Privacy Policy
This Privacy Policy describes how Guzman y Gomez ("we," "us," "our," or "the Company") collects, uses, discloses, stores, and protects personal information about individuals ("you," "your," or "users") who visit our website at guzimanygomez.com, use our mobile applications, place orders through our digital platforms, or otherwise interact with our food services and business operations.
We are committed to protecting your privacy and handling your personal information in a responsible, transparent, and lawful manner. This Privacy Policy has been prepared in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act, and any other applicable Australian privacy legislation. Please read this document carefully. By accessing or using our website and services, you acknowledge that you have read, understood, and agree to the terms set out in this Privacy Policy.
If you do not agree with any part of this Privacy Policy, please discontinue your use of our website, mobile applications, and related services immediately. We encourage you to review this policy periodically, as we may update it from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
1. About Us
Guzman y Gomez is a food and restaurant business operating across Australia, dedicated to serving authentic Mexican-inspired cuisine made from fresh, natural ingredients. Our digital services, including our website at guzimanygomez.com, allow customers to explore our menu, place online orders, access loyalty programs, and engage with our brand.
| Company Name | Guzman y Gomez |
|---|---|
| Website | guzimanygomez.com |
| Email Address | [email protected] |
| Address | Australia |
| Phone | Available upon request via email |
For all privacy-related inquiries, questions, concerns, or complaints, you may contact our Privacy Officer directly at [email protected].
2. Information We Collect
We collect various types of information depending on how you interact with our business, website, and digital platforms. The information we collect can broadly be categorised into the following types:
2.1 Personal Information You Provide Directly
When you interact with our website, create an account, place an order, participate in loyalty programs, or contact us, you may provide us with personal information, including but not limited to:
- Identity Information: Full name, date of birth, and gender (where voluntarily provided).
- Contact Information: Email address, home or delivery address, phone number, and postal code.
- Account Credentials: Username, password (stored in encrypted format), and account security questions.
- Order Information: Food and beverage orders, order history, dietary preferences, and special instructions or allergy information you provide.
- Payment Information: Credit card or debit card details, billing address, and payment method preferences. Please note that full payment card numbers are not stored by us directly — they are processed through our PCI DSS-compliant third-party payment processors.
- Loyalty Program Data: Membership details, points balance, redemption history, and reward preferences.
- Communications: Messages, feedback, reviews, complaints, or inquiries you send to us via email, contact forms, or social media.
- Survey and Promotional Responses: Answers to surveys, competitions, promotions, or marketing campaigns in which you choose to participate.
2.2 Information Collected Automatically
When you visit our website or use our mobile application, we and our third-party service providers may automatically collect certain technical and usage information, including:
- Device Information: Device type, operating system, browser type and version, device identifiers (such as IP address, MAC address, and device ID), screen resolution, and hardware configuration.
- Usage Data: Pages visited, time spent on pages, links clicked, search queries made on our website, navigation paths, and referring URLs.
- Location Data: Approximate geographic location derived from your IP address, or, with your explicit consent, precise GPS-based location data used to help you find the nearest Guzman y Gomez location or enable delivery services.
- Transaction Metadata: Time and date of orders, frequency of orders, and value of transactions.
- Log Data: Server logs, error reports, and activity logs associated with your use of our digital platforms.
2.3 Information Collected Through Cookies and Tracking Technologies
We use cookies, web beacons, pixel tags, and similar tracking technologies to collect information about your browsing behaviour and preferences. This helps us improve our website functionality, personalise your experience, and deliver relevant advertising. For more detailed information about the cookies we use, please refer to our Cookie Policy, which is available on our website. You may control your cookie preferences through our cookie consent tool or your browser settings.
2.4 Information From Third Parties
We may also receive personal information about you from third parties, including:
- Social Media Platforms: If you log in using a social media account (such as Facebook or Google), we receive information such as your name, email address, and profile picture as authorised by your social media privacy settings.
- Delivery Partners: Third-party delivery platforms (such as DoorDash, Uber Eats, or Menulog) may share order and contact details with us to facilitate your food delivery.
- Marketing Partners: Advertising networks and analytics providers may share aggregated or segmented audience data to help us understand our customer base better.
- Payment Processors: Information related to successful payment transactions may be shared with us for order confirmation and fraud prevention purposes.
3. How We Use Your Personal Information
We collect and use your personal information only for lawful purposes that are directly related to our food services and business operations. Specifically, we use your information for the following purposes:
3.1 Providing and Managing Our Services
- Processing and fulfilling your food orders, whether placed online, via mobile app, or in-store.
