Effective Date: September 8, 2025 This Privacy Policy describes how we at Subtotal, Inc. (“Subtotal”, “we”, “our”, or “us”) collect, use, and disclose information about our business customers (“Customers,” “you,” or “your”) with respect to identifiable data that we collect from or about you (“Personal Data”) when you use our website, online tools, applications, or services (collectively, “Services”), or otherwise interact with us. This Policy does not apply to information we collect about end users—for example, when they connect their Retailer accounts to Customer apps or websites through Subtotal. Please see our End User Privacy Policy for information about our practices regarding end user data. Subtotal is the “data controller” or “business” with respect to the collection and processing of your information through the Services. Your use of our Services is subject to our Services Agreement, which incorporates this Privacy Policy. Any terms we use in this Privacy Policy without defining them have the definitions given to them in the Services Agreement. We may update this Policy from time to time. We will alert you of material changes by giving notice on the Subtotal website, by sending you an email, or by other means as may be appropriate or required by law. By using the Services after any changes to this Policy have been posted, you agree to all of the changes.

Personal Data We Collect

Personal Data you provide. We collect Personal Data that you provide directly to us. For example, you provide certain Personal Data when you create a Customer Account, enter into a contractual relationship with us (individually or on behalf of a company or other legal entity), fill out a “contact us” form, enroll in billing, or otherwise communicate with us. The types of Personal Data we collect include:
  • Customer Account Information. We collect Personal Data that you provide when you register for a Customer Account, including account credentials (such as your password), professional information (such as your company name, company URL, and job title), and identifiers (such as your name, email address, and phone number).
  • Payment Information. We collect payment information that you provide when you sign up for our Services. We use third-party payment processors to process the payments you make to us. As such, you provide payment information directly to the third-party processor. You should review the processor’s privacy notice to learn how they treat your information. We receive only the last 4 digits of your credit card number and transaction-related information such as payment date, amount, card type, device type, and IP address.
  • End User Information. We collect Personal Data that you provide to us or authorize us to access regarding your customers, including but not limited to customer identifiers, transaction history, order identifiers, and item-level purchase details. This Personal Data is collected and processed solely for the purpose of providing you with our Services. You must only provide end user Personal Data to us in accordance with applicable laws, and subject to any privacy or disclosure settings made by such end users.
  • Product Information. We collect and process Personal Data regarding your products, including product identifiers (such as barcodes, SKUs, and UPCs), product names, and related metadata, in order to enable accurate matching of external retail purchases and for other purposes in connection with our Services.
  • Communications. When you contact us through any mode of communication, such as email or a “contact us” form on our website, we may collect your name, email address, address, phone number, company name, account ID, and other Personal Data you provide to us. We may also collect information from you in connection with customer service calls. Please note that our written and verbal communications with you may be recorded and stored by us and vendors on our behalf for training and internal business purposes.
Personal Data we collect when you link your own Retailer account. Customers who use our Services often link their own Retailer accounts to test and evaluate our technology. If you do this, the collection of your information in this circumstance will be covered by our End User Privacy Policy, and not this Policy. Please see the End User Privacy Policy for details on how we collect and handle that information. Personal Data we collect automatically when you use our Services. When you use our Services, we collect the following Personal Data:
  • Log Information. We collect information that your browser or device automatically sends when you use our Services. Log information includes your IP address, browser type and settings, the date and time of your request, and how you interact with our Services.
  • Device Information. We collect information about the device you use to interact with our Services, such as the name of the device, the hardware model and operating system, IP address, domain server, the date and time of your interaction with the Services, timezone setting and location, and other technical information about the device. The information we collect may depend on the type of device you use and its settings.
  • Location Information. We may determine the general area from which your device accesses our Services based on information such as its IP address.
  • Cookies and Similar Technologies. As described more fully in our Cookie Policy, we use cookies and other related technologies in operating our Services⁠.
Personal Data we collect from other sources. We may collect Personal Data about you from other sources, such as vendors who help us identify new potential customers, including your name, email address, and social media profile URL. De-identified data. We may de-identify information we collect so the information can no longer reasonably identify you or your device, or we may collect information that is already in de-identified form. Our use and disclosure of de-identified information is not subject to any restrictions under this Privacy Policy, and we may use and disclose it to others for any purpose, without limitation.

