Privacy Policy
This Privacy Policy explains how Guzman y Gomez ("we", "us", "our", or "the Company") collects, uses, discloses, stores, and protects your personal information when you visit our website at guzmaanygomez.com, use our mobile application, place orders, participate in our loyalty programs, or otherwise interact with our food services and platforms. We are committed to handling your personal information in a transparent, responsible, and lawful manner in accordance with applicable Australian privacy laws.
Please read this Privacy Policy carefully. By accessing or using our website, placing an order, or providing us with your personal information, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our services immediately.
1. About Us and Our Legal Obligations
Guzman y Gomez is a food service company operating in Australia. Our contact details are as follows:
| Company Name | Guzman y Gomez |
|---|---|
| Website | guzmaanygomez.com |
| Email Address | [email protected] |
We are bound by the Privacy Act 1988 (Cth) (the "Privacy Act") and the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act. These principles govern how organisations like ours must collect, use, disclose, store, and provide access to personal information. We take our obligations under Australian privacy law very seriously and have implemented robust measures to ensure full compliance.
In addition to the Privacy Act, we may also be subject to relevant state-based privacy legislation and, in certain circumstances where we interact with individuals located in other jurisdictions, applicable international privacy frameworks. Where our operations involve the handling of health information or other sensitive information, additional obligations may apply under the Privacy Act and related guidelines issued by the Office of the Australian Information Commissioner (OAIC).
2. What Personal Information We Collect
We collect a variety of personal information from and about you in the course of providing our food services, managing our digital platforms, and communicating with our customers. The types of personal information we collect may include the following:
2.1 Identity and Contact Information
- Full name and date of birth
- Postal and delivery addresses
- Email address
- Mobile and telephone numbers
- Username and account credentials (for registered accounts on our website or app)
- Profile photographs (where voluntarily provided)
2.2 Order and Transaction Information
- Details of food orders placed through our website, app, or in-store platforms
- Billing and payment information (note: full payment card details are processed by our secure third-party payment processors and are not stored by us directly)
- Order history and purchase preferences
- Dietary preferences, allergen disclosures, and food customisation details
- Loyalty program points, rewards, and redemption history
- Promotional codes and discount usage
2.3 Usage and Technical Data
- IP address and approximate geographic location derived from IP
- Browser type, version, and settings
- Operating system and device type
- Pages visited on our website, time spent on each page, and click-through data
- Referring URLs (the website you came from before visiting ours)
- Search terms used within our website or app
- Date and time stamps of visits and interactions
- App usage statistics and in-app behaviour data
- Crash reports and error logs
2.4 Location Data
- Precise GPS location data (only when you grant permission through your device settings, such as when using our store locator or delivery features)
- General location data inferred from your IP address or postcode
- Location history associated with delivery addresses you have provided
2.5 Communications and Feedback Data
- Messages, enquiries, and complaints submitted to us via email, contact forms, or customer service channels
- Survey responses and feedback submitted through our platforms
- Reviews and ratings you post about our food or services
- Social media interactions with our brand pages
- Records of communications for training and quality assurance purposes (where calls are recorded with prior notice)
2.6 Cookies and Tracking Data
We use cookies, web beacons, pixel tags, and similar tracking technologies to collect information about your browsing behaviour on our website and app. Please refer to Section 8 of this Privacy Policy for detailed information on our cookie practices and your options regarding cookies.
2.7 Sensitive Information
Under the Privacy Act, certain categories of information are classified as "sensitive information" and attract a higher level of protection. We do not intentionally collect sensitive information such as racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or criminal records. However, you may voluntarily disclose dietary information that could indirectly reveal information about your religious or cultural background (for example, halal or kosher dietary requirements). We treat such information with the utmost care and use it solely for the purpose of fulfilling your food orders. We will always seek your consent before collecting sensitive information where required by law.
