Privacy Policy
This Privacy Policy describes how [website] (“we”, “us”, or “our”) collects, uses, discloses, and protects personal information when you use our online ordering website, mobile-optimized pages, account features, and related digital services (collectively, the “Service”). By accessing or using the Service, you acknowledge this Policy. If you do not agree, please do not use the Service.
This Policy is intended to be read together with our Terms of Service and, if you submit health-related order information (such as allergy or dietary instructions), our separate Consumer Health Data Privacy Notice.
1. Scope and Applicable Laws
This Policy applies to personal information we collect through the Service when you browse our menu, place an order for pickup, delivery, or dine-in, create an account, contact customer support, or interact with marketing communications. It does not apply to third-party websites, payment processors, or services that we link to but do not operate.
We provide the disclosures and rights described below consistent with applicable U.S. federal and state privacy laws, including (as applicable to the residence of the consumer and to our processing activities):
- California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA, Cal. Civ. Code §§ 1798.100 et seq.);
- Virginia Consumer Data Protection Act (VCDPA);
- Colorado Privacy Act (CPA);
- Connecticut Data Privacy Act (CTDPA);
- Utah Consumer Privacy Act (UCPA);
- Texas Data Privacy and Security Act (TDPSA);
- Oregon Consumer Privacy Act (OCPA);
- Delaware Personal Data Privacy Act (DPDPA);
- Iowa, Indiana, Montana, Tennessee, New Hampshire, New Jersey, Maryland, Minnesota, Nebraska, Kentucky, and Rhode Island comprehensive privacy laws (as in effect);
- Washington My Health My Data Act (RCW 19.373), Nevada SB 370, and Connecticut consumer health data provisions (for consumer health data);
- Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501 et seq., and the FTC’s 2025 amendments;
- California Online Privacy Protection Act (CalOPPA); and
- Other U.S. state and federal privacy or data-protection laws as applicable.
Applicability of any given law depends on the consumer’s residence and on the thresholds and exceptions in the law. Not every right described below is available to every consumer.
2. Categories of Personal Information We Collect
We collect the following categories of personal information, organized to align with the CCPA/CPRA categories and the comparable concepts in other state privacy laws:
| Category | Examples | Sources | Purposes | Disclosed To | “Sold” or “Shared”? | Retention |
|---|---|---|---|---|---|---|
| Identifiers | Name, email, phone, mailing/delivery address, account login, unique device identifiers, IP address. | Directly from you; automatically from your device. | Operate the Service; fulfill orders; account management; security; communications. | Service providers; payment processors; delivery partners; affiliates. | No sale. May be “shared” for analytics where opt-out applies. | Duration of account + 7 years (tax/accounting) or as required by law. |
| Commercial Information | Order history, items viewed, dietary preferences and allergen notes you provide, loyalty balances, gift card balances, tips. | Directly from you; from our systems during ordering. | Fulfill orders; maintain order history; loyalty program; service improvements. | Service providers; affiliates; payment processors. | No sale. No share for cross-context behavioral advertising of this category. | Duration of account + 7 years or as required by law. |
| Payment Information | Last four digits of card, card brand, authorization status, tokenized references. We do not store full payment card numbers on our systems. | From you and from our PCI-DSS compliant payment processor. | Authorize and complete payment; chargeback and fraud handling. | Payment processors; card networks; fraud-prevention vendors. | No sale; not shared for advertising. | As required by PCI-DSS and applicable law (typically 7 years). |
| Internet / Network Activity | Browser type, operating system, referring URL, pages viewed, session timestamps, interactions, error logs. | Automatically through cookies, pixels, log files. | Operate, secure, troubleshoot, and improve the Service; measure performance. | Hosting and analytics providers. | No sale as defined under applicable state privacy laws. May be “shared” or constitute “targeted advertising” if analytics or advertising cookies are enabled; you may opt out via the methods in Section 6 and the “Your Privacy Choices” link in the footer of the Service. | Up to 24 months for analytics; shorter for security logs unless under legal hold. |
| Geolocation | Approximate location from IP; precise location only with explicit device permission (for pickup/delivery). | From your device and IP. | Identify nearest location; estimate delivery; fraud prevention. | Mapping and delivery partners; service providers. | No sale; not shared for advertising. | Duration of session for precise location; aggregated logs up to 24 months. |
| Health-Related Order Instructions | Allergy notes (e.g., “nut allergy”), dietary restrictions (e.g., gluten-free, vegan, kosher, halal), accessibility needs, and similar instructions you choose to provide. | Directly from you at checkout or in your account profile. | Prepare and fulfill your order safely; staff communication; refund or replacement handling. | Staff and contractors of the establishment processing your order; service providers as needed for fulfillment. | Never sold. Never shared or used for targeted advertising. | Retained on the specific order record; aggregated patterns may inform menu planning without identifying you. |
| Communications | Customer-support messages (email, chat, SMS, in-app). | Directly from you. | Respond to inquiries; quality assurance; disputes. | Support tools; service providers. | No sale; not shared for advertising. | Up to 3 years unless under legal hold. |
| Inferences | Favorite items, visit frequency, ordering habits. | Derived from the above. | Personalize content and offers; improve the Service. | Service providers; affiliates. | No sale. Disclosed to service providers for personalization; not “shared” for cross-context behavioral advertising unless advertising personalization is enabled; you may opt out via the methods in Section 6. | Duration of account. |
Sensitive Personal Information. CCPA/CPRA defines certain categories as “sensitive personal information,” including precise geolocation and certain categories of health data. To the extent we process precise geolocation or health-related order instructions, we use those data only for the purposes set out above (primarily order fulfillment) and not for the purpose of inferring characteristics about you. You may request that we limit the use and disclosure of sensitive personal information as described in Section 8.
