MilEats Privacy Policy

Version: v1.0 · Effective date: May 24, 2026 · Last updated: April 21, 2026

1. Notice at a glance

A plain-English summary. The sections below have the full detail.

• Who we are. MilEats LLC, a Delaware LLC that operates a food-delivery service on U.S. military installations.
• What we collect. The minimum we need to take your order, deliver it, pay our riders and restaurant partners, keep the platform safe, and comply with the law. We never store your full credit card number.
• Who we share with. The vendors we need to run the service (hosting, payments, email, analytics, identity verification, background checks). We name all of them in §8. Your delivery address and first name go to the rider for that order. Restaurants receive your order contents and your first name, not your address.
• What we don't do. We do not sell your personal information. We do not share it with advertising networks. We do not use it to build cross-site behavioral profiles. We honor Global Privacy Control (GPC) signals.
• Your rights. You can see, correct, delete, and limit use of your data. Californians have additional rights. Europeans and UK residents have GDPR and UK-GDPR rights. See §12.
• Contact. Email privacy@mileatsdelivery.com or use the form at mileatsdelivery.com/legal/dsr. Postal address in §23.

2. About this policy

We review this policy at least annually and whenever our data practices change in a material way.

3. Who we are

MilEats LLC operates the MilEats food-delivery platform. We are a limited liability company organized under the laws of the State of Delaware.

Registered-agent address (for service of legal process):

MilEats LLC 254 Chapman Rd, Ste 208 #23094 Newark, DE 19702 United States

For privacy matters, contact us at privacy@mileatsdelivery.com or via the form at mileatsdelivery.com/legal/dsr. For other legal matters, use legal@mileatsdelivery.com. For accessibility matters, use accessibility@mileatsdelivery.com.

We have not appointed a Data Protection Officer (DPO). Our current data processing does not meet the GDPR Art. 37 triggers that would require one. If that changes, we will update this section.

4. Scope: what this policy covers

This policy applies to every MilEats product and service listed below, unless that product or service provides its own notice at the point of collection.

This policy does not cover:

• Third-party services you use alongside MilEats (your email provider, your phone carrier, third-party restaurant websites linked from our platform).
• Data held by Department of Defense installation access systems (DBIDS, RAPIDGate, or installation-specific gate systems). MilEats does not operate those systems and does not receive data back from them. See §16.
• Employee or contractor data collected for employment purposes. That is covered by our internal Employee and Contractor Privacy Notice, available on request.

5. Information we collect

We organize the information we collect by California Consumer Privacy Act (CCPA) category, as amended by the California Privacy Rights Act (CPRA). Europeans and UK residents should read this alongside the GDPR legal-basis information in §7.

5.1 Identifiers

Examples: name, email address, phone number, mailing address, account username, IP address, device identifier.

• From everyone: email, your Auth0 user ID (once you create an account), IP address (automatically, for security and fraud prevention).
• From customers: name, phone, delivery addresses (street, base, building, unit, and any gate instructions you add), push notification tokens.
• From riders: legal name, phone, email, push notification tokens, device identifier.
• From restaurant partners: admin name, email, phone, business address.

5.2 Customer records

Examples: California Civil Code §1798.80(e) categories. Physical characteristics, address, insurance, license information.

• From customers: delivery addresses including base, building, unit, and gate instructions.
• From riders: date of birth, driver's license number and state, vehicle make, model, year, color, plate, and VIN, auto insurance provider and policy number, W-9 or EIN information.
• From restaurant partners: business license, food-service permit, EIN.

5.3 Protected classifications (limited)

Examples: age, military status.

California's protected-classifications definition includes veteran and military status (Cal. Civ. Code §51 et seq., and the California Fair Employment and Housing Act at Gov. Code §12940). We process military status only in the circumstances below.

• From riders: military-affiliation status (veteran, active-duty, spouse, dependent, or civilian supporter), as verified by ID.me when you opt to claim eligibility for founding-rider status or veteran-specific pricing.
• From waitlist signups: a self-reported status category for rider applicants.

