Operator Playbook
Your POS vendor collects your customer data every day. The real question: who's making money from it — and how much did you give away without reading the contract?
By Justin K. Sellers · 12 min read · March 3, 2026
The best-run companies make 11% of their revenue just from selling data.
That's five times more than everyone else.
For restaurant operators, that raises one question:
Who's making money from your data?Every transaction you process generates data.
Customer name :: Email :: Purchase history :: Visit frequency :: Average ticket :: Daypart preference :: Payment method
That data has value.The question operators aren't asking: Who's capturing that value?
And what did you agree to when you signed your POS contract?
Restaurant customer data ownership — who collects it, who can sell it, and what rights operators actually retain — is one of the most underexamined questions in the industry. This analysis covers three things in order:
- What your POS vendor is actually collecting from every transaction - Who's buying that data — and how vendors are monetizing it - What you can do right now to protect your data rights
Restaurant technology vendors collect customer data across every touchpoint:
POS systems collect transaction timestamps, order contents, payment methods, tender amounts, ticket averages, void patterns, and employee IDs processing orders. Loyalty and CRM platforms collect email addresses, phone numbers, birth dates, ZIP codes, purchase history, points balances, redemption behavior, and email engagement metrics. Online ordering platforms collect delivery addresses, order preferences, cart abandonment data, browsing behavior, promo code usage, and order frequency. Delivery aggregators collect ordering patterns across multiple brands, competitive set analysis, delivery instructions, rating data, and driver tip behavior.Every data point has a price tag, the question is who's collecting the check.
When DoorDash and Uber Eats won a court battle in September 2024 to block New York City's law requiring them to share customer data with restaurants, the result was clear: operators still don't have access to their own customers' data on these platforms.
The court blocked the data-sharing mandate on First Amendment grounds, not on the question of who owns the data.
But the practical outcome is the same: the customer who ordered from your restaurant through DoorDash remains DoorDash's customer in their system, not yours, regardless of the legal reasoning behind the ruling.
[CUSTOMERDATABUYERS_CHART]
The restaurant data marketplace extends far beyond technology vendors.
CPG brands, companies like PepsiCo, Mondelēz, and General Mills that manufacture the products restaurants serve, purchase restaurant transaction data. They use it to target promotions and develop new products.According to CPG industry analysis, brands like Mondelēz, PepsiCo, and General Mills use first-party retail data to overcome marketing limitations and unlock new paths to growth.
Retailers and data brokers provide CPG brands with anonymized transaction data on individual shoppers.
This reveals granular differences between customer segments, gluten-free buyers versus organic food buyers, brand loyalists versus switchers.
Marketing agencies purchase customer contact lists for targeted advertising.Modern consumers leave substantial digital footprints across social media, retail media, and in-store digital media.
Omnichannel shoppers now account for 86% of all CPG sales.
Real estate developers and investors purchase transaction density data for site selection analysis. Payment processors analyze transaction volumes, payment mix, and ticket averages to build spend analytics products.In our view, the most significant data buyers are the ones operators don't see: the technology vendors themselves.
Walmart's data monetization business, called Scintilla, announced 173% year-over-year customer growth in October 2024.
Every customer signed on for at least three years.
100% renewal rate.
Walmart also launched Scintilla Insights Activation. It's an AI-powered platform that turns data insights into real-time recommendations for audience targeting and ad campaigns.
That's not a POS vendor. That's a retailer.
But the principle applies: Companies sitting on proprietary customer data are building entire businesses around monetizing it.
Restaurant technology vendors operate in the same market.
They collect transaction data. Behavioral data. Customer contact information. Operational metrics.
The question is what happens next. Industry research documents how aggregated, anonymized transaction data flows from retailers and platforms to outside buyers. CPG brands. Data brokers. Marketing agencies.
According to Harvard Business Review, the most effective data monetization strategies start with one thing: understanding your proprietary advantage. That could be privileged access to high-quality data, deep customer knowledge, or domain-specific infrastructure.
POS vendors have all three.
Privacy policies use specific language around data usage.
