This Privacy Policy describes how Chipotle Mexican Grill, Inc. and its subsidiaries and affiliates in the United States (“Chipotle”, “we”, “our”, “us”) may collect, use, and disclose personal information of visitors who access or interact with our mobile application (“App”) or our websites (“Websites”) that link to this Privacy Policy, as well as other personal information about our customers. The App, those Websites, our restaurants, and our related service offerings are referred to in this Privacy Policy as our “Services.” Please note, this Privacy Policy is applicable to consumers in the United States (US) and that we maintain separate privacy policies for our US employees and job applicants and for customers, employees, and job applicants in the European Union, United Kingdom, and Canada. This Privacy Policy also does not apply to our former employees and their family members, dependents, and beneficiaries; if you are a California resident who is a current or former employee of Chipotle or a family member, dependent, or beneficiary of any of our current or former employees, you may request access to our Employee Privacy Policy by sending an email to privacy@chipotle.com.
Notice at Collection
We collect personal information as detailed below and in our Privacy Policy. To learn more, including how you can opt-out of the sale or sharing of your personal information, please see the “Your State Privacy Rights and Additional Disclosures” section below.
Category of personal information |
Purpose for collection and Processing (Including Business and Commercial Purposes) |
Categories of Recipients |
Use for “Sell”, “Share”, or Targeted Advertising (yes/no): |
Identifiers such as names, addresses, phone numbers, and email addresses |
To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To communicate with you For research purposes To design and develop new product and service offerings To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes |
Analytics companies
Data Brokers
Third Party Advertiser Government Agencies (if necessary to meet legal obligations)
Payment Processors
Vendors providing services to us |
Yes
No
Yes
No
No
Yes
|
Commercial information, such as records of your orders and other transactions with us |
To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To communicate with you For research purposes To design and develop new product and service offerings To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes To fulfill or meet the request |
Analytics companies
Data Brokers
Third Party Advertisers
Government Agencies (if necessary to meet legal obligations)
Payment Processors
Vendors providing services to us |
Yes
No
Yes
No
No
No
|
Precise Geolocation Data (this is sensitive personal information) |
To provide you with products and services reasonably expected (e.g., to provide you with the nearest restaurant location, location nudges, and to have your order ready when you arrive) |
Vendors providing services to us |
No |
General Geolocation Data |
To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To communicate with you For research purposes To design and develop new product and service offerings To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes |
Analytics companies
Data Brokers
Third Party Advertisers
Government Agencies (if necessary to meet legal obligations)
Payment Processors
Vendors providing services to us |
Yes
No
Yes
No
No
No
|
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interactions with websites, applications, or advertisements, and other information described in the Information Collected Automatically section of our Privacy Policy |
To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To communicate with you For research purposes To design and develop new product and service offerings To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes
|
Analytics companies
Data Brokers
Third Party Advertisers
Government Agencies (if necessary to meet legal obligations)
Vendors providing services to us |
Yes
No
Yes
No
Yes
|
Other information you provide to us, including user-generated content and information provided via contests, giveaways, and / or promotions, |
To operate our businesses To conduct business analytics For safety and security purposes To design and develop new product and service offerings To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes To fulfill or meet the request |
Analytics companies
Data Brokers
Third Party Advertisers
Government Agencies (if necessary to meet legal obligations)
Vendors providing services to us |
Yes
No
Yes
No
No
|
Sensory data such as recordings of customer care calls or CCTV footage |
To operate our businesses To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes To fulfill or meet the request |
Government Agencies (if necessary to meet legal obligations)
Vendors providing services to us |
Yes
No |
Inferences from personal information collected such as a profile about a consumer reflecting the consumer’s preferences, characteristics, and interests |
To provide you with products and services To operate our businesses To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To conduct business analytics For research purposes To design and develop new product and service offerings For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes |
Analytics companies
Data Brokers
Third Party Advertisers
Government Agencies (if necessary to meet legal obligations)
Vendors providing services to us |
Yes
No
Yes
Yes
No
|
Health (i.e. whether you want your order placed on an ADA accessible shelf) |
To provide you with products and services To improve our customer service and other internal business purposes To fulfill or meet the request To fulfill our legal obligations and other notified purposes |
Vendors providing services to us |
No |
Nutrition Preferences (i.e. whether you are avoiding dairy, soy, or gluten, or if you are interested in options that are vegan or keto) |
To provide you with products and services To design and develop new product and service offerings To improve our customer service and other internal business purposes To conduct marketing, personalization, and advertising, including interest based advertising and cross-context advertising To conduct business analytics To fulfill or meet the request To fulfill our legal obligations and other notified purposes |
Analytics companies
Data Brokers
Third Party Advertisers
Government Agencies (if necessary to meet legal obligations)
Vendors providing services to us |
Yes
No
Yes
No
No
|
Fundraising and Donations |
To provide you with products and services To operate our businesses To communicate with you To conduct business analytics For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes To fulfill or meet the request |
Government Agencies (if necessary to meet legal obligations)
Vendors providing services to us |
No
No
|
Contests, Promotions, Surveys, Focus Groups, or other Market Research |
To operate our businesses To conduct business analytics For research purposes For safety and security purposes To improve our customer service and other internal business purposes To fulfill our legal obligations and other notified purposes |
Government Agencies (if necessary to meet legal obligations)
Vendors providing services to us |
No
No
|
We retain personal information to achieve the purposes for which the information was collected. In certain cases, we may need to retain personal information for purposes required under applicable law, for tax or audit purposes, or for other purposes permitted under law.
