rejected Applications

For applications that are rejected or incomplete, we retain application data for 1 year to improve our evaluation process and respond to inquiries. After 1 year, this data is deleted or anonymized.

Legal Holds

If your information is subject to a legal hold (pending litigation, government investigation, or regulatory inquiry), we will retain the data until the legal matter is resolved, regardless of the standard retention periods.

Deletion Procedures

When data is deleted, we use commercially reasonable efforts to ensure complete deletion from our systems and backups within 90 days. Some data may persist in archived backups for up to 12 months before complete removal.

We implement robust security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction.

Technical Safeguards

• Encryption: Data is encrypted in transit using TLS/SSL (minimum TLS 1.2) and at rest using industry-standard encryption (AES-256)
• Secure Infrastructure: We use secure cloud hosting with Amazon Web Services (AWS) or Google Cloud Platform, which maintain SOC 2 and ISO 27001 certifications
• Firewalls and Access Controls: Network firewalls and access control lists restrict access to authorized personnel only
• Database Security: Databases are secured with encryption, access logging, and regular security patches
• Payment Security: Payment information is processed through PCI DSS compliant payment processors. We do not store full credit card numbers on our servers

Organizational Safeguards

• Access Controls: Access to personal data is restricted based on job role and necessity (least privilege principle)
• Employee Training: Employees receive regular security and privacy training
• Confidentiality Agreements: Employees and contractors sign confidentiality agreements
• Background Checks: Employees with access to personal data undergo background checks

Security Monitoring

• 24/7 system monitoring and intrusion detection
• Regular security audits and penetration testing
• Vulnerability scanning and patch management
• Incident response plan and procedures

Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

• Notify affected users within 72 hours of becoming aware of the breach
• Describe the nature of the breach and data affected
• Provide information about steps we are taking to mitigate harm
• Offer guidance on steps you can take to protect yourself
• Notify regulatory authorities as required by law

Limitations

While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and promptly notifying us of any unauthorized access.

Depending on your location, you may have certain rights regarding your personal information.

9.1 General Rights (All Users)

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Data Portability: Request a machine-readable copy of your data
• Opt-Out of Marketing: Unsubscribe from marketing emails or withdraw consent for marketing communications
• Withdraw Consent: Withdraw consent for processing based on consent at any time

9.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to Know: Request disclosure of categories and specific pieces of personal information we have collected about you in the past 12 months
• Right to Know About Business Purposes: Request information about the business purposes for collecting and sharing your information
• Right to Know About Third-Party Sharing: Request information about categories of third parties with whom we share your information
• Right to Deletion: Request deletion of your personal information (subject to exceptions)
• Right to Opt-Out of Sale: We do not sell personal information. If our practices change, we will provide an opt-out mechanism
• Right to Non-Discrimination: You have the right to not receive discriminatory treatment for exercising your privacy rights

Authorized Agents

California residents may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization, and we may require you to verify your identity directly.

Verification Process

To protect your privacy, we will verify your identity before fulfilling requests. We may request:

• Email verification
• Business name and Tax ID
• Answers to security questions
• Government-issued ID for deletion requests

9.3 European Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

• Right to Access: Obtain confirmation of whether we process your data and access to your personal data
• Right to Rectification: Correct inaccurate or incomplete personal data
• Right to Erasure ("Right to be Forgotten"): Request deletion of personal data in certain circumstances
• Right to Restrict Processing: Request restriction of processing in certain circumstances
• Right to Data Portability: Receive your data in a structured, commonly used format and transmit it to another controller
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
• Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (we do not engage in such processing)
• Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority if you believe we are processing your data unlawfully

EU Representative

If required under GDPR, we will appoint an EU representative. Contact information will be provided here when applicable.

Exercising Your Rights

To exercise any of these rights, please contact us at:

• Email: support@thefalco.com
• Subject line: "Privacy Rights Request"
• Include your full name, business name, and email address

We will respond to your request within:

• 45 days for California residents (CCPA)
• 30 days for European residents (GDPR)
• Reasonable timeframe for all other users

We use cookies and similar tracking technologies to improve your experience on our Service.

What Are Cookies?

Cookies are small text files stored on your device that help websites remember your preferences and activity. They enable essential features and provide analytics about site usage.

Types of Cookies We Use

Essential Cookies (Required)

These cookies are necessary for the Service to function and cannot be disabled:

• Authentication cookies (keep you logged in)
• Security cookies (prevent fraud and protect your account)
• Session cookies (maintain form data during your session)

Analytics Cookies (Optional)

These cookies help us understand how you use the Service:

• Google Analytics (tracks page views, session duration, bounce rate)
• Form analytics (tracks completion rates and drop-off points)
• Performance monitoring (tracks load times and errors)

Marketing Cookies (Optional)

These cookies support our marketing efforts:

• Conversion tracking (measures application completion rates)
• Retargeting pixels (Facebook Pixel, Google Ads)
• Email campaign tracking

Third-Party Cookies

Some cookies are placed by third-party services we use:

• Google Analytics: Tracks website usage and traffic sources
• Google Maps: Provides address autocomplete functionality
• Facebook: Conversion tracking and advertising

Cookie Management

You can control cookies through:

• Browser Settings: Most browsers allow you to block or delete cookies through settings. Note that blocking essential cookies may affect functionality
• Opt-Out Tools:
  • Google Analytics: Google Analytics Opt-out Browser Add-on
  • NAI Opt-Out: Network Advertising Initiative
  • DAA Opt-Out: Digital Advertising Alliance

Do Not Track Signals

Some browsers transmit "Do Not Track" signals. Because there is no common industry standard for interpreting these signals, we do not currently respond to Do Not Track signals. However, you can use the opt-out tools listed above to limit tracking.