What we do not collect. We do not knowingly collect Social Security numbers, driver’s license numbers (except where required by law to verify age for restricted items), financial account passwords, genetic or biometric data, immigration status, or information about race, religion (other than dietary practice information you voluntarily provide for fulfillment), sexual orientation, or union membership.
3. How We Collect Information
- Directly from you — account creation, order placement, forms, communications.
- Automatically — cookies, pixels, log files, and similar technologies.
- From third parties — payment processors, delivery partners, analytics providers, and fraud-prevention services.
4. How We Use Information
- Process and fulfill your orders, including payment authorization, preparation, pickup, or delivery.
- Manage your account, save preferences, and recognize you on return visits.
- Communicate order confirmations, receipts, status updates, and customer-service responses.
- Send promotional communications, offers, and loyalty rewards — only consistent with your preferences and applicable consent rules.
- Detect, investigate, and prevent fraud, security incidents, and abuse.
- Analyze usage to maintain, troubleshoot, and improve the Service.
- Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.
We do not use health-related order instructions (such as allergy or dietary notes) for advertising, profiling, or inferences beyond what is necessary to fulfill your order, except with your separate consent.
5. Cookies and Tracking Technologies
The Service uses the following categories of cookies and similar technologies:
- Strictly necessary — cart, session, authentication, security. Cannot be disabled without breaking the Service.
- Functional — preferences, language, accessibility settings.
- Analytics / performance — usage measurement and error monitoring (for example, Google Analytics or similar). Used to understand and improve the Service.
- Advertising — only with consent where required, and only where enabled by the establishment.
You can manage cookies through your browser settings or, where available, through the cookie-preference center linked in the Service footer. Blocking strictly necessary cookies will prevent the Service from functioning correctly.
Universal opt-out signals. We honor recognized browser-based opt-out signals, including the Global Privacy Control (GPC), where required by applicable law. When we detect a recognized GPC signal from your browser, we treat it as a valid request to opt out of any “sale” or “sharing” of your personal information and out of processing for targeted advertising for the browser and device, to the extent required by law.
6. How We Share Information; “Sale” and “Sharing”
We disclose personal information to the following categories of recipients, only as necessary for the purposes described above:
- Service providers / processors — payment processors, hosting providers, analytics vendors, delivery partners, SMS/email providers, and customer-support tools, each bound by contractual confidentiality and data-protection obligations.
- Affiliates — entities under common ownership or control with us, for the same purposes described in this Policy.
- Legal and safety — law enforcement, regulators, or other parties when required by valid legal process, to protect rights, property, or safety, or to investigate fraud or violations of our Terms.
- Business transfers — counterparties to a merger, acquisition, financing, reorganization, or sale of assets, subject to standard confidentiality protections.
We do not sell personal information as “sell” is defined under applicable state privacy laws. To the extent our use of advertising, analytics, or measurement tools constitutes a “sale,” “sharing,” or “processing for targeted advertising” under California, Colorado, Connecticut, Virginia, or similar state law, you may opt out at any time by (a) using the “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link in the footer of the Service; (b) enabling a recognized universal opt-out signal such as Global Privacy Control; or (c) contacting us using the methods in Section 13.
We do not knowingly sell or share for cross-context behavioral advertising the personal information of consumers under 16 without affirmative consent (opt-in) as required by CCPA/CPRA.
7. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, including to provide the Service, comply with our legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. Indicative retention periods are shown in the table in Section 2; actual retention depends on the data category, legal requirements, and any applicable legal hold. We delete or de-identify personal information when it is no longer required.
