Last update: June 3, 2024
The National Restaurant Association and its affiliates, National Restaurant Association Solutions LLC, The National Restaurant Association Educational Foundation, Environmental Health Testing LLC (dba National Registry of Food Safety Professionals), Multicultural Foodservice and Hospitality Alliance, Restaurant Law Center, NRAS Restaurant Owner, LLC, and National Restaurant Association Political Action Committee (collectively, the “Association,” “we” or “us”) understand that you care about how we collect, use, and share information when you interact with us through our websites, mobile applications, social media sites and handles, email, events, surveys, and research (our “Services”) and we value the trust you place in us. This Privacy Policy explains:
We also include specific disclosures for residents of the European Economic Area, the United Kingdom and Switzerland as well as Colorado, Oregon, California, and Nevada.
This Policy applies to the Association and our Services. It also applies anywhere it is linked. It does not apply to non-Association websites and mobile applications that may link to the Services or be linked to from the Services. Please review the privacy policies on those websites and applications directly to understand their privacy practices.
How to Contact Us
We have appointed a data privacy officer who is responsible for overseeing questions concerning this Policy. If you have any questions, please contact our data protection officer in the following ways:
Information We Collect
Below is a summary of the kinds of personal information we collect. We may collect this information directly from you, as you use our Services, automatically through technology you use when using our Services, or from third parties who obtain information about you from publicly available sources, or from third parties that share your information with us on your behalf.
How We Use Your Information
We use your personal data for the purposes noted above and otherwise set out in this Policy and where we have a valid legal ground for doing so under applicable data protection law. The legal ground will depend on the purpose for which we process your personal data. We use your personal data in the following ways as necessary in our legitimate business interests, including to meet our membership obligations and to provide Services.
We may use the information we collect from you for the following purposes:
We may use your personal data in the following ways as necessary for certain legitimate interests, or where you have given your consent to such processing to the extent required by applicable law (in which case, such consent can be withdrawn at any time):
We retain your information in accordance with record retention policies, based on levels of business importance and internal guidance for compliance with auditing and legal requirements, and in accordance with retention requirements set forth by accreditation bodies.
How We Secure the Information We Collect from or About You
We use a combination of physical, technical, and administrative safeguards to protect the information we collect through the Services. Once we have deidentified your data, we will not attempt to reidentify it.
While we use these precautions to safeguard your information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf.
Our Sharing of Your Information
Additional Information About our Data Collection and Sharing Practices
Your Options and Rights
Please visit the login page on any of our websites to update your contact information and payment method.
If at any time you would like to unsubscribe from receiving future emails from an Association entity, you can click the unsubscribe link at the bottom of any email bulletin, or email us at Privacy@restaurant.org and we will promptly remove you from correspondence from that entity.
Please note that we may be required to contact you with important information relating to your use of our Services.
Your Colorado Privacy Rights
The Colorado Privacy Act (“CPA”) provides Colorado residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Data,” as well as rights to access and control Personal Data. The CPA defines “Personal Data” to mean “information that is linked or reasonably linkable to an identified or identifiable individual.” Certain information we collect may be exempt from the CPA because it is de-identified, considered public information (i.e., it is made available by a government entity), covered by a federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, or otherwise excluded from the definition of Personal Data under the CPA.
From time to time in this section of the Privacy Policy, we may refer to the “processing” of Personal Data. “Process” or “Processing” means collecting, using, selling, storing, analyzing, deleting, or modifying Personal Data.
If you are a Colorado resident and would like to see the categories of Personal Data that we collect or sell, please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices. If you are a Colorado resident and would like to make a request to access your Personal Data, correct your Personal Data, delete your Personal Data, or request that we do not sell your Personal Data or use it for targeted advertising or certain kinds of profiling (as described in more detail below), please visit our Privacy Request webpage, or contact us as described above.
If you would like to appeal any decision we make not to comply with your request (in whole or in part), please respond to the email you received from Privacy@restaurant.org notifying you of our decision, or write to us or call us at the above address within forty-five (45) days of your receipt of our response.
To the extent that we collect Personal Data that is subject to the CPA, that information, our practices, and your rights are described below.
Sensitive Data
Some of the Personal Information we collect falls under the definition of “Sensitive Data” under the CPA. The following is a description of our data collection practices with respect to Sensitive Data, including the Sensitive Data we collect, the sources of that Sensitive Data, the purposes for which we collect Sensitive Data, and whether we disclose that Sensitive Data to external parties.