This Privacy Policy includes the following sections:
5. Security
7. Interest-Based Advertising and Cookies - Your Choices
8. Delete My Personal Information
9. Your State Privacy Rights and Additional Disclosures
10. Links to Other Websites and Services
11. Changes to Chipotle’s Privacy Policy
12. Contact Us
For the purposes of this policy, “personal information” means any information about an identifiable individual including, without limitation, your name, address, telephone number, and email address. Personal information does not include publicly available information from government records or deidentified or aggregated consumer information that Chipotle does not attempt to reidentify. We collect and use your personal information when you:
· Visit one of our restaurants
· Order through our Website or App
· Participate in our Chipotle Community Fundraising Program
· Sign-up to receive our marketing communications
· Enter a contest or participate in a promotion
· Participate in our Chipotle Rewards program
· Contact Us with a comment, question or complaint
· Use the Find a Location feature on our Website or App
· Restaurant Purchases: You do not have to provide us with any personal information when you pay using cash at one of our restaurants. If you use a credit or debit card, we collect your debit or credit card-related information and your signature to process and administer your payment. We may also use video surveillance (e.g. CCTV) in our restaurants for loss prevention, safety, and security purposes. If you order catering through a local restaurant, we also collect the delivery address.
· Ordering Online: If you place an individual or group order through our Website or App, you will be asked to provide your first and last name, email address, phone number, payment card information, and, optionally your accessibility and nutrition preference for pick-up orders. If you place an order for delivery, you will be asked for the physical address you would like the order delivered to. If you choose to: (i) place a group order, or (ii) create a Chipotle Rewards account to save your favorites and order faster, we will collect all of the foregoing elements and, if you are a Rewards member, the data elements identified in the Chipotle Rewards paragraph below. If you place a Group Order, we will collect the name of each participant in the Group Order in order to correctly match the names of the Group Order participants with the items that they have ordered. We may also offer you the ability to order through a third-party food delivery service, in which case we obtain your information from the third party in order to fulfil your order. If you purchase an e-gift card for a friend or family member, we collect the name and email address for the recipient in order to deliver an email containing your e-gift card on your behalf. We do not use the recipient’s information for any other purpose.
· Chipotle Rewards: If you join our Chipotle Rewards program, we will collect your first name, last name, email address (required in order to receive all eligible Chipotle Rewards), password used to create the account, telephone number, and marketing preferences, device settings country, and you may also elect to provide other information, including your birthday (month / day only), payment card or gift card information, and optionally your delivery address, accessibility preferences for pick up orders and nutrition preferences. We collect this information to establish and administer your Chipotle Rewards account, including to create and send you a digital Chipotle Rewards card, create an ID number, scannable code or other unique identifier to associate you with your Chipotle Rewards account, to award points to you on qualifying purchases and to enable you to redeem points. We will then associate that and other categories of personal information with your Rewards Program account, such as other unique identifiers, purchase history, general geolocation data, preferences you provide (e.g., favorite Chipotle restaurants), and stored payment methods. Note that we also may collect all of this information outside the context of the Rewards Program. We may also use this information to send non-personalized advertising, retargeted advertisements and personalized advertising and marketing offers and other special offers available only to members of the Chipotle Rewards program. For more information on the categories of third parties that receive your information, please see the “Notice at Collection” section above.
· The Chipotle Community Fundraising Program: We collect personal information if you choose to participate in our Chipotle Community Fundraising Program, which allows organizations to apply to raise money for a particular fundraiser. You may apply for the Chipotle Community Fundraising Program by filling out an application on our Website. If you apply to participate, we will collect the name of the individual applying and their address, email, phone number, and information on behalf of the organization that will benefit from the fundraiser (e.g. organization name, address, EIN).
