California Notice at Collection
We collect personal information identified below under “Collection of Information” for business purposes and commercial purposes listed below under “Use of Information.” To learn more, including how you can opt-out of the sale or sharing of your personal information, please see the “Your Privacy Rights” section below.
For the purposes of this policy, “personal information” means any information about an identifiable individual including, without limitation, your name, address, telephone number, and email address. We collect and use your personal information when you:
· Visit one of our restaurants
· Order through our Website or App
· Participate in our Chipotle Community Fundraising Program
· Sign-up to receive our marketing communications
· Enter a contest or participate in a promotion
· Participate in our Chipotle Rewards program
· Apply for a job with us
· Contact Us with a comment, question or complaint
· Use the Find a Location feature on our Website or App
· Restaurant Purchases: You do not have to provide us with any personal information when you pay using cash at one of our restaurants. If you use a credit or debit card, we collect your debit or credit card-related information and your signature to process and administer your payment. We may also use video surveillance (e.g. CCTV) in our restaurants for loss prevention, safety, and security purposes. If you order catering through a local restaurant, we also collect the delivery address.
· Ordering Online: If you place an order through our Website or App, you will be asked to provide your first and last name, email address, phone number, payment card information, and, optionally accessibility and nutrition preference for pick-up orders. If you place an order for delivery, you will be asked for the physical address you would like the order delivered to. If you choose to create a Chipotle Rewards account to save your favorites, order faster and place group orders, we will collect all of the foregoing elements and the data elements identified in the Chipotle Rewards paragraph below. If you place a Group Order, we will collect the name of each participant in the Group Order in order to correctly match the names of the Group Order participants with the items that they have ordered. We may also offer you the ability to order through a third-party food delivery service, in which case we obtain your information from the third party in order to fulfil your order. If you purchase an e-gift card for a friend or family member, we collect the name and email address for the recipient in order to deliver an email containing your e-gift card on your behalf. We do not use the recipient’s information for any other purpose.
· Chipotle Rewards: If you join our Chipotle Rewards program, we will collect your first name, last name, email address (required in order to receive all eligible Chipotle Rewards), delivery address, password used to create the account, telephone number, and marketing preferences, device settings country, and you may also elect to provide other information, including your birthday (month / day only), payment card or gift card information, accessibility preferences for pick up orders, and nutrition preferences. We collect this information to establish and administer your Chipotle Rewards account, including to create and send you a digital Chipotle Rewards card, create an ID number, scannable code or other unique identifier to associate you with your Chipotle Rewards account, to award points to you on qualifying purchases and to enable you to redeem points. We will then associate that and other categories of personal information with your Rewards Program account, such as other unique identifiers, purchase history, general geolocation data, preferences you provide (e.g., favorite Chipotle restaurants), and stored payment methods. Note that we also may collect all of this information outside the context of the Rewards Program. We may also use this information to send non-personalized advertising, retargeted advertisements and personalized advertising and marketing offers and other special offers available only to members of the Chipotle Rewards program.
· The Chipotle Community Fundraising Program: We collect personal information if you choose to participate in our Chipotle Community Fundraising Program, which allows organizations to apply to raise money for a particular fundraiser. You may apply for the Chipotle Community Fundraising Program by filling out an application on our Website. If you apply to participate, we will collect the name of the individual applying and their address, email, phone number, and information on behalf of the Organization that will benefit from the fundraiser (e.g. Organization Name, Address, EIN).
· Round Up: Customers are offered the opportunity to round up their purchase to the nearest dollar and have Chipotle donate the excess amount to the chosen fundraiser.
· Push Notifications: If you sign-up to receive push notifications, we will send push notifications to your mobile device, which may include, depending on your elections, SMS text messages or emails.
· Contests, Promotions, Surveys, Focus Groups, or other Market Research: If you enter a contest or participate in a promotion, we may collect your name, address, email address, phone number, and any additional information or content required for the contest or promotion (such as information you post on social media). We use this information to administer your participation in the contest or promotion, including prize fulfillment. As part of a contest or promotion, we may obtain your consent to share or otherwise publish the content you submit. You may provide these same data elements to us when you participate in surveys, focus groups, or market research, and you may also share additional information generated by your participation in the surveys, focus groups, and/or other marketing research efforts.
· Contact Us: When you contact us with a comment, question or complaint, you may be asked for information that identifies you, such as your name, address and a telephone number, along with additional information we need to help us promptly answer your question or respond to your comment. We may retain this information to assist you in the future and to improve our customer service and service offerings.
