These Merchant Terms of Service ("Merchant Terms") are a legal agreement between you, the restaurant, café, bar, or other food-service establishment ("Merchant," "you," or "your") and Dashi POS Inc. ("Dashi," "we," "us," or "our"). These Merchant Terms govern your access to and use of the Dashi platform, including reservation and waitlist management, guest relationship tools, marketing and loyalty features, point-of-sale services, analytics, and any related services (collectively, the "Services").

By accessing or using the Services, you agree to these Merchant Terms, our Privacy Policy, and any other policies referenced herein. If you do not agree, do not use the Services.

These Merchant Terms do not apply to Guests who interact with Dashi directly; Guest use is governed by our Terms of Service.

1. Definitions

"Guest" means an identifiable individual who makes a reservation, joins a waitlist, places an order, or otherwise interacts with your establishment through the Services.

"Guest Data" means personal information relating to a Guest that is processed through or stored in Dashi's systems in connection with your use of the Services, including name, phone number, email address, reservation and waitlist details, party size, timestamps, visit history, dietary preferences, communication preferences, and staff notes.

"Dashi Diner Profile" means a consumer account created by Dashi when a Guest independently opts in to Dashi's consumer services (such as the loyalty network, consumer app, or account features) under Dashi's own Terms of Service and Privacy Policy.

"Service Communications" means operational or transactional messages strictly related to a reservation, waitlist, order, or Guest account (for example, confirmations, reminders, waitlist status updates, and post-visit feedback requests), excluding any promotional content.

"Marketing Communications" means messages that encourage participation in a commercial activity or promote your establishment, including offers, events, and loyalty promotions, whether sent by email, SMS, or other electronic means.

"Consent Record" means an audit record evidencing a Guest's opt-in or opt-out for Marketing Communications, including the fields described in Section 7.

"Suppression List" means the list of identifiers (phone numbers, email addresses) for Guests who have opted out, withdrawn consent, or must not receive Marketing Communications for any legal or compliance reason.

"Sub-processor" means a third party engaged by Dashi to process Guest Data on Dashi's behalf, such as cloud hosting, SMS delivery, email delivery, or analytics providers.

2. The Services

2.1 What Dashi Provides

Dashi provides technology services that enable you to manage reservations and waitlists, accept orders and payments, run loyalty and marketing programmes, and access analytics for your establishment. The specific features available to you depend on your subscription plan.

2.2 Acceptance of Terms

By using the Services, you represent that you are an authorized representative of your establishment and have the authority to bind it to these Merchant Terms.

2.3 Changes to These Terms

We may update these Merchant Terms from time to time. If changes materially reduce your rights or increase your obligations, we will provide you with at least 30 days' notice by email or through the Services. Your continued use of the Services after the effective date of any update constitutes acceptance.

3. Data Roles and Responsibilities

3.1 Merchant as Controller; Dashi as Processor

For Guest Data processed in connection with your reservation, waitlist, ordering, guest relationship management, and marketing activities, you are the controller (you determine purposes and means of processing) and Dashi is the processor (we process Guest Data on your documented instructions as set out in these Merchant Terms and through your in-product configuration).

This allocation is consistent with the mainstream approach used by leading restaurant technology platforms and reflects Canadian accountability principles under PIPEDA.

3.2 Dashi as Independent Controller for Dashi Consumer Services

When a Guest independently creates a Dashi Diner Profile — for example, by signing up on a Dashi loyalty page, downloading the Dashi app, or opting in to Dashi's consumer network — the Guest enters a direct relationship with Dashi. For that relationship, Dashi collects and processes personal information as an independent controller under Dashi's own Terms of Service and Privacy Policy.

To be clear: you own your Guest Data. Dashi's creation of a Dashi Diner Profile does not transfer ownership of your Guest Data to Dashi, and Dashi will not use your Guest Data to market competing establishments to your Guests.

3.3 How These Roles Work in Practice

When a Guest makes a reservation at your restaurant, that data belongs to you and Dashi processes it for you. If that same Guest separately opts in to a Dashi loyalty programme or creates a Dashi account, they are also entering a relationship with Dashi. Both relationships can exist at the same time, but they are distinct and governed by separate consent.

3.4 No Sale of Guest Data

Dashi will not sell Guest Data. Dashi will not share identifiable Guest Data with other merchants without the Guest's consent.

4. Permitted Processing

4.1 What Dashi May Do with Guest Data

Dashi may process Guest Data to:

(a) provide, maintain, and secure the Services;
(b) display Guest Data in your staff dashboard for operational use;
(c) send Service Communications as configured by you;
(d) provide reporting and operational insights to you based on your Guest Data;
(e) provide marketing and loyalty features as configured by you, subject to Section 5; and
(f) create and maintain Dashi Diner Profiles where the Guest has independently opted in under Section 3.2.