· Round Up: Customers are offered the opportunity to round up their purchase to the nearest dollar and have Chipotle donate the excess amount to the chosen fundraiser.
· Push Notifications: If you sign-up to receive push notifications, we will send push notifications to your mobile device, which may include, depending on your elections, SMS text messages or emails.
· Contests, Promotions, Surveys, Focus Groups, or other Market Research: If you enter a contest or participate in a promotion, we or a third party we retain to provide these services on our behalf, may, with your consent, collect your name, address, email address, phone number, and any additional information or content required for the contest or promotion (such as information you post on social media). We use this information to administer your participation in the contest or promotion, including prize fulfillment. As part of a contest or promotion, we may obtain your consent to share or otherwise publish the content you submit. You may provide these same data elements to us (or a party retained by us) when you participate in surveys, focus groups, or market research, and you may also share additional information generated by your participation in the surveys, focus groups, and/or other marketing research efforts.
· Contact Us: When you contact us with a comment, question or complaint, you may be asked for information that identifies you, such as your name, address and a telephone number, along with additional information we need to help us promptly answer your question or respond to your comment. You may be asked to provide all of this same information if you contact us through our chat bot, Pepper. We may record or create transcripts of your calls to us, your chats with Pepper, or any other method by which you connect with us and may retain the information disclosed during these interactions to assist you in the future, to improve our customer service and service offerings, to meet our legal obligations or to protect our legal interests, as well as for other business purposes that are detailed in this Privacy Policy. We may also use vendors to provide these services which means these vendors may have to access to these recordings or transcripts, including in real time. By using Pepper, you consent to Chipotle’s monitoring and recording of the chat and to the collection and analysis of all personal information provided through the chat. We utilize a service provider to process, analyze, and store the contents of the chat on our behalf. By using Pepper, you direct Chipotle to disclose to and share with our service provider, including, any personal information you provide. If you do not consent to Chipotle’s collection and analysis of your data or to the processing of this data by our service provider on Chipotle’s behalf, then please do not use the chat feature. Please also note that if you contact us or we engage with you through Apple Business Chat, Google Business Messages, Facebook Messenger, or similar, your communications with us and any personal information you share with us through those platforms is subject to the terms of use and related privacy policies provided by those platforms.
· Find a Location / Location Nudges: If you search for a restaurant on our Website or in the App, we collect your postal code or city and province, or, if you choose to provide it, your device’s precise geolocation, in order to provide you with information on nearby restaurants and to ensure you are on your way to the correct location when you have placed a digital order for pickup. When you give the App permission to collect your precise geolocation, the App may use your mobile device’s location services to collect real-time information about the location of your device (using GPS, WiFi, Bluetooth or other methods, including in store beacons) to provide requested location services and ensure your orders are placed at the correct location. Chipotle does not retain, store, or use your precise geolocation beyond what is necessary to fulfill the purposes identified in this section. However, Chipotle does retain general location data such as your zip code, city, state, and country and this general location data may be used to identify an audience for targeted advertising.
· Health: As described in the Online Ordering and Chipotle Rewards sections above, you may elect to tell us if you would like to have your order placed on an ADA accessible shelf. We will not ask if you for any specific medical condition, disability status, or diagnosis associated with your request to have your order placed on an ADA accessible shelf.
· Nutrition: As described in the Online Ordering and Chipotle Rewards sections above, you may elect to tell us if you have certain nutrition preferences such as that you are eating a plant based V+ Vegan diet, Paleo, or that you are avoiding Gluten or Dairy. We will not ask if you for any specific medical condition, disability status, or diagnosis associated with your nutrition preferences. We may use your nutrition preferences to personalize your experience on our Website and App and we (or entities who send advertisements on our behalf) may also send you advertisements related to these preferences (e.g. we may suggest vegetarian options when you are on our Website or send you advertisements associated with your nutritional preferences).
Information Collected Automatically
We may collect certain information about you automatically when you visit or use our online Services, or when you interact with emails, advertisements, or other electronic messages we send to you through the Services. This information may include your IP address, device characteristics (including device identifiers), web browser characteristics, unique identifiers and other data stored in cookies, operating system details, language preference, referring URLs, length of visits, pages viewed, and other information that may be automatically accessible to us from your browser or device.
We and our vendors may automatically collect this information using various tools and technologies such as cookies, web server logs, tags, beacons, SDKs, pixels, local storage, JavaScript, APIs, session replay/screen capture (i.e., how you use and navigate the services, but not your keystroke data), and other similar technologies. Additional information on other technologies we may use is set forth below in the section titled: Interest-Based Advertising - Your Choices.
