Operator Playbook
Your POS vendor collects your customer data every day. The real question: who's making money from it — and how much did you give away without reading the contract?
By Justin K. Sellers · 12 min read · March 3, 2026
The best-run companies make 11% of their revenue just from selling data.
That's five times more than everyone else.
For restaurant operators, that raises one question:
Who's making money from your data?Every transaction you process generates data. Customer name. Email. Purchase history. Visit frequency. Average ticket. Daypart preference. Payment method.
That data has value.
The question operators aren't asking: Who's capturing that value?
And what did you agree to when you signed your POS contract?
Restaurant technology vendors collect customer data across every touchpoint:
POS systems collect transaction timestamps, order contents, payment methods, tender amounts, ticket averages, void patterns, and employee IDs processing orders. Loyalty and CRM platforms collect email addresses, phone numbers, birth dates, ZIP codes, purchase history, points balances, redemption behavior, and email engagement metrics. Online ordering platforms collect delivery addresses, order preferences, cart abandonment data, browsing behavior, promo code usage, and order frequency. Delivery aggregators collect ordering patterns across multiple brands, competitive set analysis, delivery instructions, rating data, and driver tip behavior.Every data point has a price tag — the question is who's collecting the check.
When DoorDash and Uber Eats won a court battle in September 2024 to block New York City's law requiring them to share customer data with restaurants, the result was clear: operators still don't have access to their own customers' data on these platforms.
The court blocked the data-sharing mandate on First Amendment grounds — not on the question of who owns the data.
But the practical outcome is the same: the customer who ordered from your restaurant through DoorDash remains DoorDash's customer in their system — not yours — regardless of the legal reasoning behind the ruling.
[CUSTOMER_DATA_BUYERS_CHART]
The restaurant data marketplace extends far beyond technology vendors.
CPG brands — companies like PepsiCo, Mondelēz, and General Mills that manufacture the products restaurants serve — purchase restaurant transaction data. They use it to target promotions and develop new products.According to CPG industry analysis, brands like Mondelēz, PepsiCo, and General Mills use first-party retail data to overcome marketing limitations and unlock new paths to growth.
Retailers and data brokers provide CPG brands with anonymized transaction data on individual shoppers.
This reveals granular differences between customer segments — gluten-free buyers versus organic food buyers, brand loyalists versus switchers.
Marketing agencies purchase customer contact lists for targeted advertising.Modern consumers leave substantial digital footprints across social media, retail media, and in-store digital media.
Omnichannel shoppers now account for 86% of all CPG sales.
Real estate developers and investors purchase transaction density data for site selection analysis. Payment processors analyze transaction volumes, payment mix, and ticket averages to build spend analytics products.In our view, the most significant data buyers are the ones operators don't see: the technology vendors themselves.
Walmart's data monetization business — called Scintilla — announced 173% year-over-year customer growth in October 2024.
Every customer signed on for at least three years.
100% renewal rate.
Walmart also launched Scintilla Insights Activation. It's an AI-powered platform that turns data insights into real-time recommendations for audience targeting and ad campaigns.
That's not a POS vendor. That's a retailer.
But the principle applies: Companies sitting on proprietary customer data are building entire businesses around monetizing it.
Restaurant technology vendors operate in the same market.
They collect transaction data. Behavioral data. Customer contact information. Operational metrics.
The question is what happens next. Industry research documents how aggregated, anonymized transaction data flows from retailers and platforms to outside buyers. CPG brands. Data brokers. Marketing agencies.
According to Harvard Business Review, the most effective data monetization strategies start with one thing: understanding your proprietary advantage. That could be privileged access to high-quality data, deep customer knowledge, or domain-specific infrastructure.
POS vendors have all three.
Privacy policies use specific language around data usage.
Here's what one major POS vendor's privacy statement says:
"With our third-party business partners in order to provide, maintain, improve and expand our Services; With third parties that help us provide, maintain, and improve our Services."
The same policy lists what those service providers can access: hosting, IT services, payment processing, identity verification, fraud prevention, marketing, advertising, data analytics, personalization, and customer support.
That language covers data sharing with third parties for "data analytics and personalization."The same policy continues:
"Using transactional data and order history to offer recommendations within our Services or those of our Merchants; Using information about your dining experience (including waitlist and reservation details) to enhance current and future dining experiences at our Merchants' restaurants; Using analytics and profiling technologies to personalize your experience."
That's standard language across most platform agreements.
In our view, "anonymized" data may carry re-identification risk when combined with other data sources — a concern privacy researchers have raised across industries.
CPG brands can now track purchases at the family level over time through "householding" — monitoring what families buy as children age and needs evolve.
They build customer lifetime value profiles, not just transaction snapshots.
