Privacy Policy
Effective Date: October 15, 2024
Tock LLC (“Tock”, “we”, “us” or “our”) respects your privacy. Tock is owned by American Express. When it comes to your personal information, we believe in transparency, not surprises. That's why we've set out here what personal information we collect, what we do with it and your choices and rights.
By using any of Tock's Services, you confirm you have read and understood this Privacy Policy and our Cookie Policy.
Certain jurisdictions require us to provide you with specific additional information. Please see this page for such additional information if you are in: (I) California; or (II) other specified U.S. states.
1. Some key terms
Any capitalized terms not defined in this Privacy Policy have the meanings in our Terms of Use.
2. How does this Privacy Policy apply?
This Privacy Policy describes what we do with personal information that we collect and use for our own purposes (i.e., where we are a controller), such as Guest and Merchant account information and information about how Guests and Merchants use and interact with our Services, including information Guests and Merchants submit to our customer support. This Privacy Policy does not apply to personal information of our employees or job applicants (except to the extent employees or job applicants are Guests or Merchants).
We use cookies and similar technologies. Our Cookie Policy describes what we do in that regard.
With respect to personal information in Tock's possession, we play a few different roles under global data privacy laws. In order to understand your and Tock's obligations, it's important to understand the difference between Tock Controlled PI and Merchant Controlled PI.
- “Tock Controlled PI” means personal information for which Tock determines the purposes and means of processing. This Privacy Policy and this additional information page only address Tock Controlled PI.
- “Merchant Controlled PI” means personal information for which a Merchant determines the purposes and means of processing. For Merchant Controlled PI, Tock acts as a data processor, service provider or similar term under applicable law. Merchant Controlled PI includes Guest Booking Information (as defined below) and any data or notes entered by a Merchant into the Services about a Guest or their partner or other dining companions, Merchant personnel or other individuals. Merchants tell us what to do with Merchant Controlled PI, and we process it on our Merchants' instructions. Our Merchants are responsible for ensuring that their collection and processing of Merchant Controlled PI complies with applicable law.
To learn about a Merchant's data practices with respect to Merchant Controlled PI, please visit the applicable Merchant's Merchant Page or website or reach out directly to them.
Please be aware that some personal information in Tock's possession is both Tock Controlled PI and Merchant Controlled PI. This category of data is “Independently Controlled PI.” See Section 6 for more details.
3. Personal information we collect
We collect various personal information regarding you or your device. This includes the following:
- Information a Guest provides to create an Account or make a Booking, specifically email address, first name, last name and phone number. This information is “Basic Guest Information.” You do not need an Account to browse our Services (including Merchant Pages), but you do need an Account to make a Booking.
- Information a Guest with an Account provides to complete their diner profile on the Services. This optional information is called “Guest Diner Profile Information.” Guest Diner Profile Information includes a photograph, birthday or anniversary details for the Guest and/or their partner and the Guest's hospitality preferences or dietary restrictions.
- Information a Guest provides when they make a Paid Booking. For most Paid Bookings, this will include billing address as well as a portion of payment information which is provided to us from our payment processor (such as the last four digits, the country of issuance and the expiration date of the payment card).
- The emails and other communications that you send us or otherwise contribute, such as customer support inquiries. Please be aware that information on public parts of our sites is available to others.
- Information shared with us about you by an individual who has purchased a Gift Card for you. This information is your name and email address.
- Information shared with us about you by a person or service acting as your concierge to make a Booking on your behalf, or by a Merchant for purposes of making a Booking on your behalf.
- Information you share with us in connection with surveys, contests or promotions.
- Information about individuals who own or work for either Merchants who use the Services or for businesses who may benefit from using the Services.
- Information from your interactions with the Services (including Merchant Pages). This includes: IP addresses, preferences, web pages you visited prior to coming to our sites, information about your browser, network or device (such as browser type and version, operating system, internet service provider, preference settings, unique device IDs and language and other regional settings), information about how you use the Services (such as timestamps, clicks, scrolling, browsing times, searches, transactions, referral pages, load times, and problems you may encounter, such as loading errors).
- Information we get from our partners to support our marketing initiatives, improve our Services and better monitor, manage and measure our ad campaigns, such as details about when Guests or Merchants interact with our Services via a marketing partner or when an advertising partner shows a Guest one of our ads on or via its advertising platform.
- Other information you submit to us directly or through Third Party Services if you use a Third Party Service to make a Booking and/or create an Account (based on your privacy settings with such Third Party Service).
4. How we collect personal information
We obtain personal information from various sources. We do this in three main ways:
- You provide some of it directly (such as by registering for an Account or completing a Guest diner profile).
- We record some of it automatically when you use our Services (including Merchant Pages), including with technologies like cookies.