Here's what one major POS vendor's privacy statement says:
"With our third-party business partners in order to provide, maintain, improve and expand our Services; With third parties that help us provide, maintain, and improve our Services."
The same policy lists what those service providers can access: hosting, IT services, payment processing, identity verification, fraud prevention, marketing, advertising, data analytics, personalization, and customer support.
That language covers data sharing with third parties for "data analytics and personalization."The same policy continues:
"Using transactional data and order history to offer recommendations within our Services or those of our Merchants; Using information about your dining experience (including waitlist and reservation details) to enhance current and future dining experiences at our Merchants' restaurants; Using analytics and profiling technologies to personalize your experience."
That's standard language across most platform agreements.
In our view, "anonymized" data may carry re-identification risk when combined with other data sources, a concern privacy researchers have raised across industries.
CPG brands can now track purchases at the family level over time through "householding", monitoring what families buy as children age and needs evolve.
They build customer lifetime value profiles, not just transaction snapshots.
Operators receive valuable tools in exchange for customer data:
Real-time sales dashboards. Labor scheduling tools. Inventory waste reduction. Benchmarking reports. Customer segmentation. Menu performance analytics. Loyalty program templates.
According to industry data, 8 in 10 organizations with loyalty programs report they helped during economic challenges. 9 out of 10 report positive ROI averaging over 40%.
Customers who redeem personalized rewards spend 4.3 times more annually than those who redeem non-personalized rewards.
That's real value.
But operators may not know the answers to questions like:
- Is their "free" benchmarking report funded by licensing their data to other parties? - Does their loyalty platform share customer emails with CPG brands? - Does their delivery aggregator use menu and pricing data to recruit competing concepts? - Do payment processors package transaction patterns into analytics products sold to investors?
These are open questions, not accusations. But they're worth asking.
[DATABREACHRISK_BLOCK]
That's the downside risk operators understand.
What they don't understand: The upside value they're giving away.
Based on vendor privacy policies and data usage disclosures, here are the questions that separate transparent vendors from opaque ones:
Do you monetize customer data collected through your platform?Ask directly. The answer reveals whether data licensing is part of their business model.
Who do you sell aggregated data to?CPG brands? Suppliers? Real estate firms? Investors? Competitors?
Can I opt out of data resale and still use your platform?If the answer is no, data monetization subsidizes your "discounted" software fees.
If I switch vendors, do I retain ownership of historical customer data?Most contracts are silent on this point. That silence benefits vendors, not operators.
What rights do I have to restrict how my data is used?Under GDPR and some state laws, customers can access, delete, and control their personal data.
But what rights do operators have over aggregate customer data collected through vendor platforms?
Who is responsible if customer data is breached?PCI compliance makes operators liable for card data breaches.
But if a loyalty platform is breached and customer emails are stolen, who pays?
"Which POS systems are transparent about data ownership" is the question most operators ask only after they've already signed. Here is what the major platforms publicly disclose — and what they don't.
ToastToast's published privacy statement describes sharing customer data with "third-party business partners in order to provide, maintain, improve and expand our Services." The same policy explicitly lists "data analytics and personalization" as permitted uses for data shared with service providers. Toast does not publish a separate data licensing disclosure for operators. Their public documentation does not address whether aggregated, anonymized restaurant transaction data is licensed to outside parties for commercial purposes.
SquareSquare's privacy policy covers data collected across its seller ecosystem. Square states it may use aggregate, non-personally identifiable data for its own business purposes, including product improvement. Square's Seller Community documentation acknowledges that transaction data may be used to improve Square's services and products. Like most POS vendors, Square does not publish a specific disclosure about whether anonymized restaurant operator data is sold or licensed to third parties such as CPG brands or marketing agencies.
LightspeedLightspeed's privacy policy permits sharing personal information with "service providers" and notes that data may be used to "improve, customize and optimize" their platform. Lightspeed operates across multiple verticals (retail, golf, hospitality) and collects cross-merchant transaction data. Their public disclosures do not address commercial licensing of operator data to outside buyers.
