This Privacy Policy describes how Chipotle Mexican Grill, Inc. and its subsidiaries and affiliates in the United States (“Chipotle”, “we”, “our”, “us”) may collect, use, and disclose personal information of visitors who access or interact with our mobile application (“App”) or our websites (“Websites”) that link to this Privacy Policy, as well as other personal information about our customers. The App, those Websites, our restaurants, and our related service offerings are referred to in this Privacy Policy as our “Services.” Please note, this Privacy Policy is applicable to consumers in the United States (US) and that we maintain separate privacy policies for our US employees and job applicants and for customers, employees, and job applicants in the European Union, United Kingdom, and Canada. This Privacy Policy also does not apply to our former employees and their family members, dependents, and beneficiaries; if you are a California resident who is a current or former employee of Chipotle or a family member, dependent, or beneficiary of any of our current or former employees, you may request access to our Employee Privacy Policy by sending an email to privacy@chipotle.com.
California Notice at Collection
We collect personal information identified below under “Collection of Information” for business purposes and commercial purposes listed below under “Use of Information.” To learn more, including how you can opt-out of the sale or sharing of your personal information, please see the “Your Privacy Rights” section below.
This Privacy Policy includes the following sections:
For the purposes of this policy, “personal information” means any information about an identifiable individual including, without limitation, your name, address, telephone number, and email address. We collect and use your personal information when you:
· Visit one of our restaurants
· Order through our Website or App
· Participate in our Chipotle Community Fundraising Program
· Sign-up to receive our marketing communications
· Enter a contest or participate in a promotion
· Participate in our Chipotle Rewards program
· Apply for a job with us
· Contact Us with a comment, question or complaint
· Use the Find a Location feature on our Website or App
· Restaurant Purchases: You do not have to provide us with any personal information when you pay using cash at one of our restaurants. If you use a credit or debit card, we collect your debit or credit card-related information and your signature to process and administer your payment. We may also use video surveillance (e.g. CCTV) in our restaurants for loss prevention, safety, and security purposes. If you order catering through a local restaurant, we also collect the delivery address.
· Ordering Online: If you place an order through our Website or App, you will be asked to provide your first and last name, email address, phone number, payment card information, and, optionally accessibility and nutrition preference for pick-up orders. If you place an order for delivery, you will be asked for the physical address you would like the order delivered to. If you choose to create a Chipotle Rewards account to save your favorites, order faster and place group orders, we will collect all of the foregoing elements and the data elements identified in the Chipotle Rewards paragraph below. If you place a Group Order, we will collect the name of each participant in the Group Order in order to correctly match the names of the Group Order participants with the items that they have ordered. We may also offer you the ability to order through a third-party food delivery service, in which case we obtain your information from the third party in order to fulfil your order. If you purchase an e-gift card for a friend or family member, we collect the name and email address for the recipient in order to deliver an email containing your e-gift card on your behalf. We do not use the recipient’s information for any other purpose.
· Chipotle Rewards: If you join our Chipotle Rewards program, we will collect your first name, last name, email address (required in order to receive all eligible Chipotle Rewards), delivery address, password used to create the account, telephone number, and marketing preferences, device settings country, and you may also elect to provide other information, including your birthday (month / day only), payment card or gift card information, accessibility preferences for pick up orders, and nutrition preferences. We collect this information to establish and administer your Chipotle Rewards account, including to create and send you a digital Chipotle Rewards card, create an ID number, scannable code or other unique identifier to associate you with your Chipotle Rewards account, to award points to you on qualifying purchases and to enable you to redeem points. We will then associate that and other categories of personal information with your Rewards Program account, such as other unique identifiers, purchase history, general geolocation data, preferences you provide (e.g., favorite Chipotle restaurants), and stored payment methods. Note that we also may collect all of this information outside the context of the Rewards Program. We may also use this information to send non-personalized advertising, retargeted advertisements and personalized advertising and marketing offers and other special offers available only to members of the Chipotle Rewards program.