- We receive some of it from Merchants or other third parties (like from a Third Party Service when a Guest registers for an Account using a Third Party Service or when a Guest makes a Booking through such Third Party Service, from a Merchant or concierge when a Booking is initiated by such Merchant or concierge on behalf of a Guest or from our payment processor when a Guest makes a Paid Booking or a Merchant purchases a subscription).
We've described this in more detail below.
a. Personal information you provide
When you use our Services, we collect information from you in a number of ways. For instance, we ask you to provide your name, email address and phone number in order to enable you to register and manage your Account. If you elect to provide us with Guest Diner Profile Information, we also collect that information from you. We also collect information about your Bookings and maintain your marketing preferences and the emails and other communications that you send us or otherwise contribute, such as customer support inquiries. You might also provide us with information in other ways, including by responding to surveys, submitting a form or participating in contests or similar promotions.
Sometimes we require you to provide us with information for contractual or legal reasons. For example, we may ask a Guest to provide information involving a chargeback dispute or to provide a mailing address and/or select their jurisdiction when they make a Paid Booking to determine if, and how much, tax we need to collect from the Guest on behalf of a Merchant. We'll normally let you know when information is required, and the consequences of failing to provide it. If you do not provide personal information when requested, you may not be able to use our Services if that information is necessary to provide you with the service or if we are legally required to collect it.
For clarity, a Guest may also provide information directly to a Merchant via the Services. However, such information is Merchant Controlled PI (not the subject of this Privacy Policy), which may include, for example, personal information about a Guest's Merchant-specific experience or preferences, or personal information included in a text message sent by a Guest when a Merchant uses the Services to send a text message to a Guest and the Guest responds.
b. Personal information obtained from your use of our Services
When you use our Services, we collect information about your activity on and interaction with the Services (including Merchant Pages), such as your IP address(es), your device and browser type, the web page you visited before coming to our sites, what pages on our sites you visit and for how long and identifiers associated with your devices. If you've given us permission through your device settings, we may collect your location information in our mobile apps.
Some of this information is collected automatically using cookies and similar technologies when you use our Services (including Merchant Pages). We let our Merchants add cookies and similar technologies provided by Third Party Services with which our Services are integrated to Merchant Pages. You can read more about our use of cookies in our Cookie Policy. Some of this information is similarly collected automatically through your browser or from your device.
c. Personal information obtained from other sources
If you use a Third Party Service to register for an Account, the Third Party Service may provide us with your Third Party Service account information on your behalf, such as your name and email address (we don't collect or store passwords you use to access Third Party Services). If you use a Third Party Service to make a Booking, the Third Party Service will provide us with Basic Guest Information on your behalf. Your privacy settings on the Third Party Service usually control what they share with us. Make sure you are comfortable with what they share by reviewing their privacy policies and, if necessary, modifying your privacy settings directly on the Third Party Service.
If a Guest doesn't have an Account with us, Bookings may sometimes be initiated by a concierge or Merchant on behalf of a Guest. For example, this might happen if you use a concierge or if you call a Merchant or visit a Merchant's location in person. When a concierge- or Merchant-initiated Booking occurs, necessary information is collected by Tock in order to facilitate the Booking. For clarity, Merchants may also add Merchant-Controlled PI about a Guest into our Services.
If a Guest makes a Paid Booking or a Merchant purchases a subscription to our Services, we obtain limited information about their payment card from our payment processor, such as the last four digits, the country of issuance and the expiration date.
5. How we use your personal information
We use the personal information we obtain about you for the following purposes:
- Provision of the Services to you and our Merchants. Create and manage your Account, make Bookings, process payments, respond to your inquiries and enable Merchants to contact you and remember you and your preferences to customize and optimize your experiences.
- Communicating with you. Communicate with you, including by sending you emails about your or your business' transactions and Service-related announcements.
- Surveys and contests. Administer surveys, contests and other promotions.
- Promotion. Promote our Services and send you tailored marketing communications about products, services, offers, programs and promotions of Tock and our Merchants and partners and measure the success of those campaigns. For example, we may send different marketing communications to you based on what we think may interest you based on other information we hold about you.
- Advertising. Analyze your interactions with our Services and third parties' online services so we can tailor our advertising to what we think will interest you. For example, we may decide not to advertise our Services to you on a social media site if you already have an Account or we may choose to serve you a particular advertisement based on previous Bookings you've made or what we think may interest you based on other information we hold about you.
- Customizing the Services. Provide you with customized services. For example, we use your location information to determine your language preferences or display accurate date and time information. We also use cookies and similar technologies for this purpose.
- Improving our Services. Analyze and learn about how the Services are accessed and used, evaluate and improve our Services (including by developing new products and services and managing our communications) and monitor and measure the effectiveness of our advertising. We usually do this based on anonymous, pseudonymized or aggregated information which does not identify you directly. For example, if we learn that most Guests or Merchants use a particular integration or feature, we might wish to expand on that integration or feature.