We do not request race, ethnicity, religion, sexual orientation, or national origin. If you choose to volunteer information in a free-text field (for example, a dietary preference that implies a religious practice), we handle it in accordance with this policy and use it only to respond to your request.

5.4 Commercial information

Examples: orders, tips, refunds, payment history.

• From customers: order contents, order timestamps and status, ratings you give, tip amounts, refund records.
• From riders: per-delivery earnings, tips received, bonuses, payout history.
• From restaurant partners: menu items and prices, incoming orders, payout history.

5.5 Internet or network activity

Examples: app usage, page views, events, cookie identifiers.

• From everyone: user-agent string, device type, operating system, app version, cookie-consent choice, pages viewed, features used, timestamps.
• Analytics events: page views, form submissions, button clicks, captured via PostHog (see §8). PostHog session replay is turned off in v1. If we ever turn it on, we will update this policy before the change takes effect.

5.6 Geolocation

Examples: IP-derived location, coarse GPS, precise GPS.

• Coarse geolocation: derived from IP or approximate device location, used to estimate delivery times and center maps. Not retained in our systems for longer than 24 hours.
• Precise geolocation, riders only, during active shifts: GPS breadcrumbs from the rider app while a rider's shift status is set to on. Used for dispatch, delivery tracking (so the customer can see the rider's location on the map for their in-progress order), safety, and dispute resolution. When a rider's shift status is set to off, our servers do not receive the rider's location. Retained for 90 days, after which individual tracks are deleted and only aggregate statistics (time-of-day by base by zone density) are kept. Treated as Sensitive PI under CPRA (see §14).

5.7 Professional or employment information

Riders only.

• Background check results from Checkr (criminal history, driving history, identity verification). We receive a pass or fail summary and high-level disposition information. The full report remains with Checkr under its FCRA obligations. The summary we retain has a 5-year retention period (see §10). If a background check results in an adverse decision, you will receive the pre-adverse and final adverse notices required by the Fair Credit Reporting Act (15 U.S.C. §1681m).
• Shift start and end timestamps, active versus idle status during shift.
• Deactivation or suspension history (if any). This is a distinct record from the background check summary and is retained for 7 years for audit and legal-compliance purposes.

5.8 Financial information

Treated as Sensitive PI under CPRA.

• From customers: Stripe customer ID, payment method tokens. We never store your full credit or debit card number. Card capture happens entirely inside Stripe's PCI-DSS environment via Stripe Elements iframes. For display purposes in receipts and settings, we retain only the last four digits of the card number. See §17.
• From riders and partners: bank account details for payouts, via Stripe Connect. We never store raw bank account numbers. Stripe Connect holds the information under its own PCI and GLBA obligations.

5.9 Government identifiers

Riders only. Treated as Sensitive PI under CPRA.

• Social Security Number (full SSN), required for IRS 1099-NEC reporting and for the Checkr background check. Your SSN is transmitted over an encrypted channel directly to Checkr (for identity verification and the background check) and to the IRS (for 1099 reporting). It is not stored in MilEats' systems. Checkr and the IRS retain the SSN under their own obligations.
• Driver's license number and state, required for motor vehicle record checks and identity verification.

5.10 Inferences

Examples: preferences and patterns drawn from the data above.

• Order frequency, cuisine preferences, preferred delivery windows, favorite restaurants, base activity patterns.

5.11 What we do not systematically process

For clarity:

• Biometric information. We do not collect or process fingerprints, face prints, voice prints, retina scans, gait, or any other biometric identifier. We do not use selfie-match or liveness verification in v1.
• Health information. We do not collect or process health or medical data. If a restaurant's menu contains allergen information, that belongs to the restaurant, not to MilEats.
• Racial, ethnic, religious, union, genetic, or sexual orientation data. We do not request it. If you volunteer it in a free-text field, we do not analyze or use it beyond responding to your request.
• Contents of your phone calls. We do not listen to or record phone calls. Twilio routes calls through proxy numbers. We retain only call metadata (duration, time).