We may also use certain third-party web and mobile app analytics services – including but not limited to Google Analytics, Adobe Analytics, Branch Analytics, and Facebook Custom Audiences – to help us understand and analyze how visitors use the online Services (including session replay) and serve ads on our behalf across the Internet and in different channels (including on the web, in mobile apps, on out-of-home digital surfaces, and in connected TV apps). We also use these services for remarketing, interest-based advertising, demographics and interests reporting, user segment analysis, look-alike modeling and impression reporting. We and third-party vendors may use first-party cookies or other first-party identifiers as well as third-party cookies or other third-party identifiers to provide Chipotle with insight into behavior information relating to inferred visitor age range (e.g., GenZ, Millennial, GenX, etc.), your interests, and to deliver advertisements to you, create a profile of you, measure your interests, detect your demographics, personalize content, and detect and associate online and offline behaviors such as site visitation, dwell time and actions taken.
Finally, our third-party vendors may detect your location (including precise location) to provide us with aggregated information about how our advertising campaigns are performing in certain geographic areas. Please check your browser and device settings to control the location data you allow your browser and device to collect and share with third parties.
For more information on how the Google Marketing Platform uses the data collected through the online Services, visit: www.google.com/policies/privacy/partners/.
In addition to the automatic collection mechanisms listed above, we may also:
· As an advertising publisher, use tags in connection with the Nielsen Digital Ad Ratings Service for Google Ad Manager; and
· Use Microsoft’s Bing Universal Event Tracking (UET) feature, in which case Microsoft collects your personal information (see Microsoft Privacy Statement).
Depending on your personal device and App permission settings, when using the App, we may collect or have access to your:
Some of the technology described above is used by us or our partners to correlate information collected about you over time and across websites or online services.
Please review Section 7, Interest-Based Advertising - Your Choices, for additional information about how you can manage the use of these technologies.
Information Collected From Third Parties
Our vendors (who may include data brokers) and other third parties may share with us your personal information. For example, if you order food or catering, order gift cards, make a purchase for merchandise, make a payment, or provide feedback on your experiences, you may submit personal information to one or more third parties that may share your information with us.
In some circumstances, we also may collect information about you from publicly-available sources, including content about our Services that you make publicly available on third-party websites (e.g., social media platforms). We or vendors assisting us may also receive information from geolocation data providers to help us understand aggregate visit patterns in restaurant markets of interest, but these providers get the location data from sources other than our own App and Websites.
Additionally, for certain features of the online Services, you may log in through your third-party social media account or share content from the online Services through third-party social media platforms.
We may combine information that we collect from and about you. When you submit information to a third party, you are subject to that third party’s terms of use and privacy policies, for which we are not responsible.
We may use personal information we obtain about you for the following purposes:
Business Purposes
Commercial Purposes
We may also use any of the personal information we collect to generate and use anonymous or de-identified information about our customers for commercial purposes.
Information Shared By You
When you post or comment on social media or interact with the Services this content may be visible to the public. We or our vendors may analyze or share certain content that you post or make available, including by publicly posting on our online Services or other public online locations. For example, we may repost content that you post about us on social media. We may also use any of the information you share for analytics or other business or commercial purposes.
Information Shared By Us
We may share your information with our affiliates, such as your name, address, phone number, email address, identifiers, date of birth (month and day only, if you elected to provide us with this information), records of your orders and other transactions with us, credit/debit/gift card number and account information (including associated billing addresses and expiration date), information described in the Collection of information and Information Collected Automatically sections above (some of which is personal information, inferences, and other information you provide to us, including user-generated content and information provided via surveys, focus groups, and/or other marketing research efforts).
We may share your personal information (including all the information listed in the preceding paragraph) with vendors who assist us with offering the Services or as otherwise described in this Privacy Policy, such as delivery services, analytics providers, marketing and advertising services (including to provide you with targeted, personalized advertising), providers of payment services, providers of other support for our transactions (e.g., accounting services), providers of technical services (e.g., data storage and customer relationship management databases), providers of outsourced customer service. We generally require our vendors to provide at least the same or equal protection of user data as stated in this Privacy Policy. Some of our vendors (for example, those mentioned in the Information Collected Automatically section above) may view, edit, or set their own tracking technologies/cookies on our Services. When our vendors’ cookies run on our Services they may collect identifiers such as your IP address, Cookie ID, Device ID, and Pixel ID; network activity information such as HTTP header information, button click data, referring website activity; and location data.
