Chipotle -- Privacy Policy

 

CHIPOTLE’S U.S. PRIVACY POLICY


(LAST UPDATED JULY 28, 2021)

This Privacy Policy describes how Chipotle Mexican Grill, Inc. and its subsidiaries and affiliates in the United States (“Chipotle”, “we”, “our”, “us”) may collect, use, and disclose personal information of visitors who access or interact with our mobile application (“App”) or our websites that link to this Privacy Policy, as well as other personal information about our customers.  The App, those websites, our restaurants, and our related service offerings are referred to in this Privacy Policy as our “Services.”  Please note that we maintain separate privacy policies for recruiting and human resources management and for our operations in Canada and Europe.

By using our Services or otherwise providing personal information to us, you consent to the collection, use, disclosure and other handling of personal information described in this Privacy Policy, except for activities for which we first require your consent to be given through other means.

This Privacy Policy includes the following sections:

1.    Collection of Information

2.    Use of Information

3.    Sharing of Information

4.    Retention of Information

5.    Children’s Privacy

6.    Your Choices

7.    Security

8.    Notice to California Residents

9.    Links to Other Websites and Services

10. Changes to Chipotle’s Privacy Policy

11. Contact Us

 

1.    COLLECTION OF INFORMATION

Information You Provide

When you visit or interact with the Services, Chipotle may obtain certain personal information from you, such as:

·      Names, addresses, phone numbers, email addresses, and other identifiers;

·      Date of birth;

·      Records of your orders and other transactions with us;

·      Credit/debit/gift card number(s) and account information, including any associated billing address(es) and expiration date(s);

·      Information provided via surveys, focus groups, and/or other marketing research efforts;

·      Employer and/or other company affiliations (e.g., employer names, titles, work addresses, and other contact information);

·      Audio or visual information, such as CCTV images;

·      Precise location;

·      Other information described in the Information Collected Automatically section below (some of which is personal information); and

·      Any other information you provide to us, including user-generated content.

We may also create inferences from this information or from other personal information we hold.

If you submit someone else’s personal information to us (e.g., someone else’s contact information), you represent that you are authorized to provide this information to us.

 

Information Collected Automatically

We may collect certain information about you automatically when you visit or use our online Services, or when you interact with emails, advertisements, or other electronic messages we send to you through the Services. This information may include your IP address, device characteristics (including device identifiers), web browser characteristics, unique identifiers and other data stored in cookies, operating system details, language preference, referring URLs, length of visits, pages viewed, and other information that may be automatically accessible to us from your browser or device.

We and our vendors may automatically collect this information using various tools and technologies such as cookies, web server logs, tags, SDKs, tracking pixels, local storage, JavaScript, APIs, session replay/screen capture (i.e., how you use and navigate the services, but not your keystroke data), and other similar technologies.  Additional information on other technologies we may use is set forth below.

·      What is a cookie? A cookie is a piece of data that a website can send to your browser, which may then be stored on your device, sometimes with a code unique to your device. Cookies enable us and our vendors to (i) recognize your computer; (ii) store your preferences, settings, and other data; (iii) understand the web pages you have visited on our Services and elsewhere; (iv) enhance your user experience by delivering and measuring the effectiveness of content and advertising tailored to your interests; (v) perform searches and analytics; and (vi) assist with security and administrative functions.

·      What is a web server log? A web server log is a file where online activity is stored.  It may be used for similar purposes.

·      What’s an SDK? An SDK is a set of tools and/or code that we embed in our applications and software to perform certain functions, such as allowing us or third parties to collect information about how users interact with our Services.

·      What are Tags or tracking pixels? Tags or tracking pixels (sometimes also referred to as web beacons or clear GIFs) are small code (sometimes containing, generating, or detecting a unique identifier) embedded in websites, online ads, and email, that can be used for purposes such as generating web server logs or reading or writing cookies for the purposes described above.

As we adopt additional technologies, we may also gather information through other methods.  