Operators receive valuable tools in exchange for customer data:
Real-time sales dashboards. Labor scheduling tools. Inventory waste reduction. Benchmarking reports. Customer segmentation. Menu performance analytics. Loyalty program templates.
According to industry data, 8 in 10 organizations with loyalty programs report they helped during economic challenges. 9 out of 10 report positive ROI averaging over 40%.
Customers who redeem personalized rewards spend 4.3 times more annually than those who redeem non-personalized rewards.
That's real value.
But operators may not know the answers to questions like:
- Is their "free" benchmarking report funded by licensing their data to other parties? - Does their loyalty platform share customer emails with CPG brands? - Does their delivery aggregator use menu and pricing data to recruit competing concepts? - Do payment processors package transaction patterns into analytics products sold to investors?
These are open questions — not accusations. But they're worth asking.
According to PCI security experts, POS systems contain "a treasure trove of customer data."
Restaurants are required to comply with Payment Card Industry Security Standards Council standards.
But PCI compliance addresses card data security, not customer data ownership.
The average global cost of a data breach reached $4.45 million in 2025, a 9% increase since 2023.
Nearly 60% of breached small businesses close permanently within six months of an attack.
That's the downside risk operators understand.
What they don't understand: The upside value they're giving away.
Based on vendor privacy policies and data usage disclosures, here are the questions that separate transparent vendors from opaque ones:
Do you monetize customer data collected through your platform?Ask directly. The answer reveals whether data licensing is part of their business model.
Who do you sell aggregated data to?CPG brands? Suppliers? Real estate firms? Investors? Competitors?
Can I opt out of data resale and still use your platform?If the answer is no, data monetization subsidizes your "discounted" software fees.
If I switch vendors, do I retain ownership of historical customer data?Most contracts are silent on this point. That silence benefits vendors, not operators.
What rights do I have to restrict how my data is used?Under GDPR and some state laws, customers can access, delete, and control their personal data.
But what rights do operators have over aggregate customer data collected through vendor platforms?
Who is responsible if customer data is breached?PCI compliance makes operators liable for card data breaches.
But if a loyalty platform is breached and customer emails are stolen, who pays?
The customer data question isn't about privacy.
It's about value capture.
Every operator collects valuable customer data. Transaction patterns. Visit frequency. Menu preferences. Daypart behavior.
That data has commercial value. CPG brands want it. Suppliers want it. Investors and competitors want it too.
According to data monetization experts, organizations that successfully monetize data move up the "DIKW pyramid" — from raw data to information to knowledge to wisdom.
Restaurant technology vendors are positioned at the top of that pyramid. They have the infrastructure to aggregate data from thousands of operators. Analyze patterns. Package insights. Monetize the intelligence.
In our analysis, operators appear positioned at the bottom of this value chain. They generate the data. They may not see the revenue.
In our view, this dynamic raises questions about long-term sustainability for the industry.
CPG brands increasingly use retail media networks to access first-party transaction data. AI makes that analysis easier and more valuable every year. The commercial value of restaurant customer data will only keep growing.
Operators who don't understand what they're trading may keep subsidizing technology platforms. The commercial value of the data they give away may be larger than they realize.
The question worth asking before signing any technology contract in 2026:
If the vendor can't answer that question in writing, the terms of the exchange may not be as clear as they appear.
This analysis is based on publicly available privacy policies, industry reports on data monetization, and CPG purchasing behavior research.
But several key questions remain unanswered:
We don't know how much revenue restaurant technology vendors generate from data licensing.Vendors don't disclose this in public filings. Private companies don't report it at all.
We don't know which specific vendors sell customer data and which don't.Privacy policies describe data sharing with "third-party business partners" without naming them or specifying commercial terms.
We don't know what percentage of operators read data usage clauses in vendor contracts.Anecdotal evidence suggests most operators focus on pricing and features, not data rights.
We don't know whether operators who opt out of data sharing pay higher software fees.If data monetization subsidizes platform costs, opting out should increase subscription prices. But no vendor discloses this trade-off.
We don't know what legal precedents exist for customer data ownership disputes between operators and vendors.The DoorDash/Uber Eats case addressed First Amendment compelled speech, not commercial data ownership. Contract disputes over who owns customer data collected through vendor platforms haven't been litigated publicly.
This analysis cites multiple independent industry sources on data monetization, privacy policy disclosures, and CPG purchasing behavior. We reference publicly available research with full attribution and direct links to support our independent analysis.
Operators seeking to understand specific vendor data practices should request written clarification of data usage terms before signing contracts.
QSR Research Hub is an independent publication. We are not affiliated with any technology vendor and receive no compensation for citations or analysis.