In the event of a business transaction, such as if we sell or transfer all or a portion of our business or assets (e.g., further to a merger, reorganization, liquidation, or any other business transaction, including negotiations of such transactions), we reserve the right to disclose any information we obtain through the Services. You acknowledge that such transfers may occur and are permitted by this Privacy Policy. To the extent legally permitted, the acquiring party may use the information pursuant to their own privacy policy instead of this one.
We may also disclose personal information when required by subpoena, search warrant, or other legal processes, governmental request, or in response to activities that are unlawful or a violation of Chipotle’s rules for use of the Services, or to protect and defend the rights or property of Chipotle or others. This may involve the disclosure of personal information to law enforcement, other governmental entities, or other third parties, depending on the circumstances.
We may share your information for other purposes as disclosed at the time you provide your information or otherwise with your consent.
We retain personal information to achieve the purposes for which the information was collected. In certain cases, we may need to retain personal information for purposes required under applicable law, for tax or audit purposes, or for other purposes permitted under law.
We are committed to the protection of your personal information from unauthorized access or use. We will use reasonable organizational, physical, technical and administrative measures to protect personal information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with is no longer secure, please notify us by sending an email to privacy@chipotle.com.
The online Services are not intended for, and are not intentionally targeted to, children under 13, and we do not knowingly request or seek to collect personal information from any person under 13 years of age through the Services. If we learn that the online Services have received personal information directly from a child who is under the age of 13, we will delete the information in accordance with applicable law.
7. INTEREST-BASED ADVERTISING - YOUR CHOICES
Our Website may store or retrieve information on your browser, mostly in the form of cookies. A cookie is a small piece of data (text file) that a website – when visited by a user – places on your device to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. Chipotle uses first-party cookies mainly to make the site work as you expect it to. For example, we use the information we collect through first-party cookies to allow you to navigate between pages efficiently, analyze how well our website is performing, and understand the content that you found most helpful based on the amount of time you spent reviewing that content.
We also incorporate cookies and similar technologies, such as pixels, tags, and web beacons, from outside Chipotle’s domain (“third-party cookies”). Third-party cookies gather information to enable our vendors to provide a range of services to us, including targeting ads and measuring the success of our advertising campaigns.
Below is a detailed list of the categories of first- and third-party cookies we use on our Website. You can prevent the collection of data by Targeting and Social Media Cookies by clicking on “Cookie Preferences” in our Website footer and toggling off the related functionality.
Essential Cookies. These cookies are necessary for the website to function properly and cannot be switched off in our systems. They are usually only set in response to a site visitor’s request for services, such as a visitor setting their privacy preferences, logging in, or filling in forms. You can set your browser to block or alert you about these cookies, but blocking these cookies will prevent the site from working correctly or might prevent the site from working at all.
Targeting & Social Media Cookies. These third-party cookies may be set through our site by our advertising partners, and by social media partners that we have added to the site to enable you to share our content with your friends and networks (such as Facebook, Twitter, LinkedIn). The cookies may be used by those companies to build a profile of your interests and show you advertisements on other sites based on those interests. They may track your browser across other sites and create a profile of your interests.
Functional & Customization Cookies. These cookies enable our websites to provide enhanced functionality and personalization for site visitors and may help provide more specialized (non-essential) services that a visitor requests and to collect and “remember” visitor choices and preferences (e.g. what language the visitor prefers, user name and password to allow automatic log in, what region a user is located in). They may be set by us or by third party service providers whose services we have added to our Website.
Performance & Analytics. These cookies allow us to count visits to our sites and understand traffic sources (the website a visitor came from) so we can measure and improve the performance of our Website. They help us to know which pages are the most and least popular and see how visitors move around the Website. We may collect identifiers that do not directly identify visitors, such as a session ID that is automatically generated when a visitor lands on the Website, visitor’s IP address, the device identifier of the device a visitor used to visit the Website, and activity on the Website associated with these identifiers, and similar information. We will disclose this type of information to third party service providers to help us run these analytics.
You can control and manage cookies associated with your browser. If you are interested in controlling and managing cookies from your browser including any set by our Website, please refer to http://www.allaboutcookies.org/manage-cookies/index.html for information on different ways to configure your browser’s cookie settings.
If you want to clear all cookies left behind by the websites you have visited, here are links where you can download three third party programs that clean out tracking cookies.
· http://www.lavasoftusa.com/products/ad-aware_se_personal.php
· http://www.spybot.info/en/download/index.html
· http://www.webroot.com/consumer/products/spysweeper/
Many advertising companies that collect information for interest-based advertising are members of the Digital Advertising Alliance (DAA) or the Network Advertising Initiative (NAI), both of which maintain self-regulatory programs along with websites where people can opt out of interest-based advertising from their members. To opt-out of website interest-based advertising provided by each organization’s respective participating companies, visit the DAA’s opt-out portal available at http://optout.aboutads.info/, or visit the NAI’s opt-out portal available at http://optout.networkadvertising.org/?c=1.