Your Oregon Privacy Rights
The Oregon Consumer Data Privacy Act (“OCDPA”) provides Oregon residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Data,” as well as rights to access and control Personal Data. The OCDPA defines “Personal Data” to mean “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” Certain information we collect may be exempt from the OCDPA because it is de-identified, considered public information (i.e., it is made available by a government entity or widely distributed media), covered by a federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, or otherwise excluded from the definition of Personal Data under the OCDPA.
From time to time in this section of the Privacy Policy, we may refer to the “processing” of Personal Data. “Process” or “Processing” means performing an action or operation, or a series of actions or operations (including automatically) on Personal Data, such as collecting, using, selling, storing, analyzing, deleting, or modifying Personal Data.
If you are an Oregon resident and would like to see the categories of Personal Data that we collect or sell, please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices. If you are an Oregon resident and would like to make a request to access your Personal Data, correct your Personal Data, delete your Personal Data, or request that we do not sell your Personal Data or use it for targeted advertising or certain kinds of profiling (as described in more detail below), please visit our Privacy Request webpage, or contact us as described above.
If you would like to appeal any decision we make not to comply with your request (in whole or in part), please respond to the email you received from Privacy@restaurant.org notifying you of our decision, or write to us or call us at the above address within forty-five (45) days of your receipt of our response. We will approve or deny your appeal, in writing with an explanation of our decision, within forty-five (45) days of our receipt of your appeal.
To the extent that we collect Personal Data that is subject to the OCDPA, that information, our practices, and your rights are described below.
We will provide information that you request pursuant to this section once during any twelve (12)-month period without charge. For any subsequent requests in a twelve (12)-month period (other than subsequent requests intended for you to verify our compliance with your prior request), we may charge a reasonable fee to cover the administrative costs of complying with your subsequent requests.
Sensitive Data
Some of the Personal Information we collect falls under the definition of “Sensitive Data” under the OCDPA. The following is a description of our data collection practices with respect to Sensitive Data, including the Sensitive Data we collect, the sources of that Sensitive Data, the purposes for which we collect Sensitive Data, and whether we disclose that Sensitive Data to external parties.
Your California Privacy Rights
The California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CPRA”) provides California residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Information,” as well as rights to access and control Personal Information with respect to certain business entities. The CPRA defines “Personal Information” to mean “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Certain information we collect may be exempt from the CPRA because it is considered public information (i.e., it is made available by a government entity) or covered by a federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, or the Fair Credit Reporting Act, or otherwise excluded from the definition of Personal Data under the CPRA.
Due to the Association and its subsidiaries’ and affiliates’ status as tax-exempt, not-for-profit trade associations, public charities, and political action committees, it is our position that we are not subject to either the CCPA or the CPRA.
Because we respect your privacy, we have voluntarily agreed to make certain disclosures available to California residents. If you are a California resident and would like to see the categories of personal information that we collect or sell, please see the Sections above entitled Information We Collect, How We Use Your Information, Our Sharing of Your Information, and Additional Information About our Data Collection and Sharing Practices. If you are a California resident and would like to make such a request to access your personal information, delete your personal information, request that we do not sell or share your information, or request that we limit the use of your sensitive personal information to those purposes authorized by the CPRA, please visit our Privacy Request webpage, or contact us as described above.
To the extent that we collect Personal Information that is subject to the CPRA, that information, our practices, and any rights you may have under the CPRA are described below.
Sensitive Personal Information
Some of the Personal Information we collect falls under the definition of “Sensitive Personal Information” under the CPRA. The following is a description of our data collection practices with respect to Sensitive Personal Information, including the Sensitive Personal Information we collect, the sources of that Sensitive Personal Information, the purposes for which we collect Sensitive Personal Information, and whether we disclose that Sensitive Personal Information to external parties. We may use any and all of the Sensitive Personal Information for any of the purposes described in this Privacy Policy, unless limitations are listed. The categories we use to describe the information are those enumerated in the CPRA.
Right to Limit Use or Disclosure of Sensitive Personal Information
To the extent that we collect Personal Information that is subject to the CPRA, you may have the right to limit the use or disclosure of your Sensitive Personal Information to just those actions that:
Your Nevada Privacy Rights
Residents of the State of Nevada have the right to opt out of the sale of certain pieces of their information to third parties who will sell or license their information to others. If you are a Nevada resident and would like to make such a request, please visit our Privacy Request webpage, or contact us as described above.
Special Information for Students of Academic Institutions (FERPA)
Students using our Services through an educational agency or institution (“School”) may be entitled to certain rights under federal and/or state student privacy laws, such as the Family Educational Rights and Privacy Act (“FERPA”). Under FERPA, these rights include the right to:
As part of our Services to students, you must authorize us to:
Schools that we work with are required to provide students, parents or guardians required notices and obtain required consents for use of the Services as provided above.