- Managing your customer account, loyalty program membership, and reward redemptions.
- Facilitating delivery or pick-up services and communicating order status updates.
- Responding to your questions, complaints, feedback, and support requests.
- Processing refunds, exchanges, and handling disputes or billing inquiries.
3.2 Improving Our Products and Services
- Analysing usage patterns and customer behaviour to improve our website, app, and in-store experience.
- Conducting internal research, customer satisfaction surveys, and quality assurance assessments.
- Developing new menu items, services, or features based on customer preferences and feedback.
- Monitoring and improving the security, performance, and reliability of our digital platforms.
3.3 Marketing and Promotions
- Sending you promotional offers, newsletters, special deals, and marketing communications about Guzman y Gomez products and services, where you have provided consent or where we have a legitimate interest to do so under applicable law.
- Personalising marketing messages and advertisements based on your order history, preferences, and interactions with our platform.
- Running competitions, promotions, loyalty campaigns, and referral programs.
- Displaying targeted advertising on our platforms and third-party websites using cookies and similar technologies.
You may opt out of receiving direct marketing communications at any time by clicking the "unsubscribe" link in any marketing email, updating your account preferences, or contacting us directly at [email protected]. Please note that even if you opt out of marketing communications, you will continue to receive transactional messages related to your orders and account.
3.4 Legal and Compliance Purposes
- Complying with our obligations under Australian law, including the Privacy Act 1988 (Cth), Australian Consumer Law (ACL), Food Standards Australia New Zealand (FSANZ) regulations, and other applicable legislation.
- Detecting, investigating, and preventing fraud, unauthorised access, and other illegal or prohibited activities.
- Enforcing our Terms of Service and other agreements.
- Responding to lawful requests from government authorities, law enforcement agencies, and regulatory bodies.
- Establishing, exercising, or defending legal claims in connection with our business operations.
4. Disclosure of Personal Information to Third Parties
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. However, we may disclose your personal information to certain third parties in the following circumstances:
4.1 Service Providers and Business Partners
We engage trusted third-party service providers to help us operate our business and deliver our services. These providers are contractually obligated to handle your information securely and only for the specific purposes we have authorised. They may include:
- Payment Processors: To securely process your financial transactions.
- Delivery Partners: Third-party delivery platforms and courier services that fulfil your food delivery orders.
- Cloud Hosting and IT Service Providers: Entities that provide server infrastructure, data storage, and technical support.
- Analytics Providers: Companies such as Google Analytics that help us understand how users interact with our website and applications.
- Email and Communication Platforms: Services that help us send transactional and marketing emails, push notifications, and SMS messages.
- Customer Support Platforms: Third-party tools used to manage and respond to customer inquiries and complaints.
- Marketing and Advertising Partners: Digital advertising networks and social media platforms that help us reach relevant audiences with targeted advertisements.
4.2 Legal and Regulatory Authorities
We may disclose your personal information to government bodies, law enforcement agencies, courts, regulators, or other authorised parties where we are legally required or permitted to do so, including in response to a subpoena, court order, or other legal process, or where we believe disclosure is necessary to prevent harm, protect our legal rights, or comply with a legal obligation under Australian law.
4.3 Business Transfers
In the event that Guzman y Gomez undergoes a merger, acquisition, restructuring, sale of assets, or other change of control, your personal information may be transferred to the acquiring entity as part of that transaction. We will take reasonable steps to ensure that your information continues to be protected in accordance with this Privacy Policy.
4.4 With Your Consent
We may share your personal information with other parties where you have provided your explicit consent to do so, such as when participating in joint promotions or third-party reward programs.
5. Data Security
We take the security of your personal information seriously and implement a range of administrative, technical, and physical safeguards to protect your data from unauthorised access, disclosure, alteration, misuse, and loss. Our security measures include, but are not limited to:
- Encryption: All data transmitted between your browser or device and our servers is encrypted using industry-standard Transport Layer Security (TLS) protocols. Sensitive data such as payment information is also encrypted at rest.
- Access Controls: Access to personal information is restricted to authorised employees, contractors, and service providers who have a legitimate business need to access it. All personnel with access to personal data are subject to confidentiality obligations.
- Firewalls and Intrusion Detection: We use firewalls, intrusion detection systems, and other network security tools to protect our systems from unauthorised access and cyber threats.
