Privacy Policy

 This Privacy Policy describes how Kyma Inc.  and its subsidiaries and affiliates in Canada (“Kyma”, “we”, “our”, “us”) may collect, use, and disclose personal information of visitors who access or interact with our mobile application (“App”) or our websites (“Websites”) that link to this Privacy Policy, as well as other personal information that we collect about our customers.  The App, those Websites, our restaurants, and our related service offerings are referred to in this Privacy Policy as our “Services.”  Please note, this Privacy Policy is applicable to consumers in Canada. We maintain separate privacy policies for our Canadian employees and job applicants.

Collection Notice

We collect personal information as detailed below and elsewhere in this Privacy Policy. When you provide your personal information to us, you agree that we may collect, use and disclose it as described in this Privacy Policy.  To learn more, including how you can opt-out of the collection, use or disclosure of your personal information, please see the “Your Canadian Privacy Rights” section below.

We retain personal information to achieve the purposes for which the information was collected. In certain cases, we may need to retain personal information for purposes required under applicable law, for tax or audit purposes, or for other purposes permitted under law.

This Privacy Policy includes the following sections:

1. Collection of Information
2. Use of Information
3. Sharing of Information
4. Retention of Information
5. Security
6. Children’s Privacy
7. Interest-Based Advertising and Cookies - Your Choices
8. Your Canadian Privacy Rights
9. Changes to Kyma’s Privacy Policy

 1.    COLLECTION OF INFORMATION

For the purposes of this policy, “personal information” means any information about an identifiable individual including, without limitation, your name, address, telephone number, and email address. Personal information does not include deidentified or aggregated consumer information that Chipotle does not attempt to reidentify. We collect and use your personal information when you:

• Visit one of our restaurants
• Visit our Website or use our App
• Order through our Website or App
• Sign-up to receive our marketing communications
• Contact Us with a comment, question or complaint
• Use the Find a Location feature on our Website or App
• Restaurant Purchases: You do not have to provide us with any personal information when you pay using cash at one of our restaurants. If you use a credit or debit card, we collect your debit or credit card-related information and your signature to process and administer your payment. We may also use video surveillance (e.g. CCTV) in our restaurants for quality assurance, loss prevention, safety, and security purposes. If you order catering through a local restaurant, we also collect the delivery address.
• Ordering Online: If you place an individual or group order through our Website or App, you will be asked to provide your first and last name, email address, phone number, payment card information, and, optionally, your accessibility and nutrition preference for pick-up orders.  If you place an order for delivery, you will be asked for the physical address you would like the order delivered to. We may also offer you the ability to order through a third-party food delivery service, in which case we obtain your information from the third party in order to fulfil your order.
• Contests, Promotions, Surveys, Focus Groups, or other Market Research: If you enter a contest or participate in a promotion, we or a third party we retain to provide these services on our behalf, may, with your consent, collect your name, address, email address, phone number, and any additional information or content required for the contest or promotion (such as information you post on social media). We use this information to administer your participation in the contest or promotion, including prize fulfillment. As part of a contest or promotion, we may obtain your consent to share or otherwise publish the content you submit. You may provide these same data elements to us (or a party retained by us) when you participate in surveys, focus groups, or market research, and you may also share additional information generated by your participation in the surveys, focus groups, and/or other marketing research efforts. We may use the information you share with us a result of your participation in a survey, focus group, or other marketing research efforts to personalization your experience with our Services and to send you personalized advertising.
• Contact Us: When you contact us with a comment, question or complaint, you may be asked for information that identifies you, such as your name, address and a telephone number, along with additional information we need to help us promptly answer your question or respond to your comment.  We may record or create transcripts of your calls to us, your emails to us, or any other method by which you connect with us and may retain the information disclosed during these interactions to assist you in the future, to improve our customer service and service offerings, to meet our legal obligations or to protect our legal interests, as well as for other business purposes that are detailed in this Privacy Policy. We may also use vendors to provide these services which means these vendors may have to access to these recordings or transcripts, including in real time. Please also note that if you contact us or we engage with you through Google Business Messages, Facebook Messenger, or similar, your communications with us and any personal information you share with us through those platforms is subject to the terms of use and related privacy policies provided by those platforms.
• Find a Location / Location Nudges: If you search for a restaurant on our Website or in the App, we collect your postal code or city and province, or, if you choose to provide it, your device’s precise geolocation, in order to provide you with information on nearby restaurants and to ensure you are on your way to the correct location when you have placed a digital order for pickup. When you give the App permission to collect your precise geolocation, the App may use your mobile device’s location services to collect real-time information about the location of your device (using GPS, WiFi, Bluetooth or other methods, including in store beacons) to provide requested location services and ensure your orders are placed at the correct location.  Kyma does not retain, store, or use your precise geolocation beyond what is necessary to fulfill the purposes identified in this section. However, Kyma does retain general location data such as your postal code, city, and province, and this general location data may be used to identify an audience for targeted advertising.