3. How We Collect Your Personal Information
We collect personal information through a variety of channels, including:
- Directly from you: When you create an account, place an order online or in-store, join our loyalty program, contact us with an enquiry, complete a survey, or subscribe to our marketing communications.
- Automatically: Through our website, app, and related digital platforms using cookies, analytics tools, and other tracking technologies when you browse or interact with our content.
- From third parties: From delivery partners and third-party ordering platforms where you place an order with us through their services; from social media platforms when you interact with our brand pages or log in using a social media account; from analytics providers; and from publicly available sources.
- From our in-store systems: Through point-of-sale systems, loyalty card readers, and other in-restaurant technologies.
We only collect personal information that is reasonably necessary for our business functions. Where practicable, we give you the option to interact with us anonymously or by using a pseudonym, although this may limit the services we can provide to you.
4. How We Use Your Personal Information
We use the personal information we collect for the following primary purposes:
4.1 Providing and Managing Our Services
- Processing and fulfilling your food orders, whether placed online, via our app, or in-store
- Facilitating payment processing and issuing receipts or tax invoices
- Managing your customer account, loyalty program membership, and rewards
- Arranging and coordinating food delivery to your specified address
- Responding to your enquiries, complaints, and feedback promptly and effectively
- Providing customer support and resolving any issues related to your orders
- Verifying your identity and preventing fraud or unauthorised access
4.2 Improving Our Products and Services
- Analysing purchasing patterns and customer preferences to improve our menu offerings
- Conducting internal research, analytics, and reporting to understand how our platforms are used
- Monitoring and improving the performance, functionality, and security of our website and app
- Conducting quality assurance and training activities
- Developing new products, services, and features based on customer demand and feedback
4.3 Marketing and Communications
- Sending you promotional offers, special deals, and information about new menu items (where you have provided your consent or where otherwise permitted under the Spam Act 2003 (Cth))
- Personalising marketing communications based on your order history and stated preferences
- Conducting competitions, prize draws, and promotional campaigns
- Delivering targeted advertising through digital platforms and social media
- Sending service-related notifications such as order confirmations, delivery updates, and account alerts
You may opt out of receiving marketing communications from us at any time by clicking the "unsubscribe" link in any marketing email, adjusting your account notification settings, or contacting us directly at [email protected]. Please note that even if you opt out of marketing communications, we will continue to send you essential transactional communications related to your orders and account.
4.4 Legal and Compliance Purposes
- Complying with our legal obligations under Australian law, including tax, food safety, and consumer protection laws
- Detecting, preventing, and investigating fraud, security breaches, and other harmful or unlawful activity
- Enforcing our Terms of Service and other applicable agreements
- Responding to lawful requests from government authorities, law enforcement agencies, or courts
- Maintaining records as required under the Australian Consumer Law (ACL) and other applicable legislation
5. Disclosure of Personal Information to Third Parties
We may share your personal information with third parties in the following circumstances. We take care to ensure that any third parties with whom we share information are bound by appropriate confidentiality and data protection obligations.
5.1 Service Providers and Business Partners
We engage third-party service providers who assist us in operating our business and delivering our services. These may include:
- Payment processors: To securely process your payment transactions (for example, Stripe, PayPal, or similar providers)
- Delivery partners: Third-party delivery companies who deliver your food orders to your address
- IT and cloud infrastructure providers: Who host our website, app, and customer databases
- Analytics providers: Such as Google Analytics, who help us understand website traffic and user behaviour
- Email and SMS marketing platforms: Used to send promotional and transactional communications
- Customer relationship management (CRM) software providers: Who help us manage customer interactions
- Loyalty program technology providers: Who power our rewards and loyalty systems
- Legal, accounting, and professional advisors: Who provide advice in connection with our business operations
5.2 Third-Party Ordering and Aggregator Platforms
If you place an order with us through a third-party food delivery platform (such as Uber Eats, DoorDash, or Menulog), that platform will also collect and process your personal information in accordance with its own privacy policy. We encourage you to review the privacy policies of any third-party platforms you use to order from us.