QSR Research Hub publishes independent, operator-first analysis — 3,000+ word deep dives with 15-25 cited sources. No vendor spin. No paywall. No pitch disguised as an article. Join a growing network of operators, investors, and suppliers who want real research.
Subscribe to QSR Research Hub1. McKinsey & Company. "Intelligence at scale: Data monetization in the age of gen AI." Survey of 349 senior leaders showing top performers attribute 11% of revenue to data monetization. July 31, 2025. https://www.mckinsey.com/capabilities/business-building/our-insights/intelligence-at-scale-data-monetization-in-the-age-of-gen-ai
2. Otter. "How secure is customer data in a restaurant POS system?" POS systems collect transaction timestamps, order contents, payment methods, and CRM data. June 19, 2024. https://www.tryotter.com/resource/wiki/securing-customer-data-restaurant-pos-systems
3. Olo. "7 Restaurant Marketing Trends to Watch in 2024." Guest Data Platforms collect customer contact information, purchase history, and behavior metrics. October 19, 2023. https://www.olo.com/blog/7-restaurant-marketing-trends-to-watch-in-2024
4. Restaurant Dive. "DoorDash, Uber Eats win NYC customer data court battle." Court blocked NYC's data-sharing mandate on First Amendment grounds; operators remain without access to customer data on aggregator platforms. September 25, 2024. https://www.restaurantdive.com/news/doordash-uber-eats-win-nyc-customer-data-court-battle/727994/
5. Catalina. "2025 CPG Marketing Guide | Leveraging CPG Data & Insights." CPG brands purchase anonymized transaction data from retailers and data brokers. https://www.catalina.com/perspectives-blog/2025-guide-cpg-marketing-data-analytics-insights
6. Food Industry Executive. "Unlocking Opportunities in Retail Media: How CPG Brands Are Bridging the Data Gap." Mondelēz, PepsiCo, and General Mills leverage retail data for customer lifetime value tracking. December 4, 2024. https://foodindustryexecutive.com/2024/12/unlocking-opportunities-in-retail-media-how-cpg-brands-are-bridging-the-data-gap-to-drive-growth-and-engagement/
7. Cliffe Edge Marketing. "5 Key Trends in CPG Food & Beverage for 2025." Omnichannel shoppers account for 86% of CPG sales; brands use analytics for personalization. April 23, 2025. https://cliffedgemarketing.com/5-key-trends-in-cpg-food-and-beverage-for-2025/
8. EY. "The consumer-data value exchange for retailers and CPG." Retailers own discovery and purchase occasion data; CPG companies purchase transaction insights. April 7, 2024. https://www.ey.com/en_us/insights/transforming-retail/the-consumer-data-value-exchange-for-retailers-and-cpg
9. Fishbowl. "Restaurant Data Privacy: Best Practices and Compliance for 2025." Payment processors handle transaction volumes, payment mix, and spend analytics. https://www.fishbowl.com/blog/restaurant-data-privacy
10. McKinsey & Company. "Intelligence at scale: Data monetization in the age of gen AI." Walmart's Scintilla data business achieved 173% YOY growth with 100% renewal rate. July 31, 2025. https://www.mckinsey.com/capabilities/business-building/our-insights/intelligence-at-scale-data-monetization-in-the-age-of-gen-ai
11. Harvard Business Review. "How to Monetize Your Data." Effective data monetization strategies start with proprietary advantage in data access. November 1, 2025. https://hbr.org/2025/11/how-to-monetize-your-data
12. Toast. "Privacy Statement." Toast shares customer data with third-party business partners for data analytics and personalization. https://pos.toasttab.com/privacy
13. Evokad. "Restaurant Digital Transformation Guide for CMOs 2026." 81% of organizations with loyalty programs report positive ROI; personalized rewards drive 4.3x higher spend. November 26, 2025. https://evokad.com/restaurant-digital-transformation-guide-cmos-2026/
14. CRMBC. "POS System Security: 2025 Guide for Restaurant Owners." Average global cost of data breach reached $4.45 million in 2025. November 4, 2025. https://www.crmbc.com/securing-point-of-sale-pos-systems-practical-steps-for-restaurant-owners/
15. Core Payment Solutions. "What Security Features Should a Restaurant POS System Have?" PCI DSS compliance requirements for securing credit card data. July 20, 2024. https://corepaymentsolutions.com/what-security-features-should-a-restaurant-pos-system-have/
16. POSNation. "What Is POS Security? 5 Ways To Protect Customer Data." 60% of breached small businesses close within six months. November 14, 2023. https://www.posnation.com/blog/pos-security
17. LinkedIn. "How do you handle customer data privacy and consent in your POS system?" GDPR gives customers rights to access, delete, and control personal data. January 27, 2024. https://www.linkedin.com/advice/0/how-do-you-handle-customer-data-privacy