OloOlo positions itself as a B2B platform operating on behalf of restaurant brands — meaning guest data collected through Olo's ordering infrastructure is framed as belonging to the restaurant operator, not Olo. Their Data Processing Addendum describes Olo as a "data processor" acting under restaurant operator instructions. This is a meaningfully different framing than typical POS vendor policies. However, Olo's third-party integrations (delivery aggregators, payment processors) introduce their own data collection terms outside of Olo's direct control.
The Common ThreadNone of the four platforms above publish a plain-language disclosure stating whether they sell or license aggregated restaurant transaction data to CPG brands, marketing agencies, or data brokers. All four use standard language permitting data sharing with "service providers" for broad operational purposes. The absence of a clear "no, we don't sell your data" statement is itself informative.
The most operator-protective contract language you can ask for: a written addendum stating the vendor will not sell, license, or commercially transfer aggregated or anonymized data derived from your restaurant's transactions to any third party without your explicit written consent.
The customer data question isn't about privacy.
It's about value capture.
Every operator collects valuable customer data. Transaction patterns. Visit frequency. Menu preferences. Daypart behavior.
That data has commercial value. CPG brands want it. Suppliers want it. Investors and competitors want it too.
According to data monetization experts, organizations that successfully monetize data move up the "DIKW pyramid", from raw data to information to knowledge to wisdom.
Restaurant technology vendors are positioned at the top of that pyramid. They have the infrastructure to aggregate data from thousands of operators. Analyze patterns. Package insights. Monetize the intelligence.
In our analysis, operators appear positioned at the bottom of this value chain. They generate the data. They may not see the revenue.
In our view, this dynamic raises questions about long-term sustainability for the industry.
CPG brands increasingly use retail media networks to access first-party transaction data. AI makes that analysis easier and more valuable every year. The commercial value of restaurant customer data will only keep growing.
Operators who don't understand what they're trading may keep subsidizing technology platforms. The commercial value of the data they give away may be larger than they realize.
The question worth asking before signing any technology contract in 2026:
If the vendor can't answer that question in writing, the terms of the exchange may not be as clear as they appear.
Understanding who owns your customer data is one thing. Doing something about it is another. Here are four specific steps any operator can take, regardless of which technology vendor you're currently using.
Step 1: Pull your POS contract and find the data rights clause.Look for the words "license," "aggregated data," "anonymized," and "third-party sharing." These are the sections that determine what your vendor can do with your customers' transaction data. If your contract is silent on these points — that's important information too.
Step 2: Request written clarification from your vendor.Ask your account representative or legal contact to confirm in writing: (1) whether they share or sell aggregated data derived from your transactions, (2) which third parties receive that data, and (3) whether that data includes any information traceable back to your specific location. A vendor with nothing to hide will answer this in a business day.
Step 3: Audit your loyalty and CRM platform separately.Your POS contract and your loyalty platform contract are different agreements with different terms. Operators often review one without the other. Run both through the same scrutiny — loyalty platforms frequently have separate data sharing provisions that operators never examine.
Step 4: Negotiate data portability before you sign your next contract.The time to negotiate is before you commit, not when you want to leave. Ask specifically: "If I cancel, can I export my full customer list — name, email, and purchase history — in a standard format? What is the timeline, and is there a fee?" If the answer is unclear, make it a contract requirement before you sign.
This analysis is based on publicly available privacy policies, industry reports on data monetization, and CPG purchasing behavior research.
But several key questions remain unanswered:
We don't know how much revenue restaurant technology vendors generate from data licensing.Vendors don't disclose this in public filings. Private companies don't report it at all.
We don't know which specific vendors sell customer data and which don't.Privacy policies describe data sharing with "third-party business partners" without naming them or specifying commercial terms.
We don't know what percentage of operators read data usage clauses in vendor contracts.Anecdotal evidence suggests most operators focus on pricing and features, not data rights.
We don't know whether operators who opt out of data sharing pay higher software fees.If data monetization subsidizes platform costs, opting out should increase subscription prices. But no vendor discloses this trade-off.
