CHIPOTLE’S U.S. PRIVACY POLICY, INCLUDING CALIFORNIA PRIVACY RIGHTS

This “Privacy Policy” describes how Chipotle Mexican Grill, Inc. and its subsidiaries and affiliates in the United States (“Chipotle”, “we”, “our”, “us”) may collect, use, and disclose personal information of visitors who access or interact with our mobile application (“App”) or our websites (“Websites”) that link to this Privacy Policy, as well as other personal information about our customers.  The App, those Websites, our restaurants, and our related service offerings are referred to in this Privacy Policy as our “Services.”  This Privacy Policy is applicable to consumers in the United States (US). We maintain separate privacy policies for our employees in the United States and for customers and employees in the European Union, United Kingdom, and Canada. We also maintain a separate Applicant Privacy Notice that is applicable to job applicants in the United States, European Union, United Kingdom, and Canada. This Privacy Policy also does not apply to our former employees and their family members, dependents, and beneficiaries; if you are a California resident who is a current or former Independent Contractor (as that term is defined in the California Consumer Privacy Act (CCPA)) or employee of Chipotle or a family member, dependent, or beneficiary of any of our current or former employees, you may request access to our Privacy Notice To California Independent Contractors or Employee Privacy Policy by sending an email to privacy@chipotle.com.

Notice at Collection

We collect personal information as detailed below and in our Privacy Policy. To learn more, including how you can opt-out of the sale or sharing of your personal information, please see the “Your State Privacy Rights and Additional Disclosures” section below.

Category of personal information	Purpose for collection and Processing (Including Business and Commercial Purposes)	Categories of Recipients	Used for “Sell”, “Share”, or Targeted Advertising (yes/no)
Identifiers such as names, addresses, phone numbers, and email addresses	To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To communicate with you For research purposes To design and develop new product and service offerings To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes	Analytics companies   Data Brokers   Third Party Advertisers   Government Agencies (if necessary to meet legal obligations)   Payment Processors   Vendors providing services to us	Yes   No   Yes     No     No   No
Protected categories of information, such as your age range, marital status, and other demographic information	To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To improve our customer service and other internal business purposes	Vendors providing services to us	No
Commercial information, such as records of your orders and other transactions with us	To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To communicate with you For research purposes To design and develop new product and service offerings To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes To fulfill or meet the request	Analytics companies   Data Brokers   Third Party Advertisers   Government Agencies (if necessary to meet legal obligations)   Payment Processors   Vendors providing services to us	Yes   No   Yes   No       No   No
Precise Geolocation Data (this is sensitive personal information)	To provide you with products and services reasonably expected (e.g., to provide you with the nearest restaurant location, location nudges, and to have your order ready when you arrive)	Vendors providing services to us	No
General Geolocation Data	To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To communicate with you For research purposes To design and develop new product and service offerings To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes	Analytics companies   Data Brokers   Third Party Advertisers   Government Agencies (if necessary to meet legal obligations)   Payment Processors   Vendors providing services to us	Yes   No   Yes   No       No   No
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interactions with websites, applications, or advertisements, and other information described in the Information Collected Automatically section of our Privacy Policy	To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To communicate with you For research purposes To design and develop new product and service offerings To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes	Analytics companies   Data Brokers   Third Party Advertisers   Government Agencies (if necessary to meet legal obligations)   Vendors providing services to us	Yes   No   Yes   No       No
Other information you provide to us, including user-generated content and information provided via contests, giveaways, and / or promotions	To operate our businesses To conduct business analytics For safety and security purposes To design and develop new product and service offerings To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes To fulfill or meet the request	Analytics companies   Data Brokers   Third Party Advertisers   Government Agencies (if necessary to meet legal obligations)   Vendors providing services to us	Yes   No   Yes   No       No
Sensory data such as recordings of customer care calls or CCTV footage	To operate our businesses To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes To fulfill or meet the request	Government Agencies (if necessary to meet legal obligations)   Vendors providing services to us	No       No
Inferences from personal information collected such as a profile about a consumer reflecting the consumer’s preferences, demographics, characteristics, and interests	To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To conduct business analytics For research purposes To design and develop new product and service offerings For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes	Analytics companies   Data Brokers   Third Party Advertisers   Government Agencies (if necessary to meet legal obligations)   Vendors providing services to us	Yes   No   Yes   No       No
Accessibility (i.e. whether you want your order placed on an ADA accessible shelf)	To provide you with products and services To improve our customer service and other internal business purposes To fulfill or meet the request To fulfill our legal obligations and other notified purposes	Vendors providing services to us	No
Nutrition Preferences (i.e. whether you are avoiding dairy, soy, or gluten, or if you are interested in options that are vegan or keto)	To provide you with products and services To design and develop new product and service offerings To improve our customer service and other internal business purposes To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To conduct business analytics To fulfill or meet the request To fulfill our legal obligations and other notified purposes	Analytics companies   Data Brokers   Third Party Advertisers   Government Agencies (if necessary to meet legal obligations)   Vendors providing services to us	Yes   No   Yes   No       No
Fundraising and Donations	To provide you with products and services To operate our businesses To communicate with you To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes To fulfill or meet the request	Government Agencies (if necessary to meet legal obligations)   Vendors providing services to us	No       No
Contests, Promotions, Surveys, Focus Groups, or other Market Research	To operate our businesses To conduct business analytics To conduct marketing, personalization, and advertising For research purposes For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes	Government Agencies (if necessary to meet legal obligations)   Vendors providing services to us	No       No