4.2 Processing Limits

Dashi will not send Marketing Communications on your behalf unless you have configured the relevant marketing feature and valid consent has been obtained and recorded.

4.3 Acceptable Use

You will not use Guest Data obtained through the Services to harass Guests, take adverse action unrelated to legitimate hospitality operations, or engage in any use that violates applicable law.

5. Marketing and Loyalty

5.1 You Are Responsible for Marketing Compliance

You are solely responsible for:

(a) determining whether you have valid consent (express or implied) for Marketing Communications under Canada's Anti-Spam Legislation (CASL) and any other applicable law;
(b) the content of your Marketing Communications; and
(c) complying with all applicable law for marketing, including CASL.

This allocation of responsibility is standard across the restaurant technology industry.

5.2 CASL Requirements Summary

Under CASL, Marketing Communications may only be sent if the recipient has given consent (express or implied), and each message must include:

(a) your business name, mailing address, and at least one of phone number, email address, or website URL;
(b) a clear and prominent unsubscribe mechanism that is easy to perform; and
(c) unsubscribe contact information and links that remain valid and functional for at least 60 days.

Unsubscribe requests must be honoured without delay and in any event within 10 business days. The burden of proving consent rests with the sender.

5.3 Implied Consent

CASL allows implied consent only in defined circumstances, notably where there is an existing business relationship based on a purchase or lease within the prior two years, or an inquiry or application within the prior six months. You are responsible for determining whether implied consent applies and for being able to evidence it.

5.4 Separation of Service and Marketing Communications

You will not include promotional content in Service Communications unless you have valid marketing consent and the message otherwise complies with applicable law.

5.5 Suppression Lists and Opt-Outs

You acknowledge that Dashi maintains a Suppression List within the Services for your establishment. The marketing features will not send Marketing Communications to suppressed identifiers. If you export Guest Data and use external tools for marketing, you must also export and apply the Suppression List and must not message suppressed Guests.

5.6 No Bypassing Compliance Controls

You will not use exports, re-uploads, or any workaround to send Marketing Communications to Guests who are on the Suppression List or who have not provided valid consent.

5.7 SMS-Specific Rules

Where SMS marketing is used, you will ensure recipients can opt out by replying "STOP" (where supported by the carrier) and that opt-outs are applied to the Suppression List without delay.

6. Consent Capture

6.1 Consent Must Be Opt-In and Purpose-Specific

You will obtain marketing consent in a manner that is clear, purpose-specific, and separate by channel (email versus SMS). Consent for marketing must not be bundled with acceptance of reservation or ordering services — a Guest must be able to use your restaurant's core services while declining marketing.

6.2 Required Information in the Consent Request

Under CASL regulations, a request for marketing consent must include your business identity, mailing address, at least one of phone number, email, or web address, and a statement that consent can be withdrawn. You will ensure your consent requests include this information.

6.3 Dashi Diner Profile Consent

Consent for a Dashi Diner Profile is separate from marketing consent. Where a Guest opts in to Dashi's consumer services (such as a loyalty programme or app), Dashi will present its own consent flow explaining what data is collected and how it will be used.

7. Consent Records and Auditability

7.1 Minimum Consent Record Fields

For each marketing opt-in or opt-out processed through the Services, Dashi will log (and you may export) at least:

(a) timestamp with time zone;
(b) your venue identifier;
(c) staff user identifier (if captured in person) or source (web, QR, app);
(d) channel (email and/or SMS);
(e) consent text shown (exact wording or version reference); and
(f) Guest identifier (email or phone) and action (opt-in, opt-out, or withdrawal).

7.2 Retention of Consent Records

Consent Records will be retained within Dashi's systems during the service relationship and for at least 24 months after the last Marketing Communication sent, unless a longer period is required by applicable law or for active dispute resolution.

7.3 Audit Right

Dashi may request reasonable proof that your consent practices are compliant as a condition of enabling or continuing marketing functionality. If Dashi reasonably believes you are using marketing features unlawfully, Dashi may suspend those features until the issue is corrected.

8. Exports and Staff Access

8.1 Export Responsibility

If you export Guest Data from the Services (including guest lists, CSV files, or similar), you are responsible for:

(a) limiting access to authorized personnel;
(b) storing exported data securely;
(c) respecting the Suppression List and consent status in any downstream use;
(d) not repurposing reservation data for new purposes (such as marketing) without proper consent; and
(e) securely deleting exported data when no longer needed.

8.2 No Selling or Renting Guest Data

You will not sell, rent, or share Guest Data lists with third parties, except as necessary for your legitimate hospitality operations and only under appropriate legal authority.

8.3 Staff Training

You will maintain internal policies and provide training for staff who access Guest Data through the Services.

9. Guest-Facing Notices

9.1 Your Responsibility

You are responsible for providing Guests with a clear notice at or before collection that explains what information is collected, the reservation or ordering purposes, any optional marketing purposes, and any cross-border processing (if applicable). Dashi provides template notice language for your convenience, but compliance with notice requirements is your responsibility.