6. Where we get it (sources)

We do not receive any data from Department of Defense installation access systems (DBIDS, RAPIDGate, or installation-specific gate systems). See §16.

7. Why we use it

Each purpose is mapped to a legal basis under the GDPR and UK-GDPR. Californians and residents of other U.S. states can read this as a plain statement of purpose.

8. Who we share it with

We share information only with the recipients listed below, and only as described. We do not sell your personal information and we do not share it for cross-context behavioral advertising (see §9).

8.1 Infrastructure and operations

8.2 Payments and payouts

8.3 Messaging and notifications

8.4 Identity and compliance

8.5 Analytics, error tracking, and uptime monitoring

8.6 Operational recipients (per order, per delivery)

8.7 Legal, safety, and corporate transactions

9. What we don't do with your data

9.1 We do not sell your personal information.

We do not exchange your personal information for money or other valuable consideration with anyone. "Sale" here is used in the CCPA and CPRA sense.

9.2 We do not share your personal information for cross-context behavioral advertising.

Under CPRA, "share" has a specific meaning: disclosing personal information to a third party for cross-context behavioral advertising. We do not do that. We do not use Meta Pixel, TikTok Pixel, Google Ads conversion tracking, or similar advertising technologies on our site or in our apps. PostHog, our product-analytics vendor, is configured for product analytics only, with no advertising integrations enabled.

9.3 We honor Global Privacy Control (GPC).

If you visit our site with a browser or browser extension that sends a GPC signal, we treat that signal as a valid request to opt out of sale and sharing under CCPA and CPRA and similar state laws. You do not need to take any other action.

9.4 We do not use your data to train third-party AI models.

We do not share customer, rider, or partner data with third parties for the purpose of training large language models or other machine-learning systems.

10. How long we keep it

We keep information only as long as we need it for the purpose we collected it, or as the law requires. If we retain anonymized or aggregated data after that period, it can no longer be linked back to you.

Actual cleanup runs approximately on the schedule above. Jobs may run a few days late due to normal operational variation.

11. How we protect it

We apply industry-standard administrative, technical, and physical safeguards to the personal information we hold.

• Encryption in transit. TLS 1.3.
• Encryption at rest. AES-256 at the storage layer. Field-level AES-256 encryption for the Sensitive PI fields listed in §14 that we actually store (bank account references and rider precise geolocation breadcrumbs). SSN is not stored at MilEats and therefore has no at-rest footprint here; it is encrypted in transit to Checkr and the IRS.
• Access controls. Auth0 identity provider with multi-factor authentication required for all staff and contractors with access to production data.
• PCI scope. MilEats has no cardholder data environment. Stripe handles all card processing within its PCI-certified infrastructure. Our PCI self-assessment is completed as SAQ A.
• Least-privilege access. Staff have access only to the systems and data they need for their role. Access to Sensitive PI is logged.
• Breach response. We maintain an incident response plan. If we experience a security breach that affects your personal information, we will notify you without undue delay, consistent with applicable law (including, where GDPR applies, notification to the relevant supervisory authority within 72 hours).

No system is 100 percent secure. We work hard to protect your data but cannot guarantee absolute security.

12. Your rights

The rights you have depend on where you live. Read §12.1 first. It applies to everyone in the U.S. Then read the section for your state, and (if applicable) §12.7 for the EU and UK.

12.1 Rights for all U.S. users

You can ask us to:

• Know what personal information we hold about you and how we use it.
• Correct information that is inaccurate.
• Delete your personal information. Note that some data must be retained for legal reasons (1099 records, tax, FCRA disposition). If you ask to delete while those legal obligations are in force, we will delete what we can and explain what we cannot.
• Opt out of marketing. Every marketing email has an unsubscribe link. Every marketing push has an off switch in the app.
• Not be discriminated against for exercising any of these rights. We will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right.

To submit a request, see §13.