We retain personal information to achieve the purposes for which the information was collected. In certain cases, we may need to retain personal information for purposes required under applicable law, for tax or audit purposes, or for other purposes permitted under law.

This Privacy Policy includes the following sections:

1. Collection of Information
2. Use of Information
3. Sharing of Information
4. Retention of Information
5. Security
6. Privacy for those under the age of 18
7. Interest-Based Advertising and Cookies - Your Choices
8. Your State Privacy Rights and Additional Disclosures
9. Links to Other Websites and Services
10. Changes to Chipotle’s Privacy Policy
11. Contact Us

 1.    COLLECTION OF INFORMATION

For the purposes of this policy, “personal information” means any information about an identifiable individual including, without limitation, your name, address, telephone number, and email address. Personal information does not include publicly available information from government records or deidentified or aggregated consumer information that Chipotle does not attempt to reidentify. We collect and use your personal information when you:

• Visit one of our restaurants
• Order through our Website or App, or otherwise use the Services
• Participate in our Chipotle Rewards program
• Participate in our Chipotle Community Fundraising Program or if you elect to Round Up
• Sign-up to receive our marketing communications
• Sign-up to receive push notifications
• Enter a contest, participate in a promotion, or participate in market research
• Contact Us with a comment, question or complaint
• Use the Find a Location feature on our Website or App
• Search our Website or App

·        Restaurant Purchases: You do not have to provide us with any personal information when you pay using cash at one of our restaurants. If you use a credit or debit card, we collect your debit or credit card-related information and your signature to process and administer your payment. We may also use video surveillance (e.g. CCTV) in our restaurants for loss prevention, safety, and security purposes. If you order catering through a local restaurant, we also collect the delivery address.

·        Ordering Online: If you place an individual or group order through our Website or App, you will be asked to provide your first and last name, email address, phone number, payment card information, and, optionally your nutrition preferences and if you would like to have your order placed on an accessible shelf for pick-up orders. You may also choose to create an account without joining our Rewards program, and through this account you may also elect to receive push notifications and marketing communications. If you place an order for delivery, you will be asked for the physical address you would like the order delivered to.  If you choose to: (i) place a group order, or (ii) create a Chipotle Rewards account to save your favorites and order faster, we will collect all of the foregoing elements and, if you are a Rewards member, the data elements identified in the Chipotle Rewards paragraph below. If you place a Group Order, we will collect the name of each participant in the Group Order in order to correctly match the names of the Group Order participants with the items that they have ordered. We may also offer you the ability to order through a third-party food delivery service, in which case we obtain your information from the third party in order to fulfil your order. If you purchase an e-gift card for a friend or family member, we collect the name and email address for the recipient in order to deliver an email containing your e-gift card on your behalf. We do not use the recipient’s information for any other purpose.

·        Chipotle Rewards: If you join our Chipotle Rewards program, we will collect your first name, last name, email address (required in order to receive all eligible Chipotle Rewards), password used to create the account, telephone number, and marketing preferences, device settings, country, and you may also elect to provide other information, including your birthday, payment card or gift card information, and optionally your delivery address, accessibility preferences for pick up orders and nutrition preferences. We collect this information to establish and administer your Chipotle Rewards account, including to create and send you a digital Chipotle Rewards card, create an ID number, scannable code or other unique identifier to associate you with your Chipotle Rewards account, to award points to you on qualifying purchases and to enable you to redeem points. We will then associate that and other categories of personal information with your Rewards Program account, such as other unique identifiers, purchase history, general geolocation data, preferences you provide (e.g., favorite Chipotle restaurants), and stored payment methods.  Note that we also may collect all of this information outside the context of the Rewards Program. We may also use this information to send non-personalized advertising, retargeted advertisements and personalized advertising and marketing offers and other special offers available only to members of the Chipotle Rewards program. For more information on the categories of recipients that receive your information, please see the “Notice at Collection” section above.

·        The Chipotle Community Fundraising Program: We collect personal information if you choose to participate in our Chipotle Community Fundraising Program, which allows organizations to apply to raise money for a particular fundraiser. You may apply for the Chipotle Community Fundraising Program by filling out an application.  If you apply to participate, we will collect the name of the individual applying and their address, email, phone number, and information on behalf of the organization that will benefit from the fundraiser (e.g. organization name, address, EIN).