5.3 Social Media Platforms
If you interact with our social media pages, participate in social media contests, or choose to log in to our website or app using your social media credentials, the relevant social media platform (such as Meta/Facebook, Instagram, or TikTok) may share certain information with us in accordance with their own terms and privacy policies.
5.4 Legal Requirements and Law Enforcement
We may disclose your personal information to government authorities, regulatory bodies, law enforcement agencies, or courts where we are required to do so by law, where disclosure is necessary to protect our legal rights or the rights and safety of others, or where we receive a valid legal request such as a subpoena or court order.
5.5 Business Transfers
In the event that Guzman y Gomez undergoes a merger, acquisition, restructure, sale of assets, or other business transaction, your personal information may be transferred to the relevant successor entity as part of that transaction. We will endeavour to notify you of any such transfer and any changes to this Privacy Policy that may result.
We do not sell, rent, or trade your personal information to unrelated third parties for their own marketing purposes without your explicit consent.
6. International Transfers of Personal Information
Guzman y Gomez primarily operates in Australia, and we store most of your personal information on servers located within Australia. However, some of our third-party service providers (including cloud infrastructure, analytics, and marketing platforms) may store or process data on servers located outside of Australia, including in countries such as the United States of America, the United Kingdom, and other regions.
Where we transfer personal information outside of Australia, we take steps to ensure that the overseas recipient handles your information in a manner consistent with the Australian Privacy Principles (APPs), or that the country to which the information is transferred has privacy laws that provide substantially similar protection to those in Australia. This may involve entering into contractual arrangements with overseas recipients that require them to handle your information in accordance with applicable Australian privacy standards.
By using our services and providing us with your personal information, you acknowledge that your information may be transferred to and processed in countries outside of Australia as described in this section. If you have concerns about international data transfers, please contact us at [email protected].
7. Data Security
We take the security of your personal information seriously and implement a range of technical, administrative, and physical safeguards to protect your information from unauthorised access, disclosure, alteration, loss, or destruction. Our security measures include, but are not limited to:
- Encryption: We use industry-standard SSL/TLS encryption to protect data transmitted between your device and our website and app. Sensitive data stored in our systems is encrypted at rest where appropriate.
- Access controls: Access to personal information within our organisation is restricted to authorised personnel who have a legitimate business need to access such information. We enforce role-based access controls and require staff to authenticate their identity before accessing sensitive systems.
- Password security: Account passwords are stored using secure hashing algorithms. We encourage all users to choose strong, unique passwords and to enable two-factor authentication where available.
- Regular security assessments: We conduct regular internal and external security audits, vulnerability assessments, and penetration testing to identify and address potential security weaknesses in our systems.
- Incident response: We maintain an incident response plan to enable us to promptly detect, respond to, and recover from data security incidents. In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
- Staff training: Our staff receive regular training on privacy and data security obligations and best practices.
- Vendor due diligence: Before engaging third-party service providers who will handle personal information on our behalf, we conduct appropriate due diligence to ensure they maintain adequate data security standards.
While we take all reasonable steps to protect your personal information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information. You also play an important role in keeping your information secure — please keep your account login credentials confidential and contact us immediately if you suspect unauthorised access to your account.
8. Cookies and Tracking Technologies
Our website and mobile app use cookies and similar tracking technologies to enhance your experience, analyse usage patterns, and deliver relevant content and advertising. A cookie is a small text file that is placed on your device when you visit our website. Cookies help us to remember your preferences, keep you logged in, and understand how visitors use our website.
8.1 Types of Cookies We Use
- Essential cookies: These cookies are strictly necessary for the operation of our website, enabling core functions such as secure login, shopping cart functionality, and payment processing. Our website cannot function properly without these cookies.
- Analytics and performance cookies: These cookies help us understand how visitors interact with our website by collecting anonymised information about page views, traffic sources, and user behaviour. We use this information to improve our website's performance and content.