· The Chipotle Community Fundraising Program: We collect personal information if you choose to participate in our Chipotle Community Fundraising Program, which allows organizations to apply to raise money for a particular fundraiser. You may apply for the Chipotle Community Fundraising Program by filling out an application on our Website. If you apply to participate, we will collect the name of the individual applying and their address, email, phone number, and information on behalf of the Organization that will benefit from the fundraiser (e.g. Organization Name, Address, EIN).
· Round Up: Customers are offered the opportunity to round up their purchase to the nearest dollar and have Chipotle donate the excess amount to the chosen fundraiser.
· Push Notifications: If you sign-up to receive push notifications, we will send push notifications to your mobile device, which may include, depending on your elections, SMS text messages or emails.
· Contests, Promotions, Surveys, Focus Groups, or other Market Research: If you enter a contest or participate in a promotion, we may collect your name, address, email address, phone number, and any additional information or content required for the contest or promotion (such as information you post on social media). We use this information to administer your participation in the contest or promotion, including prize fulfillment. As part of a contest or promotion, we may obtain your consent to share or otherwise publish the content you submit. You may provide these same data elements to us when you participate in surveys, focus groups, or market research, and you may also share additional information generated by your participation in the surveys, focus groups, and/or other marketing research efforts.
· Contact Us: When you contact us with a comment, question or complaint, you may be asked for information that identifies you, such as your name, address and a telephone number, along with additional information we need to help us promptly answer your question or respond to your comment. We may retain this information to assist you in the future and to improve our customer service and service offerings.
· Find a Location: If you search for a restaurant on our Website or in the App, we collect your postal code or city and province, or, if you choose to provide it, your device’s precise geolocation, in order to provide you with information on nearby restaurants. When you give the App permission to collect your precise geolocation, the App may use your mobile device’s location services to collect real-time information about the location of your device (using both GPS and other methods) to provide requested location services and ensure your orders are placed at the correct location. Chipotle does not retain, store, or use your precise geo-location (e.g. for any purpose beyond what is identified in this section, however Chipotle does retain general location data such as your zip code, city, state, and country and this general location data may be used to identify an audience for targeted advertising).
Information Collected Automatically
We may collect certain information about you automatically when you visit or use our online Services, or when you interact with emails, advertisements, or other electronic messages we send to you through the Services. This information may include your IP address, device characteristics (including device identifiers), web browser characteristics, unique identifiers and other data stored in cookies, operating system details, language preference, referring URLs, length of visits, pages viewed, and other information that may be automatically accessible to us from your browser or device.
We and our vendors may automatically collect this information using various tools and technologies such as cookies, web server logs, tags, SDKs, pixels, local storage, JavaScript, APIs, session replay/screen capture (i.e., how you use and navigate the services, but not your keystroke data), and other similar technologies. Additional information on other technologies we may use is set forth below in the section titled: Interest-Based Advertising - Your Choices
We may also use certain third-party web and mobile app analytics services – including but not limited to Google Analytics, Adobe Analytics, Branch Analytics, and Facebook Custom Audiences – to help us understand and analyze how visitors use the online Services (including session replay) and serve ads on our behalf across the Internet and in different channels (including on the web, in mobile apps, on out-of-home digital surfaces, and in connected TV apps. We’ve implemented Google Analytics Advertising features such as remarketing with analytics, interest-based advertising, demographics and interests reporting, user segment analysis, look-alike modeling and impression reporting. We and third-party vendors may use first-party cookies or other first-party identifiers as well as third-party cookies or other third-party identifiers to provide Chipotle with insight into behavior information relating to inferred visitor age range (e.g., GenZ, Millenial, GenX, etc.), your interests, and to deliver advertisements to you, create a profile of you, measure your interests, detect your demographics, detect your location, personalize content, and detect and associate online and offline behaviors such as site visitation, dwell time and actions taken. For more information on how the Google Marketing Platform uses the data collected through the online Services, visit: www.google.com/policies/privacy/partners/.