·        Round Up: You may be offered the opportunity to round up your purchase to the nearest dollar and have Chipotle donate the excess amount to the applicable fundraiser.

·        Push Notifications: If you sign-up to receive push notifications, we will send push notifications to your mobile device, which may include marketing and transactional messages. You may opt-out from allowing us to send you push notifications by adjusting the permissions in your mobile device.

·        Contests, Promotions, Surveys, Focus Groups, or other Market Research: If you enter a contest or participate in a promotion, we or a third party we retain to provide these services on our behalf, may, with your consent, collect your name, address, email address, phone number, and any additional information or content required for the contest or promotion (such as information you post on social media). We use this information to administer your participation in the contest or promotion, including prize fulfillment. As part of a contest or promotion, we may obtain your consent to share or otherwise publish the content you submit. You may provide these same data elements to us (or a party retained by us) when you participate in surveys, focus groups, or market research, and you may also share additional information generated by your participation in the surveys, focus groups, and/or other marketing research efforts. We may use the information you share with us a result of your participation in a survey, focus group, or other marketing research efforts to personalization your experience with our Services and to send you personalized advertising.

·        Contact Us: When you contact us with a comment, question or complaint, you may be asked for information that identifies you, such as your name, address and a telephone number, along with additional information we need to help us promptly answer your question or respond to your comment.  You may be asked to provide all of this same information if you contact us through our chat bot, Pepper.  We may record or create transcripts of your calls to us, your chats with Pepper, or any other method by which you connect with us and may retain the information disclosed during these interactions to assist you in the future, to improve our customer service and service offerings, to meet our legal obligations or to protect our legal interests, as well as for other business purposes that are detailed in this Privacy Policy. We may also use vendors to provide these services which means these vendors may have to access to these recordings or transcripts, including in real time. By using Pepper, you consent to Chipotle’s monitoring and recording of the chat and to the collection and analysis of all personal information provided through the chat. We utilize a service provider to process, analyze, and store the contents of the chat on our behalf. By using Pepper, you direct Chipotle to disclose to and share with our service provider, including, any personal information you provide. If you do not consent to Chipotle’s collection and analysis of your data or to the processing of this data by our service provider on Chipotle’s behalf, then please do not use the chat feature. Please also note that if you contact us or we engage with you through Apple Business Chat, Google Business Messages, Facebook Messenger, or similar, your communications with us and any personal information you share with us through those platforms is subject to the terms of use and related privacy policies provided by those platforms. You may also contact us to submit a customer service request or complaint related to your health, the data you provide to us in that context is covered by our Consumer Health Data Notice.

·        Find a Location / Location Nudges: If you search for a restaurant, we, or our service provider, collect your postal code or city and province, or, if you choose to provide it, your device’s precise geolocation, in order to provide you with information on nearby restaurants and to ensure you are on your way to the correct location when you have placed a digital order for pickup. When you give the App permission to collect your precise geolocation, the App (in conjunction with a provider of map services, such as Google Maps or Apple Maps) may use your mobile device’s location services to collect real-time information about the location of your device (using GPS, WiFi, Bluetooth or other methods, including in store beacons) to provide requested location services and ensure your orders are placed at the correct location.  Chipotle does not retain, store, or use your precise geolocation beyond what is necessary to fulfill the purposes identified in this section. However, Chipotle does retain general location data such as your zip code, city, state, and country and this general location data may be used to identify an audience for targeted advertising. Please note, use of Google Maps or App Maps through our App is subject to: (i) Google Maps/Google Earth Additional Terms of Service and Google’s Privacy Policy and (ii) Apple Map’s Terms of Use and Apple’s Privacy Policy.

·        Accessibility: As described in the Online Ordering and Chipotle Rewards sections above, you may elect to tell us if you would like to have your order placed on an ADA accessible shelf.  We will not ask you for any specific medical condition, disability status, or diagnosis associated with your request to have your order placed on an ADA accessible shelf.

·        Nutrition: As described in the Online Ordering and Chipotle Rewards sections above, you may elect to tell us if you have certain nutrition preferences such as that you are eating a plant based V+ Vegan diet, Paleo, or that you are avoiding Gluten or Dairy.  We will not ask you for any specific medical condition, disability status, or diagnosis associated with your nutrition preferences. We may use your nutrition preferences to personalize your experience on our Website and App and we (or entities who send advertisements on our behalf) may also send you advertisements related to these preferences (e.g. we may suggest vegetarian options when you are on our Website or send you advertisements associated with your nutritional preferences).

Information Collected Automatically

We may collect certain information about you automatically when you visit or use our online Services, or when you interact with emails, advertisements, or other electronic messages we send to you through the Services. This information may include your IP address, device characteristics (including device identifiers), web browser characteristics, unique identifiers and other data stored in cookies, operating system details, language preference, referring URLs, length of visits, pages viewed, and other information that may be automatically accessible to us from your browser or device.

