Surf Bagel Holdings, LLC — Privacy Policy
Effective Date: June 13, 2025
Surf Bagel Holdings, LLC (“Surf Bagel,” “we,” “us,” or “our”) values your trust. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you:
visit our websites or mobile services,
order food or merchandise online or in-store, or
join our loyalty or promotional programs
(collectively, the “Services”). It also explains the rights that Delaware residents enjoy under the Delaware Personal Data Privacy Act (“DPDPA”) and how to exercise them.
Using our Services means you consent to the practices below. If you disagree, please do not use the Services.
1. Scope
This Policy applies to personal information we collect from consumers. It does not cover employee or job-applicant data, nor data collected by unaffiliated third-party sites or apps that link to or from us.
2. Information We Collect
2.1 Data you provide
Identifiers & contact details — name, postal address, e-mail, telephone
Account & loyalty credentials — username, password, membership ID, points balance
Payment data — card brand, last 4 digits, expiration date (processed by PCI-DSS-certified partners; we never store full numbers or CVVs)
Commercial records — items ordered, purchase date, location, payment method, refunds
Demographics — date of birth or age (for age verification or birthday rewards)
Preferences & feedback — reviews, survey responses, contest entries, messages you send us
2.2 Data collected automatically
Device & browser data — IP address, device identifiers, operating system, browser type
Online activity — pages visited, links clicked, cart actions, timestamps, referring URLs
Approximate location — city or region inferred from IP
Precise geolocation — only if you actively grant permission (e.g., “find nearest store”)
2.3 Cookies and similar technologies
We use essential cookies to operate the site, functional cookies to remember preferences, and first-party analytics cookies (e.g., Google Analytics) to measure traffic. We do not use third-party advertising cookies that track you across non-Surf Bagel websites. Your browser settings let you refuse or delete cookies; doing so may limit certain features.
2.4 Sensitive data
We do not intentionally collect sensitive personal data—such as health details, biometric identifiers, or children’s data—unless you provide it voluntarily or enable a feature that requires it. Any such data is handled only with your explicit consent and subject to heightened protections.
3. How We Use Information
We use personal information only for legitimate business purposes:
Provide & improve Services – process orders and payments, arrange delivery or pickup, and enhance performance.
Manage accounts & loyalty – create, authenticate, and maintain membership and reward balances.
Communicate with you – confirmations, digital receipts, service notices, policy updates, and responses to inquiries (via e-mail, SMS, or phone, consistent with CAN-SPAM and other rules).
Marketing with choice – send you news about menu items, offers, or events similar to those you already enjoy; every marketing e-mail includes an opt-out link and we send promotional texts only with your express consent.
Personalize experience – remember preferred store, suggest menu items based on prior orders, and tailor digital content.
Analytics & security – detect fraud, monitor usage patterns, debug, and compile statistics.
Legal & compliance – meet tax, accounting, food-safety, and privacy-rights obligations, and document compliance.
Corporate events – evaluate or complete mergers, acquisitions, or asset transfers; the protections of this Policy follow any transferred data.
Other purposes you request or consent to.
We do not engage in fully automated decisions that produce legal or similarly significant effects.
4. Disclosure of Information
Surf Bagel does not sell personal data for money and does not share data for third-party targeted advertising. We disclose information only:
To service providers (processors) that perform tasks for us—payment processors, online ordering and delivery partners, hosting and IT support, e-mail and text distributors, analytics providers, and fraud-prevention vendors. Each is bound by contract to safeguard data, use it solely for our instructions, and delete it when services end.
To affiliates under common ownership or control (none at present, but included for completeness) for internal operations and under the same privacy commitments.
To co-promotion partners when you enter a joint contest or event and explicitly agree to sharing.
For legal reasons or safety—to comply with a lawful subpoena or protect rights, property, or personal safety. We evaluate each request, seek to narrow overly broad demands, and disclose only what is legally required.
In business transfers—as part of a merger, acquisition, sale of assets, or similar change in control. If ownership changes, we will give you notice before new privacy terms apply.
With your consent—for any other purpose that you direct.
5. Retention
We keep personal information only as long as needed for the purposes above or as required by law. Once no longer necessary, we securely delete or de-identify it. If data resides in backup archives, it is isolated until deletion is possible.
6. Security
We maintain administrative, technical, and physical safeguards: TLS encryption of payment traffic, firewalls, role-based access controls, multifactor authentication for critical systems, employee privacy training, routine vulnerability scans, and annual penetration testing. Despite these measures, no system is perfectly secure; if a breach occurs, we will notify affected individuals and regulators as required.
7. Your Rights (Delaware Residents as outlined by DPDPA)
Access / Know – request confirmation and a copy of personal data we hold.
Correction – ask us to fix inaccuracies.
Deletion – request erasure of data we collected from you, subject to legal exceptions.
Portability – receive data you provided in a portable format.
Opt-out – direct us not to sell or share data or to use it for targeted ads or significant profiling.
Appeal – contest a refusal of your request within 60 days.
We will not discriminate against you for exercising these rights.
How to submit a request
Online – use the “contact us” form on our website’s About Us page.
Mail – write to Surf Bagel Holdings, LLC — Privacy Team, P.O. Box 1618, Rehoboth Beach, DE 19971.
Provide enough information for us to verify your identity (e.g., name plus a recent order number or loyalty ID). We will respond within 45 days (15 days for opt-out requests); if we need up to 45 additional days, we will explain why.
You may designate an authorized agent to act for you, but we will require proof of identity and written authorization or power of attorney.
Global Privacy Control (GPC)
A browser signal such as GPC indicating “do not sell or share my data” will be honored for that device no later than January 1, 2026 (and sooner wherever feasible).
If you feel your request was improperly denied, you may appeal by replying to our decision e-mail or resubmitting via the contact form. Unresolved appeals may be filed with the Delaware Department of Justice through its Personal Data Privacy Portal.
8. Children
Our online Services are not directed to children under 13 and we do not knowingly collect their data. Parents who believe a child has provided information should contact us; we will delete it promptly. We also do not process teen (13-17) data for targeted advertising or sale without the teen’s affirmative consent.
9. Changes to This Policy
We may update this Policy from time to time. Material changes will be highlighted on our site or sent directly to you if we have your e-mail. The “Last Updated” date tells you when revisions take effect. Continued use of the Services after that date signifies acceptance.
10. Contact Us
For privacy questions or requests, use the contact form on our website’s About / Contact Us page or write to:
Surf Bagel Holdings, LLC – Privacy Team
P.O. Box 1618
Rehoboth Beach, DE 19971 USA
We will respond as promptly as possible.
TO VIEW OUR PRIVACY POLICY ARCHIVE, PLEASE CLICK THE BUTTON BELOW