CHIPOTLE EUROPEAN PRIVACY POLICY
(LAST UPDATED: 15 MARCH 2024)

This privacy policy ("Privacy Policy") describes how EMEA Tortilla, Ltd. and its subsidiaries and affiliates in Europe ("Chipotle", "we", "us", "our") collect, use and disclose personal data relating to individuals located in the European Economic Area, the United Kingdom or Switzerland (collectively, "Europe"), including those who visit or use our mobile application or our websites that display a link to this Privacy Policy, customers, business partners, recipients of marketing communications and event attendees (collectively, "you" or "your"). This Privacy Policy also provides information on how you can exercise your privacy rights.

The controller of your personal data is Chipotle Mexican Grill UK Ltd., with registered office at: 83 Baker Street Marylebone, London W1U 6AG.

In particular, this Privacy Policy explains how we collect, use and share your personal data when you:

•      Visit, interact with or use any of our websites and apps (which link to this Privacy Policy), social media pages, online advertisements, marketing, or sales communications.

•      Visit, interact with or use any of our restaurants, events, sales, marketing, and other online and offline activities.

•      Contact support or customer service, or respond to a survey through our websites and mobile apps.

When we refer to any combination of the above, we use the term "Services".

In connection with the provision of specific Services, we may provide additional "just-in-time" disclosures or additional information about our data processing practices. These disclosures may supplement this Privacy Policy or clarify our privacy practices in the circumstances described or may provide you with additional choices about how we process your data.

This Privacy Policy does not apply to websites, products, or services that display or link to different privacy policies, notices, or statements or that are operated by companies other than Chipotle, or to business activities or practices of third parties.

When you access or use our Services, you acknowledge that you have read this Privacy Policy and understand its content. Your use of our Services and any dispute over privacy is subject to this Privacy Policy and any applicable service terms (including any applicable limitations on damages and the resolution of disputes).

Quick links

We recommend that you read this Privacy Policy in its entirety to ensure you are fully informed. However, in order to simplify the reading of the parts that apply to you, we have included quick links to each section below:

Our company

Collection of personal data

Personal Data You Provide to Us

Personal Data Collected Automatically

Location data

Personal Data Collected from Third Parties

Use of Personal Data and Legal Bases

Sharing of Personal Data

Security

International Data Transfers

Links to Third Party Websites and Services

Retention

Children's Privacy

Your Privacy Rights and Choices

Changes To This Privacy Policy

Contact Us

Our company

Chipotle Mexican Grill, Inc., together with its affiliated entities, is a U.S.-headquartered family restaurant chain with restaurants in the United States, the United Kingdom, Canada, Germany, and France, specializing in high-quality, Mexican-inspired food made to order.

We believe that food truly has the power to change the world. The Chipotle company was born from the deep belief that there is a connection between the way different ingredients are produced and prepared and the flavors that these dishes exude. Real food is much better. Better for you, better for those who consume it, better for our planet. Even if we think that this method is not the simplest there is, it is the right way to proceed.

For more information, please visit Chipotle - Our Values.

Collection of personal data

The data we collect depends on the context of your interactions with Chipotle, the Services, your geographic location, applicable laws, and your choices.

Personal Data You Provide to Us

When you use the Services, such as when you log in or create an account on our websites or mobile application, place an order, respond to our surveys or other marketing activities, or otherwise communicate with us in any way, including through our customer service, you may share certain data with Chipotle or its service providers. This includes:

  • Contact data: including name, postal address, e-mail addresses and phone number;
  • Your date of birth (month and day only);
  • Account login credentials: such as user ID and password;
  • Preferences: such as favorite restaurant or your favorite meal;
  • Transaction data: including credit card number(s) and banking information, including the associated billing address(es) and expiration date(s);
  • Support data: data you provide when you contact us for support and which may include the Services you use and other details that help us provide support;
  • Marketing data: data you provide when you sign up for our newsletter or marketing activities in which you participate, or that may be collected through our digital marketing efforts; and
  • Market research data: data you provide when you sign up to participate in surveys or market research.