If you are a User who is an academic student at an American educational institution (a “Student User”), how you give consent depends on what website you are using.
For Student Users of Restaurant.org (including Trendmapper.Restaurant.org), ServSuccess.com, ServSafeInternational.com, and Benefits.ServSafeBrands.com, complete this Online Consent Form and send it to Privacy@restaurant.org before commencing any Services or providing any educational records or personal information.
For users of the websites listed below, please follow the instructions below based upon when your account was created.
Website | New Users | Accounts Created After March 12, 2022 | Accounts Created Before March 12, 2022 |
ServSafe.com, ChooseRestaurants.org, nrfsp.com, AHLEI.ServSafeBrands.com, ManageFirst.restaurant.org, Textbooks.restaurant.org, MyProStart.chooserestaurants.org | Select ‘Academic Student’ as job role and answer the subsequent questions regarding consent. | Update your profile to give consent by changing your job role to ‘Academic Student’ and answering the subsequent questions. | Complete this Online Consent Form and send it to Privacy@restaurant.org before commencing any Services or providing any educational records or personal information. |
Information for Individuals Located in the United Kingdom, European Economic Area and Switzerland
The categories of personal data that we collect, and the recipients of that data are described above. We process personal data on the following legal bases (which are described in more detail above): (1) with your consent; (2) as necessary to perform our agreement to provide Services; and (3) as necessary for our legitimate interests in providing the Services where those interests do not override your fundamental rights and freedom related to data privacy, as described above. Personal information we collect may be transferred to, and stored and processed in, the United States or any other country in which we or our affiliates or subcontractors maintain facilities, as described above.
Users that reside in the United Kingdom, EEA or Switzerland have the right to lodge a complaint about our data collection and processing actions with the supervisory authority concerned.
Contact details for data protection authorities are available here.
If you are a resident of the United Kingdom, EEA or Switzerland, you are entitled to certain rights. Please note: In order to verify your identity, we may require you to provide us with personal information prior to accessing any records containing information about you. These rights include the following:
To submit a request to exercise your rights, please contact us at Privacy@restaurant.org. We may have a reason under the law why we do not have to respond to your request, or respond to it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
Changes to This Policy
We may make changes to this Policy from time to time. We will post any changes, and such changes will become effective when they are posted unless otherwise required by law. Your continued use of our Services following the posting of any changes will mean you accept those changes. For questions about our privacy practices, contact us at:
Director of Security
National Restaurant Association
233 South Wacker Drive
Chicago, IL 60606
1-800-765-2122
Email: Privacy@restaurant.org
Additional Information About Our Use of Tracking Technologies and Interest-Based Advertising
The Association relies on partners to provide many features of our sites and services using data about your use of the Association and other sites. We use cookies for the following purposes:
Below is a list of these partners with links to more information about the use of your data by our service providers and third parties that use tracking devices or cookies. We have provided links to information about the choices these services may make available to you.
Category | Partner | Further Information |
Analytics | Google Privacy & Terms | |
Personalized Advertising and Social Media | Data Policy | |
Personalized Advertising | Privacy Policy | |
Analytics | Microsoft Clarity | Privacy Policy (see below) |
Site Operations | Marketo Forms | Privacy Policy |
Personalized Advertising | Marketo Munchkin | Privacy Policy |
Site Operations | ON24 | Privacy Policy |
In addition to the foregoing, The National Restaurant Association Educational Foundation (“NRAEF”) partners with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with NRAEF’s website through behavioral metrics, heatmaps, and session replay to improve and market NRAEF’s programs and any products/services made available through NRAEF’s website. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
Most web browsers automatically accept cookies but, if you prefer, you can usually modify your browser setting to disable or reject cookies. If you delete your cookies or if you set your browser to decline cookies, some features of the Services may not be available, work, or work as designed. You may also be able to opt out of or block tracking by interacting directly with the third parties who conduct tracking through our Services.
You can learn more about ad serving companies and the options available to limit their collection and use of your information by visiting the websites for the Network Advertising Initiative, the Digital Advertising Alliance, and the European Interactive Digital Advertising Initiative. Similarly, you can learn about your options to opt out of mobile app tracking by certain advertising networks through your device settings and by resetting the advertiser ID on your Apple or Android device.
Please note that opting out of advertising network services does not mean that you will not receive advertising while using our Services or on other websites, nor will it prevent the receipt of interest-based advertising from third parties that do not participate in these programs. It will, however, exclude you from interest-based advertising conducted through participating networks, as provided by their policies and choice mechanisms. If you delete your cookies, you may also delete your opt-out preferences.