Information Collected Automatically

We may collect certain information about you automatically when you visit or use our online Services, or when you interact with emails, advertisements, or other electronic messages we send to you through the Services. This information may include your IP address, device characteristics (including device identifiers), web browser characteristics, unique identifiers and other data stored in cookies, operating system details, language preference, referring URLs, length of visits, pages viewed, and other information that may be automatically accessible to us from your browser or device.

We and our vendors may automatically collect this information using various tools and technologies such as cookies, web server logs, tags, beacons, SDKs, pixels, local storage, JavaScript, APIs, session replay/screen capture (i.e., how you use and navigate the services, but not your keystroke data), and other similar technologies.  Additional information on other technologies we may use is set forth below in the section titled: Interest-Based Advertising and Cookies - Your Choices.

We may also use certain third-party web and mobile app analytics services – including but not limited to Google Analytics, Adobe Analytics, Branch Analytics, and Facebook Custom Audiences – to help us understand and analyze how visitors use the online Services (including session replay) and serve ads on our behalf across the Internet and in different channels (including on the web, in mobile apps, on out-of-home digital surfaces, and in connected TV apps). We also use these services for remarketing, interest-based advertising, demographics and interests reporting, user segment analysis, look-alike modeling and impression reporting. We and third-party vendors may use first-party cookies or other first-party identifiers as well as third-party cookies or other third-party identifiers to provide Kyma with insight into behaviour information relating to inferred visitor age range (e.g., GenZ, Millennial, GenX, etc.), your interests, and to deliver advertisements to you, create a profile of you, measure your interests, detect your demographics, personalize content, and detect and associate online and offline behaviors such as site visitation, dwell time and actions taken.

For more information on how the Google Marketing Platform uses the data collected through the online Services, visit: www.google.com/policies/privacy/partners/.

Some of the technology described above is used by us or our partners to correlate information collected about you over time and across websites or online services.

Please review Section 7, Interest-Based Advertising and Cookies - Your Choices, for additional information about how you can manage the use of these technologies.

Information Collected From Third Parties

Our vendors (who may include data brokers) and other third parties may share with us your personal information. For example, if you order food or catering, order gift cards, make a purchase for merchandise, make a payment, or provide feedback on your experiences, you may submit personal information to one or more third parties that may share your information with us, based on their privacy policies and terms of use.

In some circumstances, we also may collect information about you from publicly-available sources, including content about our Services that you make publicly available on third-party websites (e.g., social media platforms).  We or vendors assisting us may also receive information from geolocation data providers to help us understand aggregate visit patterns in restaurant markets of interest, but these providers get the location data from sources other than our own App and Websites.   

Additionally, for certain features of the online Services, you may log in through your third-party social media account or share content from the online Services through third-party social media platforms.

We may combine information that we collect from and about you. When you submit information to a third party, you are subject to that third party’s terms of use and privacy policies, for which we are not responsible.

