We work with a lot of POS companies. Many of them serve restaurant merchants. Over the years we heard whispers of some pretty nonsensical positions by the third party delivery companies… mainly that POS companies were not allowed to share third party delivery sales data with third parties/their merchants.
Huh?
Yea, it struck us as super odd too. So to get this straight: POS systems, which reporting functions to allow merchants to extract their total sales for tax and other reasons, weren’t allowed to include third party delivery numbers in those metrics?
It’s totally nonsensical, but that’s what many POS companies have come to believe. So we investigated.
We think the market perception stems from ambiguity around the term “user”. Here’s the specific language from an Uber Eats agreement with the most relevant parts in bold:
Restrictions. Without limiting any restrictions on access or use of the Uber API (which includes the Uber Eats APIs) set forth in the API TOS, Provider shall not allow any other party to, and shall ensure its Representatives do not themselves nor allow any other party to: (a) license, sublicense, sell, resell, transfer, assign, distribute or otherwise provide or make available to any other party the Uber Applications or Uber Eats APIs; (b) modify or make derivative works based upon the Uber Applications or Uber Eats APIs; (c) improperly use the Uber Applications or Uber Eats APIs, including creating Internet “links” to any part of the Uber Applications or Uber Eats APIs, “framing” or “mirroring” any part of the Uber Applications or Uber Eats APIs on any other websites or systems, or “scraping” or otherwise improperly obtaining data from the Uber Applications or Uber Eats APIs; (d) reverse engineer, decompile, modify, or disassemble the Uber Applications and Uber Eats APIs, except as allowed under applicable law; (e) send spam or otherwise duplicative or unsolicited messages with the Uber Applications or Uber Eats APIs; (f) use the Uber Eats APIs to display any offensive content or any content for which Provider does not have the right share with Uber to display; or (g) use the Uber Applications or Uber Eats APIs for any unlawful purpose. In addition, Provider shall not, and shall not allow any other party to, access or use the Uber Applications or Uber Eats APIs to: (i) design or develop a competitive or substantially similar product or service; (ii) copy or extract any features or functionality thereof; (iii) launch or cause to be launched on or in connection with the Uber Applications or Uber Eats APIs a malicious automated program or script, including web spiders, crawlers, robots, indexers, bots, viruses or worms, or any program intended to overburden or hinder the operation and/or performance of the Uber Applications and Uber Eats APIs; (iv) attempt to gain unauthorized access to the Uber Applications and Uber Eats APIs or its related systems or networks; (v) aggregate non-corporate or nonfranchised stores to its developer account; (vi) include the Uber Eats Platform with competitors in any aggregated view i.e. webpage, app, software, etc.; (vii) aggregate Uber’s or any of its affiliate’s data with competitors’ data; or (viii) parse or scrape any of Uber’s or any of its affiliate’s data, other than as permitted under the API TOS. Provider will not share with a third party (or enable a third party to use) any operational, technical or other data obtained through use of the Uber Platform or Uber Eats APIs in any manner that is competitive to Uber or any of its affiliate, including, without limitation, in connection with any application, website or other product or service that also includes, features, endorses, or otherwise supports in any way a third party that provides services competitive to the products and services of Uber or an Uber affiliate.
Uber gave us the following pointers upon making this known to them:
The two clauses highlighted refer to 1) scraping or hacking the Uber Eats API and 2) aggregating Uber Eats API data with competitors to resell or monetize it. Note that the agreement refers to Uber Eats API data, not sales data. To be clear: sales data belongs to the restaurant and there’s nothing in agreements that restricts POS from sharing this information with merchants.
What Uber is concerned about is user data. User data in their world is not the merchant but the consumer or delivery courier. That’s likely due to the legislative interest around consumer protection vis a vis GDPR, CCPA, and Facebook’s Cambridge Analytica debacle which has created ripples throughout the tech ecosystem.
Uber doubled down on this in commenting on an email some of our POS partners received from Uber Eats.
Dear API partner,
At Uber, we care deeply about the privacy and security of user data. We hope you agree with us that protecting user data is at the heart of all we in the technology community do. Without user trust in our products and services, we can’t innovate and create great technologies and partnerships.
As one step amongst the many things we do to protect user data, we’re doing a routine “check up” on our API partnerships to make sure we’re all doing our part to safeguard Uber user data and protect against potential misuse of it. We ask that you reply to this email with a signed copy of the attached letter to confirm that:
- You keep the Uber user data that you receive, including by API, private and confidential and do not share it with third parties, other than pursuant to consent from the user.
- You are not aware of any instance in which that data was used, either internally or externally, for any purpose other than your legitimate business purposes.
- You use reasonable security measures to protect that data.
- You are not aware of any data security incidents (i.e., unauthorized access by a third party) with respect to that data, or if you are, you have informed Uber of the facts and circumstances of the incident.
Your signature on the attached letter indicates your agreement with the above statements. If you do not respond or are not able to agree to the above statements, we may consider that as part of our assessment of your ability to protect Uber user data.
Much like with GDPR and CCPA, POS companies grossly overreact. We suspect there’s some overpaid lawyer whose job it is to say no. And while they’re busy telling the POS company all the things they shouldn’t be doing the business model of the POS company is being stolen right out from under them. All that legal naysaying just going to drive those companies out of business faster. Which reminds us…
What do you call 10 lawyers on the bottom of the ocean? A good start.
Add comment