In addition to the automatic collection mechanisms listed above, we may also:
· As an advertising publisher, use tags in connection with the Nielsen Digital Ad Ratings Service for Google Ad Manager;
· Through tracking technologies, receive and use Foursquare service user data, including search terms, what pages you view, your access times, the time you spend on each page, the IP address used to access the pages, and other user data (see Foursquare Privacy Policy); and
· Use Microsoft’s Bing Universal Event Tracking (UET) feature, in which case Microsoft collects your personal information (see Microsoft Privacy Statement).
Depending on your personal device and App permission settings, when using the App, we may collect or have access to your:
Some of the technology described above is used by us or our partners to correlate information collected about you over time and across websites or online services.
Please review Section 7, Interest-Based Advertising - Your Choices, for additional information about how you can manage the use of these technologies.
Information Collected From Third Parties
Our vendors (who may include data brokers) and other third parties may share with us your personal information. For example, if you order food or catering, order gift cards, make a purchase for merchandise, make a payment, or provide feedback on your experiences, you may submit personal information to one or more third parties that may share your information with us.
In some circumstances, we also may collect information about you from publicly-available sources, including content about our Services that you make publicly available on third-party websites (e.g., social media platforms). We or vendors assisting us may also receive information from geolocation data providers to help us understand aggregate visit patterns in restaurant markets of interest, but these providers get the location data from sources other than our own App and Websites.
Additionally, for certain features of the online Services, you may log in through your third-party social media account or share content from the online Services through third-party social media platforms.
We may combine information that we collect from and about you. When you submit information to a third party, you are subject to that third party’s terms of use and privacy policies, for which we are not responsible.
We may use personal information we obtain about you for the following purposes:
Business Purposes
Commercial Purposes
We may also use any of the personal information we collect to generate and use anonymous or de-identified information about our customers for commercial purposes.
Information Shared By You
When you interact with the Services, including posting on social media, this content may be visible to the public. We may share certain content that you post or make available, including by publicly posting on our online Services or other public online locations. For example, we may repost content that you post about us on social media.
Information Shared By Us
We may share your information with our affiliates, such as your name, address, phone number, email address, identifiers, date of birth (month and day only, if you elected to provide us with this information), records of your orders and other transactions with us, credit/debit/gift card number and account information (including associated billing addresses and expiration date), information described in the Collection of information and Information Collected Automatically sections above (some of which is personal information, inferences, and other information you provide to us, including user-generated content and information provided via surveys, focus groups, and/or other marketing research efforts.
We may share your personal information (including all the information listed in the preceding paragraph) with vendors who assist us with offering the Services or as otherwise described in this Privacy Policy, such as delivery services, analytics providers, marketing and advertising services (including to provide you with targeted, personalized advertising), providers of payment services, providers of other support for our transactions (e.g., accounting services), providers of technical services (e.g., data storage and customer relationship management databases). We generally require our vendors to provide at least the same or equal protection of user data as stated in this Privacy Policy. Some of our vendors (for example, those mentioned in the Information Collected Automatically section above) may view, edit, or set their own tracking technologies/cookies on our Services.
In the event of a business transaction, such as if we sell or transfer all or a portion of our business or assets (e.g., further to a merger, reorganization, liquidation, or any other business transaction, including negotiations of such transactions), we reserve the right to disclose any information we obtain through the Services. You acknowledge that such transfers may occur and are permitted by this Privacy Policy. To the extent legally permitted, the acquiring party may use the information pursuant to their own privacy policy instead of this one.
We may also disclose personal information when required by subpoena, search warrant, or other legal processes, governmental request, or in response to activities that are unlawful or a violation of Chipotle’s rules for use of the Services, or to protect and defend the rights or property of Chipotle or others. This may involve the disclosure of personal information to law enforcement, other governmental entities, or other third parties, depending on the circumstances.
We may share your information for other purposes as disclosed at the time you provide your information or otherwise with your consent.