- Security. Ensure the security and integrity of our Services.
- Third party relationships. Manage our vendor and partner relationships.
- Enforcement. Enforce our Terms of Use and other legal terms and policies.
- Protection. Protect our and others' interests, rights and property (e.g., to protect our Guests and Merchants from abuse).
- Complying with law. Comply with applicable legal requirements, such as tax and other government regulations and industry standards, contracts and law enforcement requests.
We process your personal information for the above purposes when:
- Consent. You have consented to the use of your personal information in a particular way. When you consent, you can change your mind at any time.
- Performance of a contract. We need your personal information to provide you with services and products requested by you, or to respond to your inquiries. In other words, so we can perform our contract with you or take steps at your request before entering into one. For example, we need your email address so you can sign in to your Account.
- Legal obligation. We have a legal obligation to use your personal information, such as to comply with applicable tax and other government regulations or to comply with a court order or binding law enforcement request.
- Legitimate interests. We have a legitimate interest in using your personal information. In particular, we have a legitimate interest in the following cases:
  - To operate the Tock business and enable our Merchants to utilize the Services to run their businesses.
  - To provide you with tailored advertising and communications to develop and promote our business.
  - To analyze and improve the safety and security of our Services - we do this as it is necessary to pursue our legitimate interests in ensuring Tock is secure, such as by implementing and enhancing security measures and protections and protecting against fraud, spam and abuse.
  - To provide and improve the Services, including any personalized services - we do this as it is necessary to pursue our legitimate interests of providing an innovative and tailored offering to Guests and Merchants on a sustained basis.
  - To share your personal information with our affiliates (including American Express) that help us provide and improve the Services.
  - To comply with a court order or binding law enforcement request.
  - To anonymize and subsequently use anonymized information.
- Protecting you and others. To protect your vital interests, or those of others.
- Others' legitimate interests. Where necessary for the purposes of a third party's legitimate interests, such as our partners who have a legitimate interest in delivering tailored advertising to you and monitoring and measuring its effectiveness or our Merchants who have a legitimate interest in having the Services (including their Merchant Pages) function properly and securely and analyzing the usage of their Merchant Pages so they can understand trends and improve their services.
6. How we share your personal information
We share personal information in the following ways:
- Affiliates. We share personal information with our affiliates when it is reasonably necessary or desirable, such as to help provide services to you or analyze and improve the services we or they provide.
- Merchants. We share Guest personal information with our Merchants when a Guest visits the Merchant Page of a Merchant or makes a Booking with a Merchant.
  - If a Merchant has configured their Merchant Page to provide analytics to them, including as may be provided by a Third Party Service, the Merchant will receive personal information of visitors to that Merchant Page.
  - When a Guest makes a Booking, we share Guest Booking Information to the Merchant with whom the Guest made the Booking. “Guest Booking Information” means Basic Guest Information and may also include Guest Diner Profile Information.
- Business partners. We may share personal information with business partners. For example, we may share your personal information with a business partner when our Services are integrated with their Third Party Services, but only when you have been informed or would otherwise expect such sharing.
- Service providers. We share personal information with our service providers that perform services on our behalf. For example, we may use third parties to help us provide customer support, manage our advertisements on other sites, send marketing and other communications on our behalf or assist with data storage.
- Process payments. We transmit some of your personal information via an encrypted connection to our payment processor.
- Following the law or protecting rights and interests. We disclose your personal information if we determine that such disclosure is reasonably necessary to comply with the law, protect our or others' rights, property or interests (such as enforcing our Terms of Use) or prevent fraud or abuse of Tock or our Guests or Merchants. In particular, we may disclose your personal information in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements.
- Advertising. We share personal information with third parties so they and we can provide you with tailored advertising and measure and monitor its effectiveness. For example, we may share your pseudonymized email address with a third party social media platform on which we advertise to avoid serving Tock ads to people who already use Tock.
- Business transfers. If we're involved in a reorganization, merger, acquisition or sale of some or all of our assets, your personal information may be transferred as part of that deal or the negotiation of contemplated deals.
7. Your rights and choices
Where applicable law requires (and subject to any relevant exceptions under law), you may have the right to access, update, change or delete personal information.
If you are a Merchant, you can access, update, change or delete Merchant Controlled PI of your Guests directly in your Account.
If you are a Guest:
- You can access, update, change or delete Tock Controlled PI either directly in your Account or by contacting us at [email protected] to submit your request.
- You will need to reach out to any Merchants with whom you have made a Booking in order to request they delete any Merchant Controlled PI they hold about you.
- You can also delete your account by following the instructions on this Guest help center page. Please note that we may need to verify your identity in connection with your requests, and such verification process may, if you do not have access to your Account, require you to provide us with additional information we maintain about you to verify your identity. Even if you have access to your Account, we may request additional information if we believe it's necessary to verify your identity. If we are unable to verify your identity or request, we may not, in accordance with applicable law, be able to fulfill your request.