We and our vendors may automatically collect this information using various tools and technologies such as cookies, web server logs, tags, beacons, SDKs, pixels, local storage, JavaScript, APIs, session replay/screen capture (i.e., how you use and navigate through our website, but not your keystroke data), search contents, form field data, and other similar technologies. Additional information on other technologies we may use is set forth below in the section titled: Interest-Based Advertising - Your Choices.

We may also use certain service providers of web and mobile app analytics services, including but not limited to Google Analytics, Adobe Analytics, Branch Analytics, and Facebook Custom Audiences, to help us understand and analyze how visitors use our Website and App or serve ads on our behalf across the Internet and in different channels (including on the web, in mobile apps, on out-of-home digital surfaces, and in connected TV apps). We also use these services for remarketing, interest-based advertising, demographics and interests reporting, user segment analysis, look-alike modeling and impression reporting. We and our service providers may use first-party cookies or other first-party identifiers as well as third-party cookies or other third-party identifiers to provide Chipotle with insight into behavior information relating to inferred visitor age range (e.g., GenZ, Millennial, GenX, etc.), your interests, and to deliver advertisements to you, create a profile of you, measure your interests, detect your demographics, personalize content, and detect and associate online and offline behaviors such as site visitation, dwell time and actions taken.

Please check your browser and device settings to control the location data you allow your browser and device to collect and share with third parties.  For example, Google allows you to control whether or not you will see ads that are personalized based on your interaction with our website. To learn more, visit: Ad Settings. You can also turn off ads personalization from the 100+ vendors that participate in YourAdChoices platform administered by the Digital Advertising Alliance, to learn more visit: WebChoices: Digital Advertising Alliance's Consumer Choice Tool for Web US.

We use a session replay service to analyze how visitors use the online Services. Session-replay technologies are software services provided by our service providers and used to record a video replay of a visitor’s interactions with our Website. The video replay may include Website visitor clicks, mouse movements, scrolls, typing, and other activity taken during the session on the Website. We use session replay technologies for research and development purposes, such as to help us troubleshoot problems with the Website, understand how users interact with and use the Website, and identify areas for improvement.

Finally, our service providers may detect your location (including precise location) to provide us with aggregated information about how our advertising campaigns are performing in certain geographic areas, for security purposes to ensure an order is being placed from a location near Chipotle restaurants, to provide you with the location of your closest Chipotle, or in response to your search requesting job openings at your nearest Chipotle. Please check your browser and device settings to control the location data you allow your browser and device to collect and share with third parties.

For more information on how the Google Marketing Platform uses the data collected, visit: www.google.com/policies/privacy/partners/.

In addition to the automatic collection mechanisms listed above, we may also:

• As an advertising publisher, use tags in connection with the Nielsen Digital Ad Ratings Service for Google Ad Manager; and
• Use Microsoft’s Bing Universal Event Tracking (UET) feature, in which case Microsoft collects your personal information (see Microsoft Privacy Statement).

Depending on your personal device and App permission settings, when using the App, we may collect or have access to your:

• Precise geolocation. When you give the App permission to collect your precise geolocation, the App may use your mobile device’s location services to collect real-time information about the location of your device (using both GPS, WiFi, Bluetooth or other methods, including in-store beacons) to provide requested location services and ensure your orders are placed at the correct location. To turn off geolocation, please adjust the permissions on your device. If location services are disabled, other means of establishing or estimating your general location (e.g., connecting to or proximity to Wi-Fi, Bluetooth, beacons, or our networks) may still be active.  
• Camera. When enabled, this may allow the App to access the camera to scan and input payment method details. Providing access to your Camera function is entirely optional.
• Wi-Fi connection information. When enabled, this may allow the App to view Wi-Fi connections.
• Other. The App will send and receive data to and from the Internet, and may view network connections, have full network access, control vibration of your device, or prevent your device from sleeping.

Some of the technology described above is used by us or our vendors to correlate information collected about you over time and across websites or online services.

Please review Section 7, Interest-Based Advertising - Your Choices, for additional information about how you can manage the use of these technologies.

Information Collected From Service Providers

Our service providers (which may include data brokers) and other third parties may share with us your personal information. For example, if you order food or catering, order gift cards, make a purchase for merchandise, make a payment, or provide feedback on your experiences, you may submit personal information to one or more third parties that may share your information with us.

In some circumstances, we may also collect information about you from publicly-available sources, including content about our Services that you make publicly available on third-party websites (e.g., social media platforms).  We or vendors assisting us may also receive information from geolocation data providers to help us understand aggregate visit patterns in restaurant markets of interest.    

Additionally, for certain features of the online Services, you may log in through your third-party social media account or share content from the online Services through third-party social media platforms.

We may combine information that we collect from and about you. When you submit information to a third party, you are subject to that third party’s terms of use and privacy policies, for which we are not responsible.