- Password Security: User account passwords are stored in hashed format using strong cryptographic algorithms. We recommend that you choose a strong, unique password for your account and enable two-factor authentication where available.
- Regular Security Audits: We conduct periodic security assessments, penetration testing, and vulnerability scans to identify and address potential security risks.
- Incident Response: We maintain a data breach response plan in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by law.
While we take every reasonable precaution to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your personal information and encourage you to take appropriate steps to protect your own information, such as using strong passwords and keeping your account credentials confidential.
6. Your Rights Under Australian Privacy Law
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have certain rights regarding your personal information. These rights include:
6.1 Right to Access
You have the right to request access to the personal information we hold about you. We will respond to your request within a reasonable timeframe (generally within 30 days) and provide you with the information in a format that is appropriate and practical. In some limited circumstances, we may be required or permitted by law to refuse access, in which case we will provide you with written reasons for our refusal.
6.2 Right to Correction
If you believe that any personal information we hold about you is inaccurate, incomplete, out of date, or misleading, you have the right to request that we correct it. We will take reasonable steps to update or correct your information upon receiving a valid correction request. You may also update much of your personal information directly through your account settings on our website or app.
6.3 Right to Deletion
In certain circumstances, you may request that we delete or de-identify your personal information. We will consider your request in accordance with our legal obligations. Please note that we may be required to retain certain information for legal, regulatory, or legitimate business purposes even after you request deletion. Where deletion is not possible, we will take steps to de-identify or anonymise your data where practicable.
6.4 Right to Data Portability
Where technically feasible and required by applicable law, you may request a copy of your personal information in a structured, commonly used, and machine-readable format. This allows you to transfer your data to another service provider if you wish.
6.5 Right to Withdraw Consent
Where we process your personal information based on your consent (such as for direct marketing communications), you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to your withdrawal.
6.6 Right to Opt Out of Marketing
You have the right to opt out of receiving direct marketing communications from us at any time. You may exercise this right by clicking the "unsubscribe" link in any marketing email, updating your communication preferences in your account settings, or contacting us at [email protected].
To exercise any of the above rights, please contact our Privacy Officer at [email protected]. We may require you to verify your identity before processing your request to ensure that we do not disclose or modify information belonging to another person.
7. Cookies and Tracking Technologies
Our website and mobile application use cookies and similar tracking technologies to enhance your browsing experience, understand how users interact with our platforms, and deliver relevant content and advertising. Cookies are small text files placed on your device when you visit our website.
7.1 Types of Cookies We Use
- Essential Cookies: These cookies are strictly necessary for the operation of our website and cannot be switched off. They enable core functions such as session management, security, and authentication.
- Performance and Analytics Cookies: These cookies collect information about how visitors use our website, such as which pages are visited most frequently and whether users encounter error messages. This information is used to improve website performance and user experience.
- Functionality Cookies: These cookies allow our website to remember choices you make (such as your preferred language or location) and provide enhanced, more personalised features.
- Targeting and Advertising Cookies: These cookies are used to deliver advertisements that are relevant to your interests, both on our website and on third-party platforms. They also help us measure the effectiveness of our advertising campaigns.
7.2 Managing Your Cookie Preferences
You may control your cookie settings through our cookie consent tool, which is presented when you first visit our website. You can also manage cookies through your browser settings, although please note that disabling certain cookies may affect the functionality of our website. For more detailed information about the cookies we use and how to manage them, please refer to our full Cookie Policy available on our website.
8. Data Retention
We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, including to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods vary depending on the type of information and the purpose for which it is held:
| Type of Information | Retention Period |
|---|---|
| Customer account information | For the duration of your account, plus 7 years after account closure |
| Order and transaction records | 7 years from the date of transaction (in accordance with tax and financial reporting obligations) |
| Marketing preferences and consent records | Until you withdraw consent, plus 3 years thereafter |
| Customer support communications | 3 years from the date of resolution |
| Website usage and analytics data | Up to 26 months, in accordance with analytics provider settings |
| Payment information (excluding full card numbers) | 7 years from the date of the last transaction |
| Legal and compliance records | As required by applicable law, which may extend to 7 years or longer |
When personal information is no longer required, we will take reasonable steps to destroy, delete, or permanently de-identify it in a secure manner.
9. Children's Privacy
Our website and digital services are intended for use by individuals who are 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under the age of 18 without verifiable parental or guardian consent.
