This Privacy Notice (“Notice”) describes how Chipotle Mexican Grill, Inc. and its subsidiaries and affiliates in Europe (“Chipotle”, “we”, “our”, “us”) collect, use, and disclose personal information of visitors who access or interact with our mobile application (“App”) or our websites that link to this Notice, as well as about customers of our restaurants (collectively "You", "Your"). The Notice also provides information about how you can exercise your privacy rights. The App, those websites, our restaurants, and our related service offerings are referred to in this Notice as our “Services.”
We recommend that you read this Notice in full to ensure you are fully informed. However, to make it easier for you to review those parts of this Notice, which apply to you, we have divided up the document into the following sections:
Who We Are
We believe that food has the power to change the world. Chipotle was born of the radical belief that there is a connection between how food is raised and prepared, and how it tastes. Real food is better. Better for you, better for people, better for our planet. We believe it may be the hard way to do things, but it is the right way.
Chipotle Mexican Grill, Inc. and its affiliated entities is an American chain of casual restaurants based in the United States with restaurants in the US, United Kingdom, Canada, Germany, and France, specializing in Mexican inspired high-quality food that are made to order.
Collection of information
The information we collect depends on the context of your interactions with Chipotle, the Services you use, your location and the choices you make.
When you visit or interact with the Services, such as when you sign up or create an account on our websites or App, participate in our loyalty program, place an order with us, respond to our surveys or other marketing research efforts or communicate with us, including via our customer care team, you may share the following information with Chipotle:
We may also create inferences from using aggregated and anonymized information.
If you communicate directly with us, we will collect and may maintain a record of our communications with you (including the content of such communications).
If you submit someone else’s personal information to us (e.g., someone else’s contact information), you represent that you are authorized to provide this information to us.
We collect certain information about you automatically when you visit or use our online Services, such as our websites and App. This information may include number of page visits, idle time on a page, referring URLs, length of visits, and website load speed. In countries in the European Economic Area ("EEA") and UK, this information is considered 'personal data' under data protection laws.
We automatically collect this information using various tools and tracking technologies such as cookies and web server logs. A cookie is a piece of data that a website can send to your browser, which may then be stored on your computer, sometimes with a tag that identifies your computer.
Many web browsers are set to accept cookies by default, but you may be able to set your browser to notify you before you receive a cookie, or to remove or reject cookies. Please note that disabling cookies may affect the availability and functionality of our online Services and other websites.
The information collected via cookies and tracking technologies is used to analyze overall trends, to help us provide, improve and personalize our Services (including our online Services), advertising and marketing activities, and to guarantee their security and continued proper functioning. For more information about the cookies and other tracking technologies we use on our websites, please read our Cookie Notice.
Information Collected From Third Parties
For certain features of the online Services, you may log in through your third-party social media account or share content from the online Services through third-party social media platforms, such as TikTok or Instagram.
Use of Information and Legal Bases
We may use personal information we obtain about you to:
· Conduct direct marketing activities: When you sign up on our online Services, we collect information to send you, in accordance with your marketing preferences, marketing information via email about our Services, including our restaurants and products as necessary for our legitimate interests in conducting direct marketing or if required by law, with your consent. We use your personal identifiers (such as your email), and commercial information (such as your purchase history and purchasing tendencies) to contact you with personalized or general marketing offers and resources, newsletters and other updates about Chipotle;
· Display personalized advertisements and content: We process your personal information to conduct marketing research, advertise to you, provide personalized information about our Services and to provide other personalized content based upon your activities and interests to the extent it is necessary for our legitimate interest in promoting and advertising our Services or, where necessary, to the extent you have provided your prior consent;
· Improve our Services: We use personal information, such as information about your use of our Services (including using tracking technologies), and information you provide when you participate in a survey or other marketing research to better understand how our Services are used (including through statistical analysis of the content, layout and features of our Services) and to help us improve our Services, to the extent it is necessary for our legitimate interest in improving our Services and conducting our marketing activities or, where required by law, with your consent.