We may also use certain third-party web and mobile app analytics services – including but not limited to Google Analytics, Adobe Analytics, Twitter Analytics, and Facebook Custom Audiences – to help us understand and analyze how visitors use the online Services and serve ads on our behalf across the Internet and in different channels (including on the web, in mobile apps, on out-of-home digital surfaces, and in connected TV apps). We’ve implemented Google Analytics Advertising features such as remarketing with analytics, interest-based advertising, demographics and interests reporting, user segment analysis, look-alike modeling and impression reporting. We and third-party vendors may use first-party cookies or other first-party identifiers as well as third-party cookies or other third-party identifiers to provide Chipotle with insight into behavior information relating to inferred visitor age range (e.g., GenZ, Millennial, GenX, etc.), your interests, and to deliver advertisements to you, create a profile of you, measure your interests, detect your demographics, detect your location, personalize content, and detect and associate online and offline behaviors such as site visitation, dwell time and actions taken. For more information on how the Google Marketing Platform uses the data collected through the online Services, visit: www.google.com/policies/privacy/partners/.

In addition to the automatic collection mechanisms listed above, we may also:

·      As an advertising publisher, use tags in connection with the Nielsen Digital Ad Ratings Service for Google Ad Manager;

·      Through tracking technologies, receive and use Foursquare service user data, including search terms, what pages you view, your access times, the time you spend on each page, the IP address used to access the pages, and other user data (see Foursquare Privacy Policy); and

·      Use Microsoft’s Bing Universal Event Tracking (UET) feature, in which case Microsoft collects your personal information (see Microsoft Privacy Statement).

Depending on your personal device and App permission settings, when using the App, we may collect or have access to your:

  • Precise geolocation. When you give the App permission to do this, the App may use your mobile device’s location services to collect real-time information about the location of your device (using both GPS and other methods) to provide requested location services, ensure your orders are placed at the correct location, and to serve you relevant offers or promotions. However, Chipotle does not retain or store your precise location when you enable sharing this information on your mobile device.
  • Camera. When enabled, this may allow the App to access the camera to scan and input payment method details. Providing access to your Camera function is entirely optional.
  • Wi-Fi connection information. When enabled, this may allow the App to view Wi-Fi connections.
  • Other. The App will send and receive data to and from the Internet, and may view network connections, have full network access, control vibration of your device, or prevent your device from sleeping.

You may be able to enable or disable geolocation collection by the App by adjusting the permissions in your account or device settings. If GPS precise location services are disabled, other means of establishing or estimating location (e.g., connecting to or proximity to Wi-Fi, Bluetooth, beacons, or our networks) may still be active.

Some of the technology described above is used by us or our partners to correlate information collected about you over time across two or more websites or online services.

Please review Section 7 (“Your Choices”) for additional information about how you can manage the use of these technologies.

Information Collected From Third Parties

Our vendors and other third parties may share with us your personal information. For example, if you order food or catering, order gift cards, make a purchase for merchandise, make a payment, or provide feedback on your experiences, you may submit personal information to one or more third parties that may share your information with us.

In some circumstances, we also may collect information about you from publicly-available sources, including content about our Services that you make publicly available on third-party websites (e.g., social media platforms).  We or vendors assisting us may also receive information from geolocation data providers to help us understand aggregate visit patterns in restaurant markets of interest, but these providers get the location data from sources other than our own App and websites.    

Additionally, for certain features of the online Services, you may log in through your third-party social media account or share content from the online Services through third-party social media platforms. We may combine information that we have about you with information we obtain from third parties. When you submit information to a third party, you are subject to that third party’s terms of use and privacy policies, for which we are not responsible.

2.    USE OF INFORMATION

We may use personal information we obtain about you to:

  • facilitate and personalize your user experience and improve the Services;
  • conduct statistical analysis of the content, layout, and features of the Services for our marketing purposes;
  • communicate with you regarding our restaurants and other Services;
  • respond to your requests or inquiries;
  • register you for accounts on the Services;
  • register you for our email and postal mailing lists or for promotions or offers conducted in connection with the Services;
  • process payment information for online food orders or online purchases through our merchandise or gift card store;
  • process your fundraiser applications;
  • send marketing information to you, such as promotional offers or information about new product offerings, programs, or restaurant openings;
  • advertise to you both on and off the Services, which may include tailoring ads to your inferred interests and measuring the performance of our ad campaigns;
  • make inferences about connections between different internet-connected devices used by you or members of your household;
  • provide location services;
  • manage health and safety in our restaurants;
  • address legal matters;
  • prevent, investigate, identify, stop, or take any other action with regard to suspected or actual fraudulent or illegal activity, claims or other liabilities, or any activity that violates our policies; or
  • for any other purpose, with your consent where appropriate.