2.    USE OF INFORMATION

We may use personal information we obtain about you for the following purposes:

Business Purposes

• communicate with you regarding our restaurants and other Services;
• respond to your requests or inquiries;
• register you for accounts on the Services;
• process payment information for online food orders or online purchases through our merchandise or gift card store;
• process your fundraiser applications;
• provide you with search results for a restaurant, or, if you choose to provide it, your device’s precise geolocation, in order to provide you with information on nearby restaurants and to ensure you are on your way to the correct location when you have placed a digital order for pickup;
• maintain healthy and safe conditions in our restaurants;
• address legal matters;
• prevent, investigate, identify, stop, or take any other action with regard to suspected or actual fraudulent or illegal activity, claims or other liabilities, or any activity that violates our policies;

Commercial Purposes

• facilitate and personalize your user experience and improve the Services;
• conduct statistical analysis of the content, layout, and features of the Services for our marketing purposes;
• register you for our email and postal mailing lists or for promotions or offers conducted in connection with the Services;
• send marketing information to you, such as promotional offers or information about new product offerings, programs, or restaurant openings;
• advertise to you both on and off the Services, which may include tailoring ads to your interests and measuring the performance of our ad campaigns;
• make inferences about you or members of your household based on your device; or
• for any other purpose, with your consent where appropriate.

We may also use any of the personal information we collect to generate and use deidentified or aggregated information about our customers for commercial purposes.

3.    DISCLOSURE OF INFORMATION

Information Disclosed By You

When you post or comment on social media or interact with the Services this content may be visible to the public.  We or our vendors may analyze or share certain content that you post or make available, including by publicly posting on our online Services or other public online locations.  For example, we may repost content that you post about us on social media. We may also use any of the information you share for analytics or other business or commercial purposes.

Information Disclosed By Us

We may share your information with our affiliates, such as your name, address, phone number, email address, identifiers, date of birth, records of your orders and other transactions with us, credit/debit/gift card number and account information (including associated billing addresses and expiration date), information described in the Collection of information and Information Collected Automatically sections above (some of which is personal information, inferences, and other information you provide to us, including user-generated content and information provided via surveys, focus groups, and/or other marketing research efforts).

We may share, your personal information (including all the information listed in the preceding paragraph), the contents of your searches or forms you complete with service providers who assist us with offering the Services or as otherwise described in this Privacy Policy, such as delivery services, analytics providers, marketing and advertising services (including to provide you with targeted, personalized advertising), providers of payment services, providers of other support for our transactions (e.g., accounting services), providers of technical services (e.g., data storage and customer relationship management databases), and providers of outsourced customer service. We generally require our service providers to provide at least the same or equal protection of user data as stated in this Privacy Policy.  Some of our service providers (for example, those mentioned in the Information Collected Automatically section above) may view, edit, or set their own tracking technologies/cookies on our Services. Those service providers may use cookies that differ from those on the Website and App hosted and managed by us. This means that you may be presented with additional opportunities to opt out of targeted advertising and / or the “sale” or “sharing” of your personal information when navigating between pages on Chipotle’s webpages and applications.  When our service providers’ cookies run on our Services they may collect identifiers such as your IP address, Cookie ID, Device ID, and Pixel ID, network activity information such as HTTP header information, button click data, referring website activity, and location data, this may be limited by your cookie selections on the service provider hosted pages.

In the event of a business transaction, such as if we sell or transfer all or a portion of our business or assets (e.g., further to a merger, reorganization, liquidation, or any other business transaction, including negotiations of such transactions), we reserve the right to disclose any information we obtain through the Services. You acknowledge that such transfers may occur and are permitted by this Privacy Policy.  To the extent legally permitted, the acquiring party may use the information pursuant to their own privacy policy instead of this one.

We may also disclose personal information when required by subpoena, search warrant, other legal process, governmental request, in response to activities that are unlawful or a violation of Chipotle’s rules for use of the Services, or to protect and defend the rights or property of Chipotle or others.  This may involve the disclosure of personal information to law enforcement, other governmental entities, or other third parties, depending on the circumstances.

We may share your information for other purposes as disclosed at the time you provide your information or otherwise with your consent.

4.    RETENTION OF INFORMATION

We retain personal information to achieve the purposes for which the information was collected. In certain cases, we may need to retain personal information for purposes required under applicable law, for tax or audit purposes, or for other purposes permitted under law. In deciding how long to retain personal information that we collect, we consider many criteria, including, but not limited to the business purposes for which the personal information was collected; relevant federal, state and local recordkeeping laws; applicable statutes of limitations for claims to which the information may be relevant; and legal preservation of evidence obligations.

5.    SECURITY

We are committed to the protection of your personal information from unauthorized access or use. We will use reasonable organizational, physical, technical and administrative measures to protect personal information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with is no longer secure, please notify us by sending an email to privacy@chipotle.com.

