Chipotle -- Privacy Notice

 

CHIPOTLE’S PRIVACY NOTICE

 
(LAST UPDATED OCTOBER 31, 2021)

This Privacy Notice (“Notice”) describes how Chipotle Mexican Grill, Inc. and its subsidiaries and affiliates in Europe (“Chipotle”, “we”, “our”, “us”) collect, use, and disclose personal information of visitors who access or interact with our mobile application (“App”) or our websites that link to this Notice, as well as about customers of our restaurants (collectively "You", "Your"). The Notice also provides information about how you can exercise your privacy rights. The App, those websites, our restaurants, and our related service offerings are referred to in this Notice as our “Services.”

Quick Links

We recommend that you read this Notice in full to ensure you are fully informed. However, to make it easier for you to review those parts of this Notice, which apply to you, we have divided up the document into the following sections:

Who We Are

We believe that food has the power to change the world. Chipotle was born of the radical belief that there is a connection between how food is raised and prepared, and how it tastes. Real food is better. Better for you, better for people, better for our planet. We believe it may be the hard way to do things, but it is the right way.

Chipotle Mexican Grill, Inc. and its affiliated entities is an American chain of casual restaurants based in the United States with restaurants in the US, United Kingdom, Canada, Germany, and France, specializing in Mexican inspired high-quality food that are made to order.

Collection of information

The information we collect depends on the context of your interactions with Chipotle, the Services you use, your location and the choices you make.

Information You Provide To Us

When you visit or interact with the Services, such as when you sign up or create an account on our websites or App, participate in our loyalty program, place an order with us, respond to our surveys or other marketing research efforts or communicate with us, including via our customer care team, you may share the following information with Chipotle:

  • Names, addresses, contact numbers, and email addresses;
  • Date of birth;
  • Preferred restaurant, as indicated by you;
  • Records of your orders and other transactions with us;
  • Credit/debit card number(s) and account information, including associated billing address(es) and expiration date(s);
  • Information provided via surveys, focus groups, and/or other marketing research efforts in which you participate;

We may also create inferences from using aggregated and anonymized information.

If you communicate directly with us, we will collect and may maintain a record of our communications with you (including the content of such communications).

If you submit someone else’s personal information to us (e.g., someone else’s contact information), you represent that you are authorized to provide this information to us.

Information Collected Automatically

We collect certain information about you automatically when you visit or use our online Services, such as our websites and App. This information may include number of page visits, idle time on a page, referring URLs, length of visits, and website load speed. In countries in the European Economic Area ("EEA") and UK, this information is considered 'personal data' under data protection laws.

We automatically collect this information using various tools and tracking technologies such as cookies and web server logs. A cookie is a piece of data that a website can send to your browser, which may then be stored on your computer, sometimes with a tag that identifies your computer.

Many web browsers are set to accept cookies by default, but you may be able to set your browser to notify you before you receive a cookie, or to remove or reject cookies. Please note that disabling cookies may affect the availability and functionality of our online Services and other websites.

The information collected via cookies and tracking technologies is used to analyze overall trends, to help us provide, improve and personalize our Services (including our online Services), advertising and marketing activities, and to guarantee their security and continued proper functioning. For more information about the cookies and other tracking technologies we use on our websites, please read our Cookie Notice.

Depending on your personal device settings and App permission settings, when using the App, we may collect or have access to your:

  • Precise geolocation. When enabled through your mobile device, this provides the App with the nearest Chipotle restaurant location. However, no precise location data itself is stored by Chipotle when this is enabled through your mobile device’s location sharing options.
  • Camera. When enabled, this may allow the App to access the camera to scan and input payment method details.
  • Other. The App will send and receive data to and from the Internet, and may view network connections, have full network access, control vibration of your device, or prevent your device from sleeping, depending on your mobile settings.

Information Collected From Third Parties

For certain features of the online Services, you may log in through your third-party social media account or share content from the online Services through third-party social media platforms, such as TikTok or Instagram. 