2.    USE OF INFORMATION

We may use personal information we obtain about you for the following purposes:

Business Purposes

• communicate with you regarding our restaurants and other Services;
• respond to your requests or inquiries;
• register you for accounts on the Services;
• process payment information for online food orders or online purchases through our merchandise or gift card store;
• process your fundraiser applications;
• provide you with search results for a restaurant on our Website or in the App, or, if you choose to provide it, your device’s precise geolocation, in order to provide you with information on nearby restaurants and to ensure you are on your way to the correct location when you have placed a digital order for pickup;
• maintain healthy and safe conditions in our restaurants;
• address legal matters;
• prevent, investigate, identify, stop, or take any other action with regard to suspected or actual fraudulent or illegal activity, claims or other liabilities, or any activity that violates our policies;

Commercial Purposes

• facilitate and personalize your user experience and improve the Services;
• conduct statistical analysis of the content, layout, and features of the Services for our marketing purposes;
• register you for our email and postal mailing lists or for promotions or offers conducted in connection with the Services;
• send marketing information to you, such as promotional offers or information about new product offerings, programs, or restaurant openings;
• advertise to you both on and off the Services, which may include tailoring ads to your interests and measuring the performance of our ad campaigns;
• make inferences about you or members of your household based on your device; or
• for any other purpose, with your consent where appropriate.

We may also use any of the personal information we collect to generate and use anonymous or de-identified information about our customers for commercial purposes.

3.    SHARING OF INFORMATION

Information Shared By You

When you post or comment on social media or interact with the Services this content may be visible to the public.  We or our vendors may analyze or share certain content that you post or make available, including by publicly posting on our online Services or other public online locations.  For example, we may repost content that you post about us on social media. We may also use any of the information you share for analytics or for the business or commercial purposes described above.

Information Shared By Us

In order to provide you with the Services or for the business and commercial services described above, we may share your information with our affiliates, such as your name, address, phone number, email address, identifiers, date of birth (month and day only, if you elected to provide us with this information), records of your orders and other transactions with us, credit/debit/gift card number and account information (including associated billing addresses and expiration date), information described in the Collection of information and Information Collected Automatically sections above (some of which is personal information, inferences, and other information you provide to us, including user-generated content and information provided via surveys, focus groups, and/or other marketing research efforts).

We may share your personal information (including all the information listed in the preceding paragraph) with vendors who assist us with offering the Services or as otherwise described in this Privacy Policy, such as delivery services, analytics providers, marketing and advertising services (including to provide you with targeted, personalized advertising), providers of payment services, providers of other support for our transactions (e.g., accounting services), providers of technical services (e.g., data storage and customer relationship management databases), providers of outsourced customer service. We generally require our vendors to provide at least the same or equal protection of user data as stated in this Privacy Policy.  Some of our vendors (for example, those mentioned in the Information Collected Automatically section above) may view, edit, or set their own tracking technologies/cookies on our Services.  When our vendors’ cookies run on our Services they may collect identifiers such as your IP address, Cookie ID, Device ID, and Pixel ID; network activity information such as HTTP header information, button click data, referring website activity; and location data.

In the event of a business transaction, such as if we sell or transfer all or a portion of our business or assets (e.g., further to a merger, reorganization, liquidation, or any other business transaction, including negotiations of such transactions), we reserve the right to disclose any information we obtain through the Services. You acknowledge that such transfers may occur and are permitted by this Privacy Policy.  To the extent legally permitted, the acquiring party may use the information pursuant to their own privacy policy instead of this one.

We may also disclose personal information when required by subpoena, search warrant, or other legal processes, governmental request, or in response to activities that are unlawful or a violation of Kyma’s rules for use of the Services, or to protect and defend the rights or property of Kyma or others.  This may involve the disclosure of personal information to law enforcement, other governmental entities, or other third parties, depending on the circumstances.

We may share your information for other purposes as disclosed at the time you provide your information or otherwise with your consent.

4.    RETENTION OF INFORMATION

We retain personal information to achieve the purposes for which the information was collected. In certain cases, we may need to retain personal information for purposes required under applicable law, for tax or audit purposes, or for other purposes permitted under law.

5.    SECURITY

We are committed to the protection of your personal information from unauthorized access or use. We will use reasonable organizational, physical, technical and administrative measures to protect personal information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure,

6.    CHILDREN’S PRIVACY

The online Services are not intended for, and are not intentionally targeted to, children under 16, and we do not knowingly request or seek to collect personal information from any person under 16 years of age through the Services. If we learn that the online Services have received personal information directly from a child who is under the age of 16, we will delete the information in accordance with applicable law.