- Functionality cookies: These cookies allow our website to remember your preferences and settings (such as your preferred store location or language settings) to provide a more personalised experience.
- Marketing and advertising cookies: These cookies track your browsing activity to enable us and our advertising partners to deliver targeted advertisements and promotional content that is relevant to your interests. They may also be used to limit how frequently you see a particular advertisement.
8.2 Managing Your Cookie Preferences
You can control and manage cookies through your web browser settings. Most browsers allow you to block or delete cookies. However, please note that if you disable essential cookies, certain features of our website may not function correctly. You may also opt out of interest-based advertising through industry opt-out tools such as the Network Advertising Initiative (NAI) opt-out tool or the Digital Advertising Alliance (DAA) opt-out tool.
For full details about the cookies we use, the specific third-party cookies on our platform, and how to manage your preferences, please refer to our dedicated Cookie Policy, which is available on our website at guzmaanygomez.com.
9. Data Retention
We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The specific retention period applicable to your personal information will depend on the nature of the information and the purpose for which it is held. As a general guide:
| Type of Information | Approximate Retention Period |
|---|---|
| Active customer account information | For the duration of your account plus 7 years after closure |
| Order and transaction records | 7 years (as required under Australian taxation and financial reporting laws) |
| Marketing communication preferences | Until you withdraw consent or unsubscribe, plus 3 years thereafter |
| Customer service and complaint records | 3–5 years from the date of the last interaction |
| Website and app analytics data | Up to 26 months (in accordance with standard analytics platform settings) |
| Cookie and tracking data | Varies by cookie type (session cookies are deleted when you close your browser; persistent cookies may last from 30 days to 2 years) |
| CCTV footage from restaurant premises | 30 days, unless retained for a specific purpose such as an incident investigation |
At the end of the applicable retention period, we will securely delete or de-identify your personal information in accordance with our data disposal procedures and the requirements of the Privacy Act 1988 (Cth).
10. Your Privacy Rights
Under the Australian Privacy Principles (APPs) and other applicable Australian privacy laws, you have a number of rights in relation to your personal information. We are committed to facilitating the exercise of these rights in a timely and transparent manner.
10.1 Right to Access
You have the right to request access to the personal information we hold about you. We will provide you with a copy of the information, subject to certain exceptions permitted under the Privacy Act (for example, where access would pose a serious threat to the life or safety of another person, or where the information relates to legal proceedings). We will respond to access requests within 30 days of receipt. We may charge a reasonable fee to cover the cost of providing access, which we will notify you of in advance.
10.2 Right to Correction
If you believe that personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you have the right to request that we correct it. We will take reasonable steps to correct the information promptly. If we disagree with your request for correction, we will notify you in writing of our reasons and of your right to complain to the OAIC.
10.3 Right to Deletion (De-identification)
In certain circumstances, you may have the right to request that we delete or de-identify personal information we hold about you — for example, where the information is no longer necessary for the purpose for which it was collected. Please note that we may be required to retain certain information for legal compliance purposes even following a deletion request.
10.4 Right to Opt Out of Direct Marketing
You have the right to opt out of receiving direct marketing communications from us at any time. You can exercise this right by clicking the "unsubscribe" link in any email we send you, by adjusting your account notification preferences, or by contacting us at [email protected]. We will action your opt-out request promptly and within the timeframe required by the Spam Act 2003 (Cth) and the Privacy Act.
10.5 Right to Withdraw Consent
Where we rely on your consent as the legal basis for processing your personal information (for example, for sending you marketing communications), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
10.6 How to Exercise Your Rights
To exercise any of the rights described above, please contact our Privacy Officer using the contact details provided in Section 12 of this Privacy Policy. We may require you to verify your identity before processing your request to ensure the security of your personal information. We will aim to respond to all legitimate requests within 30 days. In complex or multiple-request situations, this period may be extended, in which case we will notify you accordingly.