6.     PRIVACY FOR THOSE UNDER THE AGE OF 18

The online Services are not intended for, and are not intentionally targeted to, children under 13, and we do not knowingly request or seek to collect personal information from any person under 13 years of age through the Services. If we learn that the online Services have received personal information directly from a child who is under the age of 13, we will delete the information in accordance with applicable law.

The account settings for individuals who indicate they are age 13-17 (“Minors”) will be set to high privacy selections by default. Minors will not receive marketing emails, text messages, push notifications, personalized marketing, personalized experience, or have their precise geolocation utilized/have their personal information sold or shared with non-service provider third parties unless they opt in/consent to these respective options. Once an individual turns 18, their account will automatically be enrolled in personalized experience and marketing.

7.     INTEREST-BASED ADVERTISING - YOUR CHOICES

Our Website may store or retrieve information on your browser, mostly in the form of cookies. A cookie is a small piece of data (text file) that a website – when visited by a user – places on the user’s device to remember information about the user, such as the user’s language preference or login information. This type of cookie is set by us and is referred to as a “first-party cookies.” Chipotle uses first-party cookies primarily to make the Website work as you expect it to. For example, we use the information we collect through first-party cookies to allow you to navigate between pages efficiently, analyze how well our Website is performing, and understand the content that you spent the most time reviewing. In some cases, we use first-party cookies to store information that we use for targeted advertising.

We also incorporate cookies and similar technologies, such as pixels, tags, and web beacons, from outside Chipotle’s domain (“third-party cookies”). Third-party cookies gather information to enable our vendors to provide a range of services to us, including targeted advertising and measuring the success of our advertising campaigns. 

Additionally, Chipotle engages service providers to host and manage certain pages of its website. These service providers may use cookies that differ from those on webpages hosted and managed by Chipotle. This means that you may be presented with additional opportunities to opt out of targeted advertising and / or the “sale” or “sharing” of your personal information when navigating between pages on Chipotle’s website or application.

Please review our Cookie Policy for a detailed list of the categories of first and third-party cookies we use on our Website and additional information related to your ability to control cookies on Webpages and Apps hosted and managed by us. You can prevent the collection of data by Non-Essential Targeting, Social Media, Analytics & Functional Cookies by clicking on “Your Privacy Choices ” in our Website footer and toggling off the related functionality. 

We honor the following universal opt out mechanism: Global Privacy Control supported by Take Control Of Your Privacy. To download and use a browser supporting the GPC browser signal, click here: https://globalprivacycontrol.org/orgs.

You may need to repeat the preference options described above from each device and browser that you use in connection with our Service, as well as in a particular browser or device if you clear cookies or reset the browser. 

To update certain personal information we have about you, or if you wish to change certain preferences (including location tracking and certain communication preferences, such as your receipt of push notifications), (1) log into your account on our Website or within your instance of our App and change your account settings (including location tracking) with the “Personal & Preferences” section, (2) change your device’s settings for our App, or (3) contact us as described at the end of this Privacy Policy.  For most mobile devices, you can disable the collection of geolocation information by turning off location services on your device. 

If you would like to be removed from the Chipotle mobile text program, text STOP to 888222 (US) to opt-out. After texting STOP to 888222 you will receive one additional message confirming that your request has been processed.

If you no longer want us to collect information through the App, please uninstall it.

8.  YOUR STATE PRIVACY RIGHTS AND ADDITIONAL DISCLOSURES

Depending on the state in which you reside, you may have certain privacy rights regarding your personal data as explained in the following sections. For example, California, Colorado, Connecticut, Delaware, and other states have passed privacy laws.

Collection, Use, and Disclosure of Personal Information

During the 12 months leading up to the effective date of this Privacy Policy, we have collected the following categories of personal information as described in more detail in Section 1, Collection of Information, of this Privacy Policy:  Identifiers/contact information, protected classifications such as your age range, marital status and other demographic information, commercial information, payment details, visual information, internet or other electronic network activity information, precise geolocation data, general geolocation data, other information you provide to us, including user-generated content and information provided via surveys, focus groups, and/or other marketing research efforts, sensory data such as recordings of customer care calls or CCTV footage, health, nutrition, fundraising and donations, and inferences based on the above categories.

We collect personal information directly from you and from advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers. We do not collect all categories of personal information from each source.

During that period, we made the following disclosures of personal information to affiliates, delivery services providers, marketing and advertising services providers, payment services providers, transactional support providers, technical services providers, and governmental entities for business purposes consistent with the purposes described in Section 2, Use of Information, above:  Identifiers/contact information, protected classifications such as your age range, marital status and other demographic information, commercial information, payment details, visual information, internet or other electronic network activity information, geolocation information, and inferences based on the above categories.

During the 12 months leading up to the effective date of this Privacy Policy, we “sold” or “shared” (as these terms are defined under California law) commercial information (transaction data), and internet or other network or device activity (like a record of a browser’s visit to our Website) for marketing and advertising purposes to advertising providers, analytics companies, and social media networks. 