8. Your Privacy Rights
Depending on where you live, you may have the following rights regarding your personal information:
| Right | What it means |
|---|---|
| Right to Know / Access | Request confirmation of whether we process your personal information and request a copy of the categories and specific pieces collected. |
| Right to Delete | Request that we delete personal information we have collected from you, subject to legal exceptions. |
| Right to Correct | Request that we correct inaccurate personal information we maintain about you. |
| Right to Data Portability | Request a portable copy of certain personal information in a commonly used electronic format. |
| Right to Opt Out of Sale / Sharing / Targeted Advertising | Opt out of the “sale” or “sharing” of personal information and out of processing for targeted advertising. |
| Right to Limit Use of Sensitive Personal Information | Where we use sensitive personal information for purposes beyond those permitted by law without your consent, you may direct us to limit such use. |
| Right to Non-Discrimination | We will not deny services, charge different prices, or provide a different level of service because you exercise your privacy rights, except where a financial-incentive program is permitted by law and disclosed. |
| Right to Appeal | If we deny your request, you may appeal our decision by replying to our written response within 60 days, and we will respond within 45 days. |
| Profiling / Automated Decision-Making | To the extent applicable law gives you the right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects, you may contact us. We do not currently use such profiling for our online ordering services. |
How to Submit a Request
You may submit a verifiable consumer request by either of the following two designated methods:
- Email: [contact.gcpcard@gmail.com] (with “Privacy Request” in the subject line)
We will verify your request by matching at least two data points (such as account email and order history) against records we maintain, proportionate to the sensitivity of the information requested. You may authorize an agent to submit a request on your behalf by providing the agent with signed written permission (and, in California, by also verifying your identity directly with us). We will acknowledge receipt within 10 business days where required by law and substantively respond within 45 calendar days (extendable by an additional 45 days where permitted, with notice to you).
8.1 Right to Appeal
If we decline to take action on your request, you may appeal by replying to our written denial within 60 days. We will respond to your appeal within 45 days and, if the appeal is denied, we will provide information on how to contact the applicable state Attorney General to lodge a complaint.
9. California-Specific Disclosures
9.1 “Shine the Light” (Cal. Civ. Code § 1798.83)
California residents who have an established business relationship with us may request, once per calendar year, information regarding our disclosure of certain personal information to third parties for those third parties’ direct-marketing purposes. To make such a request, email [contact.gcpcard@gmail.com] with “Shine the Light Request” in the subject line.
By opting in, you authorize us to collect the categories of personal information listed above for the purposes described, until you withdraw. You may request the underlying calculation or additional detail at any time by contacting [contact.gcpcard@gmail.com].
9.2 Notice of Right to Opt Out
Where required by California law, a “Do Not Sell or Share My Personal Information” and a “Limit the Use of My Sensitive Personal Information” link is provided in the footer of the Service.
9.3 Consumer Complaint Notice (Cal. Civ. Code § 1789.3)
The Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted in writing at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.
10. Consumer Health Data
If you provide allergy notes, dietary restrictions, accessibility instructions, or other health-related information through the Service, that information may constitute “consumer health data” under laws such as the Washington My Health My Data Act, Nevada SB 370, and the Connecticut Data Privacy Act’s consumer-health-data provisions. We provide a separate Consumer Health Data Privacy Notice that describes our collection, use, sharing, retention, and rights for consumer health data. To the extent of any conflict between this Policy and the Consumer Health Data Privacy Notice, the Consumer Health Data Privacy Notice controls for consumer health data.
11. Children’s Privacy
The Service is intended for adults. We do not knowingly collect personal information from children under 13 in violation of COPPA. Account creation, payment, and order placement are restricted to adults (see Section 2 of the Terms of Service). If you are a parent or guardian and believe a child under 13 has provided us with personal information, please contact us at [contact.gcpcard@gmail.com] so we can delete it. We do not knowingly sell or share for cross-context behavioral advertising the personal information of consumers under 16 without affirmative opt-in consent as required by applicable law.
12. Data Security
We use reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Payment information is transmitted using TLS encryption and processed by PCI-DSS compliant payment partners. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
13. Third-Party Links and Services; Accessibility
The Service may contain links to third-party websites, payment processors, or social-media platforms that operate under their own privacy policies. We are not responsible for the privacy practices of those third parties; we encourage you to review their policies before sharing personal information with them.
For our commitment to digital accessibility, please see the Accessibility section of our Terms of Service.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Effective Date” date, where appropriate, provide additional notice (for example, by email or a prominent notice on the Service). Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the changes.
15. Contact Us
If you have questions about this Policy or wish to exercise your privacy rights:
General Email: [contact.gcpcard@gmail.com]