10. Security and Breach Notification

10.1 Dashi's Safeguards

Dashi maintains physical, technical, and organizational safeguards appropriate to the sensitivity of Guest Data, including access controls, authentication, encryption, and logging.

10.2 Your Safeguards

You will maintain appropriate safeguards for credentials, staff access, and any exported Guest Data.

10.3 Breach Notification

If Dashi becomes aware of a security incident affecting Guest Data in Dashi's systems, Dashi will notify you without undue delay and provide reasonably available information to support your legal obligations (scope, categories of data, and mitigation steps).

If you become aware of a security incident arising from your systems or exports that affects Guest Data originating from the Services, you will notify Dashi without undue delay.

10.4 PIPEDA Breach Obligations

Under PIPEDA's mandatory breach regime, businesses must report breaches that pose a real risk of significant harm, notify affected individuals as soon as feasible, and keep breach records for at least two years. The party determined to be in control of the personal information for a given incident is responsible for required reporting and individual notification, but both parties will provide reasonable cooperation.

11. Sub-processors

11.1 Use of Sub-processors

Dashi uses Sub-processors to deliver the Services. Dashi will restrict Sub-processor access to what is necessary, enter into written agreements requiring appropriate protections, and remain responsible for Sub-processors' compliance.

11.2 Sub-processor List

A current list of Sub-processors is available at dashipos.com/sub-processors or upon request. Dashi will provide notice of material changes to the Sub-processor list.

12. Analytics, Benchmarking, and Aggregated Data

12.1 Merchant Reports

Dashi may provide you with analytics and insights about your operations derived from your Guest Data.

12.2 Aggregated and De-identified Analytics

Dashi may create and use aggregated or de-identified data derived from Guest Data to improve Dashi's products, develop industry insights and trends, and create city-level or neighbourhood-level benchmarking outputs. Dashi will not:

(a) attempt to re-identify any Guest from aggregated or de-identified data;
(b) disclose Guest-identifiable data to other merchants; or
(c) disclose your identifiable competitive metrics to other merchants without your permission.

13. Termination and Data

13.1 Export on Discontinuation

If you discontinue use of the Services, Dashi will provide you with a reasonable opportunity to export your Guest Data and Consent Records through Dashi's standard export tools for a period of 30 days.

13.2 Deletion

After the export window, Dashi will delete or anonymize Guest Data associated with your establishment from active systems within 90 days, subject to legal retention requirements and technical retention in backups (which will remain protected and be overwritten in the ordinary course).

13.3 Dashi Diner Profiles

Dashi Diner Profiles are maintained under the Guest's direct relationship with Dashi and are not affected by your discontinuation of the Services.

14. Indemnity and Liability

14.1 Your Indemnity for Marketing Misuse

You will defend, indemnify, and hold harmless Dashi from third-party claims, regulatory investigations, penalties, and fines arising from your Marketing Communications (whether sent via the Services or via exports), your failure to obtain or retain valid consents or to honour opt-outs, or your unlawful disclosure of Guest Data.

14.2 Dashi Indemnity for Security Incidents

Dashi will indemnify you for third-party claims arising directly from Dashi's gross negligence or wilful misconduct that results in unauthorized disclosure of Guest Data in Dashi's systems.

14.3 Limitation of Liability

Except for wilful misconduct, gross negligence, breach of confidentiality, and indemnity obligations, each party's total liability under these Merchant Terms is limited to the greater of (a) the fees paid by you to Dashi in the twelve months preceding the claim, or (b) CAD $5,000.

15. Québec Note (Law 25)

If you are subject to Québec's private-sector privacy law as amended by Law 25, you are responsible for completing any required privacy impact assessments for the adoption or overhaul of information systems handling Guest Data and for the communication of personal information outside Québec. Dashi will provide reasonable cooperation for these assessments.

16. General

16.1 Governing Law

These Merchant Terms are governed by the laws of Ontario and the federal laws of Canada applicable therein.

16.2 Amendments

Dashi may update these Merchant Terms in accordance with Section 2.3. Material changes to data processing or marketing compliance terms will be communicated with at least 30 days' notice.

16.3 Entire Agreement

These Merchant Terms, together with the Privacy Policy and any order form or subscription confirmation, constitute the entire agreement between the parties regarding the subject matter herein.

16.4 Severability

If any provision of these Merchant Terms is found to be unenforceable, the remaining provisions will continue in full force and effect.

17. Contact

If you have questions about these Merchant Terms, contact us:

Email: legal@dashipos.com

Support: support@dashipos.com

Mail:

Dashi POS Inc.

Attn: Legal Department

8171 Yonge St

Toronto, ON L3T 2C6

Merchant Terms of Service

Table of Contents