Use of Information and Legal Bases

We may use personal information we obtain about you to:

  • Create and manage your Account: We collect and use information that is necessary for you to register an account with us such as your contact details, delivery information, username/password (if you wish to create an account), payment information, and your food order details. This allows us to perform our contract with you and to fulfill our obligations under applicable terms and conditions and laws. Where we have not entered into a contract with you, we base the processing of your personal information on our legitimate interest to operate and administer our Services.

  • Provide you with our Services and fulfil your orders: We collect and use information that is necessary for us to provide you with our Services, including to fulfil your orders to the extent it is necessary to perform our contract with you. This includes your contact details, payment information and details about the orders you placed on our Services.

  • Personalize our Services: We collect and use information such as details about the orders you placed and your preferred Chipotle restaurant to suggest items that could be of interest and personalize your experience with our Services, including our online Services where necessary for our legitimate interest in supporting our marketing activities or advertising our Services or, where required by law, with your consent.

  • Communicate with you: We collect information that is necessary to respond to products or service enquiries, support requests or any other communications you submit through our online Services or via social media platforms and we process your personal information to perform our contract with you and/or (if we have not entered into a contract with you) to the extent it is necessary for our legitimate interest in fulfilling your request and communicating with you. This includes your personal identifiers (such as your name and contact details), information submitted on our online forms and commercial information (such as your purchase history and communications).  

·       Conduct direct marketing activities: When you sign up on our online Services, we collect information to send you, in accordance with your marketing preferences, marketing information via email about our Services, including our restaurants and products as necessary for our legitimate interests in conducting direct marketing or if required by law, with your consent. We use your personal identifiers (such as your email), and commercial information (such as your purchase history and purchasing tendencies) to contact you with personalized or general marketing offers and resources, newsletters and other updates about Chipotle;

 

·       Display personalized advertisements and content: We process your personal information to conduct marketing research, advertise to you, provide personalized information about our Services and to provide other personalized content based upon your activities and interests to the extent it is necessary for our legitimate interest in promoting and advertising our Services or, where necessary, to the extent you have provided your prior consent;

 

·       Improve our Services: We use personal information, such as information about your use of our Services (including using tracking technologies), and information you provide when you participate in a survey or other marketing research to better understand how our Services are used (including through statistical analysis of the content, layout and features of our Services) and to help us improve our Services, to the extent it is necessary for our legitimate interest in improving our Services and conducting our marketing activities or, where required by law, with your consent.

  • Rights and obligations: We collect (including using tracking technologies) and use personal information such as your contact details, online identifiers purchase and payment information to prevent, investigate, identify, stop, or take any other action with regard to suspected or actual fraudulent or illegal activity, or any activity that violates our policies and Terms of Use to carry out our obligations and enforce our rights arising from any contracts entered into between you and us and we rely on our legal obligations under applicable laws to the extent this requires the processing or disclosure of personal information or is necessary for our legitimate interest in protecting against fraud, misuse or abuse of our Services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes or to respond to lawful requests or for any other purpose we communicate with you at the time of collection, with your consent where required by law.

 

SHARING OF INFORMATION

We do not share your personal information with third party except as outlined below. We may disclose your personal information to the following categories of recipients:

·      Chipotle Group Companies: We may share your personal information with Chipotle group companies for purposes consistent with this Notice, such as to maintain, provide and improve our Services and for marketing related activities (with your consent where required by applicable law).

 

·      Service providers: In order to provide our Services to you and to promote and advertise our Services, we may share your personal information with our contracted third-party service providers and partners who perform a variety of services on our behalf, such as fulfilling orders, assisting with promotions, hosting our Services, performing website analytics, delivering relevant marketing messages and advertisements, providing technical services, and otherwise carrying out any of the uses and disclosures described in this Notice (on our behalf). We generally require our service providers to provide at least the same or equal protection of user data as stated in this Notice and these third party service providers are not authorized to retain, share, store or use your personal information for any purposes other than to provide the services they have been hired to provide.

 

·      Advertising partners: We may partner with third-party advertising networks (for example, those mentioned in the “Information Collected Automatically” Section above) to display advertising on our online Services or to manage and service advertising on other websites and we may share personal information with them for this purpose. Please read our [Cookie Notice] for further information.