SHARING OF INFORMATION
We do not share your personal information with third party except as outlined below. We may disclose your personal information to the following categories of recipients:
· Chipotle Group Companies: We may share your personal information with Chipotle group companies for purposes consistent with this Notice, such as to maintain, provide and improve our Services and for marketing related activities (with your consent where required by applicable law).
· Service providers: In order to provide our Services to you and to promote and advertise our Services, we may share your personal information with our contracted third-party service providers and partners who perform a variety of services on our behalf, such as fulfilling orders, assisting with promotions, hosting our Services, performing website analytics, delivering relevant marketing messages and advertisements, providing technical services, and otherwise carrying out any of the uses and disclosures described in this Notice (on our behalf). We generally require our service providers to provide at least the same or equal protection of user data as stated in this Notice and these third party service providers are not authorized to retain, share, store or use your personal information for any purposes other than to provide the services they have been hired to provide.
· Advertising partners: We may partner with third-party advertising networks (for example, those mentioned in the “Information Collected Automatically” Section above) to display advertising on our online Services or to manage and service advertising on other websites and we may share personal information with them for this purpose. Please read our [Cookie Notice] for further information.
· Business transfers: In the event of a business transaction, such as if we sell or transfer all or a portion of our business or assets (e.g., further to a merger, reorganization, liquidation, or any other business transaction, including negotiations of such transactions), we reserve the right to disclose any information we obtain through the Services provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Notice.
· Compliance with laws: We may also disclose personal information when we are legally required to do so such as when we are required by subpoena, search warrant, or other legal processes.
· Vital interest and legal rights: We may disclose your personal information in prevention or in response to activities that are unlawful or a violation of Chipotle’s rules for use of the Services, suspected fraud, situations involving potential threats to the safety of any persons or to protect and defend the rights or property of Chipotle or others.
We may also share your information with any other person with your consent to the disclosure.
If at any time you want to update certain personal information we have about you, or if you wish to change certain preferences (including certain communication preferences or location tracking), you may do so by (1) logging into your registered website or App account and changing your account settings (including location tracking), or (2) contacting us as described at the end of this Notice.
You also can make certain choices by using the options described in the “Information Collected Automatically” section above and in our cookie notice.
Individuals in the European Economic Area, Switzerland and some other jurisdictions (including the UK, regardless of Brexit status) have certain additional legal rights to do the following with personal information we handle:
Many of the rights described above are subject to limitations or exceptions under applicable law.
If you wish to exercise any of these rights or raise a complaint on how we have handled your personal information, please contact us as described at the end of this Notice under the "Contact Us" heading.
We use various security measures as part of an effort to protect your personal information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction. Nevertheless, transmission and storage are not completely secure (whether online or offline) and we cannot guarantee the security of your information.
INTERNATIONAL DATA TRANSFER
Your information may be transferred, stored and processed by Chipotle and the third parties to whom it discloses information from outside the EEA, including in the United States. These countries may have data protection laws that are different to the laws of your country. Regardless of where your information is located, we treat all personal information in accordance with this Notice and applicable laws and we take steps necessary to ensure that we implement appropriate safeguards to protect your personal information, including through the use of Standard Contractual Clauses or another lawful transfer mechanism approved by the European Commission.
If you require further information about our international transfers of personal information, please contact us using the contract details provided under the “Contact Us” heading further below.
LINKS TO OTHER WEBSITES AND SERVICES
The Services may offer links to websites and other services that are not maintained by Chipotle. By visiting one of these linked websites or services, you are subject to their privacy and other policies. We are not responsible for, or able to monitor or control, the policies and practices of other companies.
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with our Services or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
CHANGES TO THIS NOTICE
From time to time, Chipotle may change this Notice. When we update this Notice, we take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material changes if and where this is required by applicable data protection laws. Changes will be indicated by the “Last Updated” date at the top of this page.
Please note that the controller of your personal information is
EMEA Tortilla, Ltd., with registered offices at:
83 Baker Street
For questions about this Privacy Notice, you may contact us at firstname.lastname@example.org or:
83 Baker Street