We may also use any of the personal information we collect to (1) generate pseudonymous or other proprietary identifiers and use them for any of the purposes described in this Privacy Policy (for example, creating, using and sharing an encrypted hash of an email address you provided to us for our advertising purposes); and (2) generate anonymous or de-identified information and use it for any purpose.

3.    SHARING OF INFORMATION

We may share your personal information with vendors who assist us with the uses and disclosures described in this Privacy Policy, such as delivery services, analytics providers, marketing and advertising services, providers of payment services, providers of other support for our transactions (e.g., accounting services), and providers of technical services (e.g., data storage and customer relationship management databases). We generally require our vendors to provide at least the same or equal protection of user data as stated in this Privacy Policy.

Some of the vendors who help us (for example, those mentioned in the “Information Collected Automatically” section above) may view, edit, or set their own tracking technologies/cookies, some of which collect personal information.

We may also share, including by publicly posting on our online Services or other public online locations, certain content about us or our Services that you submit to us or otherwise make publicly available.  For example, we may repost content that you post about us on social media.

In the event of a business transaction, such as if we sell or transfer all or a portion of our business or assets (e.g., further to a merger, reorganization, liquidation, or any other business transaction, including negotiations of such transactions), we reserve the right to disclose any information we obtain through the Services. You acknowledge that such transfers may occur and are permitted by this Privacy Policy.  To the extent legally permitted, the acquiring party may use the information pursuant to their own privacy policy instead of this one.

We may also disclose personal information when required by subpoena, search warrant, or other legal processes, or in response to activities that are unlawful or a violation of Chipotle’s rules for use of the Services, or to protect and defend the rights or property of Chipotle or others.  This may involve the disclosure of personal information to law enforcement, other governmental entities, or other third parties, depending on the circumstances.

4.    RETENTION OF INFORMATION

We retain personal information to achieve the purposes for which the information was collected. In certain cases, we may need to retain personal information for purposes required under applicable law, for tax or audit purposes, or for other purposes permitted under law.

5.    SECURITY

Although we use various security measures as part of an effort to protect your personal information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction, these measures may fail or be insufficient. No collection, transmission, storage or other handling of personal information is completely secure (whether online or offline), and we cannot guarantee the security of your information.

6.    CHILDREN’S PRIVACY

The online Services are not intended for, and are not intentionally targeted to, children under 13, and we do not knowingly request or collect personal information from any person under 13 years of age through the Services. If we learn that the online Services have received personal information directly from a child who is under the age of 13, we will delete the information in accordance with applicable law.

7.    YOUR CHOICES

To update certain personal information we have about you, or if you wish to change certain preferences (including certain communication preferences), (1) log into your registered website or App account and change your account settings (including location tracking), (2) change your device’s settings for our Apps, or (3) contact us as described at the end of this Privacy Policy.  If you no longer want us to collect information through the App, please uninstall it.

Many web browsers are set to accept cookies by default, but you also may be able to set your browser to notify you before you receive a cookie, or to remove or reject cookies. Disabling all cookies completely may affect the availability and functionality of our online Services and other websites. If you would like to delete cookies or change the settings on your web browser to delete or refuse cookies, please visit the Help pages of your web browser such as those listed below, but note that our Services do not respond to browser-based privacy signals, such as do-not-track signals:

To limit our collection of data via Google Analytics on our websites, visit the sites only from browsers on which you have installed Google Analytics’ opt-out browser add-on.  Google also provides certain controls for interest-based Google ads in the Google Ads Settings.  Certain preferences for some of the Nielsen tools we use can be adjusted here and here.

To find out more about how some third-party services manage the privacy of information in conjunction with delivering ads online, and how to opt out of certain collection or uses of information by certain participating companies, visit http://www.youradchoices.com, http://www.aboutads.info/appchoices, http://www.networkadvertising.org, or https://www.networkadvertising.org/mobile-choice. We are not responsible for the opt-out process of third parties.

You should repeat the preference options described above from each device and browser that you use in connection with our Service, and repeat them again in a particular browser or device if you clear cookies or reset the browser. 

Certain state residents have additional rights and choices, as described in the next section.

8.    NOTICE TO CALIFORNIA RESIDENTS

The following section provides detailed information applicable to California residents under the California Consumer Privacy Act (CCPA).