We retain personal information to achieve the purposes for which the information was collected. In certain cases, we may need to retain personal information for purposes required under applicable law, for tax or audit purposes, or for other purposes permitted under law.
We are committed to the protection of your personal information from unauthorized access or use. We will use reasonable organizational, physical, technical and administrative measures to protect personal information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with is no longer secure, please notify us by sending an email to privacy@chipotle.com.
The online Services are not intended for, and are not intentionally targeted to, children under 13, and we do not knowingly request or collect personal information from any person under 13 years of age through the Services. If we learn that the online Services have received personal information directly from a child who is under the age of 13, we will delete the information in accordance with applicable law.
7. INTEREST-BASED ADVERTISING - YOUR CHOICES
When you visit any web site, including our Website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information gathered through cookies can give you a more personalized web experience. For example cookies allow you to navigate between pages efficiently, letting us analyze how well our website is performing, and educates us on the content that you found most helpful based on the amount of time you spent reviewing that content. A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting.
Many web browsers are set to accept cookies by default, but you can set your browser to notify you before accepting a cookie, or to delete or refuse cookies. You can control and manage cookies associated with your browser. If you are interested controlling and managing cookies from your browser including any set by our website, please refer to http://www.allaboutcookies.org/manage-cookies/index.html for information on different ways to configure your browser’s cookie settings.
If you want to clear all cookies left behind by the websites you have visited, here are links where you can download three third party programs that clean out tracking cookies:
· http://www.lavasoftusa.com/products/ad-aware_se_personal.php
· http://www.spybot.info/en/download/index.html
· http://www.webroot.com/consumer/products/spysweeper/
Many advertising companies that collect information for interest-based advertising are members of the Digital Advertising Alliance (DAA) or the Network Advertising Initiative (NAI), both of which maintain websites where people can opt out of interest-based advertising from their members. To opt-out of website interest-based advertising provided by each organization’s respective participating companies, visit the DAA’s opt-out portal available at http://optout.aboutads.info/, or visit the NAI’s opt-out portal available at http://optout.networkadvertising.org/?c=1.
To opt-out of data collection for interest-based advertising across mobile applications by participating companies, download the DAA’s AppChoices mobile application opt-out offering here: https://youradchoices.com/appchoices.
Our Website and App use third party cookies from Google Analytics for demographics and interest reporting. This feature gives us insight into behavior information relating to visitor general age range, gender and interests on an anonymous and aggregate level. This will help us to understand browsing behavior to give you a better experience while visiting our Website or App. You can opt-out of Google Analytics for Display Advertising and customize Google Display Network ads using the Ads Settings Feature on Google. By clicking Ads Settings, you will be taken out of chipotle.com to a page on Google where you can control the information Google uses to show you ads. In addition, you can use Google Analytics Opt-Out Browser Add-on to disable tracking by Google Analytics.
Our Website and App also use Adobe Analytics to collect a hashed user ID when you sign into the Website or App. This user ID is stored in encrypted form and cannot be linked to you. We use this hashed user ID to track our users’ demographic information (such as the user’s general age range and gender) and their behavior while using the Website or App, such as how they interact with the Website/App, the time spent using the Website/App and when they click on the URL for the Website or open the App.
To update certain personal information we have about you, or if you wish to change certain preferences (including certain communication preferences), (1) log into your account on our Website or within your instance of our App and change your account settings (including location tracking) with the “Personal & Preferences” section, (2) change your device’s settings for our App, or (3) contact us as described at the end of this Privacy Policy. If you no longer want us to collect information through the App, please uninstall it.
Many web browsers are set to accept cookies by default, but you also may be able to set your browser to notify you before you receive a cookie, or to remove or reject cookies. Disabling all cookies completely may affect the availability and functionality of our online Services and Websites. If you would like to delete cookies or change the settings on your web browser to delete or refuse cookies, please visit the Help pages of your web browser such as those listed below. At this time we are not able to honor all do-not-track signals, however in certain instances we honor the Global Privacy Control supported by Take Control Of Your Privacy.