· Find a Location: If you search for a restaurant on our Website or in the App, we collect your postal code or city and province, or, if you choose to provide it, your device’s precise geolocation, in order to provide you with information on nearby restaurants. When you give the App permission to collect your precise geolocation, the App may use your mobile device’s location services to collect real-time information about the location of your device (using both GPS and other methods) to provide requested location services and ensure your orders are placed at the correct location. Chipotle does not retain, store, or use your precise geo-location (e.g. for any purpose beyond what is identified in this section, however Chipotle does retain general location data such as your zip code, city, state, and country and this general location data may be used to identify an audience for targeted advertising).
Information Collected Automatically
We may collect certain information about you automatically when you visit or use our online Services, or when you interact with emails, advertisements, or other electronic messages we send to you through the Services. This information may include your IP address, device characteristics (including device identifiers), web browser characteristics, unique identifiers and other data stored in cookies, operating system details, language preference, referring URLs, length of visits, pages viewed, and other information that may be automatically accessible to us from your browser or device.
We may also use certain third-party web and mobile app analytics services – including but not limited to Google Analytics, Adobe Analytics, Branch Analytics, and Facebook Custom Audiences – to help us understand and analyze how visitors use the online Services (including session replay) and serve ads on our behalf across the Internet and in different channels (including on the web, in mobile apps, on out-of-home digital surfaces, and in connected TV apps. We’ve implemented Google Analytics Advertising features such as remarketing with analytics, interest-based advertising, demographics and interests reporting, user segment analysis, look-alike modeling and impression reporting. We and third-party vendors may use first-party cookies or other first-party identifiers as well as third-party cookies or other third-party identifiers to provide Chipotle with insight into behavior information relating to inferred visitor age range (e.g., GenZ, Millenial, GenX, etc.), your interests, and to deliver advertisements to you, create a profile of you, measure your interests, detect your demographics, detect your location, personalize content, and detect and associate online and offline behaviors such as site visitation, dwell time and actions taken. For more information on how the Google Marketing Platform uses the data collected through the online Services, visit: www.google.com/policies/privacy/partners/.
In addition to the automatic collection mechanisms listed above, we may also:
· As an advertising publisher, use tags in connection with the Nielsen Digital Ad Ratings Service for Google Ad Manager;
· Use Microsoft’s Bing Universal Event Tracking (UET) feature, in which case Microsoft collects your personal information (see Microsoft Privacy Statement).
Depending on your personal device and App permission settings, when using the App, we may collect or have access to your:
Some of the technology described above is used by us or our partners to correlate information collected about you over time and across websites or online services.
Please review Section 7, Interest-Based Advertising - Your Choices, for additional information about how you can manage the use of these technologies.
Information Collected From Third Parties
Our vendors (who may include data brokers) and other third parties may share with us your personal information. For example, if you order food or catering, order gift cards, make a purchase for merchandise, make a payment, or provide feedback on your experiences, you may submit personal information to one or more third parties that may share your information with us.
In some circumstances, we also may collect information about you from publicly-available sources, including content about our Services that you make publicly available on third-party websites (e.g., social media platforms). We or vendors assisting us may also receive information from geolocation data providers to help us understand aggregate visit patterns in restaurant markets of interest, but these providers get the location data from sources other than our own App and Websites.
Additionally, for certain features of the online Services, you may log in through your third-party social media account or share content from the online Services through third-party social media platforms.
We may use personal information we obtain about you for the following purposes:
We may also use any of the personal information we collect to generate and use anonymous or de-identified information about our customers for commercial purposes.
Information Shared By You
When you interact with the Services, including posting on social media, this content may be visible to the public. We may share certain content that you post or make available, including by publicly posting on our online Services or other public online locations. For example, we may repost content that you post about us on social media.
Information Shared By Us
We may share your information with our affiliates, such as your name, address, phone number, email address, identifiers, date of birth (month and day only, if you elected to provide us with this information), records of your orders and other transactions with us, credit/debit/gift card number and account information (including associated billing addresses and expiration date), information described in the Collection of information and Information Collected Automatically sections above (some of which is personal information, inferences, and other information you provide to us, including user-generated content and information provided via surveys, focus groups, and/or other marketing research efforts.
We may also disclose personal information when required by subpoena, search warrant, or other legal processes, governmental request, or in response to activities that are unlawful or a violation of Chipotle’s rules for use of the Services, or to protect and defend the rights or property of Chipotle or others. This may involve the disclosure of personal information to law enforcement, other governmental entities, or other third parties, depending on the circumstances.