11. Children's Privacy
Our website, app, and online services are intended for use by individuals who are aged 18 years and over. We do not knowingly collect personal information from children under the age of 18. If you are under 18, please do not use our online platforms to create an account or provide us with any personal information. Orders placed on behalf of children should be managed by a parent or legal guardian.
If we become aware that we have inadvertently collected personal information from a child under the age of 18 without appropriate parental consent, we will take immediate steps to delete such information from our records. If you believe that we may have collected personal information from a minor in your care, please contact us immediately at [email protected] so that we can address the matter promptly.
12. Contact Us — Privacy Enquiries
If you have any questions, concerns, or complaints about this Privacy Policy or about the way in which we handle your personal information, please contact our Privacy Officer using the details below:
When contacting us with a privacy enquiry or complaint, please include:
- Your full name and contact details
- A clear description of your concern, question, or complaint
- Any relevant reference numbers (such as order numbers or account IDs)
- Any supporting documentation that may assist us in understanding and resolving your concern
We will acknowledge receipt of your enquiry or complaint promptly and will investigate and respond to you as quickly as reasonably practicable — generally within 30 days of receipt. If your matter is complex or requires extended investigation, we will keep you informed of our progress.
13. How to Lodge a Complaint with the OAIC
If you are not satisfied with our response to your privacy complaint, or if you believe that we have not handled your personal information in accordance with the Australian Privacy Principles, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
The OAIC is the independent national regulator for privacy and freedom of information in Australia. Complaints to the OAIC must generally be lodged within 12 months of the event that is the subject of the complaint, although the OAIC has discretion to extend this timeframe in certain circumstances.
You can contact the OAIC as follows:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992 (within Australia)
Post: GPO Box 5218, Sydney NSW 2001 or GPO Box 2999, Canberra ACT 2601
Online complaint form: Available at www.oaic.gov.au/privacy/privacy-complaints
We encourage you to contact us directly in the first instance so that we have an opportunity to resolve your concerns before you approach the OAIC. However, you are entitled to contact the OAIC at any time.
14. Changes to This Privacy Policy
We may update or amend this Privacy Policy from time to time to reflect changes in our business practices, technological developments, or changes in applicable laws and regulatory requirements. When we make material changes to this Privacy Policy, we will notify you by posting the updated policy on our website at guzmaanygomez.com with a revised "Last Updated" date. In some cases, we may also send you a direct notification of material changes via email or through a notice on our app.
We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your personal information. Your continued use of our website or services following the posting of any changes to this Privacy Policy constitutes your acceptance of those changes, to the extent permitted by applicable law.
15. Glossary of Key Terms
For ease of reference, the following key terms are defined as they are used in this Privacy Policy:
| Term | Definition |
|---|---|
| Personal information | Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not — as defined in section 6 of the Privacy Act 1988 (Cth). |
| Sensitive information | A subset of personal information that includes health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records, and certain other categories — as defined in section 6 of the Privacy Act 1988 (Cth). Sensitive information attracts a higher level of legal protection. |
| Australian Privacy Principles (APPs) | The thirteen principles contained in Schedule 1 of the Privacy Act 1988 (Cth) that govern the handling of personal information by Australian Government agencies and private sector organisations with an annual turnover exceeding $3 million (and certain other organisations). |
| OAIC | The Office of the Australian Information Commissioner — the independent national regulator responsible for privacy and freedom of information in Australia. |
| Notifiable Data Breach (NDB) | A data breach that is likely to result in serious harm to one or more individuals whose personal information is involved in the breach, as defined under Part IIIC of the Privacy Act 1988 (Cth). Entities covered by the NDB scheme must notify the OAIC and affected individuals in the event of such a breach. |
| Cookie | A small text file placed on your device by a website or app that stores certain information about your interaction with that website or app, enabling the site or app to remember your preferences and activity over time. |
Effective Date: April 8, 2026
Governing Law: Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)