 

·      Business transfers: In the event of a business transaction, such as if we sell or transfer all or a portion of our business or assets (e.g., further to a merger, reorganization, liquidation, or any other business transaction, including negotiations of such transactions), we reserve the right to disclose any information we obtain through the Services provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Notice.

 

·      Compliance with laws: We may also disclose personal information when we are legally required to do so such as when we are required by subpoena, search warrant, or other legal processes.

 

·      Vital interest and legal rights: We may disclose your personal information in prevention or in response to activities that are unlawful or a violation of Chipotle’s rules for use of the Services, suspected fraud, situations involving potential threats to the safety of any persons or to protect and defend the rights or property of Chipotle or others.

We may also share your information with any other person with your consent to the disclosure.

YOUR CHOICES

If at any time you want to update certain personal information we have about you, or if you wish to change certain preferences (including certain communication preferences or location tracking), you may do so by (1) logging into your registered website or App account and changing your account settings (including location tracking), or (2) contacting us as described at the end of this Notice.

You also can make certain choices by using the options described in the “Information Collected Automatically” section above and in our cookie notice.

Individuals in the European Economic Area, Switzerland and some other jurisdictions (including the UK, regardless of Brexit status) have certain additional legal rights to do the following with personal information we handle:

  • Right to access: You may have the right to obtain confirmation of whether we hold personal information about you, receive information about how it is used and disclosed and obtain a copy of the personal information;
  • Right to data portability in some cases, you can request to receive the personal information we hold about you in a structured, commonly used and machine-readable format, and to transmit it to a third party in such form;
  • Right to rectification and erasure: you may have the right to update, correct or delete the information. Note that if you have registered an account with us, you can correct and update some of your information by logging into your registered website or App account and changing your account settings, ;
  • Right to object to the processing: In certain circumstances, you can object to the use or disclosure of the information;
  • Right to withdraw consent: Where we rely on your consent to process your personal information, you may withdraw your consent at any time (without affecting the lawfulness of prior use and disclosure of the information); and
  • Right to restriction of processing: In some circumstances, you may obtain a restriction on the use of your information by Chipotle.
  • Opt-out from receiving marketing communications: You can unsubscribe from our marketing communications (such as marketing emails) at any time by logging into your registered website or App account and changing your communication preferences or by contacting us using the contact details provided under the "Contact Us" heading.
  • Right to complain: You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. If you are resident in the EEA and UK, the contact details for data protection authorities are available here.

Many of the rights described above are subject to limitations or exceptions under applicable law.

If you wish to exercise any of these rights or raise a complaint on how we have handled your personal information, please contact us as described at the end of this Notice under the "Contact Us" heading.

SECURITY

We use various security measures as part of an effort to protect your personal information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction. Nevertheless, transmission and storage are not completely secure (whether online or offline) and we cannot guarantee the security of your information.

INTERNATIONAL DATA TRANSFER

Your information may be transferred, stored and processed by Chipotle and the third parties to whom it discloses information from outside the EEA, including in the United States. These countries may have data protection laws that are different to the laws of your country. Regardless of where your information is located, we treat all personal information in accordance with this Notice and applicable laws and we take steps necessary to ensure that we implement appropriate safeguards to protect your personal information, including through the use of Standard Contractual Clauses or another lawful transfer mechanism approved by the European Commission.

If you require further information about our international transfers of personal information, please contact us using the contract details provided under the “Contact Us” heading further below.

LINKS TO OTHER WEBSITES AND SERVICES

The Services may offer links to websites and other services that are not maintained by Chipotle. By visiting one of these linked websites or services, you are subject to their privacy and other policies. We are not responsible for, or able to monitor or control, the policies and practices of other companies.

DATA RETENTION

We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with our Services or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

CHANGES TO THIS NOTICE

From time to time, Chipotle may change this Notice. When we update this Notice, we take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material changes if and where this is required by applicable data protection laws. Changes will be indicated by the “Last Updated” date at the top of this page.

CONTACT US

Please note that the controller of your personal information is
EMEA Tortilla, Ltd., with registered offices at:
83 Baker Street
Marylebone, London
W1U 6AG

For questions about this Privacy Notice, you may contact us at privacy@chipotle.com or:

Chipotle Europe

83 Baker Street

Marylebone, London

W1U 6AG