To opt-out of data collection for interest-based advertising across mobile applications by participating companies, download the DAA’s AppChoices mobile application opt-out offering here: https://youradchoices.com/appchoices.
Some of our vendors do not participate in the DAA or NAI self-regulatory programs for online behavioral advertising or have developed their own processes for allowing consumers to opt-out:
Some devices and apps do not have access to web-based browser cookie opt-outs.
If you no longer want us to collect information through the App, please uninstall it.
You can opt-out of Google Analytics for Display Advertising and customize Google Display Network ads using the Ads Settings Feature on Google. By clicking Ads Settings, you will be taken out of chipotle.com to a page on Google where you can log in and can control the information Google uses to show you ads. In addition, you can use Google Analytics Opt-Out Browser Add-on to disable tracking by Google Analytics. Certain preferences for some of the Nielsen tools we use can be adjusted here. You can also make adjustments to your preferences related Adobe Analytics by visiting the Adobe Privacy Center.
Please note, any reference to third party links, programs, or software listed above are provided for your convenience and consideration without implied or express endorsement or warranty from Chipotle. As with any third-party service, you should assess the provider’s policies and practices before using the service.
At this time, we are not able to honor all do-not-track signals, however in certain instances we honor the Global Privacy Control supported by Take Control Of Your Privacy. To download and use a browser supporting the GPC browser signal, click here: https://globalprivacycontrol.org/orgs.
You may need to repeat the preference options described above from each device and browser that you use in connection with our Service, as well as in a particular browser or device if you clear cookies or reset the browser.
To update certain personal information we have about you, or if you wish to change certain preferences (including certain communication preferences, such as your receipt of push notifications), (1) log into your account on our Website or within your instance of our App and change your account settings (including location tracking) with the “Personal & Preferences” section, (2) change your device’s settings for our App, or (3) contact us as described at the end of this Privacy Policy. For most mobile devices, you can disable the collection of geolocation information by turning off location services on your device.
If you would like to be removed from the Chipotle mobile text program, you must text STOP to 888222 (US) to opt-out. After texting STOP to 888222 you will receive one additional message confirming that your request has been processed.
8. DELETE MY PERSONAL INFORMATION
Chipotle values your privacy. If you would like to submit a request to delete your personal information, please send your related request to privacy@chipotle.com. Certain state residents have additional rights and choices, as described in the next section.
9. YOUR STATE PRIVACY RIGHTS AND ADDITIONAL DISCLOSURES
Depending on the state in which you reside, you may have certain privacy rights regarding your personal data as explained in the following sections.
Collection, Use, and Disclosure of California Personal Information
During the 12 months leading up to the effective date of this Privacy Policy, we have collected the following categories of Personal Information as described in more detail in Section 1, Collection of Information, of this Privacy Policy: Identifiers/contact information, categories of protected classifications under federal and California law, commercial information, payment details, professional or employment-related information, visual information, internet or other electronic network activity information, precise geolocation data, general geolocation data, other information you provide to us, including user-generated content and information provided via surveys, focus groups, and/or other marketing research efforts, sensory data such as recordings of customer care calls or CCTV footage, health, nutrition, fundraising and donations, and inferences based on the above categories.
We collect Personal Information directly from California residents and from advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers. We do not collect all categories of Personal Information from each source.
During that period, we made the following disclosures of personal information to affiliates, delivery services providers, marketing and advertising services providers, payment services providers, transactional support providers, technical services providers, and governmental entities for business purposes consistent with the purposes described in Section 2, Use of Information, above: Identifiers/contact information, categories of protected classifications under federal and California law, commercial information, payment details, professional or employment-related information, visual information, internet or other electronic network activity information, geolocation information, and inferences based on the above categories.
During the 12 months leading up to the effective date of this Privacy Policy, we “sold” or “shared” (as these terms are defined under California law) commercial information (transaction data), and internet or other network or device activity (like a record of a browser’s visit to our Website) for marketing and advertising purposes to advertising providers, analytics companies, and social media networks.
Chipotle permits individuals 13 years of age and older to join our Rewards program. Our Rewards Terms state, “If you are between the ages of 13 and 18, you may participate in Chipotle Rewards only with the permission and under the supervision of a parent or legal guardian who agrees to be bound by these Chipotle Rewards Terms.” Chipotle Rewards members may elect to provide their birthday (month / day only), but we do not collect age or full date of birth from Rewards members.