If you communicate directly with us, such as by sending us an email, we will collect and maintain an archive of our communications with you (including their content).

Providing your data is optional, but it may be necessary for certain Services, such as account registration. In such cases, if you do not provide your personal data, we may not be able to provide you with the requested Services.

If you provide us with the personal data of a third party (e.g. contact details), you declare that you have the right to provide it to us.

Personal Data Collected Automatically

We automatically collect certain data about you when you use our websites, app, email us, or as part of your use of the Services. This includes:

  • Device data: Computer Internet Protocol (IP) address, unique device identifier (UDID), cookies and other data linked to a device; and
  • Usage data: data about usage of our websites and apps including the number of pages viewed, the duration of any period of inactivity on a page, the original URLs, the duration of visits, and the loading speed of the website.

We automatically collect this data using various tracking tools and technologies such as cookies, pixels, tags, beacons, SDKs, and web server logs. A cookie is a small data file that a website can send to your browser and can then be stored on your computer, sometimes accompanied by a tag that identifies your computer. To learn more about our use of cookies and other tracking mechanisms and your choices, please review our Cookie Policy found in the footer of our Website.

Location data

Certain services request permission to access your precise geolocation. Where you grant this permission to us, we will collect information about your location using GPS, wireless, or Bluetooth technology. For example, the app will request your precise geolocation in order to show you the locations of the nearest Chipotle restaurants. You can control access to precise location data through your mobile device settings. We also look up your IP address to infer your general location.

Personal Data Collected from Third Parties

As part of certain features offered by our Services, we receive information about you from other sources and combine that information with the information we collect. This happens, for example, when you log in or access a Chipotle website or app through your account on a third-party website or social network. Please review the privacy settings of these social media platforms or third-party features you use to determine how those third parties share your data with Chipotle and other parties. In addition, we collect personal data from marketing partners.

This data includes:

•      mailing addresses, email addresses, phone numbers, intent data (or user behaviour data), IP addresses and social media profiles; and

•      transaction data.

Use of Personal Data and Legal Bases

We use the personal data that we collect from and about you only for the purposes described in this Privacy Policy or for purposes that we explain to you at the time we collect your information. Depending on our purpose for collecting your information, we rely on one of the following legal bases:

•      Contract – we require certain personal data in order to provide the Services;

•      Consent – in certain circumstances, we may ask for your consent (separately from any contract between us) before we collect, use, or disclose your personal data, in which case you can voluntarily choose to give or deny your consent without any negative consequences to you;

•      Legitimate interests – we will use or disclose your personal data for the legitimate business interests of either Chipotle or a third party, but only when we are confident that your privacy rights will remain appropriately protected. If we rely on our (or a third party’s) legitimate interests, these interests will normally be to: operate, provide and improve our business, including our websites and mobile apps; communicate with you and respond to your questions; improve our websites and mobile apps; detect or prevent illegal activities (for example, fraud); and/or to manage the security of our IT infrastructure, and the safety and security of our employees, customers, vendors and visitors. Where we require your data to pursue our legitimate interests or the legitimate interests of a third party, it will be in a way which is reasonable for you to expect as part of the running of our organisation and which does not materially affect your rights and freedoms. We have identified below what our legitimate interests are; or 

•      Legal obligation – there are instances where we must process and retain your personal data to comply with laws or to fulfil certain legal obligations.

The following table provides more details on our purposes for processing your personal data and the related legal bases. The legal basis under which your personal data is processed will depend on the data concerned and the specific context in which we use it.

Purpose: Responding to Your Inquiries and Facilitating Engagement

Associated Activities: If you have reached out to us with questions or concerns (such as through our contact information or forms provided on our Websites), or if you have responded to one of our social media posts, we may respond to your inquiry or social media post.

Type of Personal Data: Contact Data such as your first and last name, phone number and email address and the time, date and restaurant visited.

Legal Bases:

•    We process your personal data to perform a contract with you or in order to provide you with the information you requested when you contacted us or when you responded to us on social media.