You should repeat the preference options described above from each device and browser that you use in connection with our Service, and repeat them again in a particular browser or device if you clear cookies or reset the browser.
Certain state residents have additional rights and choices, as described in the next section.
The following section provides detailed information applicable to California residents under the California Consumer Privacy Act (CCPA).
Collection, Use, and Disclosure of California Personal Information
During the 12 months leading up to the effective date of this Privacy Policy, we have collected the following categories of Personal Information as described in more detail in Section 1, Collection of Information, of this Privacy Policy: Identifiers/contact information, categories of protected classifications under federal and California law, commercial information, payment details, professional or employment-related information, visual information, internet or other electronic network activity information, geolocation information, and inferences based on the above categories.
During that period, we made the following disclosures of personal information to affiliates, delivery services providers, marketing and advertising services providers, payment services providers, transactional support providers, technical services providers, and governmental entities for business purposes consistent with the purposes described in Section 2, Use of Information, above: Identifiers/contact information, categories of protected classifications under federal and California law, commercial information, payment details, professional or employment-related information, visual information, internet or other electronic network activity information, geolocation information, and inferences based on the above categories.
During the 12 months leading up to the effective date of this Privacy Policy, we “sold” or “shared” (as these terms are defined under the CCPA) commercial information (transaction data), payment card information, and internet or other network or device activity (like a record of a browser’s visit to our website) for marketing and advertising purposes to advertising providers, analytics companies, and social media networks. We do not “sell” or “share”: (i) Personal Information if we have actual knowledge that the consumer is less than 16 years of age, or (ii) Sensitive Personal Information.
Your CCPA Information & Deletion Rights
The CCPA allows you to request that we:
If you would like to exercise any of these rights, you may submit your request by completing our Data Request Form or contacting us by phone at 833-506-0473.
We will take reasonable steps verify your identity before responding to your request, which may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, verifying your name, email address, and other information regarding your use of the Services (e.g., date of last purchase or last 4 digits of a payment/gift card).
Your CCPA Right to Opt Out of “Sale” or “Sharing” of Personal Information
Californians have a right to direct us not to “sell” or “share” certain personal information as these terms are defined in the CCPA. You can exercise these rights by either:
1. Following the instructions on our Do Not Sell or Share Request Form
2. OR contacting us by phone at 833-506-0473 to make a general request.
Requests Made by Agents
If you are an agent making a request on behalf of a consumer, we reserve the right to take steps to verify that you are authorized to make that request, which may include requiring you to provide us with written proof such as a notarized authentication letter or a power of attorney, as stipulated in applicable state law. As part of the process, we may additionally require the customer to verify their identity directly with us. For security and legal reasons, Chipotle will reject requests that require us to access third-party websites or services.
Your Virginia Consumer Data Protection Act (VCDPA) Information & Deletion Rights
The VCDPA allows you to request us to:
If you would like to exercise any of these rights, or to submit an appeal of any decision with regard to your privacy rights, you may submit your request by completing our Data Request Form or contacting us by phone at 833-506-0473.
If you are a Virginia resident, under the VCDPA, you have a Right to opt-out of sale of personal data, targeted advertising, and profiling.
Virginian’s have a right to direct us not to “sell” certain personal information about you and not to process your personal data for targeted advertising as those terms are defined in under the VCDPA. You can exercise that right by performing either of the following steps:
1. Follow the instructions on our Do Not Sell Request Form
2. OR contact us by phone at 833-506-0473 to make a general opt-out of sale of personal data and/or targeted advertising request. We may take reasonable steps to verify the validity of your request.
Nondiscrimination
We will not discriminate against you for exercising your privacy rights.