We do not “sell” or “share” Personal Information if we have actual knowledge that the consumer is less than 16 years of age. We do not use Sensitive Personal Information for purposes other than those allowed by the CCPA and its regulations.
Your California Consumer Privacy Act (CCPA) Information, Deletion & Correction Rights
The CCPA allows you to request that we:
If you would like to exercise your right to know, access, delete or correct your personal information you may submit your request by completing our Data Request Form. Alternatively, you submit your data subject request by phone at 833-506-0473.
We will take reasonable steps verify your identity before responding to your request, which may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, verifying your name, email address, and other information regarding your use of the Services (e.g., date of last purchase or last 4 digits of a payment/gift card).
Your CCPA Right to Opt Out of “Sale” or “Sharing” of Personal Information
Californians have a right to direct us not to “sell” or “share” certain personal information as these terms are defined in the CCPA. You can exercise these rights by:
· Clicking on “Do Not Sell or Share My Personal Information / Opt Out of Targeted Advertising” when prompted by the cookie banner appearing on the bottom of Chipotle’s webpage. Completing this step will opt out you out of the “sale” or “sharing” facilitated through web-initiated device tracking.
· Clicking on “Cookie Preferences” in our website footer and toggle off Targeting and Social Media cookies. Completing this step will opt out you out of the “sale” or “sharing” facilitated through web-initiated device tracking.
· Clicking on the Do Not Sell or Share My Personal Information link in the footer of our webpage, and then follow the instructions on our Do Not Sell or Share My Personal Information / Opt Out of Targeted Advertising Form. Completing this step will opt out you out of Chipotle’s “sale” or “sharing” of your personal information directly with third parties; or
· Contacting us by phone at 833-506-0473 to make a general request.
Note that Chipotle limits how some of our advertising partners limit their use of your personal information after you opt out of sale, sharing, or targeted advertising. These partners may continue to collect your personal information, including by using cookies and similar technologies on our Websites, but we prohibit them from using your information in a way that conflicts with your opt-out choice.
Requests Made by Agents
If you are an agent making a request on behalf of a consumer, we reserve the right to take steps to verify that you are authorized to make that request, which may include requiring you to provide us with written proof such as a power of attorney, as stipulated in applicable state law. As part of the process, we may additionally require the customer to verify their identity directly with us. For security and legal reasons, Chipotle will reject requests that require us to access third-party websites or services.
Your Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), An Act Concerning Personal Data Privacy and Online Monitoring (also known as The Connecticut Data Privacy Act or “CTDPA”) Information & Deletion Rights
The VCDPA, CPA, and CTDPA allows you to request us to:
If you would like to exercise your right to access, delete, or correct personal information we hold about you or to submit an appeal of any decision with regard to your privacy rights, you may submit your request by completing our Data Request Form. Alternatively, you may submit your data subject request by phone at 833-506-0473.
If you are a Virginia, Colorado, or Connecticut resident, under the VCDPA, CPA, or CTDPA, respectively, you have a Right to opt-out of sale of personal data, targeted advertising, and profiling.
Residents of Virginia, Colorado, and Connecticut have a right to direct us not to “sell” certain personal information about you and not to process your personal data for targeted advertising as those terms are defined in under the VCDPA, CPA, or CTDPA, respectively.
Depending on how the applicable privacy law defines a “sale,” we may sell personal data to third parties. For instance, if you are a resident of Colorado or Connecticut, our use of cookies and tracking technologies constitutes a sale of personal data to third-party advertisers. We also use cookies and other tracking technologies to display advertisements about our products to you on nonaffiliated websites, applications, and online services. This is “targeted advertising” under applicable privacy laws. We do not use personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning individuals
You can exercise your rights by performing any of the following steps:
· Click on “Do Not Sell or Share My Personal Information / Opt Out of Targeted Advertising” when prompted by the cookie banner appearing on the bottom of Chipotle’s webpage. Completing this step will opt out you out of “targeted advertising” and the “sale” of your personal data facilitated through web-initiated device tracking.
· Clicking on “Cookie Preferences” in our website footer and toggle off Targeting and Social Media cookies. Completing this step will opt out you out of “targeted advertising” and the “sale” of your personal data facilitated through web-initiated device tracking.
· Clicking on the Do Not Sell or Share My Personal Information link in the footer of our webpage, and then follow the instructions on our Do Not Sell or Share My Personal Information / Opt Out of Targeted Advertising Form. Completing this step will opt out you out of Chipotle’s direct “sale” or sharing of your personal information directly with third parties; or
· Contact us by phone at 833-506-0473 to make a general request. We may take reasonable steps to verify the validity of your request.