•    Legitimate interests: to improve the functionality of our Services based on the feedback you provide and as necessary to operate, provide and improve our business.

Purpose: Account Management

Associated Activities: If you have elected to create an account, we collect and use the personal data you provided when you created the account and to maintain your customer account.

Type of Personal Data: Contact Data such as your first and last name, phone number and email address, delivery address information (collected by delivery partners), username/password (if you created an account) and information relating to your purchase history. Security Question and Security Answer if you create an account.

Legal Bases:

•    We process your personal data to perform a contract with you by providing you with the Services you requested.

•    Legitimate interests: to improve the functionality of our Services based on the feedback you provide, as necessary to operate, provide and improve our business, improve our websites and mobile apps; detect or prevent illegal activities (for example, fraud); and/or to manage the security of our IT infrastructure, and the safety and security of our employees, customers, vendors and visitors.

Purpose: Provision of our Services and Fulfillment of your Orders

Associated Activities: We collect and use the data necessary for the provision of our Services, including to fulfill your orders.

Type of Personal Data: Contact Data such as your first and last name, phone number and email address, Delivery Address (if relevant to the order you have placed), payment information, and the details of the order you placed through our Services.

Legal Bases:

•    We process your personal data to perform a contract with you by providing you with the Services you requested.

•    Legitimate interests: to improve the functionality of our Services based on the feedback you provide and to operate, provide and improve our business.

Purpose: Personalizing the Services

Associated Activities: We collect and use data such as details of orders you have placed and your preferred Chipotle restaurant in order to suggest dishes that may be of interest to you and to personalize your interactions with our Services.

Type of Personal Data: Contact Data such as your first and last name, phone number and email address, order history, favorite meal, and preferred location, if you share this information with us.

Legal Bases:

•    We process your personal data in order to improve your customer experience where you have consented to receive a personalized experience.

•    Legitimate interests: to improve the functionality of our Services based on the feedback you provide and as necessary to operate, provide and improve our business.

Purpose: Improving our Services

Associated Activities: We use personal data, such as data relating to your use of our Services (including the use of tracking technologies), and information you provide (including through statistical content analysis, the presentation and functionality of our Services) to help us improve and secure our Services.

Type of Personal Data: Contact Data such as your first and last name, phone number and email address, order history, favorite meal, and preferred location, if you share this information with us.

Legal Bases:

•    Consent: If you have participated in a survey or market research, you provided us with your consent to use the personal data you included in the survey or market research for these purposes.

•    Legitimate interests: to improve the functionality of our Services based on the feedback you provide and as necessary to operate, provide and improve our business.

Purpose: Marketing & Promotions

Associated Activities: We process your personal data in order to offer you coupons or discount codes based on your activities, interests, and prior use of our Services. If you have provided us with your birthday (month and day only, at your option), we may also send you a coupon or discount code on your birthday.

Type of Personal Data: Contact Data such as your first and last name, phone number and email address, order information, favorite meal, birthday, and preferred location, if you share this information with us.

Legal Bases:

•    We process your personal data for marketing & promotions, including targeted advertising, to the extent that you have consented to receive or participate in these experiences. Your consent is collected through your online account preferences and through the cookies you have allowed us to place as a result of the opt-in preferences you selected on our cookie banner.

•    Legitimate interests: to improve the functionality of our Services based on the feedback you provide and as necessary to operate, provide and improve our business.

Purpose: To Comply With Our Legal Obligations

Associated Activities: We collect (including using tracking technologies) and use personal data to prevent, investigate, identify, stop or take any other action with respect to any suspected or actual fraudulent or illegal activity, or any activity that would be contrary to our policies and terms of use in order to comply with legal or contractual obligations.

Type of Personal Data: Contact Data such as your first and last name, phone number and email address, online identifiers and payment information.

Legal Bases:

•    We rely on our obligations under applicable laws to the extent that this requires the processing or disclosure of personal data.

•    Legitimate interests: to detect or prevent illegal activities (for example, fraud); and/or to manage the security of our IT infrastructure, and the safety and security of our employees, customers, vendors and visitors.