We may share your information for other purposes as disclosed at the time you provide your information or otherwise with your consent.
We retain personal information to achieve the purposes for which the information was collected. In certain cases, we may need to retain personal information for purposes required under applicable law, for tax or audit purposes, or for other purposes permitted under law.
We are committed to the protection of your personal information from unauthorized access or use. We will use reasonable organizational, physical, technical and administrative measures to protect personal information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with is no longer secure, please notify us by sending an email to firstname.lastname@example.org.
The online Services are not intended for, and are not intentionally targeted to, children under 13, and we do not knowingly request or collect personal information from any person under 13 years of age through the Services. If we learn that the online Services have received personal information directly from a child who is under the age of 13, we will delete the information in accordance with applicable law.
7. INTEREST-BASED ADVERTISING - YOUR CHOICES
When you visit any web site, including our Website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information gathered through cookies can give you a more personalized web experience. For example cookies allow you to navigate between pages efficiently, letting us analyze how well our website is performing, and educates us on the content that you found most helpful based on the amount of time you spent reviewing that content. A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting.
If you want to clear all cookies left behind by the websites you have visited, here are links where you can download three third party programs that clean out tracking cookies:
Many advertising companies that collect information for interest-based advertising are members of the Digital Advertising Alliance (DAA) or the Network Advertising Initiative (NAI), both of which maintain websites where people can opt out of interest-based advertising from their members. To opt-out of website interest-based advertising provided by each organization’s respective participating companies, visit the DAA’s opt-out portal available at http://optout.aboutads.info/, or visit the NAI’s opt-out portal available at http://optout.networkadvertising.org/?c=1.
To opt-out of data collection for interest-based advertising across mobile applications by participating companies, download the DAA’s AppChoices mobile application opt-out offering here: https://youradchoices.com/appchoices.
Our Website and App use third party cookies from Google Analytics for demographics and interest reporting. This feature gives us insight into behavior information relating to visitor general age range, gender and interests on an anonymous and aggregate level. This will help us to understand browsing behavior to give you a better experience while visiting our Website or App. You can opt-out of Google Analytics for Display Advertising and customize Google Display Network ads using the Ads Settings Feature on Google. By clicking Ads Settings, you will be taken out of chipotle.com to a page on Google where you can control the information Google uses to show you ads. In addition, you can use Google Analytics Opt-Out Browser Add-on to disable tracking by Google Analytics.
Our Website and App also use Adobe Analytics to collect a hashed user ID when you sign into the Website or App. This user ID is stored in encrypted form and cannot be linked to you. We use this hashed user ID to track our users’ demographic information (such as the user’s general age range and gender) and their behavior while using the Website or App, such as how they interact with the Website/App, the time spent using the Website/App and when they click on the URL for the Website or open the App.
You should repeat the preference options described above from each device and browser that you use in connection with our Service, and repeat them again in a particular browser or device if you clear cookies or reset the browser.
Certain state residents have additional rights and choices, as described in the next section.
The following section provides detailed information applicable to California residents under the California Consumer Privacy Act (CCPA).
Collection, Use, and Disclosure of California Personal Information
During that period, we made the following disclosures of personal information to affiliates, delivery services providers, marketing and advertising services providers, payment services providers, transactional support providers, technical services providers, and governmental entities for business purposes consistent with the purposes described in Section 2, Use of Information, above: Identifiers/contact information, categories of protected classifications under federal and California law, commercial information, payment details, professional or employment-related information, visual information, internet or other electronic network activity information, geolocation information, and inferences based on the above categories.
Your CCPA Information & Deletion Rights
The CCPA allows you to request that we:
If you would like to exercise any of these rights, you may submit your request by completing our Data Request Form or contacting us by phone at 833-506-0473.
We will take reasonable steps verify your identity before responding to your request, which may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, verifying your name, email address, and other information regarding your use of the Services (e.g., date of last purchase or last 4 digits of a payment/gift card).
Your CCPA Right to Opt Out of “Sale” or “Sharing” of Personal Information
Californians have a right to direct us not to “sell” or “share” certain personal information as these terms are defined in the CCPA. You can exercise these rights by either:
1. Following the instructions on our Do Not Sell or Share Request Form
2. OR contacting us by phone at 833-506-0473 to make a general request.
Requests Made by Agents
If you are an agent making a request on behalf of a consumer, we reserve the right to take steps to verify that you are authorized to make that request, which may include requiring you to provide us with written proof such as a notarized authentication letter or a power of attorney, as stipulated in applicable state law. As part of the process, we may additionally require the customer to verify their identity directly with us. For security and legal reasons, Chipotle will reject requests that require us to access third-party websites or services.