Chipotle permits individuals 13 years of age and older to join our Rewards program. Our Rewards Terms state, “If you are between the ages of 13 and 18, you may participate in Chipotle Rewards only with the permission and under the supervision of a parent or legal guardian who agrees to be bound by these Chipotle Rewards Terms.”

Consumer Rights

You may request that we:

• Inform you about the categories of personal information we collect or disclose about you; the categories of sources of such information; the business or commercial purpose for collecting, selling or sharing your personal information; and the categories of third parties with whom we share/disclose personal information.
• Confirm whether we are processing your personal information and provide access to and/or a copy of certain personal information we hold about you.
• Obtain, our choice of either, a list of specific third parties, other than natural persons, to which we have disclosed your personal information or any personal information.
• Delete certain personal information we have about you. Note that there are some reasons we will not be able to fully address your request, such as if we need to complete a transaction for you, for our internal purposes, or to comply with a legal obligation.
• Correct certain personal information we have about you.

If you would like to exercise your right to know, access, delete or correct your personal information you may submit your request by completing our Data Request Form. Alternatively, you submit your data subject request by phone at 833-506-0473. In accordance with applicable law, there may be circumstances that prevent us from honoring all or a portion of your rights request. In those instances, you may appeal our decision through the notification you receive from us indicating our processing and closure of your rights request. 

We will take reasonable steps verify your identity before responding to your request, which may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, verifying your name, email address, and other information regarding your use of the Services (e.g., date of last purchase or last 4 digits of a payment/gift card).  

Opt Out Targeted Advertising or the “Sale” or “Sharing” of Personal Information

You may direct us not to “sell” or “share” certain personal information or use your personal information for targeted advertising as these terms are defined in state privacy laws.  You can exercise these rights by:

·       Clicking on “Your Privacy Choices ” in our Website footer and either toggling off Non Essential Targeting, Social Media, Analytics, & Functional Cookies or clicking “Reject All” and then clicking “Save choices.”  Completing this step will opt out you out of targeted advertising or the “sale” or “sharing” facilitated through web-initiated device tracking.   

·       Selecting “Opt-Out of Sale, Sharing, or Targeted Advertising” when you complete and submit a Data Request Form. Completing this step will opt out you out of targeted advertising or the “sale” or “sharing” of your personal information directly with third parties; or

·        Contacting us by phone at 833-506-0473 to make a general request.

Your choices do not apply to services hosted and managed by our service providers. Those service providers will present you with their own cookie consent options for the services they provide.

Note that Chipotle limits how some of our advertising partners use your personal information after you opt out of sale, sharing, or targeted advertising. These partners may continue to collect your personal information, including by using cookies and similar technologies on our Websites, but we prohibit them from using your information in a way that conflicts with your opt-out choice.

Requests Made by Agents

If you are an agent making a request on behalf of a consumer, we reserve the right to take steps to verify that you are authorized to make that request, which may include requiring you to provide us with written proof, such as a power of attorney. As part of the process, we may additionally require the consumer to verify their identity directly with us. For security and legal reasons, Chipotle will reject requests that require us to access third-party websites or services.

Privacy Metrics

Below is the status of privacy requests for the previous year, detailing the number of requests to know, access, delete and requests to opt out of sale and sharing that we received, complied with, and denied as well as the mean number of days within which we responded to each privacy request.

REQUEST TYPE	CY (FOR 12 MONTHS STARTING ON OR AFTER April 1, 2022)	NUMBER OF REQUESTS RECEIVED	REQUEST FULFILLED	REQUEST REJECTED	TOTAL
Delete My Personal Information	CY2023	5575	1974	3601	5575
	CY2024	3599	1979	1628	3599
Right to Know	CY2023	61	50	11	61
	CY2024	11	11	0	11
Right to Access	CY2023	54	1	53	54
	CY2024	31	0	31	31
Right to Correct	CY2023	1	1	0	1
	CY2024	4	2	2	4
Do Not Sell or Share My Personal Information	CY2023	905	417	418	905
	CY2024	5361	5361	0	5361
Total		15,602	10,273	5,337	15,602

REQUEST TYPE	AVERAGE - REQUEST COMPLETE IN DAYS	MEDIAN - REQUEST COMPLETE IN DAYS
Delete My Personal Information	19	15
Right to Know	23	25
Right to Access	20	21
Right to Correct	N/A	N/A
Do Not Sell or Share My Personal information	11	4
Request Complete in days = Date Request opened – Date Request closed

 

Nondiscrimination

We will not discriminate against you for exercising your privacy rights.