Nondiscrimination
We will not discriminate against you for exercising your privacy rights.
Notice of Financial Incentives
The Chipotle Rewards Program lets participants earn or otherwise receive rewards (e.g., free entrees) and discounts, in return for registering and/or making purchases, including:
You can sign up for the Rewards Program by registering on our Website, iframe, or through the App. Registration requires you to provide your first name, last name, email address (required in order to receive all eligible Chipotle Rewards), delivery address, password used to create the account, telephone number, and marketing preferences, device settings country, and you may also elect to provide other information, including your birthday (month / day only), payment card or gift card information, accessibility preferences for pick up orders, and nutrition preferences. We will then associate that and other categories of personal information with your Rewards Program account, such as other unique identifiers, purchase history, geolocation data, preferences you provide (e.g., favorite Chipotle restaurants), and stored payment methods. Note that we also may collect all of this information outside the context of the Rewards Program.
Full terms for the Rewards Program are available here.
You may withdraw from the Rewards Program at any time and forfeit any ongoing incentives through your online or App account or by contacting us using the contact information below. Please also note that if you submit a request to delete your personal information, this will also automatically withdraw you from the Rewards Program and will result in the forfeiture of your incentives, including your Rewards points that you may have accumulated. Requesting the deletion of your personal information results in the deletion of your Rewards account and accumulated incentives because we require your personal data (e.g., your name, email address, and log-in information) to be able to associate you to your account. You may elect to rejoin the Rewards program at any time, at which time we will once again begin collecting your personal information.
The value of Personal Information we collect is reasonably related to our expenses related to offering the Rewards Program. While we do not and cannot assign a monetary value to the personal information we collect through the Rewards Program, we do benefit financially from the Rewards Program. For example, although we may lose immediate revenue when a member uses a discount, the positive experience may lead to an overall increase in visits to our restaurants.
Calculating the actual value that Chipotle generates from those efforts (whether in aggregate or by individual) or a monetary value of the personal information involved is impossible. There are many reasons for this:
· First, the information is of no monetary value by itself, as Chipotle achieves personal information-related benefits only when the information is used in combination with, and in the context of, other aspects of our business such as (1) high-quality marketing efforts, (2) the compelling financial components of our Rewards Program that do not require use of the personal information, such as the ability to earn discounts and rewards, (3) the high quality of our food and service, and (4) the proximity of our restaurants to Rewards Program members.
· Second, we cannot precisely determine the motivating factors of any specific purchase, or the relative weights of each factor. Even if somebody redeems a coupon we sent to the contact information they supplied during Rewards Program registration, we cannot determine whether they would have made the same purchase on the same day even without the coupon. In a lot of households, Tuesday is taco Tuesday – coupon or not.
· Third, the level of engagement with our uses of personal information varies among Rewards Program members. For example, some members may read a lot of our marketing content, while others have unsubscribed and never see any. Some live next door to one of our restaurants, while others are out of delivery range.
· Fourth, the dining habits of our Rewards Program members appear to vary significantly.
· Fifth, not all members link their purchases to their Rewards Program membership, so we cannot identify all purchases by Rewards Program members, let alone which ones were influenced by their participation in the program.
For these reasons, we estimate that the value of the personal information collected for the Rewards Program would be less than the value the individual receives from their participation in the Reward Program.
Other California Law
Subject to certain limitations under California’s Shine the Light law, California residents may contact us as described at the end of this Privacy Policy to request a list of third parties to whom we disclosed certain personal information for those third parties’ direct marketing purposes during the preceding year. The information we will provide will describe our general practices in the prior calendar year and will not be specific to you.
Your request should indicate that you are a California resident, and you must provide your full current California address, to which we will send our response. Your inquiry must specify “Shine the Light Request” in the subject line of the email or the first line of the letter, and include your California address. We are only required to respond to one such request per individual each year. We may take reasonable steps to verify your identity and the authenticity of the request.
10. LINKS TO OTHER WEBSITES AND SERVICES
The Services may offer links to websites and other services that are not maintained by Chipotle. By visiting one of these linked websites or services, you are subject to their privacy and other policies. We are not responsible for, or able to monitor or control, the policies and practices of other companies.
11. CHANGES TO CHIPOTLE’S PRIVACY POLICY
From time to time, Chipotle may change this Privacy Policy. Changes will be indicated by the “Last Updated” date at the top of this page.
12. CONTACT US
For questions or concerns about this Privacy Policy or our privacy practices, you may contact our Privacy Team at privacy@chipotle.com or via postal mail at:
Attn: Privacy Officer
Chipotle Mexican Grill, Inc.
610 Newport Center Dr.
Newport Beach, CA 92660