Notice of Financial Incentives
The Chipotle Rewards Program lets participants earn or otherwise receive rewards (e.g., free entrees) and discounts, in return for registering and/or making purchases, including:
You can sign up for the Rewards Program by registering on our website, iframe, or through the App. Registration requires you to provide your first name, last name, email address (required in order to receive all eligible Chipotle Rewards), delivery address, password used to create the account, telephone number, and marketing preferences, device settings country, and you may also elect to provide other information, including your birthday (month / day only), payment card or gift card information, accessibility preferences for pick up orders, and nutrition preferences. We will then associate that and other categories of personal information with your Rewards Program account, such as other unique identifiers, purchase history, geolocation data, preferences you provide (e.g., favorite Chipotle restaurants), and stored payment methods. Note that we also may collect all of this information outside the context of the Rewards Program.
Full terms for the Rewards Program are available here.
You may withdraw from the Rewards Program at any time and forfeit any ongoing incentives by contacting us using the contact information below.
The value of Personal Information we collect is reasonably related to our expenses related to offering the Rewards Program. While we do not and cannot assign a monetary value to the personal information we collect through the Rewards Program, we do benefit financially from the Rewards Program. For example, although we may lose immediate revenue when a member uses a discount, the positive experience may lead to an overall increase in visits to our restaurants.
Calculating the actual value that Chipotle generates from those efforts (whether in aggregate or by individual) or a monetary value of the personal information involved is impossible. There are many reasons for this:
· First, the information is of no monetary value by itself, as Chipotle achieves personal information-related benefits only when the information is used in combination with, and in the context of, other aspects of our business such as (1) high-quality marketing efforts, (2) the compelling financial components of our Rewards Program that do not require use of the personal information, such as the ability to earn discounts and rewards, (3) the high quality of our food and service, and (4) the proximity of our restaurants to Rewards Program members.
· Second, we can’t precisely determine the motivating factors of any specific purchase, or the relative weights of each factor. Even if somebody redeems a coupon we sent to the contact information they supplied during Rewards Program registration, we can’t determine whether they would have made the same purchase on the same day even without the coupon. In a lot of households, Tuesday is taco Tuesday – coupon or not.
· Third, the level of engagement with our uses of personal information varies among Rewards Program members. For example, some members may read a lot of our marketing content, while others have unsubscribed and never see any. Some live next door to one of our restaurants, while others are out of delivery range.
· Fourth, the dining habits of our Rewards Program members appear to vary significantly.
· Fifth, not all members link their purchases to their Rewards Program membership, so we can’t identify all purchases by Rewards Program members, let alone which ones were influenced by their participation in the program.
For these reasons, we estimate that the value of the personal information collected for the Rewards Program would be less than the value the individual receives from their participation in the Reward Program.
Other California Law
Subject to certain limitations under California’s Shine the Light law, residents of the State of California may contact us as described at the end of this Privacy Policy to request a list of third parties to whom we disclosed certain personal information for those third parties’ direct marketing purposes during the preceding year. The information we will provide will describe our general practices in the prior calendar year and will not be specific to you.
Your request should indicate that you are a California resident, and you must provide your full current California address, to which we will send our response. Your inquiry must specify “Shine the Light Request” in the subject line of the email or the first line of the letter, and include your California address. We are only required to respond to one such request per individual each year. We may take reasonable steps to verify your identity and the authenticity of the request.
9. LINKS TO OTHER WEBSITES AND SERVICES
The Services may offer links to websites and other services that are not maintained by Chipotle. By visiting one of these linked websites or services, you are subject to their privacy and other policies. We are not responsible for, or able to monitor or control, the policies and practices of other companies.
10. CHANGES TO CHIPOTLE’S PRIVACY POLICY
From time to time, Chipotle may change this Privacy Policy. Changes will be indicated by the “Last Updated” date at the top of this page.
For questions or concerns about this Privacy Policy or our privacy practices, you may contact our Privacy Team at privacy@chipotle.com or via postal mail at:
Attn: Privacy Officer
Chipotle Mexican Grill, Inc.
610 Newport Center Dr.
Newport Beach, CA 92660