Your Virginia Consumer Data Protection Act (VCDPA) Information & Deletion Rights
The VCDPA allows you to request us to:
If you would like to exercise any of these rights, or to submit an appeal of any decision with regard to your privacy rights, you may submit your request by completing our Data Request Form or contacting us by phone at 833-506-0473.
If you are a Virginia resident, under the VCDPA, you have a Right to opt-out of sale of personal data, targeted advertising, and profiling.
Virginian’s have a right to direct us not to “sell” certain personal information about you and not to process your personal data for targeted advertising as those terms are defined in under the VCDPA. You can exercise that right by performing either of the following steps:
1. Follow the instructions on our Do Not Sell Request Form
2. OR contact us by phone at 833-506-0473 to make a general opt-out of sale of personal data and/or targeted advertising request. We may take reasonable steps to verify the validity of your request.
We will not discriminate against you for exercising your privacy rights.
Notice of Financial Incentives
The Chipotle Rewards Program lets participants earn or otherwise receive rewards (e.g., free entrees) and discounts, in return for registering and/or making purchases, including:
You can sign up for the Rewards Program by registering on our website, iframe, or through the App. Registration requires you to provide your first name, last name, email address (required in order to receive all eligible Chipotle Rewards), delivery address, password used to create the account, telephone number, and marketing preferences, device settings country, and you may also elect to provide other information, including your birthday (month / day only), payment card or gift card information, accessibility preferences for pick up orders, and nutrition preferences. We will then associate that and other categories of personal information with your Rewards Program account, such as other unique identifiers, purchase history, geolocation data, preferences you provide (e.g., favorite Chipotle restaurants), and stored payment methods. Note that we also may collect all of this information outside the context of the Rewards Program.
Full terms for the Rewards Program are available here.
You may withdraw from the Rewards Program at any time and forfeit any ongoing incentives by contacting us using the contact information below.
The value of Personal Information we collect is reasonably related to our expenses related to offering the Rewards Program. While we do not and cannot assign a monetary value to the personal information we collect through the Rewards Program, we do benefit financially from the Rewards Program. For example, although we may lose immediate revenue when a member uses a discount, the positive experience may lead to an overall increase in visits to our restaurants.
Calculating the actual value that Chipotle generates from those efforts (whether in aggregate or by individual) or a monetary value of the personal information involved is impossible. There are many reasons for this:
· First, the information is of no monetary value by itself, as Chipotle achieves personal information-related benefits only when the information is used in combination with, and in the context of, other aspects of our business such as (1) high-quality marketing efforts, (2) the compelling financial components of our Rewards Program that do not require use of the personal information, such as the ability to earn discounts and rewards, (3) the high quality of our food and service, and (4) the proximity of our restaurants to Rewards Program members.
· Second, we can’t precisely determine the motivating factors of any specific purchase, or the relative weights of each factor. Even if somebody redeems a coupon we sent to the contact information they supplied during Rewards Program registration, we can’t determine whether they would have made the same purchase on the same day even without the coupon. In a lot of households, Tuesday is taco Tuesday – coupon or not.
· Third, the level of engagement with our uses of personal information varies among Rewards Program members. For example, some members may read a lot of our marketing content, while others have unsubscribed and never see any. Some live next door to one of our restaurants, while others are out of delivery range.
· Fourth, the dining habits of our Rewards Program members appear to vary significantly.
· Fifth, not all members link their purchases to their Rewards Program membership, so we can’t identify all purchases by Rewards Program members, let alone which ones were influenced by their participation in the program.
For these reasons, we estimate that the value of the personal information collected for the Rewards Program would be less than the value the individual receives from their participation in the Reward Program.
Other California Law
Your request should indicate that you are a California resident, and you must provide your full current California address, to which we will send our response. Your inquiry must specify “Shine the Light Request” in the subject line of the email or the first line of the letter, and include your California address. We are only required to respond to one such request per individual each year. We may take reasonable steps to verify your identity and the authenticity of the request.
9. LINKS TO OTHER WEBSITES AND SERVICES
The Services may offer links to websites and other services that are not maintained by Chipotle. By visiting one of these linked websites or services, you are subject to their privacy and other policies. We are not responsible for, or able to monitor or control, the policies and practices of other companies.
Attn: Privacy Officer
Chipotle Mexican Grill, Inc.
610 Newport Center Dr.
Newport Beach, CA 92660