In addition to the purposes described in the chart above, we may process your personal data for any purpose that we bring to your attention at the time of collection, that you have specifically provided your consent for, or if we are required to process your personal data under applicable law.

Sharing of Personal Data

We share your personal data with the following categories of recipients:

•      Chipotle Group Companies: We share your personal data with Chipotle group companies for purposes that are consistent with this Privacy Policy, including to operate, provide and improve the Services we provide to you and as part of our marketing activities (if you have consented to this where required by applicable law).

•      Third party service providers and partners: As part of the provision of our Services and their promotion, we share your personal data with our service providers and third-party partners in order to provide us with various services, such as order fulfillment, assistance in connection with promotions, hosting our Services, analyzing our website, delivering relevant commercial messages and advertisements, providing security and other technical services and, in any way, for any use or disclosure described in and in accordance with this Privacy Policy (on our behalf). 

•      A buyer (and its agents and advisers): In connection with a business transaction, including any actual or proposed sale or transfer of all or part of our business or assets (for example, as a result of a merger, restructuring, liquidation or other business transaction, including negotiations conducted as such), provided that we inform the buyer it must use your personal data only for the purposes disclosed in this Privacy Policy.

•      Any competent law enforcement body, regulatory, government agency, court or other third party (such as our professional advisers) where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights or so a third party can defend theirs, or (iii) to protect your vital interests or those of any other person.

•      Any other person with your consent to the disclosure (obtained separately from any contract between us).

Security

We use reasonable technical and organizational industry standard measures to protect the personal data that we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of processing.

Where you have created an account with us that uses a unique password to enable you to access our website or mobile applications, it is your responsibility to keep this password secure and confidential.

While we implement safeguards that are designed to protect your personal data, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.

International Data Transfers

In some cases, your personal data is transferred, stored and processed by Chipotle and third parties to whom we disclose your personal data outside Europe, including to the United States.

Specifically, our servers are located in Ireland and the UK, and our group companies in the United States and Canada have servers located in the United States, Japan, Northern Europe, and the UK. Our third party service providers and partners operate around the world. This means that when we collect your personal data we will process it in any of these countries. These third countries have different data protection laws than those in the country in which you are located (and, in some cases, may not be as protective).

Where we transfer your personal data to countries or organisations outside Europe which have been formally recognised as providing an adequate level of protection for personal data, we rely on the relevant adequacy decisions and regulations. This includes transfers to Canada. Where the transfer is not subject to an adequacy decision or regulation, we have taken appropriate safeguards to ensure that your personal data will remain protected in accordance with this Privacy Policy and applicable laws. These safeguards are the European Commission’s Standard Contractual Clauses as issued on 4 June 2021 under Article 46(2), including the UK Addendum permitted under Article 46(2) of the UK GDPR for the transfer of personal data originating in the UK and the Swiss modifications to the Standard Contractual Clauses for the transfer of personal data originating in Switzerland.

Our Standard Contractual Clauses entered into by our group companies and with our third party service providers and partners can be provided upon request. Please note that some sensitive commercial information will be redacted.

Links to Third Party Websites and Services

The Services may contain links to third-party websites and services that are not operated by Chipotle. By visiting any of these linked websites or services, you are subject to their respective privacy policy and other notices. We are not responsible for, or able to monitor or control the policies and practices of these other companies.

For example, our websites include plugins of social media platforms, such as Facebook and Twitter. You can identify the plugins by the respective network's logo. Details about purpose and extent of data collection, as well as processing and use of the personal data by the social media networks can be obtained by reading the privacy policies of Facebook and Twitter.

Retention

We retain the personal data we collect from you for as long as we have a legitimate business need to do so (for example, to provide you with our Services or to comply with applicable legal, tax or accounting requirements) in line with the purpose for which it was collected as described in this Privacy Policy (including as required by law). In certain circumstances, we will need to keep your information for legal reasons after our contractual relationship has ended or your account has been deleted.