12.2 California (CCPA and CPRA)

In addition to the rights above, Californians have the right to:

• Know categories of information collected, sources, purposes, and recipients, all of which are listed in §§5 through 8.
• Opt out of sale of personal information. We do not sell, but this link honors the request: mileatsdelivery.com/legal/do-not-sell.
• Opt out of sharing for cross-context behavioral advertising. We do not share for this purpose, but the link above honors the request.
• Limit use and disclosure of Sensitive Personal Information. See §14 for the specific Sensitive PI we handle and the link to exercise this right.
• Portability. Receive your personal information in a portable, readily usable format.
• Authorized agent. You may designate an agent to submit requests on your behalf. We require written authorization and may need to verify your identity.
• Shine the Light (Cal. Civ. Code §1798.83). Request a summary of disclosures of your personal information to third parties for their direct marketing purposes during the previous calendar year. We do not make such disclosures, so our response will confirm zero.
• Metrics disclosure. California law requires businesses that handle the personal information of 10 million or more California consumers in a calendar year to publish annual metrics. We are not above that threshold. If we cross it, we will publish the report by July 1 of the following year.

12.3 Colorado (Colorado Privacy Act)

Colorado residents have the right to confirm processing, access, correct, delete, obtain portability, opt out of targeted advertising, sale, and certain profiling. You may designate an authorized agent. You may appeal a denial of your request to us. If we deny the appeal, you may contact the Colorado Attorney General at coag.gov.

12.4 Virginia (Virginia Consumer Data Protection Act)

Virginia residents have the right to confirm, access, correct, delete, obtain portability, and opt out of sale, targeted advertising, and profiling. Appeals follow the same process as §12.3. Escalation goes to the Virginia Attorney General.

12.5 Connecticut (Connecticut Data Privacy Act)

Connecticut residents have the same rights as Virginia and Colorado residents, with the same appeal structure. Escalation goes to the Connecticut Attorney General.

12.6 Utah (Utah Consumer Privacy Act)

Utah residents have rights of access, deletion, portability, and opt-out from sale and targeted advertising. Utah does not provide an appeals process. Escalation goes to the Utah Attorney General's Division of Consumer Protection.

12.7 European Economic Area and United Kingdom (GDPR and UK-GDPR)

If you are in the EEA or UK, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate data.
• Erase your data ("right to be forgotten"), subject to our legal retention obligations.
• Restrict processing while we resolve a dispute.
• Portability. Receive your data in a structured, commonly used, machine-readable format.
• Object to processing based on our legitimate interests.
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaint with your local supervisory authority. In the UK, that is the Information Commissioner's Office (ico.org.uk). In the EEA, find your national authority at edpb.europa.eu.

Because MilEats is based in the United States and we do not currently have a lead supervisory authority in the EU, you may lodge a complaint with the authority in the country of your habitual residence.

13. How to exercise your rights

Submit a request through any of the following:

• Webform: mileatsdelivery.com/legal/dsr (preferred, fastest, trackable)
• Email: privacy@mileatsdelivery.com
• Postal mail: MilEats LLC, 254 Chapman Rd, Ste 208 #23094, Newark, DE 19702

What to include. Your name, email address, and enough detail for us to verify your identity and understand what you are asking for. If you are submitting a request on behalf of someone else (authorized agent), include written authorization and proof of your identity.

Identity verification. Before we fulfill a request that involves your personal information, we need to confirm that you are who you say you are. We will ask you to verify matching information we already have (email, account activity, recent order). We will not ask for Sensitive PI (SSN, DL, bank) as part of verification.

Response times.

• California (CCPA and CPRA): we will confirm receipt within 10 business days and substantively respond within 45 calendar days. We may extend once by an additional 45 days if necessary, with notice.
• Other U.S. states: we will respond within 45 calendar days, consistent with each state's law.
• EU and UK (GDPR): we will respond within 30 calendar days. We may extend by up to two further months for complex requests, with notice.

Fees. Requests are free. If a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee or decline, and will explain why.

If we deny. If we deny any part of a request, we will tell you why and how to appeal. U.S. state appeals go to the relevant state attorney general. EU and UK complaints go to the relevant supervisory authority.