We don't know what legal precedents exist for customer data ownership disputes between operators and vendors.The DoorDash/Uber Eats case addressed First Amendment compelled speech, not commercial data ownership. Contract disputes over who owns customer data collected through vendor platforms haven't been litigated publicly.
In most cases, the vendor's contract governs ownership — not the operator's assumption. POS vendors typically claim a broad license to use, aggregate, and analyze transaction data to "improve services." That license language usually doesn't distinguish between improving their product and monetizing aggregated insights commercially. Operators who have not requested a written data rights addendum may have unknowingly granted their vendor broad rights over their customers' transaction history.
Does Toast own my restaurant's customer data?Toast does not publicly claim outright ownership of restaurant customer data. However, Toast's privacy statement permits sharing data with third-party business partners for "data analytics and personalization." Their documentation does not explicitly state that they do not sell or license aggregated, anonymized restaurant transaction data to outside parties. The practical implication: operators using Toast should request written clarification of what Toast does with aggregated data derived from their restaurant's transactions.
Does DoorDash own my restaurant's customer data?For orders placed through DoorDash's platform, DoorDash effectively controls the customer relationship. The customer's name, email, address, and order history sit in DoorDash's system, not the restaurant's. In September 2024, a federal court blocked New York City's law requiring DoorDash to share that data with restaurants, ruling on First Amendment grounds. The practical result: customers who order through DoorDash remain DoorDash's customers in their data systems, regardless of which restaurant they ordered from.
Can I get my customer data back when I switch POS systems?Most POS vendor contracts are silent on data portability — meaning what happens to your customer data when you leave is not addressed. Some vendors provide data export tools that give you access to your transaction history. Others do not. Aggregated or anonymized data derived from your transactions is typically retained by the vendor indefinitely under most standard contracts. Before signing with any new POS vendor, ask specifically: "If I cancel my account, what customer data can I export, in what format, and what happens to aggregated data derived from my transactions?"
Can I opt out of my POS vendor selling my customer data?This depends on the vendor and your contract. Most POS vendors do not offer a formal opt-out from aggregated data use — and most don't publicly disclose whether such a program exists. If data monetization is subsidizing your software fee, opting out may increase your subscription cost, though no vendor has publicly disclosed this trade-off. The strongest position is to negotiate a data use restriction addendum before signing, not after.
What is restaurant customer data worth?Top-performing companies generate 11% of their revenue from data monetization — five times more than average performers, according to McKinsey. For restaurant technology vendors with transaction data from thousands of operators, the aggregate data asset is substantial. CPG brands, marketing agencies, real estate investors, and payment analytics firms all purchase transaction data. The per-operator value of data licensing revenue is not publicly disclosed by any major POS vendor. But if your vendor is making 11% of revenue from data, and your restaurant is one of tens of thousands on their platform, the math on who is capturing value from your customers' behavior is worth examining.
For a full breakdown of what POS systems are available in 2026, how to compare them honestly on total cost, and how to read a vendor contract before you sign it, see Restaurant POS Systems: What's Available, What Matters, and What Vendors Don't Tell You.
This analysis cites multiple independent industry sources on data monetization, privacy policy disclosures, and CPG purchasing behavior. We reference publicly available research with full attribution and direct links to support our independent analysis.
Operators seeking to understand specific vendor data practices should request written clarification of data usage terms before signing contracts.
QSR Research Hub is an independent publication. We are not affiliated with any technology vendor and receive no compensation for citations or analysis.
QSR Research Hub publishes independent, operator-first analysis — 3,000+ word deep dives with 15-25 cited sources. No vendor spin. No paywall. No pitch disguised as an article. Join a growing network of operators, investors, and suppliers who want real research on the questions that actually affect your business.