How We Use Your Personal Data

We may use the Personal Data we collect for the following purposes:
  • To fulfill our contractual obligations and provide the Services you have requested;
  • To operate, improve, and personalize our Services;
  • To promote and sell our Services;
  • To track opportunities and generate leads;
  • To bill you for our Services;
  • To respond to your communications with us, including support requests;
  • To communicate with you about our products, services, offers, and events;
  • To send you legal and technical notices, updates, security alerts, and messages about your account;
  • To prevent and investigate fraud and other illegal activities;
  • To monitor, test, and update our Services, and diagnose and fix technical problems;
  • To maintain the security and integrity of our Services and property;
  • To enforce our contractual rights, resolve disputes, and protect the rights, privacy, safety, and property of Subtotal and others; and
  • To comply with our legal obligations.

Online Analytics and Advertising

Online Analytics. As discussed in greater detail in our Cookie Policy, we may use third-party analytics in connection with our Services (e.g., analytics platforms such as Google Analytics or PostHog). These vendors may set and access their own cookies, pixel tags, and similar technologies on our Services and on third-party services to collect information that can be used to track users over time and across services. These analytics tools help us understand how users arrive at and use our Services. If you do not want Google Analytics to collect and use information about your use of our Services, then you can install an opt-out in your web browser. You also may opt-out from Google Analytics for Display Advertising or the Google Display Network by using Google’s ads settings. Online Advertising. We strive to provide you with relevant, value-added content in our online advertisements. We work with online analytics and advertising partners to: (i) better understand the use of our Services so that we can improve them; and (ii) deliver advertisements that are more tailored to you both on our Services and on third-party apps and websites. Our partners may place cookies, pixel tags, and similar technologies on many online services, including ours. They use these technologies to collect information about your activities on these services in order to deliver you more relevant advertising. For example, they may use the information they collect from their cookies on our Services to identify products and services you might be interested in. For information about how to opt out of receiving personalized online advertisements from our advertising partners, follow the instructions in the “Your Rights and Choices” section below. Please visit our Cookie Policy for more details.

How We Disclose Your Personal Data

We disclose your Personal Data as follows:
  • With service providers, agents, and contractors who provide services for us, such as payment processors, web hosting providers, data storage providers, email and messaging communications providers, analytics providers, and customer relationship and support providers;
  • With advertisers and other third parties who use cookies and related technologies to collect information about your use of the Services (see our Cookie Policy and the “Online Advertising and Analytics” section above for more details);
  • To comply with our legal obligations and with legal or regulatory processes (such as subpoenas);
  • To prevent fraud, malicious activity, and other privacy and security-related concerns or otherwise protect the rights, property, and safety of Customers, end users, Retailers, Subtotal, and others;
  • With third parties in relation to a change in ownership or control of all or a part of our business or assets, or in contemplation thereof, such as a merger, acquisition, bankruptcy, or reorganization; and/or
  • Between and among Subtotal and our current and future parents, affiliates, and subsidiaries.
We may also collect, use, and disclose aggregated, de-identified, or anonymized information that does not identify you personally for any purpose permitted by law.

Data Security

We seek to protect your Personal Data from unauthorized access, use, and disclosure. We maintain a variety of physical, technical, and administrative security measures appropriate to the risk associated with the processing of your Personal Data. Unfortunately, no data transmission or storage system is completely secure. For additional information about our security practices, please visit our Security Page.

​Data Retention

We retain your Personal Data for as long as necessary to provide our Services and to fulfill the purposes for which we collected it, including for the purposes of complying with our legal obligations, resolving disputes, and collecting fees. When establishing a retention period for specific categories of information, we consider who we collected the information from, our need for the information, our reason for collecting the information, and the amount and sensitivity of the information. If we aggregate, de-identify, or anonymize information such that it can no longer be used to identify you personally, we may use that information indefinitely without further notice to you.