14. Sensitive Personal Information: Right to Limit

Under CPRA, you have the right to ask us to limit the use and disclosure of your Sensitive Personal Information to purposes that are strictly necessary to deliver the service. Exercise this right at mileatsdelivery.com/legal/do-not-sell or via §13.

Here are the Sensitive PI categories we handle and the strictly-necessary uses we will continue after you exercise the right to limit:

15. If you ride for us

This section covers information specific to independent-contractor riders on the MilEats platform. It supplements, and does not replace, the Independent Contractor Agreement you signed at onboarding.

• Your SSN. We collect your Social Security Number at onboarding so we can run a Checkr background check and so we can report your earnings to the IRS on Form 1099-NEC at year end. We do not store your SSN in MilEats systems. It is transmitted over an encrypted channel directly to Checkr and the IRS; those recipients retain it under their own obligations.
• Background check (Checkr). When you applied, you provided a separate Fair Credit Reporting Act (FCRA) Disclosure and Authorization. That document, not this policy, governs the full scope of the background check. We receive a pass or fail summary; the raw report stays with Checkr. If your background check results in an adverse decision, you will receive the pre-adverse and final adverse notices required by FCRA §615 (15 U.S.C. §1681m).
• Military affiliation (ID.me). If you claimed founding-rider status or veteran-specific pricing, you consented to verification through ID.me. We receive a verification token, not raw DoD records.
• Precise geolocation. While your shift status is set to on, the rider app reports GPS breadcrumbs so we can dispatch you, so the customer can see your location on the map for their active order, and so we can review safety and dispute issues. When your shift status is set to off, our servers do not receive your location. Breadcrumbs are kept for 90 days and then individual tracks are deleted.
• Base access. Your base-access status (the credential you carry: CAC, RAPIDGate, dependent ID, or civilian-contractor pass) and the installations you can access are self-reported to us. See §16.
• Tax documents. We generate a 1099-NEC each year using the information you provided on your W-9. Tax records are retained for 7 years as required by the IRS.
• Payouts (Stripe Connect). Stripe Connect holds your bank details. We never store raw bank account numbers.
• Right to work for other platforms. Nothing in this policy or in our agreement with you prevents you from working for other delivery platforms at the same time.

16. Base access and military installations

MilEats is a private company. MilEats has no Department of Defense (DoD) contracts, federal contracting relationships, or agency status as of the effective date of this policy.

We operate on-base food delivery by working with riders who carry their own valid base-access credentials (CAC, dependent ID, RAPIDGate, or installation-specific pass). We do not connect to, query, or receive data from any DoD installation access system, including DBIDS, RAPIDGate, and installation-specific gate systems.

Here is what we do store:

• Self-reported status. What type of credential you carry (rider app and customer app).
• Installation list. Which installations you can access (rider app).

Here is what we do not store:

• Data from DBIDS, RAPIDGate, or any installation system.
• CAC serial numbers or identifiers that would be used by DoD systems.
• Any fingerprint, biometric, or gate-scan data.

Installation access is entirely at the discretion of each installation commander. If a gate denies a rider entry, the installation's decision is final. Remedies for an undelivered order are described in our Terms of Service.

17. Payments

MilEats has no cardholder data environment. Card capture happens entirely inside Stripe Elements iframes, which run within Stripe's PCI-certified infrastructure. Our PCI self-assessment is completed as SAQ A.

In practical terms:

• The full card number never touches MilEats' servers, logs, or backups.
• We receive: the Stripe customer ID, a tokenized payment method ID, and transaction metadata (amount, status, and the last four digits of the card for display in your receipts and settings).
• Refunds, chargebacks, and disputes are processed through Stripe.

For rider and restaurant partner payouts, Stripe Connect holds bank account information and processes transfers. MilEats does not hold raw bank account numbers.

18. SMS and text-message communications

This Privacy Policy does not capture your consent to receive SMS messages from MilEats. SMS consent is a separate, explicit action you take in the MilEats customer app (Profile -> Edit Phone, or at first checkout), with its own checkbox, frequency disclosure, and link to our SMS Disclosure.