Our Service may contain links to third-party websites, services, or integrations (e.g., POS systems, payment processors, Google Maps). These third-party services have their own privacy policies and terms of service.

We are not responsible for the privacy practices or content of third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.

Examples of Third-Party Services:

• Google Maps (address autocomplete)
• Payment processors (Stripe, PayPal, etc.)
• POS systems (Square, Toast, Clover, etc.)
• Social media platforms (if you share content)

Falco operates primarily in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States.

Data Transfer Mechanisms

For data transfers from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on:

• Standard Contractual Clauses: We use European Commission-approved Standard Contractual Clauses for transfers to countries without adequacy decisions
• Adequacy Decisions: Where available, we rely on adequacy decisions by the European Commission
• Your Consent: In some cases, we obtain your explicit consent for international transfers

Data Protection Safeguards

When transferring data internationally, we implement appropriate safeguards, including:

• Encryption of data in transit and at rest
• Contractual obligations on data recipients
• Regular security audits and assessments
• Compliance with applicable data protection laws

Our Service is not directed to children under the age of 18. We do not knowingly collect personal information from children under 18.

COPPA Compliance: Our Service is not intended for children under 13, and we do not knowingly collect information from children under 13 years of age in compliance with the Children's Online Privacy Protection Act (COPPA).

Business Requirement: To become a Falco vendor partner, you must be at least 18 years old and legally authorized to enter into business agreements.

If we become aware that we have collected personal information from a child under 18 without proper authorization, we will take steps to delete that information promptly.

If you believe we have collected information from a minor, please contact us immediately at support@thefalco.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes

When we make changes to this Privacy Policy, we will:

• Update the "Last Updated" date at the top of this policy
• Post the revised policy on our website
• For material changes that significantly affect your rights, we will:
  • Send email notification to your registered email address
  • Provide a prominent notice on our website
  • May require you to acknowledge the changes before continuing to use the Service

Material Changes

Material changes include:

• Changes to the types of personal information we collect
• Changes to how we use or share your information
• Changes to your rights or how to exercise them
• Changes to data retention periods
• Changes to international data transfer practices

Your Acceptance

Your continued use of the Service after we post changes to this Privacy Policy constitutes your acceptance of the revised policy. If you do not agree with the changes, you should discontinue use of the Service and contact us to delete your account.

Previous Versions

If you would like to review previous versions of this Privacy Policy, please contact us at support@thefalco.com.

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

General Privacy Inquiries

Email: support@thefalco.com
Subject Line: "Privacy Inquiry"

Data Subject Rights Requests

Email: support@thefalco.com
Subject Line: "Privacy Rights Request"
Include: Your full name, business name, email address, and description of your request

Data Protection Officer

For GDPR-related inquiries, you may contact our Data Protection Officer:
Email: support@thefalco.com
Subject Line: "Attn: Data Protection Officer"

Mailing Address

Falco, Inc.
Attn: Privacy Office
251 Little Falls Drive
Wilmington, New Castle County
Delaware 19808
United States

Response Time

We will respond to your inquiries within:

• General inquiries: 5-7 business days
• California residents (CCPA): 45 days
• European residents (GDPR): 30 days

Supervisory Authority (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to lodge a complaint with your local supervisory authority if you believe we are processing your personal data unlawfully.

You can find your supervisory authority at: EDPB Member Authorities

Residents of certain U.S. states have additional privacy rights under state laws.

Nevada Residents

Nevada residents may opt out of the sale of certain covered information. We do not currently sell covered information as defined under Nevada law. If our practices change, we will update this policy and provide a mechanism to opt out.

Virginia Residents (VCDPA)

Virginia residents have the right to:

• Access personal data we have collected about you
• Correct inaccuracies in your personal data
• Delete personal data you have provided
• Obtain a copy of your personal data in a portable format
• Opt out of the processing of personal data for targeted advertising, sale, or profiling

To exercise these rights, contact us at support@thefalco.com.

Colorado Residents (ColoPA)

Colorado residents have similar rights to Virginia residents under the Colorado Privacy Act. The same contact methods apply.

Connecticut Residents (CTDPA)

Connecticut residents have similar rights under the Connecticut Data Privacy Act. Contact us at support@thefalco.com to exercise your rights.

Appeal Process

If we decline your privacy rights request, you have the right to appeal. To appeal:

1. Reply to our decision email with "Appeal" in the subject line
2. Explain why you believe the decision was incorrect
3. We will review your appeal and respond within 30 days
4. If we deny your appeal, you may contact your state attorney general