Your Rights and Choices

Your Choices
  • Customer Account Information. You may update your Customer Account information by logging into your account on our website or by contacting us.
  • Cookies. You can find more information about how we use cookies and your related choices in our Cookie Policy.
  • Marketing Communications. In accordance with applicable law, we may send you marketing communications. You may opt out of receiving marketing emails from Subtotal by following the instructions in those emails. If you opt out, we may still send you other types of emails, such as legal notices and support, service, and other emails regarding your account.
Your Rights Regardless of where you live, we recognize, and you may exercise, the following rights with respect to your Personal Data, subject to applicable exceptions provided by law:
  • Information. To request information about the categories of Personal Data we have collected, the sources from which we collected the data, and how we have used and disclosed your Personal Data; this information is contained in this Privacy Policy.
  • Access. To access a copy of the Personal Data we have collected from and about you.
  • Deletion. To request that we delete the Personal Data we have collected from and about you.
  • Opt Out. To request to opt out of:
    • The “sale” of your Personal Data;
    • The “sharing” or “processing” of your Personal Data for online targeted advertising purposes;
    • The use of automated decision-making regarding your Personal Data, where such processing results in legal or similarly significant impacts (note that we have not engaged in such processing over the prior 12 months); and
    • The use of your “sensitive” Personal Data, in certain circumstances (note that we do not process “sensitive” Personal Data in a way that is subject to this opt out right).
  • Nondiscrimination. To exercise these rights free from discrimination.
Oregon and Minnesota residents can also request a list of the specific third parties, other than natural persons, to which we have disclosed personal information. Exercising Your Rights You can exercise the rights described in this section by submitting a request to support@subtotal.com⁠. You may be required to provide additional information to confirm your identity before we can respond to your request. If an authorized agent submits a request on your behalf, we may ask for a valid power of attorney to verify that the agent has written authority to submit requests on your behalf. In certain cases, we may be required or permitted by law to deny your request. To opt out of our use of cookies/pixels in ways that could be considered “sales” or “processing” for “online targeted advertising,” please see the “Online Advertising and Analytics” section above. If you are a resident of Colorado, Connecticut, Minnesota, Montana, Oregon, Tennessee, Texas, or Virginia, and we deny your Personal Data request, you have the right to appeal our denial. You can exercise this right by emailing us at support@subtotal.com or contacting us as provided below. Your description must include your full name and the email address used for your account with us, along with a copy of the denial notice you received from us.