- You can also elect not to receive marketing communications by following the unsubscribe instructions in such communications.
Please note that, for technical reasons, there is likely to be a delay in deleting your personal information from our systems when you ask us to delete it. We also will retain personal information in order to comply with the law, protect our and others' rights, resolve disputes or enforce our legal terms or policies, to the extent permitted under applicable law.
You also have the right to lodge a complaint with a local competent data protection authority, subject to applicable law, in particular in the EU country where you live, work or where there may have been an infringement.
In the UK, you may lodge such complaints with the UK supervisory authority:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF United Kingdom, Phone 0303 123 1113, Live Chat
Additionally, if we rely on consent for the processing of your personal information, you have the right to withdraw it at any time and free of charge. When you do so, this will not affect the lawfulness of the processing before your consent withdrawal.
Our Cookie Policy explains how you can manage cookies and similar technologies.
8. How we protect your personal information
We have a security team dedicated to keeping personal information safe. We maintain administrative, technical and physical safeguards that are intended to appropriately protect against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse and any other unlawful form of processing, of the personal information in our possession. We employ security measures such as using firewalls to protect against intruders, building redundancies throughout our network (so that if one server goes down, another can cover for it) and testing for and protecting against network vulnerabilities.
9. How we retain your personal information
We retain personal information regarding you or your use of the Services for as long as your Account is active or for as long as needed to provide you or our Merchants with the Services. We also retain personal information for as long as necessary to achieve the purposes described in this Privacy Policy, for example, to comply with our legal obligations, to protect us in the event of disputes and to enforce our agreements and to protect our and others' interests.
The precise periods for which we keep your personal information vary depending on the nature of the information and why we need it. Factors we consider in determining these periods include the minimum required retention period prescribed by law or recommended as best practice, the period during which a claim can be made with respect to an agreement or other matter, whether the personal information has been aggregated or pseudonymized, and other relevant criteria. For example, the period we keep your email address is connected to how long your Account is active.
You may delete your Account by following the instructions on this Guest help center page and/or by contacting us at [email protected] and Tock will delete the Tock Controlled PI it holds about you (unless we need to retain it for the purposes set out in this Privacy Policy). If you are a Guest, you will need to reach out to any Merchants with whom you have made a Booking in order to request they delete any Merchant Controlled PI they hold about you.
Please note that in the course of providing the Services, we collect and maintain aggregated, anonymized or de-personalized information which we may retain indefinitely.
10. Data transfers
Personal information that you submit through the Services may be transferred to countries other than where you live, such as, for example, to our servers in the U.S. We also store personal information locally on the devices you use to access the Services.
Your personal information may be transferred to countries that do not have the same data protection laws as the country in which you initially provided the information.
We rely upon a number of means to transfer personal information which is subject to: (a) the European General Data Protection Regulation (“GDPR”) in accordance with Chapter V of the GDPR; or (b) applicable UK data privacy laws in accordance therewith. References to GDPR and its provisions include the GDPR as amended and/or incorporated into UK law. These include:
- Standard data protection clauses. We transfer, in accordance with Article 46 of the GDPR, personal information to recipients with whom we have entered into the European Commission approved Standard Contractual Clauses for the transfer of personal data outside the European Economic Area (“EEA”). We transfer, in accordance with UK law, personal information to recipients with whom we have entered into the UK Information Commissioner's Office approved international data transfer agreement and the UK addendum to such European Commission approved contract.
- Other means. We may, in accordance with Articles 45 and 46 of the GDPR, transfer personal information to recipients that are in a country the European Commission or a European or UK data protection supervisory authority has confirmed, by decision, offers an adequate level of data protection, pursuant to an approved certification mechanism or code of conduct, together with binding, enforceable commitments from the recipient to apply the appropriate safeguards, including as regards data subjects' rights.
You can request further information on where to find a copy of the appropriate safeguards in place by contacting us.
11. Updates to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in technology, law, our business operations or any other reason we determine is necessary or appropriate. When we make changes, we'll update the “Effective Date” at the top of the Privacy Policy and post it on our sites. If we make material changes to it or the ways we process personal information, we'll notify you (by, for example, prominently posting a notice of the changes on our sites before they take effect or directly sending you a notification).
We encourage you to check back periodically to review this Privacy Policy for any changes since your last visit. This will help ensure you better understand your relationship with us, including the ways we process your personal information.
12. How to contact us
If you have questions, comments or complaints about this Privacy Policy or our privacy practices or if you would like to exercise your rights and choices, please email us at [email protected], or write to us at the addresses below:
Tock LLC
Attention: Legal - Privacy
320 N Sangamon Street, 6th Floor
Chicago, IL 60607 United States