Collection, Use, and Disclosure of California Personal Information

During the 12 months leading up to the effective date of this Privacy Policy, we have collected all of the types of personal information described in Section 1 (“Collection of Information”) of this Privacy Policy.  During that period, we made the following disclosures of personal information about Californians for the purposes described in Section 2 (“Use of Information”) above:

| Category of personal information | Categories of third parties to which it was disclosed |
| --- | --- |
| Names, addresses, phone numbers, and email addresses and other identifiers | Affiliates, delivery services, marketing and advertising services, providers of payment services, transactional support providers, providers of technical services, governmental entities |
| Date of birth (month and year) | Affiliates, marketing and advertising services, and providers of technical services. |
| Records of your orders and other transactions with us | Affiliates, delivery services, marketing and advertising services, providers of payment services, transactional support providers, providers of technical services, governmental entities |
| Credit/debit/gift card number(s) and account information, including associated billing address(es) and expiration date(s) | Affiliates, delivery services, marketing and advertising services, providers of payment services, transactional support providers, providers of technical services, governmental entities (though in some cases a portion of the card number is shared instead of the entire number). |
| Employer and/or other company affiliations (e.g., employer names, titles, work addresses, and other contact information) | Affiliates, delivery services, marketing and advertising services, providers of payment services, transactional support providers, providers of technical services, governmental entities |
| Visual information | Affiliates, providers of technical services, and governmental entities. |
| Geolocation and restaurant location | Providers of technical services. |
| Other information described in the Information Collected Automatically section above (some of which is personal information) | Affiliates, delivery services, marketing and advertising services, providers of payment services, transactional support providers. |
| Other information you provide to us, including user-generated content and information provided via surveys, focus groups, and/or other marketing research efforts | Affiliates, delivery services, marketing and advertising services, providers of payment services, transactional support providers. |
| Inferences | Affiliates, delivery services, marketing and advertising services, providers of payment services, transactional support providers. |

 

During the 12 months leading up to the effective date of this Privacy Policy, we “sold” (as that term is defined under the CCPA), commercial information (transaction data), payment card information, and internet or other network or device activity (like a record of a browser’s visit to our website) to market and advertise services to assist with such activities.  We do not “sell” personal information if we have actual knowledge that the consumer is less than 16 years of age.

Your CCPA Information & Deletion Rights

The CCPA allows you to request us to:

  • Inform you about the categories of personal information we collect or disclose about you; the categories of sources of such information; the business or commercial purpose for collecting your personal information; and the categories of third parties with whom we share/disclose personal information.
  • Provide access to and/or a copy of certain personal information we hold about you.
  • Delete certain personal information we have about you.

If you would like to exercise any of these rights, you may submit your request by completing our CCPA Data Request Form or contacting us by phone at 833-506-0473.

Please note that certain information may be exempt from such requests under California law.  For example, we need certain information to provide our Services to you.  We also will take reasonable steps to verify your identity before responding to your request, which may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, verifying your name, email address, and other information regarding your use of the Services (e.g., date of last purchase or last 4 digits of a payment/gift card).

While you have the right to make a deletion request at any time, kindly note that processing this right may cause you to lose any promotional offers that would have been provided as a result of maintaining your deleted Chipotle Rewards account.  This may include any benefit provided through the exclusive use of a Rewards account, like any accrued points, prizes, and promotional coupons.

Your CCPA Right to Opt Out of “Sale” of Personal Information

Californians have a right to direct us not to “sell” certain personal information as that term is defined under the CCPA.  You can exercise that right by performing BOTH of the following steps:

1.    Follow the instructions on our CCPA Do Not Sell Request Form

2.    OR contact us by phone at 833-506-0473 to make a general do-not-sell request. We may take reasonable steps to verify the validity of your request. 

Requests Made by Agents 

If you are an agent making a request on behalf of a consumer, we reserve the right to take steps to verify that you are authorized to make that request, which may include requiring you to provide us with written proof such as a notarized authentication letter or a power of attorney, as stipulated by applicable state law.  As part of the process, we may additionally require the customer to verify their identity directly with us. For security and legal reasons, Chipotle will reject requests that require us to access third-party websites or services.

 

Because opt-out requests for sales made through cookies and related technology must be performed from each browser that is used to access our Services, it is easiest for the consumer to perform such opt-outs themselves.  However, if a consumer wishes for an agent to perform browser-based requests on their behalf, the consumer may arrange for the agent to use the consumer’s browser to make such requests.  We are not responsible for the security risks of this or any other arrangements that a consumer may have with an agent.  For clarity, this is not permission for any user to share their login credentials with an agent or any third party.  Such sharing is a violation of our Terms of Use and is not required for an agent to make requests under this Privacy Policy.