Additional Information for California Residents

If you are a California resident, the California Consumer Privacy Act (“CCPA”) requires us to provide you with information about:
  • The purpose for which we use each category of “personal information” (as defined in the CCPA) we collect; and
  • The categories of third parties to which we (a) disclose such personal information for a business purpose, (b) “share” personal information for “cross-context behavioral advertising,” and/or (c) “sell” such personal information.
Under the CCPA, “sharing” is defined as the targeting of advertising to a consumer based on that consumer’s personal information obtained from the consumer’s activity across distinct online services, and “selling” is defined as the disclosure of personal information to third parties in exchange for monetary or other valuable consideration. We “share” information with our advertising partners to provide more relevant and tailored advertising to you regarding our Services. Moreover, our use of third-party analytics services and online advertising services may result in the sharing of online identifiers (e.g., cookie data, IP addresses, device identifiers, and usage information) in a way that may be considered a “sale” under the CCPA. In the past 12 months, we have processed the categories of personal information listed in the table below. For each category, the table provides the source, business purpose, and general categories of third parties to whom the information may be disclosed. For more detailed information, please see the Personal Data We Collect,” “How We Use Your Personal Data,” and “How We Disclose Your Personal Data” sections above.
Personal Information CategoryBusiness Purpose of UseThird Parties to Whom Information is DisclosedThird Parties to Whom Information is Sold/Shared
Identifiers (e.g., name, email address, address)
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Advertising and marketing
  • Analyze and improve the Services
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Advertising and Analytics Vendors/Partners
  • Advertising and Analytics Vendors/Partners
Commercial information (e.g., records of your purchase of Services from us)
  • Provide the Services
  • Respond to your requests for information
  • Advertising and marketing
  • Analyze and improve the Services
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Advertising and Analytics Vendors/Partners
  • Advertising and Analytics Vendors/Partners
Professional Information (e.g., company, title, and role)
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Advertising and marketing
  • Analyze and improve the Services
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Advertising and Analytics Vendors/Partners
  • Advertising and Analytics Vendors/Partners
Payment Information (collected and stored by a third-party payment processor on our behalf)
  • Provide the Services
  • Respond to your requests for information
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Not sold/shared
Internet or other similar network activity (including usage information)
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Advertising and marketing
  • Analyze and improve the Services
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Advertising and Analytics Vendors/Partners
  • Advertising and Analytics Vendors/Partners
Geolocation data (e.g., physical location at the city/state level)
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Advertising and marketing
  • Analyze and improve the Services
  • For security and legal purposes
  • Affiliates
  • Vendors
  • Entities for Legal Purposes
  • Advertising and Analytics Vendors/Partners
  • Advertising and Analytics Vendors/Partners
Inferences drawn from other information
  • Provide the Services
  • Personalize the Services
  • Advertising and marketing
  • Analyze and improve the Services
  • Affiliates
  • Vendors
  • Advertising and Analytics Vendors/Partners
  • Advertising and Analytics Vendors/Partners
Sensory data (e.g., photos or videos you provide in reviews, customer service call recordings for quality assurance)
  • Provide the Services
  • Personalize the Services
  • Respond to your requests for information
  • Analyze and improve the Services
  • Vendors
  • Entities for Legal Purposes
  • Not sold/shared
Account log-in credentials
  • Provide the Services
  • For security and legal purposes
  • Vendors
  • Entities for Legal Purposes
  • Not sold/shared
Your Choices Regarding “Sharing” and “Selling.” You have the right to opt out of the sale or sharing of your personal information for online analytics and advertising purposes. You can exercise this right by contacting us as described in the “Your Rights and Choices” section above. We also honor browser-based opt out signals, such as the global privacy control, in accordance with our legal obligations. Other CCPA Rights. For information about the additional rights you have under California law and how to exercise them, please see the “Your Rights and Choices” section above. If we ever offer any financial incentives in exchange for your personal information, we will provide you with appropriate disclosures at that time. The CCPA also gives California residents the right to limit the use and disclosure of their “sensitive personal information” (as defined in the CCPA) if such information is used for certain purposes. However, we do not use or disclose sensitive personal information for purposes that would trigger this right to limit. Retention of Your Personal Information. Please see the “Data Security” and “Data Retention” sections above. Do Not Track. Do Not Track (“DNT”) is a privacy preference that users can enable in certain web browsers. While we are committed to providing meaningful choices about the information collected on our Services for third-party purposes—including through the opt-out mechanisms described above—we do not currently recognize or respond to browser-based DNT signals. Learn more about DNT at https://www.allaboutdnt.com. California “Shine the Light” Disclosure. Under California Civil Code Sections 1798.83-1798.84, California residents have the right, in certain circumstances, to request that we do not disclose certain categories of personal information to third parties for their direct marketing purposes, or alternatively, that we maintain a policy to provide a cost-free means of opting out of such disclosures. We maintain such an opt out policy. To make an opt out request, please contact us using the contact information below and include “California Shine the Light Request” in the email subject line.

Contact Us

If you have any questions or comments about this Privacy Policy, our collection and use of your Personal Data, or your rights and choices regarding such collection and use, please contact us at: https://www.subtotal.com/
legal@subtotal.com
100 Church Street, Suite 800
New York, NY 10007