The specific retention periods depend on the nature of the information and why it is collected and processed and the nature of the legal requirement. We determine the appropriate retention period for personal data based on the amount, nature and sensitivity of your personal data processed, the potential risk of harm from unauthorized use or disclosure of your personal data and whether we can achieve the purposes of the processing through other means, as well as applicable legal requirements (such as applicable statutes of limitation).

When we have no ongoing legitimate need or legal reason to process your personal data, we will either delete or anonymize it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will keep it in a safe place and protect it from further processing until it is possible to delete it and to prevent any further use of that data.

Children's Privacy

Our Services are not intended for children under 16 years of age. We do not knowingly collect, use, or disclose personal data from children under 16. If you are a parent or guardian and you learn that your children under 16 have provided us with personal data, please contact us.

Your Privacy Rights And Choices

If, at any time, you wish to update certain personal data we hold about you, or if you wish to change certain preferences (including contact preferences or location), you may do so by (1) logging into your account and changing your account settings (for example, geolocation), or (2) contacting us using the Contact Us details provided at the end of this Privacy Policy.

You can also make certain choices in relation to cookies and other tracking technologies as provided for in our Cookie Preferences and as further described in our Cookie Policy, both of which can be found in the footer of our website.

Individuals located in Europe have the following data protection rights in relation to their personal data:

  • Right of access: you have the right to obtain confirmation that we hold personal data about you, receive information about how it is used and disclosed and obtain a copy;
  • Right to rectification, update and deletion/ erasure: you have the right to rectify, update, or delete your personal data. Please be aware that if you have an account with us, you may rectify and update some of your personal data by logging into your account and changing your account settings;
  • Right to restriction of processing: in certain cases, you have the right to request that we restrict our processing of your personal data;
  • Right to object to processing: in certain cases, you have the right to object to the processing on grounds relating to your particular situation;
  • Right to data portability: in certain cases, you may request to receive the personal data we hold about you in a structured, commonly used and machine-readable format, and to transmit it to a third party in this form;
  • Right to withdraw consent: if we rely on your consent to process your personal data, you may withdraw your consent at any time and free of charge (without affecting the lawfulness of the prior use and disclosure of such personal data, nor impacting the processing of your personal data conducted in reliance on lawful processing grounds other than consent);
  • Opting out of receiving marketing communications: you may opt out and unsubscribe from our marketing communications (such as emails or text messages) at any time by logging into your account and changing your communication preferences, by clicking on an unsubscribe option or by contacting us at the contact details set out in the "Contact Us" section below. If you choose to opt out of marketing communications, we will still send you non-promotional emails, such as emails about your account or our ongoing business relations; and
  • Right to lodge a complaint: you have the right to lodge a complaint to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority. Contact details for data protection authorities in Europe are available at Data Protection Authorities - European Commission (europa.eu). Certain supervisory authorities will require that you exhaust our own internal complaints process before looking into your complaint.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. Many of the rights described above are subject to limitations or exceptions under applicable law. At our discretion, we may require you to prove your identity before responding to your request.

If you wish to exercise any of these rights or lodge a complaint about the way in which we have processed your personal data, please contact us at the following email address: privacy@chipotle.com, or complete the applicable form found by clicking on the link to Cookie Preferences in the footer of our website and clicking on Data Request Form. You can also contact us using the Contact Us details provided at the end of this Privacy Policy.

Changes To This Privacy Policy

Chipotle may change this Privacy Policy from time to time in response to changing legal, regulatory, technical or business developments. When we update our Privacy Policy, we will post an amended version and change the "Last Updated" date above and we will take appropriate measures to inform you consistent with the significance of the changes we make.

You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy. Please review this Privacy Policy periodically.

Contact Us

If you have any questions or concerns about this Privacy Policy, or if you wish to lodge a complaint about our privacy practices, please contact us at the following email address: privacy@chipotle.com, or by registered mail or post at the following addresses:

In the European Economic Area:
Chipotle Mexican Grill France SAS
6 place de la Madeleine
75008 Paris
France

In the United Kingdom:
Chipotle Mexican Grill UK Ltd
83 Baker Street
Marylebone, London W1U 6AG