Nondiscrimination

You also have the right not to receive “discriminatory treatment” (within the meaning of the CCPA) for exercising CCPA rights.

Notice of Financial Incentives

The Chipotle Rewards Program lets participants earn or otherwise receive rewards (e.g., free entrees) and discounts, in return for registering and/or making purchases, including:

  • Spend-based incentives, where you earn credit based upon spend levels
  • Discounts and free products offered for frequent visitors 
  • Periodic promotional discounts and offers

You can sign up for the Rewards Program by registering on our website or through the Chipotle app.  Registration requires you to provide your name, email address, telephone number, and (optionally) your day and month of birth.  We will then associate that and other categories of personal information with your Rewards Program account, such as other unique identifiers, purchase history, geolocation data, preferences you provide (e.g., favorite Chipotle restaurants), and stored payment methods.  Note that we also may collect all of this information outside the context of the Rewards Program.

Full terms for the Rewards Program are available here.

You may withdraw from the Rewards Program at any time and forfeit any ongoing incentives by contacting us using the contact information below.


While we do not and cannot assign a monetary value to the personal information we collect through the Rewards Program, we do benefit financially from the Rewards Program. For example, although we may lose immediate revenue when a member uses a discount, the positive experience may lead to an overall increase in visits to our restaurants.

Calculating the actual value that Chipotle generates from those efforts (whether in aggregate or by individual) or a monetary value of the personal information involved is impossible. There are many reasons for this:

·      First, the information is of no monetary value by itself, as Chipotle achieves personal information-related benefits only when the information is used in combination with, and in the context of, other aspects of our business such as (1) high-quality marketing efforts, (2) the compelling financial components of our Rewards Program that do not require use of the personal information, such as the ability to earn discounts and rewards, (3) the high quality of our food and service, and (4) the proximity of our restaurants to Rewards Program members. 

·      Second, we can’t precisely determine the motivating factors of any specific purchase, or the relative weights of each factor.  Even if somebody redeems a coupon we sent to the contact information they supplied during Rewards Program registration, we can’t determine whether they would have made the same purchase on the same day even without the coupon.  In a lot of households, Tuesday is taco Tuesday – coupon or not.

·      Third, the level of engagement with our uses of personal information varies among Rewards Program members. For example, some members may read a lot of our marketing content, while others have unsubscribed and never see any. Some live next door to one of our restaurants, while others are out of delivery range.

·      Fourth, the dining habits of our Rewards Program members appear to vary significantly.

·      Fifth, not all members link their purchases to their Rewards Program membership, so we can’t identify all purchases by Rewards Program members, let alone which ones were influenced by their participation in the program.

For these reasons, we estimate that the value of the personal information collected for the Rewards Program would be less than the value the individual receives from their participation in the Rewards Program.

Other California Law

Subject to certain limitations under California’s Shine the Light law, residents of the State of California may contact us as described at the end of this Privacy Policy to request a list of third parties to whom we disclosed certain personal information for those third parties’ direct marketing purposes during the preceding year. The information we will provide will describe our general practices in the prior calendar year and will not be specific to you. 

Your request should indicate that you are a California resident, and you must provide your full current California address, to which we will send our response. Your inquiry must specify “Shine the Light Request” in the subject line of the email or the first line of the letter, and include your California address. We are only required to respond to one such request per individual each year.  We may take reasonable steps to verify your identity and the authenticity of the request.

9.    LINKS TO OTHER WEBSITES AND SERVICES

The Services may offer links to websites and other services that are not maintained by Chipotle. By visiting one of these linked websites or services, you are subject to their privacy and other policies. We are not responsible for, or able to monitor or control, the policies and practices of other companies.

10. CHANGES TO CHIPOTLE’S PRIVACY POLICY

From time to time, Chipotle may change this Privacy Policy. Changes will be indicated by the “Last Updated” date at the top of this page.

11. CONTACT US

For questions or concerns about this Privacy Policy or our privacy practices, you may contact our Privacy Team at privacy@chipotle.com or via postal mail at:

Attn: Privacy Officer
Chipotle Mexican Grill, Inc.
610 Newport Center Dr.
Newport Beach, CA 92660