7.    INTEREST-BASED ADVERTISING - YOUR CHOICES

Our Website may store or retrieve information on your browser, mostly in the form of cookies. A cookie is a small piece of data (text file) that a website – when visited by a user – places on your device to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. Chipotle uses first-party cookies mainly to make the site work as you expect it to. For example, we use the information we collect through first-party cookies to allow you to navigate between pages efficiently, analyze how well our website is performing, and understand the content that you found most helpful based on the amount of time you spent reviewing that content.

We also incorporate cookies and similar technologies, such as pixels, tags, and web beacons, from outside Kyma’s domain (“third-party cookies”).  Third-party cookies gather information to enable our vendors to provide a range of services to us, including targeting ads and measuring the success of our advertising campaigns. 

We also use cookies and other tracking technologies to display advertisements about our products to you on nonaffiliated websites, applications, and online services. This is known as “targeted advertising”. We do not use personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning individuals.

Below is a detailed list of the categories of first and third-party cookies we use on our Website. You can prevent the collection of data by Non Essential Targeting, Social Media, Analytics & Functional Cookies by clicking on “Your Privacy Choices” in our Website footer and toggling off the related functionality. 

Essential Cookies. 

Essential cookies are necessary for the Website to function properly and cannot be switched off in our systems. They are usually only set in response to a visitor’s request for services, such as a visitor setting their privacy preferences, logging in, or filling in forms. For web-initiated cookies, you can set your browser to block or alert you about these cookies, but blocking these cookies will prevent the site from working correctly or might prevent the site from working at all.

 Non Essential Targeting, Social Media, Analytics, & Functional Cookies.

Targeting and Social Media third-party cookies may be set through our Website by our advertising partners, and by social media partners that we have added to our Website to enable you to share our content with your friends and networks. We also may use certain first-party cookies to send you personalized and targeted advertising. The cookies may be used by those companies to build a profile of your interests and show you advertisements on other websites based on those interests. They may track your browser across other websites and create a profile of your interests.

Analytics cookies allow us to count visits to our Website and understand traffic sources (the website you came from) so we can measure and improve the performance of our Website. They help us to know which pages are the most and least popular and see how visitors move around our Website. We may collect identifiers, such as a session ID that is automatically generated when a visitor lands on our Website, visitor’s IP address, the device identifier of the device a visitor used to visit our Website, and activity on our Website associated with these identifiers, and similar information. We will disclose this type of information to third party service providers to help us run these analytics.

Functional cookies enable our Website to provide enhanced functionality and personalization for visitors and may help provide more specialized, but non-essential, services that a visitor requests and to collect and “remember” visitor choices and preferences (e.g. what language the visitor prefers, user name and password to allow automatic log in, what region a user is located in). Functional cookies may be set by us or by third party service providers whose services we have added to our Website.

You can control and manage cookies associated with your browser. If you are interested in controlling and managing cookies from your browser including any set by our Website, please refer to http://www.allaboutcookies.org/manage-cookies/index.html for information on different ways to configure your browser’s cookie settings.

Please note, any reference to third party links, programs, or software are provided for your convenience and consideration without implied or express endorsement or warranty from us. As with any third-party service, you should assess the provider’s policies and practices before using the service.

To update certain personal information we have about you, or if you wish to change certain preferences (including certain communication preferences, such as your receipt of push notifications), (1) log into your account on our Website or within your instance of our App and change your account settings (including location tracking) with the “Personal & Preferences” section, (2) change your device’s settings for our App, or (3) contact us as described at the end of this Privacy Policy.  For most mobile devices, you can disable the collection of geolocation information by turning off location services on your device. 

8.   YOUR CANADIAN PRIVACY RIGHTS

The Personal Information Protection and Electronic Documents Act (PIPEDA) allows you to request us to:

• Provide a description of our uses and disclosures of your personal information.
• Provide you with access to and/or a copy of certain personal information we hold about you.
• Correct or supplement personal information we have about you that you can demonstrate is inaccurate or incomplete.

Under PIPEDA, you may withdraw your consent at any time to our collection, use and disclosure of your personal information, subject to legal and contractual restrictions. This includes the right to opt out of the disclosure of personal information, targeted advertising and profiling.

Nondiscrimination

We will not discriminate against you for exercising your privacy rights.

9. CHANGES TO KYMA’S PRIVACY POLICY

From time to time, Kyma may change this Privacy Policy. Changes will be indicated by the “Last Updated” date at the top of this page