Notice of Financial Incentives

The Chipotle Rewards Program lets participants earn or otherwise receive rewards (e.g., free entrees) and discounts, in return for registering and/or making purchases, including:

• Spend-based incentives, where you earn credit based upon spend levels
• Discounts and free products offered for frequent visitors 
• Periodic promotional discounts and offers

You can sign up for the Rewards Program by registering on our Website, iframe, or through the App. Registration requires you to provide your first name, last name, email address (required in order to receive all eligible Chipotle Rewards), delivery address, password used to create the account, telephone number, marketing preferences, device settings, country, and you may also elect to provide other information, payment card or gift card information, accessibility preferences for pick up orders, and nutrition preferences. We will then associate that and other categories of personal information with your Rewards Program account, such as other unique identifiers, purchase history, geolocation data, preferences you provide (e.g., favorite Chipotle restaurants), and stored payment methods.  Note that we also may collect all of this information outside the context of the Rewards Program.

Full terms for the Rewards Program are available here.

You may withdraw from the Rewards Program at any time and forfeit any ongoing incentives through your online or App account or by contacting us using the contact information below. Please also note that if you submit a request to delete your personal information, this will also automatically withdraw you from the Rewards Program and will result in the forfeiture of your incentives, including your Rewards points that you may have accumulated. Requesting the deletion of your personal information results in the deletion of your Rewards account and accumulated incentives because we require your personal data (e.g., your name, email address, and log-in information) to be able to associate you to your account. You may elect to rejoin the Rewards program at any time, at which time we will once again begin collecting your personal information.

The value of Personal Information we collect is reasonably related to our expenses related to offering the Rewards Program. While we do not and cannot assign a monetary value to the personal information we collect through the Rewards Program, we do benefit financially from the Rewards Program. For example, although we may lose immediate revenue when a member uses a discount, the positive experience may lead to an overall increase in visits to our restaurants.

Calculating the actual value that Chipotle generates from those efforts (whether in aggregate or by individual) or a monetary value of the personal information involved is impossible. There are many reasons for this:

·      First, the information is of no monetary value by itself, as Chipotle achieves personal information-related benefits only when the information is used in combination with, and in the context of, other aspects of our business such as (1) high-quality marketing efforts, (2) the compelling financial components of our Rewards Program that do not require use of the personal information, such as the ability to earn discounts and rewards, (3) the high quality of our food and service, and (4) the proximity of our restaurants to Rewards Program members. 

·      Second, we cannot precisely determine the motivating factors of any specific purchase, or the relative weights of each factor.  Even if somebody redeems a coupon we sent to the contact information they supplied during Rewards Program registration, we cannot determine whether they would have made the same purchase on the same day even without the coupon.  In a lot of households, Tuesday is taco Tuesday – coupon or not.

·      Third, the level of engagement with our uses of personal information varies among Rewards Program members. For example: (i) some members may have elected to receive all of our marketing content, while others have limited the type or amount of marketing materials we send them, or (ii) some live next door to one of our restaurants, while others are out of delivery range.

·      Fourth, the dining habits of our Rewards Program members appear to vary significantly.

·      Fifth, not all members link their purchases to their Rewards Program membership, so we cannot identify all purchases by Rewards Program members, let alone which ones were influenced by their participation in the program.

For these reasons, we estimate that the value of the personal information collected for the Rewards Program would be less than the value the individual receives from their participation in the Reward Program. 

California “Shine the Light” Rights

Subject to certain limitations under California’s Shine the Light law, California residents may contact us as described at the end of this Privacy Policy to request a list of third parties to whom we disclosed certain personal information for those third parties’ direct marketing purposes during the preceding year. The information we will provide will describe our general practices in the prior calendar year and will not be specific to you. 

Your request should indicate that you are a California resident, and you must provide your full current California address, to which we will send our response. Your inquiry must specify “Shine the Light Request” in the subject line of the email or the first line of the letter, and include your California address. We are only required to respond to one such request per individual each year.  We may take reasonable steps to verify your identity and the authenticity of the request.

Oregon Residents

We are registered with the Oregon Secretary of State under the following business names: Chipotle Mexican Grill, Chipotle Mexican Grill of Colorado, LLC, Chipotle Mexican Grill Service Co., LLC, Chipotle Mexican Grill, Inc., Chipotle Services, LLC.

9.    LINKS TO THIRD PARTY WEBSITES AND SERVICES

The Services may offer links to third party websites and other services that are not maintained by Chipotle. By visiting one of these linked websites or services, you are subject to their privacy and other policies. We are not responsible for, or able to monitor or control, the policies and practices of other companies.

10. CHANGES TO CHIPOTLE’S PRIVACY POLICY

From time to time, Chipotle may change this Privacy Policy. Changes will be indicated by the “Last Updated” date at the top of this page.

11. CONTACT US

For questions or concerns about this Privacy Policy or our privacy practices, you may contact our Privacy Team at privacy@chipotle.com or via postal mail at:

Attn: Privacy Officer
Chipotle Mexican Grill, Inc.
610 Newport Center Dr.
Newport Beach, CA 92660