If you are under the age of 18, please do not use our website or services or provide us with any personal information without the supervision and consent of a parent or legal guardian. If you are a parent or guardian and you believe that your child has provided us with personal information without your consent, please contact us immediately at [email protected] so that we can take steps to remove that information from our systems.
In the event that we discover we have collected personal information from a child under 18 without appropriate consent, we will promptly delete that information from our records.
10. International Data Transfers
Because we operate primarily in Australia and use global technology service providers, your personal information may be transferred to, stored in, or processed in countries outside of Australia. These countries may include the United States of America, the European Union, Singapore, and other jurisdictions where our service providers maintain data centres or operations.
Where we transfer your personal information to overseas recipients, we take reasonable steps to ensure that those recipients handle your information in a manner consistent with the Australian Privacy Principles (APPs) and our obligations under the Privacy Act 1988 (Cth). This may include:
- Entering into data processing agreements with overseas service providers that include privacy protections equivalent to those required under Australian law.
- Transferring data only to countries with adequate privacy protections as recognised under applicable international frameworks.
- Implementing contractual clauses, standard contractual terms, or other appropriate safeguards to protect your information during international transfers.
Please be aware that once your information is transferred to an overseas recipient, that recipient may be subject to different privacy laws than those applicable in Australia. In some cases, Australian privacy law may not govern how your information is handled overseas. By using our services, you acknowledge and consent to the transfer of your personal information outside of Australia in accordance with this Privacy Policy.
11. Third-Party Websites and Links
Our website may contain links to third-party websites, social media platforms, delivery partner portals, or other external services that are not operated or controlled by Guzman y Gomez. We are not responsible for the privacy practices, security measures, or content of those third-party websites. We encourage you to review the privacy policies of any third-party websites you visit before providing your personal information.
The inclusion of a link on our website does not constitute an endorsement of the linked website or its privacy practices. Our Privacy Policy applies only to our own website at guzimanygomez.com and our associated digital platforms.
12. How to Lodge a Privacy Complaint
We take all privacy complaints seriously and are committed to resolving them promptly and fairly. If you have a concern or complaint about the way we have collected, used, or disclosed your personal information, we encourage you to contact us in the first instance.
12.1 Contact Our Privacy Officer
Please submit your complaint in writing to our Privacy Officer using the following contact details:
When submitting your complaint, please include the following information to help us investigate and resolve the matter as efficiently as possible:
- Your full name and contact details.
- A clear description of your concern or complaint.
- Details of any relevant interactions or communications with us.
- Any supporting documentation or evidence.
- Your preferred outcome or resolution.
We will acknowledge receipt of your complaint within 5 business days and aim to provide a substantive response within 30 days. If the matter is complex or requires further investigation, we will keep you informed of the progress and expected timeframe for resolution.
12.2 Escalating to the Office of the Australian Information Commissioner (OAIC)
If you are not satisfied with our response to your complaint, or if we fail to respond within a reasonable timeframe, you have the right to escalate your complaint to the Office of the Australian Information Commissioner (OAIC), which is the independent national regulator for privacy and freedom of information in Australia.
Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001
Email: [email protected]
Online Complaint Form: www.oaic.gov.au/privacy/privacy-complaints
The OAIC can investigate complaints, make determinations, and take enforcement action where it finds that an entity has breached the Australian Privacy Principles. There is no fee for lodging a complaint with the OAIC.
13. Changes to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our business practices, technology, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will notify you by:
- Posting the updated Privacy Policy on our website at guzimanygomez.com with a revised "Last Updated" date.
- Sending an email notification to registered account holders where the changes are significant.
- Displaying a prominent notice on our website or mobile application.
Your continued use of our website and services after any changes to this Privacy Policy have been posted will constitute your acknowledgment and acceptance of those changes. We encourage you to review this Privacy Policy regularly to stay informed about how we are protecting your information.
14. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of Australia, including the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Spam Act 2003 (Cth), and the Australian Consumer Law (ACL) as contained in Schedule 2 of the Competition and Consumer Act 2010 (Cth). Any disputes arising in connection with this Privacy Policy shall be subject to the jurisdiction of the courts of Australia.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal information, please do not hesitate to get in touch with our Privacy Officer:
Email: [email protected]
Website: guzimanygomez.com
Location: Australia
We are dedicated to ensuring that your personal information is handled with care, respect, and transparency. Thank you for trusting Guzman y Gomez with your personal information. We value your privacy and are committed to maintaining your confidence in our services.