What SMS we send is limited to:

• Order confirmations and receipts.
• Delivery status updates (driver assigned, en route, arrived, delivered).
• Customer support replies.
• Account or security alerts (one-time login codes, only if you opt into SMS login).

We do not send promotional or marketing SMS without separate, additional opt-in.

How to opt out:

• Reply STOP to any MilEats SMS.
• Or toggle off the SMS preference in Profile -> Edit Phone.

For frequency, cost disclosure, carrier information, HELP and STOP behavior, and full data-handling for SMS interaction logs, see our SMS Disclosure. For the data category and legal basis of phone-number processing, see §5.1, §7, and §8.3.

19. Cookies and similar technologies

MilEats uses a small set of cookies and similar technologies on its website and apps.

Strictly necessary. Auth0 session cookie, CSRF token, load balancer stickiness, Stripe Elements session. These are required for the service to work and are set without prior consent.

Functional. Cookie-consent choice (stored for 12 months, to remember your preferences), language preference, last-used base.

Analytics. PostHog session identifier and event cookies. PostHog is configured in PostHog Cloud (US) with session replay turned off. Analytics events are retained for 12 months (rolling). In the EU and UK, we do not set analytics cookies until you grant consent via our cookie banner. In the U.S., analytics cookies are set by default, but you can opt out at any time by following the instructions in our Cookie Policy or by sending a GPC signal.

Marketing. None. We do not use Meta Pixel, TikTok Pixel, Google Ads conversion tracking, or similar advertising cookies.

For the full list, purpose, and duration of each cookie, see our Cookie Policy.

20. Children

MilEats is not directed to children. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, email privacy@mileatsdelivery.com and we will hard-delete it promptly. For children under 13, there is no 30-day soft-delete buffer.

For California residents under 16, CPRA requires opt-in consent before we would sell or share their personal information. We do not sell or share personal information, so this consent is not applicable in practice. If that ever changes, we will obtain the required opt-in.

To use the MilEats customer or rider app, you must be at least 18 years old, or 19 years old in Alabama and Nebraska, where that is the age of majority. Restaurant-partner administrators must be authorized agents of the partner business.

21. International transfers

MilEats' servers and sub-processors are located in the United States. If you access the service from the European Economic Area or the United Kingdom, your personal information will be transferred to the United States for processing.

We rely on the following transfer mechanisms:

• EU to US. Standard Contractual Clauses (SCCs), Module 2 (controller to processor), with each of our EU-facing sub-processors.
• UK to US. UK International Data Transfer Addendum (IDTA) or the International Data Transfer Agreement, as appropriate.
• Where available. We rely on the EU-US Data Privacy Framework adequacy decision for sub-processors that are certified (for example, AWS, Stripe, Auth0, and others as listed on the DPF website).

If you would like a copy of the transfer mechanism we rely on for a specific sub-processor, email privacy@mileatsdelivery.com.

22. Changes to this policy

We may update this policy from time to time.

• Non-material changes (typos, clarifications, reorganization). We post the updated version and bump the "Last updated" date at the top.
• Material changes (any change that expands the categories of information we collect, the purposes for which we use it, or the parties with whom we share it). We will notify you by email (for account holders) or by a prominent banner on the site and in the app at least 30 days before the change takes effect. If you do not agree to the change, you can delete your account (see §13).
• Emergency changes. A change required to maintain security, comply with legal process, or respond to a vendor's closure or acquisition may take effect immediately. We will provide notice as soon as practicable.

Prior versions are archived at mileatsdelivery.com/legal/privacy/archive/v{n}. The changelog at the end of this document summarizes material changes over time.

23. Contact us

Privacy inquiries and rights requests Email: privacy@mileatsdelivery.com Webform: mileatsdelivery.com/legal/dsr Postal: MilEats LLC, 254 Chapman Rd, Ste 208 #23094, Newark, DE 19702, United States

Accessibility inquiries Email: accessibility@mileatsdelivery.com

General legal matters Email: legal@mileatsdelivery.com

Customer support Email: support@mileatsdelivery.com

We respond to privacy inquiries as described in §13.

Change log