1. McKinsey & Company. "Intelligence at scale: Data monetization in the age of gen AI." Survey of 349 senior leaders showing top performers attribute 11% of revenue to data monetization. July 31, 2025. https://www.mckinsey.com/capabilities/business-building/our-insights/intelligence-at-scale-data-monetization-in-the-age-of-gen-ai
2. Otter. "How secure is customer data in a restaurant POS system?" POS systems collect transaction timestamps, order contents, payment methods, and CRM data. June 19, 2024. https://www.tryotter.com/resource/wiki/securing-customer-data-restaurant-pos-systems
3. Olo. "7 Restaurant Marketing Trends to Watch in 2024." Guest Data Platforms collect customer contact information, purchase history, and behavior metrics. October 19, 2023. https://www.olo.com/blog/7-restaurant-marketing-trends-to-watch-in-2024
4. Restaurant Dive. "DoorDash, Uber Eats win NYC customer data court battle." Court blocked NYC's data-sharing mandate on First Amendment grounds; operators remain without access to customer data on aggregator platforms. September 25, 2024. https://www.restaurantdive.com/news/doordash-uber-eats-win-nyc-customer-data-court-battle/727994/
5. Catalina. "2025 CPG Marketing Guide | Leveraging CPG Data & Insights." CPG brands purchase anonymized transaction data from retailers and data brokers. https://www.catalina.com/perspectives-blog/2025-guide-cpg-marketing-data-analytics-insights
6. Food Industry Executive. "Unlocking Opportunities in Retail Media: How CPG Brands Are Bridging the Data Gap." Mondelēz, PepsiCo, and General Mills leverage retail data for customer lifetime value tracking. December 4, 2024. https://foodindustryexecutive.com/2024/12/unlocking-opportunities-in-retail-media-how-cpg-brands-are-bridging-the-data-gap-to-drive-growth-and-engagement/
7. Cliffe Edge Marketing. "5 Key Trends in CPG Food & Beverage for 2025." Omnichannel shoppers account for 86% of CPG sales; brands use analytics for personalization. April 23, 2025. https://cliffedgemarketing.com/5-key-trends-in-cpg-food-and-beverage-for-2025/
8. EY. "The consumer-data value exchange for retailers and CPG." Retailers own discovery and purchase occasion data; CPG companies purchase transaction insights. April 7, 2024. https://www.ey.com/en_us/insights/transforming-retail/the-consumer-data-value-exchange-for-retailers-and-cpg
9. Fishbowl. "Restaurant Data Privacy: Best Practices and Compliance for 2025." Payment processors handle transaction volumes, payment mix, and spend analytics. https://www.fishbowl.com/blog/restaurant-data-privacy
10. McKinsey & Company. "Intelligence at scale: Data monetization in the age of gen AI." Walmart's Scintilla data business achieved 173% YOY growth with 100% renewal rate. July 31, 2025. https://www.mckinsey.com/capabilities/business-building/our-insights/intelligence-at-scale-data-monetization-in-the-age-of-gen-ai
11. Harvard Business Review. "How to Monetize Your Data." Effective data monetization strategies start with proprietary advantage in data access. November 1, 2025. https://hbr.org/2025/11/how-to-monetize-your-data
12. Toast. "Privacy Statement." Toast shares customer data with third-party business partners for data analytics and personalization. https://pos.toasttab.com/privacy
13. Evokad. "Restaurant Digital Transformation Guide for CMOs 2026." 81% of organizations with loyalty programs report positive ROI; personalized rewards drive 4.3x higher spend. November 26, 2025. https://evokad.com/restaurant-digital-transformation-guide-cmos-2026/
14. CRMBC. "POS System Security: 2025 Guide for Restaurant Owners." Average global cost of data breach reached $4.45 million in 2025. November 4, 2025. https://www.crmbc.com/securing-point-of-sale-pos-systems-practical-steps-for-restaurant-owners/
15. Core Payment Solutions. "What Security Features Should a Restaurant POS System Have?" PCI DSS compliance requirements for securing credit card data. July 20, 2024. https://corepaymentsolutions.com/what-security-features-should-a-restaurant-pos-system-have/
16. POSNation. "What Is POS Security? 5 Ways To Protect Customer Data." 60% of breached small businesses close within six months. November 14, 2023. https://www.posnation.com/blog/pos-security
17. LinkedIn. "How do you handle customer data privacy and consent in your POS system?" GDPR gives customers rights to access, delete, and control personal data. January 27, 2024. https://www.linkedin.com/advice/0/how-do-you-handle-customer-data-privacy